Proof Techniques for Operational Semanticsbec/courses/csci5535-s09/...1 Proof Techniques for Operational Semantics Meeting 6, CSCI 5535, Spring 2009 Announcements • Homework 0 is

1

Proof Techniques for Operational Semantics

Meeting 6, CSCI 5535, Spring 2009

Announcements

• Homework 0 is graded (post tonight)

• Homework 1 is due today

• Office hours:– M 5:30pm-6:30pm (after class)

– W 1:30pm-2:30pm

2

Review of Small-Step Operational Semantics

What is the key feature of small-step operational semantics?

• Why choose small-step versus big-step operational semantics?

4

What is contextual operational semantics?

5

Quick Summary

• Small-step operational semanticsmodels intermediate states– Execution is modeled as a (possible infinite) sequence of states

– Not quite as easy as large-step natural semantics, though

• Contextual operational semantics is a small-step operational semantics where the atomic execution step is a rewriteof the program

6

2

Small-Step View of Evaluation

• A sequence of atomic rewrites:

<x+(7-3),σ> → <x+(4),σ> → <5+4,σ> → <9,σ>

• Contextual view:

If <r, σσσσ> →→→→ <e, σσσσ’>

then <H[r], σσσσ> →→→→ <H[e], σσσσ’>

7

σ(x)=5

r : redexr : redexH : context (“exp with a hole”)

Context Decomposition Theorem

• If c is not “skipskipskipskip” then there exist unique H and r such that c is H[r]– “Exist” means progress

– “Unique” means determinism

8

• skip

• skip; x := 0

9

Redex or Not?Decomposition? Reduction?

• if true then x := -x else skip

• if 5 ≤ 0 then x := -x else skip

10


• if x ≤ 0 then x := -x else skip

• while true do x := x + 1

11


• while x ≤ n do x := x + 1

12


3

Summary:Contextual Operational Semantics

• Can view • as representing the program counter• The advancement rules for • are non-trivial

– At each step the entire command is decomposed– This makes contextual semantics inefficient to

implement directly

• The major advantage of contextual semantics: allows a mix of local and global reduction rules– For IMP we have only local reduction rules: only the

redex is reduced– Sometimes it is useful to work on the context too

13

End of Review

Today’s Plan

• Why Bother?

• Mathematical Induction

• Well-Founded Induction

• Structural Induction– “By induction on the structure of the derivation D”

15

One-Slide Summary

• Mathematical induction is a proof technique: If you can prove P(0) and you can prove that P(n) implies P(n+1), then you can conclude that for all natural numbers n, P(n) holds.

• Induction works because the natural numbers are well-founded: there are no infinite descending chainsn > n-1 > n-2 > ... > ... .

• Structural induction is induction on a formal structure, like an AST. The base cases use the leaves, the inductive steps use the inner nodes.

• Induction on a derivation is structural induction applied to a derivation D (e.g., D :: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’).

16

Why Bother?

• I must convince you op. sem. proof techniques are useful.

• Recall class goals:• Understand PL research techniques and

• Apply them to your research

17

Classic Example (Schema)

• “A well-typed program cannot go wrong.” – Robin Milner

• When you design a new type system, you must show that it is safe (= that the type system is sound with respect to the operational semantics).

• A Syntactic Approach to Type Soundness. Andrew K. Wright, Matthias Felleisen, 1992.– Preservation: “if you have a well-typed program and apply an

op. sem. rule, the result is well-typed.”

– Progress: “a well-typed program will never get stuck in a state with no applicable op. sem. rules”

• Done for real languages: SML, SPARK ADA, Java– plus basically every toy PL research language ever

18

4

Instances

• CCured Project (Berkeley) – A program that is instrumented with CCured run-time checks (=

“adheres to the CCured type system”) will not segfault (= “the x86 op. sem. rules will never get stuck”).

• Vault Language (Microsoft Research) – A well-typed Vault program does not leak any tracked resources and

invokes tracked APIs correctly (e.g., handles IRQL correctly in asynchronous Windows device drivers, cf. Capability Calculus)

• RC – Reference-Counted Regions For C (Intel Research) – A well-typed RC program gains the speed and convenience of region-

based memory management but need never worry about freeing a region too early (run-time checks).

• Typed Assembly Language (Cornell) – Reasonable C programs (e.g., device drivers) can be translated to

TALx86. Well-typed TALx86 programs are type- and memory-safe.

19

Induction!

• Probably most important technique for studying the formal semantics of PLs– To perform or understand PL research, you must grok this!

• Mathematical Induction (simple)

• Well-Founded Induction (general)

• Structural Induction (widely used in PL)

20

Mathematical Induction

• Goal: prove ∀n ∈ N. P(n)

• Base Case: prove P(0)

• Inductive Step:– Prove ∀ n. P(n) ⇒ P(n+1)

– “Pick arbitrary n, assume P(n), prove P(n+1)”

• Why does induction work? 21

Why does it work?

• There are no infinite descending chainsof natural numbers

• For any n, P(n) can be obtained by starting from the base case and applying n instances of the inductive step

22

Example (With IMP Eval. Semantics)

• Prove that if σ(x) ≤ 6 then<while x ≤ 5 do x := x + 1, σ> ⇓ σ[x := 6]

• Reformulate the claim:– Let W = while x ≤ 5 do x := x + 1

– Let σi = σ[x:= 6 - i]– Claim: ∀∀∀∀∀∀∀∀ii∈∈∈∈∈∈∈∈NNNNNNNN. <W, σi> ⇓ σ0

• Now looks provable by mathematical induction on i

23

Most often, the hard part!

Evaluation Example (Base Case)

• Base case: i = 0 or <W, σ0> ⇓ σ0

– To prove an evaluation judgment, construct a derivation tree:

24

σ0(x) = 6

<x, σ0> ⇓ 6 <6 ≤ 5, σ0> ⇓ false

<x ≤ 5, σ0> ⇓ false

<while x ≤ 5 do x := x + 1, σ0> ⇓ σ0

iσi = σ[x:= 6 - i]

5

Evaluation Example (Inductive Case)

• Must prove ∀i ∈N. <W, σi> ⇓ σ0 ⇒ <W, σi+1> ⇓ σ0

– Pick an arbitrary i ∈ N

– Assume that <W, σi> ⇓ σ0

– Now prove that <W, σi+1> ⇓ σ0

– Must construct a derivation tree:

25iσi = σ[x:= 6 - i]

<x, σi+1> ⇓ 5 - i 5 - i ≤ 5

<x ≤ 5, σi+1> ⇓ true

<while x ≤ 5 do x := x + 1, σi+1> ⇓ σ0

<x:=x+1, σi+1> ⇓ σi <W, σi> ⇓ σ0

<x + 1, σi+1> ⇓ 6 - i

Well-Founded Induction

• A relation ≺ ⊆ A × A is well-founded if there are no infinite descending chains in A– Example: <1 = { (x, x +1) | x ∈ N }

• aka the predecessor relation

– Example: < = { (x, y) | x, y ∈ N and x < y }

• Well-founded induction:– To prove ∀x ∈ A. P(x) it is enough to prove ∀x ∈ A. (∀y ≺ x ⇒ P(y)) ⇒ P(x)

• If ≺ is <1 then we obtain mathematical induction as a special case

26

Well-Founded Induction: Examples

• Consider p ⊆ Z × Z with x p y iff(y < 0 Æ y = x - 1) Ç (y > 0 Æ y = x + 1).– Induction principle:

P(0) ∧ ∀x ≤ 0. P(x) ⇒ P(x - 1) ∧ ∀x ≥ 0. P(x) ⇒ P(x + 1)

• Consider p ⊆ (N × N) × (N × N) and (x1, y1) p (x2, y2) iffx2 = x1 + 1 ∨ (x1 = x2 ∧ y2 = y1 + 1).– Induction principle:

P(0,0) ∧ ∀ x,y,y’. (P(x,y) ⇒ P(x + 1, y’) ∧ P(x, y+ 1))

27

Says what?

This has a common name. Anyone see?

Structural Induction (on Expressions)

• For e ::= n | x | e1 + e2 | e1 * e2

• Define p ⊆ Aexp × Aexp such thate1 p e1 + e2 e2 p e1 + e2

e1 p e1 * e2 e2 p e1 * e2

no other elements of Aexp × Aexp are related by p

• To prove ∀e ∈ Aexp. P(e) – prove ∀n ∈ Z. P(n)

– prove ∀x ∈ L. P(x)

– prove ∀e1, e2 ∈ Aexp. P(e1) ∧ P(e2) ⇒ P(e1 + e2)

– prove ∀e1, e2 ∈ Aexp. P(e1) ∧ P(e2) ⇒ P(e1 * e2)

28

Notes on Structural Induction

• Called structural induction because the proof is guided by the structure of the expression

• One proof case per form of expression– Atomic expressions (with no subexpressions) are all

base cases

– Composite expressions are the inductive cases

• Structural induction is the most useful most useful form of inductionform of induction in the study of PL

29

Example Proof Using Induction on the Structure of Expressions

• LetL(e) be the # of literals and variable occurrences in eO(e) be the # of operators in e

• Prove that ∀e ∈ Aexp. L(e) = O(e) + 1• Proof: By induction on the structure of e.

– Case e = n:

– Case e = x:

30

6


– Case e = e1 + e2:

– Case e = e1 * e2:

31


• LetL(e) be the # of literals and variable occurrences in eO(e) be the # of operators in e

• Prove that ∀e ∈ Aexp. L(e) = O(e) + 1• Proof: By induction on the structure of e.

– Case e = n: L(e) = 1 and O(e) = 0– Case e = x: L(e) = 1 and O(e) = 0– Case e = e1 + e2:

• L(e) = L(e1) + L(e2) and O(e) = O(e1) + O(e2) + 1• By the induction hypothesis,

L(e1) = O(e1) + 1 and L(e2) = O(e2) + 1• Thus, L(e) = O(e1) + O(e2) + 2 = O(e) + 1

– Case e = e1 * e2: Same as the case for + 32

“Try it at home!”

• Most proofs for the Aexp sublanguage of IMP can work by structural induction

• Small-step and big-step semantics obtain equivalent results: ∀e ∈ Aexp. ∀n ∈ Z. e →* n ⇔ e ⇓ n

33

Structural induction on Aexp works Structural induction on Aexp works here because all of the semantics are syntax-directed

“Obvious, right?”

• You are given a concrete state σ.

• You have <x + 1, σ> ⇓ 5

• You also have <x + 1, σ> ⇓ 88

• Is this possible?

34

Let’s make sure

• Prove that IMP is deterministic∀e ∈ Aexp. ∀σ ∈ Σ. ∀n, n’ ∈ Z. <e, σ> ⇓ n ∧ <e, σ> ⇓ n’ ⇒ n = n’

∀b ∈ Bexp. ∀σ ∈ Σ. ∀t, t’ ∈ B. <b, σ> ⇓ t ∧ <b, σ> ⇓ t’ ⇒ t = t’

∀c ∈ Com. ∀σ, σ’,σ’’ ∈ Σ. <c, σ> ⇓ σ’ ∧ <c, σ> ⇓ σ’’ ⇒ σ’ = σ’’

• No immediate way to use mathematical induction

• For commands we cannot use induction on the structure of the command– while’s evaluation does notnot depend only on the evaluation of

its strict subexpressions

35

<while b do c, σ> ⇓ σ’’

<b, σ> ⇓ true <c, σ> ⇓ σ’ <while b do c, σ’> ⇓ σ’’

We need something new!

• Some more powerful form of induction

• With all the bells and whistles!

36

7

Recall Proof Systems

• Operational semantics assigns meanings to programs by listing rules of inference that allow to prove judgments by constructing derivations.

• A derivation is a tree-structured object made up of valid instances of inference rules.

37Find the keyword in the above. Ideas?

Induction on the Structure of DerivationsDerivations

• Key idea: The hypothesis does not just assume a c ∈Com but the existence of a derivation of <c, σσσσ> ⇓⇓⇓⇓ σσσσ’

• Derivation trees are also defined inductively, just like expression trees

• A derivation is built of subderivations:

• Adapt the structural induction principle to work on the structure of derivations

38

<x, σi+1> ⇓ 5 - i 5 - i ≤ 5

<x ≤ 5, σi+1> ⇓ true <x:=x+1; W, σi+1> ⇓ σ0

<while x ≤ 5 do x := x + 1, σi+1> ⇓ σ0

<x:=x+1, σi+1> ⇓ σi <W, σi> ⇓ σ0

<x + 1, σi+1> ⇓ 6 - i

Induction on the Structure of Derivations

• To prove that for all derivations D of a judgment, property P holds

• For each derivation rule of the form

• Assume P holds for derivations of Hi (i = 1..n) • Prove the the property holds for the

derivation obtained from the derivations of Hi using the given rule

39

C

H1 … Hn

Notation: Naming Derivations

• Write

D :: Judgment

to mean “D is the derivation that proves Judgment”

• Example:

D :: <e1 + e2, σ> ⇓ n1 + n2

40

Proving Com Evaluation is Deterministic

• Note: recall that meta-variables are universally-quantified (i.e., the above is for all c ∈ Com, σ, σ’,σ’’ ∈ Σ, derivations D and D’.

• Start by picking each to be arbitrary.

ProofProof: By induction on the structure of derivation D.

41

If D:: <c, > ’ and D’:: <c, > ’’, then ’ = ’’.If D:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’ and D’:: <c, σσσσ> ⇓⇓⇓⇓ σσσσ’’, then σσσσ’ = σσσσ’’.


• Case

– This means that c = skip and σ’ = σ.– By inversion, D’:: <c, σ> ⇓ σ’’ uses the rule for skip.– Thus, σ’’ = σ.

42


<skip, σ> ⇓ σD :: last rule used in D was

the one for skip

This is a base case in the induction.

8


• Case

– By inversion, D’ :: <c, σ> ⇓ σ’’ uses the rule for sequencing and has subderivationsD’1 :: <c1, σ> ⇓ σ’’1 and D’2 :: <c2, σ’’1> ⇓ σ’’

– By induction hypothesis on D1 (with D’1): σ1 = σ’’1– By induction hypothesis on D2 (with D’2): σ’ = σ’’

43


<c1; c2, σ> ⇓ σ’D ::

D1 :: <c1, σ> ⇓ σ1 D2 :: <c2, σ1> ⇓ σ’

This is a simple inductive case.


• Case

44


<while b do c, σ> ⇓ σ’D ::

D0 :: <b, σ> ⇓ true D1 :: <c, σ> ⇓ σ1 D2 :: <while b do c, σ1> ⇓ σ’

Name this command W


• Case

– By inversion and determinism of Bexp evaluation, D’ uses the rule for “while true” withsubderivationsD’1 :: <c, σ> ⇓ σ’’1 and D’2 :: <W, σ’’1> ⇓ σ’’

– By induction hypothesis on D1 (with D’1): σ1 = σ’’1– By induction hypothesis on D2 (with D’2): σ’ = σ’’

45


<while b do c, σ> ⇓ σ’D ::

D0 :: <b, σ> ⇓ true D1 :: <c, σ> ⇓ σ1 D2 :: <while b do c, σ1> ⇓ σ’

Name this command W


• Case

46


<if b do c1 else c2, σ> ⇓ σ’D ::

D1 :: <b, σ> ⇓ true D2 :: <c1, σ> ⇓ σ’

Try to do this on a piece of paper. In a moment, we’ll have some lucky winners come on down!

Summary: Induction on Derivations

• If you must prove ∀x ∈ A. P(x) ⇒ Q(x) – with A inductively defined and P(x) rule-defined

– we pick arbitrary x ∈ A and D :: P(x)

– we could do induction on both facts• x ∈ A leads to induction on the structure of x

• D :: P(x) leads to induction on the structure of D

– Generally, the induction on the structure of the derivation is more powerful and a safer bet

• Sometimes there are many choices for induction– choosing the right one is a trial-and-error process

– a bit of practice can help a lot 47

Summary: Operational Semantics

• Precise specification of dynamic semantics– order of evaluation (or that it doesn’t matter) – error conditions (sometimes implicitly, by rule

applicability: “no applicable rule” = “get stuck”) • Simple and abstract (vs. implementations)

– no low-level details such as stack and memory management, data layout, etc.

• Often not compositional (see while) • Basis for many proofs about a language

– Especially when combined with type systems!• Basis for much reasoning about programs• Point of reference for other semantics

48

Documents

Proof Techniques for Operational Semanticsbec/courses/csci5535-s09/...1 Proof Techniques for Operational Semantics Meeting 6, CSCI 5535, Spring 2009 Announcements • Homework 0 is