annotate src/OpSem.v @ 330:49c6aa7d2148

Another Match exercise
author Adam Chlipala <adam@chlipala.net>
date Tue, 27 Sep 2011 18:20:23 -0400
parents d5787b70cf48
children
rev   line source
adam@292 1 (* Copyright (c) 2009-2010, Adam Chlipala
adamc@190 2 *
adamc@190 3 * This work is licensed under a
adamc@190 4 * Creative Commons Attribution-Noncommercial-No Derivative Works 3.0
adamc@190 5 * Unported License.
adamc@190 6 * The license text is available at:
adamc@190 7 * http://creativecommons.org/licenses/by-nc-nd/3.0/
adamc@190 8 *)
adamc@190 9
adamc@262 10 (* begin hide *)
adamc@262 11 Require Import Arith List.
adamc@190 12
adam@314 13 Require Import CpdtTactics.
adamc@190 14
adamc@262 15 Set Implicit Arguments.
adamc@262 16 (* end hide *)
adamc@190 17
adamc@262 18
adamc@262 19 (** %\chapter{Higher-Order Operational Semantics}% *)
adamc@262 20
adamc@263 21 (** The last few chapters have shown how PHOAS can make it relatively painless to reason about program transformations. Each of our example languages so far has had a semantics that is easy to implement with an interpreter in Gallina. Since Gallina is designed to rule out non-termination, we cannot hope to give interpreter-based semantics to Turing-complete programming languages. Falling back on standard operational semantics leaves us with the old bureaucratic concerns about capture-avoiding substitution. Can we encode Turing-complete, higher-order languages in Coq without sacrificing the advantages of higher-order encoding?
adamc@263 22
adam@292 23 Any approach that applies to basic untyped lambda calculus is likely to extend to most object languages of interest. We can attempt the %``%#"#obvious#"#%''% way of equipping a PHOAS definition for use in an operational semantics, without mentioning substitution explicitly. Specifically, we try to work with expressions with [var] instantiated with a type of values. *)
adamc@263 24
adamc@263 25 Section exp.
adamc@263 26 Variable var : Type.
adamc@263 27
adamc@263 28 Inductive exp : Type :=
adamc@263 29 | Var : var -> exp
adamc@263 30 | App : exp -> exp -> exp
adamc@263 31 | Abs : (var -> exp) -> exp.
adamc@263 32 End exp.
adamc@263 33
adamc@263 34 (** [[
adamc@263 35 Inductive val : Type :=
adamc@263 36 | VAbs : (val -> exp val) -> val.
adamc@263 37
adamc@263 38 Error: Non strictly positive occurrence of "val" in
adamc@263 39 "(val -> exp val) -> val".
adamc@263 40
adamc@263 41 ]]
adamc@263 42
adamc@263 43 We would like to represent values (which are all function abstractions) as functions from variables to expressions, where we represent variables as the same value type that we are defining. That way, a value can be substituted in a function body simply by applying the body to the value. Unfortunately, the positivity restriction rejects this definition, for much the same reason that we could not use the classical HOAS encoding.
adamc@263 44
adamc@263 45 We can try an alternate approach based on defining [val] like a usual class of syntax. *)
adamc@263 46
adamc@263 47 Section val.
adamc@263 48 Variable var : Type.
adamc@263 49
adamc@263 50 Inductive val : Type :=
adamc@263 51 | VAbs : (var -> exp var) -> val.
adamc@263 52 End val.
adamc@263 53
adamc@263 54 (** Now the puzzle is how to write the type of an expression whose variables are represented as values. We would like to be able to write a recursive definition like this one:
adamc@263 55
adamc@263 56 [[
adamc@263 57 Fixpoint expV := exp (val expV).
adamc@263 58
adamc@263 59 ]]
adamc@263 60
adam@292 61 Of course, this kind of definition is not structurally recursive, so Coq will not allow it. Getting %``%#"#substitution for free#"#%''% seems to require some similar kind of self-reference.
adamc@263 62
adamc@263 63 In this chapter, we will consider an alternate take on the problem. We add a level of indirection, introducing more explicit syntax to break the cycle in type definitions. Specifically, we represent function values as numbers that index into a %\emph{%#<i>#closure heap#</i>#%}% that our operational semantics maintains alongside the expression being evaluated. *)
adamc@263 64
adamc@263 65
adamc@262 66 (** * Closure Heaps *)
adamc@262 67
adamc@263 68 (** The essence of the technique is to store function bodies in lists that are extended monotonically as function abstractions are evaluated. We can define a set of functions and theorems that implement the core functionality generically. *)
adamc@263 69
adamc@262 70 Section lookup.
adamc@262 71 Variable A : Type.
adamc@262 72
adamc@263 73 (** We start with a [lookup] function that generalizes last chapter's function of the same name. It selects the element at a particular position in a list, where we number the elements starting from the end of the list, so that prepending new elements does not change the indices of old elements. *)
adamc@263 74
adamc@262 75 Fixpoint lookup (ls : list A) (n : nat) : option A :=
adamc@262 76 match ls with
adamc@262 77 | nil => None
adamc@262 78 | v :: ls' => if eq_nat_dec n (length ls') then Some v else lookup ls' n
adamc@262 79 end.
adamc@262 80
adamc@263 81 Infix "##" := lookup (left associativity, at level 1).
adamc@263 82
adamc@263 83 (** The second of our two definitions expresses when one list extends another. We will write [ls1 ~> ls2] to indicate that [ls1] could evolve into [ls2]; that is, [ls1] is a suffix of [ls2]. *)
adamc@263 84
adamc@262 85 Definition extends (ls1 ls2 : list A) := exists ls, ls2 = ls ++ ls1.
adam@292 86 (** printing ~> $\leadsto$ *)
adamc@263 87 Infix "~>" := extends (no associativity, at level 80).
adamc@262 88
adamc@263 89 (** We prove and add as hints a few basic theorems about [lookup] and [extends]. *)
adamc@262 90
adamc@262 91 Theorem lookup1 : forall x ls,
adamc@262 92 (x :: ls) ## (length ls) = Some x.
adamc@262 93 crush; match goal with
adamc@262 94 | [ |- context[if ?E then _ else _] ] => destruct E
adamc@262 95 end; crush.
adamc@262 96 Qed.
adamc@262 97
adamc@262 98 Theorem extends_refl : forall ls, ls ~> ls.
adamc@262 99 exists nil; reflexivity.
adamc@262 100 Qed.
adamc@262 101
adamc@262 102 Theorem extends1 : forall v ls, ls ~> v :: ls.
adamc@262 103 intros; exists (v :: nil); reflexivity.
adamc@262 104 Qed.
adamc@262 105
adamc@262 106 Theorem extends_trans : forall ls1 ls2 ls3,
adamc@262 107 ls1 ~> ls2
adamc@262 108 -> ls2 ~> ls3
adamc@262 109 -> ls1 ~> ls3.
adamc@262 110 intros ? ? ? [l1 ?] [l2 ?]; exists (l2 ++ l1); crush.
adamc@262 111 Qed.
adamc@262 112
adamc@262 113 Lemma lookup_contra : forall n v ls,
adamc@262 114 ls ## n = Some v
adamc@262 115 -> n >= length ls
adamc@262 116 -> False.
adamc@262 117 induction ls; crush;
adamc@262 118 match goal with
adamc@262 119 | [ _ : context[if ?E then _ else _] |- _ ] => destruct E
adamc@262 120 end; crush.
adamc@262 121 Qed.
adamc@262 122
adamc@262 123 Hint Resolve lookup_contra.
adamc@262 124
adamc@262 125 Theorem extends_lookup : forall ls1 ls2 n v,
adamc@262 126 ls1 ~> ls2
adamc@262 127 -> ls1 ## n = Some v
adamc@262 128 -> ls2 ## n = Some v.
adamc@262 129 intros ? ? ? ? [l ?]; crush; induction l; crush;
adamc@262 130 match goal with
adamc@262 131 | [ |- context[if ?E then _ else _] ] => destruct E
adamc@262 132 end; crush; elimtype False; eauto.
adamc@262 133 Qed.
adamc@262 134 End lookup.
adamc@262 135
adamc@262 136 Infix "##" := lookup (left associativity, at level 1).
adamc@262 137 Infix "~>" := extends (no associativity, at level 80).
adamc@262 138
adamc@262 139 Hint Resolve lookup1 extends_refl extends1 extends_trans extends_lookup.
adamc@262 140
adamc@263 141 (** We are dealing explicitly with the nitty-gritty of closure heaps. Why is this better than dealing with the nitty-gritty of variables? The inconvenience of modeling lambda calculus-style binders comes from the presence of nested scopes. Program evaluation will only involve one %\emph{%#<i>#global#</i>#%}% closure heap. Also, the short development that we just finished can be reused for many different object languages. None of these definitions or theorems needs to be redone to handle specific object language features. By adding the theorems as hints, no per-object-language effort is required to apply the critical facts as needed. *)
adamc@263 142
adamc@262 143
adamc@262 144 (** * Languages and Translation *)
adamc@262 145
adamc@263 146 (** For the rest of this chapter, we will consider the example of CPS translation for untyped lambda calculus with boolean constants. It is convenient to include these constants, because their presence makes it easy to state a final translation correctness theorem. *)
adamc@263 147
adamc@262 148 Module Source.
adamc@263 149 (** We define the syntax of source expressions in our usual way. *)
adamc@263 150
adamc@262 151 Section exp.
adamc@262 152 Variable var : Type.
adamc@262 153
adamc@262 154 Inductive exp : Type :=
adamc@262 155 | Var : var -> exp
adamc@262 156 | App : exp -> exp -> exp
adamc@262 157 | Abs : (var -> exp) -> exp
adamc@262 158 | Bool : bool -> exp.
adamc@262 159 End exp.
adamc@262 160
adamc@262 161 Implicit Arguments Bool [var].
adamc@262 162
adamc@262 163 Definition Exp := forall var, exp var.
adamc@262 164
adamc@263 165 (** We will implement a big-step operational semantics, where expressions are mapped to values. A value is either a function or a boolean. We represent a function as a number that will be interpreted as an index into the global closure heap. *)
adamc@263 166
adamc@262 167 Inductive val : Set :=
adamc@262 168 | VFun : nat -> val
adamc@262 169 | VBool : bool -> val.
adamc@262 170
adamc@263 171 (** A closure, then, follows the usual representation of function abstraction bodies, where we represent variables as values. *)
adamc@263 172
adamc@262 173 Definition closure := val -> exp val.
adamc@262 174 Definition closures := list closure.
adamc@262 175
adamc@263 176 (** Our evaluation relation has four places. We map an initial closure heap and an expression into a final closure heap and a value. The interesting cases are for [Abs], where we push the body onto the closure heap; and for [App], where we perform a lookup in a closure heap, to find the proper function body to execute next. *)
adamc@263 177
adamc@262 178 Inductive eval : closures -> exp val -> closures -> val -> Prop :=
adamc@262 179 | EvVar : forall cs v,
adamc@262 180 eval cs (Var v) cs v
adamc@262 181
adamc@262 182 | EvApp : forall cs1 e1 e2 cs2 v1 c cs3 v2 cs4 v3,
adamc@262 183 eval cs1 e1 cs2 (VFun v1)
adamc@262 184 -> eval cs2 e2 cs3 v2
adamc@262 185 -> cs2 ## v1 = Some c
adamc@262 186 -> eval cs3 (c v2) cs4 v3
adamc@262 187 -> eval cs1 (App e1 e2) cs4 v3
adamc@262 188
adamc@262 189 | EvAbs : forall cs c,
adamc@262 190 eval cs (Abs c) (c :: cs) (VFun (length cs))
adamc@262 191
adamc@262 192 | EvBool : forall cs b,
adamc@262 193 eval cs (Bool b) cs (VBool b).
adamc@262 194
adamc@263 195 (** A simple wrapper produces an evaluation relation suitable for use on the main expression type [Exp]. *)
adamc@263 196
adamc@263 197 Definition Eval (cs1 : closures) (E : Exp) (cs2 : closures) (v : val) :=
adamc@263 198 eval cs1 (E _) cs2 v.
adamc@263 199
adamc@263 200 (** To prove our translation's correctness, we will need the usual notions of expression equivalence and well-formedness. *)
adamc@262 201
adamc@262 202 Section exp_equiv.
adamc@262 203 Variables var1 var2 : Type.
adamc@262 204
adamc@262 205 Inductive exp_equiv : list (var1 * var2) -> exp var1 -> exp var2 -> Prop :=
adamc@262 206 | EqVar : forall G v1 v2,
adamc@262 207 In (v1, v2) G
adamc@262 208 -> exp_equiv G (Var v1) (Var v2)
adamc@262 209
adamc@262 210 | EqApp : forall G f1 x1 f2 x2,
adamc@262 211 exp_equiv G f1 f2
adamc@262 212 -> exp_equiv G x1 x2
adamc@262 213 -> exp_equiv G (App f1 x1) (App f2 x2)
adamc@262 214 | EqAbs : forall G f1 f2,
adamc@262 215 (forall v1 v2, exp_equiv ((v1, v2) :: G) (f1 v1) (f2 v2))
adamc@262 216 -> exp_equiv G (Abs f1) (Abs f2)
adamc@262 217
adamc@262 218 | EqBool : forall G b,
adamc@262 219 exp_equiv G (Bool b) (Bool b).
adamc@262 220 End exp_equiv.
adamc@262 221
adamc@262 222 Definition Wf (E : Exp) := forall var1 var2, exp_equiv nil (E var1) (E var2).
adamc@262 223 End Source.
adamc@262 224
adamc@263 225 (** Our target language can be defined without introducing any additional tricks. *)
adamc@263 226
adamc@262 227 Module CPS.
adamc@262 228 Section exp.
adamc@262 229 Variable var : Type.
adamc@262 230
adamc@262 231 Inductive prog : Type :=
adamc@262 232 | Halt : var -> prog
adamc@262 233 | App : var -> var -> prog
adamc@262 234 | Bind : primop -> (var -> prog) -> prog
adamc@262 235
adamc@262 236 with primop : Type :=
adamc@262 237 | Abs : (var -> prog) -> primop
adamc@262 238
adamc@262 239 | Bool : bool -> primop
adamc@262 240
adamc@262 241 | Pair : var -> var -> primop
adamc@262 242 | Fst : var -> primop
adamc@262 243 | Snd : var -> primop.
adamc@262 244 End exp.
adamc@262 245
adamc@262 246 Implicit Arguments Bool [var].
adamc@262 247
adamc@262 248 Notation "x <- p ; e" := (Bind p (fun x => e))
adamc@262 249 (right associativity, at level 76, p at next level).
adamc@262 250
adamc@262 251 Definition Prog := forall var, prog var.
adamc@262 252 Definition Primop := forall var, primop var.
adamc@262 253
adamc@262 254 Inductive val : Type :=
adamc@262 255 | VFun : nat -> val
adamc@262 256 | VBool : bool -> val
adamc@262 257 | VPair : val -> val -> val.
adamc@262 258 Definition closure := val -> prog val.
adamc@262 259 Definition closures := list closure.
adamc@262 260
adamc@262 261 Inductive eval : closures -> prog val -> val -> Prop :=
adamc@262 262 | EvHalt : forall cs v,
adamc@262 263 eval cs (Halt v) v
adamc@262 264
adamc@262 265 | EvApp : forall cs n v2 c v3,
adamc@262 266 cs ## n = Some c
adamc@262 267 -> eval cs (c v2) v3
adamc@262 268 -> eval cs (App (VFun n) v2) v3
adamc@262 269
adamc@262 270 | EvBind : forall cs1 p e cs2 v1 v2,
adamc@262 271 evalP cs1 p cs2 v1
adamc@262 272 -> eval cs2 (e v1) v2
adamc@262 273 -> eval cs1 (Bind p e) v2
adamc@262 274
adamc@262 275 with evalP : closures -> primop val -> closures -> val -> Prop :=
adamc@262 276 | EvAbs : forall cs c,
adamc@262 277 evalP cs (Abs c) (c :: cs) (VFun (length cs))
adamc@262 278
adamc@262 279 | EvPair : forall cs v1 v2,
adamc@262 280 evalP cs (Pair v1 v2) cs (VPair v1 v2)
adamc@262 281 | EvFst : forall cs v1 v2,
adamc@262 282 evalP cs (Fst (VPair v1 v2)) cs v1
adamc@262 283 | EvSnd : forall cs v1 v2,
adamc@262 284 evalP cs (Snd (VPair v1 v2)) cs v2
adamc@262 285
adamc@262 286 | EvBool : forall cs b,
adamc@262 287 evalP cs (Bool b) cs (VBool b).
adamc@262 288
adamc@262 289 Definition Eval (cs : closures) (P : Prog) (v : val) := eval cs (P _) v.
adamc@262 290 End CPS.
adamc@262 291
adamc@262 292 Import Source CPS.
adamc@262 293
adamc@263 294 (** Finally, we define a CPS translation in the same way as in our previous example for simply-typed lambda calculus. *)
adamc@263 295
adam@292 296 (** printing <-- $\longleftarrow$ *)
adamc@262 297 Reserved Notation "x <-- e1 ; e2" (right associativity, at level 76, e1 at next level).
adamc@262 298
adamc@262 299 Section cpsExp.
adamc@262 300 Variable var : Type.
adamc@262 301
adamc@262 302 Import Source.
adamc@262 303
adamc@262 304 Fixpoint cpsExp (e : exp var)
adamc@262 305 : (var -> prog var) -> prog var :=
adamc@262 306 match e with
adamc@262 307 | Var v => fun k => k v
adamc@262 308
adamc@262 309 | App e1 e2 => fun k =>
adamc@262 310 f <-- e1;
adamc@262 311 x <-- e2;
adamc@262 312 kf <- CPS.Abs k;
adamc@262 313 p <- Pair x kf;
adamc@262 314 CPS.App f p
adamc@262 315 | Abs e' => fun k =>
adamc@262 316 f <- CPS.Abs (var := var) (fun p =>
adamc@262 317 x <- Fst p;
adamc@262 318 kf <- Snd p;
adamc@262 319 r <-- e' x;
adamc@262 320 CPS.App kf r);
adamc@262 321 k f
adamc@262 322
adamc@262 323 | Bool b => fun k =>
adamc@262 324 x <- CPS.Bool b;
adamc@262 325 k x
adamc@262 326 end
adamc@262 327
adamc@262 328 where "x <-- e1 ; e2" := (cpsExp e1 (fun x => e2)).
adamc@262 329 End cpsExp.
adamc@262 330
adamc@262 331 Notation "x <-- e1 ; e2" := (cpsExp e1 (fun x => e2)).
adamc@262 332
adamc@262 333 Definition CpsExp (E : Exp) : Prog := fun _ => cpsExp (E _) (Halt (var := _)).
adamc@262 334
adamc@262 335
adamc@262 336 (** * Correctness Proof *)
adamc@262 337
adamc@263 338 (** Our proof for simply-typed lambda calculus relied on a logical relation to state the key induction hypothesis. Since logical relations proceed by recursion on type structure, we cannot apply them directly in an untyped setting. Instead, we will use an inductive judgment to relate source-level and CPS-level values. First, it is helpful to define an abbreviation for the compiled version of a function body. *)
adamc@263 339
adamc@262 340 Definition cpsFunc var (e' : var -> Source.exp var) :=
adamc@262 341 fun p : var =>
adamc@262 342 x <- Fst p;
adamc@262 343 kf <- Snd p;
adamc@262 344 r <-- e' x;
adamc@262 345 CPS.App kf r.
adamc@262 346
adamc@263 347 (** Now we can define our correctness relation [cr], which is parameterized by source-level and CPS-level closure heaps. *)
adamc@263 348
adamc@262 349 Section cr.
adamc@262 350 Variable s1 : Source.closures.
adamc@262 351 Variable s2 : CPS.closures.
adamc@262 352
adamc@262 353 Import Source.
adamc@262 354
adamc@263 355 (** Only equal booleans are related. For two function addresses [l1] and [l2] to be related, they must point to valid functions in their respective closure heaps. The address [l1] must point to a function [f1], and [l2] must point to the result of compiling function [f2]. Further, [f1] and [f2] must be equivalent syntactically in some variable environment [G], and every variable pair in [G] must itself belong to the relation we are defining. *)
adamc@263 356
adamc@262 357 Inductive cr : Source.val -> CPS.val -> Prop :=
adamc@263 358 | CrBool : forall b,
adamc@263 359 cr (Source.VBool b) (CPS.VBool b)
adamc@263 360
adamc@262 361 | CrFun : forall l1 l2 G f1 f2,
adamc@262 362 (forall x1 x2, exp_equiv ((x1, x2) :: G) (f1 x1) (f2 x2))
adamc@262 363 -> (forall x1 x2, In (x1, x2) G -> cr x1 x2)
adamc@262 364 -> s1 ## l1 = Some f1
adamc@262 365 -> s2 ## l2 = Some (cpsFunc f2)
adamc@263 366 -> cr (Source.VFun l1) (CPS.VFun l2).
adamc@262 367 End cr.
adamc@262 368
adam@292 369 (** printing |-- $\vdash$ *)
adam@292 370 (** printing ~~ $\sim$ *)
adamc@262 371 Notation "s1 & s2 |-- v1 ~~ v2" := (cr s1 s2 v1 v2) (no associativity, at level 70).
adamc@262 372
adamc@262 373 Hint Constructors cr.
adamc@262 374
adamc@263 375 (** To prove our main lemma, it will be useful to know that source-level evaluation never removes old closures from a closure heap. *)
adamc@263 376
adamc@262 377 Lemma eval_monotone : forall cs1 e cs2 v,
adamc@262 378 Source.eval cs1 e cs2 v
adamc@262 379 -> cs1 ~> cs2.
adamc@262 380 induction 1; crush; eauto.
adamc@262 381 Qed.
adamc@262 382
adamc@263 383 (** Further, [cr] continues to hold when its closure heap arguments are evolved in legal ways. *)
adamc@263 384
adamc@262 385 Lemma cr_monotone : forall cs1 cs2 cs1' cs2',
adamc@262 386 cs1 ~> cs1'
adamc@262 387 -> cs2 ~> cs2'
adamc@262 388 -> forall v1 v2, cs1 & cs2 |-- v1 ~~ v2
adamc@262 389 -> cs1' & cs2' |-- v1 ~~ v2.
adamc@262 390 induction 3; crush; eauto.
adamc@262 391 Qed.
adamc@262 392
adamc@262 393 Hint Resolve eval_monotone cr_monotone.
adamc@262 394
adamc@263 395 (** We state a trivial fact about the validity of variable environments, so that we may add this fact as a hint that [eauto] will apply. *)
adamc@263 396
adamc@262 397 Lemma push : forall G s1 s2 v1' v2',
adamc@262 398 (forall v1 v2, In (v1, v2) G -> s1 & s2 |-- v1 ~~ v2)
adamc@262 399 -> s1 & s2 |-- v1' ~~ v2'
adamc@262 400 -> (forall v1 v2, (v1', v2') = (v1, v2) \/ In (v1, v2) G -> s1 & s2 |-- v1 ~~ v2).
adamc@262 401 crush.
adamc@262 402 Qed.
adamc@262 403
adamc@262 404 Hint Resolve push.
adamc@262 405
adamc@263 406 (** Our final preparation for the main lemma involves adding effective hints about the CPS language's operational semantics. The following tactic performs one step of evaluation. It uses the Ltac code [eval hnf in e] to compute the %\emph{%#<i>#head normal form#</i>#%}% of [e], where the head normal form of an expression in an inductive type is an application of one of that inductive type's constructors. The final line below uses [solve] to ensure that we only take a [Bind] step if a full evaluation derivation for the associated primop may be found before proceeding. *)
adamc@263 407
adamc@262 408 Ltac evalOne :=
adamc@262 409 match goal with
adamc@262 410 | [ |- CPS.eval ?cs ?e ?v ] =>
adamc@262 411 let e := eval hnf in e in
adamc@262 412 change (CPS.eval cs e v);
adamc@262 413 econstructor; [ solve [ eauto ] | ]
adamc@262 414 end.
adamc@262 415
adamc@263 416 (** For primops, we rely on [eauto]'s usual approach. For goals that evaluate programs, we instead ask to treat one or more applications of [evalOne] as a single step, which helps us avoid passing [eauto] an excessively large bound on proof tree depth. *)
adamc@263 417
adamc@262 418 Hint Constructors evalP.
adamc@262 419 Hint Extern 1 (CPS.eval _ _ _) => evalOne; repeat evalOne.
adamc@262 420
adamc@263 421 (** The final lemma proceeds by induction on an evaluation derivation for an expression [e1] that is equivalent to some [e2] in some environment [G]. An initial closure heap for each language is quantified over, such that all variable pairs in [G] are compatible. The lemma's conclusion applies to an arbitrary continuation [k], asserting that a final CPS-level closure heap [s2] and a CPS-level program result value [r2] exist.
adamc@263 422
adamc@263 423 Three conditions establish that [s2] and [r2] are chosen properly: Evaluation of [e2]'s compilation with continuation [k] must be equivalent to evaluation of [k r2]. The original program result [r1] must be compatible with [r2] in the final closure heaps. Finally, [s2'] must be a proper evolution of the original CPS-level heap [s2]. *)
adamc@263 424
adamc@262 425 Lemma cpsExp_correct : forall s1 e1 s1' r1,
adamc@262 426 Source.eval s1 e1 s1' r1
adamc@262 427 -> forall G (e2 : exp CPS.val),
adamc@262 428 exp_equiv G e1 e2
adamc@262 429 -> forall s2,
adamc@262 430 (forall v1 v2, In (v1, v2) G -> s1 & s2 |-- v1 ~~ v2)
adamc@262 431 -> forall k, exists s2', exists r2,
adamc@262 432 (forall r, CPS.eval s2' (k r2) r
adamc@262 433 -> CPS.eval s2 (cpsExp e2 k) r)
adamc@262 434 /\ s1' & s2' |-- r1 ~~ r2
adamc@262 435 /\ s2 ~> s2'.
adamc@263 436
adamc@263 437 (** The proof script follows our standard approach. Its main loop applies three hints. First, we perform inversion on any derivation of equivalence between a source-level function value and some other value. Second, we eliminate redundant equality hypotheses. Finally, we look for opportunities to instantiate inductive hypotheses.
adamc@263 438
adamc@263 439 We identify an IH by its syntactic form, noting the expression [E] that it applies to. It is important to instantiate IHes in the right order, since existentially-quantified variables in the conclusion of one IH may need to be used in instantiating the universal quantifiers of a different IH. Thus, we perform a quick check to [fail 1] if the IH we found applies to an expression that was evaluated after another expression [E'] whose IH we did not yet instantiate. The flow of closure heaps through source-level evaluation is used to implement the check.
adamc@263 440
adamc@263 441 If the hypothesis [H] is indeed the right IH to handle next, we use the [guess] tactic to guess values for its universal quantifiers and prove its hypotheses with [eauto]. This tactic is very similar to [inster] from Chapter 12. It takes two arguments: the first is a value to use for any properly-typed universal quantifier, and the second is the hypothesis to instantiate. The final inner [match] deduces if we are at the point of executing the body of a called function. If so, we help [guess] by saying that the initial closure heap will be the current closure heap [cs] extended with the current continuation [k]. In all other cases, [guess] is smart enough to operate alone. *)
adamc@263 442
adamc@262 443 induction 1; inversion 1; crush;
adamc@262 444 repeat (match goal with
adamc@262 445 | [ H : _ & _ |-- Source.VFun _ ~~ _ |- _ ] => inversion H; clear H
adamc@262 446 | [ H1 : ?E = _, H2 : ?E = _ |- _ ] => rewrite H1 in H2; clear H1
adamc@262 447 | [ H : forall G e2, exp_equiv G ?E e2 -> _ |- _ ] =>
adamc@262 448 match goal with
adamc@262 449 | [ _ : Source.eval ?CS E _ _, _ : Source.eval _ ?E' ?CS _,
adamc@262 450 _ : forall G e2, exp_equiv G ?E' e2 -> _ |- _ ] => fail 1
adamc@262 451 | _ => match goal with
adamc@263 452 | [ k : val -> prog val, _ : _ & ?cs |-- _ ~~ _,
adamc@263 453 _ : context[VFun] |- _ ] =>
adamc@262 454 guess (k :: cs) H
adamc@262 455 | _ => guess tt H
adamc@262 456 end
adamc@262 457 end
adamc@262 458 end; crush); eauto 13.
adamc@262 459 Qed.
adamc@262 460
adamc@263 461 (** The final theorem follows easily from this lemma. *)
adamc@263 462
adamc@263 463 Theorem CpsExp_correct : forall E cs b,
adamc@262 464 Source.Eval nil E cs (Source.VBool b)
adamc@262 465 -> Wf E
adamc@262 466 -> CPS.Eval nil (CpsExp E) (CPS.VBool b).
adamc@262 467 Hint Constructors CPS.eval.
adamc@262 468
adamc@262 469 unfold Source.Eval, CPS.Eval, CpsExp; intros ? ? ? H1 H2;
adamc@262 470 generalize (cpsExp_correct H1 (H2 _ _) (s2 := nil)
adamc@262 471 (fun _ _ pf => match pf with end) (Halt (var := _))); crush;
adamc@262 472 match goal with
adamc@262 473 | [ H : _ & _ |-- _ ~~ _ |- _ ] => inversion H
adamc@262 474 end; crush.
adamc@262 475 Qed.