In this chapter, we begin a new direction that we'll continue for the rest of the course: up to now we've been mostly studying Coq itself, but from now on we'll mostly be using Coq to formalize other things. Our first case study is a simple imperative programming language called Imp. Here is a familiar mathematical function written in Imp. This chapter looks at how to define the syntax and semantics of Imp; the chapters that follow develop a theory of program equivalence and introduce Hoare Logic, the best known logic for reasoning about imperative programs.

Sflib

A minor technical point: Instead of asking Coq to import our earlier definitions from Logic.v, we import a small library called Sflib.v, containing just a few definitions and theorems from earlier chapters that we'll actually use in the rest of the course. You won't notice much difference, since most of what's missing from Sflib has identical definitions in the Coq standard library. The main reason for doing this is to tidy the global Coq environment so that, for example, it is easier to search for relevant theorems.

Arithmetic and Boolean Expressions

We'll present Imp in three parts: first a core language of arithmetic and boolean expressions, then an extension of these expressions with variables, and finally a language of commands including assignment, conditions, sequencing, and loops.

Syntax

These two definitions specify the abstract syntax of arithmetic and boolean expressions.

In this chapter, we'll elide the translation from the concrete syntax that a programmer would actually write to these abstract syntax trees — the process that, for example, would translate the string "1+2*3" to the AST APlus (ANum 1) (AMult (ANum 2) (ANum 3)). The file ImpParser.v develops a simple implementation of a lexical analyzer and parser that can perform this translation. You do not need to understand that file to understand this one, but if you haven't taken a course where these techniques are covered (e.g., a compilers course) you may want to skim it. For comparison, here's a conventional BNF (Backus-Naur Form) grammar defining the same abstract syntax: Compared to the Coq version above...

• The BNF is more informal — for example, it gives some suggestions about the surface syntax of expressions (like the fact that the addition operation is written + and is an infix symbol) while leaving other aspects of lexical analysis and parsing (like the relative precedence of +, -, and *) unspecified. Some additional information — and human intelligence — would be required to turn this description into a formal definition (when implementing a compiler, for example).
  The Coq version consistently omits all this information and concentrates on the abstract syntax only.
• On the other hand, the BNF version is lighter and arguably easier to read. Its informality makes it flexible, which is a huge advantage in situations like discussions at the blackboard, where conveying general ideas is more important than getting every detail nailed down precisely.
  Indeed, there are dozens of BNF-like notations and people switch freely among them, usually without bothering to which form of BNF they're using because there is no need to: a rough-and-ready informal understanding is all that's needed.

It's good to be comfortable with both sorts of notations: informal ones for communicating between humans and formal ones for carrying out implementations and proofs.

Evaluation

Evaluating an arithmetic expression reduces it to a single number.

Similarly, evaluating a boolean expression yields a boolean.

Optimization

We haven't defined very much yet, but we can already get some mileage out of the definitions. Suppose we define a function that takes an arithmetic expression and slightly simplifies it, changing every occurrence of 0+e (i.e., (APlus (ANum 0) e) into just e.

To make sure our optimization is doing the right thing we can test it on some examples and see if the output looks OK.

But if we want to be sure the optimization is correct — i.e., that evaluating an optimized expression gives the same result as the original — we should prove it.

Coq Automation

The repetition in this last proof is starting to be a little annoying. It's still just about bearable, but if either the language of arithmetic expressions or the optimization being proved sound were significantly more complex, it would begin to be a real problem. So far, we've been doing all our proofs using just a small handful of Coq's tactics and completely ignoring its very powerful facilities for constructing proofs automatically. This section introduces some of these facilities, and we will see more over the next several chapters. Getting used to them will take some energy — Coq's automation is a power tool — but it will allow us to scale up our efforts to more complex definitions and more interesting properties without becoming overwhelmed by boring, repetitive, or low-level details.

Tacticals

Tactical is Coq's term for tactics that take other tactics as arguments — "higher-order tactics," if you will.

The try Tactical

One very simple tactical is try: If T is a tactic, then try T is a tactic that is just like T except that, if T fails, try T does nothing at all (instead of failing).

The ; Tactical

Another very basic tactical is written ;. If T, T1, ..., Tn are tactics, then is a tactic that first performs T and then performs T1 on the first subgoal generated by T, performs T2 on the second subgoal, etc. In the special case where all of the Ti's are the same tactic T', we can just write T;T' instead of: That is, if T and T' are tactics, then T;T' is a tactic that first performs T and then performs T' on each subgoal generated by T. This is the form of ; that is used most often in practice. For example, consider the following trivial lemma:

We can simplify the proof above using the ; tactical.

Using try and ; together, we can get rid of the repetition in the proof that was bothering us a little while ago.

In practice, Coq experts often use try with a tactic like induction to take care of many similar "straightforward" cases all at once. Naturally, this practice has an analog in informal proofs. Here is an informal proof of this theorem that matches the structure of the formal one: Theorem: For all arithmetic expressions e, Proof: By induction on e. The AMinus and AMult cases follow directly from the IH. The remaining cases are as follows:

• Suppose e = ANum n for some n. We must show
    aeval (optimize_0plus (ANum n)) = aeval (ANum n).
  This is immediate from the definition of optimize_0plus.
• Suppose e = APlus e1 e2 for some e1 and e2. We must show
    aeval (optimize_0plus (APlus e1 e2)) 
  = aeval (APlus e1 e2).
  Consider the possible forms of e1. For most of them, optimize_0plus simply calls itself recursively for the subexpressions and rebuilds a new expression of the same form as e1; in these cases, the result follows directly from the IH.
  The interesting case is when e1 = ANum n for some n. If n = ANum 0, then
    optimize_0plus (APlus e1 e2) = optimize_0plus e2
  and the IH for e2 is exactly what we need. On the other hand, if n = S n' for some n', then again optimize_0plus simply calls itself recursively, and the result follows from the IH. ☐

This proof can still be improved: the first case (for e = ANum n) is very trivial — even more trivial than the cases that we said simply followed from the IH — yet we have chosen to write it out in full. It would be better and clearer to drop it and just say, at the top, "Most cases are either immediate or direct from the IH. The only interesting case is the one for APlus..." We can make the same improvement in our formal proof too. Here's how it looks:

Defining New Tactic Notations

Coq also provides several ways of "programming" tactic scripts.

• The Tactic Notation command gives a handy way to define "shorthand tactics" that, when invoked, apply several tactics at the same time.
• For more sophisticated programming, Coq offers a small built-in programming language called Ltac with primitives that can examine and modify the proof state. The details are a bit too complicated to get into here (and it is generally agreed that Ltac is not the most beautiful part of Coq's design!), but they can be found in the reference manual, and there are many examples of Ltac definitions in the Coq standard library that you can use as examples.
• There is also an OCaml API that can be used to build new tactics that access Coq's internal structures at a lower level, but this is seldom worth the trouble for ordinary Coq users.

The Tactic Notation mechanism is the easiest to come to grips with, and it offers plenty of power for many purposes. Here's an example.

This defines a new tactical called simpl_and_try which takes one tactic c as an argument, and is defined to be equivalent to the tactic simpl; try c. For example, writing "simpl_and_try reflexivity." in a proof would be the same as writing "simpl; try reflexivity." The next subsection gives a more sophisticated use of this feature...

Bulletproofing Case Analyses

Being able to deal with most of the cases of an induction or destruct all at the same time is very convenient, but it can also be a little confusing. One problem that often comes up is that maintaining proofs written in this style can be difficult. For example, suppose that, later, we extended the definition of aexp with another constructor that also required a special argument. The above proof might break because Coq generated the subgoals for this constructor before the one for APlus, so that, at the point when we start working on the APlus case, Coq is actually expecting the argument for a completely different constructor. What we'd like is to get a sensible error message saying "I was expecting the AFoo case at this point, but the proof script is talking about APlus." Here's a nice little trick that smoothly achieves this.

(Case_aux implements the common functionality of Case, SCase, SSCase, etc. For example, Case "foo" is defined as Case_aux Case "foo".) For example, if e is a variable of type aexp, then doing will perform an induction on e (the same as if we had just typed induction e) and also add a Case tag to each subgoal generated by the induction, labeling which constructor it comes from. For example, here is yet another proof of optimize_0plus_sound, using aexp_cases:

Exercise: 3 stars (optimize_0plus_b)

Since the optimize_0plus tranformation doesn't change the value of aexps, we should be able to apply it to all the aexps that appear in a bexp without changing the bexp's value. Write a function which performs that transformation on bexps, and prove it is sound. Use the tacticals we've just seen to make the proof as elegant as possible.

☐

Exercise: 4 stars, optional (optimizer)

Design exercise: The optimization implemented by our optimize_0plus function is only one of many imaginable optimizations on arithmetic and boolean expressions. Write a more sophisticated optimizer and prove it correct. (* FILL IN HERE *)
☐

The omega Tactic

The omega tactic implements a decision procedure for a subset of first-order logic called Presburger arithmetic. It is based on the Omega algorithm invented in 1992 by William Pugh. If the goal is a universally quantified formula made out of

• numeric constants, addition (+ and S), subtraction (- and pred), and multiplication by constants (this is what makes it Presburger arithmetic),
• equality (= and <>) and inequality (<=), and
• the logical connectives ∧, ∨, ~, and →,

then invoking omega will either solve the goal or tell you that it is actually false.

Andrew Appel calls this the "Santa Claus tactic."

A Few More Handy Tactics

Finally, here are some miscellaneous tactics that you may find convenient.

• clear H: Delete hypothesis H from the context.
• subst x: Find an assumption x = e or e = x in the context, replace x with e throughout the context and current goal, and clear the assumption.
• subst: Substitute away all assumptions of the form x = e or e = x.
• rename... into...: Change the name of a hypothesis in the proof context. For example, if the ontext includes a variable named x, then rename x into y will change all occurrences of x to y.
• assumption: Try to find a hypothesis H in the context that exactly matches the goal; if one is found, behave just like apply H.
• contradiction: Try to find a hypothesis H in the current context that is equivalent to False. If one is found, solve the goal.
• constructor: Try to find a constructor c (from some Inductive definition in the current environment) that can be applied to solve the current goal. If one is found, behave like apply c.

We'll see many examples of these in the proofs below.

Evaluation as a Relation

We have presented aeval and beval as functions defined by Fixpoints. An alternative way to think about evaluation is as a relation between expressions and their values. This leads naturally to Coq Inductive definitions like the following one for arithmetic expressions...

As is often the case with relations, we'll find it convenient to define infix notation for aevalR. We'll write e ⇓ n to mean that arithmetic expression e evaluates to value n. (This notation is one place where the limitation to ascii symbols becomes a little bothersome. The standard notation for the evaluation relation is a double down-arrow. We'll typeset it like this in the HTML version of the notes and use a double vertical bar as the closest approximation in ascii .v files.)

In fact, Coq provides a way to use this notation in the definition of aevalR itself. This avoids situations where we're working on a proof involving statements in the form e ⇓ n but we have to refer back to a definition written using the form aevalR e n. We do this by first "reserving" the notation, then giving the definition together with a declaration of what the notation means.

It is straightforward to prove that the relational and functional definitions of evaluation agree on all possible arithmetic expressions...

A shorter proof making more aggressive use of tacticals:

Exercise: 2 stars, optional (bevalR)

Write a relation bevalR in the same style as aevalR, and prove that it is equivalent to beval.

For the definitions of evaluation for arithmetic and boolean expressions, the choice of whether to use functional or relational definitions is mainly a matter of taste. In general, Coq has somewhat better support for working with relations; in particular, we can more readily do induction over them. On the other hand, in some sense function definitions carry more information, because functions are necessarily deterministic and defined on all arguments; for a relation we have to show these properties explicitly if we need them. However, there are circumstances where relational definitions of evaluation are greatly preferable to functional ones, as we'll see shortly.

Inference Rule Notation

In informal discussions, it is convenient write the rules for aevalR and similar relations in a more readable "graphical" form called inference rules, where the premises above the line allow you to derive the conclusion below the line. For example, the constructor E_APlus... ...would be written like this as an inference rule:

e1 ⇓ n1
e2 ⇓ n2	(E_APlus)
APlus e1 e2 ⇓ n1+n2

Formally, there is nothing very deep about inference rules: they are just implications. You can read the rule name on the right as the name of the constructor and read each of the linebreaks between the premises above the line and the line itself as →. All the variables mentioned in the rule (e1, n1, etc.) are implicitly bound by universal quantifiers at the beginning. The whole collection of rules is understood as being wrapped in an Inductive declaration (this is either left completely implicit or else indicated informally by saying something like "Let aevalR be the smallest relation closed under the following rules..."). For example, ⇓ is the smallest relation closed under these rules:

	(E_ANum)
ANum n ⇓ n

e1 ⇓ n1
e2 ⇓ n2	(E_APlus)
APlus e1 e2 ⇓ n1+n2

e1 ⇓ n1
e2 ⇓ n2	(E_AMinus)
AMinus e1 e2 ⇓ n1-n2

e1 ⇓ n1
e2 ⇓ n2	(E_AMult)
AMult e1 e2 ⇓ n1*n2

Expressions With Variables

Now let's turn our attention back to defining Imp. The next thing we need to do is to enrich our arithmetic and boolean expressions with variables. To keep things simple, we'll assume that all variables are global and that they only hold numbers.

Identifiers

To begin, we'll need to formalize identifiers, such as program variables. We could use strings for this, or (in a real compiler) some kind of fancier structures like pointers into a symbol table. But for simplicity let's just use natural numbers as identifiers. (We hide this section in a module because these definitions are actually in SfLib.v, but we want to repeat them here so that we can explain them.)

We define a new inductive datatype Id so that we won't confuse identifiers and numbers.

Now, having "wrapped" numbers as identifiers in this way, it is convenient to recapitulate a few properties of numbers as analogous properties of identifiers, so that we can work with identifiers in definitions and proofs abstractly, without unwrapping them to expose the underlying numbers. Since all we need to know about identifiers is whether they are the same or different, just a few basic facts are all we need.

Exercise: 1 star, optional (beq_id_eq)

For this and the following exercises, do not use induction, but rather apply similar results already proved for natural numbers. Some of the tactics mentioned above may prove useful.

☐

Exercise: 1 star, optional (beq_id_false_not_eq)

☐

Exercise: 1 star, optional (not_eq_beq_id_false)

☐

Exercise: 1 star, optional (beq_id_sym)

☐

States

A state represents the current values of all the variables at some point in the execution of a program. For simplicity (to avoid dealing with partial functions), we let the state be defined for all variables, even though any given program is only going tomention a finite number of them.

We'll need a few simple properties of update.

Exercise: 2 stars, optional (update_eq)

☐

Exercise: 2 stars, optional (update_neq)

☐

Exercise: 2 stars, optional (update_example)

Before starting to play with tactics, make sure you understand exactly what the theorem is saying!

☐

Exercise: 2 stars (update_shadow)

☐

Exercise: 2 stars, optional (update_same)

☐

Exercise: 2 stars, optional (update_permute)

☐

Syntax

We can add variables to the arithmetic expressions we had before by simply adding one more constructor:

Shorthands for variables:

(This convention for naming program variables (X, Y, Z) clashes a bit with our earlier use of uppercase letters for types. Since we're not using polymorphism heavily in this part of the course, this overloading should not cause confusion.) The definition of bexps is the same as before (using the new aexps):

Evaluation

The arith and boolean evaluators are extended to handle variables in the obvious way:

Commands

Now we are ready define the syntax and behavior of Imp commands (or statements).

Syntax

Informally, commands are described by the following BNF grammar: For example, here's the factorial function in Imp. When this command terminates, the variable Y will contain the factorial of the variable X. Here is the formal definition of the syntax of commands:

As usual, we can use a few Notation declarations to make things more readable. However, we need to be a bit careful to avoid conflicts with Coq's built-in notations, so we'll keep this light — in particular, we won't introduce any notations for aexps and bexps to avoid confusion with the numerical and boolean operators we've already defined. (We use the keyword IFB for conditionals instead of the usual IF for similar reasons.)

For example, here is the factorial function again, written as a formal definition to Coq:

Examples

Here are some more examples... Assignment:

Loops:

An infinite loop:

Factorial again (broken up into smaller pieces this time, for convenience when we come back to proving things about it later).

Evaluation

Next we need to define what it means to evaluate an Imp command. WHILE loops actually make this a bit tricky...

Evaluation Function

Here's a first try at an evaluation function for commands, omitting WHILE.

Second try, using an extra numeric argument as a "step index" to ensure that evaluation always terminates.

Note: It is tempting to think that the index i here is counting the "number of steps of evaluation." But if you look closely you'll see that this is not the case: for example, in the rule for sequencing, the same i is passed to both recursive calls. Understanding the exact way that i is treated will be important in the proof of ceval__ceval_step, which is given as an exercise below. Third try, returning an option state instead of just a state so that we can distinguish between normal and abnormal termination.

We can improve the readability of this definition by introducing a bit of auxiliary notation to hide the "plumbing" involved in repeatedly matching against optional states.

Exercise: 2 stars, recommended (pup_to_n)

Write an Imp program that sums the numbers from 1 to X (inclusive: 1 + 2 + ... + X) in the variable Y. Make sure your solution satisfies the test that follows.

☐

Exercise: 2 stars, optional (peven)

Write a While program that sets Z to 0 if X is even and sets Z to 1 otherwise. Use ceval_test to test your program.

☐

Evaluation as a Relation

Here's a better way: define ceval as a relation rather than a function — i.e., define it in Prop instead of Type, as we did for aevalR and bevalR above. This is an important change. Besides freeing us from the silliness of passing around step indices all over the place, it gives us a lot more flexibility in the definition. For example, if we added concurrency features to the language, we'd want the definition of evaluation to be non-deterministic — i.e., not only would it not be total, it would not even be a partial function! We'll use the notation c / st ⇓ st' for our ceval relation, that is c / st ⇓ st' means that executing program c in a starting state st results in an ending state st'. This can be pronounced "c takes state st to st'".

	(E_Skip)
SKIP / st ⇓ st

aeval st a1 = n	(E_Ass)
l := a1 / st ⇓ (update st l n)

c1 / st ⇓ st'
c2 / st' ⇓ st''	(E_Seq)
c1;c2 / st ⇓ st''

beval st b1 = true
c1 / st ⇓ st'	(E_IfTrue)
IF b1 THEN c1 ELSE c2 FI / st ⇓ st'

beval st b1 = false
c2 / st ⇓ st'	(E_IfFalse)
IF b1 THEN c1 ELSE c2 FI / st ⇓ st'

beval st b1 = false	(E_WhileEnd)
WHILE b1 DO c1 END / st ⇓ st

beval st b1 = true
c1 / st ⇓ st'
WHILE b1 DO c1 END / st' ⇓ st''	(E_WhileLoop)
WHILE b1 DO c1 END / st ⇓ st''

Here is the formal definition. (Make sure you understand how it corresponds to the inference rules.)

The cost of defining evaluation as a relation instead of a function is that we now need to construct proofs that some program evaluates to some result state, rather than just letting Coq's computation mechanism do it for us.

Exercise: 2 stars (ceval_example2)

☐

Equivalence of Relational and Step-Indexed Evaluation

As with arithmetic and boolean expressions, we'd hope that the two alternative definitions of evaluation actually boil down to the same thing. This section shows that this is the case. Make sure you understand the statements of the theorems and can follow the structure of the proofs.

Exercise: 4 stars (ceval_step__ceval_inf)

Write an informal proof of ceval_step__ceval, following the usual template. (The template for case analysis on an inductively defined value should look the same as for induction, except that there is no induction hypothesis.) Make your proof communicate the main ideas to a human reader; do not simply transcribe the steps of the formal proof. (* FILL IN HERE *)
☐

Exercise: 3 stars, recommended (ceval__ceval_step)

Finish the following proof. You'll need ceval_step_more in a few places, as well as some basic facts about <= and plus.

☐

Determinacy of Evaluation

Changing from a computational to a relational definition of evaluation is a good move because it allows us to escape from the artificial requirement (imposed by Coq's restrictions on Fixpoint definitions) that evaluation should be a total function. But it also raises a question: Is the second definition of evaluation actually a partial function? That is, is it possible that, beginning from the same state st, we could evaluate some command c in different ways to reach two different output states st' and st''? In fact, this cannot happen: the evaluation relation ceval is a partial function. Here's the proof:

Here's a slicker proof, using the fact that the relational and step-indexed definition of evaluation are the same.

Reasoning About Programs

We'll get much deeper into systematic techniques for reasoning about programs in Imp in the following chapters, but we can do quite a bit just working with the bare definitions. This section explores some examples.

Basic Examples

Exercise: 3 stars, recommended (XtimesYinZ_spec)

State and prove a specification of the XtimesYinZ Imp program.

☐

Exercise: 3 stars, recommended (loop_never_stops)

☐

Exercise: 2 stars, optional (no_whilesR)

The no_whiles property yields true on just those programs that have no while loops. Using Inductive, write a property no_whilesR such that no_whilesR c is provable exactly when c is a program with no while loops. Then prove its equivalence with no_whiles.

☐

Exercise: 4 stars, optional (no_whiles_terminating)

Imp programs that don't involve while loops always terminate. State and prove a theorem that says this. (Use either no_whiles or no_whilesR, as you prefer.)

☐

Proving a Program Correct (Optional)

Recall the factorial program:

Here is an alternative "mathematical" definition of the factorial function:

We would like to show that they agree — if we start fact_com in a state where variable X contains some number x, then it will terminate in a state where variable Y contains the factorial of x. To show this, we rely on the critical idea of a loop invariant.

Patching it all together...

One might wonder whether all this work with poking at states and unfolding definitions could be ameliorated with some more powerful lemmas and/or more uniform reasoning principles... Indeed, this is exactly the topic of the next chapter (Hoare.v)!

Exercise: 4 stars, optional (subtract_slowly_spec)

Prove a specification for subtract_slowly, using the above specification of fact_com and the invariant below as guides.

☐

Additional Exercises

Exercise: 4 stars, optional (add_for_loop)

Add C-style for loops to the language of commands, update the ceval definition to define the semantics of for loops, and add cases for for loops as needed so that all the proofs in this file are accepted by Coq. A for loop should be parameterized by (a) a statement executed initially, (b) a test that is run on each iteration of the loop to determine whether the loop should continue, (c) a statement executed at the end of each loop iteration, and (d) a statement that makes up the body of the loop. (You don't need to worry about making up a concrete Notation for for loops, but feel free to play with this too if you like.)

☐

Exercise: 3 stars, optional (short_circuit)

Most modern programming languages use a "short-circuit" evaluation rule for boolean and: to evaluate BAnd b1 b2, first evaluate b1. If it evaluates to false, then the entire BAnd expression evaluates to false immediately, without evaluating b2. Otherwise, b2 is evaluated to determine the result of the BAnd expression. Write an alternate version of beval that performs short-circuit evaluation of BAnd in this manner, and prove that it is equivalent to beval.

Exercise: 4 stars, recommended (stack_compiler)

HP Calculators, programming languages like Forth and Postscript, and abstract machines like the Java Virtual Machine all evaluate arithmetic expressions using a stack. For instance, the expression

   (2*3)+(3*(4-2))

would be entered as

   2 3 * 3 4 2 - * +

and evaluated like this:

  []            |    2 3 * 3 4 2 - * +
  [2]           |    3 * 3 4 2 - * +
  [3, 2]        |    * 3 4 2 - * +
  [6]           |    3 4 2 - * +
  [3, 6]        |    4 2 - * +
  [4, 3, 6]     |    2 - * +
  [2, 4, 3, 6]  |    - * +
  [2, 3, 6]     |    * +
  [6, 6]        |    +
  [12]          | 

The task of this exercise is to write a small compiler that translates aexps into stack machine instructions, and to prove its correctness. The instruction set for our stack language will consist of the following instructions:

• SPush n: Push the number n on the stack.
• SLoad X: Load the identifier X from the store and push it on the stack
• SPlus: Pop the two top numbers from the stack, add them, and push the result onto the stack.
• SMinus: Similar, but subtract.
• SMult: Similar, but multiply.

Write a function to evaluate programs in the stack language. It takes as input a state, a stack represented as a list of numbers (top stack item is the head of the list), and a program represented as a list of instructions, and returns the stack after executing the program. Test your function on the examples below. Note that the specification leaves unspecified what to do when encountering an SPlus, SMinus, or SMult instruction if the stack contains less than two elements. In a sense it is immaterial, since our compiler will never emit such a malformed program. However, when you do the correctness proof you may find some choices makes the proof easier than others.

Next, write a function which compiles an aexp into a stack machine program. The effect of running the program should be the same as pushing the value of the expression on the stack.

Finally, prove the following theorem, stating that the compile function behaves correctly. You will need to start by stating a more general lemma to get a usable induction hypothesis.

☐