Lecture notes 20210329 Small Step Semantics 2

Remark. Some material in this lecture is from << Software Foundation >> volume 1 and volume 2.

Require Import Coq.micromega.Psatz.
Require Import PL.Imp.
Require Import PL.ImpExt.
Require Import PL.RTClosure.

Import Assertion_D.
Import Abstract_Pretty_Printing.
Local Open Scope imp.

Review: Small Step

We learnt to describe program behavior via steps last time. Specifically, we defined a "small-step" relation between pairs of residue programs and program states: cstep (c₁, st₁) (c₂, st₂).

Simulation for Program Equivalence

Associativity of Sequential Composition

We have defined program equivalence via denotational semantics weeks ago. We will consider a new approach based on small step semantics. Specifically, we can surely say two programs c₁ and c₂ have the same behavior if their execution processes are step-wise corresponding to each other.

For example, we know that c₁ ;; (c₂ ;; c₃) and (c₁ ;; c₂);; c₃ have the same behavior for any c₁, c₂ and c₃, not only in the sense that they have the same pairs of initial states and ending states, but also in the sense that each one of them can simulate the other's execution step by step.

Here is a brief illustration:

      ( c₁  ;; (c₂ ;; c₃), st₁  )        ( (c₁  ;; c₂) ;; c₃, st₁  )
                   |                                  |
                   |                                  |
                   v                                  v
      ( c₁' ;; (c₂ ;; c₃), st₁' )        ( (c₁' ;; c₂) ;; c₃, st₁' )
                   |                                  |
                 [...]                              [...]
                   |                                  |
                   v                                  v
      ( Skip ;; (c₂ ;; c₃), st₂ )        ( (Skip ;; c₂) ;; c₃, st₂ )
                   |                                  |
                   |                                  |
                   v                                  v
                   ------> ( c₂  ;; c₃, st₂  ) <-------
                                    |
                                    |
                                    v
                           ( c₂' ;; c₃, st₂' )
                                    |
                                   ...
                                    |
                                    v
                           ( Skip ;; c₃, st₃ )
                                    |
                                    |
                                    v
                              ( c₃  , st₃  )
                                    |
                                    |
                                    v
                              ( c₃' , st₃' )
                                    |
                                   ...
                                    |
                                    v
                              ( Skip, st₄ )

We can formally define this correspondence.

Module SeqAssoc.

Inductive match_com: com -> com -> Prop :=
| MatSeqAssoc: ∀c₁ c₂ c₃,
match_com (c₁ ;; (c₂ ;; c₃)) ((c₁ ;; c₂);; c₃)
| MatRefl: ∀c,
match_com c c.

And we can proof the simulation between such two programs. Here, simulation mean: whenever one side takes a step, the other side can take a corresponding step.

                              step
                 A          -------->         B

                 |                            .
          match  |                            . match
                 |                            .
                 v                            v

                 A'         - - - - >         B' (∃)
                              step

Lemma L_simulate_R: ∀c₁ c₁' c₂' st₁ st₂,
  match_com c₁ c₁' ->
  cstep (c₁', st₁) (c₂', st₂) ->
  ∃c₂,
  match_com c₂ c₂' ∧ cstep (c₁, st₁) (c₂, st₂).

The proof is straightforward. We can prove it by a case analysis over

match_com c₁ c₂.

Case 1: MatRefl case, i.e. c₁ = c₂. The conclusion is obviously true.

Case 2: MatSeqAssoc case, i.e. c₁ = c1_1 ;; (c1_2 ;; c1_3)

Case 2-1: cstep (c1_1, st₁) (c2_1, st₂). New simulation is still based on MatSeqAssoc.

Case 2-1: c1_1 = CSkip. New simulation is based MatRefl.

Proof.
  intros.
  inversion H as [c1_1 c1_2 c1_3 |]; subst.
  2: { ∃c₂'; split; [constructor | exact H₀]. }
  inversion H₀; subst.
  inversion H₂ as [| | ? ? c2_1 | | | | |]; subst; clear H₀ H₂.
  + ∃(c2_1 ;; (c1_2 ;; c1_3)).
    split.
    - apply MatSeqAssoc.
    - constructor.
      apply H₁.
  + rename c₁' into c1_2.
    ∃(c1_2 ;; c1_3).
    split.
    - apply MatRefl.
    - constructor.
Qed.

The other direction is simular.

Lemma R_simulate_L: ∀c₁ c₂ c₁' st st',
  match_com c₁ c₂ ->
  cstep (c₁, st) (c₁', st') ->
  ∃c₂',
  match_com c₁' c₂' ∧ cstep (c₂, st) (c₂', st').

Proof.
  intros.
  inversion H; subst.
  2: { ∃c₁'; split; [constructor | exact H₀]. }
  inversion H₀; subst.
  + ∃((c₁'0 ;; c₃) ;; c₄).
    split.
    - apply MatSeqAssoc.
    - constructor.
      constructor.
      apply H₂.
  + ∃(c₃ ;; c₄).
    split.
    - apply MatRefl.
    - constructor.
      constructor.
Qed.

End SeqAssoc.

Removing Skips On the Left

We know that Skip does nothing and can be removed. We proved that c, c;; Skip and Skip;; c behave the same based on denotational semantics. Today, we first define a function to remove all Skip on the left side of sequential composition.

Example remove_skip_example_1:
remove_skip (Skip ;; (Skip ;; While BTrue Do Skip EndWhile)) =
While BTrue Do Skip EndWhile.
Proof. reflexivity. Qed.

Example remove_skip_example_2:
remove_skip ((Skip ;; Skip) ;; While BTrue Do Skip EndWhile) =
While BTrue Do Skip EndWhile.
Proof. reflexivity. Qed.

Example remove_skip_example_3: ∀(X: var),
remove_skip (Skip ;; X ::= 0 ;; Skip) =
(X ::= 0 ;; Skip).
Proof. intros. reflexivity. Qed.

It is easy to prove that c and remove_skip c always have the same denotation. But we can prove stronger claims based on small step semantics. That is, the steps of executing c will be simulated by the steps of executing remove_skip c, though some redundant skip-step can be removed. This conclusion can be formally stated as follows.

Definition cstep_or_not (X Y: com * state): Prop :=
X = Y ∨ cstep X Y.

Definition SimulationStatement_01 (match_com: com -> com -> Prop): Prop :=
  ∀c₁ c₂ c₁' st st',
  match_com c₁ c₂ ->
  cstep (c₁, st) (c₁', st') ->
  ∃c₂',
    match_com c₁' c₂' ∧ cstep_or_not (c₂, st) (c₂', st').

Let's start with an naive definition of match_com.

Module RemoveSkip_First_Attempt.

Definition match_com (c₁ c₂: com): Prop := c₂ = remove_skip c₁.

The following statement says: when c takes one step, remove_skip c will take zero step or one corresponding step.

Lemma R_simulate_L: ∀c₁ c₂ c₁' st st',
  match_com c₁ c₂ ->
  cstep (c₁, st) (c₁', st') ->
  ∃c₂',
    match_com c₁' c₂' ∧
    ((c₂, st) = (c₂', st') ∨ cstep (c₂, st) (c₂', st')).

Unfortunately, this statement is not true! Consider the execution of

X ::= 1;; Y ::= 0.

According to small step semantics, it takes three steps.

       X ::= 1;; Y ::= 0 -->
       Skip;; Y ::= 0 -->
       Y ::= 0 -->
       Skip

But remove_skip (Skip;; Y ::= 0) = (Y ::= 0). Thus, the first step above does not have a correspondence when the remove_skip transformation is taken. You can find where a Coq proof attempt will fail in the following scripts.

Proof.
  intros.
  unfold match_com in *.
  subst c₂.
  ∃(remove_skip c₁').
  split; [reflexivity |].
  induction_cstep H₀; simpl; intros.
  + simpl.
    right.
    constructor; tauto.
  + simpl.
    right.
    constructor; tauto.
  +
Abort.

End RemoveSkip_First_Attempt.

Module RemoveSkip.

In order to establish a simulation relation for remove_skip, we define a weaker version of match_com. The main idea is to reserve some left-side skips.

Fixpoint match_com (c₁ c₂: com): Prop :=
  match c₁ with
  | c1_1 ;; c1_2 ⇒
      remove_skip c1_1 = CSkip ∧ c₂ = remove_skip c1_2 ∨
      ∃c2_1, match_com c1_1 c2_1 ∧ c₂ = (c2_1 ;; remove_skip c1_2)
  | CIf b c1_1 c1_2 ⇒
      ∃c2_1, match_com c1_1 c2_1 ∧ c₂ = CIf b c2_1 (remove_skip c1_2)
  | _ ⇒
      c₂ = remove_skip c₁
  end.

For example, consider X ::= 1;; (Skip;; Y ::= 2), which will be transfered to X ::= 1;; Y ::=2 by remove_skip.

      X ::= 1;; (Skip;; Y ::= 2)               X ::= 1;; Y ::= 2
                   |                                  |
                   |                                  |
                   v                                  v
        Skip;; (Skip;; Y ::= 2)                  Skip;; Y ::= 2
                   |                                 | |
                   |                                 | |  (no step)
                   v                                 | |
            Skip;; Y ::= 2                       Skip;; Y ::= 2
                   |                                  |
                   |                                  |
                   v                                  v
                Y ::= 2                            Y ::= 2
                   |                                  |
                   |                                  |
                   v                                  v
                  Skip                               Skip

This new definition of match_com allows Skip;; (Skip;; Y ::= 2) to match Skip;; Y ::= 2, but not only restricted to Y ::= 2.

Here we prove this match_com relation is indeed a weaker one comparing to remove_skip.

Lemma match_com_remove_skip: ∀c, match_com c (remove_skip c).
Proof.
  intros.
  induction c; simpl; try tauto.
  + destruct (remove_skip c₁); try eauto.
  + eauto.
Qed.

Our proof strategy for simulation (defined as follows)

         ∀c₁ c₂ c₁' st st',
           match_com c₁ c₂ ->
           cstep (c₁, st) (c₁', st') ->
           ∃c₂',
             match_com c₁' c₂' ∧
             cstep_or_not (c₂, st) (c₂', st')

is based on an induction over its assumption

cstep (c₁, st) (c₁', st').

Corresponding to cstep's definition, our inductive proof includes 8 cases. For example, the proof step for the CS_AssStep case is to prove:

         astep st a a' ->
         match_com (CAss X a) c₂ ->
         ∃c₂',
           match_com (CAss X a') c₂' ∧
           cstep_or_not (c₂, st) (c₂', st)

which will be proved later (Lemma R_simulate_L_CS_AssStep).

Among all 8 cases, the most intersting case is the CS_SeqStep case, and we need two auxiliary lemmas for establishing the proof.

The following lemma remove_skip_skip_step says, if c₁ can be transformed to Skip by remove_skip (i.e. it is a sequential composition of many skips), then taking one step from c₁ results in another command c₂ s.t. remove_skip c₂ = Skip as well. The main proof idea is to apply an induction over c₁'s structure.

Lemma remove_skip_skip_step: ∀c₁ c₂ st₁ st₂,
  remove_skip c₁ = CSkip ->
  cstep (c₁, st₁) (c₂, st₂) ->
  st₁ = st₂ ∧ remove_skip c₂ = CSkip.

Proof.
  intros.
  revert st₁ c₂ st₂ H₀.
  induction c₁; try solve [inversion H]; intros.
  + inversion H₀.
  + simpl in H.
    destruct (remove_skip c1_1) eqn:?H; try solve [inversion H].
    specialize (IHc1_1 eq_refl).
    inversion H₀; subst.
    - specialize (IHc1_1 _ _ _ H₃).
      destruct IHc1_1.
      split; [auto | simpl].
      rewrite H₄, H.
      reflexivity.
    - auto.
Qed.

The following lemma says, if one or zero step takes (c₁, st) to (c₁', st') , then one or zero step can also take (c₁;; c₂, st) to (c₁';;c₂, st') . Its proof is straightforward.

Lemma cstep_or_not_congr_CSeq: ∀c₁ st c₁' st' c₂,
cstep_or_not (c₁, st) (c₁', st') ->
cstep_or_not (c₁;; c₂, st) (c₁';; c₂, st').

Proof.
  intros.
  destruct H; [left | right].
  + injection H as ? ?; subst; reflexivity.
  + apply CS_SeqStep, H.
Qed.

The following lemma states the induction step of CS_SeqStep. Since

match_com (c1_1;; c1_2) c₂,

either c₂ has a form of c2_1 ;; c2_2 s.t.

match_com c1_1 c2_1;
remove_skip c1_2 = c2_2;

or c₂ = remove_skip c1_2 and remove_skip c1_1 = CSkip. We prove the following lemma by such a case analysis.

Lemma R_simulate_L_CS_SeqStep: ∀c1_1 c1_2 st c1_1' st' c₂
  (IH:
     ∀c2_1,
       match_com c1_1 c2_1 ->
       ∃c2_1',
         match_com c1_1' c2_1' ∧
         cstep_or_not (c2_1, st) (c2_1', st')),
  cstep (c1_1, st) (c1_1', st') ->
  match_com (c1_1;; c1_2) c₂ ->
  ∃c₂',
    match_com (c1_1';; c1_2) c₂' ∧
    cstep_or_not (c₂, st) (c₂', st').
Proof.
  intros.
  simpl.
  simpl in H₀.
  destruct H₀ as [[? ?] | [c2_1 [? ?]]].
  + pose proof remove_skip_skip_step _ _ _ _ H₀ H as [? ?].
    subst st'.
    ∃c₂.
    split; [| left; reflexivity].
    subst c₂; simpl; rewrite H₃.
    auto.
  + specialize (IH _ H₀) as [c2_1' [? ?]].
    ∃(c2_1' ;; remove_skip c1_2).
    split; [right; eauto |].
    subst c₂.
    apply cstep_or_not_congr_CSeq, H₃.
Qed.

The following lemma proves the CS_Seq case. Its assumption

match_com (CSkip;; c1_2) c₂

also means two possibilities:

c₂ = CSkip;; remove_skip c1_2;
c₂ = remove_skip c1_2.

Lemma R_simulate_L_CS_Seq: ∀c1_2 c₂ st,
  match_com (CSkip;; c1_2) c₂ ->
  ∃c₂',
    match_com c1_2 c₂' ∧
    cstep_or_not (c₂, st) (c₂', st).
Proof.
  intros.
  destruct H as [[? ?] | [c2_1 [? ?]]].
  + clear H.
    subst c₂.
    ∃(remove_skip c1_2).
    split; [apply match_com_remove_skip | left; reflexivity].
  + inversion H; subst.
    clear H.
    simpl (remove_skip Skip).
    ∃(remove_skip c1_2).
    split; [apply match_com_remove_skip |].
    right; apply CS_Seq.
Qed.

We then list other proof steps for building R_simulate_L.

Lemma R_simulate_L_CS_AssStep: ∀X a a' c₂ st,
  astep st a a' ->
  match_com (CAss X a) c₂ ->
  ∃c₂',
    match_com (CAss X a') c₂' ∧
    cstep_or_not (c₂, st) (c₂', st).

Proof.
  intros.
  inversion H₀; subst; clear H₀.
  ∃(X ::= a').
  split; [constructor |].
  right; constructor; tauto.
Qed.

Lemma R_simulate_L_CS_Ass: ∀X n c₂ st₁ st₂,
  st₂ X = n ->
  (∀Y : var, X ≠ Y -> st₁ Y = st₂ Y) ->
  match_com (CAss X (ANum n)) c₂ ->
  ∃c₂',
    match_com CSkip c₂' ∧
    cstep_or_not (c₂, st₁) (c₂', st₂).

Proof.
  intros.
  inversion H₁; subst; clear H₁.
  ∃CSkip.
  split; [constructor |].
  right; apply CS_Ass; tauto.
Qed.

Lemma R_simulate_L_CS_IfStep: ∀b b' c1_1 c1_2 c₂ st,
  bstep st b b' ->
  match_com (If b Then c1_1 Else c1_2 EndIf) c₂ ->
  ∃c₂',
    match_com (If b' Then c1_1 Else c1_2 EndIf) c₂' ∧
    cstep_or_not (c₂, st) (c₂', st).

Proof.
  intros.
  simpl.
  simpl in H₀.
  destruct H₀ as [c2_1 [? ?]].
  subst c₂.
  ∃(If b' Then c2_1 Else (remove_skip c1_2) EndIf).
  split; [eauto |].
  right; apply CS_IfStep, H.
Qed.

Lemma R_simulate_L_CS_IfTrue: ∀c1_1 c1_2 c₂ st,
  match_com (If BTrue Then c1_1 Else c1_2 EndIf) c₂ ->
  ∃c₂',
    match_com c1_1 c₂' ∧
    cstep_or_not (c₂, st) (c₂', st).

Proof.
  intros.
  simpl.
  simpl in H.
  destruct H as [c2_1 [? ?]].
  subst c₂.
  ∃c2_1.
  split; [exact H |].
  right; apply CS_IfTrue.
Qed.

Lemma R_simulate_L_CS_IfFalse: ∀c1_1 c1_2 c₂ st,
  match_com (If BFalse Then c1_1 Else c1_2 EndIf) c₂ ->
  ∃c₂',
    match_com c1_2 c₂' ∧
    cstep_or_not (c₂, st) (c₂', st).

Proof.
  intros.
  simpl.
  simpl in H.
  destruct H as [c2_1 [? ?]].
  subst c₂.
  ∃(remove_skip c1_2).
  split; [apply match_com_remove_skip |].
  right; apply CS_IfFalse.
Qed.

Lemma R_simulate_L_CS_While: ∀b c1_1 c₂ st,
  match_com (While b Do c1_1 EndWhile) c₂ ->
  ∃c₂',
    match_com (If b Then c1_1;; While b Do c1_1 EndWhile Else Skip EndIf) c₂' ∧
    cstep_or_not (c₂, st) (c₂', st).

Proof.
  intros.
  simpl in H.
  subst c₂.
  ∃(CIf b (remove_skip c1_1;; CWhile b (remove_skip c1_1)) Skip).
  split.
  + ∃(remove_skip c1_1;; CWhile b (remove_skip c1_1)).
    split.
    - right.
      ∃(remove_skip c1_1).
      split; [apply match_com_remove_skip | reflexivity].
    - reflexivity.
  + right.
    apply CS_While.
Qed.

Adding these proof steps together, we can prove the simulation.

Theorem R_simulate_L: SimulationStatement_01 match_com.

       ∀c₁ c₂ c₁' st st',
         match_com c₁ c₂ ->
         cstep (c₁, st) (c₁', st') ->
         ∃c₂',
           match_com c₁' c₂' ∧ cstep_or_not (c₂, st) (c₂', st').

Proof.
  unfold SimulationStatement_01.
  intros.
  revert c₂ H; induction_cstep H₀; intros.
  + eapply R_simulate_L_CS_AssStep; eassumption.
  + eapply R_simulate_L_CS_Ass; eassumption.
  + eapply R_simulate_L_CS_SeqStep; eassumption.
  + eapply R_simulate_L_CS_Seq; eassumption.
  + eapply R_simulate_L_CS_IfStep; eassumption.
  + eapply R_simulate_L_CS_IfTrue; eassumption.
  + eapply R_simulate_L_CS_IfFalse; eassumption.
  + eapply R_simulate_L_CS_While; eassumption.
Qed.

End RemoveSkip.

Properties of Simulation Relations

Simulation relations describes correspondences between single steps. Naturally, we would like to extend such discussion to multi-step relations.

Definition SimulationStatement_1 (match_com: com -> com -> Prop): Prop :=
  ∀c₁ c₂ c₁' st st',
  match_com c₁ c₂ ->
  cstep (c₁, st) (c₁', st') ->
  ∃c₂',
    match_com c₁' c₂' ∧ cstep (c₂, st) (c₂', st').

Lemma multi_cstep_Simulation_1: ∀match_com,
    SimulationStatement_1 match_com ->
    ∀c₁ c₂ c₁' st st',
      match_com c₁ c₂ ->
      multi_cstep (c₁, st) (c₁', st') ->
      ∃c₂',
        match_com c₁' c₂' ∧ multi_cstep (c₂, st) (c₂', st').
Proof.
  intros.
  revert c₂ H₀; induction_1n H₁; intros.
  + ∃c₂.
    split; [exact H₀ | reflexivity].
  + pose proof H _ _ _ _ _ H₂ H₀.
    destruct H₃ as [c' [? ?]].
    specialize (IHrt c' H₃).
    destruct IHrt as [c₂' [? ?]].
    ∃c₂'.
    split; [exact H₅ |].
    etransitivity_1n; [exact H₄ | exact H₆].
Qed.

The following lemma says, such properties about multi-step relation also holds for SimulationStatement_01.

Lemma multi_cstep_Simulation_01: ∀match_com,
    SimulationStatement_01 match_com ->
    ∀c₁ c₂ c₁' st st',
      match_com c₁ c₂ ->
      multi_cstep (c₁, st) (c₁', st') ->
      ∃c₂',
        match_com c₁' c₂' ∧ multi_cstep (c₂, st) (c₂', st').
Proof.
  intros.
  revert c₂ H₀; induction_1n H₁; intros.
  + ∃c₂.
    split; [exact H₀ | reflexivity].
  + pose proof H _ _ _ _ _ H₂ H₀.
    destruct H₃ as [c' [? ?]].
    specialize (IHrt c' H₃).
    destruct IHrt as [c₂' [? ?]].
    ∃c₂'.
    split; [exact H₅ |].
    destruct H₄.
    - injection H₄ as ? ?; subst.
      exact H₆.
    - etransitivity_1n; [exact H₄ | exact H₆].
Qed.

Lecture notes 20210329 Small Step Semantics 2

Review: Small Step

Simulation for Program Equivalence

Associativity of Sequential Composition

Removing Skips On the Left

Properties of Simulation Relations

More Reading: Unused Assignments