feat: a solution to if-normalization (#8035)

* feat: a solution to if-normalization

* lint

* import all

* duplicated names

* Update Archive/Examples/IfNormalization/Statement.lean

Co-authored-by: Chris Hughes <33847686+ChrisHughes24@users.noreply.github.com>

* resist the temptation to let aesop specify the data

* typo in doc-string

* workaround

* fix

* fix

* fix

---------

Co-authored-by: Chris Hughes <33847686+ChrisHughes24@users.noreply.github.com>

Author: kim-em

Archive.lean

@@ -1,4 +1,7 @@
 import Archive.Arithcc
+import Archive.Examples.IfNormalization.Result
+import Archive.Examples.IfNormalization.Statement
+import Archive.Examples.IfNormalization.WithoutAesop
 import Archive.Examples.MersennePrimes
 import Archive.Examples.PropEncodable
 import Archive.Imo.Imo1959Q1

Archive/Examples/IfNormalization/Result.lean

@@ -0,0 +1,121 @@
+/-
+Copyright (c) 2023 Chris Hughes. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Chris Hughes
+-/
+import Archive.Examples.IfNormalization.Statement
+import Mathlib.Data.List.AList
+import Mathlib.Tactic.Recall
+
+/-!
+# A solution to the if normalization challenge in Lean.
+
+See `Statement.lean` for background.
+-/
+
+set_option autoImplicit true
+
+macro "◾" : tactic => `(tactic| aesop)
+macro "◾" : term => `(term| by aesop)
+
+namespace IfExpr
+
+/-!
+We add some local simp lemmas so we can unfold the definitions of the normalization condition.
+-/
+attribute [local simp] normalized hasNestedIf hasConstantIf hasRedundantIf disjoint vars
+  List.disjoint
+
+/-!
+Adding these lemmas to the simp set allows Lean to handle the termination proof automatically.
+-/
+attribute [local simp] Nat.lt_add_one_iff le_add_of_le_right
+
+/-!
+Some further simp lemmas for handling if-then-else statements.
+-/
+attribute [local simp] apply_ite ite_eq_iff'
+
+-- A copy of Lean's `decide_eq_true_eq` which unifies the `Decidable` instance
+-- rather than finding it by typeclass search.
+-- See https://github.com/leanprover/lean4/pull/2816
+@[simp] theorem decide_eq_true_eq {i : Decidable p} : (@decide p i = true) = p :=
+  _root_.decide_eq_true_eq
+
+
+/-!
+Simp lemmas for `eval`.
+We don't want a `simp` lemma for `(ite i t e).eval` in general, only once we know the shape of `i`.
+-/
+@[simp] theorem eval_lit : (lit b).eval f  = b := rfl
+@[simp] theorem eval_var : (var i).eval f  = f i := rfl
+@[simp] theorem eval_ite_lit :
+    (ite (.lit b) t e).eval f = bif b then t.eval f else e.eval f := rfl
+@[simp] theorem eval_ite_var :
+    (ite (.var i) t e).eval f = bif f i then t.eval f else e.eval f := rfl
+@[simp] theorem eval_ite_ite :
+    (ite (ite a b c) d e).eval f = (ite a (ite b d e) (ite c d e)).eval f := by
+  cases h : eval f a <;> simp_all [eval]
+
+/-- Custom size function for if-expressions, used for proving termination. -/
+@[simp] def normSize : IfExpr → Nat
+  | lit _ => 0
+  | var _ => 1
+  | .ite i t e => 2 * normSize i + max (normSize t) (normSize e) + 1
+
+/-- Normalizes the expression at the same time as assigning all variables in
+`e` to the literal booleans given by `l` -/
+def normalize (l : AList (fun _ : ℕ => Bool)) :
+    (e : IfExpr) → { e' : IfExpr //
+        (∀ f, e'.eval f = e.eval (fun w => (l.lookup w).elim (f w) (fun b => b)))
+        ∧ e'.normalized
+        ∧ ∀ (v : ℕ), v ∈ vars e' → l.lookup v = none }
+  | lit b => ⟨lit b, ◾⟩
+  | var v =>
+    match h : l.lookup v with
+    | none => ⟨var v, ◾⟩
+    | some b => ⟨lit b, ◾⟩
+  | .ite (lit true)   t e => have t' := normalize l t; ⟨t'.1, ◾⟩
+  | .ite (lit false)  t e => have e' := normalize l e; ⟨e'.1, ◾⟩
+  | .ite (.ite a b c) t e => have i' := normalize l (.ite a (.ite b t e) (.ite c t e)); ⟨i'.1, ◾⟩
+  | .ite (var v)      t e =>
+    match h : l.lookup v with
+    | none =>
+      have ⟨t', ht₁, ht₂, ht₃⟩ := normalize (l.insert v true) t
+      have ⟨e', he₁, he₂, he₃⟩ := normalize (l.insert v false) e
+      ⟨if t' = e' then t' else .ite (var v) t' e', by
+        refine ⟨fun f => ?_, ?_, fun w b => ?_⟩
+        · -- eval = eval
+          simp
+          cases hfv : f v
+          · simp_all
+            congr
+            ext w
+            by_cases w = v <;> ◾
+          · simp [h, ht₁]
+            congr
+            ext w
+            by_cases w = v <;> ◾
+        · -- normalized
+          have := ht₃ v
+          have := he₃ v
+          ◾
+        · -- lookup = none
+          have := ht₃ w
+          have := he₃ w
+          by_cases w = v <;> ◾⟩
+    | some b =>
+      have i' := normalize l (.ite (lit b) t e); ⟨i'.1, ◾⟩
+  termination_by normalize e => e.normSize
+
+/-
+We recall the statement of the if-normalization problem.
+
+We want a function from if-expressions to if-expressions,
+that outputs normalized if-expressions and preserves meaning.
+-/
+recall IfNormalization :=
+  { Z : IfExpr → IfExpr // ∀ e, (Z e).normalized ∧ (Z e).eval = e.eval }
+
+example : IfNormalization :=
+  ⟨_, fun e => ⟨(IfExpr.normalize ∅ e).2.2.1, by simp [(IfExpr.normalize ∅ e).2.1]⟩⟩

Archive/Examples/IfNormalization/Statement.lean

@@ -0,0 +1,107 @@
+/-
+Copyright (c) 2023 Lean FRO LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+
+/-!
+# If normalization
+
+Rustan Leino, Stephan Merz, and Natarajan Shankar have recently been discussing challenge problems
+to compare proof assistants.
+(See https://leanprover.zulipchat.com/#narrow/stream/113488-general/topic/Rustan's.20challenge)
+
+Their first suggestion was "if-normalization".
+
+This file contains a Lean formulation of the problem. See `Result.lean` for a Lean solution.
+-/
+
+/-- An if-expression is either boolean literal, a numbered variable,
+or an if-then-else expression where each subexpression is an if-expression. -/
+inductive IfExpr
+  | lit : Bool → IfExpr
+  | var : Nat → IfExpr
+  | ite : IfExpr → IfExpr → IfExpr → IfExpr
+deriving DecidableEq, Repr
+
+namespace IfExpr
+
+/--
+An if-expression has a "nested if" if it contains
+an if-then-else where the "if" is itself an if-then-else.
+-/
+def hasNestedIf : IfExpr → Bool
+  | lit _ => false
+  | var _ => false
+  | ite (ite _ _ _) _ _ => true
+  | ite _ t e => t.hasNestedIf || e.hasNestedIf
+
+/--
+An if-expression has a "constant if" if it contains
+an if-then-else where the "if" is itself a literal.
+-/
+def hasConstantIf : IfExpr → Bool
+  | lit _ => false
+  | var _ => false
+  | ite (lit _) _ _ => true
+  | ite i t e => i.hasConstantIf || t.hasConstantIf || e.hasConstantIf
+
+/--
+An if-expression has a "redundant if" if it contains
+an if-then-else where the then and else clauses are identical.
+-/
+def hasRedundantIf : IfExpr → Bool
+  | lit _ => false
+  | var _ => false
+  | ite i t e => t == e || i.hasRedundantIf || t.hasRedundantIf || e.hasRedundantIf
+
+/--
+All the variables appearing in an if-expressions, read left to right, without removing duplicates.
+-/
+def vars : IfExpr → List Nat
+  | lit _ => []
+  | var i => [i]
+  | ite i t e => i.vars ++ t.vars ++ e.vars
+
+/--
+A helper function to specify that two lists are disjoint.
+-/
+def _root_.List.disjoint {α} [DecidableEq α] : List α → List α → Bool
+  | [], _ => true
+  | x::xs, ys => x ∉ ys && xs.disjoint ys
+
+/--
+An if expression evaluates each variable at most once if for each if-then-else
+the variables in the if clause are disjoint from the variables in the then clause, and
+the variables in the if clause are disjoint from the variables in the else clause.
+-/
+def disjoint : IfExpr → Bool
+  | lit _ => true
+  | var _ => true
+  | ite i t e =>
+      i.vars.disjoint t.vars && i.vars.disjoint e.vars && i.disjoint && t.disjoint && e.disjoint
+
+/--
+An if expression is "normalized" if it has not nested, constant, or redundant ifs,
+and it evaluates each variable at most once.
+-/
+def normalized (e : IfExpr) : Bool :=
+  !e.hasNestedIf && !e.hasConstantIf && !e.hasRedundantIf && e.disjoint
+
+/--
+The evaluation of an if expresssion at some assignment of variables.
+-/
+def eval (f : Nat → Bool) : IfExpr → Bool
+  | lit b => b
+  | var i => f i
+  | ite i t e => bif i.eval f then t.eval f else e.eval f
+
+end IfExpr
+
+/--
+This is the statement of the if normalization problem.
+
+We require a function from that transforms if expressions to normalized if expressions,
+preserving all evaluations.
+-/
+def IfNormalization : Type := { Z : IfExpr → IfExpr // ∀ e, (Z e).normalized ∧ (Z e).eval = e.eval }

Archive/Examples/IfNormalization/WithoutAesop.lean

@@ -0,0 +1,131 @@
+/-
+Copyright (c) 2023 Chris Hughes. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Chris Hughes, Scott Morrison
+-/
+import Archive.Examples.IfNormalization.Statement
+import Mathlib.Data.List.AList
+
+/-!
+# A variant of Chris Hughes' solution for the if normalization challenge.
+
+In this variant we eschew the use of `aesop`, and instead write out the proofs.
+
+(In order to avoid duplicated names with `Result.lean`,
+we put primes on the declarations in the file.)
+-/
+
+set_option autoImplicit true
+
+namespace IfExpr
+
+attribute [local simp] eval normalized hasNestedIf hasConstantIf hasRedundantIf disjoint vars
+  List.disjoint max_add_add_right max_mul_mul_left Nat.lt_add_one_iff le_add_of_le_right
+
+-- A copy of Lean's `decide_eq_true_eq` which unifies the `Decidable` instance
+-- rather than finding it by typeclass search.
+-- See https://github.com/leanprover/lean4/pull/2816
+@[simp] theorem decide_eq_true_eq' {i : Decidable p} : (@decide p i = true) = p :=
+  _root_.decide_eq_true_eq
+
+theorem eval_ite_ite' :
+    (ite (ite a b c) d e).eval f = (ite a (ite b d e) (ite c d e)).eval f := by
+  cases h : eval f a <;> simp_all
+
+/-- Custom size function for if-expressions, used for proving termination. -/
+@[simp] def normSize' : IfExpr → ℕ
+  | lit _ => 0
+  | var _ => 1
+  | .ite i t e => 2 * normSize' i + max (normSize' t) (normSize' e) + 1
+
+/-- Normalizes the expression at the same time as assigning all variables in
+`e` to the literal booleans given by `l` -/
+def normalize' (l : AList (fun _ : ℕ => Bool)) :
+    (e : IfExpr) → { e' : IfExpr //
+        (∀ f, e'.eval f = e.eval (fun w => (l.lookup w).elim (f w) (fun b => b)))
+        ∧ e'.normalized
+        ∧ ∀ (v : ℕ), v ∈ vars e' → l.lookup v = none }
+  | lit b => ⟨lit b, by simp⟩
+  | var v =>
+    match h : l.lookup v with
+    | none => ⟨var v, by simp_all⟩
+    | some b => ⟨lit b, by simp_all⟩
+  | .ite (lit true) t e =>
+    have ⟨t', ht'⟩ := normalize' l t
+    ⟨t', by simp_all⟩
+  | .ite (lit false) t e =>
+    have ⟨e', he'⟩ := normalize' l e
+    ⟨e', by simp_all⟩
+  | .ite (.ite a b c) d e =>
+    have ⟨t', ht₁, ht₂⟩ := normalize' l (.ite a (.ite b d e) (.ite c d e))
+    ⟨t', fun f => by rw [ht₁, eval_ite_ite'], ht₂⟩
+  | .ite (var v) t e =>
+    match h : l.lookup v with
+    | none =>
+      have ⟨t', ht₁, ht₂, ht₃⟩ := normalize' (l.insert v true) t
+      have ⟨e', he₁, he₂, he₃⟩ := normalize' (l.insert v false) e
+      ⟨if t' = e' then t' else .ite (var v) t' e', by
+        refine ⟨fun f => ?_, ?_, fun w b => ?_⟩
+        · simp only [eval, apply_ite, ite_eq_iff']
+          cases hfv : f v
+          · simp (config := {contextual := true}) only [cond_false, h, he₁]
+            refine ⟨fun _ => ?_, fun _ => ?_⟩
+            · congr
+              ext w
+              by_cases w = v <;> rename_i x
+              · substs h
+                simp_all
+              · simp_all
+            · congr
+              ext w
+              by_cases w = v <;> rename_i x
+              · substs h
+                simp_all
+              · simp_all
+          · simp only [cond_true, h, ht₁]
+            refine ⟨fun _ => ?_, fun _ => ?_⟩
+            · congr
+              ext w
+              by_cases w = v <;> rename_i x
+              · substs h
+                simp_all
+              · simp_all
+            · congr
+              ext w
+              by_cases w = v <;> rename_i x
+              · substs h
+                simp_all
+              · simp_all
+        · have := ht₃ v
+          have := he₃ v
+          simp_all? says simp_all only [Option.elim, ne_eq, normalized, Bool.and_eq_true,
+              Bool.not_eq_true', AList.lookup_insert]
+          obtain ⟨⟨⟨tn, tc⟩, tr⟩, td⟩ := ht₂
+          split <;> rename_i h'
+          · subst h'
+            simp_all
+          · simp_all? says simp_all only [ne_eq, hasNestedIf, Bool.or_self, hasConstantIf,
+              and_self, hasRedundantIf, Bool.or_false, beq_eq_false_iff_ne, not_false_eq_true,
+              disjoint, List.disjoint, Bool.and_true, Bool.and_eq_true, decide_eq_true_eq',
+              true_and]
+            constructor <;> assumption
+        · have := ht₃ w
+          have := he₃ w
+          by_cases w = v
+          · subst h; simp_all
+          · simp_all? says simp_all only [Option.elim, ne_eq, normalized, Bool.and_eq_true,
+              Bool.not_eq_true', not_false_eq_true, AList.lookup_insert_ne]
+            obtain ⟨⟨⟨en, ec⟩, er⟩, ed⟩ := he₂
+            split at b <;> rename_i h'
+            · subst h'; simp_all
+            · simp_all only [ne_eq, vars, List.singleton_append, List.cons_append,
+                Bool.not_eq_true, List.mem_cons, List.mem_append, false_or]
+              cases b <;> simp_all⟩
+    | some b =>
+      have ⟨e', he'⟩ := normalize' l (.ite (lit b) t e)
+      ⟨e', by simp_all⟩
+  termination_by normalize' e => e.normSize'
+
+example : IfNormalization :=
+  ⟨fun e => (normalize' ∅ e).1,
+   fun e => ⟨(normalize' ∅ e).2.2.1, by simp [(normalize' ∅ e).2.1]⟩⟩