[With some minor fixes/cleanups after class]
while 1 skip always diverges, i.e.,
For all H and n, there exists an H' and s such that
H; while 1 skip -->n H';s
Prove by induction on n:
n=0: Let H'=H and s=while 1 skip
n>0: Then by induction there exists some H'' and s' such that
H; while 1 skip -->n-1 H'';s'
So we need that H'';s' --> H';s for some H' and s
WRONG
Strengthen: For all H and n, there exists an H' and s such that
H; while 1 skip -->n H';s and s is not skip
Prove by induction on n:
n=0: Let H'=H and s=while 1 skip
n>0: Then by induction there exists some H'' and s' such that
H; while 1 skip -->n-1 H'';s' and s' is not skip
So we need that H'';s' --> H';s for some H' and s
where s is not skip
WRONG (maybe s' is if 17 skip skip)
Strengthen: For all H and n, there exists an H' and s such that
H; while 1 skip -->n H';s and s is while 1 skip
Prove by induction on n:
n=0: Let H'=H and s=while 1 skip
n>0: Then by induction there exists some H'' and s' such that
H; while 1 skip -->n-1 H'';s' and s' is while 1 skip
So after the next step we have if 1 (skip; while 1 skip) skip
and, uh, that's not while 1 skip
WRONG
Strengthen: For all H and n, there exists an H' and s such that
H; while 1 skip -->n H';s and s is while 1 skip or
if 1 (skip; while 1 skip) skip or (skip; while 1 skip)
Prove by induction on n:
n=0: Let H'=H and s=while 1 skip
n>0: Then by induction there exists some H'' and s' such that
H; while 1 skip -->n-1 H'';s' and s' is while 1 skip or
if 1 (skip; while 1 skip) skip or (skip; while 1 skip)
Proceed by cases:
* if s' is while 1 skip, then let s be
if 1 (skip; while 1 skip) skip
* if s' is if 1 (skip; while 1 skip) skip let s be
(skip; while 1 skip)
* if s' is (skip; while 1 skip) then let s be
while 1 skip
=======
Theorem: If H and s have no negative constants and
H;s -->* H';s', then H' and s' have no negative constants
Judgments: noneg(e), noneg(H), noneg(s), defined by the rules below.

Expressions:

  c >= 0                          noneg(e1) noneg(e2)    noneg(e1) noneg(e2)
  --------      --------          -------------------    -------------------
  noneg(c)      noneg(x)          noneg(e1+e2)           noneg(e1*e2)

Heaps:

                c>=0 noneg(H)
  --------      ---------------
  noneg(.)      noneg(H,x->c)

Statements:

                  noneg(e)        noneg(s1) noneg(s2)
  -----------     -----------     -------------------
  noneg(skip)     noneg(x:=e)     noneg(s1;s2)

  noneg(e) noneg(s1) noneg(s2)      noneg(e) noneg(s)
  ----------------------------      -------------------
  noneg(if e s1 s2)                 noneg(while e s)
If noneg(H) and noneg(s) and H;s-->n H';s', then noneg(H') and noneg(s')
Prove by induction on n:
n=0: Then H'=H and s'=s so done by assumption
n>0: Then there exists some H''; s'' such that
H;s -->n-1 H'';s'' and H'';s''-->H';s'
By induction noneg(H'') and noneg(s'')
So next lemma suffices:
Lemma:
If noneg(H) and noneg(s) and H;s-->H';s', then noneg(H') and noneg(s')
By induction on (the height of) the derivation of H;s-->H';s'
Proceed by cases on the bottom rule in the derivation:
(If the height is 1, the bottom rule can be seq1, assign, if1, if2, or
while. If the height is n>1, the bottom rule can be seq2.)
seq1: Then s is skip;s' and H' is H. So noneg(H) means noneg(H').
And noneg(skip;s') can only be derived if noneg(s').
assign: Then s is some x:=e, s' is skip, and H' is H,x->c where
H;e V c.
So by lemma yet to be proven (below) since noneg(H) and noneg(e)
(the latter via noneg(s)), noneg(c). So noneg(H) and noneg(c) lets us
derive noneg(H,x->c) i.e., noneg(H'). And noneg(s') is trivial
because s' is skip.
seq2: Then s is some s1;s2 and s' is some s1';s2 and
H;s1 --> H';s1' via a shorter derivation. Since noneg(s), we
know noneg(s1). So by induction noneg(H') and noneg(s1').
Since noneg(s), we know noneg(s2). So we can derive
noneg(s1';s2).
if1: Then s is if e s1 s2 and s' is s1 and H' is H. Since noneg(s),
we know noneg(s1). And we're done.
if2: Then s is if e s1 s2 and s' is s2 and H' is H. Since noneg(s),
we know noneg(s2). And we're done.
while: Then s is while e s1 and s' is if e (s1; while e s1) skip
and H' is H. So noneg(H'). Since noneg(while e s1),
noneg(e) and noneg(s1). So we can derive:
              noneg(s1) noneg(while e s1)
              ---------------------------   -----------
    noneg(e)  noneg(s1; while e s1)         noneg(skip)
    -------------------------------------------------------
    noneg(if e (s1; while e s1) skip)
Lemma: If noneg(H) and noneg(e) and H;e V c then noneg(c).
By induction on (height of) derivation of H;e V c. Cases on bottom
rule:
* const: Then e is c and noneg(e) means noneg(c).
* var: Then e is some x and noneg(H) ensures noneg(H(x)).
* plus: Then e is some e1+e2 where noneg(e1) and noneg(e2).
And H;e1 V c1 and H;e2 V c2 and c is c1 blue-plus c2 (mathematical addition, not the syntactic +).
So by induction noneg(c1) and noneg(c2). So by math
c is non-negative.
* times: see plus (different math)
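Both proofs above (the three-shape invariant for while 1 skip, and noneg preservation) can be checked mechanically on a tiny interpreter. This is an added example, not part of the notes; the term encoding is my own, the while rule is the unrolling from the notes, and it assumes a nonzero guard counts as true and an unbound variable evaluates to 0.

```python
# Added example, not from the notes: a small-step interpreter for the IMP
# fragment above, used to check the strengthened "while 1 skip" invariant and
# the noneg lemma mechanically. The encoding is my own: expressions are ints,
# variable names (str) or ('+'|'*', e1, e2); statements are 'skip',
# (':=', x, e), (';', s1, s2), ('if', e, s1, s2) or ('while', e, s).

def eval_exp(H, e):                                   # big-step H;e V c
    if isinstance(e, int): return e
    if isinstance(e, str): return H.get(e, 0)         # unbound reads as 0 (assumed)
    c1, c2 = eval_exp(H, e[1]), eval_exp(H, e[2])
    return c1 + c2 if e[0] == '+' else c1 * c2        # the "blue" plus / times

def step(H, s):                                       # H;s --> H';s'; None if s is skip
    if s == 'skip': return None
    if s[0] == ':=':                                  # assign
        return {**H, s[1]: eval_exp(H, s[2])}, 'skip'
    if s[0] == ';':
        if s[1] == 'skip':                            # seq1
            return H, s[2]
        H2, s1 = step(H, s[1])                        # seq2: step the left part
        return H2, (';', s1, s[2])
    if s[0] == 'if':                                  # if1 / if2 (nonzero is true)
        return H, (s[2] if eval_exp(H, s[1]) != 0 else s[3])
    return H, ('if', s[1], (';', s[2], s), 'skip')    # while: unroll one iteration

def noneg_exp(e):
    if isinstance(e, int): return e >= 0              # const: premise c >= 0
    if isinstance(e, str): return True                # var: no premise
    return noneg_exp(e[1]) and noneg_exp(e[2])        # plus / times

def noneg_stmt(s):
    if s == 'skip': return True
    if s[0] == ':=': return noneg_exp(s[2])
    if s[0] == ';': return noneg_stmt(s[1]) and noneg_stmt(s[2])
    if s[0] == 'if': return noneg_exp(s[1]) and noneg_stmt(s[2]) and noneg_stmt(s[3])
    return noneg_exp(s[1]) and noneg_stmt(s[2])       # while

def loop_shapes(n):                                   # statements reached by n steps of while 1 skip
    H, s, seen = {}, ('while', 1, 'skip'), set()
    for _ in range(n):
        H, s = step(H, s)
        seen.add(s)
    return seen

def preserves_noneg(H, s, fuel=1000):                 # noneg(H') and noneg(s') along the run
    while fuel and (nxt := step(H, s)) is not None:
        (H, s), fuel = nxt, fuel - 1
        if not (all(c >= 0 for c in H.values()) and noneg_stmt(s)):
            return False
    return True
```

loop_shapes(30) returns exactly the three statement forms of the final strengthened invariant and never skip; preserves_noneg runs a program with no negative constants and confirms that neither the heap nor the residual statement ever acquires one.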