「SF-PLF」1 Equiv
issues on coqc
module linking
Some module (e.g.Map
) not found
either maunally make map.vo
or proof general can solve that.
Behavioral Equivalence 行为等价
How to define the correctness of program transformation, e.g.
optimize_0plus
?
- in the setting w/o var (imp w/o var and state) : yield a program the evals to same number as original.
- in the setting w/ var (full imp w/ assignment) : we need to consider the role of var and state.
Definitions
Two
aexps
orbexps
are behaviorally equivalent if they evaluate to the same result in every state.
1 | Definition aequiv (a1 a2 : aexp) : Prop := |
For commands, We can’t simply say … if they evaluate to the same ending state
some commands don’t terminate in any final state at all!
So to define, they either or…
- both diverge 都发散
- both terminate in the same final state 都在同一个状态停机
A compact way is
“if the first one terminates in a particular state then so does the second, and vice versa.”
1 | Definition cequiv (c1 c2 : com) : Prop := |
Example 1 - Simple (but demonstrated)
1 | Theorem skip_left : forall c, |
Noticed that the inversion
is like use the inverse function of constructors.
Example 2 - WHILE true non-terminating
one interesting theorem is that we can prove WHILE <things ⇓ true>
is not terminating.
and is equivalent to any other non-terminating program, e.g. WHILE BTrue DO SKIP END
: (因为我们的「等价」只要求同「发散」即可)
1 | Theorem WHILE_true : ∀b c, |
Example 3 - Loop Unrolling
any number of copies of the body can be “unrolled” without changing meaning
1 | Theorem loop_unrolling : ∀b c, |
Example 4 - Use of extenionality 外延性
x !-> m x ; x
is same map with m
by extenionality!
1 | Theorem identity_assignment : ∀x, |
Properties of Behavioral Equivalence 行为等价的性质
等价关系 (Equivalence)
自反性(reflexive)、对称性(symmetric)和传递性 (transitive)
同余关系(Congruence)
That is, the equivalence of two subprograms implies the equivalence of the larger programs in which they are embedded
如果两个子程序等价,那么当二者所在的更大的程序中_只有二者不同_时, 这两个更大的程序也等价
aequiv a1 a1'
-----------------------------
cequiv (x ::= a1) (x ::= a1')
cequiv c1 c1'
cequiv c2 c2'
--------------------------
cequiv (c1;;c2) (c1';;c2')
这个术语应该是来自抽象代数 : 能在运算下保持的等价关系
…in the sense that algebraic operations done with equivalent elements will yield equivalent elements.
Congruence relation
1 | Theorem CAss_congruence : ∀x a1 a1', (** cequiv 是集合 commands 上的等价关系 **) |
在 commands 上等价但不同余的关系?
I guess…”both terminating” relation?
which is equivalence relation on commands, but the equivalence would not be maintained after, say C_WHILE
operation.
Example - Using Congruence
1 | Example congruence_example: |
Program Transformations 程序变换
A program transformation is sound if it preserves the behavior of the original program.
如果一个程序变换保留了其原始行为,那么它就是_可靠_的
我们可以定义在不同集合 aexp, bexp, com
上的 sound 关系:
(有趣的是,Inductive
定义的非 Prop
的 Type
, 确实就是 Set
, 这是一种 PL 和数学的 Correspondence)
- 当我们的 datatype 是 constructor 时 => 不交并
- 当我们的 datatype 有 recursive 时 => 集合的递归定义
1 | Definition atrans_sound (atrans : aexp → aexp) : Prop := |
Constant Folding 常量折叠
An expression is constant when it contains no variable references.
不引用变量的表达式为_常量_
Constant folding is an optimization that finds constant expressions and replaces them by their values.
常量折叠是一种找到常量表达式并把它们替换为其值的优化方法。
Soundness of Constant Folding
aexp
1 | Theorem fold_constants_aexp_sound : |
bexp
证明 btrans_sound fold_constants_bexp.
要难一些,因为其中还用到了 fold_constants_aexp
, 所以我们需要一些技巧
1 | (** 如果不记住而是直接 destruct 的话,这部分信息就丢失了 **) |
cmd
主要技巧在于配合使用 Congruence
与 IH
解决大部分 case,然后分类讨论 fold_constants_bexp
用 sound
做替换解决剩余 case.
Soundness of (0 + n)
类似,但是接下来我们就可以证明先 fold_constants
再 optimize_0plus
也是 sound 的.
这里我更 general 得证明了 ctrans
关系的传递性:
1 | Theorem trans_ctrans_sound : forall tr1 tr2, |
Proving Inequivalence 证明程序不等价
在这个例子中,subst_aexp
是 sound 得,被称为 Constant Propagation (常量传播)
1 | (** [X := 42 + 53](Y + X) => Y + (42 + 53) **) |
所以我们断言这么做是 always sound 得:
1 | Definition subst_equiv_property := ∀x1 x2 a1 a2, |
然而如果 a1
不是常量,副作用很容易让这个转换 unsound
那么怎么证明 ¬subst_equiv_property
(即该性质不成立)? 举一个反例就好
Informal proof
- provide a witness
Formal
- give counterexamples via
remember
, then show⊥
.
1 | (** 给出一组反例,使用性质证明他们 cequiv **) |
Extended Exercise: Nondeterministic Imp
HAVOC roughly corresponds to an uninitialized variable in a low-level language like C.
After the HAVOC, the variable holds a fixed but arbitrary number.
我们增加一个 HAVOC X
语句(大灾难),会为 X 随机赋一个值…类似于「未初始化变量」
1 | Inductive com : Type := |
Small-Step
deterministic
also the def of partial function?
solve_by_inverts
in LTac. (used to generate proof)
LTac doesn’t have termination check. (might not be able to find…)
match
is back-tracking point.
number passing in = depth of the iteration/recursion
ST_Plus2
need value v1
. not redundant with ST_Plus1
we might have things not value
but cannot take step as well.
Strong Progress
Normal form
= no relation related to (so cannot step to)
vs Value…
destruct (apply t)
.
can we do that?
Slide Q&A.
value_not_sae_as normal_form
e.g (1+2) + 7
e.g. 3 + 7
One-step
- plus
- left + 0
- right + 0
Inf-step -> Inf terms
go from 3 to 3+0
Stuck
No StepR
0 term can step into
Multi-Step Reduction ->*
1 | Inductive multi {X : Type} (R : relation X) : relation X := |
can be either defined as a “head + tail” style (or “tail + head” style), or “refl + trans” style (as in Rel.v
).
the trans
relation are underteministic in terms of the transtive relation using. (you can throw infinitely many trans
constructors in)
having multiple form so we can jump back and forth to pick one easier for proof.
PLT PM lang
multiple smallstep relation can be markded deepner state.qjw
er state.
IMP
astep
no need for `value``
for If
, in PLT we have 2 rules for T/F.
here we can compute…
Par w/o Concurrency is deterministic
(not vice versa)
suddenly / ->* /
tuple