Equiv: Program Equivalence

Before You Get Started:

• Create a fresh directory for this volume. (Do not try to mix the files from this volume with files from Logical Foundations in the same directory: the result will not make you happy.) You can either start with an empty directory and populate it with the files listed below, or else download the whole PLF zip file and unzip it.
• The new directory should contain at least the following files:
  • Imp.v (make sure it is the one from the PLF distribution, not the one from LF: they are slightly different);
  • Maps.v (ditto)
  • Equiv.v (this file)
  • _CoqProject, containing the following line:
    • Q . PLF
• If you see errors like this...
  Compiled library PLF.Maps (in file /Users/.../plf/Maps.vo) makes inconsistent assumptions over library Coq.Init.Logic
  ... it may mean something went wrong with the above steps. Doing "make clean" (or manually removing everything except .v and _CoqProject files) may help.
• If you are using VSCode with the VSCoq extension, you'll then want to open a new window in VSCode, click Open Folder > plf, and run make. If you get an error like "Cannot find a physical path..." error, it may be because you didn't open plf directly (you instead opened a folder containing both lf and plf, for example).

Advice for Working on Exercises:

• Most of the Coq proofs we ask you to do in this chapter are similar to proofs that we've provided. Before starting to work on exercises, take the time to work through our proofs (both informally and in Coq) and make sure you understand them in detail. This will save you a lot of time.
• The Coq proofs we're doing now are sufficiently complicated that it is more or less impossible to complete them by random experimentation or following your nose. You need to start with an idea about why the property is true and how the proof is going to go. The best way to do this is to write out at least a sketch of an informal proof on paper -- one that intuitively convinces you of the truth of the theorem -- before starting to work on the formal one. Alternately, grab a friend and try to convince them that the theorem is true; then try to formalize your explanation.
• Use automation to save work! The proofs in this chapter can get pretty long if you try to write out all the cases explicitly.

Behavioral Equivalence

In an earlier chapter, we investigated the correctness of a very simple program transformation: the optimize_0plus function. The programming language we were considering was the first version of the language of arithmetic expressions -- with no variables -- so in that setting it was very easy to define what it means for a program transformation to be correct: it should always yield a program that evaluates to the same number as the original. To talk about the correctness of program transformations for the full Imp language -- in particular, assignment -- we need to consider the role of mutable state and develop a more sophisticated notion of correctness, which we'll call behavioral equivalence. For example:

• X + 2 is behaviorally equivalent to 1 + X + 1
• X - X is behaviorally equivalent to 0
• (X - 1) + 1 is not behaviorally equivalent to X

Definitions

For aexps and bexps with variables, the definition we want is clear: Two aexps or bexps are "behaviorally equivalent" if they evaluate to the same result in every state.

Here are some simple examples of equivalences of arithmetic and boolean expressions.

For commands, the situation is a little more subtle. We can't simply say "two commands are behaviorally equivalent if they evaluate to the same ending state whenever they are started in the same initial state," because some commands, when run in some starting states, don't terminate in any final state at all! What we need instead is this: two commands are behaviorally equivalent if, for any given starting state, they either (1) both diverge or (2) both terminate in the same final state. A compact way to express this is "if the first one terminates in a particular state then so does the second, and vice versa."

We can also define an asymmetric variant of this relation: We say that c1 refines c2 if they produce the same final states when c1 terminates (but c1 may not terminate in some cases where c2 does).

Simple Examples

For examples of command equivalence, let's start by looking at a trivial program equivalence involving skip:

Exercise: 2 stars, standard (skip_right)

Prove that adding a skip after a command results in an equivalent program

☐ Similarly, here is a simple equivalence that optimizes if commands:

Of course, no (human) programmer would write a conditional whose condition is literally true. But they might write one whose condition is equivalent to true: Theorem: If b is equivalent to true, then if b then c1 else c2 end is equivalent to c1. Proof:

• (→) We must show, for all st and st', that if st =[ if b then c1 else c2 end ]=> st' then st =[ c1 ]=> st'.
  Proceed by cases on the rules that could possibly have been used to show st =[ if b then c1 else c2 end ]=> st', namely E_IfTrue and E_IfFalse.
  • Suppose the final rule in the derivation of st =[ if b then c1 else c2 end ]=> st' was E_IfTrue. We then have, by the premises of E_IfTrue, that st =[ c1 ]=> st'. This is exactly what we set out to prove.
  • On the other hand, suppose the final rule in the derivation of st =[ if b then c1 else c2 end ]=> st' was E_IfFalse. We then know that beval st b = false and st =[ c2 ]=> st'.
    Recall that b is equivalent to true, i.e., forall st, beval st b = beval st <{true}> . In particular, this means that beval st b = true, since beval st <{true}> = true. But this is a contradiction, since E_IfFalse requires that beval st b = false. Thus, the final rule could not have been E_IfFalse.
• (<-) We must show, for all st and st', that if st =[ c1 ]=> st' then st =[ if b then c1 else c2 end ]=> st'.
  Since b is equivalent to true, we know that beval st b = beval st <{true}> = true. Together with the assumption that st =[ c1 ]=> st', we can apply E_IfTrue to derive st =[ if b then c1 else c2 end ]=> st'. ☐

Here is the formal version of this proof:

Exercise: 2 stars, standard, especially useful (if_false)

☐

Exercise: 3 stars, standard (swap_if_branches)

Show that we can swap the branches of an if if we also negate its condition.

☐ For while loops, we can give a similar pair of theorems. A loop whose guard is equivalent to false is equivalent to skip, while a loop whose guard is equivalent to true is equivalent to while true do skip end (or any other non-terminating program). The first of these facts is easy.

Exercise: 2 stars, advanced, optional (while_false_informal)

Write an informal proof of while_false. ☐ To prove the second fact, we need an auxiliary lemma stating that while loops whose guards are equivalent to true never terminate. Lemma: If b is equivalent to true, then it cannot be the case that st =[ while b do c end ]=> st'. Proof: Suppose that st =[ while b do c end ]=> st'. We show, by induction on a derivation of st =[ while b do c end ]=> st', that this assumption leads to a contradiction. The only two cases to consider are E_WhileFalse and E_WhileTrue, the others are contradictory.

• Suppose st =[ while b do c end ]=> st' is proved using rule E_WhileFalse. Then by assumption beval st b = false. But this contradicts the assumption that b is equivalent to true.
• Suppose st =[ while b do c end ]=> st' is proved using rule E_WhileTrue. We must have that:
  1. beval st b = true, 2. there is some st0 such that st =[ c ]=> st0 and st0 =[ while b do c end ]=> st', 3. and we are given the induction hypothesis that st0 =[ while b do c end ]=> st' leads to a contradiction,
  We obtain a contradiction by 2 and 3. ☐

Exercise: 2 stars, standard, optional (while_true_nonterm_informal)

Explain what the lemma while_true_nonterm means in English. ☐

Exercise: 2 stars, standard, especially useful (while_true)

Prove the following theorem. Hint: You'll want to use while_true_nonterm here.

☐ A more interesting fact about while commands is that any number of copies of the body can be "unrolled" without changing meaning. Loop unrolling is an important transformation in any real compiler: its correctness is of more than academic interest!

Exercise: 2 stars, standard, optional (seq_assoc)

☐ Proving program properties involving assignments is one place where the fact that program states are treated extensionally (e.g., x !-> m x ; m and m are equal maps) comes in handy.

Exercise: 2 stars, standard, especially useful (assign_aequiv)

☐

Exercise: 2 stars, standard (equiv_classes)

Given the following programs, group together those that are equivalent in Imp. Your answer should be given as a list of lists, where each sub-list represents a group of equivalent programs. For example, if you think programs (a) through (h) are all equivalent to each other, but not to (i), your answer should look like this: [prog_a;prog_b;prog_c;prog_d;prog_e;prog_f;prog_g;prog_h] ; [prog_i] Write down your answer below in the definition of equiv_classes.

☐

Properties of Behavioral Equivalence

We next consider some fundamental properties of program equivalence.

Behavioral Equivalence Is an Equivalence

First, let's verify that the equivalences on aexps, bexps, and coms really are equivalences -- i.e., that they are reflexive, symmetric, and transitive. The proofs are all easy.

Behavioral Equivalence Is a Congruence

Less obviously, behavioral equivalence is also a congruence. That is, the equivalence of two subprograms implies the equivalence of the larger programs in which they are embedded: aequiv a a'

---

cequiv (x := a) (x := a') cequiv c1 c1' cequiv c2 c2'

---

cequiv (c1;c2) (c1';c2') ... and so on for the other forms of commands. (Note that we are using the inference rule notation here not as part of an inductive definition, but simply to write down some valid implications in a readable format. We prove these implications below.) We will see a concrete example of why these congruence properties are important in the following section (in the proof of fold_constants_com_sound), but the main idea is that they allow us to replace a small part of a large program with an equivalent small part and know that the whole large programs are equivalent without doing an explicit proof about the parts that didn't change -- i.e., the "proof burden" of a small change to a large program is proportional to the size of the change, not the program!

The congruence property for loops is a little more interesting, since it requires induction. Theorem: Equivalence is a congruence for while -- that is, if b is equivalent to b' and c is equivalent to c', then while b do c end is equivalent to while b' do c' end. Proof: Suppose b is equivalent to b' and c is equivalent to c'. We must show, for every st and st', that st =[ while b do c end ]=> st' iff st =[ while b' do c' end ]=> st'. We consider the two directions separately.

• (→) We show that st =[ while b do c end ]=> st' implies st =[ while b' do c' end ]=> st', by induction on a derivation of st =[ while b do c end ]=> st'. The only nontrivial cases are when the final rule in the derivation is E_WhileFalse or E_WhileTrue.
  • E_WhileFalse: In this case, the form of the rule gives us beval st b = false and st = st'. But then, since b and b' are equivalent, we have beval st b' = false, and E_WhileFalse applies, giving us st =[ while b' do c' end ]=> st', as required.
  • E_WhileTrue: The form of the rule now gives us beval st b = true, with st =[ c ]=> st'0 and st'0 =[ while b do c end ]=> st' for some state st'0, with the induction hypothesis st'0 =[ while b' do c' end ]=> st'.
    Since c and c' are equivalent, we know that st =[ c' ]=> st'0. And since b and b' are equivalent, we have beval st b' = true. Now E_WhileTrue applies, giving us st =[ while b' do c' end ]=> st', as required.
• (<-) Similar. ☐

Exercise: 3 stars, standard, optional (CSeq_congruence)

☐

Exercise: 3 stars, standard (CIf_congruence)

☐ For example, here are two equivalent programs and a proof of their equivalence using these congruence theorems...

Exercise: 3 stars, advanced (not_congr)

We've shown that the cequiv relation is both an equivalence and a congruence on commands. Can you think of a relation on commands that is an equivalence but not a congruence? Write down the relation (formally), together with an informal sketch of a proof that it is an equivalence but not a congruence.

☐

Program Transformations

A program transformation is a function that takes a program as input and produces a modified program as output. Compiler optimizations such as constant folding are a canonical example, but there are many others. A program transformation is said to be sound if it preserves the behavior of the original program.

The Constant-Folding Transformation

An expression is constant if it contains no variable references. Constant folding is an optimization that finds constant expressions and replaces them by their values.

Note that this version of constant folding doesn't do other "obvious" things like eliminating trivial additions (e.g., rewriting 0 + X to just X).: we are focusing attention on a single optimization for the sake of simplicity. It is not hard to incorporate other ways of simplifying expressions -- the definitions and proofs just get longer. We'll consider optimizations in the exercises.

Not only can we lift fold_constants_aexp to bexps (in the BEq, BNeq, and BLe cases); we can also look for constant boolean expressions and evaluate them in-place as well.

To fold constants in a command, we apply the appropriate folding functions on all embedded expressions.

Soundness of Constant Folding

Now we need to show that what we've done is correct. Here's the proof for arithmetic expressions:

Exercise: 3 stars, standard, optional (fold_bexp_Eq_informal)

Here is an informal proof of the BEq case of the soundness argument for boolean expression constant folding. Read it carefully and compare it to the formal proof that follows. Then fill in the BLe case of the formal proof (without looking at the BEq case, if possible). Theorem: The constant folding function for booleans, fold_constants_bexp, is sound. Proof: We must show that b is equivalent to fold_constants_bexp b, for all boolean expressions b. Proceed by induction on b. We show just the case where b has the form a1 = a2. In this case, we must show beval st <{ a1 = a2 }> = beval st (fold_constants_bexp <{ a1 = a2 }>). There are two cases to consider:

• First, suppose fold_constants_aexp a1 = ANum n1 and fold_constants_aexp a2 = ANum n2 for some n1 and n2.
  In this case, we have
  fold_constants_bexp <{ a1 = a2 }> = if n1 =? n2 then <{true}> else <{false}>
  and
  beval st <{a1 = a2}> = (aeval st a1) =? (aeval st a2).
  By the soundness of constant folding for arithmetic expressions (Lemma fold_constants_aexp_sound), we know
  aeval st a1 = aeval st (fold_constants_aexp a1) = aeval st (ANum n1) = n1
  and
  aeval st a2 = aeval st (fold_constants_aexp a2) = aeval st (ANum n2) = n2,
  so
  beval st <{a1 = a2}> = (aeval a1) =? (aeval a2) = n1 =? n2.
  Also, it is easy to see (by considering the cases n1 = n2 and n1 ≠ n2 separately) that
  beval st (if n1 =? n2 then <{true}> else <{false}>) = if n1 =? n2 then beval st <{true}> else beval st <{false}> = if n1 =? n2 then true else false = n1 =? n2.
  So
  beval st (<{ a1 = a2 }>) = n1 =? n2. = beval st (if n1 =? n2 then <{true}> else <{false}>),
  as required.
• Otherwise, one of fold_constants_aexp a1 and fold_constants_aexp a2 is not a constant. In this case, we must show
  beval st <{a1 = a2}> = beval st (<{ (fold_constants_aexp a1) = (fold_constants_aexp a2) }>),
  which, by the definition of beval, is the same as showing
  (aeval st a1) =? (aeval st a2) = (aeval st (fold_constants_aexp a1)) =? (aeval st (fold_constants_aexp a2)).
  But the soundness of constant folding for arithmetic expressions (fold_constants_aexp_sound) gives us
  aeval st a1 = aeval st (fold_constants_aexp a1) aeval st a2 = aeval st (fold_constants_aexp a2),
  completing the case. ☐

☐

Exercise: 3 stars, standard (fold_constants_com_sound)

Complete the while case of the following proof.

☐

Soundness of (0 + n) Elimination, Redux

Exercise: 4 stars, standard, optional (optimize_0plus_var)

Recall the definition optimize_0plus from the Imp chapter of Logical Foundations: Fixpoint optimize_0plus (a:aexp) : aexp := match a with | ANum n => ANum n | <{ 0 + a2 }> => optimize_0plus a2 | <{ a1 + a2 }> => <{ (optimize_0plus a1) + (optimize_0plus a2) }> | <{ a1 - a2 }> => <{ (optimize_0plus a1) - (optimize_0plus a2) }> | <{ a1 * a2 }> => <{ (optimize_0plus a1) * (optimize_0plus a2) }> end. Note that this function is defined over the old version of aexps, without states. Write a new version of this function that deals with variables (by leaving them alone), plus analogous ones for bexps and commands: optimize_0plus_aexp optimize_0plus_bexp optimize_0plus_com

Prove that these three functions are sound, as we did for fold_constants_×. Make sure you use the congruence lemmas in the proof of optimize_0plus_com -- otherwise it will be long!

Finally, let's define a compound optimizer on commands that first folds constants (using fold_constants_com) and then eliminates 0 + n terms (using optimize_0plus_com).

Prove that this optimizer is sound.

☐

Proving Inequivalence

Next, let's look at some programs that are not equivalent. Suppose that c1 is a command of the form X := a1; Y := a2 and c2 is the command X := a1; Y := a2' where a2' is formed by substituting a1 for all occurrences of X in a2. For example, c1 and c2 might be: c1 = (X := 42 + 53; Y := Y + X) c2 = (X := 42 + 53; Y := Y + (42 + 53)) Clearly, this particular c1 and c2 are equivalent. Is this true in general? We will see in a moment that it is not, but it is worthwhile to pause, now, and see if you can find a counter-example on your own. More formally, here is the function that substitutes an arithmetic expression u for each occurrence of a given variable x in another expression a:

And here is the property we are interested in, expressing the claim that commands c1 and c2 as described above are always equivalent.

Sadly, the property does not always hold. Here is a counterexample: X := X + 1; Y := X If we perform the substitution, we get X := X + 1; Y := X + 1 which clearly isn't equivalent.

Exercise: 4 stars, standard, optional (better_subst_equiv)

The equivalence we had in mind above was not complete nonsense -- in fact, it was actually almost right. To make it correct, we just need to exclude the case where the variable X occurs in the right-hand side of the first assignment statement.

Using var_not_used_in_aexp, formalize and prove a correct version of subst_equiv_property.

Exercise: 3 stars, standard (inequiv_exercise)

Prove that an infinite loop is not equivalent to skip

☐

Extended Exercise: Nondeterministic Imp

As we have seen (in theorem ceval_deterministic in the Imp chapter), Imp's evaluation relation is deterministic. However, non-determinism is an important part of the definition of many real programming languages. For example, in many imperative languages (such as C and its relatives), the order in which function arguments are evaluated is unspecified. The program fragment x = 0; f(++x, x) might call f with arguments (1, 0) or (1, 1), depending how the compiler chooses to order things. This can be a little confusing for programmers, but it gives the compiler writer useful freedom. In this exercise, we will extend Imp with a simple nondeterministic command and study how this change affects program equivalence. The new command has the syntax HAVOC X, where X is an identifier. The effect of executing HAVOC X is to assign an arbitrary number to the variable X, nondeterministically. For example, after executing the program: HAVOC Y; Z := Y * 2 the value of Y can be any number, while the value of Z is twice that of Y (so Z is always even). Note that we are not saying anything about the probabilities of the outcomes -- just that there are (infinitely) many different outcomes that can possibly happen after executing this nondeterministic code. In a sense, a variable on which we do HAVOC roughly corresponds to an uninitialized variable in a low-level language like C. After the HAVOC, the variable holds a fixed but arbitrary number. Most sources of nondeterminism in language definitions are there precisely because programmers don't care which choice is made (and so it is good to leave it open to the compiler to choose whichever will run faster). We call this new language Himp (``Imp extended with HAVOC'').

To formalize Himp, we first add a clause to the definition of commands.

Exercise: 2 stars, standard (himp_ceval)

Now, we must extend the operational semantics. We have provided a template for the ceval relation below, specifying the big-step semantics. What rule(s) must be added to the definition of ceval to formalize the behavior of the HAVOC command?

As a sanity check, the following claims should be provable for your definition:

☐ Finally, we repeat the definition of command equivalence from above:

Let's apply this definition to prove some nondeterministic programs equivalent / inequivalent.

Exercise: 3 stars, standard (havoc_swap)

Are the following two programs equivalent?

If you think they are equivalent, prove it. If you think they are not, prove that.

☐

Exercise: 4 stars, standard, optional (havoc_copy)

Are the following two programs equivalent?

If you think they are equivalent, then prove it. If you think they are not, then prove that. (Hint: You may find the assert tactic useful.)

☐ The definition of program equivalence we are using here has some subtle consequences on programs that may loop forever. What cequiv says is that the set of possible terminating outcomes of two equivalent programs is the same. However, in a language with nondeterminism, like Himp, some programs always terminate, some programs always diverge, and some programs can nondeterministically terminate in some runs and diverge in others. The final part of the following exercise illustrates this phenomenon.

Exercise: 4 stars, advanced (p1_p2_term)

Consider the following commands:

Intuitively, p1 and p2 have the same termination behavior: either they loop forever, or they terminate in the same state they started in. We can capture the termination behavior of p1 and p2 individually with these lemmas:

☐

Exercise: 4 stars, advanced (p1_p2_equiv)

Use these two lemmas to prove that p1 and p2 are actually equivalent.

☐

Exercise: 4 stars, advanced (p3_p4_inequiv)

Prove that the following programs are not equivalent. (Hint: What should the value of Z be when p3 terminates? What about p4?)