ImpCEvalFunAn Evaluation Function for Imp

We saw in the Imp chapter how a naive approach to defining a function representing evaluation for Imp runs into difficulties. There, we adopted the solution of changing from a functional to a relational definition of evaluation. In this optional chapter, we consider strategies for getting the functional approach to work.

A Broken Evaluator

From Coq Require Import Lia.
From Coq Require Import Arith.Arith.
From Coq Require Import Arith.PeanoNat.
Import Nat.
From Coq Require Import Arith.EqNat.
From LF Require Import Imp Maps.

Here was our first try at an evaluation function for commands, omitting while.

Fixpoint ceval_step1 (st : state) (c : com) : state :=
  match c with
    | <{ skip }> ⇒
        st
    | <{ l := a₁ }> ⇒
        (l !-> aeval st a₁ ; st)
    | <{ c₁ ; c₂ }> ⇒
        let st' := ceval_step1 st c₁ in
        ceval_step1 st' c₂
    | <{ if b then c₁ else c₂ end }> ⇒
        if (beval st b)
          then ceval_step1 st c₁
          else ceval_step1 st c₂
    | <{ while b₁ do c₁ end }> ⇒
        st (* bogus *)
  end.

As we remarked in chapter Imp, in a traditional functional programming language like ML or Haskell we could write the while case as follows:

    | while b₁ do c₁ end =>
        if (beval st b₁) then
          ceval_step1 st <{ c₁; while b₁ do c₁ end }>
        else st

Coq doesn't accept such a definition (Error: Cannot guess decreasing argument of fix) because the function we want to define is not guaranteed to terminate. Indeed, the changed ceval_step1 function applied to the loop program from Imp.v would never terminate. Since Coq is not just a functional programming language, but also a consistent logic, any potentially non-terminating function needs to be rejected. Here is an invalid(!) Coq program showing what would go wrong if Coq allowed non-terminating recursive functions:

     Fixpoint loop_false (n : nat) : False := loop_false n.

That is, propositions like False would become provable (e.g., loop_false 0 would be a proof of False), which would be a disaster for Coq's logical consistency.

Thus, because it doesn't terminate on all inputs, the full version of ceval_step1 cannot be written in Coq -- at least not without one additional trick...

A Step-Indexed Evaluator

The trick we need is to pass an additional parameter to the evaluation function that tells it how long to run. Informally, we start the evaluator with a certain amount of "gas" in its tank, and we allow it to run until either it terminates in the usual way or it runs out of gas, at which point we simply stop evaluating and say that the final result is the empty memory. (We could also say that the result is the current state at the point where the evaluator runs out of gas -- it doesn't really matter because the result is going to be wrong in either case!)

Fixpoint ceval_step2 (st : state) (c : com) (i : nat) : state :=
  match i with
  | O ⇒ empty_st
  | S i' ⇒
    match c with
      | <{ skip }> ⇒
          st
      | <{ l := a₁ }> ⇒
          (l !-> aeval st a₁ ; st)
      | <{ c₁ ; c₂ }> ⇒
          let st' := ceval_step2 st c₁ i' in
          ceval_step2 st' c₂ i'
      | <{ if b then c₁ else c₂ end }> ⇒
          if (beval st b)
            then ceval_step2 st c₁ i'
            else ceval_step2 st c₂ i'
      | <{ while b₁ do c₁ end }> ⇒
          if (beval st b₁)
          then let st' := ceval_step2 st c₁ i' in
               ceval_step2 st' c i'
          else st
    end
  end.

Note: It is tempting to think that the index i here is counting the "number of steps of evaluation." But if you look closely you'll see that this is not the case: for example, in the rule for sequencing, the same i is passed to both recursive calls. Understanding the exact way that i is treated will be important in the proof of ceval__ceval_step, which is given as an exercise below.

One thing that is not so nice about this evaluator is that we can't tell, from its result, whether it stopped because the program terminated normally or because it ran out of gas. Our next version returns an option state instead of just a state, so that we can distinguish between normal and abnormal termination.

Fixpoint ceval_step3 (st : state) (c : com) (i : nat)
                    : option state :=
  match i with
  | O ⇒ None
  | S i' ⇒
    match c with
      | <{ skip }> ⇒
          Some st
      | <{ l := a₁ }> ⇒
          Some (l !-> aeval st a₁ ; st)
      | <{ c₁ ; c₂ }> ⇒
          match (ceval_step3 st c₁ i') with
          | Some st' ⇒ ceval_step3 st' c₂ i'
          | None ⇒ None
          end
      | <{ if b then c₁ else c₂ end }> ⇒
          if (beval st b)
            then ceval_step3 st c₁ i'
            else ceval_step3 st c₂ i'
      | <{ while b₁ do c₁ end }> ⇒
          if (beval st b₁)
          then match (ceval_step3 st c₁ i') with
               | Some st' ⇒ ceval_step3 st' c i'
               | None ⇒ None
               end
          else Some st
    end
  end.

We can improve the readability of this version by introducing a bit of auxiliary notation to hide the plumbing involved in repeatedly matching against optional states.

Notation "'LETOPT' x <== e₁ 'IN' e₂"
   := (match e₁ with
         | Some x ⇒ e₂
         | None ⇒ None
       end)
   (right associativity, at level 60).

Fixpoint ceval_step (st : state) (c : com) (i : nat)
                    : option state :=
  match i with
  | O ⇒ None
  | S i' ⇒
    match c with
      | <{ skip }> ⇒
          Some st
      | <{ l := a₁ }> ⇒
          Some (l !-> aeval st a₁ ; st)
      | <{ c₁ ; c₂ }> ⇒
          LETOPT st' <== ceval_step st c₁ i' IN
          ceval_step st' c₂ i'
      | <{ if b then c₁ else c₂ end }> ⇒
          if (beval st b)
            then ceval_step st c₁ i'
            else ceval_step st c₂ i'
      | <{ while b₁ do c₁ end }> ⇒
          if (beval st b₁)
          then LETOPT st' <== ceval_step st c₁ i' IN
               ceval_step st' c i'
          else Some st
    end
  end.

Definition test_ceval (st:state) (c:com) :=
  match ceval_step st c 500 with
  | None ⇒ None
  | Some st ⇒ Some (st X , st Y , st Z )
  end.

Example example_test_ceval :
     test_ceval empty_st

     <{ X := 2;
        if (X ≤ 1)
        then Y := 3
        else Z := 4
        end }>

     = Some (2, 0, 4).
Proof. reflexivity. Qed.

Exercise: 2 stars, standard, especially useful (pup_to_n)

Write an Imp program that sums the numbers from 1 to X (inclusive: 1 + 2 + ... + X) in the variable Y. Make sure your solution satisfies the test that follows.

Definition pup_to_n : com
(* REPLACE THIS LINE WITH ":= _your_definition_ ." *). Admitted.

Example pup_to_n_1 :
test_ceval (X !-> 5) pup_to_n
= Some (0, 15, 0).
(* FILL IN HERE *) Admitted.
(*
Proof. reflexivity. Qed.
*)
☐

Exercise: 2 stars, standard, optional (peven)

Write an Imp program that sets Z to 0 if X is even and sets Z to 1 otherwise. Use test_ceval to test your program.

(* FILL IN HERE *)
☐

Relational vs. Step-Indexed Evaluation

As for arithmetic and boolean expressions, we'd hope that the two alternative definitions of evaluation would actually amount to the same thing in the end. This section shows that this is the case.

Theorem ceval_step__ceval: ∀ c st st',
(∃ i , ceval_step st c i = Some st') →
st =[ c ]=> st'.

Proof.
  intros c st st' H.
  inversion H as [i E].
  clear H.
  generalize dependent st'.
  generalize dependent st.
  generalize dependent c.
  induction i as [| i' ].

- (* i = 0 -- contradictory *)
intros c st st' H. discriminate H.

  - (* i = S i' *)
    intros c st st' H.
    destruct c;
           simpl in H; inversion H; subst; clear H.
      + (* skip *) apply E_Skip.
      + (* := *) apply E_Ass. reflexivity.

      + (* ; *)
        destruct (ceval_step st c₁ i') eqn:Heqr1.
        × (* Evaluation of r₁ terminates normally *)
          apply E_Seq with s.
            apply IHi'. rewrite Heqr1. reflexivity.
            apply IHi'. simpl in H₁. assumption.
        × (* Otherwise -- contradiction *)
          discriminate H₁.

      + (* if *)
        destruct (beval st b) eqn:Heqr.
        × (* r = true *)
          apply E_IfTrue. rewrite Heqr. reflexivity.
          apply IHi'. assumption.
        × (* r = false *)
          apply E_IfFalse. rewrite Heqr. reflexivity.
          apply IHi'. assumption.

      + (* while *) destruct (beval st b) eqn :Heqr.
        × (* r = true *)
         destruct (ceval_step st c i') eqn:Heqr1.
         { (* r₁ = Some s *)
           apply E_WhileTrue with s. rewrite Heqr.
           reflexivity.
           apply IHi'. rewrite Heqr1. reflexivity.
           apply IHi'. simpl in H₁. assumption. }
         { (* r₁ = None *) discriminate H₁. }
        × (* r = false *)
          injection H₁ as H₂. rewrite <- H₂.
          apply E_WhileFalse. apply Heqr. Qed.

Exercise: 4 stars, standard (ceval_step__ceval_inf)

Write an informal proof of ceval_step__ceval, following the usual template. (The template for case analysis on an inductively defined value should look the same as for induction, except that there is no induction hypothesis.) Make your proof communicate the main ideas to a human reader; do not simply transcribe the steps of the formal proof.

(* FILL IN HERE *)

(* Do not modify the following line: *)
Definition manual_grade_for_ceval_step__ceval_inf : option (nat ×string) := None.
☐

Theorem ceval_step_more: ∀ i₁ i₂ st st' c,
  i₁ ≤ i₂ →
  ceval_step st c i₁ = Some st' →
  ceval_step st c i₂ = Some st'.
Proof.
induction i₁ as [|i₁']; intros i₂ st st' c Hle Hceval.
  - (* i₁ = 0 *)
    simpl in Hceval. discriminate Hceval.
  - (* i₁ = S i₁' *)
    destruct i₂ as [|i₂']. inversion Hle.
    assert (Hle': i₁' ≤ i₂') by lia.
    destruct c.
    + (* skip *)
      simpl in Hceval. inversion Hceval.
      reflexivity.
    + (* := *)
      simpl in Hceval. inversion Hceval.
      reflexivity.
    + (* ; *)
      simpl in Hceval. simpl.
      destruct (ceval_step st c₁ i₁') eqn:Heqst1'o.
      × (* st₁'o = Some *)
        apply (IHi1' i₂') in Heqst1'o; try assumption.
        rewrite Heqst1'o. simpl. simpl in Hceval.
        apply (IHi1' i₂') in Hceval; try assumption.
      × (* st₁'o = None *)
        discriminate Hceval.

    + (* if *)
      simpl in Hceval. simpl.
      destruct (beval st b); apply (IHi1' i₂') in Hceval;
        assumption.

    + (* while *)
      simpl in Hceval. simpl.
      destruct (beval st b); try assumption.
      destruct (ceval_step st c i₁') eqn: Heqst1'o.
      × (* st₁'o = Some *)
        apply (IHi1' i₂') in Heqst1'o; try assumption.
        rewrite → Heqst1'o. simpl. simpl in Hceval.
        apply (IHi1' i₂') in Hceval; try assumption.
      × (* i₁'o = None *)
        simpl in Hceval. discriminate Hceval. Qed.

Exercise: 3 stars, standard, especially useful (ceval__ceval_step)

Finish the following proof. You'll need ceval_step_more in a few places, as well as some basic facts about ≤ and plus.

Theorem ceval__ceval_step: ∀ c st st',
      st =[ c ]=> st' →
      ∃ i , ceval_step st c i = Some st'.
Proof.
  intros c st st' Hce.
  induction Hce.
  (* FILL IN HERE *) Admitted.
☐

Theorem ceval_and_ceval_step_coincide: ∀ c st st',
      st =[ c ]=> st'
  ↔ ∃ i , ceval_step st c i = Some st'.
Proof.
  intros c st st'.
  split. apply ceval__ceval_step. apply ceval_step__ceval.
Qed.

Determinism of Evaluation Again

Using the fact that the relational and step-indexed definition of evaluation are the same, we can give a slicker proof that the evaluation relation is deterministic.

Theorem ceval_deterministic' : ∀ c st st₁ st₂,
     st =[ c ]=> st₁ →
     st =[ c ]=> st₂ →
     st₁ = st₂.

Proof.
  intros c st st₁ st₂ He₁ He₂.
  apply ceval__ceval_step in He₁.
  apply ceval__ceval_step in He₂.
  inversion He₁ as [i₁ E₁].
  inversion He₂ as [i₂ E₂].
  apply ceval_step_more with (i₂ := i₁ + i₂) in E₁.
  apply ceval_step_more with (i₂ := i₁ + i₂) in E₂.
  rewrite E₁ in E₂. inversion E₂. reflexivity.
  lia. lia. Qed.

(* 2021-03-18 17:23 *)