ImpCEvalFunAn Evaluation Function for Imp

We saw in the Imp chapter how a naive approach to defining a function representing evaluation for Imp runs into difficulties. There, we adopted the solution of changing from a functional to a relational definition of evaluation. In this optional chapter, we consider strategies for getting the functional approach to work.

A Broken Evaluator

Here was our first try at an evaluation function for commands, omitting WHILE.

Open Scope imp_scope.
Fixpoint ceval_step1 (st : state) (c : com) : state :=
  match c with
    | SKIP ⇒
        st
    | l ::= a₁ ⇒
        (l !-> aeval st a₁ ; st)
    | c₁ ;; c₂ ⇒
        let st' := ceval_step1 st c₁ in
        ceval_step1 st' c₂
    | TEST b THEN c₁ ELSE c₂ FI ⇒
        if (beval st b)
          then ceval_step1 st c₁
          else ceval_step1 st c₂
    | WHILE b₁ DO c₁ END ⇒
        st (* bogus *)
  end.
Close Scope imp_scope.

As we remarked in chapter Imp, in a traditional functional programming language like ML or Haskell we could write the WHILE case as follows:

    | WHILE b₁ DO c₁ END =>
        if (beval st b₁) then
          ceval_step1 st (c₁;; WHILE b₁ DO c₁ END)
        else st

Coq doesn't accept such a definition (Error: Cannot guess decreasing argument of fix) because the function we want to define is not guaranteed to terminate. Indeed, the changed ceval_step1 function applied to the loop program from Imp.v would never terminate. Since Coq is not just a functional programming language, but also a consistent logic, any potentially non-terminating function needs to be rejected. Here is an invalid(!) Coq program showing what would go wrong if Coq allowed non-terminating recursive functions:

     Fixpoint loop_false (n : nat) : False := loop_false n.

That is, propositions like False would become provable (e.g., loop_false 0 would be a proof of False), which would be a disaster for Coq's logical consistency.

Thus, because it doesn't terminate on all inputs, the full version of ceval_step1 cannot be written in Coq -- at least not without one additional trick...

A Step-Indexed Evaluator

The trick we need is to pass an additional parameter to the evaluation function that tells it how long to run. Informally, we start the evaluator with a certain amount of "gas" in its tank, and we allow it to run until either it terminates in the usual way or it runs out of gas, at which point we simply stop evaluating and say that the final result is the empty memory. (We could also say that the result is the current state at the point where the evaluator runs out of gas -- it doesn't really matter because the result is going to be wrong in either case!)

Open Scope imp_scope.
Fixpoint ceval_step2 (st : state) (c : com) (i : nat) : state :=
  match i with
  | O ⇒ empty_st
  | S i' ⇒
    match c with
      | SKIP ⇒
          st
      | l ::= a₁ ⇒
          (l !-> aeval st a₁ ; st)
      | c₁ ;; c₂ ⇒
          let st' := ceval_step2 st c₁ i' in
          ceval_step2 st' c₂ i'
      | TEST b THEN c₁ ELSE c₂ FI ⇒
          if (beval st b)
            then ceval_step2 st c₁ i'
            else ceval_step2 st c₂ i'
      | WHILE b₁ DO c₁ END ⇒
          if (beval st b₁)
          then let st' := ceval_step2 st c₁ i' in
               ceval_step2 st' c i'
          else st
    end
  end.
Close Scope imp_scope.

Open Scope imp_scope.
Fixpoint ceval_step3 (st : state) (c : com) (i : nat)
                    : option state :=
  match i with
  | O ⇒ None
  | S i' ⇒
    match c with
      | SKIP ⇒
          Some st
      | l ::= a₁ ⇒
          Some (l !-> aeval st a₁ ; st)
      | c₁ ;; c₂ ⇒
          match (ceval_step3 st c₁ i') with
          | Some st' ⇒ ceval_step3 st' c₂ i'
          | None ⇒ None
          end
      | TEST b THEN c₁ ELSE c₂ FI ⇒
          if (beval st b)
            then ceval_step3 st c₁ i'
            else ceval_step3 st c₂ i'
      | WHILE b₁ DO c₁ END ⇒
          if (beval st b₁)
          then match (ceval_step3 st c₁ i') with
               | Some st' ⇒ ceval_step3 st' c i'
               | None ⇒ None
               end
          else Some st
    end
  end.
Close Scope imp_scope.

We can improve the readability of this version by introducing a bit of auxiliary notation to hide the plumbing involved in repeatedly matching against optional states.

Notation "'LETOPT' x <== e₁ 'IN' e₂"
   := (match e₁ with
         | Some x ⇒ e₂
         | None ⇒ None
       end)
   (right associativity, at level 60).

Open Scope imp_scope.
Fixpoint ceval_step (st : state) (c : com) (i : nat)
                    : option state :=
  match i with
  | O ⇒ None
  | S i' ⇒
    match c with
      | SKIP ⇒
          Some st
      | l ::= a₁ ⇒
          Some (l !-> aeval st a₁ ; st)
      | c₁ ;; c₂ ⇒
          LETOPT st' <== ceval_step st c₁ i' IN
          ceval_step st' c₂ i'
      | TEST b THEN c₁ ELSE c₂ FI ⇒
          if (beval st b)
            then ceval_step st c₁ i'
            else ceval_step st c₂ i'
      | WHILE b₁ DO c₁ END ⇒
          if (beval st b₁)
          then LETOPT st' <== ceval_step st c₁ i' IN
               ceval_step st' c i'
          else Some st
    end
  end.
Close Scope imp_scope.

Definition test_ceval (st:state) (c:com) :=
  match ceval_step st c 500 with
  | None ⇒ None
  | Some st ⇒ Some (st X, st Y, st Z)
  end.

(* Compute
     (test_ceval empty_st
         (X ::= 2;;
          TEST (X <= 1)
            THEN Y ::= 3
            ELSE Z ::= 4
          FI)).
   ====>
      Some (2, 0, 4)   *)

Relational vs. Step-Indexed Evaluation

Theorem ceval_step__ceval: ∀ c st st',
(∃ i, ceval_step st c i = Some st') →
st =[ c ]=> st'.

Theorem ceval_step_more: ∀ i₁ i₂ st st' c,
  i₁ ≤ i₂ →
  ceval_step st c i₁ = Some st' →
  ceval_step st c i₂ = Some st'.
Proof.
induction i₁ as [|i₁']; intros i₂ st st' c Hle Hceval.
  - (* i₁ = 0 *)
    simpl in Hceval. discriminate Hceval.
  - (* i₁ = S i₁' *)
    destruct i₂ as [|i₂']. inversion Hle.
    assert (Hle': i₁' ≤ i₂') by omega.
    destruct c.
    + (* SKIP *)
      simpl in Hceval. inversion Hceval.
      reflexivity.
    + (* ::= *)
      simpl in Hceval. inversion Hceval.
      reflexivity.
    + (* ;; *)
      simpl in Hceval. simpl.
      destruct (ceval_step st c₁ i₁') eqn:Heqst1'o.
      × (* st₁'o = Some *)
        apply (IHi1' i₂') in Heqst1'o; try assumption.
        rewrite Heqst1'o. simpl. simpl in Hceval.
        apply (IHi1' i₂') in Hceval; try assumption.
      × (* st₁'o = None *)
        discriminate Hceval.

    + (* TEST *)
      simpl in Hceval. simpl.
      destruct (beval st b); apply (IHi1' i₂') in Hceval;
        assumption.

    + (* WHILE *)
      simpl in Hceval. simpl.
      destruct (beval st b); try assumption.
      destruct (ceval_step st c i₁') eqn: Heqst1'o.
      × (* st₁'o = Some *)
        apply (IHi1' i₂') in Heqst1'o; try assumption.
        rewrite → Heqst1'o. simpl. simpl in Hceval.
        apply (IHi1' i₂') in Hceval; try assumption.
      × (* i₁'o = None *)
        simpl in Hceval. discriminate Hceval. Qed.

Theorem ceval__ceval_step: ∀ c st st',
      st =[ c ]=> st' →
      ∃ i, ceval_step st c i = Some st'.
Proof.
  intros c st st' Hce.
  induction Hce.
  (* FILL IN HERE *) Admitted.

Theorem ceval_and_ceval_step_coincide: ∀ c st st',
      st =[ c ]=> st'
  ↔ ∃ i, ceval_step st c i = Some st'.
Proof.
  intros c st st'.
  split. apply ceval__ceval_step. apply ceval_step__ceval.
Qed.

Determinism of Evaluation Again

Using the fact that the relational and step-indexed definition of evaluation are the same, we can give a slicker proof that the evaluation relation is deterministic.

Theorem ceval_deterministic' : ∀ c st st₁ st₂,
     st =[ c ]=> st₁ →
     st =[ c ]=> st₂ →
     st₁ = st₂.