In this chapter, we begin a new direction that will continue for the rest of the course. Up to now most of our attention has been focused on various aspects of Coq itself, while from now on we'll mostly be using Coq to formalize other things. (We'll continue to pause from time to time to introduce a few additional aspects of Coq.) Our first case study is a simple imperative programming language called Imp, embodying a tiny core fragment of conventional mainstream languages such as C and Java. Here is a familiar mathematical function written in Imp. This chapter looks at how to define the syntax and semantics of Imp; the chapters that follow develop a theory of program equivalence and introduce Hoare Logic, a widely used logic for reasoning about imperative programs.

Sflib

Note that we import earlier definitions from Sflib here, not Logic:

Arithmetic and Boolean Expressions

We'll present Imp in three parts: first a core language of arithmetic and boolean expressions, then an extension of these expressions with variables, and finally a language of commands including assignment, conditions, sequencing, and loops.

Syntax

Abstract syntax trees for arithmetic and boolean expressions:

For comparison, here's a conventional BNF (Backus-Naur Form) grammar defining the same abstract syntax:

Evaluation

Evaluating an arithmetic expression produces a number.

Similarly, evaluating a boolean expression yields a boolean.

Optimization

Coq Automation

That last proof was getting a little repetitive. Let's pause to learn a few more Coq tricks.

Tacticals

Tacticals is Coq's term for tactics that take other tactics as arguments — "higher-order tactics," if you will.

The repeat Tactical

The repeat tactical takes another tactic and keeps applying this tactic until the tactic fails. Here is an example showing that 100 is even using repeat.

The try Tactical

If T is a tactic, then try T is a tactic that is just like T except that, if T fails, try T successfully does nothing at all (instead of failing).

The ; Tactical (Simple Form)

In its most commonly used form, the ; tactical takes two tactics as argument: T;T' first performs the tactic T and then performs the tactic T' on each subgoal generated by T. For example:

We can simplify this proof using the ; tactical:

Using try and ; together, we can get rid of the repetition in the proof that was bothering us a little while ago.

This proof can be further improved by removing the trivial first case (for e = ANum n).

Defining New Tactic Notations

Coq also provides several ways of "programming" tactic scripts:

• Ltac: scripting language for tactics
• Tactic Notation: syntax extension for tactics
• OCaml tactic scripting API (only for wizards)

An example Tactic Notation:

Bulletproofing Case Analyses

(Case_aux implements the common functionality of Case, SCase, SSCase, etc. For example, Case "foo" is defined as Case_aux Case "foo".) For example, if a is a variable of type aexp, then doing will perform an induction on a (the same as if we had just typed induction a) and also add a Case tag to each subgoal generated by the induction, labeling which constructor it comes from. For example, here is yet another proof of optimize_0plus_sound, using aexp_cases:

The omega Tactic

The omega tactic implements a decision procedure for a subset of first-order logic called Presburger arithmetic. It is based on the Omega algorithm invented in 1992 by William Pugh. If the goal is a universally quantified formula made out of

• numeric constants, addition (+ and S), subtraction (- and pred), and multiplication by constants (this is what makes it Presburger arithmetic),
• equality (= and ≠) and inequality (≤), and
• the logical connectives ∧, ∨, ¬, and →,

then invoking omega will either solve the goal or tell you that it is actually false.

A Few More Handy Tactics

Finally, here are some miscellaneous tactics that you may find convenient.

• clear H: Delete hypothesis H from the context.
• subst x: Find an assumption x = e or e = x in the context, replace x with e throughout the context and current goal, and clear the assumption.
• subst: Substitute away all assumptions of the form x = e or e = x.
• rename... into...: Change the name of a hypothesis in the proof context. For example, if the context includes a variable named x, then rename x into y will change all occurrences of x to y.
• assumption: Try to find a hypothesis H in the context that exactly matches the goal; if one is found, behave just like apply H.
• contradiction: Try to find a hypothesis H in the current context that is logically equivalent to False. If one is found, solve the goal.
• constructor: Try to find a constructor c (from some Inductive definition in the current environment) that can be applied to solve the current goal. If one is found, behave like apply c.

Evaluation as a Relation

We have presented aeval and beval as functions defined by Fixpoints. Another way to think about evaluation — one that we will see is often more flexible — is as a relation between expressions and their values. This leads naturally to Inductive definitions like the following one for arithmetic expressions...

A standard notation for "evaluates to":

If we "reserve" the notation in advance, we can also use it in the definition:

Inference Rule Notation

For example, the constructor E_APlus... ...would be written like this as an inference rule:

e1 ⇓ n1
e2 ⇓ n2	(E_APlus)
APlus e1 e2 ⇓ n1+n2

There is nothing very deep going on here:

• rule name corresponds to a constructor name
• above the line are premises
• below the line is conclusion
• metavariables like e1 and n1 are implicitly universally quantified
• the whole collection of rules is implicitly wrapped in an Inductive (sometimes we write this slightly more explicitly, as "...closed under these rules...")

For example, ⇓ is the smallest relation closed under these rules:

	(E_ANum)
ANum n ⇓ n

e1 ⇓ n1
e2 ⇓ n2	(E_APlus)
APlus e1 e2 ⇓ n1+n2

e1 ⇓ n1
e2 ⇓ n2	(E_AMinus)
AMinus e1 e2 ⇓ n1-n2

e1 ⇓ n1
e2 ⇓ n2	(E_AMult)
AMult e1 e2 ⇓ n1*n2

Equivalence of the Definitions

It is straightforward to prove that the relational and functional definitions of evaluation agree on all possible arithmetic expressions...

We can make the proof quite a bit shorter by making more use of tacticals...

Computational vs. Relational Definitions

For the definitions of evaluation for arithmetic and boolean expressions, the choice of whether to use functional or relational definitions is mainly a matter of taste. In general, Coq has somewhat better support for working with relations. On the other hand, in some sense function definitions carry more information, because functions are necessarily deterministic and defined on all arguments; for a relation we have to show these properties explicitly if we need them. Functions also take advantage of Coq's computations mechanism. However, there are circumstances where relational definitions of evaluation are preferable to functional ones.

For example, suppose that we wanted to extend the arithmetic operations by considering also a division operation:

Extending the definition of aeval to handle this new operation would not be straightforward (what should we return as the result of ADiv (ANum 5) (ANum 0)?). But extending aevalR is straightforward.

Suppose, instead, that we want to extend the arithmetic operations by a nondeterministic number generator any:

Again, extending aeval would be tricky (because evaluation is not a deterministic function from expressions to numbers), but extending aevalR is no problem:

Expressions With Variables

Let's turn our attention back to defining Imp. The next thing we need to do is to enrich our arithmetic and boolean expressions with variables. To keep things simple, we'll assume that all variables are global and that they only hold numbers.

Identifiers

To begin, we'll need to formalize identifiers such as program variables. We could use strings for this — or, in a real compiler, fancier structures like pointers into a symbol table. But for simplicity let's just use natural numbers as identifiers.

We define a new inductive datatype Id so that we won't confuse identifiers and numbers. We use sumbool to define a computable equality operator on Id.

The following lemmas will be useful for rewriting terms involving eq_id_dec.

Exercise: 1 star, optional (neq_id)

☐

States

A state represents the current values of all the variables at some point in the execution of a program.

For proofs involving states, we'll need several simple properties of update.

Exercise: 1 star (update_eq)

☐

Exercise: 1 star (update_neq)

☐

Exercise: 1 star (update_shadow)

☐

Exercise: 2 stars (update_same)

☐

Exercise: 3 stars (update_permute)

☐

Syntax

We can add variables to the arithmetic expressions we had before by simply adding one more constructor:

Defining a few variable names as notational shorthands will make examples easier to read:

The definition of bexps is the same as before (using the new aexps):

Evaluation

Add an st parameter to both evaluation functions.

Commands

Now we are ready define the syntax and behavior of Imp commands (often called statements).

Syntax

Informally, commands c are described by the following BNF grammar: For example, here's the factorial function in Imp. When this command terminates, the variable Y will contain the factorial of the initial value of X.

As usual, we can use a few Notation declarations to make things more readable. We need to be a bit careful to avoid conflicts with Coq's built-in notations, so we'll keep this light — in particular, we won't introduce any notations for aexps and bexps to avoid confusion with the numerical and boolean operators we've already defined. We use the keyword IFB for conditionals instead of IF, for similar reasons.

For example, here is the factorial function again, written as a formal definition to Coq:

Examples

Assignment:

Loops:

An infinite loop:

Evaluation

Next we need to define what it means to evaluate an Imp command. The fact that WHILE loops don't necessarily terminate makes defining an evaluation function tricky...

Evaluation as a Function (Failed Attempt)

Here's an attempt at defining an evaluation function for commands, omitting the WHILE case.

In a traditional functional programming language like ML or Haskell we could write the WHILE case as follows:

  Fixpoint ceval_fun (st : state) (c : com) : state :=
    match c with
      ...
      | WHILE b DO c END =>
          if (beval st b1)
            then ceval_fun st (c1; WHILE b DO c END)
            else st
    end.

Coq doesn't accept such a definition ("Error: Cannot guess decreasing argument of fix") because the function we want to define is not guaranteed to terminate. Indeed, it doesn't always terminate: for example, the full version of the ceval_fun function applied to the loop program above would never terminate. Since Coq is not just a functional programming language, but also a consistent logic, any potentially non-terminating function needs to be rejected. Here is an (invalid!) Coq program showing what would go wrong if Coq allowed non-terminating recursive functions:

     Fixpoint loop_false (n : nat) : False := loop_false n.

That is, propositions like False would become provable (e.g. loop_false 0 would be a proof of False), which would be a disaster for Coq's logical consistency. Thus, because it doesn't terminate on all inputs, the full version of ceval_fun cannot be written in Coq — at least not without additional tricks (see chapter ImpCEvalFun if curious).

Evaluation as a Relation

Here's a better way: we define ceval as a relation rather than a function — i.e., we define it in Prop instead of Type, as we did for aevalR above. This is an important change. Besides freeing us from the awkward workarounds that would be needed to define evaluation as a function, it gives us a lot more flexibility in the definition. For example, if we added concurrency features to the language, we'd want the definition of evaluation to be non-deterministic — i.e., not only would it not be total, it would not even be a partial function! We'll use the notation c / st ⇓ st' for our ceval relation: c / st ⇓ st' means that executing program c in a starting state st results in an ending state st'. This can be pronounced "c takes state st to st'".

	(E_Skip)
SKIP / st ⇓ st

aeval st a1 = n	(E_Ass)
x := a1 / st ⇓ (update st x n)

c1 / st ⇓ st'
c2 / st' ⇓ st''	(E_Seq)
c1;;c2 / st ⇓ st''

beval st b1 = true
c1 / st ⇓ st'	(E_IfTrue)
IF b1 THEN c1 ELSE c2 FI / st ⇓ st'

beval st b1 = false
c2 / st ⇓ st'	(E_IfFalse)
IF b1 THEN c1 ELSE c2 FI / st ⇓ st'

beval st b1 = false	(E_WhileEnd)
WHILE b DO c END / st ⇓ st

beval st b1 = true
c / st ⇓ st'
WHILE b DO c END / st' ⇓ st''	(E_WhileLoop)
WHILE b DO c END / st ⇓ st''

The cost of defining evaluation as a relation instead of a function is that we now need to construct proofs that some program evaluates to some result state, rather than just letting Coq's computation mechanism do it for us.

Determinism of Evaluation

Reasoning About Imp Programs

We'll get much deeper into systematic techniques for reasoning about Imp programs in the following chapters, but we can do quite a bit just working with the bare definitions.

Additional Exercises

Exercise: 3 stars (stack_compiler)

HP Calculators, programming languages like Forth and Postscript, and abstract machines like the Java Virtual Machine all evaluate arithmetic expressions using a stack. For instance, the expression

   (2*3)+(3*(4-2))

would be entered as

   2 3 * 3 4 2 - * +

and evaluated like this:

  []            |    2 3 * 3 4 2 - * +
  [2]           |    3 * 3 4 2 - * +
  [3, 2]        |    * 3 4 2 - * +
  [6]           |    3 4 2 - * +
  [3, 6]        |    4 2 - * +
  [4, 3, 6]     |    2 - * +
  [2, 4, 3, 6]  |    - * +
  [2, 3, 6]     |    * +
  [6, 6]        |    +
  [12]          |

The task of this exercise is to write a small compiler that translates aexps into stack machine instructions. The instruction set for our stack language will consist of the following instructions:

• SPush n: Push the number n on the stack.
• SLoad x: Load the identifier x from the store and push it on the stack
• SPlus: Pop the two top numbers from the stack, add them, and push the result onto the stack.
• SMinus: Similar, but subtract.
• SMult: Similar, but multiply.

Write a function to evaluate programs in the stack language. It takes as input a state, a stack represented as a list of numbers (top stack item is the head of the list), and a program represented as a list of instructions, and returns the stack after executing the program. Test your function on the examples below. Note that the specification leaves unspecified what to do when encountering an SPlus, SMinus, or SMult instruction if the stack contains less than two elements. In a sense, it is immaterial what we do, since our compiler will never emit such a malformed program.

Next, write a function which compiles an aexp into a stack machine program. The effect of running the program should be the same as pushing the value of the expression on the stack.

After you've defined s_compile, uncomment the following to test that it works.

☐

Exercise: 3 stars, advanced (stack_compiler_correct)

The task of this exercise is to prove the correctness of the calculator implemented in the previous exercise. Remember that the specification left unspecified what to do when encountering an SPlus, SMinus, or SMult instruction if the stack contains less than two elements. (In order to make your correctness proof easier you may find it useful to go back and change your implementation!) Prove the following theorem, stating that the compile function behaves correctly. You will need to start by stating a more general lemma to get a usable induction hypothesis; the main theorem will then be a simple corollary of this lemma.

☐