Theorem: while 1 skip always diverges, i.e., for every n
there exist H' and s' such that
H; while 1 skip -->n H'; s'
Try 1:
Proof: By induction on n.
base case n=0: Let H'=H and s'=while 1 skip
induction n>0: By induction there exists H'' and s'' such that
H; while 1 skip -->n-1 H'';s''
So I just need that H'';s'' can step.
Uhm, that would work if s'' weren't skip, but how do I know that?
Try 2:
For every n, there exist H' and s' such that
H; while 1 skip -->n H'; s' and s' is not skip
Proof: By induction on n.
base case n=0: Let H'=H and s'=while 1 skip (notice s' is not skip)
induction n>0: By induction
There exists H'' and s'' such that
H; while 1 skip -->n-1 H'';s'' and s'' is not skip.
I need that H'';s'' can step (would need an inductive
sort of proof) and I need to show that after that step
I don't have skip.
Oops: that second part is false for an arbitrary non-skip s'':
skip; skip and if x skip skip step to skip in one step, and
while 0 s reaches skip in two.
Try 3: For every n, there exist H' and s' such that
H; while 1 skip -->n H'; s' and s' is while 1 skip
Proof: By induction on n.
base case n=0: Let H'=H and s'=while 1 skip
induction n>0: By induction
There exists H'' and s'' such that
H; while 1 skip -->n-1 H'';s'' and s'' is while 1 skip.
So I just need there exists H' such that
H'';while 1 skip --> H'; while 1 skip
And that's not true: the only step available is While, which
produces an if, not while 1 skip again.
Try 4: For every n, there exist H' and s' such that
H; while 1 skip -->n H'; s' and s' is one of:
1. while 1 skip
2. if 1 (skip; while 1 skip) skip
3. skip; while 1 skip
Proof: By induction on n.
base case n=0: Let H'=H and s' = (1)
induction n>0: By induction
There exists H'' and s'' such that
H; while 1 skip -->n-1 H'';s'' and s'' is (1), (2), or (3)
So I just need there exists H' such that
H'';s''-->H';s' where s' is (1), (2), or (3)
Cases:
* If s'' is (1), then let s' be (2) (rule While, with H'=H'')
* If s'' is (2), then let s' be (3) (rule If1, since 1 is not 0, with H'=H'')
* If s'' is (3), then let s' be (1) (rule Seq1, with H'=H'')
===========================================================
Theorem: If H and s have no negative constants and
H;s -->* H';s', then H' and s' have no negative constants
To be super careful and see the elegant structure of
a proof that *shows a property is preserved*,
let's carefully define the "noneg" property via judgments:
Judgments: noneg(e), noneg(H), noneg(s)

Expressions:

  c >= 0                      noneg(e1)  noneg(e2)      noneg(e1)  noneg(e2)
  --------      --------      --------------------      --------------------
  noneg(c)      noneg(x)      noneg(e1+e2)              noneg(e1*e2)

Heaps:

                c >= 0  noneg(H)
  --------      ----------------
  noneg(.)      noneg(H,x->c)

Statements:

                noneg(e)         noneg(s1)  noneg(s2)
  -----------   -----------      --------------------
  noneg(skip)   noneg(x:=e)      noneg(s1;s2)

  noneg(e)  noneg(s1)  noneg(s2)      noneg(e)  noneg(s)
  ------------------------------      -------------------
  noneg(if e s1 s2)                   noneg(while e s)
So our theorem becomes:
If noneg(H) and noneg(s) and H;s-->n H';s',
then noneg(H') and noneg(s').
Proof: By induction on n.
Base n=0: H'=H and s'=s, so noneg(H) and noneg(s)
is all I need.
Induction n>0: Then there exists H'';s'' such that
H;s-->n-1 H'';s'' and H'';s''-->1 H';s'
By induction, noneg(H'') and noneg(s'').
So it suffices to show:
*** (Forall H,s,H',s') If noneg(H) and noneg(s)
and H;s-->1 H';s' then noneg(H') and noneg(s') ***
Proof of that by induction on height of the derivation of
H;s --> H';s'
(height 1 cases are Assign,If1,If2,Seq1,While and
height >1 cases are Seq2)
case Assign: So s is x:=e for some x and e and s' is skip
and H' is H,x->c where H;eVc (e evaluates to c under H). Since noneg(s),
we know noneg(e). If noneg(c), then we are done:
From noneg(H) and noneg(c) can derive
noneg(H,x->c) and that's noneg(H').
And noneg(skip) is trivially derivable.
So suffices to show: If noneg(H) and noneg(e),
and H;eVc, then noneg(c).
By induction on height of derivation of H;eVc:
case: constants easy e=c, so noneg(e)
implies noneg(c).
case: variables, so e=x and c=H(x), so
noneg(H) implies noneg(c)
(small cheat to skip induction over H)
case: add, so e=e1+e2 for some e1 and e2.
And noneg(e) implies noneg(e1) and
noneg(e2).
And H;e1Vc1 and H;e2Vc2 and c=c1+c2.
By induction noneg(c1) and noneg(c2).
So noneg(c) by math.
case: times, so e=e1*e2 for some e1 and e2.
And noneg(e) implies noneg(e1) and
noneg(e2).
And H;e1Vc1 and H;e2Vc2 and c=c1*c2.
By induction noneg(c1) and noneg(c2).
So noneg(c) by math.
case Seq1: So s is skip;s' and H'=H. I need noneg(H')
and noneg(s'). H'=H does the first one.
noneg(skip;s') ensures noneg(s').
case If1: So s is if e s' s2 for some s2 and H'=H.
I need noneg(H') and noneg(s').
H'=H does the first one.
noneg(if e s' s2) ensures noneg(s').
case If2: So s is if e s2 s' for some s2 and H'=H.
I need noneg(H') and noneg(s').
H'=H does the first one.
noneg(if e s2 s') ensures noneg(s').
case While: So s is while e s2 for some e and s2 and H'=H
and s' is if e (s2; while e s2) skip.
I need noneg(H') and noneg(s').
H'=H does the first one.
For the second, noneg(s) implies noneg(e)
and noneg(s2). From noneg(s), noneg(e), and noneg(s2)
I can derive:
               noneg(s2)  noneg(while e s2)
               ----------------------------
    noneg(e)   noneg(s2; while e s2)           noneg(skip)
    -------------------------------------------------------
               noneg(if e (s2; while e s2) skip)
case Seq2: So s is some s1;s2 and s' is s1';s2 for some s1'
and H;s1-->H';s1'.
Now, since noneg(s), it must be noneg(s1) and noneg(s2)
So by induction (using noneg(H), noneg(s1), and H;s1-->H';s1'),
noneg(H') and noneg(s1').
I need noneg(H') and noneg(s1';s2). noneg(H') is done.
From noneg(s1') and noneg(s2), I can derive noneg(s1';s2).
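Added check, not part of the notes: the interpreter below is my own encoding of the language in the notes (tuples for expressions and statements, a dict for H, an unbound variable reading as 0; the encoding and every function name are assumptions). It implements the small-step rules Assign, Seq1, Seq2, If1, If2 and While named above and uses them to test both theorems on concrete programs: while 1 skip cycles through the three Try 4 shapes and never reaches skip, and noneg holds at every state of a trace whenever it holds at the start (while a program that violates noneg(s) shows the hypothesis is needed). Running traces is not a proof, but it is the check one writes before attempting a preservation argument like the one above.

```python
# Encoding (assumption, not the notes' notation):
#   expressions  ('const', c) | ('var', x) | ('add', e1, e2) | ('mul', e1, e2)
#   statements   ('skip',) | ('assign', x, e) | ('seq', s1, s2)
#                | ('if', e, s1, s2) | ('while', e, s)
#   heaps        dict from variable name to int; unbound variable reads as 0
SKIP = ('skip',)

def eval_exp(H, e):
    """Large-step expression evaluation H;e V c."""
    tag = e[0]
    if tag == 'const':
        return e[1]
    if tag == 'var':
        return H.get(e[1], 0)
    if tag == 'add':
        return eval_exp(H, e[1]) + eval_exp(H, e[2])
    if tag == 'mul':
        return eval_exp(H, e[1]) * eval_exp(H, e[2])
    raise ValueError("unknown expression: %r" % (e,))

def step(H, s):
    """One small step H;s --> H';s'. Returns None only for skip, the one stuck state."""
    tag = s[0]
    if tag == 'skip':
        return None
    if tag == 'assign':                                  # Assign
        H2 = dict(H)
        H2[s[1]] = eval_exp(H, s[2])
        return H2, SKIP
    if tag == 'seq':
        s1, s2 = s[1], s[2]
        if s1 == SKIP:                                   # Seq1
            return H, s2
        H2, s1p = step(H, s1)                            # Seq2 (s1 is not skip, so it steps)
        return H2, ('seq', s1p, s2)
    if tag == 'if':                                      # If1 / If2
        return (H, s[2]) if eval_exp(H, s[1]) != 0 else (H, s[3])
    if tag == 'while':                                   # While: unroll one iteration
        return H, ('if', s[1], ('seq', s[2], s), SKIP)
    raise ValueError("unknown statement: %r" % (s,))

def trace(H, s, n):
    """States H_i;s_i with H;s -->i H_i;s_i for i <= n, stopping early if stuck."""
    states = [(H, s)]
    for _ in range(n):
        r = step(H, s)
        if r is None:
            break
        H, s = r
        states.append((H, s))
    return states

# --- Theorem 1: while 1 skip always diverges (the Try 4 invariant) ----------
WHILE1 = ('while', ('const', 1), SKIP)
SHAPES = {WHILE1: 1,                                                 # (1)
          ('if', ('const', 1), ('seq', SKIP, WHILE1), SKIP): 2,      # (2)
          ('seq', SKIP, WHILE1): 3}                                  # (3)

def steps_taken(n):
    """How many of n requested steps the loop actually takes (n iff it never gets stuck)."""
    return len(trace({}, WHILE1, n)) - 1

def shapes_seen(n):
    """Which Try 4 shape (1, 2 or 3) the loop is in at each of the first n steps."""
    return [SHAPES[s] for (_, s) in trace({}, WHILE1, n)]

# --- Theorem 2: noneg is preserved by stepping -------------------------------
def noneg_exp(e):
    if e[0] == 'const':
        return e[1] >= 0
    if e[0] == 'var':
        return True
    return noneg_exp(e[1]) and noneg_exp(e[2])

def noneg_heap(H):
    return all(c >= 0 for c in H.values())

def noneg_stmt(s):
    tag = s[0]
    if tag == 'skip':
        return True
    if tag == 'assign':
        return noneg_exp(s[2])
    if tag == 'seq':
        return noneg_stmt(s[1]) and noneg_stmt(s[2])
    if tag == 'if':
        return noneg_exp(s[1]) and noneg_stmt(s[2]) and noneg_stmt(s[3])
    return noneg_exp(s[1]) and noneg_stmt(s[2])         # while

def noneg_preserved(H, s, n):
    """True iff noneg(H_i) and noneg(s_i) hold at every state of the n-step trace."""
    return all(noneg_heap(Hi) and noneg_stmt(si) for (Hi, si) in trace(H, s, n))

# Constructed sample: x := 2; y := x*3 + 1; while y (y := y + x)   (all constants >= 0)
PROG = ('seq', ('assign', 'x', ('const', 2)),
        ('seq', ('assign', 'y', ('add', ('mul', ('var', 'x'), ('const', 3)), ('const', 1))),
                ('while', ('var', 'y'), ('assign', 'y', ('add', ('var', 'y'), ('var', 'x'))))))
# Constructed counter-sample: noneg(s) fails, so the theorem promises nothing about H'
BAD = ('assign', 'z', ('add', ('const', 1), ('const', -5)))

if __name__ == '__main__':
    print(steps_taken(100), shapes_seen(6))
    print(noneg_preserved({}, PROG, 50), noneg_stmt(BAD), trace({}, BAD, 1)[-1][0])
```

The cycle 1, 2, 3, 1, ... in shapes_seen is exactly the three cases at the end of Try 4, and noneg_preserved walking a whole trace mirrors the outer induction on n, with each step covered by the single-step lemma marked *** above.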