Dan Grossman
Graduate Programming Languages
Lecture 4: Proofs

Note: This is /not/ the version we wrote out live in class -- it's a
cleaned up and more carefully proof-read version.

========================================================

Theorem: while 1 skip always diverges.

Restated: For all H and n, there exists H' and s' such that
          H; while 1 skip -->n H'; s'

TRY #1

Proof: By induction on n, the number of steps

 Base case: 0 steps
   After 0 steps, H'=H and s' = while 1 skip.  Done.

 Inductive case: n > 0
   By induction, there exists an H'' and s'' such that
      H; while 1 skip -->n-1 H''; s''
   So it suffices to show: for all H''; s'' there exists an H' and s'
   such that H''; s'' --> H'; s'

   OOPS: almost works, except if s'' is skip.
   (It was kind of ridiculous anyway: it would need that every program
   can always take some step.)

TRY #2

Stronger theorem: For all H and n, there exists H' and s' such that
   H; while 1 skip -->n H'; s' and s' is not skip

 Base case: 0 steps
   Like before, let H'=H and s' = while 1 skip, and notice while 1 skip
   is not skip.

 Inductive case: n > 0
   By induction, there exists an H'' and s'' such that
      H; while 1 skip -->n-1 H''; s'' and s'' is not skip
   So it suffices to show: for all H''; s'' where s'' is not skip, there
   exists an H' and s' such that H''; s'' --> H'; s'.
   Cases for all kinds of s and I'm done, right?

   OOPS NO: we also have to show s' is not skip!  That fails, e.g., for
      skip;skip
      x:=e
      if 7 skip s
   (each is not skip, yet steps to skip in one step).
   Once again, this induction hypothesis is too weak!

TRY #3

Stronger theorem: For all H and n, H; while 1 skip -->n H; while 1 skip

 Base case: 0 steps
   Yes, after 0 steps we have H and while 1 skip.

 Inductive case: n > 0
   By induction H; while 1 skip -->n-1 H; while 1 skip
   So we just need that H; while 1 skip --> H; while 1 skip

   OOPS: that's not true.  It steps to H; if 1 (skip; while 1 skip) skip.
   In fact, the theorem is not true (already for n = 1).

Lesson: If you strengthen too much, you try to prove something false,
and that had better not work.
TRY #4 (correct)

Stronger theorem: For all H and n, H; while 1 skip -->n H; s where s is one of:
   while 1 skip                        (call this s1)
   if 1 (skip; while 1 skip) skip      (call this s2)
   skip; while 1 skip                  (call this s3)

By induction on n:

 Base case: n=0
   Let s be s1.

 Inductive case: n > 0
   By induction H; while 1 skip -->n-1 H; s where s is s1, s2, or s3.
   Proceed by cases:
     case: If s is s1, then H; s1 --> H; s2.
     case: If s is s2, then H; s2 --> H; s3.
     case: If s is s3, then H; s3 --> H; s1.
   (None of these steps is an Assign, so the heap stays H.)

=====================================

Theorem: (For all H and s and n and H' and s'), if H and s have no negative
constants and H; s -->n H'; s', then H' and s' have no negative constants.

First, define the property "no negative constants" carefully:

--------
|noneg(e)|
--------

[nnconst]   [nnvar]    [nnplus]               [nntimes]

c >= 0                 noneg(e1)  noneg(e2)   noneg(e1)  noneg(e2)
--------   --------    --------------------   --------------------
noneg(c)   noneg(x)    noneg(e1+e2)           noneg(e1*e2)

--------
|noneg(H)|
--------

[nnempty]   [nnheap]

            c>=0  noneg(H)
---------   ---------------
noneg(.)    noneg(H,x->c)

--------
|noneg(s)|
--------

[nnskip]      [nnassign]    [nnseq]

              noneg(e)      noneg(s1)  noneg(s2)
-----------   -----------   --------------------
noneg(skip)   noneg(x:=e)   noneg(s1;s2)

[nnif]                           [nnwhile]

noneg(e)  noneg(s1)  noneg(s2)   noneg(e)  noneg(s)
------------------------------   -------------------
noneg(if e s1 s2)                noneg(while e s)

Restate theorem: If noneg(H) and noneg(s) and H; s -->n H'; s'
                 then noneg(H') and noneg(s').

Proof of main theorem: By induction on the number of steps n:

 Base case: n=0
   Then H'=H and s'=s, so noneg(H) implies noneg(H') and noneg(s) implies noneg(s').

 Inductive case: n > 0
   Then there exists an H'' and s'' such that H; s -->n-1 H''; s''
   and H''; s'' --> H'; s'.
   By induction, noneg(H'') and noneg(s'').
   So given H''; s'' --> H'; s', the following lemma suffices:

Lemma: (For all H, s, H', s'), if noneg(H) and noneg(s) and H; s --> H'; s'
       then noneg(H') and noneg(s').

Proof by induction on the derivation of H; s --> H'; s', with a case for
each rule that could be the last one instantiated.

 case Seq1:
   Then s is skip;s1 for some s1, and s' is s1, and H' is H.
   So noneg(H) implies noneg(H').
   And inversion on noneg(s), i.e., noneg(skip;s1), ensures noneg(s1), i.e., noneg(s').

   [[What is this inversion thing?  Long version: noneg(s) (which the lemma
     assumes) means there's a derivation of noneg(skip;s1), because
     s = skip;s1 /in this case/.  Looking at /all/ the rules for deriving
     noneg(skip;s1), only [nnseq] applies.  So the hypotheses of that rule
     must hold.  So noneg(s1).]]

 case Seq2:
   Then s is s1;s2 for some s1 and s2, and H; s1 --> H'; s1' for some s1',
   and s' is s1';s2.
   Inversion on noneg(s), i.e., noneg(s1;s2), ensures noneg(s1) and noneg(s2).
   By induction (since noneg(H) and noneg(s1) and H; s1 --> H'; s1'),
   noneg(H') and noneg(s1').
   To get noneg(s'), i.e., noneg(s1';s2), we can derive:

        noneg(s1')  noneg(s2)
        ---------------------
           noneg(s1';s2)

 case If1:
   Then s is if e s1 s2 for some e, s1, and s2, and H; s --> H; s1.
   Inversion on noneg(s), i.e., noneg(if e s1 s2), ensures noneg(s1).
   And H'=H, so noneg(H').

 case If2:
   Then s is if e s1 s2 for some e, s1, and s2, and H; s --> H; s2.
   Inversion on noneg(s), i.e., noneg(if e s1 s2), ensures noneg(s2).
   And H'=H, so noneg(H').

 case While:
   Then s is while e s1 for some e and s1, and H; s --> H; if e (s1; s) skip.
   Inversion on noneg(s), i.e., noneg(while e s1), ensures noneg(e) and noneg(s1).
   H' = H, so noneg(H') holds.
   We need noneg(if e (s1; s) skip).  Note noneg(s) itself is a hypothesis
   of the lemma, and noneg(skip) holds by [nnskip] with no premises:

               noneg(s1)  noneg(s)
               -------------------   -----------
      noneg(e)    noneg(s1; s)       noneg(skip)
      -----------------------------------------
             noneg(if e (s1; s) skip)

 case Assign:
   Then s is x:=e for some x and e, and H' is H,x->c for some c where H; e V c.
   Oh, and s'=skip.  So noneg(s') follows from noneg(skip).
   Inversion on noneg(s), i.e., noneg(x:=e), ensures noneg(e).
   noneg(H') follows from noneg(H) and c >= 0 (by [nnheap]), provided that,
   uhm, c >= 0...  Which is exactly what the next lemma gives, using
   noneg(H), noneg(e), and H; e V c.

Lemma: If noneg(H) and noneg(e) and H; e V c then c >= 0.

Proof: By induction on the height of the derivation of H; e V c.

 Base case: height is 1.
   In this case, the rule has to be Const or Var.

   Case Const: In this case e is c.  Therefore noneg(e) ensures c >= 0.

   Case Var: In this case e is some x.  Therefore noneg(H) ensures that c,
     which is H(x), is >= 0.
     [Note: this really requires its own lemma (by induction on the
      derivation of noneg(H)), but we will omit that here.]

 Inductive case: height > 1.
   In this case, the rule has to be Plus or Times.
   (Below, blue+ and blue* are the arithmetic operations on integer
   constants, as distinct from the syntactic + and * of expressions.)

   Case Plus: In this case e is e1+e2 for some e1 and e2.
     By inversion on noneg(e), we know noneg(e1) and noneg(e2).
     By the hypotheses of the Plus rule, c is c1 blue+ c2 where
     H; e1 V c1 and H; e2 V c2.
     By induction with noneg(e1) and H; e1 V c1, c1 >= 0.
     By induction with noneg(e2) and H; e2 V c2, c2 >= 0.
     By the properties of blue+ (the sum of two non-negative integers
     is non-negative), c >= 0.

   Case Times: In this case e is e1*e2 for some e1 and e2.
     By inversion on noneg(e), we know noneg(e1) and noneg(e2).
     By the hypotheses of the Times rule, c is c1 blue* c2 where
     H; e1 V c1 and H; e2 V c2.
     By induction with noneg(e1) and H; e1 V c1, c1 >= 0.
     By induction with noneg(e2) and H; e2 V c2, c2 >= 0.
     By the properties of blue* (the product of two non-negative integers
     is non-negative), c >= 0.
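An executable model of the language in these notes, added here as an example (it is not part of the lecture, and Dan Grossman's course provides no such code). It implements the big-step expression judgment H; e V c, the small-step statement relation H; s --> H'; s' (Assign, Seq1, Seq2, If1, If2, While) and the three noneg judgments, then runs both theorems mechanically: the s1 -> s2 -> s3 -> s1 cycle of TRY #4 and the preservation of noneg over an n-step run. Assumptions of this example only: expressions and statements are encoded as tagged tuples and a heap as a dict; an if guard is "true" when it evaluates to a positive constant; an unbound variable reads as 0; the sample program is constructed.

```python
# Added example: executable model of the IMP-like language used in the notes.
# Encoding (assumption of this example):
#   e ::= ('const', c) | ('var', x) | ('plus', e1, e2) | ('times', e1, e2)
#   s ::= ('skip',) | ('assign', x, e) | ('seq', s1, s2) | ('if', e, s1, s2) | ('while', e, s)
#   H  = dict mapping variable names to integer constants


def eval_expr(H, e):
    """Big-step H; e V c with the rules Const, Var, Plus, Times."""
    tag = e[0]
    if tag == 'const':
        return e[1]
    if tag == 'var':
        return H.get(e[1], 0)        # assumption: an unbound variable reads as 0
    if tag == 'plus':
        return eval_expr(H, e[1]) + eval_expr(H, e[2])
    if tag == 'times':
        return eval_expr(H, e[1]) * eval_expr(H, e[2])
    raise ValueError(f"bad expression {e!r}")


def step(H, s):
    """Small-step H; s --> H'; s'.  Returns (H', s'), or None when s is skip (no rule applies)."""
    tag = s[0]
    if tag == 'skip':
        return None
    if tag == 'assign':                                   # Assign: H; x:=e --> H,x->c; skip
        H2 = dict(H)
        H2[s[1]] = eval_expr(H, s[2])
        return H2, ('skip',)
    if tag == 'seq':
        s1, s2 = s[1], s[2]
        if s1 == ('skip',):                               # Seq1
            return H, s2
        H2, s1p = step(H, s1)                             # Seq2: only s1 steps
        return H2, ('seq', s1p, s2)
    if tag == 'if':                                       # If1 if guard positive, else If2 (assumption)
        return (H, s[2]) if eval_expr(H, s[1]) > 0 else (H, s[3])
    if tag == 'while':                                    # While: unroll one iteration
        return H, ('if', s[1], ('seq', s[2], s), ('skip',))
    raise ValueError(f"bad statement {s!r}")


def noneg_expr(e):
    """noneg(e): rules nnconst, nnvar, nnplus, nntimes."""
    if e[0] == 'const':
        return e[1] >= 0
    if e[0] == 'var':
        return True
    return noneg_expr(e[1]) and noneg_expr(e[2])


def noneg_heap(H):
    """noneg(H): rules nnempty, nnheap (every stored constant is >= 0)."""
    return all(c >= 0 for c in H.values())


def noneg_stmt(s):
    """noneg(s): rules nnskip, nnassign, nnseq, nnif, nnwhile."""
    tag = s[0]
    if tag == 'skip':
        return True
    if tag == 'assign':
        return noneg_expr(s[2])
    if tag == 'seq':
        return noneg_stmt(s[1]) and noneg_stmt(s[2])
    if tag == 'if':
        return noneg_expr(s[1]) and noneg_stmt(s[2]) and noneg_stmt(s[3])
    if tag == 'while':
        return noneg_expr(s[1]) and noneg_stmt(s[2])
    raise ValueError(f"bad statement {s!r}")


# The three statements s1, s2, s3 from TRY #4.
S1 = ('while', ('const', 1), ('skip',))
S2 = ('if', ('const', 1), ('seq', ('skip',), S1), ('skip',))
S3 = ('seq', ('skip',), S1)


def while_1_skip_trace(n, H=None):
    """Statements reached after 1..n steps of H; while 1 skip.
    TRY #4 predicts the heap never changes and the statements cycle s2, s3, s1, ..."""
    H = {} if H is None else H
    s, trace = S1, []
    for _ in range(n):
        H2, s = step(H, s)
        if H2 != H:
            raise AssertionError("heap changed during while 1 skip")
        trace.append(s)
    return trace


def run_preserving_noneg(H, s, max_steps):
    """Run H; s for up to max_steps steps, re-checking noneg(H) and noneg(s) after each one.
    Returns (steps taken, final heap, final statement); stops early once s is skip."""
    if not (noneg_heap(H) and noneg_stmt(s)):
        raise ValueError("theorem's hypothesis fails: negative constant in H or s")
    for i in range(max_steps):
        r = step(H, s)
        if r is None:
            return i, H, s
        H, s = r
        if not (noneg_heap(H) and noneg_stmt(s)):
            raise AssertionError(f"noneg broken after step {i + 1}: {H}; {s}")
    return max_steps, H, s


# Constructed sample program:  x := 2; y := x*x + 1; if y (z := y + 3) (z := 0)
SAMPLE = ('seq', ('assign', 'x', ('const', 2)),
          ('seq', ('assign', 'y', ('plus', ('times', ('var', 'x'), ('var', 'x')), ('const', 1))),
                  ('if', ('var', 'y'),
                         ('assign', 'z', ('plus', ('var', 'y'), ('const', 3))),
                         ('assign', 'z', ('const', 0)))))

if __name__ == '__main__':
    print(while_1_skip_trace(6) == [S2, S3, S1] * 2)       # the TRY #4 cycle
    print(run_preserving_noneg({}, SAMPLE, 100))            # terminates with noneg intact
    print(run_preserving_noneg({}, S1, 1000)[0])            # diverges: uses the whole budget
```

Running `while 1 skip` for 1000 steps uses the whole step budget and never breaks noneg, which is what both theorems say; a program containing a negative constant is rejected up front because the theorem's hypothesis does not hold for it, not because the model found a step that breaks the property.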