Dan Grossman; Graduate Programming Languages; Lecture 4 Proofs
Note: This is /not/ the version we wrote out live in class -- it's a
cleaned-up and more carefully proof-read version.
========================================================
Theorem: while 1 skip always diverges.
Restated: For all H and n, there exists H' and s' such that
H; while 1 skip -->n H'; s'
TRY #1
Proof: By induction on n, the number of steps
Base case: 0 steps
After 0 steps, H'=H and s' = while 1 skip. Done.
Inductive case n > 0
By induction, there exists an H'' and s'' such that
H; while 1 skip -->n-1 H'';s''
So it suffices to show: for all H'';s'' there exists an H' and s'
such that H'';s'' --> H';s'
OOPS: this almost works, except when s'' is skip.
(It was also suspicious: it would have required that every program
can always take some step.)
TRY #2
Stronger theorem: For all H and n, there exists H' and s' such that
H; while 1 skip -->n H'; s' and s' is not skip
Base case: 0 steps
Like before, let H'=H and s'=while 1 skip and notice while 1 skip
is not skip
Inductive case: n > 0
By induction, there exists an H'' and s'' such that
H; while 1 skip -->n-1 H'';s'' and s'' is not skip
So it suffices to show: for all H'';s'' where s'' is not skip,
there exists an H' and s' such that H'';s'' --> H';s'
Cases for all kinds of s'' and I'm done, right?
OOPS NO, I also have to show s' is not skip! And that fails: each of
these is not skip, yet steps to skip in one step:
    skip;skip
    x:=e
    if 7 skip s
Once again, this induction hypothesis is too weak!
TRY #3
Stronger theorem: For all H and n,
H;while 1 skip -->n H; while 1 skip
Base case: 0 steps
Yes, after 0 steps we have H and while 1 skip
Induction: n > 0
By induction H;while 1 skip -->n-1 H; while 1 skip
So we just need that H;while 1 skip --> H; while 1 skip
OOPS That's not true: it steps to H; if 1 (skip; while 1 skip) skip
In fact, the theorem is not true.
Lesson: if you strengthen too much, you end up trying to prove
something false, and that had better not work.
TRY #4 (correct)
Stronger theorem: For all H and n,
H;while 1 skip -->n H; s
where s is one of:
while 1 skip (call this s1)
if 1 (skip; while 1 skip) skip (call this s2)
skip ; while 1 skip (call this s3)
By induction on n:
Base case n=0:
Let s be s1
Induction case n > 0:
By induction H;while 1 skip -->n-1 H;s where s is s1, s2, or s3.
Proceed by cases:
case: If s is s1, then H;s1 --> H;s2.
case: If s is s2, then H;s2 --> H;s3.
case: If s is s3, then H;s3 --> H;s1.
=====================================
Theorem:
(For all H and s and n and H' and s'),
If H and s have no negative constants and
H;s -->n H';s', then H' and s' have no negative constants.
First, define the property "no negative constants" carefully, as three
inductively defined judgments (one rule per syntactic form):

 ---------
|noneg(e)|
 ---------

[nnconst]     [nnvar]      [nnplus]                 [nntimes]
 c >= 0                     noneg(e1)  noneg(e2)     noneg(e1)  noneg(e2)
 --------     --------     -------------------      -------------------
 noneg(c)     noneg(x)     noneg(e1+e2)             noneg(e1*e2)

 ---------
|noneg(H)|
 ---------

[nnempty]     [nnheap]
              c >= 0  noneg(H)
 --------     ---------------
 noneg(.)     noneg(H,x->c)

 ---------
|noneg(s)|
 ---------

[nnskip]       [nnassign]     [nnseq]
                noneg(e)       noneg(s1)  noneg(s2)
 -----------    -----------    -------------------
 noneg(skip)    noneg(x:=e)    noneg(s1;s2)

[nnif]                           [nnwhile]
 noneg(e)  noneg(s1)  noneg(s2)   noneg(e)  noneg(s)
 -----------------------------    ------------------
 noneg(if e s1 s2)                noneg(while e s)
Restate theorem: If noneg(H) and noneg(s) and H;s-->n H';s'
then noneg(H') and noneg(s').
Proof of main theorem: By induction on number of steps n:
Base case: n=0
Then H'=H and s'=s so noneg(H) implies noneg(H') and
noneg(s) implies noneg(s').
Inductive case: n > 0
Then there exists an H'' and s'' such that
H;s -->n-1 H'';s''
and H'';s'' --> H';s'.
By induction, noneg(H'') and noneg(s'').
So given H'';s'' --> H';s', the following lemma suffices:
Lemma: (For all H, s, H', s'),
if noneg(H) and noneg(s) and H;s-->H';s', then noneg(H') and noneg(s')
Proof by induction on the derivation of H;s --> H';s' with cases
for each rule being instantiated.
case Seq1:
Then s is skip;s1 for some s1 and s' is s1 and H' is H.
So noneg(H) implies noneg(H').
And inversion on noneg(s) i.e., noneg(skip;s1) ensures
noneg(s1), i.e., noneg(s').
[[What is this inversion thing? Long version:
noneg(s) (which the lemma assumes)
means there's a derivation of noneg(skip;s1) because
s = skip;s1 /in this case/. Looking at /all/ the rules
for deriving noneg(skip;s1), only [nnseq] applies. So
the hypotheses of that rule must hold. So noneg(s1).]]
case Seq2:
Then s is s1;s2 for some s1 and s2 and H;s1 --> H';s1'
for some s1' and s' is s1';s2.
Inversion on noneg(s) i.e., noneg(s1;s2) ensures
noneg(s1) and noneg(s2).
By induction (since noneg(H) and noneg(s1) and H;s1-->H';s1'),
noneg(H') and noneg(s1').
To get noneg(s') i.e., noneg(s1';s2), we can derive
     noneg(s1')  noneg(s2)
     ---------------------
        noneg(s1';s2)
case If1:
Then s is if e s1 s2 for some e, s1, and s2 and H;s --> H;s1.
Inversion on noneg(s), i.e., noneg(if e s1 s2) ensures noneg(s1).
And H'=H so noneg(H').
case If2:
Then s is if e s1 s2 for some e, s1, and s2 and H;s --> H;s2.
Inversion on noneg(s), i.e., noneg(if e s1 s2) ensures noneg(s2).
And H'=H so noneg(H').
case While:
Then s is while e s1 for some e and s1 and
H;s --> H; if e (s1; s) skip
Inversion on noneg(s) i.e., noneg(while e s1) ensures
noneg(e) and noneg(s1).
H' = H so noneg(H') holds.
We need noneg(if e (s1; s) skip), which we derive using noneg(s),
i.e., noneg(while e s1), which the lemma assumes:
                      noneg(s1)  noneg(s)
                      -------------------
           noneg(e)   noneg(s1; s)         noneg(skip)
           -------------------------------------------
                   noneg(if e (s1; s) skip)
case Assign:
Then s is x:=e for some x and e and H' is H,x->c for some c
where H;e V c. Oh, and s'=skip
So noneg(s') follows from noneg(skip).
noneg(H') follows from noneg(H) and c >= 0 provided that, uhm, c >= 0...
Lemma: If noneg(H) and noneg(e) and H;e V c then c >= 0.
Proof: By induction on the derivation of H;e V c, with cases for
each rule being instantiated.
Case Const: In this case, e is c. Therefore noneg(e) ensures c >= 0.
Case Var: In this case, e is some x. Therefore noneg(H) ensures
c, which is H(x), is >= 0. [Note: this really requires its own
lemma but we will omit that here.]
Case Plus: In this case, e is e1+e2 for some e1 and e2.
By inversion on noneg(e), we know noneg(e1) and noneg(e2).
By the hypotheses of the Plus rule, c is c1 blue+ c2 (blue+ being
mathematical addition on integers, not the syntactic +) where
H;e1 V c1 and H;e2 V c2.
By induction with noneg(e1) and H;e1 V c1, c1 >= 0.
By induction with noneg(e2) and H;e2 V c2, c2 >= 0.
By the properties of blue+ (the sum of two nonnegative integers is
nonnegative), c >= 0.
Case Times: In this case, e is e1*e2 for some e1 and e2.
By inversion on noneg(e), we know noneg(e1) and noneg(e2).
By the hypotheses of the Times rule, c is c1 blue* c2 (blue* being
mathematical multiplication on integers, not the syntactic *) where
H;e1 V c1 and H;e2 V c2.
By induction with noneg(e1) and H;e1 V c1, c1 >= 0.
By induction with noneg(e2) and H;e2 V c2, c2 >= 0.
By the properties of blue* (the product of two nonnegative integers is
nonnegative), c >= 0.
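Both results above (the three-shape invariant of TRY #4, and the noneg
preservation theorem with its per-step and evaluation lemmas) can be
exercised on concrete runs with a small interpreter. The following is an
added example, not code from the notes or the course: the AST encoding, the
choice that an unbound variable reads as 0, and the convention that a
nonzero condition takes the "then" branch are assumptions of this example.

```python
# Added example, not part of the lecture notes: a tiny interpreter for the IMP
# fragment used above, plus executable checks of TRY #4 (the 3-state cycle of
# "while 1 skip") and of the noneg preservation theorem. The AST encoding is
# this example's own assumption:
#   expressions: int constant, str variable, ("+", e1, e2), ("*", e1, e2)
#   statements:  ("skip",), (":=", x, e), (";", s1, s2), ("if", e, s1, s2),
#                ("while", e, s);  heaps: dict {var: int} (unbound var reads 0)
SKIP = ("skip",)

def eval_expr(heap, e):
    """Big-step evaluation H;e V c."""
    if isinstance(e, int):                      # Const
        return e
    if isinstance(e, str):                      # Var (unbound -> 0, assumed)
        return heap.get(e, 0)
    op, e1, e2 = e                              # Plus / Times
    c1, c2 = eval_expr(heap, e1), eval_expr(heap, e2)
    return c1 + c2 if op == "+" else c1 * c2

def step(heap, s):
    """One small step H;s --> H';s' (one branch per rule); None if s is skip."""
    kind = s[0]
    if kind == "skip":
        return None
    if kind == ":=":                            # Assign: H' is H,x->c
        _, x, e = s
        return {**heap, x: eval_expr(heap, e)}, SKIP
    if kind == ";":
        _, s1, s2 = s
        if s1 == SKIP:                          # Seq1
            return heap, s2
        heap2, s1_next = step(heap, s1)         # Seq2
        return heap2, (";", s1_next, s2)
    if kind == "if":                            # If1 / If2 (nonzero = then)
        _, e, s1, s2 = s
        return heap, (s1 if eval_expr(heap, e) != 0 else s2)
    if kind == "while":                         # While: unfold one iteration
        _, e, body = s
        return heap, ("if", e, (";", body, s), SKIP)
    raise ValueError(f"unknown statement {s!r}")

def noneg_expr(e):
    """noneg(e): every constant in e is >= 0 (nnconst, nnvar, nnplus, nntimes)."""
    if isinstance(e, int):
        return e >= 0
    if isinstance(e, str):
        return True
    return noneg_expr(e[1]) and noneg_expr(e[2])

def noneg_heap(heap):
    return all(c >= 0 for c in heap.values())   # nnempty, nnheap

def noneg_stmt(s):
    """noneg(s): one case per rule nnskip .. nnwhile."""
    kind = s[0]
    if kind == "skip":
        return True
    if kind == ":=":
        return noneg_expr(s[2])
    if kind == ";":
        return noneg_stmt(s[1]) and noneg_stmt(s[2])
    if kind == "if":
        return noneg_expr(s[1]) and noneg_stmt(s[2]) and noneg_stmt(s[3])
    if kind == "while":
        return noneg_expr(s[1]) and noneg_stmt(s[2])
    raise ValueError(f"unknown statement {s!r}")

S1 = ("while", 1, SKIP)                         # s1, s2, s3 from TRY #4
S2 = ("if", 1, (";", SKIP, S1), SKIP)
S3 = (";", SKIP, S1)

def divergence_shape(n):
    """Take n steps from while 1 skip; report which of s1, s2, s3 (1, 2, 3)."""
    heap, s = {}, S1
    for _ in range(n):
        heap, s = step(heap, s)                 # never None: s is never skip
    assert heap == {}                           # the loop body never assigns
    return {S1: 1, S2: 2, S3: 3}[s]

def check_preservation(heap, s, max_steps):
    """Run up to max_steps steps from a noneg state, re-checking noneg(H') and
    noneg(s') after each one. Returns (steps taken, final heap)."""
    assert noneg_heap(heap) and noneg_stmt(s), "precondition"
    taken = 0
    while taken < max_steps:
        result = step(heap, s)
        if result is None:                      # program finished at skip
            break
        heap, s = result
        taken += 1
        if not (noneg_heap(heap) and noneg_stmt(s)):
            raise AssertionError(f"invariant broken after {taken} steps")
    return taken, heap

# Constructed sample program: x := 3; (y := x*2; if y (z := y+x) (z := 0))
SAMPLE = (";", (":=", "x", 3),
          (";", (":=", "y", ("*", "x", 2)),
                ("if", "y", (":=", "z", ("+", "y", "x")), (":=", "z", 0))))
```

divergence_shape(n) comes out as n % 3 + 1, which is exactly the cycle
s1 --> s2 --> s3 --> s1 that the three cases of TRY #4 describe, and
check_preservation is the induction on n made executable: each iteration is
one application of the per-step lemma. A finite run is a sanity check, not a
proof; the induction is what covers every n. Note also that the language has
only +, *, and constants, which is why the evaluation lemma goes through; a
subtraction form would have no matching case.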