Theorem: while 1 skip always diverges, i.e.,
  For all H and n, there exists H' and s' such that H; while 1 skip -->n H'; s'

Try 1

Proof: By induction on n

Base case 0: Let H' = H and s' = while 1 skip. That is what you have after 0 steps.

Inductive case n > 0: To show H; while 1 skip -->n H';s' for some H' and s', we need some H'' and s''
such that H; while 1 skip -->n-1 H'';s'' and H'';s'' --> H';s'.
By induction H'' and s'' exist such that H; while 1 skip -->n-1 H'';s''.
OOPS, we're stuck because s'' might be skip, and skip cannot take a step.

Try 2

For all H and n, there exists H' and s' such that H; while 1 skip -->n H'; s' and s' is not skip

Proof: By induction on n

Base case 0: Let H' = H and s' = while 1 skip. That is what you have after 0 steps -- and notice that s' is not skip.

Inductive case n > 0: To show H; while 1 skip -->n H';s' for some H' and s' where s' is not skip, we need some
H'' and s'' such that H; while 1 skip -->n-1 H'';s'' and H'';s'' --> H';s'.
By induction H'' and s'' exist such that H; while 1 skip -->n-1 H'';s'' and s'' is not skip.
So now (by an argument we'd have to make), H'';s'' will be able to step to some H';s', but OOPS, s' could be skip
(what about skip;skip, or if 1 skip skip, or ...). "Not skip" is not preserved by a step, so the induction
hypothesis is too weak.

Try 3

For all H and n there exists an H' such that H; while 1 skip -->n H'; while 1 skip

By induction on n:

Base case 0: Let H' = H.

Inductive case n > 0: We need an H'' and s'' such that H;while 1 skip -->n-1 H'';s'' and H'';s'' --> H'; while 1 skip.
By induction, H'' exists and s'' is while 1 skip.
So I just need H''; while 1 skip --> H'; while 1 skip.
This is FALSE: the only thing H''; while 1 skip steps to is H''; if 1 (skip; while 1 skip) skip.
Now the induction hypothesis is too strong.

Try 4 (correct)

For all H and n there exists an H' and s' such that H;while 1 skip -->n H'; s' and s' is one of the following:
  (1) while 1 skip
  (2) if 1 (skip; while 1 skip) skip
  (3) skip; while 1 skip

By induction on n:

Base case 0: Let H'=H and s'=while 1 skip, i.e., (1).

Inductive case n > 0: We need an H'' and s'' such that H;while 1 skip -->n-1 H'';s'' and H'';s'' --> H';s'
where s' is (1), (2), or (3).
By induction, H'' exists and s'' is (1), (2), or (3).
We just need that H'';s'' --> H'; s' where s' is (1), (2), or (3). By cases:
  * If s'' is (1), then let H'=H'' and s' be (2)   [rule While]
  * If s'' is (2), then let H'=H'' and s' be (3)   [rule If1]
  * If s'' is (3), then let H'=H'' and s' be (1)   [rule Seq1]
(We could show the step is possible in each case via a derivation. Note that the heap never changes:
in every case H' = H'', so in fact H' = H.)

=======================================================

Theorem: If H and s have no negative constants and H;s -->* H';s', then H' and s' have no negative constants.

First, let's state this more carefully by defining three judgments that will provide a concise definition of
what it means to have no negative constants.

 --------    --------    --------
|noneg(e)|  |noneg(H)|  |noneg(s)|
 --------    --------    --------

 c >= 0                 noneg(e1)  noneg(e2)    noneg(e1)  noneg(e2)
--------    --------    --------------------    --------------------
noneg(c)    noneg(x)       noneg(e1+e2)            noneg(e1*e2)

              c >= 0  noneg(H)
---------     ----------------
noneg(.)       noneg(H,x->c)

                 noneg(e)      noneg(s1)  noneg(s2)
-----------     -----------    --------------------
noneg(skip)     noneg(x:=e)        noneg(s1;s2)

noneg(e)  noneg(s1)  noneg(s2)      noneg(e)  noneg(s)
------------------------------      ------------------
     noneg(if e s1 s2)                noneg(while e s)

We can now restate our theorem as such:

(For all H, s, n, H', and s'...)
If noneg(H) and noneg(s) and H;s -->n H';s' then noneg(H') and noneg(s').

Proof: By induction on n:

Base n=0: H'=H and s'=s. So by assumption, noneg(H) and noneg(s) is exactly what we need.

Induction n > 0: Then there exists H'';s'' such that H;s -->n-1 H'';s'' and H'';s'' --> H';s'.
By induction, noneg(H'') and noneg(s''). So we just need this lemma (applied with H'' and s'' in place of H and s):

Lemma: If noneg(H) and noneg(s) and H;s --> H';s' then noneg(H') and noneg(s').

Proof by induction on the height of the derivation of H;s --> H';s'.

Height could be 1 (if the last rule used is Assign, Seq1, If1, If2, or While; none of these has a step
derivation as a premise):

case Seq1: This means s is skip;s1 for some s1 and H'=H and s'=s1. So noneg(H') follows from noneg(H).
By assumption noneg(skip;s1), so by inversion noneg(s1).
[Inversion means that by looking at _all_ the rules for noneg of some statement, **only one rule** could apply
to skip;s1, so since we know noneg(skip;s1), we also know the hypotheses of the instantiation of this one rule,
namely noneg(skip) (though we knew that anyway) and noneg(s1) (which is exactly what we need).]

case If1: This means s is (if e s1 s2) for some e, s1, and s2 and s' = s1 and H'=H.
So noneg(H') follows from noneg(H). By assumption noneg(if e s1 s2), so by inversion noneg(s1).

case If2: This means s is (if e s1 s2) for some e, s1, and s2 and s' = s2 and H'=H.
So noneg(H') follows from noneg(H). By assumption noneg(if e s1 s2), so by inversion noneg(s2).

case Assign: This means s is x := e for some x and e and s' = skip and H' = H,x->c where H;e V c
(i.e., e evaluates to c under H). So noneg(s') is trivial since we can derive noneg(skip).
For noneg(H'), we need noneg(H) (true by assumption) and c >= 0, which follows from this lemma
(noneg(e) holds by inverting noneg(x := e)):

  Lemma: If noneg(H) and noneg(e) and H;e V c, then c >= 0.

  By induction on height of the derivation of H;e V c.

  case Const: Then e is c and noneg(e) implies c >= 0.

  case Var: Then e is some x and c is H(x), and noneg(H) implies H(x) >= 0
  (small cheat: technically need an inductive lemma on the size of a heap).

  case Add: Then e is e1+e2 for some e1 and e2 and c is the sum of c1 and c2 where H;e1 V c1 and H;e2 V c2.
  By inverting noneg(e1+e2), noneg(e1) and noneg(e2), so by induction c1 >= 0 and c2 >= 0.
  By how blue-plus works (ordinary mathematical addition, as opposed to the syntactic +), c >= 0.

  case Times: Then e is e1*e2 for some e1, e2 and c is the product of c1 and c2 where H;e1 V c1 and H;e2 V c2.
  By inverting noneg(e1*e2), noneg(e1) and noneg(e2), so by induction c1 >= 0 and c2 >= 0.
  By how blue-times works, c >= 0.

Back to the lemma about statements:

case While: So s is while e s1 for some e and s1 and H' = H and s' = if e (s1; while e s1) skip.
So noneg(H') is by assumption since noneg(H). I need noneg(if e (s1; while e s1) skip).
I have by inverting noneg(s) that noneg(e) and noneg(s1). And by assumption noneg(s), i.e., noneg(while e s1).
So I can derive:

                          noneg(s1)   noneg(while e s1)
                          -----------------------------
            noneg(e)         noneg(s1; while e s1)         noneg(skip)
            -----------------------------------------------------------
                       noneg(if e (s1; while e s1) skip)

Height could be greater than 1 (if the last rule used is Seq2):

case Seq2: So s is some s1; s2 and s' is s1';s2 for some s1' and H;s1 --> H'; s1', where s1 is not skip.
By inverting noneg(s1; s2), we know noneg(s1) and noneg(s2).
The derivation of H;s1 --> H'; s1' is a strict subderivation, so by induction (using noneg(H) and noneg(s1))
noneg(H') and noneg(s1'). We need noneg(s1';s2), so I can derive:

   noneg(s1')   noneg(s2)
   ----------------------
       noneg(s1';s2)
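To exercise both proofs on concrete inputs, here is an added example (my own code, not part of these notes): a small-step interpreter for the language above, written in Python, plus the three noneg judgments. It lets you watch H; while 1 skip cycle through shapes (1), (2), (3) with an unchanged heap, see the skip;skip counterexample that breaks Try 2, and check the noneg invariant along an actual trace. Assumptions the notes do not state: if e s1 s2 takes s1 (If1) when e evaluates to a nonzero value and s2 (If2) otherwise; a heap is a dict from variable names to ints, with an unbound variable reading as 0; terms are encoded as tuples; the sample program and the heaps are constructed for the example.

```python
# Added example, not from the notes: small-step interpreter for the language above
# plus the three noneg judgments, so both proofs can be exercised on real inputs.
# Assumptions not stated on the page: 'if e s1 s2' takes s1 (If1) when e evaluates
# to a nonzero value and s2 (If2) otherwise; a heap is a dict from variable names
# to ints and an unbound variable reads as 0; terms are encoded as tuples:
#   ('const', c) ('var', x) ('add', e1, e2) ('mul', e1, e2)
#   ('skip',) ('assign', x, e) ('seq', s1, s2) ('if', e, s1, s2) ('while', e, s)

SKIP = ('skip',)
WHILE_1_SKIP = ('while', ('const', 1), SKIP)

def evaluate(H, e):
    """Big-step evaluation H;e V c (rules Const, Var, Add, Times)."""
    tag = e[0]
    if tag == 'const':
        return e[1]
    if tag == 'var':
        return H.get(e[1], 0)
    if tag == 'add':   # blue-plus: ordinary integer addition
        return evaluate(H, e[1]) + evaluate(H, e[2])
    if tag == 'mul':   # blue-times
        return evaluate(H, e[1]) * evaluate(H, e[2])
    raise ValueError(f'bad expression {e!r}')

def step(H, s):
    """One small step H;s --> H';s', or None when s is skip (no rule applies)."""
    tag = s[0]
    if tag == 'skip':
        return None
    if tag == 'assign':                                    # Assign
        H2 = dict(H)
        H2[s[1]] = evaluate(H, s[2])
        return H2, SKIP
    if tag == 'seq':
        s1, s2 = s[1], s[2]
        if s1 == SKIP:                                     # Seq1
            return H, s2
        H2, s1p = step(H, s1)                              # Seq2: s1 steps first
        return H2, ('seq', s1p, s2)
    if tag == 'if':                                        # If1 / If2
        return (H, s[2]) if evaluate(H, s[1]) != 0 else (H, s[3])
    if tag == 'while':                                     # While: unroll once
        return H, ('if', s[1], ('seq', s[2], s), SKIP)
    raise ValueError(f'bad statement {s!r}')

def trace(H, s, n):
    """The states H';s' with H;s -->k H';s' for k = 0..n (shorter if it gets stuck)."""
    states = [(H, s)]
    for _ in range(n):
        nxt = step(*states[-1])
        if nxt is None:
            break
        states.append(nxt)
    return states

# Try 4: the three shapes that H; while 1 skip -->n H';s' cycles through.
SHAPES = {
    WHILE_1_SKIP: 1,                                             # (1)
    ('if', ('const', 1), ('seq', SKIP, WHILE_1_SKIP), SKIP): 2,  # (2)
    ('seq', SKIP, WHILE_1_SKIP): 3,                              # (3)
}

def while_shapes(n, H=None):
    """Shape number of s' after k = 0..n steps from H; while 1 skip (None if not 1-3)."""
    return [SHAPES.get(s2) for _, s2 in trace({} if H is None else H, WHILE_1_SKIP, n)]

def noneg_e(e):
    if e[0] == 'const':
        return e[1] >= 0
    if e[0] == 'var':
        return True
    return noneg_e(e[1]) and noneg_e(e[2])                     # add, mul

def noneg_H(H):
    return all(c >= 0 for c in H.values())

def noneg_s(s):
    tag = s[0]
    if tag == 'skip':
        return True
    if tag == 'assign':
        return noneg_e(s[2])
    if tag == 'seq':
        return noneg_s(s[1]) and noneg_s(s[2])
    if tag == 'if':
        return noneg_e(s[1]) and noneg_s(s[2]) and noneg_s(s[3])
    return noneg_e(s[1]) and noneg_s(s[2])                     # while

def noneg_preserved(H, s, n):
    """(hypotheses noneg(H), noneg(s) hold; every state reached in <= n steps is noneg)."""
    hyp = noneg_H(H) and noneg_s(s)
    inv = all(noneg_H(H2) and noneg_s(s2) for H2, s2 in trace(H, s, n))
    return hyp, inv

# Constructed sample program: x := 2*3; if x (y := x+1) (y := 4); while 0 skip
SAMPLE = ('seq',
          ('assign', 'x', ('mul', ('const', 2), ('const', 3))),
          ('seq',
           ('if', ('var', 'x'),
            ('assign', 'y', ('add', ('var', 'x'), ('const', 1))),
            ('assign', 'y', ('const', 4))),
           ('while', ('const', 0), SKIP)))
```

while_shapes(9) returns [1, 2, 3, 1, 2, 3, 1, 2, 3, 1] and every heap in trace({}, WHILE_1_SKIP, 9) is the starting heap, which is exactly the Try 4 invariant. step({}, ('seq', SKIP, SKIP)) returns ({}, SKIP): a non-skip statement stepping to skip, which is why Try 2 fails. noneg_preserved({}, SAMPLE, 20) returns (True, True); the same call with a statement containing a negative constant, or with a heap holding a negative value, returns (False, False), as the theorem's hypotheses are not met and the checker reports it rather than the invariant.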