States

Since we'll want to look variables up to find out their current values, we'll use total maps from the Maps chapter. A machine state (or just state) represents the current values of all variables at some point in the execution of a program. For simplicity, we assume that the state is defined for all variables, even though any given program is only able to mention a finite number of them. Because each variable stores a natural number, we can represent the state as a total map from strings (variable names) to nat, and will use 0 as default value in the store.

Syntax

We can add variables to the arithmetic expressions we had before simply by including one more constructor:

Defining a few variable names as notational shorthands will make examples easier to read:

(This convention for naming program variables (X, Y, Z) clashes a bit with our earlier use of uppercase letters for types. Since we're not using polymorphism heavily in the chapters developed to Imp, this overloading should not cause confusion.) The definition of bexps is unchanged (except that it now refers to the new aexps):

Notations

To make Imp programs easier to read and write, we introduce some notations and implicit coercions. You do not need to understand exactly what these declarations do. Briefly, though:

• The Coercion declaration stipulates that a function (or constructor) can be implicitly used by the type system to coerce a value of the input type to a value of the output type. For instance, the coercion declaration for AId allows us to use plain strings when an aexp is expected; the string will implicitly be wrapped with AId.
• Declare Custom Entry com tells Coq to create a new "custom grammar" for parsing Imp expressions and programs. The first notation declaration after this tells Coq that anything between <{ and }> should be parsed using the Imp grammar. Again, it is not necessary to understand the details, but it is important to recognize that we are defining new interpretations for some familiar operators like +, -, ×, =, ≤, etc., when they occur between <{ and }>.

We can now write 3 + (X × 2) instead of APlus 3 (AMult X 2), and true && ~(X ≤ 4) instead of BAnd true (BNot (BLe X 4)).

Evaluation

The arith and boolean evaluators must now be extended to handle variables in the obvious way, taking a state st as an extra argument:

We can use our notation for total maps in the specific case of states -- i.e., we write the empty state as (_ !-> 0).

Also, we can add a notation for a "singleton state" with just one variable bound to a value.

Commands

Now we are ready to define the syntax and behavior of Imp commands (or statements).

Syntax

Informally, commands c are described by the following BNF grammar. c := skip | x := a | c ; c | if b then c else c end | while b do c end Here is the formal definition of the abstract syntax of commands:

As we did for expressions, we can use a few Notation declarations to make reading and writing Imp programs more convenient.

For example, here is the factorial function again, written as a formal Coq definition. When this command terminates, the variable Y will contain the factorial of the initial value of X.

Desugaring Notations

Coq offers a rich set of features to manage the increasing complexity of the objects we work with, such as coercions and notations. However, their heavy usage can make it hard to understand what the expressions we enter actually mean. In such situations it is often instructive to "turn off" those features to get a more elementary picture of things, using the following commands:

• Unset Printing Notations (undo with Set Printing Notations)
• Set Printing Coercions (undo with Unset Printing Coercions)
• Set Printing All (undo with Unset Printing All)

These commands can also be used in the middle of a proof, to elaborate the current goal and context.

Locate Again

Finding identifiers

When used with an identifier, the Locate prints the full path to every value in scope with the same name. This is useful to troubleshoot problems due to variable shadowing.

Finding notations

When faced with an unknown notation, you can use Locate with a string containing one of its symbols to see its possible interpretations.

More Examples

Assignment:

Loops

An infinite loop:

Evaluating Commands

Next we need to define what it means to evaluate an Imp command. The fact that while loops don't necessarily terminate makes defining an evaluation function tricky...

Evaluation as a Function (Failed Attempt)

Here's an attempt at defining an evaluation function for commands (with a bogus while case).

In a more conventional functional programming language like OCaml or Haskell we could add the while case as follows: Fixpoint ceval_fun (st : state) (c : com) : state := match c with ... | <{ while b do c end}> => if (beval st b) then ceval_fun st <{c ; while b do c end}> else st end. Coq doesn't accept such a definition ("Error: Cannot guess decreasing argument of fix") because the function we want to define is not guaranteed to terminate. Indeed, it doesn't always terminate: for example, the full version of the ceval_fun function applied to the loop program above would never terminate. Since Coq aims to be not just a functional programming language but also a consistent logic, any potentially non-terminating function needs to be rejected. Here is an example showing what would go wrong if Coq allowed non-terminating recursive functions: Fixpoint loop_false (n : nat) : False := loop_false n. That is, propositions like False would become provable (loop_false 0 would be a proof of False), which would be a disaster for Coq's logical consistency. Thus, because it doesn't terminate on all inputs, ceval_fun cannot be written in Coq -- at least not without additional tricks and workarounds (see chapter ImpCEvalFun if you're curious about those).

Evaluation as a Relation

Here's a better way: define ceval as a relation rather than a function -- i.e., make its result a Prop rather than a state, similar to what we did for aevalR above. This is an important change. Besides freeing us from awkward workarounds, it gives us a ton more flexibility in the definition. For example, if we add nondeterministic features like any to the language, we want the definition of evaluation to be nondeterministic -- i.e., not only will it not be total, it will not even be a function! We'll use the notation st =[ c ]=> st' for the ceval relation: st =[ c ]=> st' means that executing program c in a starting state st results in an ending state st'. This can be pronounced "c takes state st to st'".

Operational Semantics

Here is an informal definition of evaluation, presented as inference rules for readability:

---

(E_Skip) st = skip => st aeval st a = n

---

(E_Asgn) st = x := a => (x !-> n ; st) st = c1 => st' st' = c2 => st''

---

(E_Seq) st = c1;c2 => st'' beval st b = true st = c1 => st'

---

(E_IfTrue) st = if b then c1 else c2 end => st' beval st b = false st = c2 => st'

---

(E_IfFalse) st = if b then c1 else c2 end => st' beval st b = false

---

(E_WhileFalse) st = while b do c end => st beval st b = true st = c => st' st' = while b do c end => st''

---

(E_WhileTrue) st = while b do c end => st'' Here is the formal definition. Make sure you understand how it corresponds to the inference rules.

The cost of defining evaluation as a relation instead of a function is that we now need to construct a proof that some program evaluates to some result state, rather than just letting Coq's computation mechanism do it for us.

Exercise: 2 stars, standard (ceval_example2)

☐

Exercise: 3 stars, standard, optional (pup_to_n)

Write an Imp program that sums the numbers from 1 to X (inclusive: 1 + 2 + ... + X) in the variable Y. Your program should update the state as shown in theorem pup_to_2_ceval, which you can reverse-engineer to discover the program you should write. The proof of that theorem will be somewhat lengthy.

☐

Determinism of Evaluation

Changing from a computational to a relational definition of evaluation is a good move because it frees us from the artificial requirement that evaluation should be a total function. But it also raises a question: Is the second definition of evaluation really a partial function? Or is it possible that, beginning from the same state st, we could evaluate some command c in different ways to reach two different output states st' and st''? In fact, this cannot happen: ceval is a partial function:

Reasoning About Imp Programs

We'll get into more systematic and powerful techniques for reasoning about Imp programs in Programming Language Foundations, but we can already do a few things (albeit in a somewhat low-level way) just by working with the bare definitions. This section explores some examples.

Inverting Heval essentially forces Coq to expand one step of the ceval computation -- in this case revealing that st' must be st extended with the new value of X, since plus2 is an assignment.

Exercise: 3 stars, standard, optional (XtimesYinZ_spec)

State and prove a specification of XtimesYinZ.

☐

Exercise: 3 stars, standard, especially useful (loop_never_stops)

Proceed by induction on the assumed derivation showing that loopdef terminates. Most of the cases are immediately contradictory and so can be solved in one step with discriminate.

☐

Exercise: 3 stars, standard (no_whiles_eqv)

Consider the following function:

This predicate yields true just on programs that have no while loops. Using Inductive, write a property no_whilesR such that no_whilesR c is provable exactly when c is a program with no while loops. Then prove its equivalence with no_whiles.

☐

Exercise: 4 stars, standard (no_whiles_terminating)

Imp programs that don't involve while loops always terminate. State and prove a theorem no_whiles_terminating that says this. Use either no_whiles or no_whilesR, as you prefer.

☐

Additional Exercises

Exercise: 3 stars, standard (stack_compiler)

Old HP Calculators, programming languages like Forth and Postscript, and abstract machines like the Java Virtual Machine all evaluate arithmetic expressions using a stack. For instance, the expression (2*3)+(3*(4-2)) would be written as 2 3 * 3 4 2 - * + and evaluated like this (where we show the program being evaluated on the right and the contents of the stack on the left): | 2 3 * 3 4 2 - * + 2 | 3 * 3 4 2 - * + 3, 2 | * 3 4 2 - * + 6 | 3 4 2 - * + 3, 6 | 4 2 - * + 4, 3, 6 | 2 - * + 2, 4, 3, 6 | - * + 2, 3, 6 | * + 6, 6 | + 12 | The goal of this exercise is to write a small compiler that translates aexps into stack machine instructions. The instruction set for our stack language will consist of the following instructions:

• SPush n: Push the number n on the stack.
• SLoad x: Load the identifier x from the store and push it on the stack
• SPlus: Pop the two top numbers from the stack, add them, and push the result onto the stack.
• SMinus: Similar, but subtract the first number from the second.
• SMult: Similar, but multiply.

Write a function to evaluate programs in the stack language. It should take as input a state, a stack represented as a list of numbers (top stack item is the head of the list), and a program represented as a list of instructions, and it should return the stack after executing the program. Test your function on the examples below. Note that it is unspecified what to do when encountering an SPlus, SMinus, or SMult instruction if the stack contains fewer than two elements. In a sense, it is immaterial what we do, since a correct compiler will never emit such a malformed program. But for sake of later exercises, it would be best to skip the offending instruction and continue with the next one.

Next, write a function that compiles an aexp into a stack machine program. The effect of running the program should be the same as pushing the value of the expression on the stack.

After you've defined s_compile, prove the following to test that it works.

☐

Exercise: 3 stars, standard (execute_app)

Execution can be decomposed in the following sense: executing stack program p1 ++ p2 is the same as executing p1, taking the resulting stack, and executing p2 from that stack. Prove that fact.

☐

Exercise: 3 stars, standard (stack_compiler_correct)

Now we'll prove the correctness of the compiler implemented in the previous exercise. Begin by proving the following lemma. If it becomes difficult, consider whether your implementation of s_execute or s_compile could be simplified.

The main theorem should be a very easy corollary of that lemma.

☐

Exercise: 3 stars, standard, optional (short_circuit)

Most modern programming languages use a "short-circuit" evaluation rule for boolean and: to evaluate BAnd b1 b2, first evaluate b1. If it evaluates to false, then the entire BAnd expression evaluates to false immediately, without evaluating b2. Otherwise, b2 is evaluated to determine the result of the BAnd expression. Write an alternate version of beval that performs short-circuit evaluation of BAnd in this manner, and prove that it is equivalent to beval. (N.b. This is only true because expression evaluation in Imp is rather simple. In a bigger language where evaluating an expression might diverge, the short-circuiting BAnd would not be equivalent to the original, since it would make more programs terminate.)

Exercise: 4 stars, advanced (break_imp)

Imperative languages like C and Java often include a break or similar statement for interrupting the execution of loops. In this exercise we consider how to add break to Imp. First, we need to enrich the language of commands with an additional case.

Next, we need to define the behavior of break. Informally, whenever break is executed in a sequence of commands, it stops the execution of that sequence and signals that the innermost enclosing loop should terminate. (If there aren't any enclosing loops, then the whole program simply terminates.) The final state should be the same as the one in which the break statement was executed. One important point is what to do when there are multiple loops enclosing a given break. In those cases, break should only terminate the innermost loop. Thus, after executing the following... X := 0; Y := 1; while 0 <> Y do while true do break end; X := 1; Y := Y - 1 end ... the value of X should be 1, and not 0. One way of expressing this behavior is to add another parameter to the evaluation relation that specifies whether evaluation of a command executes a break statement:

Intuitively, st =[ c ]=> st' / s means that, if c is started in state st, then it terminates in state st' and either signals that the innermost surrounding loop (or the whole program) should exit immediately (s = SBreak) or that execution should continue normally (s = SContinue). The definition of the "st =[ c ]=> st' / s" relation is very similar to the one we gave above for the regular evaluation relation (st =[ c ]=> st') -- we just need to handle the termination signals appropriately:

• If the command is skip, then the state doesn't change and execution of any enclosing loop can continue normally.
• If the command is break, the state stays unchanged but we signal a SBreak.
• If the command is an assignment, then we update the binding for that variable in the state accordingly and signal that execution can continue normally.
• If the command is of the form if b then c1 else c2 end, then the state is updated as in the original semantics of Imp, except that we also propagate the signal from the execution of whichever branch was taken.
• If the command is a sequence c1 ; c2, we first execute c1. If this yields a SBreak, we skip the execution of c2 and propagate the SBreak signal to the surrounding context; the resulting state is the same as the one obtained by executing c1 alone. Otherwise, we execute c2 on the state obtained after executing c1, and propagate the signal generated there.
• Finally, for a loop of the form while b do c end, the semantics is almost the same as before. The only difference is that, when b evaluates to true, we execute c and check the signal that it raises. If that signal is SContinue, then the execution proceeds as in the original semantics. Otherwise, we stop the execution of the loop, and the resulting state is the same as the one resulting from the execution of the current iteration. In either case, since break only terminates the innermost loop, while signals SContinue.

Based on the above description, complete the definition of the ceval relation.

Now prove the following properties of your definition of ceval:

☐

Exercise: 3 stars, advanced, optional (while_break_true)

☐

Exercise: 4 stars, advanced, optional (ceval_deterministic)

☐

Exercise: 4 stars, standard, optional (add_for_loop)

Add C-style for loops to the language of commands, update the ceval definition to define the semantics of for loops, and add cases for for loops as needed so that all the proofs in this file are accepted by Coq. A for loop should be parameterized by (a) a statement executed initially, (b) a test that is run on each iteration of the loop to determine whether the loop should continue, (c) a statement executed at the end of each loop iteration, and (d) a statement that makes up the body of the loop. (You don't need to worry about making up a concrete Notation for for loops, but feel free to play with this too if you like.)