Theorem: while 1 skip always diverges, i.e.,
For all H and n, there exists H' and s' such that
H; while 1 skip -->n H'; s'
Try 1
Proof:
By induction on n
Base case 0: Let H' = H and s' = while 1 skip.
That is what you have after 0 steps
Inductive case n > 0:
To show H; while 1 skip -->n H';s' for some H' and s'
we need some H'' and s'' such that
H; while 1 skip -->n-1 H'';s'' and H'';s''-->H';s'
By induction H'' and s'' exist such that
H; while 1 skip -->n-1 H'';s''
OOPS, we're stuck because s'' might be skip.
Try 2
For all H and n, there exists H' and s' such that
H; while 1 skip -->n H'; s' and s' is not skip
Proof:
By induction on n
Base case 0: Let H' = H and s' = while 1 skip.
That is what you have after 0 steps -- and notice
that s' is not skip
Inductive case n > 0:
To show H; while 1 skip -->n H';s' for some H' and s'
where s' is not skip
we need some H'' and s'' such that
H; while 1 skip -->n-1 H'';s'' and H'';s''-->H';s'
By induction H'' and s'' exist such that
H; while 1 skip -->n-1 H'';s'' and s'' is not skip
So now (by an argument we'd have to make), H'';s''
will be able to step to some H';s' but OOPS s' could be skip
(what about skip;skip or if 1 skip skip or ...)
Try 3
For all H and n there exists an H' such that
H; while 1 skip -->n H'; while 1 skip
By induction on n:
Base case 0: Let H' = H.
Inductive case n > 0:
We need an H'' and s'' such that
H;while 1 skip-->n-1 H'';s'' and H'';s'' --> H';while 1 skip
By induction, H'' exists and s'' is while 1 skip
So I just need
H'';while 1 skip --> H'; while 1 skip
This is FALSE: the only thing H''; while 1 skip
steps to is H''; if 1 (skip; while 1 skip) skip
Try 4 (correct)
For all H and n there exists an H' and s' such that
H;while 1 skip -->n H'; s' and s' is one of the
following:
(1) while 1 skip
(2) if 1 (skip; while 1 skip) skip
(3) skip; while 1 skip
By induction on n:
Base case 0: Let H'=H and s'=while 1 skip, i.e., (1)
Inductive case n > 0:
We need an H'' and s'' such that
H;while 1 skip-->n-1 H'';s'' and H'';s'' --> H';s'
By induction, H'' exists and s'' is (1), (2), or (3)
We just need that H'';s''--> H'; s' where s' is
(1), (2), or (3).
By cases:
* If s'' is (1), then let H'=H'' and s' be (2)
* If s'' is (2), then let H'=H'' and s' be (3)
* If s'' is (3), then let H'=H'' and s' be (1)
(We could show the step is possible in each case via a derivation.)
=======================================================
Theorem: If H and s have no negative constants and
H;s -->* H';s', then H' and s' have no negative constants
First, let's state this more carefully by defining three judgments that will
provide a concise definition of what it means to have no negative constants.
   ----------       ----------       ----------
   |noneg(e)|       |noneg(H)|       |noneg(s)|
   ----------       ----------       ----------

c >= 0                          noneg(e1) noneg(e2)     noneg(e1) noneg(e2)
--------        --------        -------------------     -------------------
noneg(c)        noneg(x)        noneg(e1+e2)            noneg(e1*e2)

                c>=0  noneg(H)
---------       ---------------
noneg(.)        noneg(H,x->c)

                noneg(e)         noneg(s1) noneg(s2)
-----------     -----------      -------------------
noneg(skip)     noneg(x:=e)      noneg(s1;s2)

noneg(e) noneg(s1) noneg(s2)     noneg(e) noneg(s)
----------------------------     -------------------
noneg(if e s1 s2)                noneg(while e s)
We can now restate our theorem as such:
(For all H, s, n, H', and s'...)
If noneg(H) and noneg(s) and H;s -->n H';s' then
noneg(H') and noneg(s').
Proof:
By induction on n:
Base n=0: H'=H and s'=s. So by assumption, noneg(H)
and noneg(s) is exactly what we need.
Induction n > 0:
Then there exists H'';s'' such that
H;s -->n-1 H'';s'' and H'';s''--> H';s'
By induction, noneg(H'') and noneg(s''). So we just
need this lemma:
Lemma: If noneg(H) and noneg(s) and H;s-->H';s' then
noneg(H') and noneg(s').
Proof by induction on the height of the derivation
of H;s-->H';s'
Height could be 1 (if the last rule used is
Assign, Seq1, If1, If2, While)
case Seq1: This means s is skip;s1 for some s1 and
H'=H and s'=s1. So noneg(H') follows from noneg(H).
By assumption noneg(skip;s1), so by inversion noneg(s1).
[Inversion means that by looking at _all_ the rules for
noneg of some statement, **only one rule** could apply to skip;s1, so
since we know noneg(skip;s1), we also know the hypotheses of
the instantiation of this one rule, namely noneg(skip)
(though we knew that anyway) and noneg(s1) (which is exactly what we
need).]
case If1: This means s is (if e s1 s2) for some e, s1, and
s2 and s' = s1 and H'=H.
So noneg(H') follows from noneg(H).
By assumption noneg(if e s1 s2),
so by inversion noneg(s1).
case If2: This means s is (if e s1 s2) for some e, s1, and
s2 and s' = s2 and H'=H.
So noneg(H') follows from noneg(H).
By assumption noneg(if e s1 s2),
so by inversion noneg(s2).
case Assign: This means s is x := e for some x and e and
s' = skip and H' = H,x->c where H;e V c.
So noneg(s') is trivial since we can derive noneg(skip).
For noneg(H'), we need noneg(H) (true by assumption) and c >= 0, which
follows from this lemma:
Lemma: If noneg(H) and noneg(e) and H;e V c, then c >= 0.
By induction on height of the derivation of H;e V c.
case Const: Then e is c and noneg(e) implies c>=0.
case Var: Then e is some x and c is H(x) and
noneg(H) implies H(x) >= 0 (small cheat: technically need
an inductive lemma on the size of a heap).
case Add: Then e is e1+e2 for some e1 and e2 and c is the sum
of c1 and c2 where H;e1 V c1 and H;e2 V c2.
By induction, c1>=0 and c2>=0.
By how blue-plus works, c is >=0.
case Times: Then e is e1*e2 for some e1, e2 and c is the product
of c1 and c2 where H;e1 V c1 and H;e2 V c2.
By induction, c1>=0 and c2>=0.
By how blue-times works, c is >=0.
case While: So s is while e s1 for some e and s1 and
H' = H and s' = if e (s1; while e s1) skip.
So noneg(H') is by assumption since noneg(H).
I need noneg(if e (s1; while e s1) skip).
I have by inverting noneg(s) that noneg(e) and
noneg(s1). And by assumption noneg(s), i.e.,
noneg(while e s1). So I can derive:
                        noneg(s1)  noneg(while e s1)
                        ----------------------------
            noneg(e)    noneg(s1; while e s1)          noneg(skip)
            -------------------------------------------------------
            noneg(if e (s1; while e s1) skip)
Height could be greater than 1 (if the last rule used is Seq2)
case Seq2: So s is some s1; s2 and s' is s1';s2 for some
s1' and H;s1 --> H'; s1'. By induction therefore
noneg(H') and noneg(s1'). We need noneg(s1';s2).
By inverting noneg(s1; s2), we know noneg(s2).
So I can derive:
noneg(s1') noneg(s2)
------------------------
noneg(s1';s2)
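The following is an added example, not part of the original notes, that checks both theorems above by execution: it implements the notes' IMP small-step rules (Assign, Seq1, Seq2, If1, If2, While) and the three noneg judgments in Python, then confirms that while 1 skip cycles through forms (1), (2), (3) of Try 4 and that noneg is preserved along a run. Assumed, because the notes do not fix them: an unbound variable reads as 0, and if/while treat a value c > 0 as true.

```python
# Added example (not from the notes): a tiny interpreter for the notes' IMP
# language.  Tuples for expressions/statements, dicts for heaps; eval_e is
# H;e V c and step is H;s --> H';s'.  Assumed: unbound vars read as 0, c > 0 is true.
def eval_e(H, e):                                 # big-step H;e V c
    if e[0] == 'c': return e[1]
    if e[0] == 'x': return H.get(e[1], 0)
    l, r = eval_e(H, e[1]), eval_e(H, e[2])
    return l + r if e[0] == '+' else l * r

def step(H, s):                                   # one small step; None if s is skip
    if s[0] == 'skip':   return None
    if s[0] == 'assign': return ({**H, s[1]: eval_e(H, s[2])}, ('skip',))      # Assign
    if s[0] == 'if':     return (H, s[2] if eval_e(H, s[1]) > 0 else s[3])     # If1/If2
    if s[0] == 'while':  return (H, ('if', s[1], ('seq', s[2], s), ('skip',))) # While
    if s[1] == ('skip',): return (H, s[2])                                     # Seq1
    H2, s1 = step(H, s[1])                                                     # Seq2
    return (H2, ('seq', s1, s[2]))

def run(H, s, n):                                 # H;s -->n H';s' (errors if stuck early)
    for _ in range(n):
        H, s = step(H, s)
    return H, s

# The three judgments noneg(e), noneg(H), noneg(s), one clause per rule.
def noneg_e(e):
    if e[0] == 'c': return e[1] >= 0
    return e[0] == 'x' or (noneg_e(e[1]) and noneg_e(e[2]))
def noneg_h(H): return all(c >= 0 for c in H.values())
def noneg_s(s):
    if s[0] == 'skip':   return True
    if s[0] == 'assign': return noneg_e(s[2])
    if s[0] == 'if':     return noneg_e(s[1]) and noneg_s(s[2]) and noneg_s(s[3])
    if s[0] == 'while':  return noneg_e(s[1]) and noneg_s(s[2])
    return noneg_s(s[1]) and noneg_s(s[2])        # seq

# Try 4: after n steps 'while 1 skip' is in exactly one of forms (1), (2), (3).
WHILE1 = ('while', ('c', 1), ('skip',))
FORMS = (WHILE1,                                                   # (1)
         ('if', ('c', 1), ('seq', ('skip',), WHILE1), ('skip',)),  # (2)
         ('seq', ('skip',), WHILE1))                               # (3)
def form_after(n): return FORMS.index(run({}, WHILE1, n)[1]) + 1   # 1, 2 or 3

# Second theorem: noneg holds at every H';s' reachable in n steps from a noneg H;s.
def noneg_along(H, s, n):
    for _ in range(n):
        r = step(H, s)
        if r is None: return True                 # terminated at skip
        H, s = r
        if not (noneg_h(H) and noneg_s(s)): return False
    return True
```

form_after(n) returns 1, 2, 3, 1, 2, 3, ... for n = 0, 1, 2, ..., matching the cases of Try 4, and noneg_along returns False for a program that breaks the noneg hypothesis (a negative constant) to show why the hypothesis is needed.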