Proof Techniques for Operational Semantics
Transcript of Proof Techniques for Operational Semantics
1
Proof Techniques for Operational Semantics
Meeting 6, CSCI 5535, Spring 2009
Announcements
• Homework 0 is graded (post tonight)
• Homework 1 is due today
• Office hours:– M 5:30pm-6:30pm (after class)
– W 1:30pm-2:30pm
2
Review of Small-Step Operational Semantics
What is the key feature of small-step operational semantics?
• Why choose small-step versus big-step operational semantics?
4
What is contextual operational semantics?
5
Quick Summary
• Small-step operational semanticsmodels intermediate states– Execution is modeled as a (possible infinite) sequence of states
– Not quite as easy as large-step natural semantics, though
• Contextual operational semantics is a small-step operational semantics where the atomic execution step is a rewriteof the program
6
2
Small-Step View of Evaluation
• A sequence of atomic rewrites:
<x+(7-3),σ> → <x+(4),σ> → <5+4,σ> → <9,σ>
• Contextual view:
If <r, σσσσ> →→→→ <e, σσσσ’>
then <H[r], σσσσ> →→→→ <H[e], σσσσ’>
7
σ(x)=5
r : redexr : redexH : context (“exp with a hole”)
Context Decomposition Theorem
• If c is not “skipskipskipskip” then there exist unique H and r such that c is H[r]– “Exist” means progress
– “Unique” means determinism
8
• skip
• skip; x := 0
9
Redex or Not?Decomposition? Reduction?
• if true then x := -x else skip
• if 5 ≤ 0 then x := -x else skip
10
Redex or Not?Decomposition? Reduction?
• if x ≤ 0 then x := -x else skip
• while true do x := x + 1
11
Redex or Not?Decomposition? Reduction?
• while x ≤ n do x := x + 1
12
Redex or Not?Decomposition? Reduction?
3
Summary:Contextual Operational Semantics
• Can view • as representing the program counter• The advancement rules for • are non-trivial
– At each step the entire command is decomposed– This makes contextual semantics inefficient to
implement directly
• The major advantage of contextual semantics: allows a mix of local and global reduction rules– For IMP we have only local reduction rules: only the
redex is reduced– Sometimes it is useful to work on the context too
13
End of Review
Today’s Plan
• Why Bother?
• Mathematical Induction
• Well-Founded Induction
• Structural Induction– “By induction on the structure of the derivation D”
15
One-Slide Summary
• Mathematical induction is a proof technique: If you can prove P(0) and you can prove that P(n) implies P(n+1), then you can conclude that for all natural numbers n, P(n) holds.
• Induction works because the natural numbers are well-founded: there are no infinite descending chainsn > n-1 > n-2 > ... > ... .
• Structural induction is induction on a formal structure, like an AST. The base cases use the leaves, the inductive steps use the inner nodes.
• Induction on a derivation is structural induction applied to a derivation D (e.g., D :: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’).
16
Why Bother?
• I must convince you op. sem. proof techniques are useful.
• Recall class goals:• Understand PL research techniques and
• Apply them to your research
17
Classic Example (Schema)
• “A well-typed program cannot go wrong.” – Robin Milner
• When you design a new type system, you must show that it is safe (= that the type system is sound with respect to the operational semantics).
• A Syntactic Approach to Type Soundness. Andrew K. Wright, Matthias Felleisen, 1992.– Preservation: “if you have a well-typed program and apply an
op. sem. rule, the result is well-typed.”
– Progress: “a well-typed program will never get stuck in a state with no applicable op. sem. rules”
• Done for real languages: SML, SPARK ADA, Java– plus basically every toy PL research language ever
18
4
Instances
• CCured Project (Berkeley) – A program that is instrumented with CCured run-time checks (=
“adheres to the CCured type system”) will not segfault (= “the x86 op. sem. rules will never get stuck”).
• Vault Language (Microsoft Research) – A well-typed Vault program does not leak any tracked resources and
invokes tracked APIs correctly (e.g., handles IRQL correctly in asynchronous Windows device drivers, cf. Capability Calculus)
• RC – Reference-Counted Regions For C (Intel Research) – A well-typed RC program gains the speed and convenience of region-
based memory management but need never worry about freeing a region too early (run-time checks).
• Typed Assembly Language (Cornell) – Reasonable C programs (e.g., device drivers) can be translated to
TALx86. Well-typed TALx86 programs are type- and memory-safe.
19
Induction!
• Probably most important technique for studying the formal semantics of PLs– To perform or understand PL research, you must grok this!
• Mathematical Induction (simple)
• Well-Founded Induction (general)
• Structural Induction (widely used in PL)
20
Mathematical Induction
• Goal: prove ∀n ∈ N. P(n)
• Base Case: prove P(0)
• Inductive Step:– Prove ∀ n. P(n) ⇒ P(n+1)
– “Pick arbitrary n, assume P(n), prove P(n+1)”
• Why does induction work? 21
Why does it work?
• There are no infinite descending chainsof natural numbers
• For any n, P(n) can be obtained by starting from the base case and applying n instances of the inductive step
22
Example (With IMP Eval. Semantics)
• Prove that if σ(x) ≤ 6 then<while x ≤ 5 do x := x + 1, σ> ⇓ σ[x := 6]
• Reformulate the claim:– Let W = while x ≤ 5 do x := x + 1
– Let σi = σ[x:= 6 - i]– Claim: ∀∀∀∀∀∀∀∀ii∈∈∈∈∈∈∈∈NNNNNNNN. <W, σi> ⇓ σ0
• Now looks provable by mathematical induction on i
23
Most often, the hard part!
Evaluation Example (Base Case)
• Base case: i = 0 or <W, σ0> ⇓ σ0
– To prove an evaluation judgment, construct a derivation tree:
24
σ0(x) = 6
<x, σ0> ⇓ 6 <6 ≤ 5, σ0> ⇓ false
<x ≤ 5, σ0> ⇓ false
<while x ≤ 5 do x := x + 1, σ0> ⇓ σ0
iσi = σ[x:= 6 - i]
5
Evaluation Example (Inductive Case)
• Must prove ∀i ∈N. <W, σi> ⇓ σ0 ⇒ <W, σi+1> ⇓ σ0
– Pick an arbitrary i ∈ N
– Assume that <W, σi> ⇓ σ0
– Now prove that <W, σi+1> ⇓ σ0
– Must construct a derivation tree:
25iσi = σ[x:= 6 - i]
<x, σi+1> ⇓ 5 - i 5 - i ≤ 5
<x ≤ 5, σi+1> ⇓ true
<while x ≤ 5 do x := x + 1, σi+1> ⇓ σ0
<x:=x+1, σi+1> ⇓ σi <W, σi> ⇓ σ0
<x + 1, σi+1> ⇓ 6 - i
Well-Founded Induction
• A relation ≺ ⊆ A × A is well-founded if there are no infinite descending chains in A– Example: <1 = { (x, x +1) | x ∈ N }
• aka the predecessor relation
– Example: < = { (x, y) | x, y ∈ N and x < y }
• Well-founded induction:– To prove ∀x ∈ A. P(x) it is enough to prove ∀x ∈ A. (∀y ≺ x ⇒ P(y)) ⇒ P(x)
• If ≺ is <1 then we obtain mathematical induction as a special case
26
Well-Founded Induction: Examples
• Consider p ⊆ Z × Z with x p y iff(y < 0 Æ y = x - 1) Ç (y > 0 Æ y = x + 1).– Induction principle:
P(0) ∧ ∀x ≤ 0. P(x) ⇒ P(x - 1) ∧ ∀x ≥ 0. P(x) ⇒ P(x + 1)
• Consider p ⊆ (N × N) × (N × N) and (x1, y1) p (x2, y2) iffx2 = x1 + 1 ∨ (x1 = x2 ∧ y2 = y1 + 1).– Induction principle:
P(0,0) ∧ ∀ x,y,y’. (P(x,y) ⇒ P(x + 1, y’) ∧ P(x, y+ 1))
27
Says what?
This has a common name. Anyone see?
Structural Induction (on Expressions)
• For e ::= n | x | e1 + e2 | e1 * e2
• Define p ⊆ Aexp × Aexp such thate1 p e1 + e2 e2 p e1 + e2
e1 p e1 * e2 e2 p e1 * e2
no other elements of Aexp × Aexp are related by p
• To prove ∀e ∈ Aexp. P(e) – prove ∀n ∈ Z. P(n)
– prove ∀x ∈ L. P(x)
– prove ∀e1, e2 ∈ Aexp. P(e1) ∧ P(e2) ⇒ P(e1 + e2)
– prove ∀e1, e2 ∈ Aexp. P(e1) ∧ P(e2) ⇒ P(e1 * e2)
28
Notes on Structural Induction
• Called structural induction because the proof is guided by the structure of the expression
• One proof case per form of expression– Atomic expressions (with no subexpressions) are all
base cases
– Composite expressions are the inductive cases
• Structural induction is the most useful most useful form of inductionform of induction in the study of PL
29
Example Proof Using Induction on the Structure of Expressions
• LetL(e) be the # of literals and variable occurrences in eO(e) be the # of operators in e
• Prove that ∀e ∈ Aexp. L(e) = O(e) + 1• Proof: By induction on the structure of e.
– Case e = n:
– Case e = x:
30
6
Example Proof Using Induction on the Structure of Expressions
– Case e = e1 + e2:
– Case e = e1 * e2:
31
Example Proof Using Induction on the Structure of Expressions
• LetL(e) be the # of literals and variable occurrences in eO(e) be the # of operators in e
• Prove that ∀e ∈ Aexp. L(e) = O(e) + 1• Proof: By induction on the structure of e.
– Case e = n: L(e) = 1 and O(e) = 0– Case e = x: L(e) = 1 and O(e) = 0– Case e = e1 + e2:
• L(e) = L(e1) + L(e2) and O(e) = O(e1) + O(e2) + 1• By the induction hypothesis,
L(e1) = O(e1) + 1 and L(e2) = O(e2) + 1• Thus, L(e) = O(e1) + O(e2) + 2 = O(e) + 1
– Case e = e1 * e2: Same as the case for + 32
“Try it at home!”
• Most proofs for the Aexp sublanguage of IMP can work by structural induction
• Small-step and big-step semantics obtain equivalent results: ∀e ∈ Aexp. ∀n ∈ Z. e →* n ⇔ e ⇓ n
33
Structural induction on Aexp works Structural induction on Aexp works here because all of the semantics are syntax-directed
“Obvious, right?”
• You are given a concrete state σ.
• You have <x + 1, σ> ⇓ 5
• You also have <x + 1, σ> ⇓ 88
• Is this possible?
34
Let’s make sure
• Prove that IMP is deterministic∀e ∈ Aexp. ∀σ ∈ Σ. ∀n, n’ ∈ Z. <e, σ> ⇓ n ∧ <e, σ> ⇓ n’ ⇒ n = n’
∀b ∈ Bexp. ∀σ ∈ Σ. ∀t, t’ ∈ B. <b, σ> ⇓ t ∧ <b, σ> ⇓ t’ ⇒ t = t’
∀c ∈ Com. ∀σ, σ’,σ’’ ∈ Σ. <c, σ> ⇓ σ’ ∧ <c, σ> ⇓ σ’’ ⇒ σ’ = σ’’
• No immediate way to use mathematical induction
• For commands we cannot use induction on the structure of the command– while’s evaluation does notnot depend only on the evaluation of
its strict subexpressions
35
<while b do c, σ> ⇓ σ’’
<b, σ> ⇓ true <c, σ> ⇓ σ’ <while b do c, σ’> ⇓ σ’’
We need something new!
• Some more powerful form of induction
• With all the bells and whistles!
36
7
Recall Proof Systems
• Operational semantics assigns meanings to programs by listing rules of inference that allow to prove judgments by constructing derivations.
• A derivation is a tree-structured object made up of valid instances of inference rules.
37Find the keyword in the above. Ideas?
Induction on the Structure of DerivationsDerivations
• Key idea: The hypothesis does not just assume a c ∈Com but the existence of a derivation of <c, σσσσ> ⇓⇓⇓⇓ σσσσ’
• Derivation trees are also defined inductively, just like expression trees
• A derivation is built of subderivations:
• Adapt the structural induction principle to work on the structure of derivations
38
<x, σi+1> ⇓ 5 - i 5 - i ≤ 5
<x ≤ 5, σi+1> ⇓ true <x:=x+1; W, σi+1> ⇓ σ0
<while x ≤ 5 do x := x + 1, σi+1> ⇓ σ0
<x:=x+1, σi+1> ⇓ σi <W, σi> ⇓ σ0
<x + 1, σi+1> ⇓ 6 - i
Induction on the Structure of Derivations
• To prove that for all derivations D of a judgment, property P holds
• For each derivation rule of the form
• Assume P holds for derivations of Hi (i = 1..n) • Prove the the property holds for the
derivation obtained from the derivations of Hi using the given rule
39
C
H1 … Hn
Notation: Naming Derivations
• Write
D :: Judgment
to mean “D is the derivation that proves Judgment”
• Example:
D :: <e1 + e2, σ> ⇓ n1 + n2
40
Proving Com Evaluation is Deterministic
• Note: recall that meta-variables are universally-quantified (i.e., the above is for all c ∈ Com, σ, σ’,σ’’ ∈ Σ, derivations D and D’.
• Start by picking each to be arbitrary.
ProofProof: By induction on the structure of derivation D.
41
If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.
Proving Com Evaluation is Deterministic
• Case
– This means that c = skip and σ’ = σ.– By inversion, D’:: <c, σ> ⇓ σ’’ uses the rule for skip.– Thus, σ’’ = σ.
42
If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.
<skip, σ> ⇓ σD :: last rule used in D was
the one for skip
This is a base case in the induction.
8
Proving Com Evaluation is Deterministic
• Case
– By inversion, D’ :: <c, σ> ⇓ σ’’ uses the rule for sequencing and has subderivationsD’1 :: <c1, σ> ⇓ σ’’1 and D’2 :: <c2, σ’’1> ⇓ σ’’
– By induction hypothesis on D1 (with D’1): σ1 = σ’’1– By induction hypothesis on D2 (with D’2): σ’ = σ’’
43
If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.
<c1; c2, σ> ⇓ σ’D ::
D1 :: <c1, σ> ⇓ σ1 D2 :: <c2, σ1> ⇓ σ’
This is a simple inductive case.
Proving Com Evaluation is Deterministic
• Case
44
If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.
<while b do c, σ> ⇓ σ’D ::
D0 :: <b, σ> ⇓ true D1 :: <c, σ> ⇓ σ1 D2 :: <while b do c, σ1> ⇓ σ’
Name this command W
Proving Com Evaluation is Deterministic
• Case
– By inversion and determinism of Bexp evaluation, D’ uses the rule for “while true” withsubderivationsD’1 :: <c, σ> ⇓ σ’’1 and D’2 :: <W, σ’’1> ⇓ σ’’
– By induction hypothesis on D1 (with D’1): σ1 = σ’’1– By induction hypothesis on D2 (with D’2): σ’ = σ’’
45
If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.
<while b do c, σ> ⇓ σ’D ::
D0 :: <b, σ> ⇓ true D1 :: <c, σ> ⇓ σ1 D2 :: <while b do c, σ1> ⇓ σ’
Name this command W
Proving Com Evaluation is Deterministic
• Case
46
If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.
<if b do c1 else c2, σ> ⇓ σ’D ::
D1 :: <b, σ> ⇓ true D2 :: <c1, σ> ⇓ σ’
Try to do this on a piece of paper. In a moment, we’ll have some lucky winners come on down!
Summary: Induction on Derivations
• If you must prove ∀x ∈ A. P(x) ⇒ Q(x) – with A inductively defined and P(x) rule-defined
– we pick arbitrary x ∈ A and D :: P(x)
– we could do induction on both facts• x ∈ A leads to induction on the structure of x
• D :: P(x) leads to induction on the structure of D
– Generally, the induction on the structure of the derivation is more powerful and a safer bet
• Sometimes there are many choices for induction– choosing the right one is a trial-and-error process
– a bit of practice can help a lot 47
Summary: Operational Semantics
• Precise specification of dynamic semantics– order of evaluation (or that it doesn’t matter) – error conditions (sometimes implicitly, by rule
applicability: “no applicable rule” = “get stuck”) • Simple and abstract (vs. implementations)
– no low-level details such as stack and memory management, data layout, etc.
• Often not compositional (see while) • Basis for many proofs about a language
– Especially when combined with type systems!• Basis for much reasoning about programs• Point of reference for other semantics
48