Proof Techniques for Operational Semantics
Meeting 10, CSCI 5535, Spring 2010

Announcements
• Homework 1 feedback/grades posted
• Homework 2 due tonight at 11:55pm
• Questions?

Plan
• Why Bother?
• Mathematical Induction
• Well-Founded Induction
• Structural Induction
  – “By induction on the structure of the derivation D”
Mathematical Induction
• Goal: prove ∀n ∈ N. P(n)
• Base Case: prove P(0)
• Inductive Step:
  – Prove “For all n. if P(n), then P(n+1)”
  – “Pick arbitrary n, assume P(n), prove P(n+1)”
• Why does induction work?

Example (With IMP Eval. Semantics)
• Prove that if σ(x) ≤ 6 then
    <while x ≤ 5 do x := x + 1, σ> ⇓ σ[x := 6]
• Reformulate the claim (most often, the hard part!):
  – Let W = while x ≤ 5 do x := x + 1
  – Let σi = σ[x := 6 - i]
  – Claim: For all i ∈ N. <W, σi> ⇓ σ0
• Now looks provable by mathematical induction on i
Evaluation Example (Base Case)
• Base case: i = 0, i.e. <W, σ0> ⇓ σ0
  – To prove an evaluation judgment, construct a derivation tree
    (recall σi = σ[x := 6 - i], so σ0(x) = 6):

        σ0(x) = 6
      -------------
      <x, σ0> ⇓ 6      <6 ≤ 5, σ0> ⇓ false
      -------------------------------------
             <x ≤ 5, σ0> ⇓ false
      -------------------------------------
      <while x ≤ 5 do x := x + 1, σ0> ⇓ σ0
Evaluation Example (Inductive Case)
• Must prove ∀i ∈ N. <W, σi> ⇓ σ0 ⇒ <W, σi+1> ⇓ σ0
  – Pick an arbitrary i ∈ N
  – Assume that <W, σi> ⇓ σ0
  – Now prove that <W, σi+1> ⇓ σ0
  – Must construct a derivation tree
    (recall σi = σ[x := 6 - i], so σi+1(x) = 5 - i):

      <x, σi+1> ⇓ 5 - i    5 - i ≤ 5      <x + 1, σi+1> ⇓ 6 - i
      -------------------------------    ---------------------------
           <x ≤ 5, σi+1> ⇓ true           <x := x + 1, σi+1> ⇓ σi       <W, σi> ⇓ σ0
      -------------------------------------------------------------------------------
                        <while x ≤ 5 do x := x + 1, σi+1> ⇓ σ0
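The two derivation trees above can be built mechanically. The following added example (not code from the lecture) is a big-step evaluator for the IMP fragment used on these slides that returns, next to the result, the derivation tree justifying the judgment; check_claim then verifies <W, σi> ⇓ σ0 for i = 0..6 and that each derivation contains the previous one as its third premise, which is exactly the inductive step. The tuple encoding of syntax, the rule names and the function names are this example's own assumptions.

```python
# Added example: big-step evaluator for IMP returning derivation trees.
# A derivation is (rule, conclusion, premises); conclusions are
# ("aexp", e, σ, n), ("bexp", b, σ, t) or ("com", c, σ, σ').
# Syntax is encoded as tuples (an assumption of this example): ("num", 5),
# ("var", "x"), ("add", e1, e2), ("mul", e1, e2), ("le", e1, e2), ("skip",),
# ("assign", "x", e), ("seq", c1, c2), ("while", b, c).

def aeval(e, s):
    """<e, σ> ⇓ n, returning (n, derivation)."""
    tag = e[0]
    if tag == "num":
        return e[1], ("num", ("aexp", e, s, e[1]), ())
    if tag == "var":
        return s[e[1]], ("var", ("aexp", e, s, s[e[1]]), ())
    n1, d1 = aeval(e[1], s)
    n2, d2 = aeval(e[2], s)
    n = n1 + n2 if tag == "add" else n1 * n2
    return n, (tag, ("aexp", e, s, n), (d1, d2))

def beval(b, s):
    """<b, σ> ⇓ t for b = e1 ≤ e2, the only boolean form the example needs."""
    n1, d1 = aeval(b[1], s)
    n2, d2 = aeval(b[2], s)
    t = n1 <= n2
    return t, ("le", ("bexp", b, s, t), (d1, d2))

def ceval(c, s):
    """<c, σ> ⇓ σ', returning (σ', derivation); rule names follow the slides."""
    tag = c[0]
    if tag == "skip":
        return s, ("skip", ("com", c, s, s), ())
    if tag == "assign":
        n, d = aeval(c[2], s)
        s2 = {**s, c[1]: n}                        # σ[x := n]
        return s2, ("assign", ("com", c, s, s2), (d,))
    if tag == "seq":
        s1, d1 = ceval(c[1], s)
        s2, d2 = ceval(c[2], s1)
        return s2, ("seq", ("com", c, s, s2), (d1, d2))
    if tag == "while":
        t, db = beval(c[1], s)
        if not t:
            return s, ("while-false", ("com", c, s, s), (db,))
        s1, dc = ceval(c[2], s)                    # <c, σ> ⇓ σ'
        s2, dw = ceval(c, s1)                      # <while b do c, σ'> ⇓ σ''
        return s2, ("while-true", ("com", c, s, s2), (db, dc, dw))
    raise ValueError(f"unknown command {c!r}")

def height(d):
    """Height of a derivation: 1 for an axiom, else 1 + the tallest premise."""
    return 1 + max((height(p) for p in d[2]), default=0)

def show(t):
    """Concrete syntax for the tuple encoding, used when printing derivations."""
    tag = t[0]
    if tag in ("num", "var"):
        return str(t[1])
    if tag in ("add", "mul", "le"):
        return f"{show(t[1])} {dict(add='+', mul='*', le='≤')[tag]} {show(t[2])}"
    if tag == "skip":
        return "skip"
    if tag == "assign":
        return f"{t[1]} := {show(t[2])}"
    if tag == "seq":
        return f"{show(t[1])}; {show(t[2])}"
    return f"while {show(t[1])} do {show(t[2])}"

def pretty(d, depth=0):
    """Render a derivation top-down: each conclusion, then its premises indented."""
    rule, (_, syn, s, out), prems = d
    lines = ["  " * depth + f"[{rule}] <{show(syn)}, {s}> ⇓ {out}"]
    for p in prems:
        lines.extend(pretty(p, depth + 1))
    return lines

# W = while x ≤ 5 do x := x + 1 and σi = σ[x := 6 - i], as on the slides.
W = ("while", ("le", ("var", "x"), ("num", 5)),
     ("assign", "x", ("add", ("var", "x"), ("num", 1))))

def sigma(i, base=None):
    return {**(base or {}), "x": 6 - i}

def check_claim(max_i=6, base=None):
    """Verify <W, σi> ⇓ σ0 for i = 0..max_i, and that the derivation for σ(i+1)
    has the derivation for σi as its third premise (the inductive step).
    Returns [(i, last rule used, derivation height)]."""
    summary, prev = [], None
    for i in range(max_i + 1):
        s_out, d = ceval(W, sigma(i, base))
        assert s_out == sigma(0, base)             # the claim <W, σi> ⇓ σ0
        if prev is not None:
            assert d[0] == "while-true" and d[2][2] == prev
        summary.append((i, d[0], height(d)))
        prev = d
    return summary

if __name__ == "__main__":
    print("\n".join(pretty(ceval(W, sigma(1))[1])))
    print(check_claim())
```

Running the block prints the derivation for σ1 (one while-true node above a while-false node) and the summary; the height of the derivation for σi is 3 + i, one extra while-true layer per unit of i, which is the tree-shaped picture of the induction.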
Well-Founded Induction
• A relation ≺ ⊆ A × A is well-founded if there are no infinite descending chains in A
  – Example: <1 = { (x, x + 1) | x ∈ N }
    • aka the predecessor relation
  – Example: < = { (x, y) | x, y ∈ N and x < y }
• Well-founded induction:
  – To prove ∀x ∈ A. P(x) it is enough to prove
      ∀x ∈ A. (∀y ≺ x. P(y)) ⇒ P(x)
• If ≺ is <1 then we obtain mathematical induction as a special case

Well-Founded Induction: Examples
• Consider ≺ ⊆ Z × Z with x ≺ y iff
    (y < 0 ∧ y = x - 1) ∨ (y > 0 ∧ y = x + 1). Says what?
  – Induction principle:
      P(0) ∧ (∀x ≤ 0. P(x) ⇒ P(x - 1)) ∧ (∀x ≥ 0. P(x) ⇒ P(x + 1))
• Consider ≺ ⊆ (N × N) × (N × N) with (x1, y1) ≺ (x2, y2) iff
    x2 = x1 + 1 ∨ (x1 = x2 ∧ y2 = y1 + 1). Says what?
  – Induction principle:
      P(0,0) ∧ ∀x, y, y’. (P(x, y) ⇒ P(x + 1, y’) ∧ P(x, y + 1))
  – This has a common name. Anyone see?
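As an added illustration (not from the slides) of why the second relation matters: the order (x1, y1) ≺ (x2, y2) iff x2 = x1 + 1 ∨ (x1 = x2 ∧ y2 = y1 + 1) is precisely what justifies a recursion whose calls go from (m, n) either to (m, n - 1) or to (m - 1, k) for an arbitrary k, Ackermann's function being the classic case. The code below implements the relation, instruments the recursion to check that every call is on a ≺-smaller pair, and builds a descending chain to show that it reaches (0, 0) even though each pair has infinitely many predecessors. Function names are this example's own.

```python
# Added example: the relation ≺ on N × N from the slide, and a recursion whose
# termination is justified by well-founded induction over it. Names assumed.

def below(p, q):
    """(x1, y1) ≺ (x2, y2) iff x2 = x1 + 1 or (x1 = x2 and y2 = y1 + 1)."""
    (x1, y1), (x2, y2) = p, q
    return x2 == x1 + 1 or (x1 == x2 and y2 == y1 + 1)

def ackermann(m, n, caller=None):
    """A(0, n) = n + 1; A(m, 0) = A(m - 1, 1); A(m, n) = A(m - 1, A(m, n - 1)).
    Every recursive call is checked to be on a pair ≺ the caller's pair, which
    is what lets well-founded induction on ≺ prove termination."""
    if caller is not None and not below((m, n), caller):
        raise AssertionError(f"call on {(m, n)} is not below {caller}")
    if m == 0:
        return n + 1
    if n == 0:
        return ackermann(m - 1, 1, caller=(m, n))
    return ackermann(m - 1, ackermann(m, n - 1, caller=(m, n)), caller=(m, n))

def descending_chain(start, y_after_drop=10):
    """One descending chain from `start`: decrease y while possible, otherwise
    drop x by one and pick any y (here y_after_drop). Ends at (0, 0), which has
    no predecessor, so the chain is finite although (x, y) has infinitely many
    predecessors of the form (x - 1, k)."""
    chain = [start]
    x, y = start
    while (x, y) != (0, 0):
        x, y = (x, y - 1) if y > 0 else (x - 1, y_after_drop)
        chain.append((x, y))
    return chain

def is_descending(chain):
    """Each element is ≺ the one before it."""
    return all(below(chain[k + 1], chain[k]) for k in range(len(chain) - 1))

if __name__ == "__main__":
    print(ackermann(2, 3), ackermann(3, 2))
    c = descending_chain((2, 1))
    print(len(c), is_descending(c))
```

The second bullet's induction principle reads off the two branches of below: proving P(x + 1, y’) from P(x, y) for all y’ is the "x drops, y arbitrary" branch, and proving P(x, y + 1) from P(x, y) is the "same x, y drops" branch.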
Structural Induction (on Expressions)
• For e ::= n | x | e1 + e2 | e1 * e2
• Define ≺ ⊆ Aexp × Aexp such that
      e1 ≺ e1 + e2
      e2 ≺ e1 + e2
      e1 ≺ e1 * e2
      e2 ≺ e1 * e2
  and no other elements of Aexp × Aexp are related by ≺
• To prove ∀e ∈ Aexp. P(e)
  – prove ∀n ∈ Z. P(n)
  – prove ∀x ∈ L. P(x)
  – prove ∀e1, e2 ∈ Aexp. P(e1) ∧ P(e2) ⇒ P(e1 + e2)
  – prove ∀e1, e2 ∈ Aexp. P(e1) ∧ P(e2) ⇒ P(e1 * e2)

Notes on Structural Induction
• Called structural induction because the proof is guided by the structure of the expression
• One proof case per form of expression
  – Atomic expressions (with no subexpressions) are all base cases
  – Composite expressions are the inductive cases
• Structural induction is the most useful form of induction in the study of PL
Example Proof Using Induction on the Structure of Expressions
• Let
    L(e) be the # of literals and variable occurrences in e
    O(e) be the # of operators in e
• Prove that ∀e ∈ Aexp. L(e) = O(e) + 1
• Proof: By induction on the structure of e.
  – Case e = n: L(e) = 1 and O(e) = 0
  – Case e = x: L(e) = 1 and O(e) = 0
  – Case e = e1 + e2:
    • L(e) = L(e1) + L(e2) and O(e) = O(e1) + O(e2) + 1
    • By the induction hypothesis,
        L(e1) = O(e1) + 1 and L(e2) = O(e2) + 1
    • Thus, L(e) = O(e1) + O(e2) + 2 = O(e) + 1
  – Case e = e1 * e2: Same as the case for +

“Try it at home!”
• Most proofs for the Aexp sublanguage of IMP can work by structural induction
• Small-step and big-step semantics obtain equivalent results:
  – How do we state this formally?
      For all e ∈ Aexp. for all n ∈ Z. for all σ ∈ Σ.
        <e, σ> →* <n, σ> iff <e, σ> ⇓ n
  – Structural induction on Aexp works here because all of the semantics are syntax-directed

“Obvious, right?”
• You are given a concrete state σ.
• You have
    <x + 1, σ> ⇓ 5
• You also have
    <x + 1, σ> ⇓ 88
• Is this possible?
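As an added example (not code from the slides), the following encodes Aexp as tuples, defines L and O by structural recursion with one case per form of expression, and checks the proved identity L(e) = O(e) + 1 together with the "try it at home" equivalence <e, σ> →* <n, σ> iff <e, σ> ⇓ n on randomly generated expressions. It also checks a further property that structural induction proves the same way, that the small-step run takes exactly V(e) + O(e) steps where V counts variable occurrences (V is this example's own definition). The tuple encoding and the function names are assumptions.

```python
# Added example (not the lecture's code): Aexp as tuples ("num", n), ("var", x),
# ("add", e1, e2), ("mul", e1, e2); every function below is defined by
# structural recursion, one case per form, mirroring the proof cases.

import random

def L(e):
    """Number of literal and variable occurrences in e."""
    if e[0] in ("num", "var"):
        return 1
    return L(e[1]) + L(e[2])

def O(e):
    """Number of operators in e."""
    if e[0] in ("num", "var"):
        return 0
    return O(e[1]) + O(e[2]) + 1

def V(e):
    """Number of variable occurrences in e (this example's own definition)."""
    if e[0] == "var":
        return 1
    if e[0] == "num":
        return 0
    return V(e[1]) + V(e[2])

def big_step(e, s):
    """<e, σ> ⇓ n, syntax-directed: one case per form."""
    tag = e[0]
    if tag == "num":
        return e[1]
    if tag == "var":
        return s[e[1]]
    n1, n2 = big_step(e[1], s), big_step(e[2], s)
    return n1 + n2 if tag == "add" else n1 * n2

def step(e, s):
    """One small step <e, σ> → <e', σ>, reducing the left operand first.
    Returns None when e is already a literal n."""
    tag = e[0]
    if tag == "num":
        return None
    if tag == "var":
        return ("num", s[e[1]])
    if e[1][0] != "num":
        return (tag, step(e[1], s), e[2])
    if e[2][0] != "num":
        return (tag, e[1], step(e[2], s))
    n1, n2 = e[1][1], e[2][1]
    return ("num", n1 + n2 if tag == "add" else n1 * n2)

def multi_step(e, s):
    """<e, σ> →* <n, σ>: iterate step to a literal; returns (n, number of steps)."""
    count = 0
    while e[0] != "num":
        e = step(e, s)
        count += 1
    return e[1], count

def generate(rng, depth, names=("x", "y")):
    """Random Aexp of depth at most `depth` (constructed test input)."""
    if depth == 0 or rng.random() < 0.3:
        if rng.random() < 0.5:
            return ("num", rng.randint(-3, 3))
        return ("var", rng.choice(names))
    return (rng.choice(("add", "mul")),
            generate(rng, depth - 1, names), generate(rng, depth - 1, names))

def check(samples=500, seed=0, s=None):
    """Check L(e) = O(e) + 1, big/small-step agreement and the step count
    V(e) + O(e) on `samples` random expressions; returns the number checked."""
    rng = random.Random(seed)
    s = s or {"x": 4, "y": -2}
    for _ in range(samples):
        e = generate(rng, 4)
        assert L(e) == O(e) + 1
        n, k = multi_step(e, s)
        assert n == big_step(e, s)
        assert k == V(e) + O(e)
    return samples

if __name__ == "__main__":
    e = ("add", ("var", "x"), ("num", 1))
    print(L(e), O(e), big_step(e, {"x": 4}), multi_step(e, {"x": 4}))
    print(check(), "expressions checked")
```

Note that big_step is a function of (e, σ), so the situation on the last slide, <x + 1, σ> ⇓ 5 and <x + 1, σ> ⇓ 88 for the same σ, cannot arise in this implementation; the next slides ask for the proof that the rules themselves have that property.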
Let’s make sure
• Prove that IMP is deterministic
    For all e ∈ Aexp. for all σ ∈ Σ. for all n, n’ ∈ Z.
      if <e, σ> ⇓ n and <e, σ> ⇓ n’ then n = n’
    For all b ∈ Bexp. for all σ ∈ Σ. for all t, t’ ∈ B.
      if <b, σ> ⇓ t and <b, σ> ⇓ t’ then t = t’
    For all c ∈ Com. for all σ, σ’, σ’’ ∈ Σ.
      if <c, σ> ⇓ σ’ and <c, σ> ⇓ σ’’ then σ’ = σ’’
How do we prove it?
• Prove that IMP is deterministic
    If <e, σ> ⇓ n and <e, σ> ⇓ n’ then n = n’
    If <b, σ> ⇓ t and <b, σ> ⇓ t’ then t = t’
    If <c, σ> ⇓ σ’ and <c, σ> ⇓ σ’’ then σ’ = σ’’
• No immediate way to use mathematical induction
• For commands we cannot use induction on the structure of the command
  – Can you see why?
  – while’s evaluation does not depend only on the evaluation of its strict subexpressions:

      <b, σ> ⇓ true    <c, σ> ⇓ σ’    <while b do c, σ’> ⇓ σ’’
      ----------------------------------------------------------
                     <while b do c, σ> ⇓ σ’’

We need something new!
• Some more powerful form of induction
• With all the bells and whistles!
Recall Proof Systems
• Operational semantics assigns meanings to programs by listing rules of inference that allow us to prove judgments by constructing derivations.
• A derivation is a tree-structured object made up of valid instances of inference rules.
• Find the keyword in the above. Ideas?

Induction on the Structure of Derivations
• Key idea: The hypothesis does not just assume a c ∈ Com but the existence of a derivation of <c, σ> ⇓ σ’
• Derivation trees are also defined inductively, just like expression trees
• A derivation is built of subderivations:

      <x, σi+1> ⇓ 5 - i    5 - i ≤ 5      <x + 1, σi+1> ⇓ 6 - i
      -------------------------------    ---------------------------
           <x ≤ 5, σi+1> ⇓ true           <x := x + 1, σi+1> ⇓ σi    <W, σi> ⇓ σ0
                                         ----------------------------------------
                                                <x := x + 1; W, σi+1> ⇓ σ0
      ------------------------------------------------------------------------------
                        <while x ≤ 5 do x := x + 1, σi+1> ⇓ σ0

• Adapt the structural induction principle to work on the structure of derivations
Induction on the Structure of Derivations
• To prove that for all derivations D of a judgment, property P holds
• For each derivation rule of the form
        H1 … Hn
        --------
           C
  – Assume P holds for derivations of Hi (i = 1..n)
  – Prove the property holds for the derivation obtained from the derivations of Hi using the given rule

Notation: Naming Derivations
• Write
      D :: Judgment
  to mean “D is the derivation that proves Judgment”
• Example:
      D :: <e1 + e2, σ> ⇓ n1 + n2
Proving Com Evaluation is Deterministic
If D :: <c, σ> ⇓ σ’ and D’ :: <c, σ> ⇓ σ’’, then σ’ = σ’’.
• Note: recall that meta-variables are universally-quantified (i.e., the above is for all c ∈ Com, σ, σ’, σ’’ ∈ Σ, derivations D and D’).
• Start by picking each to be arbitrary.
• Proof: By induction on the structure of derivation D.
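The last slides ("Recall Proof Systems", "Induction on the Structure of Derivations", "Proving Com Evaluation is Deterministic") all recurse on the derivation rather than on the command. The following added example (not from the lecture) turns that recursion into code: a checker that accepts a derivation of <c, σ> ⇓ σ’ only if every node is a valid instance of an IMP rule, doing case analysis on the last rule used and recursing into the premises exactly where a proof would invoke the induction hypothesis, plus loop_count, a property computed by recursion on the derivation. Derivations are (rule, (c, σ, σ’), premises); arithmetic and boolean premises are evaluated directly rather than carrying subderivations, and the sample derivations for W = while x ≤ 5 do x := x + 1 are constructed by hand. The encoding and names are this example's assumptions.

```python
# Added example: a derivation checker for IMP commands. A derivation is
# (rule, (c, σ, σ'), premises) with σ a dict. Aexp/Bexp premises are evaluated
# directly (assumption, to keep the example short), so while-true carries two
# premises here: <c, σ> ⇓ σ' and <while b do c, σ'> ⇓ σ''.

def aeval(e, s):
    tag = e[0]
    if tag == "num":
        return e[1]
    if tag == "var":
        return s[e[1]]
    n1, n2 = aeval(e[1], s), aeval(e[2], s)
    return n1 + n2 if tag == "add" else n1 * n2

def beval(b, s):                       # only b = e1 ≤ e2 is needed here
    return aeval(b[1], s) <= aeval(b[2], s)

def check(d):
    """True iff d is a valid derivation. Case analysis on the last rule used;
    the recursive calls on the premises play the role of the induction hypothesis."""
    rule, (c, s, s_out), prems = d
    if not all(check(p) for p in prems):
        return False
    concl = [p[1] for p in prems]      # (c_i, σ_i, σ_i') of each premise
    if rule == "skip":
        return c == ("skip",) and not prems and s_out == s
    if rule == "assign":
        return (c[0] == "assign" and not prems
                and s_out == {**s, c[1]: aeval(c[2], s)})
    if rule == "seq":
        return (c[0] == "seq" and len(prems) == 2
                and concl[0][:2] == (c[1], s)              # <c1, σ> ⇓ σ1
                and concl[1][:2] == (c[2], concl[0][2])    # <c2, σ1> ⇓ σ2
                and s_out == concl[1][2])
    if rule == "while-false":
        return c[0] == "while" and not prems and not beval(c[1], s) and s_out == s
    if rule == "while-true":
        return (c[0] == "while" and len(prems) == 2 and beval(c[1], s)
                and concl[0][:2] == (c[2], s)              # <c, σ> ⇓ σ'
                and concl[1][:2] == (c, concl[0][2])       # <while b do c, σ'> ⇓ σ''
                and s_out == concl[1][2])
    return False

def loop_count(d):
    """Number of while-true instances in d, by recursion on the derivation."""
    return int(d[0] == "while-true") + sum(loop_count(p) for p in d[2])

# Hand-built derivations for W = while x ≤ 5 do x := x + 1, σi = {x: 6 - i}.
X_LE_5 = ("le", ("var", "x"), ("num", 5))
INC = ("assign", "x", ("add", ("var", "x"), ("num", 1)))
W = ("while", X_LE_5, INC)

def derivation(i):
    """D :: <W, σi> ⇓ σ0, built like the slides' inductive step: the derivation
    for σ(i+1) uses the derivation for σi as a premise."""
    if i == 0:
        return ("while-false", (W, {"x": 6}, {"x": 6}), ())
    s = {"x": 6 - i}
    d_inc = ("assign", (INC, s, {"x": 7 - i}), ())
    return ("while-true", (W, s, {"x": 6}), (d_inc, derivation(i - 1)))

# Two invalid derivations: a wrong final state, and a while-true whose guard is false.
BAD_STATE = ("while-true", (W, {"x": 5}, {"x": 7}), derivation(1)[2])
BAD_GUARD = ("while-true", (W, {"x": 6}, {"x": 7}),
             (("assign", (INC, {"x": 6}, {"x": 7}), ()),
              ("while-false", (W, {"x": 7}, {"x": 7}), ())))

if __name__ == "__main__":
    for i in range(4):
        print(i, check(derivation(i)), loop_count(derivation(i)))
    print(check(BAD_STATE), check(BAD_GUARD))
```

Each branch of check is one case of the proof on the slide: the rule form fixes the shape of c, the side condition is tested, and the premises' conclusions must chain through the intermediate states. The determinism argument has the same shape: for two derivations of <c, σ>, the last rule used is forced by c and σ (the two while rules are distinguished by the guard), so after applying the hypothesis to matching premises the final states agree.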