Programming

Mathematics for Programmers

Logic and Proofs
Relations
Mathematical Functions
Matrices
Binary Numbers
Trigonomtry
Finite State Machines
Turing Machines
Counting - Inclusion/Exclusion
Graph Algorithms

Data Structures and Algorithms

Algorithm Efficiency
Algorithm Correctness
Trees
Heaps, Stack, and Queues
Maps and Hashtables
Graphs and Graph Algorithms
Advanced Trees and Computability

Systems Programming

Command line control
Transition to C
Pointers
Memory Allocation
IO
Number representations
Assembly Programming
Structs and Unions
How memory works
Virtual Memory

The Practice of Programming

Distributed Systems

System Models
Naming and Distributed File Systems
Synchronisation and Concurrency
Fault Tolerance and Security
Clusters and Grids
Virtualisation
Data Centers
Mobile Computing

Programming Languages

Transition to Scala
Functional Programming
Syntax Analysis
Name Analysis
Type Analysis
Transformation and Compilation
Control Abstraction
Implementing Data Abstraction
Language Runtimes

Provably Correct Programs

Acknowledgements

This material is taken verbatim from Software Foundations V4.0

Copyright (c) 2016

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

Assumed Knowledge:

* TODO

Learning Outcomes:

* TODO

Grab the Coq source file Equiv.v

Require Import Coq.Bool.Bool.
Require Import Coq.Arith.Arith.
Require Import Coq.Arith.EqNat.
Require Import Coq.omega.Omega.
Require Import Coq.Lists.List.
Require Import Coq.Logic.FunctionalExtensionality.
Import ListNotations.
Require Import Maps.
Require Import Imp.

Some general advice for working on exercises:

Most of the Coq proofs we ask you to do are similar to proofs that we've provided. Before starting to work on exercises problems, take the time to work through our proofs (both informally, on paper, and in Coq) and make sure you understand them in detail. This will save you a lot of time.
The Coq proofs we're doing now are sufficiently complicated that it is more or less impossible to complete them simply by random experimentation or "following your nose." You need to start with an idea about why the property is true and how the proof is going to go. The best way to do this is to write out at least a sketch of an informal proof on paper — one that intuitively convinces you of the truth of the theorem — before starting to work on the formal one. Alternately, grab a friend and try to convince them that the theorem is true; then try to formalize your explanation.
Use automation to save work! Some of the proofs in this chapter's exercises are pretty long if you try to write out all the cases explicitly.

Behavioral Equivalence

In an earlier chapter, we investigated the correctness of a very simple program transformation: the optimize_0plus function. The programming language we were considering was the first version of the language of arithmetic expressions — with no variables — so in that setting it was very easy to define what it means for a program transformation to be correct: it should always yield a program that evaluates to the same number as the original.

To go further and talk about the correctness of program transformations in the full Imp language, we need to consider the role of variables and state.

Definitions

For aexps and bexps with variables, the definition we want is clear. We say that two aexps or bexps are behaviorally equivalent if they evaluate to the same result in every state.

Definition aequiv (a₁ a₂ : aexp) : Prop :=
  ∀(st:state),
    aeval st a₁ = aeval st a₂.

Definition bequiv (b₁ b₂ : bexp) : Prop :=
  ∀(st:state),
    beval st b₁ = beval st b₂.

For commands, the situation is a little more subtle. We can't simply say "two commands are behaviorally equivalent if they evaluate to the same ending state whenever they are started in the same initial state," because some commands, when run in some starting states, don't terminate in any final state at all! What we need instead is this: two commands are behaviorally equivalent if, for any given starting state, they either both diverge or both terminate in the same final state. A compact way to express this is "if the first one terminates in a particular state then so does the second, and vice versa."

Definition cequiv (c₁ c₂ : com) : Prop :=
∀(st st' : state),
(c₁ / st ⇓ st') ↔ (c₂ / st ⇓ st').

Exercise: 2 stars (equiv_classes)

Given the following programs, group together those that are equivalent in Imp. Your answer should be given as a list of lists, where each sub-list represents a group of equivalent programs. For example, if you think programs (a) through (h) are all equivalent to each other, but not to (i), your answer should look like this:

[ [prog_a;prog_b;prog_c;prog_d;prog_e;prog_f;prog_g;prog_h] ;
[prog_i] ]

Write down your answer below in the definition of equiv_classes.

Definition prog_a : com :=
  WHILE BNot (BLe (AId X) (ANum 0)) DO
    X ::= APlus (AId X) (ANum 1)
  END.

Definition prog_b : com :=
  IFB BEq (AId X) (ANum 0) THEN
    X ::= APlus (AId X) (ANum 1);;
    Y ::= ANum 1
  ELSE
    Y ::= ANum 0
  FI;;
  X ::= AMinus (AId X) (AId Y);;
  Y ::= ANum 0.

Definition prog_c : com :=
  SKIP.

Definition prog_d : com :=
  WHILE BNot (BEq (AId X) (ANum 0)) DO
    X ::= APlus (AMult (AId X) (AId Y)) (ANum 1)
  END.

Definition prog_e : com :=
  Y ::= ANum 0.

Definition prog_f : com :=
  Y ::= APlus (AId X) (ANum 1);;
  WHILE BNot (BEq (AId X) (AId Y)) DO
    Y ::= APlus (AId X) (ANum 1)
  END.

Definition prog_g : com :=
  WHILE BTrue DO
    SKIP
  END.

Definition prog_h : com :=
  WHILE BNot (BEq (AId X) (AId X)) DO
    X ::= APlus (AId X) (ANum 1)
  END.

Definition prog_i : com :=
  WHILE BNot (BEq (AId X) (AId Y)) DO
    X ::= APlus (AId Y) (ANum 1)
  END.

Definition equiv_classes : list (list com)
  (* REPLACE THIS LINE WITH   := _your_definition_ . *) . Admitted.

☐

Examples

Here are some simple examples of equivalences of arithmetic and boolean expressions.

Theorem aequiv_example:
aequiv (AMinus (AId X) (AId X)) (ANum 0).

Proof.
intros st. simpl. omega.
Qed.

Theorem bequiv_example:
bequiv (BEq (AMinus (AId X) (AId X)) (ANum 0)) BTrue.

Proof.
intros st. unfold beval.
rewrite aequiv_example. reflexivity.
Qed.

For examples of command equivalence, let's start by looking at some trivial program transformations involving SKIP:

Theorem skip_left: ∀c,
  cequiv
     (SKIP;; c)
     c.
Proof.
  (* WORKED IN CLASS *)
  intros c st st'.
  split; intros H.
  - (* -> *)
    inversion H. subst.
    inversion H₂. subst.
    assumption.
  - (* <- *)
    apply E_Seq with st.
    apply E_Skip.
    assumption.
Qed.

Exercise: 2 stars (skip_right)

Prove that adding a SKIP after a command results in an equivalent program

Theorem skip_right: ∀c,
  cequiv
    (c ;; SKIP)
    c.
Proof.
  (* FILL IN HERE *) Admitted.

☐

Similarly, here is a simple transformations that optimizes IFB commands:

Theorem IFB_true_simple: ∀c₁ c₂,
  cequiv
    (IFB BTrue THEN c₁ ELSE c₂ FI)
    c₁.

Proof.
  intros c₁ c₂.
  split; intros H.
  - (* -> *)
    inversion H; subst. assumption. inversion H₅.
  - (* <- *)
    apply E_IfTrue. reflexivity. assumption. Qed.

Of course, few programmers would be tempted to write a conditional whose guard is literally BTrue. A more interesting case is when the guard is equivalent to true:

Theorem: If b is equivalent to BTrue, then IFB b THEN c₁ ELSE c₂ FI is equivalent to c₁.

Proof:

(→) We must show, for all st and st', that if IFB b THEN c₁ ELSE c₂ FI / st ⇓ st' then c₁ / st ⇓ st'.

Proceed by cases on the rules that could possibly have been used to show IFB b THEN c₁ ELSE c₂ FI / st ⇓ st', namely E_IfTrue and E_IfFalse.
- Suppose the final rule rule in the derivation of IFB b THEN c₁ ELSE c₂ FI / st ⇓ st' was E_IfTrue. We then have, by the premises of E_IfTrue, that c₁ / st ⇓ st'. This is exactly what we set out to prove.
- On the other hand, suppose the final rule in the derivation of IFB b THEN c₁ ELSE c₂ FI / st ⇓ st' was E_IfFalse. We then know that beval st b = false and c₂ / st ⇓ st'.
  
  Recall that b is equivalent to BTrue, i.e., forall st, beval st b = beval st BTrue. In particular, this means that beval st b = true, since beval st BTrue = true. But this is a contradiction, since E_IfFalse requires that beval st b = false. Thus, the final rule could not have been E_IfFalse.
(←) We must show, for all st and st', that if c₁ / st ⇓ st' then IFB b THEN c₁ ELSE c₂ FI / st ⇓ st'.

Since b is equivalent to BTrue, we know that beval st b = beval st BTrue = true. Together with the assumption that c₁ / st ⇓ st', we can apply E_IfTrue to derive IFB b THEN c₁ ELSE c₂ FI / st ⇓ st'. ☐

Here is the formal version of this proof:

Theorem IFB_true: ∀b c₁ c₂,
     bequiv b BTrue →
     cequiv
       (IFB b THEN c₁ ELSE c₂ FI)
       c₁.
Proof.
  intros b c₁ c₂ Hb.
  split; intros H.
  - (* -> *)
    inversion H; subst.
    + (* b evaluates to true *)
      assumption.
    + (* b evaluates to false (contradiction) *)
      unfold bequiv in Hb. simpl in Hb.
      rewrite Hb in H₅.
      inversion H₅.
  - (* <- *)
    apply E_IfTrue; try assumption.
    unfold bequiv in Hb. simpl in Hb.
    rewrite Hb. reflexivity. Qed.

Exercise: 2 stars, recommended (IFB_false)

Theorem IFB_false: ∀b c₁ c₂,
  bequiv b BFalse →
  cequiv
    (IFB b THEN c₁ ELSE c₂ FI)
    c₂.
Proof.
  (* FILL IN HERE *) Admitted.

☐

Exercise: 3 stars (swap_if_branches)

Show that we can swap the branches of an IF by negating its condition

Theorem swap_if_branches: ∀b e₁ e₂,
  cequiv
    (IFB b THEN e₁ ELSE e₂ FI)
    (IFB BNot b THEN e₂ ELSE e₁ FI).
Proof.
  (* FILL IN HERE *) Admitted.

☐

For WHILE loops, we can give a similar pair of theorems. A loop whose guard is equivalent to BFalse is equivalent to SKIP, while a loop whose guard is equivalent to BTrue is equivalent to WHILE BTrue DO SKIP END (or any other non-terminating program). The first of these facts is easy.

Theorem WHILE_false : ∀b c,
     bequiv b BFalse →
     cequiv
       (WHILE b DO c END)
       SKIP.

Proof.
  intros b c Hb. split; intros H.
  - (* -> *)
    inversion H; subst.
    + (* E_WhileEnd *)
      apply E_Skip.
    + (* E_WhileLoop *)
      rewrite Hb in H₂. inversion H₂.
  - (* <- *)
    inversion H; subst.
    apply E_WhileEnd.
    rewrite Hb.
    reflexivity. Qed.

Exercise: 2 stars, advanced, optional (WHILE_false_informal)

Write an informal proof of WHILE_false.

(* FILL IN HERE *)
☐

To prove the second fact, we need an auxiliary lemma stating that WHILE loops whose guards are equivalent to BTrue never terminate:

Lemma: If b is equivalent to BTrue, then it cannot be the case that (WHILE b DO c END) / st ⇓ st'.

Proof: Suppose that (WHILE b DO c END) / st ⇓ st'. We show, by induction on a derivation of (WHILE b DO c END) / st ⇓ st', that this assumption leads to a contradiction.

Suppose (WHILE b DO c END) / st ⇓ st' is proved using rule E_WhileEnd. Then by assumption beval st b = false. But this contradicts the assumption that b is equivalent to BTrue.
Suppose (WHILE b DO c END) / st ⇓ st' is proved using rule E_WhileLoop. Then we are given the induction hypothesis that (WHILE b DO c END) / st ⇓ st' is contradictory, which is exactly what we are trying to prove!
Since these are the only rules that could have been used to prove (WHILE b DO c END) / st ⇓ st', the other cases of the induction are immediately contradictory. ☐

Lemma WHILE_true_nonterm : ∀b c st st',
     bequiv b BTrue →
     ~( (WHILE b DO c END) / st ⇓ st' ).
Proof.
  (* WORKED IN CLASS *)
  intros b c st st' Hb.
  intros H.
  remember (WHILE b DO c END) as cw eqn:Heqcw.
  induction H;
    (* Most rules don't apply, and we can rule them out
       by inversion *)
    inversion Heqcw; subst; clear Heqcw.
  (* The two interesting cases are the ones for WHILE loops: *)
  - (* E_WhileEnd *) (* contradictory -- b is always true! *)
    unfold bequiv in Hb.
    (* rewrite is able to instantiate the quantifier in st *)
    rewrite Hb in H. inversion H.
  - (* E_WhileLoop *) (* immediate from the IH *)
    apply IHceval2. reflexivity. Qed.

Exercise: 2 stars, optional (WHILE_true_nonterm_informal)

Explain what the lemma WHILE_true_nonterm means in English.

(* FILL IN HERE *)
☐

Exercise: 2 stars, recommended (WHILE_true)

Prove the following theorem. Hint: You'll want to use WHILE_true_nonterm here.

Theorem WHILE_true: ∀b c,
     bequiv b BTrue →
     cequiv
       (WHILE b DO c END)
       (WHILE BTrue DO SKIP END).
Proof.
  (* FILL IN HERE *) Admitted.

☐

Theorem loop_unrolling: ∀b c,
  cequiv
    (WHILE b DO c END)
    (IFB b THEN (c;; WHILE b DO c END) ELSE SKIP FI).
Proof.
  (* WORKED IN CLASS *)

  intros b c st st'.
  split; intros Hce.
  - (* -> *)
    inversion Hce; subst.
    + (* loop doesn't run *)
      apply E_IfFalse. assumption. apply E_Skip.
    + (* loop runs *)
      apply E_IfTrue. assumption.
      apply E_Seq with (st' := st'0). assumption. assumption.
  - (* <- *)
    inversion Hce; subst.
    + (* loop runs *)
      inversion H₅; subst.
      apply E_WhileLoop with (st' := st'0).
      assumption. assumption. assumption.
    + (* loop doesn't run *)
      inversion H₅; subst. apply E_WhileEnd. assumption. Qed.

Exercise: 2 stars, optional (seq_assoc)

Theorem seq_assoc : ∀c₁ c₂ c₃,
cequiv ((c₁;;c₂);;c₃) (c₁;;(c₂;;c₃)).
Proof.
(* FILL IN HERE *) Admitted.

☐

Proving program properties involving assignments is one place where the functional-extensionality axiom introduced in the Logic chapter often comes in handy. Here are an example and an exercise.

Theorem identity_assignment : ∀(X:id),
  cequiv
    (X ::= AId X)
    SKIP.
Proof.
   intros. split; intro H.
     - (* -> *)
       inversion H; subst. simpl.
       replace (t_update st X (st X)) with st.
       + constructor.
       + apply functional_extensionality. intro.
         rewrite t_update_same; reflexivity.
     - (* <- *)
       replace st' with (t_update st' X (aeval st' (AId X))).
       + inversion H. subst. apply E_Ass. reflexivity.
       + apply functional_extensionality. intro.
         rewrite t_update_same. reflexivity.
Qed.

Exercise: 2 stars, recommended (assign_aequiv)

Theorem assign_aequiv : ∀X e,
  aequiv (AId X) e →
  cequiv SKIP (X ::= e).
Proof.
  (* FILL IN HERE *) Admitted.

☐

Properties of Behavioral Equivalence

We now turn to developing some of the properties of the program equivalences we have defined.

Behavioral Equivalence Is an Equivalence

First, we verify that the equivalences on aexps, bexps, and coms really are equivalences — i.e., that they are reflexive, symmetric, and transitive. The proofs are all easy.

Lemma refl_aequiv : ∀(a : aexp), aequiv a a.

Proof.
intros a st. reflexivity. Qed.

Lemma sym_aequiv : ∀(a₁ a₂ : aexp),
aequiv a₁ a₂ → aequiv a₂ a₁.

Proof.
intros a₁ a₂ H. intros st. symmetry. apply H. Qed.

Lemma trans_aequiv : ∀(a₁ a₂ a₃ : aexp),
aequiv a₁ a₂ → aequiv a₂ a₃ → aequiv a₁ a₃.

Proof.
unfold aequiv. intros a₁ a₂ a₃ H₁₂ H₂₃ st.
rewrite (H₁₂ st). rewrite (H₂₃ st). reflexivity. Qed.

Lemma refl_bequiv : ∀(b : bexp), bequiv b b.

Proof.
unfold bequiv. intros b st. reflexivity. Qed.

Lemma sym_bequiv : ∀(b₁ b₂ : bexp),
bequiv b₁ b₂ → bequiv b₂ b₁.

Proof.
unfold bequiv. intros b₁ b₂ H. intros st. symmetry. apply H. Qed.

Lemma trans_bequiv : ∀(b₁ b₂ b₃ : bexp),
bequiv b₁ b₂ → bequiv b₂ b₃ → bequiv b₁ b₃.

Proof.
unfold bequiv. intros b₁ b₂ b₃ H₁₂ H₂₃ st.
rewrite (H₁₂ st). rewrite (H₂₃ st). reflexivity. Qed.

Lemma refl_cequiv : ∀(c : com), cequiv c c.

Proof.
unfold cequiv. intros c st st'. apply iff_refl. Qed.

Lemma sym_cequiv : ∀(c₁ c₂ : com),
cequiv c₁ c₂ → cequiv c₂ c₁.

Proof.
  unfold cequiv. intros c₁ c₂ H st st'.
  assert (c₁ / st ⇓ st' ↔ c₂ / st ⇓ st') as H'.
  { (* Proof of assertion *) apply H. }
  apply iff_sym. assumption.
Qed.

Lemma iff_trans : ∀(P₁ P₂ P₃ : Prop),
(P₁ ↔ P₂) → (P₂ ↔ P₃) → (P₁ ↔ P₃).

Proof.
  intros P₁ P₂ P₃ H₁₂ H₂₃.
  inversion H₁₂. inversion H₂₃.
  split; intros A.
    apply H₁. apply H. apply A.
    apply H₀. apply H₂. apply A. Qed.

Lemma trans_cequiv : ∀(c₁ c₂ c₃ : com),
cequiv c₁ c₂ → cequiv c₂ c₃ → cequiv c₁ c₃.

Proof.
unfold cequiv. intros c₁ c₂ c₃ H₁₂ H₂₃ st st'.
apply iff_trans with (c₂ / st ⇓ st'). apply H₁₂. apply H₂₃. Qed.

Behavioral Equivalence Is a Congruence

Less obviously, behavioral equivalence is also a congruence. That is, the equivalence of two subprograms implies the equivalence of the larger programs in which they are embedded:

aequiv a₁ a₁'

cequiv (i ::= a₁) (i ::= a₁')

cequiv c₁ c₁'
cequiv c₂ c₂'

cequiv (c₁;;c₂) (c₁';;c₂')

...and so on for the other forms of commands.

(Note that we are using the inference rule notation here not as part of a definition, but simply to write down some valid implications in a readable format. We prove these implications below.)

We will see a concrete example of why these congruence properties are important in the following section (in the proof of fold_constants_com_sound), but the main idea is that they allow us to replace a small part of a large program with an equivalent small part and know that the whole large programs are equivalent without doing an explicit proof about the non-varying parts — i.e., the "proof burden" of a small change to a large program is proportional to the size of the change, not the program.

Theorem CAss_congruence : ∀i a₁ a₁',
aequiv a₁ a₁' →
cequiv (CAss i a₁) (CAss i a₁').

Proof.
  intros i a₁ a₂ Heqv st st'.
  split; intros Hceval.
  - (* -> *)
    inversion Hceval. subst. apply E_Ass.
    rewrite Heqv. reflexivity.
  - (* <- *)
    inversion Hceval. subst. apply E_Ass.
    rewrite Heqv. reflexivity. Qed.

The congruence property for loops is a little more interesting, since it requires induction.

Theorem: Equivalence is a congruence for WHILE — that is, if b₁ is equivalent to b₁' and c₁ is equivalent to c₁', then WHILE b₁ DO c₁ END is equivalent to WHILE b₁' DO c₁' END.

Proof: Suppose b₁ is equivalent to b₁' and c₁ is equivalent to c₁'. We must show, for every st and st', that WHILE b₁ DO c₁ END / st ⇓ st' iff WHILE b₁' DO c₁' END / st ⇓ st'. We consider the two directions separately.

(→) We show that WHILE b₁ DO c₁ END / st ⇓ st' implies WHILE b₁' DO c₁' END / st ⇓ st', by induction on a derivation of WHILE b₁ DO c₁ END / st ⇓ st'. The only nontrivial cases are when the final rule in the derivation is E_WhileEnd or E_WhileLoop.
- E_WhileEnd: In this case, the form of the rule gives us beval st b₁ = false and st = st'. But then, since b₁ and b₁' are equivalent, we have beval st b₁' = false, and E-WhileEnd applies, giving us WHILE b₁' DO c₁' END / st ⇓ st', as required.
- E_WhileLoop: The form of the rule now gives us beval st b₁ = true, with c₁ / st ⇓ st'0 and WHILE b₁ DO c₁ END / st'0 ⇓ st' for some state st'0, with the induction hypothesis WHILE b₁' DO c₁' END / st'0 ⇓ st'.
  
  Since c₁ and c₁' are equivalent, we know that c₁' / st ⇓ st'0. And since b₁ and b₁' are equivalent, we have beval st b₁' = true. Now E-WhileLoop applies, giving us WHILE b₁' DO c₁' END / st ⇓ st', as required.
(←) Similar. ☐

Theorem CWhile_congruence : ∀b₁ b₁' c₁ c₁',
  bequiv b₁ b₁' → cequiv c₁ c₁' →
  cequiv (WHILE b₁ DO c₁ END) (WHILE b₁' DO c₁' END).
Proof.
  (* WORKED IN CLASS *)
  unfold bequiv,cequiv.
  intros b₁ b₁' c₁ c₁' Hb1e Hc1e st st'.
  split; intros Hce.
  - (* -> *)
    remember (WHILE b₁ DO c₁ END) as cwhile
      eqn:Heqcwhile.
    induction Hce; inversion Heqcwhile; subst.
    + (* E_WhileEnd *)
      apply E_WhileEnd. rewrite ← Hb1e. apply H.
    + (* E_WhileLoop *)
      apply E_WhileLoop with (st' := st').
      * (* show loop runs *) rewrite ← Hb1e. apply H.
      * (* body execution *)
        apply (Hc1e st st'). apply Hce1.
      * (* subsequent loop execution *)
        apply IHHce2. reflexivity.
  - (* <- *)
    remember (WHILE b₁' DO c₁' END) as c'while
      eqn:Heqc'while.
    induction Hce; inversion Heqc'while; subst.
    + (* E_WhileEnd *)
      apply E_WhileEnd. rewrite → Hb1e. apply H.
    + (* E_WhileLoop *)
      apply E_WhileLoop with (st' := st').
      * (* show loop runs *) rewrite → Hb1e. apply H.
      * (* body execution *)
        apply (Hc1e st st'). apply Hce1.
      * (* subsequent loop execution *)
        apply IHHce2. reflexivity. Qed.

Exercise: 3 stars, optional (CSeq_congruence)

Theorem CSeq_congruence : ∀c₁ c₁' c₂ c₂',
  cequiv c₁ c₁' → cequiv c₂ c₂' →
  cequiv (c₁;;c₂) (c₁';;c₂').
Proof.
  (* FILL IN HERE *) Admitted.

☐

Exercise: 3 stars (CIf_congruence)

Theorem CIf_congruence : ∀b b' c₁ c₁' c₂ c₂',
  bequiv b b' → cequiv c₁ c₁' → cequiv c₂ c₂' →
  cequiv (IFB b THEN c₁ ELSE c₂ FI)
         (IFB b' THEN c₁' ELSE c₂' FI).
Proof.
  (* FILL IN HERE *) Admitted.

☐

For example, here are two equivalent programs and a proof of their equivalence...

Example congruence_example:
  cequiv
    (* Program 1: *)
    (X ::= ANum 0;;
     IFB (BEq (AId X) (ANum 0))
     THEN
       Y ::= ANum 0
     ELSE
       Y ::= ANum 42
     FI)
    (* Program 2: *)
    (X ::= ANum 0;;
     IFB (BEq (AId X) (ANum 0))
     THEN
       Y ::= AMinus (AId X) (AId X) (* <--- changed here *)
     ELSE
       Y ::= ANum 42
     FI).
Proof.
  apply CSeq_congruence.
    apply refl_cequiv.
    apply CIf_congruence.
      apply refl_bequiv.
      apply CAss_congruence. unfold aequiv. simpl.
        symmetry. apply minus_diag.
      apply refl_cequiv.
Qed.

Program Transformations

A program transformation is a function that takes a program as input and produces some variant of the program as output. Compiler optimizations such as constant folding are a canonical example, but there are many others.

A program transformation is sound if it preserves the behavior of the original program.

Definition atrans_sound (atrans : aexp → aexp) : Prop :=
  ∀(a : aexp),
    aequiv a (atrans a).

Definition btrans_sound (btrans : bexp → bexp) : Prop :=
  ∀(b : bexp),
    bequiv b (btrans b).

Definition ctrans_sound (ctrans : com → com) : Prop :=
  ∀(c : com),
    cequiv c (ctrans c).

The Constant-Folding Transformation

An expression is constant when it contains no variable references.

Constant folding is an optimization that finds constant expressions and replaces them by their values.

Fixpoint fold_constants_aexp (a : aexp) : aexp :=
  match a with
  | ANum n ⇒ ANum n
  | AId i ⇒ AId i
  | APlus a₁ a₂ ⇒
    match (fold_constants_aexp a₁, fold_constants_aexp a₂)
    with
    | (ANum n₁, ANum n₂) ⇒ ANum (n₁ + n₂)
    | (a₁', a₂') ⇒ APlus a₁' a₂'
    end
  | AMinus a₁ a₂ ⇒
    match (fold_constants_aexp a₁, fold_constants_aexp a₂)
    with
    | (ANum n₁, ANum n₂) ⇒ ANum (n₁ - n₂)
    | (a₁', a₂') ⇒ AMinus a₁' a₂'
    end
  | AMult a₁ a₂ ⇒
    match (fold_constants_aexp a₁, fold_constants_aexp a₂)
    with
    | (ANum n₁, ANum n₂) ⇒ ANum (n₁ * n₂)
    | (a₁', a₂') ⇒ AMult a₁' a₂'
    end
  end.

Example fold_aexp_ex₁ :
    fold_constants_aexp
      (AMult (APlus (ANum 1) (ANum 2)) (AId X))
  = AMult (ANum 3) (AId X).

Proof. reflexivity. Qed.

Note that this version of constant folding doesn't eliminate trivial additions, etc. — we are focusing attention on a single optimization for the sake of simplicity. It is not hard to incorporate other ways of simplifying expressions; the definitions and proofs just get longer.

Example fold_aexp_ex₂ :
    fold_constants_aexp
      (AMinus (AId X) (APlus (AMult (ANum 0) (ANum 6))
                             (AId Y)))
  = AMinus (AId X) (APlus (ANum 0) (AId Y)).

Proof. reflexivity. Qed.

Not only can we lift fold_constants_aexp to bexps (in the BEq and BLe cases), we can also find constant boolean expressions and evaluate them in-place.

Fixpoint fold_constants_bexp (b : bexp) : bexp :=
  match b with
  | BTrue ⇒ BTrue
  | BFalse ⇒ BFalse
  | BEq a₁ a₂ ⇒
    match (fold_constants_aexp a₁, fold_constants_aexp a₂)
    with
    | (ANum n₁, ANum n₂) ⇒
        if beq_nat n₁ n₂ then BTrue else BFalse
    | (a₁', a₂') ⇒
        BEq a₁' a₂'
    end
  | BLe a₁ a₂ ⇒
    match (fold_constants_aexp a₁, fold_constants_aexp a₂)
    with
    | (ANum n₁, ANum n₂) ⇒
        if leb n₁ n₂ then BTrue else BFalse
    | (a₁', a₂') ⇒
        BLe a₁' a₂'
    end
  | BNot b₁ ⇒
    match (fold_constants_bexp b₁) with
    | BTrue ⇒ BFalse
    | BFalse ⇒ BTrue
    | b₁' ⇒ BNot b₁'
    end
  | BAnd b₁ b₂ ⇒
    match (fold_constants_bexp b₁, fold_constants_bexp b₂)
    with
    | (BTrue, BTrue) ⇒ BTrue
    | (BTrue, BFalse) ⇒ BFalse
    | (BFalse, BTrue) ⇒ BFalse
    | (BFalse, BFalse) ⇒ BFalse
    | (b₁', b₂') ⇒ BAnd b₁' b₂'
    end
  end.

Example fold_bexp_ex₁ :
    fold_constants_bexp (BAnd BTrue (BNot (BAnd BFalse BTrue)))
  = BTrue.

Proof. reflexivity. Qed.

Example fold_bexp_ex₂ :
    fold_constants_bexp
      (BAnd (BEq (AId X) (AId Y))
            (BEq (ANum 0)
                 (AMinus (ANum 2) (APlus (ANum 1)
                                         (ANum 1)))))
  = BAnd (BEq (AId X) (AId Y)) BTrue.

Proof. reflexivity. Qed.

To fold constants in a command, we apply the appropriate folding functions on all embedded expressions.

Fixpoint fold_constants_com (c : com) : com :=
  match c with
  | SKIP ⇒
      SKIP
  | i ::= a ⇒
      CAss i (fold_constants_aexp a)
  | c₁ ;; c₂ ⇒
      (fold_constants_com c₁) ;; (fold_constants_com c₂)
  | IFB b THEN c₁ ELSE c₂ FI ⇒
      match fold_constants_bexp b with
      | BTrue ⇒ fold_constants_com c₁
      | BFalse ⇒ fold_constants_com c₂
      | b' ⇒ IFB b' THEN fold_constants_com c₁
                     ELSE fold_constants_com c₂ FI
      end
  | WHILE b DO c END ⇒
      match fold_constants_bexp b with
      | BTrue ⇒ WHILE BTrue DO SKIP END
      | BFalse ⇒ SKIP
      | b' ⇒ WHILE b' DO (fold_constants_com c) END
      end
  end.

Example fold_com_ex₁ :
  fold_constants_com
    (* Original program: *)
    (X ::= APlus (ANum 4) (ANum 5);;
     Y ::= AMinus (AId X) (ANum 3);;
     IFB BEq (AMinus (AId X) (AId Y))
             (APlus (ANum 2) (ANum 4)) THEN
       SKIP
     ELSE
       Y ::= ANum 0
     FI;;
     IFB BLe (ANum 0)
             (AMinus (ANum 4) (APlus (ANum 2) (ANum 1)))
     THEN
       Y ::= ANum 0
     ELSE
       SKIP
     FI;;
     WHILE BEq (AId Y) (ANum 0) DO
       X ::= APlus (AId X) (ANum 1)
     END)
  = (* After constant folding: *)
    (X ::= ANum 9;;
     Y ::= AMinus (AId X) (ANum 3);;
     IFB BEq (AMinus (AId X) (AId Y)) (ANum 6) THEN
       SKIP
     ELSE
       (Y ::= ANum 0)
     FI;;
     Y ::= ANum 0;;
     WHILE BEq (AId Y) (ANum 0) DO
       X ::= APlus (AId X) (ANum 1)
     END).

Proof. reflexivity. Qed.

Soundness of Constant Folding

Now we need to show that what we've done is correct.

Here's the proof for arithmetic expressions:

Theorem fold_constants_aexp_sound :
atrans_sound fold_constants_aexp.

Proof.
  unfold atrans_sound. intros a. unfold aequiv. intros st.
  induction a; simpl;
    (* ANum and AId follow immediately *)
    try reflexivity;
    (* APlus, AMinus, and AMult follow from the IH
       and the observation that
              aeval st (APlus a₁ a₂)
            = ANum ((aeval st a₁) + (aeval st a₂))
            = aeval st (ANum ((aeval st a₁) + (aeval st a₂)))
       (and similarly for AMinus/minus and AMult/mult) *)
    try (destruct (fold_constants_aexp a₁);
         destruct (fold_constants_aexp a₂);
         rewrite IHa1; rewrite IHa2; reflexivity). Qed.

Exercise: 3 stars, optional (fold_bexp_Eq_informal)

Here is an informal proof of the BEq case of the soundness argument for boolean expression constant folding. Read it carefully and compare it to the formal proof that follows. Then fill in the BLe case of the formal proof (without looking at the BEq case, if possible).

Theorem: The constant folding function for booleans, fold_constants_bexp, is sound.

Proof: We must show that b is equivalent to fold_constants_bexp, for all boolean expressions b. Proceed by induction on b. We show just the case where b has the form BEq a₁ a₂.

In this case, we must show

beval st (BEq a₁ a₂)
= beval st (fold_constants_bexp (BEq a₁ a₂)).

There are two cases to consider:

First, suppose fold_constants_aexp a₁ = ANum n₁ and fold_constants_aexp a₂ = ANum n₂ for some n₁ and n₂.

In this case, we have

    fold_constants_bexp (BEq a₁ a₂)
  = if beq_nat n₁ n₂ then BTrue else BFalse

and

    beval st (BEq a₁ a₂)
  = beq_nat (aeval st a₁) (aeval st a₂).

By the soundness of constant folding for arithmetic expressions (Lemma fold_constants_aexp_sound), we know

    aeval st a₁
  = aeval st (fold_constants_aexp a₁)
  = aeval st (ANum n₁)
  = n₁

and

    aeval st a₂
  = aeval st (fold_constants_aexp a₂)
  = aeval st (ANum n₂)
  = n₂,

so

    beval st (BEq a₁ a₂)
  = beq_nat (aeval a₁) (aeval a₂)
  = beq_nat n₁ n₂.

Also, it is easy to see (by considering the cases n₁ = n₂ and n₁ ≠ n₂ separately) that

    beval st (if beq_nat n₁ n₂ then BTrue else BFalse)
  = if beq_nat n₁ n₂ then beval st BTrue else beval st BFalse
  = if beq_nat n₁ n₂ then true else false
  = beq_nat n₁ n₂.

So

    beval st (BEq a₁ a₂)
  = beq_nat n₁ n₂.
  = beval st (if beq_nat n₁ n₂ then BTrue else BFalse),

as required.
Otherwise, one of fold_constants_aexp a₁ and fold_constants_aexp a₂ is not a constant. In this case, we must show

    beval st (BEq a₁ a₂)
  = beval st (BEq (fold_constants_aexp a₁)
                  (fold_constants_aexp a₂)),

which, by the definition of beval, is the same as showing

    beq_nat (aeval st a₁) (aeval st a₂)
  = beq_nat (aeval st (fold_constants_aexp a₁))
            (aeval st (fold_constants_aexp a₂)).

But the soundness of constant folding for arithmetic expressions (fold_constants_aexp_sound) gives us

  aeval st a₁ = aeval st (fold_constants_aexp a₁)
  aeval st a₂ = aeval st (fold_constants_aexp a₂),

completing the case. ☐

Theorem fold_constants_bexp_sound:
  btrans_sound fold_constants_bexp.
Proof.
  unfold btrans_sound. intros b. unfold bequiv. intros st.
  induction b;
    (* BTrue and BFalse are immediate *)
    try reflexivity.
  - (* BEq *)
    rename a into a₁. rename a₀ into a₂. simpl.

(Doing induction when there are a lot of constructors makes specifying variable names a chore, but Coq doesn't always choose nice variable names. We can rename entries in the context with the rename tactic: rename a into a₁ will change a to a₁ in the current goal and context.)

    remember (fold_constants_aexp a₁) as a₁' eqn:Heqa1'.
    remember (fold_constants_aexp a₂) as a₂' eqn:Heqa2'.
    replace (aeval st a₁) with (aeval st a₁') by
       (subst a₁'; rewrite ← fold_constants_aexp_sound; reflexivity).
    replace (aeval st a₂) with (aeval st a₂') by
       (subst a₂'; rewrite ← fold_constants_aexp_sound; reflexivity).
    destruct a₁'; destruct a₂'; try reflexivity.

The only interesting case is when both a₁ and a₂ become constants after folding

      simpl. destruct (beq_nat n n₀); reflexivity.
  - (* BLe *)
    (* FILL IN HERE *) admit.
  - (* BNot *)
    simpl. remember (fold_constants_bexp b) as b' eqn:Heqb'.
    rewrite IHb.
    destruct b'; reflexivity.
  - (* BAnd *)
    simpl.
    remember (fold_constants_bexp b₁) as b₁' eqn:Heqb1'.
    remember (fold_constants_bexp b₂) as b₂' eqn:Heqb2'.
    rewrite IHb1. rewrite IHb2.
    destruct b₁'; destruct b₂'; reflexivity.
(* FILL IN HERE *) Admitted.

☐

Exercise: 3 stars (fold_constants_com_sound)

Complete the WHILE case of the following proof.

Theorem fold_constants_com_sound :
  ctrans_sound fold_constants_com.
Proof.
  unfold ctrans_sound. intros c.
  induction c; simpl.
  - (* SKIP *) apply refl_cequiv.
  - (* ::= *) apply CAss_congruence.
              apply fold_constants_aexp_sound.
  - (* ;; *) apply CSeq_congruence; assumption.
  - (* IFB *)
    assert (bequiv b (fold_constants_bexp b)). {
      apply fold_constants_bexp_sound. }
    destruct (fold_constants_bexp b) eqn:Heqb;
      try (apply CIf_congruence; assumption).

(If the optimization doesn't eliminate the if, then the result is easy to prove from the IH and fold_constants_bexp_sound.)

    + (* b always true *)
      apply trans_cequiv with c₁; try assumption.
      apply IFB_true; assumption.
    + (* b always false *)
      apply trans_cequiv with c₂; try assumption.
      apply IFB_false; assumption.
  - (* WHILE *)
    (* FILL IN HERE *) Admitted.

☐

Soundness of (0 + n) Elimination, Redux

Exercise: 4 stars, advanced, optional (optimize_0plus)

Recall the definition optimize_0plus from the Imp chapter:

    Fixpoint optimize_0plus (e:aexp) : aexp :=
      match e with
      | ANum n ⇒
          ANum n
      | APlus (ANum 0) e₂ ⇒
          optimize_0plus e₂
      | APlus e₁ e₂ ⇒
          APlus (optimize_0plus e₁) (optimize_0plus e₂)
      | AMinus e₁ e₂ ⇒
          AMinus (optimize_0plus e₁) (optimize_0plus e₂)
      | AMult e₁ e₂ ⇒
          AMult (optimize_0plus e₁) (optimize_0plus e₂)
      end.

Note that this function is defined over the old aexps, without states.

Write a new version of this function that accounts for variables, plus analogous ones for bexps and commands:

     optimize_0plus_aexp
     optimize_0plus_bexp
     optimize_0plus_com

Prove that these three functions are sound, as we did for fold_constants_*. Make sure you use the congruence lemmas in the proof of optimize_0plus_com — otherwise it will be long!

Then define an optimizer on commands that first folds constants (using fold_constants_com) and then eliminates 0 + n terms (using optimize_0plus_com).

Give a meaningful example of this optimizer's output.
Prove that the optimizer is sound. (This part should be very easy.)

(* FILL IN HERE *)

☐

Proving That Programs Are Not Equivalent

Suppose that c₁ is a command of the form X ::= a₁;; Y ::= a₂ and c₂ is the command X ::= a₁;; Y ::= a₂', where a₂' is formed by substituting a₁ for all occurrences of X in a₂. For example, c₁ and c₂ might be:

       c₁  =  (X ::= 42 + 53;;
               Y ::= Y + X)
       c₂  =  (X ::= 42 + 53;;
               Y ::= Y + (42 + 53))

Clearly, this particular c₁ and c₂ are equivalent. Is this true in general?

We will see in a moment that it is not, but it is worthwhile to pause, now, and see if you can find a counter-example on your own.

Here, formally, is the function that substitutes an arithmetic expression for each occurrence of a given variable in another expression:

Fixpoint subst_aexp (i : id) (u : aexp) (a : aexp) : aexp :=
  match a with
  | ANum n ⇒
      ANum n
  | AId i' ⇒
      if beq_id i i' then u else AId i'
  | APlus a₁ a₂ ⇒
      APlus (subst_aexp i u a₁) (subst_aexp i u a₂)
  | AMinus a₁ a₂ ⇒
      AMinus (subst_aexp i u a₁) (subst_aexp i u a₂)
  | AMult a₁ a₂ ⇒
      AMult (subst_aexp i u a₁) (subst_aexp i u a₂)
  end.

Example subst_aexp_ex :
  subst_aexp X (APlus (ANum 42) (ANum 53))
             (APlus (AId Y) (AId X))
= (APlus (AId Y) (APlus (ANum 42) (ANum 53))).

Proof. reflexivity. Qed.

And here is the property we are interested in, expressing the claim that commands c₁ and c₂ as described above are always equivalent.

Definition subst_equiv_property := ∀i₁ i₂ a₁ a₂,
cequiv (i₁ ::= a₁;; i₂ ::= a₂)
(i₁ ::= a₁;; i₂ ::= subst_aexp i₁ a₁ a₂).

Sadly, the property does not always hold.

Theorem: It is not the case that, for all i₁, i₂, a₁, and a₂,

cequiv (i₁ ::= a₁;; i₂ ::= a₂)
(i₁ ::= a₁;; i₂ ::= subst_aexp i₁ a₁ a₂).

Proof: Suppose, for a contradiction, that for all i₁, i₂, a₁, and a₂, we have

cequiv (i₁ ::= a₁;; i₂ ::= a₂)
(i₁ ::= a₁;; i₂ ::= subst_aexp i₁ a₁ a₂).

Consider the following program:

X ::= APlus (AId X) (ANum 1);; Y ::= AId X

Note that

(X ::= APlus (AId X) (ANum 1);; Y ::= AId X)
/ empty_state ⇓ st₁,

where st₁ = { X ↦ 1, Y ↦ 1 }.

By our assumption, we know that

cequiv (X ::= APlus (AId X) (ANum 1);; Y ::= AId X)
(X ::= APlus (AId X) (ANum 1);; Y ::= APlus (AId X) (ANum 1))

so, by the definition of cequiv, we have

(X ::= APlus (AId X) (ANum 1);; Y ::= APlus (AId X) (ANum 1))
/ empty_state ⇓ st₁.

But we can also derive

(X ::= APlus (AId X) (ANum 1);; Y ::= APlus (AId X) (ANum 1))
/ empty_state ⇓ st₂,

where st₂ = { X ↦ 1, Y ↦ 2 }. Note that st₁ ≠ st₂; this is a contradiction, since ceval is deterministic! ☐

Theorem subst_inequiv :
¬ subst_equiv_property.

Proof.
  unfold subst_equiv_property.
  intros Contra.

  (* Here is the counterexample: assuming that subst_equiv_property
     holds allows us to prove that these two programs are
     equivalent... *)
  remember (X ::= APlus (AId X) (ANum 1);;
            Y ::= AId X)
      as c₁.
  remember (X ::= APlus (AId X) (ANum 1);;
            Y ::= APlus (AId X) (ANum 1))
      as c₂.
  assert (cequiv c₁ c₂) by (subst; apply Contra).

  (* ... allows us to show that the command c₂ can terminate
     in two different final states:
        st₁ = {X |-> 1, Y |-> 1}
        st₂ = {X |-> 1, Y |-> 2}. *)
  remember (t_update (t_update empty_state X 1) Y 1) as st₁.
  remember (t_update (t_update empty_state X 1) Y 2) as st₂.
  assert (H₁: c₁ / empty_state ⇓ st₁);
  assert (H₂: c₂ / empty_state ⇓ st₂);
  try (subst;
       apply E_Seq with (st' := (t_update empty_state X 1));
       apply E_Ass; reflexivity).
  apply H in H₁.

  (* Finally, we use the fact that evaluation is deterministic
     to obtain a contradiction. *)
  assert (Hcontra: st₁ = st₂)
    by (apply (ceval_deterministic c₂ empty_state); assumption).
  assert (Hcontra': st₁ Y = st₂ Y)
    by (rewrite Hcontra; reflexivity).
  subst. inversion Hcontra'. Qed.

Exercise: 4 stars, optional (better_subst_equiv)

The equivalence we had in mind above was not complete nonsense — it was actually almost right. To make it correct, we just need to exclude the case where the variable X occurs in the right-hand-side of the first assignment statement.

Inductive var_not_used_in_aexp (X:id) : aexp → Prop :=
  | VNUNum: ∀n, var_not_used_in_aexp X (ANum n)
  | VNUId: ∀Y, X ≠ Y → var_not_used_in_aexp X (AId Y)
  | VNUPlus: ∀a₁ a₂,
      var_not_used_in_aexp X a₁ →
      var_not_used_in_aexp X a₂ →
      var_not_used_in_aexp X (APlus a₁ a₂)
  | VNUMinus: ∀a₁ a₂,
      var_not_used_in_aexp X a₁ →
      var_not_used_in_aexp X a₂ →
      var_not_used_in_aexp X (AMinus a₁ a₂)
  | VNUMult: ∀a₁ a₂,
      var_not_used_in_aexp X a₁ →
      var_not_used_in_aexp X a₂ →
      var_not_used_in_aexp X (AMult a₁ a₂).

Lemma aeval_weakening : ∀i st a ni,
  var_not_used_in_aexp i a →
  aeval (t_update st i ni) a = aeval st a.
Proof.
  (* FILL IN HERE *) Admitted.

Using var_not_used_in_aexp, formalize and prove a correct verson of subst_equiv_property.

(* FILL IN HERE *)

☐

Exercise: 3 stars, optional (inequiv_exercise)

Prove that an infinite loop is not equivalent to SKIP

Theorem inequiv_exercise:
¬ cequiv (WHILE BTrue DO SKIP END) SKIP.
Proof.
(* FILL IN HERE *) Admitted.

☐

Extended Exercise: Nondeterministic Imp

As we have seen (in theorem ceval_deterministic in the Imp chapter), Imp's evaluation relation is deterministic. However, non-determinism is an important part of the definition of many real programming languages. For example, in many imperative languages (such as C and its relatives), the order in which function arguments are evaluated is unspecified. The program fragment

x = 0;;
f(++x, x)

might call f with arguments (1, 0) or (1, 1), depending how the compiler chooses to order things. This can be a little confusing for programmers, but it gives the compiler writer useful freedom.

In this exercise, we will extend Imp with a simple nondeterministic command and study how this change affects program equivalence. The new command has the syntax HAVOC X, where X is an identifier. The effect of executing HAVOC X is to assign an arbitrary number to the variable X, nondeterministically. For example, after executing the program:

HAVOC Y;;
Z ::= Y * 2

the value of Y can be any number, while the value of Z is twice that of Y (so Z is always even). Note that we are not saying anything about the probabilities of the outcomes — just that there are (infinitely) many different outcomes that can possibly happen after executing this nondeterministic code.

In a sense, a variable on which we do HAVOC roughly corresponds to an unitialized variable in a low-level language like C. After the HAVOC, the variable holds a fixed but arbitrary number. Most sources of nondeterminism in language definitions are there precisely because programmers don't care which choice is made (and so it is good to leave it open to the compiler to choose whichever will run faster).

We call this new language Himp (``Imp extended with HAVOC'').

Module Himp.

To formalize Himp, we first add a clause to the definition of commands.

Inductive com : Type :=
  | CSkip : com
  | CAss : id → aexp → com
  | CSeq : com → com → com
  | CIf : bexp → com → com → com
  | CWhile : bexp → com → com
  | CHavoc : id → com. (* <---- new *)

Notation "'SKIP'" :=
  CSkip.
Notation "X '::=' a" :=
  (CAss X a) (at level 60).
Notation "c₁ ;; c₂" :=
  (CSeq c₁ c₂) (at level 80, right associativity).
Notation "'WHILE' b 'DO' c 'END'" :=
  (CWhile b c) (at level 80, right associativity).
Notation "'IFB' e₁ 'THEN' e₂ 'ELSE' e₃ 'FI'" :=
  (CIf e₁ e₂ e₃) (at level 80, right associativity).
Notation "'HAVOC' l" := (CHavoc l) (at level 60).

Exercise: 2 stars (himp_ceval)

Now, we must extend the operational semantics. We have provided a template for the ceval relation below, specifying the big-step semantics. What rule(s) must be added to the definition of ceval to formalize the behavior of the HAVOC command?

Reserved Notation "c₁ '/' st '⇓' st'"
                  (at level 40, st at level 39).

Inductive ceval : com → state → state → Prop :=
  | E_Skip : ∀st : state, SKIP / st ⇓ st
  | E_Ass : ∀(st : state) (a₁ : aexp) (n : nat) (X : id),
      aeval st a₁ = n →
      (X ::= a₁) / st ⇓ t_update st X n
  | E_Seq : ∀(c₁ c₂ : com) (st st' st'' : state),
      c₁ / st ⇓ st' →
      c₂ / st' ⇓ st'' →
      (c₁ ;; c₂) / st ⇓ st''
  | E_IfTrue : ∀(st st' : state) (b₁ : bexp) (c₁ c₂ : com),
      beval st b₁ = true →
      c₁ / st ⇓ st' →
      (IFB b₁ THEN c₁ ELSE c₂ FI) / st ⇓ st'
  | E_IfFalse : ∀(st st' : state) (b₁ : bexp) (c₁ c₂ : com),
      beval st b₁ = false →
      c₂ / st ⇓ st' →
      (IFB b₁ THEN c₁ ELSE c₂ FI) / st ⇓ st'
  | E_WhileEnd : ∀(b₁ : bexp) (st : state) (c₁ : com),
      beval st b₁ = false →
      (WHILE b₁ DO c₁ END) / st ⇓ st
  | E_WhileLoop : ∀(st st' st'' : state) (b₁ : bexp) (c₁ : com),
      beval st b₁ = true →
      c₁ / st ⇓ st' →
      (WHILE b₁ DO c₁ END) / st' ⇓ st'' →
      (WHILE b₁ DO c₁ END) / st ⇓ st''
(* FILL IN HERE *)

  where "c₁ '/' st '⇓' st'" := (ceval c₁ st st').

As a sanity check, the following claims should be provable for your definition:

Example havoc_example1 : (HAVOC X) / empty_state ⇓ t_update empty_state X 0.
Proof.
(* FILL IN HERE *) Admitted.

Example havoc_example2 :
(SKIP;; HAVOC Z) / empty_state ⇓ t_update empty_state Z 42.
Proof.
(* FILL IN HERE *) Admitted.

☐

Finally, we repeat the definition of command equivalence from above:

Definition cequiv (c₁ c₂ : com) : Prop := ∀st st' : state,
c₁ / st ⇓ st' ↔ c₂ / st ⇓ st'.

Let's apply this definition to prove some nondeterministic programs equivalent / inequivalent.

Exercise: 3 stars (havoc_swap)

Are the following two programs equivalent?

Definition pXY :=
HAVOC X;; HAVOC Y.

Definition pYX :=
HAVOC Y;; HAVOC X.

If you think they are equivalent, prove it. If you think they are not, prove that.

Theorem pXY_cequiv_pYX :
cequiv pXY pYX ∨ ¬cequiv pXY pYX.
Proof. (* FILL IN HERE *) Admitted.

☐

Exercise: 4 stars, optional (havoc_copy)

Are the following two programs equivalent?

Definition ptwice :=
HAVOC X;; HAVOC Y.

Definition pcopy :=
HAVOC X;; Y ::= AId X.

If you think they are equivalent, then prove it. If you think they are not, then prove that. (Hint: You may find the assert tactic useful.)

Theorem ptwice_cequiv_pcopy :
cequiv ptwice pcopy ∨ ¬cequiv ptwice pcopy.
Proof. (* FILL IN HERE *) Admitted.

☐

The definition of program equivalence we are using here has some subtle consequences on programs that may loop forever. What cequiv says is that the set of possible terminating outcomes of two equivalent programs is the same. However, in a language with nondeterminism, like Himp, some programs always terminate, some programs always diverge, and some programs can nondeterministically terminate in some runs and diverge in others. The final part of the following exercise illustrates this phenomenon.

Exercise: 5 stars, advanced (p1_p2_equiv)

Prove that p₁ and p₂ are equivalent. In this and the following exercises, try to understand why the cequiv definition has the behavior it has on these examples.

Definition p₁ : com :=
  WHILE (BNot (BEq (AId X) (ANum 0))) DO
    HAVOC Y;;
    X ::= APlus (AId X) (ANum 1)
  END.

Definition p₂ : com :=
  WHILE (BNot (BEq (AId X) (ANum 0))) DO
    SKIP
  END.

Intuitively, the programs have the same termination behavior: either they loop forever, or they terminate in the same state they started in. We can capture the termination behavior of p₁ and p₂ individually with these lemmas:

Lemma p1_may_diverge : ∀st st', st X ≠ 0 →
¬ p₁ / st ⇓ st'.
Proof. (* FILL IN HERE *) Admitted.

Lemma p2_may_diverge : ∀st st', st X ≠ 0 →
¬ p₂ / st ⇓ st'.
Proof.
(* FILL IN HERE *) Admitted.

You should use these lemmas to prove that p₁ and p₂ are actually equivalent.

Theorem p1_p2_equiv : cequiv p₁ p₂.
Proof. (* FILL IN HERE *) Admitted.

☐

Exercise: 4 stars, advanced (p3_p4_inquiv)

Prove that the following programs are not equivalent.

Definition p₃ : com :=
  Z ::= ANum 1;;
  WHILE (BNot (BEq (AId X) (ANum 0))) DO
    HAVOC X;;
    HAVOC Z
  END.

Definition p₄ : com :=
  X ::= (ANum 0);;
  Z ::= (ANum 1).

Theorem p3_p4_inequiv : ¬ cequiv p₃ p₄.
Proof. (* FILL IN HERE *) Admitted.

☐

End Himp.

Additional Exercises

Exercise: 4 stars, optional (for_while_equiv)

This exercise extends the optional add_for_loop exercise from the Imp chapter, where you were asked to extend the language of commands with C-style for loops. Prove that the command:

      for (c₁ ; b ; c₂) {
          c₃
      }

is equivalent to:

       c₁ ;
       WHILE b DO
         c₃ ;
         c₂
       END

(* FILL IN HERE *)

☐

Exercise: 3 stars, optional (swap_noninterfering_assignments)

(Hint: You'll need functional_extensionality for this one.)

Theorem swap_noninterfering_assignments: ∀l₁ l₂ a₁ a₂,
  l₁ ≠ l₂ →
  var_not_used_in_aexp l₁ a₂ →
  var_not_used_in_aexp l₂ a₁ →
  cequiv
    (l₁ ::= a₁;; l₂ ::= a₂)
    (l₂ ::= a₂;; l₁ ::= a₁).
Proof.
(* FILL IN HERE *) Admitted.

☐

Exercise: 4 stars, advanced, optional (capprox)

In this exercise we define an asymmetric variant of program equivalence we call program approximation. We say that a program c₁ approximates a program c₂ when, for each of the initial states for which c₁ terminates, c₂ also terminates and produces the same final state. Formally, program approximation is defined as follows:

Definition capprox (c₁ c₂ : com) : Prop := ∀(st st' : state),
c₁ / st ⇓ st' → c₂ / st ⇓ st'.

For example, the program c₁ = WHILE X ≠ 1 DO X ::= X - 1 END approximates c₂ = X ::= 1, but c₂ does not approximate c₁ since c₁ does not terminate when X = 0 but c₂ does. If two programs approximate each other in both directions, then they are equivalent.

Find two programs c₃ and c₄ such that neither approximates the other.

Definition c₃ : com (* REPLACE THIS LINE WITH := _your_definition_ . *) . Admitted.
Definition c₄ : com (* REPLACE THIS LINE WITH := _your_definition_ . *) . Admitted.

Theorem c3_c4_different : ¬ capprox c₃ c₄ ∧ ¬ capprox c₄ c₃.
Proof. (* FILL IN HERE *) Admitted.

Find a program cmin that approximates every other program.

Definition cmin : com
(* REPLACE THIS LINE WITH := _your_definition_ . *) . Admitted.

Theorem cmin_minimal : ∀c, capprox cmin c.
Proof. (* FILL IN HERE *) Admitted.

Finally, find a non-trivial property which is preserved by program approximation (when going from left to right).

Definition zprop (c : com) : Prop
(* REPLACE THIS LINE WITH := _your_definition_ . *) . Admitted.

Theorem zprop_preserving : ∀c c',
zprop c → capprox c c' → zprop c'.
Proof. (* FILL IN HERE *) Admitted.

Software Technology: Program Equivalence

Some general advice for working on exercises:

Behavioral Equivalence

Definitions

Exercise: 2 stars (equiv_classes)

Examples

Exercise: 2 stars (skip_right)

Exercise: 2 stars, recommended (IFB_false)

Exercise: 3 stars (swap_if_branches)

Exercise: 2 stars, advanced, optional (WHILE_false_informal)

Exercise: 2 stars, optional (WHILE_true_nonterm_informal)

Exercise: 2 stars, recommended (WHILE_true)

Exercise: 2 stars, optional (seq_assoc)

Exercise: 2 stars, recommended (assign_aequiv)

Properties of Behavioral Equivalence

Behavioral Equivalence Is an Equivalence

Behavioral Equivalence Is a Congruence

Exercise: 3 stars, optional (CSeq_congruence)

Exercise: 3 stars (CIf_congruence)

Program Transformations

The Constant-Folding Transformation

Soundness of Constant Folding

Exercise: 3 stars, optional (fold_bexp_Eq_informal)

Exercise: 3 stars (fold_constants_com_sound)

Soundness of (0 + n) Elimination, Redux

Exercise: 4 stars, advanced, optional (optimize_0plus)

Proving That Programs Are Not Equivalent

Exercise: 4 stars, optional (better_subst_equiv)

Exercise: 3 stars, optional (inequiv_exercise)

Extended Exercise: Nondeterministic Imp

Exercise: 2 stars (himp_ceval)

Exercise: 3 stars (havoc_swap)

Exercise: 4 stars, optional (havoc_copy)

Exercise: 5 stars, advanced (p1_p2_equiv)

Exercise: 4 stars, advanced (p3_p4_inquiv)

Exercise: 5 stars, advanced, optional (p5_p6_equiv)

Additional Exercises

Exercise: 4 stars, optional (for_while_equiv)

Exercise: 3 stars, optional (swap_noninterfering_assignments)

Exercise: 4 stars, advanced, optional (capprox)