Operational Semantics

Course Notes

Steffen van Bakel Department of Computing Imperial College of Science, Technology and Medicine

Spring 2002 These notes are based on slides prepared by Chris Hankin, and to be used in the course Op- erational Semantics 2.12 at the Department of Computing, Imperial College. The notes lean heavily on the book Semantics with Applications A Formal Introduction by Hanne Riis Nielson and Flemming Nielson, available at

http://www.daimi.au.dk/ bra8130/Wiley_book/wiley.html that is recommended for further reading. Contents

1 Why formal semantics? 1 1.1 States ...... 2 1.2 Operational Semantics ...... 2 1.3 Denotational Semantics ...... 3 1.4 Axiomatic Semantics ...... 4

2 Induction 4 2.1 Mathematical Induction ...... 4 2.2 Why does this work? ...... 5 2.3 Complete Induction ...... 7 2.4 Other induction ...... 8 2.5 Structural induction ...... 8 2.6 The general case ...... 9 2.7 How to use rules ...... 11 2.8 (Apparent) Static and Reverse Induction ...... 13 2.9 Alternatives ...... 14

3 Syntax 14 3.1 Concrete syntax ...... 14 3.2 Abstract syntax ...... 15

4 Natural Semantics 16 4.1 Natural Semantics of Arithmetic Expressions ...... 16 4.2 Determinism ...... 18 4.3 Denotational Semantics for Arithmetic Expressions ...... 18 4.4 Free variables ...... 19 4.5 The language While ...... 19 4.6 Semantics of Boolean expressions ...... 20 4.7 Natural Semantics of While ...... 20 4.8 Semantic Equivalence ...... 23

5 Structural Operational Semantics 26 5.1 Sequences ...... 27 5.2 Some properties ...... 28

6 Provably correct implementation 30 6.1 The abstract machine language ...... 31 6.2 Translation of expressions ...... 34 6.3 Translation of statements ...... 35 6.4 Correctness of translation ...... 35 6.5 Correctness for expressions ...... 36 6.6 Correctness for Statements ...... 37 7 Denotational Semantics 40 7.1 Fixed Point Construction ...... 43 7.2 Partial order relations ...... 47 7.3 Partial Ordered Set ...... 47 7.4 Least Upper Bounds ...... 49 7.5 Chains ...... 49 7.6 CCPO ...... 50 7.7 Monotone functions ...... 50 7.8 Continuous Functions ...... 51 7.9 The Fixed Point Theorem ...... 52 7.10 Denotational Semantics ...... 52 7.11 Existence ...... 54 7.12 Equivalence to Operational Semantics ...... 56

8 Extensions to While 57 8.1 Aborting ...... 57 8.2 Non-determinism ...... 59 8.3 Parallelism ...... 60 8.4 Blocks ...... 61 8.5 Procedures ...... 63 8.6 Dynamic / Dynamic ...... 64 8.7 Dynamic / Static ...... 65 8.8 Static / Static ...... 66 1 Why formal semantics?

¡ In dealing with programming, we distinguish two different aspects of programming languages. ¢

Syntax £ : Deals with the form of sentences:

¥§¦ ¨

The ﬁsh ¤ answered the walk

¤ ¥§¦ ¨ NP VP

Syntax is speciﬁed by a grammar, normally in BNF. ¢

Semantics £ : Expresses the meaning of sentences

while © do © “Execute repeatedly so long as the expression is true” Although many programmers could not be bothered with a formal semantics, it plays a major role in everyday programming. When learning a new programming language, normally we only look at the syntax, to know how certain language constructs are written. However, syntax is not concerned with ‘soundness’, it just deals with correctly formed sentences. This implies that the programmer is lost when it becomes necessary to check (argue) that the speciﬁed

program actually computes the intended operation.

In this process, normally the syntax suffices. Every language construct, like ‘while © do ’ has an intended meaning, formulated in natural language in text books, and it is this informal semantics that the programmer uses when writing an actual program. It is not uncommon, however, for a programmer to find that, although the structure of the program is correct in the sense that the programmer has used all language constructs in the right way and in the right order, the program still does not execute as it should. This is caused by the fact that the intended semantics only speaks in general terms, and does not give any means to actually check that the program is indeed the desired one. Programs normally are too big, too complex to understand and check ‘by hand.’ Frequently programming errors, even the most blatant ones, are overlooked for a long time. It is important that the semantics is formal, systematic and verifiable to provide: i) the user with an unambiguous description of the effect of a program. Specifications in natural language may be more easy to read, but they are also highly ambiguous. ii) a yardstick for implementation. With the formal semantics at hand, more efficient programs can be written, and code generation improved. iii) a basis for program analysis and synthesis.

Transformation.

Optimisation.

Veriﬁcation. It can be that actually showing a program to be correct is more work than writing the program itself, but it is not a task to be neglected. History has many examples of (large) programs that went horribly wrong, and the need for a formal semantics comes from the desire to be able to guarantee that a program does exactly what it is supposed to do, under all circumstances, not just in the testing environment.

1 1.1 States Semantics of programming languages deals with the meaning of programs that are supposed to be executing on a computer, i.e. run in memory and use the various resources available. Therefore, to express execution correctly, we need also to consider the status of the memory during execution. Not only because the contents of the memory changes (variables get updated, data bases change), but mostly because the content of a variable at the moment the program starts can have a major effect on the end result.

The state of the memory is therefore prominent in all deﬁnitions of semantics. However, normally only part of the memory is relevant to the semantics of a program. Moreover, since we will consider only programs that compute through variables1, we are not interested in the contents of actual physical addresses, but will abstract from the actual memory and focus on the representation of the values stored in those variables that are of interest to us. We will, formally, say that a state is a function that maps variable names to values, and use State for

the set of all possible states.

"! We will use the notation

as a denotation for the state of the memory, indicating the values for those variable that are relevant to the execution of the program.

Globally speaking, there are three approaches to semantics: ¢

Operational Semantics £ : This semantics is characterised by the fact that it focuses on how the effect of a computation is produced: it is an abstraction of machine execution in that it expresses the meaning of a program - running on a machine in a speciﬁc state - by returning

its result, the output. ¢

Denotational Semantics £ : This semantics focusses on what is the effect of a computation on the state of the machine. In this approach, the meaning of a program (construct) is a function,

that maps the state of the machine before execution to the state after execution. ¢

Axiomatic Semantics £ : With this semantics, the properties of the effect of executing the constructs are expressed as assertions.

We will compare these approaches using the (toy) example program

# # $

:= ; := $ ; :=

that swaps the values stored in the variables and $ .

1.2 Operational Semantics The idea behind Operational Semantics is to express the meaning of a program starting from a certain state by looking at its end result, i.e. the state in which the memory is after execution of the program. For example,

To execute a sequence of statements separated by ‘;’, execute the individual statements one after the other from left to right.

1It is not difficult to extend this to the more general approach, but this would increase the quantity of definition and notation significantly. We are concentrating on the essentials here.

To execute ‘ := $ ’, determine the value of and assign it to .

)( &

We use the notation ‘ %'& ’, that is to be read as ‘the semantics of program in state ’.

) * +, -. /!

# # #

$ $ $ ( 0

% := ; := ; :=

) * +, -. +1!

# #

% $ ( 0 $

:= $ ; :=

) * -. -. +1!

# #

%2$ ( 0

:= $

* -, +3 +)!

4 +, -. /1!

* -. +3 +)!

So, before starting the program the state of the memory is $ , and after the #

program has ﬁnished it is $ , which is also the meaning of the program

# # $

:= ; := $ ; :=

4 +, -. /!

# 0 in the state $ . The symbol ‘ ’ is used for ‘evaluates to’ or ‘means’. So, for operational semantics, you can only look at a program with a given input or initial state, you cannot say anything about a program alone.

1.3 Denotational Semantics

The idea behind this semantics is to look at a program as a mathematical function, i.e. the effect of a program is a mathematical function in State State.

The effect of a sequence of statements separated by ‘;’ is the functional composition of

the effects of the individual statements:

5 5 5

6 7

ds [[ ; ]] ds [[ ]] ds [[ ]]

(Notice the inversion of and .)

The effect of a statement ‘ := $ ’ is a function in State State, such that the new state

is identical to the old state except that the (new) value of is equal to the (old) value of $ .

6 6

$ $:9 [[ := ]] 8$ if ds ;

6 otherwise

For our example program, notice that

5 5 5 5

# # # #

6 7 7

$ $ $ ds [[ := ; := $ ; := ]] ds [[ := ]] ds [[ := ]] ds [[ := ]]

and, therefore

* +, -. /!

# # #

$ $ £

[[ := ; := $ ; := ]]

* +, -. /!

5 5 5

# # #

7 7 6

$ $ £

[[ $ := ]] [[ := ]] [[ := ]]

* +, -. +1!

ds ds ds

5 5

# #

7 6

$ $ £

[[ $ := ]] [[ := ]]

* -. -. +1!

ds ds

# #

$ £

[[ $ := ]]

* -. +, +)!

# $

For denotational semantics, the meaning of a program depends only on the pogram itself. No state information is needed to establish a meaning.

3 1.4 Axiomatic Semantics Axiomatic Semantics deals with the partial correctness (with respect to Pre- and Post-condition) of a given program.

Take the statement

< <

# #

6A? 6>= 6>?:@ 6>=B@

$ $ $

& $ := ; := ; := &

6C= 6C? 6C? 6C=

that expresses that if and $ , then and after the execution of the

# # $ program ‘ := ; := $ ; := ’.

Let

¢ < <

# #

6A= 6A?:@ 6A= 6>?:@

$ $

P1 £ : & := &

¢ < <

# #

6A= 6A?D@ 6A= 6>?:@

$ $

P2 £ : & := &

¢ < <

# #

6A= 6A?:@ 6A= 6A?D@

$ $

P3 £ : & := ; := &

¢ < <

# #

6A?D@ 6A= 6>?:@ 6A=

$ $

P4 £ : & := &

¢ < <

# #

6A?D@ 6A= 6A?:@ 6A=

$ $ $ $ P5 £ : & := ; := ; := &

Then it is easy to see that we can deduce P3 from P1 and P2, and P5 from P3 and P4, so for this kind of program the axiomatic approach works well.

But how to work on

< <

6A?D@ 6A= 6A?:@ 6A= $ & $ while true do skip &

is not easy to see.

2 Induction

Many of the deﬁnitions and properties we are about to study depend heavily on induction. Not only is the majority of our deﬁnitions inductive in nature, also most of the proofs are inductive. Since the kind of induction we use is of a more general nature than just induction over numbers, before discussing the real topic of this course, we have a close look at the principle of induction.

2.1 Mathematical Induction

The principle of Mathematical Induction over the set IN of natural numbers states: to prove a

¢ £

property E for all natural numbers if sufﬁces to show:

¢ ¢

E £

Base case £ : Prove .

¢ ¢ ¢

F E FG£ E F8HJI)£

Inductive Case £ : For every , using the assumption that holds, prove ; in other

¢ ¢

FG£ E FKH>I£ words: prove E .

= = £ These two proofs give you the ‘right’ to say that E holds for all .

In Logic the principle of induction over IN is formalised as follows:

/ !

¢ ¢ ¢

£ LMFON E FG£ E FKH>I)£

E IN

= =

N E £ L IN

(It should be noted that the Principle of Induction

P / ! !

¢ ¢ ¢ ¢ ¢

= =

E £ LMFON E F3£ E FQHAI)£ £ L N E £ L8E & IN IN

is not a theorem, i.e. it does not get a proof in mathematics. If anything, it is an axiom, that is assumed to be true. Stating that it is a principle is better, though, because it can be extended

to all inductively deﬁnable structures, as we will see shortly.)

¢ ¢ ¢^]

6 =\[ = [ =

UWVGXZY H>I£ HAI)££_`

Theorem 2.1 RTS /

Proof : By induction on the structure/ of IN.

¢ ¢

6 [ [

I I£a_1`

Base case £ : Immediate, since .

UWV3X

Rbac Y

Inductive Case £ :

¢ ¢ ¢

UWVGX

£MH FQHAI£ £ R Y

b IH

¢ ¢ ¢d] ¢

[ [ 6

F FKH>I)£ FQHAI)££_`eH FQHAI£

¢ ¢ ¢^] ¢

[ [ 6

F FQH>I£ FQHAI£MHf` FQHAI)£ £_1`

¢^] ]

F.ghHfiF HjFQHf`kF H>I FQHf`£_1`

¢a¢ ¢ ] ¢d]

[ [

FQH>I£ FQH £ FQHlik£a£_1`

Notice that in the second part of the proof, we are proving

¢¢ ¢ ] ¢d]

6 [ [

R UWVGXmY FKH>I£ FQH £ FKHli££_` bac

and that there we use the hypothesis (i.e., assume that it is true without checking)

¢ ¢ ¢^]

6 [ [

R UWVGXZY F FKH>I£ FKH>I)££_` b

so that formally we prove that the ﬁrst is implied by the second.

=on = Exercise 2.2 Prove that, for any natural number = , that there are exactly permutations of objects.

2.2 Why does this work?

The principle of induction is an accepted proof method, because you can ‘see’ that it works. If

= =

N E £ you need to show that L IN holds, then you could just produce a new proof for each

new number given. But, of course, it would be more constructive to have a method that, for

= =

N E £

every IN, shows that holds. Normally there are various methods, sometimes you can

= = =

/ £ N HpIN

even show E directly (like, for example, for the statement: IN IN). But if

¢ ¢

£ FON E F3£

you would prove E , and, for very IN, you have a method to extend a proof for to

¢ ¢

/ F3HqI£ E £

one for E (the inductive step), then, if asked for a proof for , it would sufﬁce to

= £

give the proof for E and extend it times. In a certain sense, if you automate the method

¢ ¢

E FG£ E FGHpI£

that builds the extension of the proof of to , then you could/ build a system, that,

¢ ¢

= =

£ E £ given the number , produces the proof for E from the proof for .

The secret is twofold. First of all, in the inductive step we are only interested in the proof

¢ ¢ ¢

FG£ E FGHqI£ E FG£ that we can extend a proof of E to one for . If itself is true is of no concern,

r the only thing that is of interest is:

¢ ¢

F3£ E F3HqI£ if E , then .

This means that we are looking to prove the implication, and we are allowed to assume that

¢ ¢

FG£ E F3HqI)£ E holds. If from this assumption we show , we have shown the implication to hold. Normally, inserting the assumption in your proof structure is called ‘by induction’ (and

not ‘by induction hypothesis’), and highlights the fact that you use the liberty to assume that

¢ FG£

E holds. = Secret number two lies in the fact that you can do it for every N IN, since the set IN of

natural numbers satisﬁes:

N IN

HAIN if N IN, then IN.

and IN is the least set with both of these properties, so the method sketched above does not miss out on certain numbers.

Usually, one would write ‘Proof: by induction on = ’, but the correct formulation is ‘Proof: by induction on the structure of natural numbers’.

That IN is indeed the smallest set that satisﬁes these criteria, is shown by the following: s

Theor/ em 2.3 Suppose satisﬁes the properties

Nqs

HAItNqs if Nps , then .

then IN uvs .

= =

Nqs N / FON

Proof : We will show: L IN , by mathematical induction over IN. Take IN. From

6 6

F F FkwxH>I FwkN FONqs /

the deﬁnition/ of IN, either , or , with IN. To show: .

£ s Nqs

F : By deﬁnition of , we have .

w w w

F H>I)£ F N F Nps s FyH F : Since IN, by induction also . Then, by deﬁnition of , also

ItNqs . FQNqs

So, for all FON IN, .

= =z[ F Exercise 2.4 Prove that, for every even number , F is even for any natural number .

Not every (correct) statement over numbers is proved by induction:

Theorem 2.5 There are inﬁnitely many prime numbers. |m{

Proof : Take { to be the set of prime numbers, and write for its size. We will show that

= 6A=

|m{ |m{

is not ﬁnite, by showing that there is no such that .

< ¢

6}= 6 @ ?~6 [f [

{ & & & & £HI

So, suppose |O{ , and let . Deﬁne . Then

S S

? ?

&Gw

either is prime, and obviously 9Np{ , or there is a prime number and number such

?6 [ 6 =

&Gw &GwxNq{ &Gw & I yY

that . Now the question is: is ? Suppose it is, so , for some .

U U U

[ ,[ [ ,[ ?

wUh

& & £HjI & & I & & &

Since & , also . Obviously , so also . This is

S S

w 9Nq{

impossible, so & .

= 6>= |O{ So there is no such that |O{ , so is inﬁnite.

6 2.3 Complete Induction An alternative to the rule for induction is the principle of Complete Induction (course of val-

ues):

¢ £

To prove a property E for all natural numbers:

¢ ¢

E £

Base case £ : Prove .

¢ ¢

£ F E Y£ Y

Inductive Case : For every , on the assumption that holds for every smaller than or

¢ ¢ ¢ ¢

E FGHpI)£ LY JF E Y££ E FGHpI£

equal to F , prove ; in other words: prove .

= = £ Also these two proofs give you the ‘right’ to say that E holds for all .

In Logic:

/ !

¢ ¢ ¢ ¢

E £ LMF LY JF E Y£a£ E F3HqI£

= =

L E £

Theorem 2.6 These two principles of induction coincide, i.e. accepting one principle you can show the other holds, and vice versa. Proof : The proof has two parts. First we show that Complete Induction implies Mathematical

Induction, and then we show the reverse.

Let E be a property, and assume

¢ £

E (1)

¢ ¢

E F3£ E F3HpI)£

LMF (2)

= =

E £ We have to show that L . We can reach this result using Complete Induction, but

then we need to show ﬁrst that

G !

¢ ¢ ¢

LY F E Y£a£ E FGHpI£

L8F (3)

LY F E Y£

For every F , this is an implication, that is shown as follows: assume , then,

¢ ¢ ¢ ¢

E FG£ E F3HqI£ LY JF E Y££ ! /

in particular, , and, by assumption (2), we have . So

¢ ¢ ¢ ¢ ¢

E FGHpI)£ F LMF LY JF E Y££ E FGHpI)£ E £

, for e very , so we have . Since also by

= =

E £

(1), we get L .

Let E be such that

¢ £

E (4)

G !

¢ ¢ ¢

L8F E Y£a£ E FGHpI£

LY F (5)

= =

E £ We have to show L . We can reach this result using Mathematical Induction, but

then we need to show ﬁrst that

P !

¢ ¢

E F3£ E FGHpI£

LMF (6)

¢ ¢ ¢

= = = =

£ L3h E ,£ L £

Let be the property deﬁned by P . We will show , using Mathe-

¢ ¢

= = = =

L L3h E ,£ L E £

/3 / /

matical Induction,/ so we will show , so, in particular, .

¢ ¢ ¢ ¢ ¢

6 6

£ £ L3h E ,£ E £ £

Base case : , so holds by assumption (4).

¢ ¢ ¢ ¢ ¢

FG£ FGHpI£ F FG£ LGh JF E ,£

Inductive case £ : To prove , for all , ﬁrst assume .

¢ ¢

E ,£ E FGHpI£

Then, of course, also LGeFGHpI , so, by assumption (5), , and, therefore,

¢ ¢

LGh JF3HqI E ,£ FGHpI)£

= =

£ So L .

7 2.4 Other induction In general, we will deﬁne many sets, relations, . . . , as the least ones satisfying a set of conditions or rules.

Example/ 2.7 Ev, the set of even numbers, is the least set such that:

N Ev.

]

FGH N

if FON Ev, then Ev. =

When looking to prove a property for all N Ev, we can, as much as for the set IN, use

= £

induction. The principle of induction for Ev gets formulated as follows: to prove E for all

= N

Ev, you /

¢ ¢

E £

Base case £ : Prove .

¢ ¢ ¢ ]

F E FG£ E FQH £

Inductive Case £ : For every , using the assumption that holds, prove .

= ? = ?

N H N

Example 2.8 If N Ev and Ev, then Ev.

P !

¢ ¢

? ?

£ L N H N E £

Proof : Take E to be Ev Ev . We will show by induction on the !

structure of Ev. P /

? ?

£ L N H N

! P !

Base case : Ev Ev . Immediate.

¢ ¢ ]

? ? ? ?

L N H £aH N L N H ! N

Inductive Case £ : To show: Ev Ev . By induction, Ev Ev .

¢ ]

? ?

H £8H N L N

Then, by the second part of the deﬁnition of Ev, also Ev Ev . Since

¢ ] ¢ ]

? 6 ?

H £8H H £8H H

P !

by associativity of , we are done.

= ? = ?

N E £ L N L N H N So we have shown L Ev , which is Ev Ev Ev .

2.5 Structural induction Our definitions often define sets of objects which are syntactic or have significant structure, in the sense that they are defined inductively. A ‘proof by induction’ over such a set is then

known as a ‘proof by structural induction.’ Take for example the deﬁnition of lists over natural ¢

numbers, List IN £ .

N List IN .

¢ ¢

= =z

N £ N £ If N IN, and List IN , then List IN .

Notice that this definition is inductive. Implicit in this definition is that ‘ ’ is a list-constructor that, given a number and a list of numbers, produces a list of numbers. A very common presentation of the inductive definition above is to use rules: premises conclusions with the intended meaning:

if all the premises hold, then so do the conclusions. ¢

Using rules, the deﬁnition of List IN £ then becomes

N £

N IN List IN

N £ £ N List IN List IN

= =

Using the convention that is always in IN, we can omit the premises N IN.

¢ ¢

^£ N £ In this case, an inductive proof that the property E holds, for every List IN , would

follow:

¢ ¢

E £

Base case £ : Prove .

¢ ¢ ¢

= =z

E ^£ N E ^£ Inductive Case £ : Assuming , for every IN, prove .

Example 2.9 Take the ‘Miranda’ program

maximum [ ] = 0 maximum (a:x) = a, a >= n n where n = maximum x

length [ ] = 0 length (a:x) = 1 + length x

sum [ ] = 0 sum (a:x) = a + sum x

then, using the deﬁnition of List(IN) given before, we can prove: let

6 [

^£

E sum maximum length

¢ ¢

N £ E ^£ !

then for all List ! IN , .

¢ ¢

E £

Base case £ : is trivial, since sum = 0 .

¢ £

Inductive Case : ¢

=\ 6

sum ^£

sum

[ =

H maximum length

¢ ¢

=z =\ [ 6

^£

maximum ^£H maximum length

¢ ¢

=z [ =\ ^£ maximum ^£ length

2.6 The general case As mentioned before, the principle of induction extends to every ‘inductive’ structure, i.e. to

every set s deﬁned in terms of

x s

Base case £ : Some constants are assumed to be in .

Inductive Case : There is a limited number of constructors , that, given a num- s

ber of elements of s , produce another element of :

Nqs £MNqs

if , then .

S) S1

. . .

Nqs £MNqs

if , then .

S S

¢ s Closure £ : is deﬁned as the smallest set satisfying the above two rules.

9 It is common to not separate constants from constructors, but rather to treat constants as

constructors of arity zero, and deal with both constants and constructors in one go. We will

use both expressions, whenever convenient.

£ Because of the third rule, the general form of structural induction states that to prove E

for all elements Nqs , it is sufﬁcient to:

¢ ¢ ¢

E £ E k£

Base case £ : Prove up to .

¢ ¢ ¢

£ E £ E £

Inductive Case : For every constructor , assuming that up to , prove that also

¢ ¢

£a£

E . S

Example 2.10

¡ ¡ ¡ ¡

[ ¢£6

zero £

or, alternatively

¡ ¡

N N

N Exp Exp Exp

¡ ¡

[

£MN N

zero N Exp Exp Exp

[¤ Constructors in this case are ‘ ’ and ‘ £ ’, and ‘zero’ is a constant.

Property 2.11 All elements of Exp have the same number of left parentheses and right parentheses.

Proof : Induction on the structure of elements of Exp.

Base case : The number of parentheses in zero is 0.

¡ ¡ ¡

6 [

Inductive Case 1 : , and by induction we can assume the property to hold for

¡ ¡ ¡

both and . Let the number of left (and right) parentheses in be , and that in

¡ ¡

= = = = = H

be . Then has H left and right parentheses, so the number of left -

and right parentheses in is equal.

¢ ¢

¡ ¡ ¡

£ £

Inductive Case 2 : , and by induction we can assume the property to hold for .

¡ ¡

= = Let the number of left (and right) parentheses in be , then has HI left (right) parentheses, so the number of left - and right parentheses in ¡ is equal.

We occasionally need to do a proof by structural induction over a number of domains si-

multaneously, like

¦§6 ¨ ¨

¦§6 ¨k¨

H ¥

Exercise 2.12 All -values have an even number of occurrences of the ¨ -token.

We have informally used rules in our inductive deﬁnitions: premises conclusions With the intended meaning of: if premises, then conclusions.

But since paper is patient, care is needed. What set is deﬁned by:

Nps

= HlieNqs

or: ]

H Nps

Nps

]

N4s9

H Nqs Nqs We can define many relations using rules. In fact, every ‘object’ that is defined in terms of ‘if . . . then . . . ’ can be formulated using rules. They are a very clean and precise notation for definitions that would otherwise take up a lot of words. However, one important thing to note is that, using systems defined by rules, the nature of the objects we work with changes. When we want to prove properties of a system that is defined only in terms of ‘if . . . then . . . ’, we would need to follow that structure. When using rules, however, the objects over which you prove become trees constructed by applying the rules, also called derivations.

2.7 How to use rules We will now focus on the particular details involved with using rules to deﬁne inductive sets.

As an example, we take the deﬁnition of (Implicative) Logic (IL), where we derive state-

ments of the shape ©\ª*« , whose intention is ‘ shows ’, or ‘from we can deduce ’.

©\ª*« ® ©\ª4«

©J « ªD®

¢ ¢ ¢

«vN¬©£

£ £

Ax £ I E

©\ª*«

©\ªD®

©\ª*« ®

How to read these three rules? They describe how to build derivations. The ﬁrst, Ax, states

« ©

that, for any set © of formulae, if occurs in , then

«jN¬©£ ©\ª:«

is a correct derivation. Moreover, suppose we have constructed a derivation ¯ that ends with

« ª® °

(or derived) ©A .

° ±

©> « ªD®

then by the second rule I £ , we will create a correct derivation when we draw a line under-

° ®

neath it, and put the line ©\ª*« under it all.

° ±

©> « ªD®

©\ª*« ®

(Notice that « has moved from left to right.)

¯ ¯ ©\ª*« ®

And, similarly, if we have two separate derivations and , one with last line ,

¢ £ the other with last line ©\ª*« , then by the last rule E , when we draw a line underneath

° °

them both, and put the line ©\ªD® under it all, we obtain a correct derivation.

° °

° ± ° ±

¯ ¯

± ±

©\ª*« ® ©\ª*« ©zªD®

These three steps are the only permitted to construct derivations; in other words: the set

of derivations for IL is the smallest set closed for the three derivation constructors, the rules

¢ ¢ ¢

£ £

Ax £ , I , and E given above.

¢ ©\ª*«

Ofﬁcially, the correct denotation for objects deﬁned by these rules would be ¯ , ©\ª*« meaning that ¯ is a derivation with last line . However, it is more common to use only

the expression ©\ª*« when speaking of objects in IL. This then is meant to say that

There exists a derivation built using the three rules above, that ends with ©\ª*« .

since, normally, we are not interested in the actual structure of the derivation showing ©\ª*« , but only in the fact that the formula is derivable. However, when you are aiming to prove properties of IL inductively, the actual structure of derivations becomes important. In fact, any (suitable) property over expressions in IL is actually a property over derivations and can normally be proven by induction on the structure of derivations. Therefore, globally, the structure of the proof would be the same as discussed above, i.e. ﬁrst prove the property to hold for the base cases, and then for the inductive steps. We can present the proof in a slightly different way, by giving it the following structure.

Proof: By induction on the structure of derivations. We focus on the last rule used. ¢

Ax £ : Here the derivation is nothing but an application of rule Ax.

«jN¬©£ ©\ª:« This is the base case of the induction, and you need to show directly that the property to prove

holds for this derivation.

° ¯²w

I £ : In this case, we have a derivation of the structure

° ±

©> « ªD®

©\ª*« ®

©³ « ªD® ¯ ©\ª*« ® The derivation ¯ with conclusion is a subderivation of for , and

so is smaller in the sense of the inductive structure. Now we can assume that the property to

w ¯

prove holds for ¯ , and use that to prove that the property holds for .

° °

w ¯

E £ : In this case, we have a derivation of the structure

° °

° ± ° ±

¯ ¯

± ±

©\ª*« ® ©\ª*« ©zªD®

¯ ¯ Again, the derivations ¯ and are subderivations of , and we can assume that the prop-

erty to prove holds for both, and use that to prove that the property holds for ¯²w . In each case, we can use the fact that we know what is the last rule applied, which gives us not only existence of the subderivations, but also all other properties that are specified in the rule. Notice that this is, in approach, sufficient for a complete inductive proof. The base case is covered by the first part, since, when the last applied rule is Ax, this is exactly the base case of the definition of derivations in IL. The other two cases deal with the constructors, the rules

that show how to construct new derivations from those that already exist.

¯£ Exercise 2.13 The height of a derivation ¯ , height , is inductively deﬁned by (we

focus on the last rule applied):

¢ ¢

¢ 6

£ ¯ ©zª*« «jN¬© ¯£ I

Ax : Then , where , and height .

¢ <

¢ ¢ @

¯ ©\ª*« ® ¯ ¯ ©´ « ªD®

I £ : Then , and has a sub-derivation . Then

¢ ¢

¯£ ¯¬w¢£8H>I

height height .

¢ ¢ ¢

¯ ©\ªD® ¯ ©\ª*« ® ¯ ©\ª*«

E £ : Then has two sub-derivations and .

¢ ¢ ¢ ¢

¯ £ ¯ ££8H>I

Then height ¯J£ max height height .

¯J£ The complexity of a derivation ¯ , comp , is inductively deﬁned by (we focus on the

last rule applied):

¢ ¢ ]

¢ 6

£ ¯ ©zª*« «jN¬© ¯£

Ax : Then , where , and comp .

¢ <

¢ ¢ @

¯ ©\ª*« ® ¯ ¯ ©´ « ªD®

I £ : Then , and has a sub-derivation . Then

¢ ¢

¯J£ ¯²w¢£8H>I

comp comp .

¢ ¢ ¢

¯ ©\ªD® ¯ ©\ª*« ® ¯ ©\ª*«

E £ : Then has two sub-derivations and .

¢ ¢ ¢

¯ £8H ¯ £

Then comp ¯£ comp comp .

¢ ¢ ¯£ Show that, for all derivations, height ¯£t comp .

2.8 (Apparent) Static and Reverse Induction The observations made above can become crucial when trying to prove properties over systems deﬁned with rules.

Take, for example, the (not so very exciting) system deﬁned by:

¶ ¶ ¶

µ µ E

« ® µ µ

Again, writing µ means that there exists a derivation that has that formula in the bottom

line.

¶ ¶ · ¶ · ¶ · ·

µ « ® µ ®

Exercise 2.14 Show: If µ , then either , or and , or

· « and µ .

In this exercise, the only point of difﬁculty could be the third rule.

Exercise 2.15 Let s be deﬁned by:

Nqs

Nps

=¹

= =Jº

Hfi¸Nps Nqs Nqs

Show that IN uvs .

13 2.9 Alternatives Using the deﬁnition of ‘height of a derivation’ suggested above, the ‘proof by induction on the structure of derivations’ could be replaced by a ‘proof by induction on the height of a derivation’. Notice that then you would need the ‘course of values’ variant of the principle of

induction for this technique, since, in general, a sub-derivation does not have a height that is ¢

precisely 1 smaller (see, for example, rule E £ ). Sometimes the structure we deal with has the special property that all rules have exactly one premise. Then a ‘proof by induction on the structure of derivations’ could become ‘proof by induction on the length of the derivation’. Because of these two observations, you can argue that any kind of induction is essentially induction on IN. It is the readability of proof, together with the speciﬁc objects you prove over, that decide which appearance the inductive proof will have.

3 Syntax

We will present our semantics in terms of the Abstract syntax of a programming language. This in contrast to normal programming languages that are deﬁned in the concrete syntax; the point is that details that are important to programmers, like how to exactly write a number, can be ignored for our purposes.

3.1 Concrete syntax The Concrete syntax deﬁnes the sequences of symbols allowable in a syntactically correct

program:

¢£6

( % ( % ( % ( % (

% exp num exp op exp

¢£6 º [

( H _

% op

¢£6

( % ( % ( % (

% num digit digit num

/ + - /

]

¢£6

)» ¼J1½J

% ( i ` digit I This syntax gives a sufﬁcient speciﬁcation of numbers. Notice, however, that although it allows us to parse all permitted expressions, this particular grammar is not precise enough, since it is ambiguous: when interpreting the expressions to understand what value they stand

for, i.e. to understand their semantics, it is not clear what the intended precedence of the

]

º [ » operations is in, for example, the expression I , and neither the associativity of the operations is clear.

Instead, take

¢£6

( % ( % ( % ( % (¾£

% exp num exp op exp

¢£6 º [

( H _

% op

¢£6

( % ( % ( % (

% num digit digit num

/ + - /

]

¢£6

)» ¼J1½J

( I i ` % digit

The bracketing now forces the computation, and it will be easier to deﬁne a correct semantics.

Exercise 3.1 Consider the following Abstract Syntax: =

N Numeral

N Variables N

Arithmetic Expressions N

& Procedure Names N

¯m¿ Declared Variables N

¯¸À Declared Procedures ¥

N Statements

¢§6 = º [

6 ¢§6

xÁ

A © © ©

¢§6

¯m¿

¯m¿ var := ;

¢§6

¯¸À ¯¸À

proc & is ;

¥ ¥ ¥ ¥ ¥

¢§6

:= skip ; if then else

¥ ¥

¯m¿t¯¸À & while © do begin end call Show that any program in the language has the same number of begin and end tokens.

3.2 Abstract syntax The Abstract syntax formalises the Allowable Parse Trees.

For the previous syntax for numbers, the abstract syntax speciﬁes the syntactic categories Ã

N exp

op N Op = N Numeral

and the deﬁnitions

¢£6 º [

op H

Ã Ã Ã

¢£6 = op £ (The second line should be read as: ‘An expression is either a number, or composed of two expressions with an operation in between them’.) These two (syntactic categories and definitions) together are sufficiently precise for our purposes. Notice that the main difference between the concrete and the abstract syntax is that in the latter we leave the syntactic construction of numbers (elements of Numeral) unspecified. In this way, we abstract from their actual syntax (hence the name abstract syntax). We also

assume that our alphabet of symbols is inﬁnite: = is used as a meta-variable, a place holder for any number, and we have no rule specifying the syntactic structure of numbers, nor any information on the set Numeral.

15 4 Natural Semantics

Ä We will now start concentrating on the semantics of a (toy) programming language, While. The ﬁrst semantics we will study is called the Natural Semantics; it caries that name because it is concentrating on the ‘result’ of a program, which is the natural thing to study. We will introduce this semantics in stages. First we deﬁne Natural Semantics of Arithmetic Expres- sions, which gives us the possibility to get acquainted with notation and do some elementary proofs, before focusing on a real language.

The syntactic categories used for the deﬁnition of arithmetic expressions are: N

Arithmetic Expressions =

N Numeral

N Variables

where Variables is supposed to be an inﬁnite set of variable names. The deﬁnitions are:

¢ ¢ ¢

¢£6 = º [

Hl £ £ £

4.1 Natural Semantics of Arithmetic Expressions Natural Semantics of Arithmetic Expressions is deﬁned as a transition system over the follow-

ing two kinds of conﬁgurations:

º )(

%Å Arithmetic Expressions and state

º an integer (in ZZ, the ﬁnal state)

Notice that we consider two sets of ‘numbers’ in this course.

Numeral, that stands for the syntactic representation of numbers (without specifying how numbers are written).

ZZ, the set of integers that are the actual numbers, or values, syntactically represented by elements of Numeral.

Of course, when writing down an element of ZZ, we need to use some syntax. For example,

/ / / + ÅÈ /

the forty-second positive number can be represented in different ways, depending the chosen

]x]])Æ ]1Ç ] Æ ]

6 6 6 6 6

I I « I syntax. One could have I . We will use the

normal decimal notation for both, and to distinguish between our syntax and that of elements »

in Numeral, we will underline if necessary. So, N Numeral is a syntactic representation of

» É

the fourth number, and N ZZ is its actual value. Sometimes, alternatively, we will use [[ ]],

» »

so É [[ ]] is the fourth element of IN.

In the Natural Semantics we are concerned with the relation between the initial and ﬁnal )( state, denoted by: %Å (remember that a state maps variables to values, and that an arithmetic expression should represent a value).

The rules that deﬁne the Natural Semantics for Arithmetic Expressions are:

Ê Ê

%^ )( %^ )(

¢ ¢ ¢

) Ê

£ £

NUMns £ VARns OPns

= =

% )( % )(

)( %Å op op

[ º

£ where ‘op’ is any of ‘ H ’. We will omit the brackets around op whenever con-

venient (like for the outermost pair).

¢ ¢

= = £ Notice that, in rule NUMns £ , both and are used. Similarly, in rule OPns , both op and op are used. The ﬁrst, op, is the syntactic representation of the intended operation, whereas op is the actual operation, that lives in the semantic setting. Since we map on to the ‘real’

world, we can immediately – or whenever convenient – perform the actual calculation there.

[

» ¼

i £OH

This implies / that, normally, is not written in our notation; instead, we will write ]

the ‘result’ . ( Also, notice that the Natural Semantics maps pairs of % expression state to a value, a num-

ber in ZZ. This implies that a state is a mapping from variables to the ‘real world’ of ZZ.

[

£3H

Example 4.1 Suppose you would want to know the semantics of i , in a state such

6 » that . Since the semantics is deﬁned using rules, what you need to do is to build a derivation that gives you the desired result.

You know that the last line in this derivation will be of the shape

ÌËx

[

% i £8H )(

¢ £

This leaves no choice for the last rule applied: H ns .

vË M vË

[

)( %Åi )( %

vË

[

)( % i £8H

vË ÌË

[

( % ( which leaves us with the task of ﬁnding derivations for both %Åi and . For the

ﬁrst, again the syntax of the expression involved tells us that the last rule applied must have

¢ [

been ns £ .

ÌË M ÌË

%Åi )( % )(

ÌË M vË

[

)( %Åi )( %

vË

[

)( % i £8H

ÌË ÌË B ÌË

)( % ( % )(

So we only need to ﬁnd the derivations for %^i , , and . Of course,

¢ ¢

£ £

by rule NUMns , this is easy for the ﬁrst two. We use rule VARns for the third, and use in the

» » derivation that we know that . Notice that this is a mathematical equation, so and

represent exactly the same value, and can be used both there. Since » carries more information

to us human beings, we prefer to write the actual number over a mysterious eË xpression. We can for these three (sub)derivations ﬁll in the open place kept by ‘ ’, and use these

results to ﬁll in the open places below. Thus we obtain:

%Åi )( i % )(

]

[

¼ ¼

%^i )( I % )(

¢ ]

[

% i £MH )( In what follows, we will often omit the underline, if from the immediate context it is clear if we intend the syntactic representation or the semantic value. Then the previous derivation

becomes:

%Åi )( i % )(

]

[

¼ ¼

%^i )( I % )(

¢ ]

[

% i £MH )(

Exercise 4.2 Write down a suitable abstract syntax for decimal numerals and deﬁne a seman-

tic function É which maps numerals to integers.

4.2 Determinism The Natural Semantics for natural numbers is deterministic, i.e., there is only one possible

derivation given an expression and a state:

Ê Í

)( %^ )( w w

Theorem 4.3 If %Å and , then .

Ê )( Proof : Assume %^ . Then by deﬁnition, there is a derivation that has this at the bottom

line. The proof goes by induction on the structure of derivations, where we focus on the last

rule applied.

6Î= 6Î= =

KN % )(

NUMns £ : Then Numeral, say , and . The only way to derive is

6>=

£ w

by a derivation consisting only of rule NUMns , so also .

6 6

KN % )( w

VARns £ : Then Variables, say , and . The only way to derive

£ w

is by a derivation consisting only of rule VARns , so also ; since is a function,

¢ ¢

£ £

) 1 )

OPns : Then op , op , and there are sub-derivations showing both

)( %^ )( %Å )(

%^ and . Likewise, op can only be obtained

via a derivation that ends with rule OPns , and again there are sub-derivations showing

6 6

)( w )( w %^ %Å w w

and . Now, by induction, and ; therefore, also

¢ ¢

6 6

w w w £

op op £ , so .

Exercise 4.4 The Natural Semantics for Arithmetic Expressions is terminating, i.e., for every

%Å )( QN Arithmetic Expressions, for all states , there is a such that .

4.3 Denotational Semantics for Arithmetic Expressions

We model the memory (or store) of the machine on which we are to run a program by functions of type

State 6 Variables ZZ

The Denotational Semantics on Arithmetic Expressions is a total function

Arithmetic Expressions State ZZ In deﬁning Ï , we will (as above), when needed, underline to give meaning to the syntactic

representation of the number and operations.

= 6 =

[[ ]]

Ï Ï Ï

[[ op ]] [[ ]] op [[ ]]

6 i

Example 4.5 Suppose . Then:

Ï Ï Ï

H>I ÐH I

[[ ]] [[ ]] [[ ]]

H I

iHAI

6 »

Exercise 4.6 Show that the Natural Semantics and the Denotational Semantics of Arithmetic Expressions are equivalent.

4.4 Free variables

¢ ,£ The free variables of an expression KN Arithmetic Expressions, FV , is the set of variables

occurring in and is inductively deﬁned by:

= 6 Ñ

FV £

¢ <

6 @

FV £

¢ ¢ ¢

£ £8 £

FV op FV FV

w w N ,£

Theorem 4.7 Let and be two states satisfying , for all FV . Then

Ï Ï

w [[ ]] [[ ]] .

Proof : By induction on the structure of terms in Arithmetic Expressions.

Ï Ï

= = 6A=*6 =

£ w

: [[ ]] [[ ]] .

¢ ¢ <

Ï Ï Ï

6 6 6 @

w w

£ £

: [[ ]] and [[ ]] , by deﬁnition of . Since FV , we get

, and therefore also A [[ ]] s = A [[ ]] s’.

¢ ¢

Ï Ï Ï Ï

£a£

op : By deﬁnition of , we have [[ op ]] [[ ]] op [[ ]] , as

¢ ¢

Ï Ï Ï

w w w

£¸u £

well as [[ op ]] [[ ]] op [[ ]] . Since FV FV op , the

Ï Ï

w w

states and agree on both and , so, by induction, we have [[ ]] [[ ]]

Ï Ï Ï Ï Ï Ï

6 6

w w w

and [[ ]] [[ ]] . But then [[ ]] op [[ ]] [[ ]] op [[ ]] , so

Ï Ï

w also [[ op ]] [[ op ]] .

4.5 The language While We will develop various semantics for a basic programming language, called While. Its

abstract syntax is given by: N

Arithmetic Expressions =

N Numeral

N Variables N

N Statements

¢ ¢ ¢

¢£6 = º [

Hf £ £ £

¢ ¢ ¢ ¢

¢£6 6

£ A £ ©£ © © £

¢ ¢ ¢

¥ ¥ ¥ ¥ ¥ ¥

¢£6

Example 4.8

¢ ¢

[ º 6

$ I $ $ I)£ := ;while I)£ do := ; :=

4.6 Semantics of Boolean expressions Below, we will deﬁne the Natural Semantics of the language While. Before we come to that,

we need to deﬁne the Denotational Semantics of Boolean Expressions as a function of the

Ò following type:

Boolean Expressions State TT

< @

where TT 6 tt ff , the set of (semantic) truth values – as follows:

Ò 6

[[true]] tt Ò 6

[[false]]

Ò ff

Ï Ï

6 6 6

[[ ]] tt, if [[ ]] [[ ]]

Ï Ï

6 6

¬9 [[ ]] [[ ]]

Ò ff, if

Ï Ï

A K

[[ ]] tt, if [[ ]] [[ ]]

Ï Ï

6 ¹

[[ ]] [[ ]] Ò

ff, if Ò

6 6

tt, if Ò ff

6 6

Ò Ò

Ò ff, if tt

6 6 6

6 ff, otherwise

Ï Ï

Alternatively, since [[ ]] [[ ]] lives in the semantic world, and has the same

value as tt if both values are equal, we can deﬁne the semantics like this:

Ò 6

[[true]]

Ò tt 6

[[false]]

Ò ff

Ï Ï

6 6 6

)£

[[ ]] [[ ]] [[ ]]

Ï Ï

A Q )£

[[ ]] [[ ]] [[ ]]

Ò Ò

Á Á

Ò Ò Ò

4.7 Natural Semantics of While We will now present the Natural Semantics of While. This semantics is deﬁned as a binary

relation between conﬁgurations, that are deﬁned being either:

¥ ¥

)(

% is to be executed from state º a terminal state, or value.

)( Transitions from the initial pair to the terminal state are denoted by % , and the

Natural Semantics is deﬁned by the set of (derivation) rules below:

Í Í

%Å )( %^ )(

¢ ¢

) Í £

NUMns £ OPns

= =

% )(

)(

%Å op op

¢ ¢

M £

VARns £ SKIPns

)( % )(

% skip

Í )

¥ ¥

%Å )( % ( % (

¢ ¢

) Ík! £

ASS £ COMP ¥

ns ns ¥

§6

( )( %

% ;

F [[ © ]] ff ¥

WHILEns £

% while do

¥ ¥

( % © (

% while do

¢ ¢

ns ¥

% (

while © do

% (

¢ ¢

)

COND £ [[ ]] tt ¥

ns ¥

% if then else

)

% (

¢ ¢

)

COND £ [[ ]] ff ¥

ns ¥

( ©

% if then else

ÓÊk!

In rule ASSns £ , the notation stands for the state (function) deﬁned by

Í! ;

6 6

$ $

6 6

9 $

8$ if ¢

Notice that rule NUMns £ is actually a rule-scheme: there is an instance of this rule for every = N Numeral. The present form of the rules needs some comments. Notice that, of course, it is possible to deﬁne the Natural Semantics of Boolean expressions, and use that above when we deﬁne the rules for the while -loop and the conditional. However, since a boolean expression as such is never a statement in Statements, and the rules are intended to specify the semantics for While, we will never actually want to derive the semantics for a boolean expression. To have slightly less complicated derivations in the system, we have used the semantics of a boolean expression in a side-condition to the rule, rather than build a separate derivation for it.

Remark that the same kind of reasoning also applies to Arithmetic Expressions. We could,

Ï therefore, have used the Denotational Semantics for Arithmetic Expressions, [[ ]] , and

have presented the rule

Ï £

ASSnsw

)(

% := [[ ]]

¢ ¢ ¢ ¢

£ £ £ instead of the rules NUMns £ , OPns , VARns , and ASSns above.

As before, the rules are used to construct derivations. In general, when looking for the ¥

semantics of a certain statement in a speciﬁc state , we would ﬁrst need to construct the

[

¼ £8H

derivation, as done above when looking for the semantics for i .

° ±

ÌË

% )(

In general, the syntax of ¥ guides the construction of the derivation; looking at its ‘top-level’ °

syntax construct, we know° what the last rule used in the derivation must have been.

° °

° ± ° ±

± ±

vË vË

± ±

¥ ¥

% ( % (

vË

% )(

vË vË

This enables us to build the derivation, ﬁlled with ‘?’, until we will, normally, end up looking

w¦( % w¦(

for derivations for % or skip . These are easily found, using the rules

¢ ¢ £

ASSns £ and SKIPns . ¢

° T

The only problem in this approach is the presence of rule WHILEns £ .

° ±

vË

% while do

The structure of ¯ depends on the value of [[ ]] , since that decides which of the rules ¢

¢ T F

£ ©

WHILEns £ or WHILEns has been used. Suppose [[ ]] tt, then the structure of the deriva- °

tion is as follows: °

° °

± ±

° °

¯ ¯

± ±

ÔË ÌË ÌË1

± ±

¥ ¥

( )( % ©

% while do

vË

)( ©

% while do

Ë Ë To ﬁnd ¯ , we ﬁnd ourselves with a problem similar to the one we started with; the only difference between the two is the use of in one and in the other. And in fact, for some

statements this approach does not terminate.° Take

° ±

vË

± )(

% while true do skip

Since [[true]] tt for all , after the ﬁrst step we obtain

° ±

vË

% )(

)(

% skip while true do skip

ÌË )(

% while true do skip

ÌË

which brings us on an inﬁnite search for the derivation . In fact, since the bottom line

% )( ¯ of ¯ , while true do skip , is exactly the same as the one for , we get that the

¯ ¯ ¯ derivations ¯ and must be identical. Since is a real sub-derivation of , it is impossible

for ¯ to exist. ¥

The execution of a statement on a state

% )( w

terminates if and only if there is a state w such that , and

% )( w loops if and only if there is no state w such that . Notice that these notions correspond exactly to what you would expect in real life, since the program while true do skip loops forever.

Exercise 4.9 Construct a derivation tree for the following While program.

# # #

HAI $G£

:= ;while $Õ do := ; :=

+ - $ in a state where has value I and has value .

4.8 Semantic Equivalence

We can use the semantics to determine whether two statements ¥ and are semantically w

equivalent, i.e. whether for all states and :

¥ ¥

w w

)( % )(

% if and only if .

% )( w

Notice that this deﬁnition is actually over derivations: a derivation exists for if

)( and only if a derivation exists for % ; notice that these derivations need not be similar in shape.

Lemma 4.10 The statements ¥

while © do

and

¥ ¥

© £ if © then ;while do else skip are semantically equivalent. Proof : We will show that, given a derivation for one result, we can construct a derivation for the other, and vice versa. This implies that if a derivation exists for the one, then a derivation

exists for the other, and vice versa, as requested.

The proof comes in two parts. We will show that, for all states and :

¥ ¥ ¥

and

¥ ¥ ¥

If % if then ;while do else skip , then while do .

i) If % while do , there is a derivation that has this as its conclusion.

° ±

% ©

while do )(

The structure of ¯ depends on the value of [[ ]] , since that decides which of the rules ¢

¢ F T £ WHILEns £ or WHILEns has been used. We have two choices:

£ ¯

% while do

so, in particular, . The following is easy to construct:

)(

% skip

£ [[ © ]]

¢ ff

¥ ¥

% if then ;while do else skip

° °

° ± ° ±

¯ ¯

± ±

¥ ¥

)( % © ( w

% while do

° ° °

We can now° construct:

° °

° ± ° ±

¯ ¯

± ±

¥ ¥

% while do

¥ ¥

)( ©

% ;while do

£ [[ © ]]

¢ tt

¥ ¥

% if then ;while do else skip

¥ ¥

as its conclusion. °

¥ ¥

% if then ;while do else skip ©

Again, the structure of ¯ depends on the value of B [[ ]] s, since that decides which of ¢

¢ F T

£ £

theÒ rules CONDns or CONDns has been used as the last rule. We have two choices:

£ ¯

)(

% skip

£ [[ © ]]

¢ ff

¥ ¥

% if then ;while do else skip

6 w

so, in particular, . The following is immediate:

% while do

£ ¯ [[ © ]] tt : Then the structure of is as follows:

° °

° ± ° ±

¯ ¯

± ±

¥ ¥

( w )( % ©

% while do

¥ ¥

% ;while do

£ [[ © ]]

¢ tt

¥ ¥

% if then ;while do else skip

° ° °

We can now° construct:

° °

± ±

¯ ¯

± ±

¥ ¥

( )( % ©

% while do

% )( while © do Which completes the proof.

(Notice that this has not been a proof by induction on the structure of derivations.)

¥ ¥

)( % )(

Theorem 4.11 The Natural Semantics is deterministic. i.e. if % and ,

then .

% )( Proof : Let ¯ be the derivation that shows . The proof is by induction on the

structure of derivations, by focusing on the last rule used. We only show some of the cases.

6 ¯

SKIPns £ : Then skip and is structured like

% )(

skip

% )(

so also . Likewise, the derivation that shows skip can only be com-

6 6

posed of SKIPns , so also . So, in particular, .

¢ ¢

¥ ¥ ¥

° °

£ ¯

COMPns £ : Then ; , and is structured like

° °

° ± ° ±

¯ ¯

± ±

% )(

% (

)

¥ ¥

)( %

;

¥ ¥

% )(

Let ¯ be the derivation that shows ; . The only rule that could have

¯ £ ¯ ¯

been applied last in is COMPns , so the structure of is similar to that of , and

¥ ¥

)( % (

in particular there are sub-derivations that show % and . Then,

6 6

by induction, , and therefore, again by induction, .

¥ ¥ °

T °

WHILEns £ : Then while do , and is structured like

° °

° ± ° ±

¯ ¯

± ±

% )(

% © (

while do

¯ % ©

Let be the derivation that shows while do )( . Again, the only rule

£ ¯

that could have been applied last in ¯ is WHILEns , so the structure of is similar

% )(

to that of ¯ , and in particular there are sub-derivations that show and

% while do . Then, by induction, , and therefore, again by induc-

tion, .

Exercise 4.12 Complete this proof, i.e. write out the missing parts.

The meaning of statements can now be summarised as a (partial) function from State to

State.

ns Statements State Ö State

¥ ¥

w w

% )( [[ ]] if ns

6 undeﬁned otherwise

(

This notion is well-deﬁned, because the Natural Semantics, % , is deterministic.

5 5

Note: the above deﬁned function ns is truly partial, because ns [[while true do skip]] is undeﬁned.

5 Structural Operational Semantics

In Structural Operational Semantics, the emphasis lies on the individual steps of the execution

(evaluation of operators). It is deﬁned, as Natural Semantics, by means of transitions, but of

)(l0 ×

the shape: % . A difference between Natural and Structural Operational Semantics ×

lies in the fact that now the right-hand side of the transition, , need not be the ﬁnal state, but

% w w¢( w

can be an intermediate result. In other words: × is of the form or . The conﬁgurations

% )(

are the same as for the Natural Semantics. We say that a conﬁguration is stuck if there

% )(l0 × is no × such that .

We give the Structural Operational Semantics for While.

¢ ¢

Ï £

ASSsos £ SKIPsos

§6

)(l0 )(l0 %

% [[ ]] skip

¥ ¥ ¥

% (f0 % (l0 % (

¢ ¢

T I

COMP £ COMP

¥ ¥ ¥ ¥ ¥ ¥

sos ¥ sos

(f0 % ( % (l0 % w (

% ; ; ;

T [[ © ]] tt

¥ ¥ ¥

CONDsos £

% if then else

F [[ © ]] ff

¥ ¥ ¥

CONDsos £

% © % )(

if then else )(Ø0

¥ ¥ ¥

WHILEsos £

Example 5.1

I )(l0 I

% :=

] ]

I $ )(l0 %2$ I (

% := ; := :=

] ]

# #

I $ i )(l0 %2$ i I ( % := ; := ; := := ; :=

Using the above rules, it is also possible to derive this result with an even shorter derivation.

I )(l0 I

% :=

] ]

# #

I $ i )(l0 %2$ i I ( % := ; := ; := := ; :=

Exercise 5.2 Extend the While-language with the statement

£6 for to do

and deﬁne both the Natural Semantics and the Structural Operational Semantics of this new construct. You may need to assume that you have an ‘inverse’ to the semantic function for numerals, so that there is a numeral for each number that may arise during the computation. The sematics for the for -loop should not rely on the semantics of the while -loop.

Exercise 5.3 Prove that the SOS-style semantics for While are deterministic.

Exercise 5.4 Use the Natural Semantics of While to show that

¥ ¥ ¥ w ;if © then else

is semantically equivalent to

¥ ¥ ¥ ¥ w

if © then ; else ;

providing that © does not depend on any of the variables modiﬁed by .

Exercise 5.5 Prove that, for the While-language,

)

¥ ¥ ¥ ¥

w w

% )(Q0 % )(Q0 % ( b b implies ;

5.1 Sequences

X X U U

× × × × % )( × 0Ù×

A (possibly/ inﬁnite) number of conﬁgurations , such that ,

for every ÌY , is called a sequence of a statement in state .

¥ ¥

A derivation sequence of a statement in state is a sequence of in such that either

=Ú

the sequence is ﬁnite (of length ), and × is terminal or stuck, or S

the sequence is inﬁnite.

× Y × × × × 0vÛt×

We write 0 if there is a sequence of length form to , and if there

× 0 × × 0 × Û is a sequence of ﬁnite length. Notice that (or ) not necessarily represents

a derivation sequence, since that would require × to be terminal or stuck. Also, for each step in the sequence there is a derivation tree, as deﬁned by the rules above.

¥ ¥

% )( For a given and it is always possible to find 1 derivation sequence from : apply the axioms and rules forever until a configuration is either a terminal or stuck. By close inspection of the abstract syntax and the rules, it becomes clear that, for the language While, there are no stuck configurations for the Structural Operational Semantics. Since also the Structural Operational Semantics for While is deterministic (will be shown later), it becomes clear that there is only 1 derivation sequence for each configuration.

5.2 Some properties ¥

The execution of a statement in

terminates if and only if there is a ﬁnite derivation sequence of in .

loops if and only if there is an inﬁnite derivation sequence of in .

w % )(O0 w terminates successfully if there is a such that Û . NB: any terminating execution is also successful in While - this does not hold for some of the extensions to that language we will discuss later.

A statement ¥ always terminates (loops) if it terminates (loops) on all states.

¥ ¥

% (Q0 F

Theorem 5.6 If ; b , then there exists a state and natural numbers and

¥ ¥

X X

F % (Q0 Ü % (Q0 F F HjF bÝ

such that b and , and .

Proof : By induction on the length (called ) of derivation sequences.

¥ ¥ ¥ ¥

=:6

% (K0 % (f0 I)£ : If ; , then ; , so there should be a derivation

showing this result. By inspecting the rules, it becomes clear that this is not possible; of

¢ ¢

£ £

all the rules, only ASSsos and SKIPsos end with a single state, and neither is of the

¥ ¥

shape ; . So the result holds vacuously.

¥ ¥ ¥ ¥ ¥ ¥

=z¹

% (Q0lSO % (f0 % (Q0fS1Þ

I)£ : If ; , then ; , for some and .

g g g By inspecting the rules, there are just two possibilitiesg for the last rule applied in the derivation for the ﬁrst step. ¢ I

COMPsos £ : So the bottom-end of the derivation looks like:

¥ ¥

( % (l0 % w

)

¥ ¥ ¥ ¥

% (l0 % (

; ;

¥ ¥ ¥ ¥ ¥ ¥

% w w (Q0fS1Þ

and w ; , for some . In particular, we have ; . So, by

g g

= =

induction, there are and such that

¥ ¥

X X

=oº 6>= =

w S S1

% % (K0 I H (K0 Ý

, , and .

¥ ¥ ¥

X X

% (f0 % w % (Q0fS1 (Q0lS1Ü

Then also , so c . And we are done:

= = 6>= notice that H>IH . ¢ T

COMPsos £ : Then the derivation ends like:

% (l0

) )

¥ ¥ ¥

(l0 % (

% ;

= 6 = 6>=º I

and we are done: take I , and .

¥ ¥

We say that statements and are semantically equivalent if for all states :

¥ ¥

)(Q0vÛZ× % )(O0jÛh× × % if and only if whenever is a conﬁguration that is either stuck

or terminal, and

¥ ¥

there is an inﬁnite derivation sequence for in if and only if there is one for in .

Note that, in the ﬁrst case, the number of steps in the derivation sequence may be different.

As before, the meaning of statements can now be summarised as a (partial) function from

State to State.

sos Statements State Ö State

¥ ¥

w w

% )(O0jÛt [[ ]] if sos

6 undeﬁned otherwise

We can now express the equivalence of the Natural and Structural Operational semantics.

5 5

¥ ¥ ¥

Theorem 5.7 For every statement of While, ns [[ ]] 6 sos [[ ]], i.e., they are equal as

5 5

¥ ¥

functions, so, for every state , ns [[ ]] sos [[ ]] .

In other words: both terminate in the same ﬁnal state, or both loop. This result follows from

the following lemmae.

¥ ¥ ¥ ¥

(Q0 % ( % (K0 % b

Lemma 5.8 If b , then ; .

% (Q0

Proof : Induction over the structure of the derivation for b .

¥ ¥ ¥

% ( % (Q0

Lemma 5.9 For every statement and states and , implies Û .

So, if the execution of starting from state terminates in state in the Natural Semantics,

it will terminate in the same state in the Structural Operational Semantics.

(

Proof : By induction over the shape of the derivation tree for % . We only show one

case, the others follow by straightforward induction.

¥ ¥ ¥ ¥

( £ % % ( % (

) )

COMPns : ; because and . Then, by induction

¥ ¥ ¥ ¥ g g ¥

(K0 % ( % (K0 % (Q0 %

Û Û

(twice), we obtain Û and , so ; by

¥ ¥

g g g

% (Q0 0 Û Lemma 5.8, and the result ; Û then follows from the deﬁnition of .

Exercise 5.10 Finish this proof.

¥ ¥

F % (K0

Lemma 5.11 For every statement , and states and , and natural number , b

% (

implies . ¥

So, if the execution of from terminates in the structural operational semantics, it will

terminate in the same state in the natural semantics.

I % (K0vÛ

Proof : By induction on the length ( ) of the derivation sequence . We

¥ ¥ ¥ ¥

% (K0 % (l0 % (

focus on the ﬁrst step of b¾c . Let be such that and

¥ ¥

g g g g

% (K0 % (

b . Then, by induction, we can assume that .

¥ ¥

g g g g

(f0 % ( % (f0 ¯

Since % , by deﬁnition of , there is a derivation that shows

g ¥ this result. We will completeg the proof by cases on the structure of , analysing, if necessary,

what ¯ must be.

F I)£

f !

: There are only two cases to consider here.

¢ ¢ ¢

6 6

,£a£ ¯ £

:= : Then consists of rule ASSsos , and [[ ]] . Then

( we are done, since % := [[ ]] .

¢ ¢

6 6

¯ £ % ( skip £ : Then consists of rule SKIPsos , and . Notice that skip

F I)£

: The remaining cases are:

¢ ¢

¥ ¥ ¥ ¥ ¥

££ (K0 %

; : By Theorem 5.6 ; b implies that there exists a state

F F I

and natural numbers and (both ) such that

¥ ¥

X X

% (K0 Ü % (Q0 F F HjF

b b

and , and .

¥ ¥ ¥ ¥

X X

( % ( % (

Then, by induction, % and , so also ; , by

rule COMPns .

¢ ¢

¥ ¥ ¥

6 6

if then else : We have to distinguish two cases: [[ ]] tt, or ¢

T ¥

[[ ]] ff. In the ﬁrst case, ﬁnishes with rule CONDsos , so b ,

¥ ¥

¥ T

6 6

% ( £

, and . Since, by induction, , by rule CONDns , also

g g

)

¥ ¥

( ©

% if then else

The second case, [[ ]] ff, is similar.

¢ ¢ ¢

¥ ¥

££ ¯ £

while © do : Then consists of nothing but rule WHILEsos , and

)

¥ ¥ ¥

% ( % © © £ (Q0

if then ;while do else skip b

g g g

and, by induction,

¥ ¥

% if then ;while do else skip

¥ ¥

We have seen before that the statements ‘if © then ;while do else skip’ ¥

and ‘while © do ’ are equivalent for Natural Semantics. So also

( ©

% while do

Now we can come back to the proof of the theorem: For an arbitrary statement and state

5 5

¥ ¥

6 6

it follows from Lemma 5.9 and 5.11 that if ns [[ ]] , then sos [[ ]] , and vice

5 5

¥ ¥ versa. Thus ns [[ ]] 6 sos [[ ]]. So, if one is defined on a state, then so is the other, and, therefore, if one is not defined on a state, then neither is the other. NB: This proof approach would need modification for a non-deterministic language.

6 Provably correct implementation

We will now focus on the definition of an abstract machine (language), and the definition of a translation (compilation) of programs in While to programs for this abstract machine. The goal of this new approach will be to define a new semantics for While via this translation, and prove that this translation respects both the Natural and Structural Operational Semantics we have seen before. In this way, we will prove the ‘compiler’ defined here to be correct.

While

Compilation ß

Assembly language

30 The steps we will focus on are:

Deﬁne the meaning of the abstract machine instructions.

Deﬁne the translation functions.

In this context, the problem of correctness is formulated by: if we translate a program

written in While into a program written in the abstract machine language and execute that 5

code on the abstract machine, we get the same result - a state - as was speciﬁed by ns or

sos.

Ã )(

The abstract machine AM has conﬁgurations %^à where

à is the code (sequence of instructions) to be executed,

ØÃ is the evaluation stack, and

is the storage.

The evaluation stack is a new feature that can be seen as an inﬁnite list; its elements are either in ZZ or in TT, and therefore the stack is a semantic entity. It is used to evaluate arithmetic

and boolean expressions:

£ N Stack ZZ TT Û The idea is that, while establishing the semantics of expressions, you put the semantics of

subexpressions onto the stack; it is used to store intermediate results. We also have N State, as before.

6.1 The abstract machine language The deﬁnition of the abstract machine programming language is very much like the deﬁnition of While above. The difference lies in the fact that the statements themselves are more ‘primitive’, e.g. they explicitly deal with stack handling. The syntactic categories are:

inst N Machine Instructions

N à Code sequence of instructions

The abstract syntax is deﬁned by:

¦§6 º=

inst PUSH ADD MULT SUB TRUE FALSE EQ LE AND NEG

¢ ¢

º º

à£ à à £

FETCH STORE NOOP BRANCH à LOOP

¦§6

Â¸ à

à inst

= º= º Notice that, for every there is an instruction PUSH , and, likewise, there are many FETCH

and STORE º instructions. As mentioned above, we will deﬁne our machine semantics (translation from programs in

While to programs in Code) using the following conﬁgurations:

[ [

)( N

%^à Code Stack State

)( à We call %^à terminal if , i.e. if there is no more instruction to execute.

The transition relation ¹ is deﬁned over pairs of conﬁgurations

Ã Ã

%^à )( %^àÔw w w¢(

and specifies how to execute instructions. (Notice that, in these configurations, only the first

component à is syntactic: is a list in ZZ TT, which is semantic, and is a mapping from

syntactic to semantic entities.) It is formally deﬁned by:

Ã Ã

º=z ¹ =

à )( %dà É )(

% PUSH [[ ]]

# # Ã # # Ã

à )( %dà H )(

% ADD

# # Ã # # Ã

¹ º

% )( %dà )(

SUB à

# # Ã # # Ã

¹ [

à )( %dà )(

% MULT

Ã Ã

à )( %dà )(

% TRUE tt

Ã Ã

% )( %dà )(

FALSE à ff

# # Ã # # Ã # #

¹ 6

à )( %dà £ )( N

% EQ if ZZ

# # Ã # # Ã # #

à )( %dà £ )( N

% LE if ZZ

Ã Ã

)( )( à © © %dà © © £ © © N

% AND & if TT

Ã Ã

)( % à © %dà )( ©hN

NEG © if TT

Ã Ã

º ¹

)( à )( %dà £

% FETCH

Ó !

# Ã Ã #

º ¹

% )( %dà (

STORE à

Ã Ã

% )( %dà )(

NOOP à

Ã Ã

¹ 6

)( à à £ à © %dà à )( ©

% BRANCH if tt

Ã Ã

¹ 6

)( à à £ à © %dà à )( ©

% BRANCH if ff

¢ ¢ ¢

Ã Ã

à £ à )( à £ à %dà à à £ à )(

% LOOP BRANCH LOOP NOOP

The last rule needs some commments. The LOOP-instruction has two operands, that inten-

tionally are: a boolean à and a statement (notice that the syntax is not speciﬁc here; in

¢ £

fact, also LOOP I TRUE is a correct program, although it will not execute much). As can be

expected, the boolean decides on whether or not the statement will be executed. However, the

à à

boolean needs to be evaluated ﬁrst, before, using BRANCH, we can decide to execute or not. So we put à at the head of the code, which forces its evaluation on the stack. By the time

that is ﬁnished, BRANCH will ﬁnd the semantic representation of à (either tt or ff) on top of the stack, and will act accordingly.

Since the deﬁnition of ¹ follows the (intended) execution of the programs written in the

abstract machine language, the definition of ¹ gives an SOS-style semantics for programs in AM. We can define a computation sequence by analogy to a derivation sequence. We will use the convention that initial configurations always have an empty evaluation stack.

Example 6.1 Take the code

º º º

PUSH I FETCH ADD STORE

i and such that , then

º º º ¹

I )(

% PUSH FETCH ADD STORE

º º ¹

I )(

% FETCH ADD STORE

º ¹

i I )(

% ADD STORE

B !

º ¹

» Â Â »

% % ( STORE )(

Notice that, as for the Natural and the Structural Operational Semantics, some conﬁgura-

tion sequences are inﬁnite: LOOP (TRUE, NOOP) is non-terminating. On the other hand, it is

Â )( now possible for a conﬁguration to not ﬁt any of the rules: for example, % ADD is stuck. But then again, we will only be interested in code obtained by translating programs, so this particular problem never appears.

Exercise 6.2 Specify how to generate code for a for-loop for the abstract machine, AM. You may have to extend the instruction set; you should specify the semantics of any new instructions.

Exercise 6.3 AM refers to variables by their names rather than by their address. The abstract

machine AM differs from AM in that

? ?

%dà (

i) The conﬁgurations have the form where , the memory, is a ﬁnite list of values;

º º= º=

ii) The instructions FETCH º and STORE are replaced by instructions GET and PUT

= !

where is a natural number (an address).

= =

Specify the operational semantics of the machine. You may write ? to select the -th value

= ? in the list ? (where is positive but less than or equal to the length of ). What happens if we reference an address that is outside the memory?

By analogy with the SOS-style semantics of While we can prove properties of AM by

induction on the length of computation sequences.

) )

Ã Ã Ã Ã Ã Ã

¹ ¹

w w w w w w

( )( %^à )( %^à %^à à %dà à ( b

Lemma 6.4 If b , then ¹

Proof : By cases, using the deﬁnition of . Notice that none of the cases in the deﬁnition of ¹

specify anything but the ﬁrst instruction in à .

º=

PUSH : Since

Ã Ã

º=z ¹ =

( à )( %^à É % PUSH [[ ]]

by the ﬁrst line of the deﬁnition, by that same line also

Ã Ã Ã Ã

º=z ¹ =

à à )( %dà à É ( % PUSH [[ ]]

The other cases are similar.

Ã Ã Ã

¹ 6

%^à à ( % ( F F F HqF

Lemma 6.5 If b , then there are and such that

g g

Ã Ã Ã Ã

¹ ¹

Â Â

%^à ( % ( %dà ( % ( F

Ý b

, and b and .

g g

Proof : (Notice that we have proven a similar result for Natural Semantics.) By induction on

the length of computation sequences.

¢ ]

F £ à à

: Then both and are elementary instructions, and the proof follows from the

¹ 6 6

F I deﬁnition of , and F .

Ã Ã Ã

¹ ¹

w Â w w

F I)£ %dà à ( % ( à

: If b , then there are such that

g g

)

Ã Ã Ã Ã

¹ ¹

w w w w w w Þ Â

( ( à à %dà à ( %dà %^à % (

and b

g g

6 º

Fkw Fkw w Fw HØFw F I

Then, by induction, there are w such that , and

)

Ã Ã Ã Ã

¹ ¹

w w w Â w w Â w w

( ( ( %^à % %dà % (

bá baá

and Ý

g g

Then, by deﬁnition of ¹ , we also have:

Ã Ã Ã Ã

¹ ¹eâ

w ( w w ( ( %^àÔw %dà ( % w

%dà , so also

Ã Ã

6 6 6 6

w w w w

HpI F F F

So take F , and , and .

Theorem 6.6 The machine semantics is deterministic:

¹ ¹ 6

× × × × × × × ×

For all × , if and , then .

g g g Proof : Exercise.

Using the definitions and results above, we can now approach the main result for the AM. To this end, we will first define a semantics for elements of Code, define a suitable translation of programs in While to instructions in Code, and show that the translation is correct, in the sense that both a program in While and its translation in Code are mapped onto the same

state. The meaning of a sequence of instructions can be expressed as a partial function from

State to State.

sos Code State Ö State

6 ¹

w w Â Â Â

( %^à )( %

[[ à ]] if

6 undeﬁned otherwise

6.2 Translation of expressions To deﬁne our translation, we start by deﬁning the translation of Arithmetic Expressions into

Code:

Ï ä

Arithmetic Expressions Code

6 º=

[[ = ]] PUSH

ä º

[[ ]] 6 FETCH

Ï Ï Ï

ä ä ä

[[ ]] [[ ]] [[ ]] ADD

Ï Ï Ï

ä ä ä

º 6

[[ ]] [[ ]] [[ ]] SUB

Ï Ï Ï

ä ä ä

[ 6

[[ ]] [[ ]] [[ ]] MULT

Notice the inversion of and .

Next, we deﬁne the translation of Boolean Expressions into Code:

Boolean Expressions Code

Ò ä

[[true]] 6 TRUE

Ò ä

[[false]] 6 FALSE

Ï Ï

ä ä ä

6 6

[[ ]] [[ ]] [[ ]] EQ

Ï Ï

ä ä ä

[[ ]] [[ ]] [[ ]] LE

Ò Ò

ä ä

Á ©

Ò Ò Ò

ä ä ä

6.3 Translation of statements

We ﬁnish by deﬁning the translation of Statements into Code:

äa5

Statements Code

ä¾5 ä

6 º

[[ := ]] [[ ]] STORE ä¾5

[[skip]] 6 NOOP

ä¾5 ä¾5 ä¾5

¥ ¥ ¥ ¥

[[ ; ]] 6 [[ ]] [[ ]]

ä¾5 ä ä¾5 ä¾5

¥ ¥ ¥ ¥

[[if © then else ]] [[ ]] BRANCH [[ ]] [[ ]]

äa5 ä ä¾5

¥ ¥

© £ [[while © do ]] LOOP [[ ]] [[ ]] These definitions open the way to define a new semantics for elements of Statements. The meaning of a statement ¥ can now be obtained by first translating it into code for AM and

next executing the code on the abstract machine:

am Statements State Ö State

5 ä5 7

am 6

5 ä5

¥ ¥

6 7 so am [[ ]] [[ ]] £ .

Exercise 6.7 Use ä¾5 to generate code for the statement:

# # #

$Õ $G£

:= ;while do := HAI ; :=

I $ Trace + the computation of the code starting from a storage where has value and has value .

Exercise 6.8 Let AM w be as in Exercise 6.3. Modify the code generation so as to translate w While into code for the abstract machine AM . You may assume the existence of a function

env Variables IN that maps variables to their addresses.

Exercise 6.9 Prove that the code generated for AM w by the previous exercise is correct. What assumptions do you need to make about env?

6.4 Correctness of translation

Correctness for the machine semantics of elements of Statements is expressed by:

5 5

ns 6 am

5 5

sos 6 am These two results need proof, and express that, if we first translate a statement into code for AM and the execute that code, we must obtain the same result as specified by the operational semantics for While. In proving this result, we will deal with expressions and statements separately: we will first

show

Ï Ï

Â Â

% )( % )(

[[ ]] Û [[ ]] Ò

Ò and

Â Â

and use these results to show

5 5

¥ ¥

ns [[ ]] 6 am [[ ]]

6.5 Correctness for expressions Correctness of the translation from While into the Abstract Machine Language, restricted to

the set of Arithmetic Expressions is formulated by:

Ï Ï

Â Â

)( % % )( Theorem 6.10 [[ ]] Û [[ ]]

Proof : By induction on the structure of arithmetic expressions. We illustrate three cases:

= = 6 º=

i) . Then [[ ]] PUSH . Notice that

º= ¹ =

Â Â

É )( % )(

% PUSH [[ ]]

= 6 =

and that [[ ]] [[ ]]. So we’re done.

6 º

ii) . Then [[ ]] FETCH . Notice that

B B

º ¹

Â Â

)( )( %

% FETCH

and that [[ ]] . So we’re done.

Ï Ï Ï

ä ä ä

H³ Hf

iii) . Then [[ ]] [[ ]] [[ ]] ADD. By induction we can

assume:

Ï Ï

Â Â

% )( % )(

[[ ]] Û [[ ]] and

Ï Ï

Â Â

)( Û % )( % [[ ]] [[ ]]

Using Lemma 6.4, we get:

Hl )(

% [[ ]]

Ï Ï

ä ä

% )(

[[ ]] [[ ]] ADD Û By Lemma 6.4 and induction

Ï Ï

% )(

[[ ]] ADD [[ ]] Û By Lemma 6.4 and induction

Ï Ï

ADD [[ ]] [[ ]] )(

Ï Ï Ï

Â Â

tH )( % Hf )( % [[ ]] [[ ]] [[ ]]

Booleans are dealt with in a similar way.

36 6.6 Correctness for Statements

For every statement ¥ of While we have to show:

5 5

ns 6 am

This equality expresses two properties:

If the execution of from some state terminates in one of the semantics, then it also

terminates in the other semantics and the resulting states will be equal.

Furthermore, if the execution of from some state loops in one of the semantics, if will

also loop in the other.

( We will start our proof by showing that, if the Natural Semantics for % is , then

also the Machine Semantics gives (i.e. after translation, also the obtained code evaluates to) a

conﬁguration with state .

Lemma 6.11 For every statement and states and ,

ä¾5

¥ ¥

Â Â Â

( ( ( % Û% if % , then [[ ]]

Proof : By induction on the structure of derivation trees in Natural Semantics. We cover three

of the cases:

6 6

ASSns £ : Then := , and [[ ]] . By deﬁnition of CS,

ä¾5 ä

6 º [[ := ]] [[ ]] STORE

and by correctness of the translation for Arithmetic Expressions, Theorem 6.10 we have

Ï Ï

Â Â

% ( % ( [[ ]] Û [[ ]]

Thus (using Lemma 6.4)

B B

Ï Ï

º ¹ º

( Û % (

% [[ ]] STORE STORE [[ ]]

Â Â

(

% [[ ]]

and we’re done.

¥ ¥ ¥ ¥ ¥ ¥ ¥

% ( % (

COMPns £ : Then ; , and , for some , and .

g g g

Now

ä¾5 ä¾5 ä¾5

¥ ¥ ¥ ¥ [[ ; ]] 6 [[ ]] [[ ]]

By induction, we can assume both

ä¾5

Â Â Â

% % ( (

[[ ]] Û g

and

ä¾5

Â Â Â

% ( % (

[[ ]] Û g

Thus (using Lemma 6.4)

äa5 ä¾5 ä¾5

¥ ¥ ¥

Â Â

( Û % (

% [[ ]] [[ ]] [[ ]]

Â Â

% ( Û

and we’re done.

¥ ¥

T ¥

WHILEns £ : Then while do and there exists an such that and

g g

% while do . Since

ä¾5 ä ä¾5

¥ ¥

we can assume, using induction, that

ä¾5

Â Â Â

( Û % (

% [[ ]] g

Ò and

ä¾5 ä

Â Â Â

% © £ ( % (

LOOP [[ ]] [[ ]] Û

ä ä¾5

Â Â Â

Now

ä ä¾5

% LOOP [[ ]] [[ ]]

Ò Ò

¢ ¢

ä äa5 ä ä¾5

¥ ¥

% [[ ]] BRANCH [[ ]] LOOP [[ ]] [[ ]] NOOP

Ò Ò

¢ ¢

äa5 ä ä¾5

¥ ¥

% © £ £ © (

Û BRANCH [[ ]] LOOP [[ ]] [[ ]] NOOP [[ ]]

ä¾5 ä ä¾5

¥ ¥

Now, using the results we can assume by induction, and Lemma 6.4, we get

ä¾5 ä¾5 ä

¥ ¥

% © £ (

[[ ]] LOOP [[ ]] [[ ]] Û

ä ä¾5

Â Â Â

% LOOP [[ ]] [[ ]] g

Exercise 6.12 Finish this proof.

In the second part of our proof we will show that, if the Machine Semantics of a conﬁgura-

tion with a translation for statement and state returns a conﬁguration with state , then

(

also the Natural Semantics for % is .

ä¾5

¥ ¥

Â Â

( ( % %

Lemma 6.13 For every statement , states : if [[ ]] b , then

(

% .

Proof : By Complete Induction on the number of steps; we only show part of the proof.

¢ ¢

ä¾5 ä

6 º

,£

Base Case £ : := : Remember that [[ := ]] [[ ]] STORE , so

º ¹

Â Â

% ( % (å

[[ ]] STORE b

Ã F

then, by Lemma 6.5, there are F , and such that

Â Â

% ( % (

[[ ]] b

g g

Ã Ã

º ¹

( % ( % Ý

STORE b

)

g g

F F HØF

6 6

æ !

But, by correctness of expressions, we have [[ ]] and . Therefore,

g g

6 6 ¹ º

[[ ]] and by the deﬁnition of , case STORE . To

(

conclude, notice that % := [[ ]] .

¢ ¥

Inductive Case £ : We distinguish the following cases for :

¢ ¢

ä¾5 ä ä¾5

¥ ¥ ¥

£ © © £

while © do : Notice that [[while do ]] LOOP [[ ]] [[ ]] , so

ä ä¾5

Â Â

% © £ ( % (å LOOP [[ ]] [[ ]] b

Then, the deﬁnition of ¹ , case LOOP:

ä¾5 ä

% LOOP [[ ]] [[ ]]

Ò Ò

¢ ¢

ä ä¾5 ä ä¾5

¥ ¥

% [[ ]] BRANCH [[ ]] LOOP [[ ]] [[ ]] NOOP

Þ % (

F F

Again by Lemma 6.5, there are such that

g g

Â Â

% © ( % (

[[ ]] b

g g

¢ ¢

ä¾5 ä ä¾5

¥ ¥

Ã Ã

% © £ £ ( % (

BRANCH [[ ]] LOOP [[ ]] [[ ]] NOOP bÝ

g g

º 6

F I F HjF

6 6

Thus [[ ]] , and there are two cases to consider:

g g

Â Â Â

( ( %

% NOOP

Ã F

6 6 6

£ ©

So and . Using rule WHILEns , and that [[ ]] ff, we get the

( % ©

Ò desired result: while do .

¢ ¢

ä¾5 ä¾5 ä

¥ ¥

% BRANCH [[ ]] LOOP [[ ]] [[ ]] NOOP

Ò tt

ä¾5 ä ä¾5

¥ ¥

% [[ ]] LOOP [[ ]] [[ ]]

Â Â

( Þ %

F F

Now, again by Lemma 6.5, we have , and such that

g g g

ä¾5

Â Â

( % ( %

[[ ]] bç

g g

ä¾5 ä

Ã Ã

% ( © £ ( %

LOOP [[ ]] [[ ]] bÝ

g g

F F HjF g

Notice that both instructions are obtained by translation (the ﬁrst from ¥ , the ¥

second from while © do ), and that the computation sequences involved are of

length smaller than F , so by induction (ﬁnally), we can assume

¥ ¥

% ( % © (

and while do

g g

¢ T The desired result follows from these two by applying rule WHILEns £ .

Exercise 6.14 Finish this proof, i.e. add the missing cases. 5

We could have used sos instead - the proof for equivalence might have been easier because

5 5 both sos and am focus on single steps.

7 Denotational Semantics ¡

In the operational approach we were interested in how a program is executed. In the denota-

¢ £ tional approach we are interested in the effect, in terms of functions of type State Ö State , of executing a program. The basic idea is:

Deﬁne a semantic function for each syntactic category - it maps each syntactic construct to a mathematical object (which describes the effect of executing the construct).

In Denotational Semantics, the semantic functions are deﬁned compositionally:

there is a semantic clause for each of the basic elements of the syntactic category.

for each method of constructing a composite element there is a semantic clause deﬁned in

terms of the semantic function applied to the immediate constituents of the composite element.

Ï 5

We have seen examples of denotational semantics before: , , and non-examples: ns, 5 sos. When deﬁning semantics for While as a function from State to State, certain cases are

easy to deal with, and we can deﬁne the meaning of a statement ¥ as a (partial) function from

State to State:

ds Statements State Ö State

Ó !

ds [[ := ]] [[ ]] 5

[[skip]] 6 id

5 5 5

¥ ¥ ¥ ¥ 7

[[ ; ]] 6 [[ ]] [[ ]]

ds ds ds

5 5 5

¥ ¥ ¥ ¥

ds [[if © then else ]] cond [[ ]] ds [[ ]] ds [[ ]]

¥ 6

ds [[while © do ]] Problematic . . .

5 ¥

Before coming to formulating the problem behind the ‘ ds [[while © do ]]’, we focus on

some of the notation introduced. In the above deﬁnition, id is the identity function on states.

5 5 5 Notice that ds is partial for the same reasons as hold for the partiality of ns and sos; for this reason, the part above that deals with composition of statements has to deal with the fact

that perhaps one of the two functions involved is not deﬁned. This implies that, formally

5 5 5

¥ ¥ ¥ ¥

6 7 £G

[[ ; ]] [[ ]] [[ ]]

ds ds ds

5 5

¥ ¥ 6

[[ ]] [[ ]] )£

ds ds

èé

é ¥

é if there exists an such that [[ ]] ,

é ds

ê and ds [[ ]] .

é undeﬁned if [[ ]] undeﬁned, or if there exists an

é ds

éë

such that ds [[ ]] , but

¥ 6 ds [[ ]] undeﬁned. The conditional function cond used above is deﬁned very much like the AM instruction

BRANCH we have seen before:

¢ ¢ ¢ ¢

[ [

Ö £ Ö £ Ö £ cond State TT £ State State State State State State

ì ì

)

¢2ì ì ì

ë if tt

£G ì

cond ì

if ff g

Notice that the denotational semantics for Boolean Expressions is a total function, i.e. is al-

ways deﬁned; therefore, the meaning of a conditional is ‘undeﬁned’ if either the predicate is

5 5

¥ ¥

true, and ds [[ ]] is ‘undeﬁned’, or the predicate is false and ds [[ ]] is ‘undeﬁned’.

The major task in the deﬁnition of Denotational Semantics for While is to deﬁne the effect ¥

of ‘while © do ’. In view of previous results, however we deﬁne it, it should be equal to the

¥ ¥

effect of ‘if © then ;while do else skip’ and therefore:

5 5

¥ ¥ ¥

[[while © do ]] [[if then ;while do else skip]]

ds ds

5 5

¥ ¥

cond Ò

ds ds

5 5

¥ ¥

6 7

Notice that this analysis does not brings us any closer to understanding what the denota-

¥ ¥ © tional semantics of ‘while © do ’ is supposed to be: ds [[while do ]] appears in exactly the same form in the expression on the right, and is not expressed, for example, as the composition of already deﬁned functions. The main problem to tackle is to deﬁne a notion of function and to set up the right mathematical context to give a solution for this equation.

Let’s have a closer look at the above expression. Assume that the denotational semantics

í í

for ‘while © do ’ is a function . Then the equation above expresses that this should at

least satisfy:

7 6

í © £

í cond [[ ]] ds [[ ]] id

Focus on the right-hand term of this equation. Replace í by and notice that we can now

deﬁne a functional î as follows:

7 6

î cond [[ ]] ds [[ ]] id î

We can see that the function í we are looking for is a special kind of input for : when we

í í

apply î to , we get !

6 7 6

îOí cond [[ ]] ds [[ ]] id

ï ïÐ$ $ This special property has a name: we call a point $ a ﬁxed point of a function , if .

So, to reformulate the above:

5 5

¥ ¥

6 7

î îOí © í £ ds [[while © do ]] is a ﬁxed point of , where cond [[ ]] ds [[ ]] id .

Again, this property is just natural since any reasonable semantics should give the same mean-

¥ ¥ ¥

ing to ‘while © do ’ and ‘if then ;while do else skip’.

Example 7.1 Fixed points of functions do exist:

í I í I í

Take , with ZZ/ ZZ, then is a ﬁxed point of .

]

6 [ í Take í , then is a ﬁxed point of .

Exercise 7.2 Determine the functional î , associated with:

¢ ¢

6 [ º

I£ $ I)£ while do $ := ; :=

Determine at least two different ﬁxed points for î .

We will develop a context where every function will have a ﬁxed point, and even deﬁne a í

special function that, given an input function í , constructs the ﬁxed point of . We will call r this function Fix. The intention is to construct ﬁxed points for functions like î above, so there

Fix would be of type:

¢ ¢ ¢

£ Ö £ Ö £

Fix State Ö State State State State State î

and, of course, the intention is that Fix î is a ﬁxed point of :

îm£ î î Fix Fix

In general, the ﬁxed point construction follows the following general scheme. Let í be

deﬁned by

6 í í ‘some expression in which’ ‘appears’

then we can deﬁne î by:

ì ì 6 î ‘some expression in which’ ‘appears’

and the solution for the ﬁrst equation is then Fix î .

The intended types for the functions mentioned are:

fñ

Ùð í

í ( is a function)

lñ lñ

ð ð

î £

Øñ lñ lñ

¢¢

ð ð ð £ Fix £

Unfortunately, this does not sufﬁce:

There are functionals which have more than one ﬁxed point. For example, the function

Ãò

6 6 º

í I

í has inﬁnitely many ﬁxed points, and has two.

ì ì

There are functionals which have no ﬁxed points at all. For example, let 9 , and

deﬁne by:

ì ì ì

6 ì

ë if

6 ó ì otherwise

Our solution to these two problems is:

to impose requirements on the ﬁxed points such that there is at most one ﬁxed point satisfying them.

to establish a framework such that every functional does have at least one ﬁxed point satisfying the requirements.

42 7.1 Fixed Point Construction Before we come to a formalisation of the problem and its solution, we again have a look at the

problem. Remember that we want the denotational semantics to satisfy:

5 5 5

¥ ¥ ¥

6 7

ds [[while © do ]] cond [[ ]] ds [[while do ]] ds [[ ]] id

¥ í

Therefore, ds [[while © do ]] should be a function such that (using the deﬁnitions above):

7 6

í © £

í cond [[ ]] [[ ]] id Ò

7 6

£ ©

í [[ ]] [[ ]] ë

if Ò tt

if [[ ]] ff

î î

We observed that, therefore, ds [[while © do ]] should be a ﬁxed point of , where is Ò

deﬁned by:

7 6

£G © í [[ ]] [[ ]]

ë tt

if Ò

îOí

if [[ ]] ff

6 Á Example 7.3 Take the While program ‘while £ do skip’. The intended semantics

for this program, using the construction discussed above, í , viewed as a function from State

to State, has the following behaviour:

¢ ¢

6 6 7

£ í £G í [[ ]]

cond Ò id id

¢ ¢

6 6

í £

cond [[ £ ]] id

í 9

ë if

Since í reappears on the right-hand side, we have to use a ﬁxed point construction to ﬁnd

í . As suggested above, we write

íK 9

ë if

î¤íô

Now, once we have a ﬁxed point for î , we have a solution for our problem. Well, notice

that è

ë undeﬁned if

is a ﬁxed point of :

9 ï

ë if

î¤ï

ë undeﬁned if

6 ïe

Ö î

Notice that, if í is supposed to be a function of type State State, then this is of type

¢ ¢

£ Ö £ îOí Ö

State Ö State State State . In particular, is a function of type State State, so

îOí íw î íw íw w there is some íw such that . We can now apply to to obtain , and so forth, ad inﬁnitum. We will look at a few example statements, and try to establish their semantics, guided by

our intuition. The idea is to approach the ﬁnal, looked-for solution, but approximating it.

X í

We will start with the ﬁrst approximation , the function that carries no information, i.e. is nowhere deﬁned. We will use that function to build the second approximation í , and that to

build the third í , etc., until we have reached the solution.

Example 7.4 Take ‘while true do skip’. Following the above deﬁnition, we get:

6 7

í £G

îOí cond [[true]] [[skip]] id Ò

7 6

£G

í [[skip]] [[true]] ë

if Ò tt

if [[true]] ff

7 6

í £

ë id if tt tt

6 6

if tt ff

X X X X

6 6

îmí í í î

Take í undeﬁned, for all . Notice that , so is a ﬁxed point of . Moreover, X í is the intended semantics for ‘while true do skip’, i.e. the semantics you would want it

to have. Notice that, however, all functions are ﬁxed points of î ; therefore, we need a process X that chooses í amongst all these solutions: it should put the least restrictions on the resulting

function, and select the ‘most undeﬁned function’.

/ +

Example 7.5 Take ‘while 6 do := ’. Following the above deﬁnition, we get:

/ +

6 6 7

í £G

îOí cond [[ ]] [[ := ]] id

+ /

6 7 6

£G

í [[ := ]] [[ ]] ë

if Ò tt

6 6

if [[ ]] ff

+)! /

í £

ë if

Take í undeﬁned, for all . Then

+)! /

í £

ë if

6 6

í îmí

ë undeﬁned if

9 if

+1! /

and è

í £

ë if

6 6

í îOí

Ó +1! /

èé

ë undeﬁned if

Ó +1! /÷ö ø +)!õ

ê 6

ë if

+)!d /

ë if

9 if

applying the construction again, we get:

+)! /

í £

ë if

6 6

í îOí

+)!§ +)! +1! /

ë if

ö ø

+)!õ +1! /

ê 6

9 ë

é if

/ Ó +1!d

ë if

/ +

6 6

í í í / î +

So , and, therefore, is a ﬁxed point of . Moreover, since ‘while do := ’

/ +

is essentially the same as ‘ if then := else skip’ which has exactly as 6

semantics, we can see that í is the intended semantics for ‘while do := ’.

¹ º

Example 7.6 Now take ‘while do := I ’. Following the above deﬁnition, we

get:

6 ¹ 7 º

í I £G

îmí cond [[ ]] [[ := ]] id

7 º ¹ 6

í I

[[ := ]] £G [[ ]] ë

if Ò tt

¹ 6

if [[ ]] ff

/ !

¢ ¢

¹ º

í I£ £

ë if

Take í undeﬁned, for all . Then

/ !

¢ ¢

¹ º

í I£ £

ë if

6 6

í îOí

ë undeﬁned if

and

! /

¢ ¢

º ¹

í I)£ £

ë if

6 6

í îOí

! /

º ¹

I£

ë undeﬁned if

!d ! /æö

¢ if

º º

I£ I£ ë

é if

èé

¹ I

undeﬁned if

Í/!d

éë

Applying the construction again, we get:

!d /

º ¹

í I£

ë if

6 6

í îOí

Ó !

é é

º ¹

I)£ I

é /

undeﬁned if

J ! ÓÍ/1!õ Ó !

¢ ¢

é é

º º 6

é é

I)£ I)£ I

if if

J !d Ó ! /

¢ ¢

º º

I)£ I)£

èé

]

é ¹

undeﬁned if

/1!õ

]

and

!d /

º ¹

í I£

ë if

6 6

í îOí

Ó !

èé

èé é

¢ ]

é é

º ¹

I)£

é /

undeﬁned if

J ! ÓÍ/1!õ Ó !

¢ ¢ ]

é é

º º 6

éë é

I)£ I)£ I

if if

J !d Ó ! /

¢ ¢

º º

éë

I)£ I)£

èé

]

é ¹

undeﬁned if

/1!õ

]

I i

Continuing this construction, after the = -th step we get:

é ¹j=

undeﬁned if

/1!d

6 =

í éë

If we continue ad inﬁnitum, we will obtain the function

/1!õ /

ë if

í)úû

¹ º which is exactly the intended semantics for ‘while do := I ’.

These last three examples share one property: for each, we constructed the functional î

that underlies the deﬁnition of the semantics of the loop, and starting from í undeﬁned,

after performing sufﬁciently many steps, we obtained a ﬁxed point for î , that also gives us the intended semantics. Below, we will show that this is no coincidence: we will give the mathematical framework that shows and guarantees that this construction is always successful. We will now formalise the requirements on Fix.

7.2 Partial order relations

Above, starting from í undeﬁned, we constructed a sequence of functions that eventually give us a ﬁxed point for the underlying functional. Close inspection of this sequence shows

that each iteration of the production process gives a result that has gained information, i.e. each

of these functions shows that each new function created is a true extension of the previous, in

í í

the sense that if í is deﬁned, then so is , and then their values coincide. So is

S S S

c c

identical to í whenever the latter is deﬁned, but is perhaps deﬁned on a larger set. Such a S

relation will be deﬁned formally below as a partial order r elation on functions.

We deﬁne an ordering, ü , on the function space State State, such that:

ì ì

means that

ì ì

6 6

if then

which expresses two properties:

ì ì ì the domain of (i.e. the set where is deﬁned) is a subset of the domain of (the

converse need not hold), and

ì ì ì and are identical on the domain of .

Example 7.7

Take then

ý þ

ë if

undeﬁned otherwise ì1Æ

þ ý

ë if

g undeﬁned otherwise

ìÆ

ë if

6 undeﬁned otherwise

7.3 Partial Ordered Set

We will have a closer look at the relation ü on State State . A partial ordered set

%d¯ (

(poset) is a pair ü such that

ÿqüØÿ LÿôNy¯ (Reﬂexivity)

)

ÿ ÿ Ny¯ ÿ üjÿ ÿ üjÿ 0 ÿ üjÿ

Lÿ & (Transitivity)

g g g

Lÿ ÿ Ny¯ ÿ ÿ ÿ ÿ 0 ÿ ÿ ü

ü & (Anti-symmetry)

üjÿ ÿ ÿ ÿKNy¯

If ÿ , we say that approximates . An element satisfying

w w

Lÿ Ny¯ ÿqüjÿ

is called a least element of ¯ : it is said to contain no information.

üÌ(

Exercise 7.8 If a partially ordered set %d¯ has a least element, then it is unique.

¢¡

We often denote the least element of ¯ by or just (pronounced ‘bottom’).

6 Ñ

Exercise 7.9 Let 9 and deﬁne

¢ <¤£ £

¥ ¥

6 @

{ £ u

£ uô( Then %{ is a poset.

Lemma 7.10 The space of partial functions from State to State, with ü as deﬁned above, is

a poset, and the nowhere deﬁned function is its least element , so, for all states ¦

State ¥ State

, undeﬁned. ¦ State ¥ State

Proof : We have to verify the three conditions:

¢ ì ì ì

£ ü N Ö

Reﬂexivity : Clearly , for all State State.

¢ ì ì ì ì

£ ü ü ü Ö

Transitivity : Assume , and . Then by deﬁnition of on State State, if

ì ì ì ì ì ì

6 6 6 6 6 6

w w w w w w

, then , and if , then . So, if , then ,

ì ì

g g

so .

¢ ì ì ì ì ì ì

6 6

£ ü ü w w

Anti-symmetry : Assume , and . Then, if , then , and if

ì ì ì ì ì ì

6 6 6 6

w w w w

, then . So if and only if , so and coincide, and

are actually the same function.

6 í

That the function ‘ í undeﬁned’ is least can be understood by the fact that, for this , if

ì ì

6 6

w w

íô , then holds for all , since the condition is always false.

Notice that the least element of the function space is also called ( to be

¥ ¦ ì

ì State State

Ö ü

precise). So, for all N State State, . ¦ State ¥ State

We can now give a more precise statement of the requirements we want Fix î to satisfy:

îO£ î

î Fix Fix .

ì ì ì ì

î î î î

Fix is a least ﬁxed point of , i.e. if, for some , , then Fix ü . î

The second requirement makes Fix î unique for each .

¨§

Exercise 7.11 The effect of a function í is expressed by its graph:

B §

¢ <

6 [ 6 @

í % $G(Nps $

graph í£

ì ì ¢ì ¢2ì

0 £ £ Show that: ü graph graph .

48 7.4 Least Upper Bounds We now develop a general theory that gives more structure to the posets and that imposes restrictions on the functionals so that they have least ﬁxed points.

Above, we have deﬁned a relation on functions that expresses adequately what we observed

6 î before. Starting from the function í undeﬁned, applying the functional repeatedly, we

obtained a sequence of functions that are in the relation, ü : ¦

State ¥ State

í üÌí üÌí ü

We will now focus on deﬁning the context that guarantees that this ‘path’ has an end, i.e. that

í ü}í í

there exists a precisely deﬁned function í such that, for all , . This will then be

§ §

shown to be the semantic function we were looking for.

u ¯ %d¯ üÌ( § Consider and . An upper bound of summarises all of the information of

§ §Î

LÿwkN ÿwüØÿ

If ÿ is an upper bound of , then .

§ §

An upper bound ÿ of is the least upper bound (lub) of if and only if:

§ ÿqüjÿw

If ÿw is an upper bound of , then .

§ § (A§ lub of will add as little extra information as possible to the information already present

in .) We denote the lub of as .

7.5 Chains

)

Although we aim to build a framework that guarantees the existence of lubs, we will only

í í í

do so for particular sets: we only need the lub to exist for sets such that

üÌí üví § ü

í . Such a set is called a chain:

§÷

We call a chain if

Lÿ ÿ N ÿ üjÿ ÿ üjÿ

So a chain is a particular subset on which the (partial) order relation ü is total.

¢< < < <

@ 6 Ñ @ @k@

Example 7.12 Consider . Then is a chain. The sets

< < < <

@ @ @ @

w © à à à ©

§ §

and are upper bounds of , and its lub is . Notice that in not an

< < ¢<

@ @ @

upper bound, since . For any chain in , will be the

< < < <

Ñ @ @x@ @

largest element of . The set is not a chain, but its lub is à . Notice that also

Ñ Ñm6³Ñ

is a chain, and that .

Example 7.13 Let State Ö State be deﬁned by:

é ¹v=

undeﬁned if

!õ /

éë

§ /

ì ì < ì

=\Ú = ? 6 @

It is easy to verify that ü , whenever , and that, therefore, is a

S S

!õ /

chain. Then è

I ³

ë if

7.6 CCPO

§ §

üÌ( § §

A poset %^¯ is a chain-complete poset (ccpo) whenever exists for all chains . It is ¯

a complete lattice if exists for all subsets of .

¥ ¥

£ üÌ(

Exercise 7.14 %{ is a complete lattice, and (hence) a ccpo, for all non-empty .

üv(

Exercise 7.15 If %d¯ is a ccpo, it has a least element .

¥ ¥

% £ (

Exercise 7.16 Let be any non-empty set. Show that is a partially ordered set and

6 @

determine the least element. Draw a picture of the ordering when .

Exercise 7.17 State Ö State is not a complete lattice.

§ §

Lemma 7.18 State Ö State is a ccpo. The least upper bound of a chain of functions , ,

¢ < ¢2ì ì

6 @

£ £ N

is given by graph graph , i.e.:

§ © §÷

¢ ì ì

6 6

£ w 0 N w

7.7 Monotone functions

%d¯ ü ( %^¯ ü ( í ¯ ¯ í

Let and be ccpos and . We call monotone if and only if, for

ÿ Ny¯ ÿ ü ÿ íÿ ü íÿ

all ÿ , if , then .

¢< ¢<

@ @

Example 7.19 Take í , deﬁned by:

< < < < < < <

@ @ @ @ @ @ @ Ñ

< < < < < < <

Ã Ã Ã Ã

@ @ @ @ Ñ @ @ @

í s ÿ ÿ ÿ ÿ ÿ ÿ

< < < < < < < <

Ã Ã Ã Ã

@ @ @ @ @ @ @ @

í s ÿ ÿ ÿ ÿ

Then í is monotone, and is not.

) 4

%d¯ ü ( %^¯ ü ( %d¯ ü ( í ¯ ¯

Exer cise 7.20 Let , and be ccpos and let and

¯ ¯ í í ¯ ¯

í be monotone functions, then is a monotone function.

g g

) T

%d¯ ü ( %^¯ ü ( í ¯ ¯

Lemma§ 7.21 Let and be ccpos and be a monotone function.

íÿ ÿKN ¯

If is a chain in ¯ , then is a chain in . Furthermore,

§ §

< ¢

íÿ ÿKN ü í £

Exercise 7.22 Prove this lemma.

§ §

[ [

u s u

Exercise 7.23 Let graph be as in Exercise 7.11. If and , the

compositon of followed by , denoted , is deﬁned by:

M § M !

# #

7 6 [ @

% (Nqs $QN % $G(BN %Å$ (BN

Show that:

¢ ¢ ¢

7 6 7

í £ í £ í £ graph í graph graph

Prove that î deﬁned by:

ì ì ì

6 7 î is continuous. (Hint: you will need to use Lemma ??.)

In general, we cannot expect that a monotone function preserves lubs on chains, i.e.

§ §

< ¢

@ 6

íÿ ÿKN í £

only holds in special cases, as illustrated by the next example.

¢ < ¢ <

@ @

{ £ { £

Example 7.24 Consider í IN IN , deﬁned by:

s s

ë if is ﬁnite

ís

s s if is inﬁnite

Clearly, í is monotone. But consider the set

§ /3 ) /

6 =@ =Ú @

§ 6

Then IN. Now

§ § §

< <

@ 6 @ 6 6

ís s N s s N

But §

¢ <

6 6 @

£ í í IN IN

7.8 Continuous Functions

í ¯ ¯

)

We shall be interested in functions which do preserve lubs of chains. An deﬁned

ü ( %d¯ ü (

on ccpos %d¯ and is called continuous if it is monotone and, moreover:

§ §

< ¢

@ 6

íÿ ÿKN í £

%d¯ ü (

holds for all non-empty chains in . (When this also holds for the empty chain, so

< ¢ ¢

Ñm6 Ñ.@Q6 Ñ 6 Ñ

í £ í £ í

, we say that is strict).

( ( ( ¯ %^¯ %d¯ %^¯ í ¯ í

ü ü ü T

Lemma 7.25 , and be ccpos and let and

¯ í í ¯ ¯

¯ be continuous functions. Then is a continuous function.

g g

7 7

í í í Proof : Notice that, by a previous result, í is monotone. We only need to show that

preserves lubs of chains, i.e.:

§ §

<,¢ ¢ ¢

7 @ 6 7

í í £,ÿ ÿKN í í £ £

§ g

ü ( í

holds for all non-empty chains in %^¯ . We know, by continuity of , that

§ §

< ¢

@ 6

í ÿ ÿôN í £

%^¯ ( í

for all chains in ü , and by continuity of , that

§ §

< ¢

@ 6

í ÿ ÿôN í £

§ ) g §

§ § ü ( í

for all chains in %^¯ . Notice that, by the fact that is monotone, if is a chain, then

¢ <

6 @

£ í ÿ ÿ N

also í is a chain as well. So, we obtain that

§ §

<,¢ ¢ < ¢ ¢

7 @ 6 @

í í £ £ í í £

g g

< ¢ ¢ <

@k@ 6

ÿ N í £ í í ÿ £

is continuous

¢ < ¢

6 @

í í £ £

¢ < ¢ ¢

6 @

£ í £ £ í

í is continuous

¢ ¢

í í ££

¢ ¢

6 7

í í £ £

51 7.9 The Fixed Point Theorem Above, we have deﬁned continuous functions as functions that are monotone, i.e. preserve the

order, and continuous, i.e. preserve lubs of chains.

¯ ¯ %^¯ üô( Lemma 7.26 Let í be a continuous function on the ccpo with least element

. Let

í id

6 7 =Ú

íS í íS c for

Then /

6 =Ú @

íS

Fix í í deﬁnes an element of ¯ and this element is the least ﬁxed point of .

Proof : We divide the proof in two parts: /

=Ú @

í íS

i) We ﬁrst show that Fix is well-deﬁned, by showing that the set is a chain

=Ú @

ÿ ÿ N í

in ¯ , so its lub is deﬁned. So, we need to show that, for all ,

= ?

üAÿ ÿ üAÿ í Îü³í

either ÿ or . We will show that , whenever . We start

S S

üÌí ÿ

showing that, for all , í ; this follows by induction on numbers.

X X

6 6

í í ÿ ÿ üjÿ ÿKN¬¯

Base step £ : Notice that , , and for all .

S S

í ü}í ÿ ÿôNy¯

Induction step £ : We can assume that , for all . Now, from the fact

í íS üÌíS ÿ ÿôNy¯ c

that is monotone, we also have c , for all .

üÌíSÿ

So, for all , íS .

? Ú = 6

/ í ÞS íS ü}íSÿ íS ü}í

Let , and ÿ , then, in particular, , so . Hence

=jÚ @

¯ ¯ íS is a non-empty chain in , and therefore, its lub exists because is a

ccpo, so Fix í exists.

í í í£ í

ii) We will now show that Fix í is indeed a ﬁxed point of , i.e.: Fix Fix . Well:

¢ ¢ < ¢

6 =Ú @

í£ í íS £ í £

í Fix is continuous

< ¢

6 =Ú @

í íS O£

§ § §

< ¢ ¢ <

6 =DÚ @ @ 6

í I L £ £

¢< <

6 =Ú @ @

í I £

6 =DÚ @

íS

6 Fix í

iii) We will now show that Fix í is the least ﬁxed point. To accomplish that, we need to

ÿw í ÿxw í ÿxw¢£ ÿxw ÿ ÿw /

show: if is another ﬁxed-point of , i.e. also for , , then ü . Well,

=ÎÚ

w S S w w

ü}ÿ í í üæí ÿ ÿ

since , by continuity of , we have , for all ./ Since is a

6 = =´Ú

w S w S w w

/ / í ÿ í Cü}ÿ ÿ

ﬁxed-point, ÿ for all , so we get that , for all . So is an

< <

=¤Ú @ =¤Ú @

/ ÿ íS

upper bound of íS . Since is the least upper bound of (so

6 =Ú @

íS ÿqüjÿxw ÿ ), .

7.10 Denotational Semantics Using the result above, we can now deﬁne the Denotational Semantics for a program in While.

The meaning of a statement ¥ is a (partial) function from State to State:

ds Statements State Ö State

ds [[ := ]] [[ ]] 5

[[skip]] 6 id

5 5 5

¥ ¥ ¥ ¥ 7

[[ ; ]] 6 [[ ]] [[ ]]

ds ds ds

5 5 5

¥ ¥ ¥ ¥

ds ds ds

Fix Ò

ì ¢ ì

6 7

Example 7.27 Consider the function

í 9

ë if

îmí

=Ú @

The elements of îôS are deﬁned as follows:

î id

6 undeﬁned

6 7

î ¤ î î £ ¤

î 9

ë if

ë undeﬁned if

6 7

î ¤ î î £ ¤

9 î

ë if

ë undeﬁned if

/ ø

if 9

é if

ë undeﬁned if

6 î

So î . We could continue this construction, but we would not achieve anything by it:

=Ú 6

I îôS îôS

for all , c , so

< <

@K6 =Ú @K6

î î î î

Therefore,

ë undeﬁned if

/ 6

Fix î

Exercise 7.28 Compute the semantics of

# # #

HpI $G£ := ;while $ do := ; :=

7.11 Existence

As already observed above, we want to achieve

5 5 5

¥ ¥ ¥

6 7

We now want to show that the underlying functional for this deﬁnition,

6 7

îOí cond [[ ]] ds [[ ]] id

ì ¢ ì ì ¢ ì

î î î £ î © £

is continuous. Observe that we can write as , where cond [[ ]] id ,

ì ì

6 7

and î ds [[ ]] are.

Then, using results shown above, we have that î is continuous if we manage to show that î

î and . We will do that in a more general setting:

Ö ©

Lemma 7.29 Let ï State State, State TT, and deﬁne

ì ¢ ì

Then î is continuous.

Proof : Notice that

ì ¢ ì

î cond

ë if tt

6 ©

ïe if ff

We prove the following two things:

ì ì ¢ ì ì

î î £ î

ü ü

is monotone : Assume . We have to show that . Notice that, since

ì ì ì ì

6 6

w w

, implies .

¢ ì ì

6 6

tt : Then, since , the ﬁrst is deﬁned exactly when the latter is. Since

ì ì ì ì ì

6 6 6 6

w w î î w

implies , and , we get that implies

ì ì ì

î î üjî

. So .

¢ ì ì ì

6 6 6

£ î î ï © ï î

ff : Since , is deﬁned precisely when is, which is

precisely when § is.

£ Ö

î preserves lubs : Let be a non-empty chain in State State. We must show that

§ §

¢ < ì ì

î £ ü î N

6 (Actually, we need to show this with ‘ ’ instead of ‘ ü ’, but the part ‘ ’ follows from

the fact that î is monotone.) So, we need to show that

§ §

¢ ¢ < ¢ ì ì

££ u î £ N

graph î graph

§ §

¢ ì ì

6 6

w w

£G N î

Exercise 7.30 if î , then there is a such that .

ì ì

6 7

Ö î ï î Lemma 7.31 Let ï State State, and deﬁne . Then is continuous.

Proof : As above, we would need to show that î is monotone and preserves lubs, but we will skip this.

Now we are done, and the complete deﬁnition of denotational semantics for While be-

comes:

ds Statements State Ö State

ds [[ := ]] [[ ]] 5

[[skip]] 6 id

5 5 5

¥ ¥ ¥ ¥ 7

[[ ; ]] 6 [[ ]] [[ ]]

ds ds ds

5 5 5

¥ ¥ ¥ ¥

ds ds ds

Fix Ò

ì ¢ ì

6 7

The final result to show for the denotational semantics is: 5 Theorem 7.32 The semantic definition ds defines a total function.

Proof : By induction on the structure of ¥ . There is only one interesting case:

¥ ¥ £

functions

ì ¢ ì

î cond [[ ]] id

ì ì

6 7

î ds [[ ]]

5 ¥

deﬁned. ¥

As before, ¥ and are called semantically equivalent if and only if

5 5

¥ ¥

ds [[ ]] 6 ds [[ ]]

¥ ¥

Example 7.33 å skip and are semantically equivalent.

5 5 5

¥ ¥

6 7

ds [[ å skip]] ds [[skip]] ds [[ ]]

¥ 7

6 id ds [[ ]]

5 ¥

6 ds [[ ]]

Exercise 7.34 Show that

¥ ¥ ¥

; ; £

is semantically equivalent to

¥ ¥ ¥

; £ ; g

55 7.12 Equivalence to Operational Semantics

Lemma 7.35 Notice that:

í ¯ ¯ ÿQN¬¯ íÿpüjÿ íüjÿ

Let be continuous, and let satisfy . Then Fix .

¥ ¥ ¥ ¥

% (K0 % (Q0 % ( b

If b , then ; .

‘ 7 ’ and cond are monotone.

We conclude the discussion of Denotational Semantics, by showing that, for the language While, there is no difference between this semantics and the Structural Operational Seman- tics.

Theorem 7.36 For every statement ¥ of While:

5 5

¥ ¥

sos [[ ]] 6 ds [[ ]]

i.e.:

5 5

¥ ¥

sos [[ ]] ü ds [[ ]]

and

5 5

¥ ¥

ds [[ ]] ü sos [[ ]]

Proof :

5 5 5

¥ ¥ ¥ ¥

£ % (K0

sos [[ ]] ds [[ ]] : So, we have to show that Û implies ds [[ ]] .

% (Q0

This follows by induction on the length of the derivation sequence for b .

For this, it sufﬁces to show that:

¥ ¥

% (l0

implies ds [[ ]] , and

5 5

¥ ¥ ¥ ¥

(l0 % w ( w % implies ds [[ ]] ds [[ ]] .

This result follows by induction over the shape of the derivation for the single step, where

we focus on the last step. We just consider two cases:

¥ ¥

I ¥ w

COMPsos £ : Then there are such that

¥ ¥ ¥ ¥ ¥ ¥ ¥ ¥

6 6

w w

(f0 % w (

; ; and %

5 5

¥ ¥

Then, by induction, ds [[ ]] ds [[ ]] , so we have

5 5 5

¥ ¥ ¥ ¥

6 7

[[ å ]] [[ ]] [[ ]]

ds ds ds

5 5

¥ ¥

6 £

[[ ]] [[ ]] (IH)

ds ds

5 5

¥ ¥

[[ ]] [[ ]] £

ds ds

5 5

¥ ¥

7 6 £

[[ ]] [[ w ]]

ds ds

¥ ¥ 6

ds [[ ; ]]

¥ ¥ ¥

6 6

£ © ©

WHILEsos : Then there are and such that while do , and ,

¥ ¥ ¥

and if then ;while do £ else skip. By deﬁnition of ,

ì ¢ ì

5 5 ¥

¥ ds

6 6 7

î î © £

6 î

î îO£

Fix Ò

5 5

¥ ¥

7 6

cond Ò id

ds ds

¥ ¥

5 5 5

¥ ¥ ¥

6 6

So, we have shown: if sos [[ ]] Ó9 undeﬁned, then sos [[ ]] ds [[ ]] , which, of

5 5

¥ ¥

course, is the same as sos [[ ]] ü ds [[ ]].

5 5

¥ ¥ £

ds [[ ]] ü sos [[ ]] : This part is shown by induction on the structure of statements. We

only consider two cases:

¥ ¥

; £ : Notice that:

)

‘ ’ is monotone in both arguments, and

¥ ¥ ¥ ¥

% (l0 % (l0 % (

if , then ; .

5 5 5 5

¥ ¥ ¥ ¥ ü

By induction, we obtain both ds [[ ]] ü sos [[ ]] and ds [[ ]] sos [[ ]]. So,

5 5 5

¥ ¥ ¥ ¥ 7

[[ ; ]] 6 [[ ]] [[ ]] (IH)

ds ds ds

5 5

¥ ¥

7 7

ü [[ ]] [[ ]] ( is monotone)

sos sos

¥ ¥

ü sos [[ ; ]]

¥ ¥

£ © © î

while do : Since ds [[while do ]] is the ﬁxed point of a functional , where

ì ì ¢

7 6

î cond [[ ]] ds [[ ]] id , it is sufﬁcient to prove:

5 5

¥ ¥

since,

ü © 0

Fix î sos [[while do ]]

5 5

¥ ¥

ü ©

5 5

¥ ¥

Notice that we have, by induction, ds [[ ]] ü sos [[ ]], so

¢ ¢

5 5 5

¥ ¥ ¥

6 7

cond Ò id

sos sos ds

5 5

¥ ¥

(IH) cond Ò id

sos sos

¥ ¥

ü © £

8 Extensions to While

We have seen that Operational Semantics are good for formally describing implementation aspects of programming languages. Furthermore:

Structural Operational Semantics are good for describing low-level details (abstract machine).

Natural Semantics are good for reasoning (more abstract - more intuitive)

We will now see some other differences. We will do that by deﬁning extensions to the language While, adding new language constructs.

8.1 Aborting

We start by adding the new statement abort

57 Intuitively, attempting to execute abort stops the execution of the whole program. There are various ways of interpreting this instruction, depending on what the intention of the instruction is: do you want a program just to halt without executing further, or do you want an error message to appear. Using this difference, we will consider two approaches to giving semantics

to the new statement.

)( %

Approach 1 £ : Consider abort to be a stuck conﬁguration. In this case, there is no need

to add an extra rule to either the Natural or the Structural Operational Semantics, and we can

% ( % (l0

use the original deﬁnition of both and . Since no new rule is added, no )( transformation for abort is deﬁned, so in both systems % abort will not evaluate, and therefore be stuck.

However, now there is a difference between the two systems. Note that

( ( %

% while true do skip implies abort

and

( % ( % abort implies while true do skip are both vacuously true, so, in the Natural Semantics, the statements ‘while true do skip’ and ‘abort’ are equivalent. This is not true in Structural Operational Semantics, the statement

‘while true do skip’ generates an inﬁnite number of steps,

)(

% while true do skip

0 % )(

if true then skip;while true do skip £ else skip

0 %

skip;while true do skip )(

)( % 0 while true do skip . .

and ‘abort’ none )( % abort is stuck

So, in Natural Semantics, looping and abnormal termination are equivalent, whereas in Struc- tural Operational Semantics, abnormal termination is equivalent to reaching a stuck conﬁgu-

ration. ¢

Approach 2 £ : Add a new terminal conﬁguration to the system, error, and extend the deﬁ-

nition of Natural Semantics by

ABORTns £

( % abort error

and that of Structural Operational Semantics by

ABORTsos £

% (f0 abort error

Because we have added a terminal state that cannot be reached by any other statement, we can now distinguish between ‘while true do skip’ and ‘abort’ in both semantics.

8.2 Non-determinism

¥ ¥

We add the statement construct ‘ or ’, so extend the deﬁnition of Statements by ‘ or ’, ¥ that has the intuitive semantics that either ¥ or will be executed, which one being chosen

non-deterministically. For example:

] ¢ ¢ ]

H £

:= I)£ or := ; :=

» could result in a statewhere has value I , or in a state where has value . The rules for

Natural Semantics are exended by adding:

¥ ¥

% ( % (

¢ ¢ ¢ ¢

)

L R

£ £ £

OR £ OR

¥ ¥ ¥

ns ¥ ns

( % ( % or or

Then we have the following derivations:

I )( I

% :=

¢ ] ]

I H £ )( I % := or := ; :=

and

! ! !

] ] ] ]

H ( )( %

% := :=

J !

] ]

H )(

% := ; :=

¢ ] ]

I H £ )( % := or := ; :=

Notice that non-determinism suppresses looping (if possible), since we can derive

¢ ¢ ] ]

£ H £ )( % while true do skip or := ; :=

Likewise, the deﬁnition of Structural Operational Semantics is extended by:

) )

¥ ¥ ¥ ¥ ¥ ¥

)(l0 % )( % )(l0 % )( % or and or

Then we have:

¢ ] ]

% I I )( £ )( 0 %

:= or := ; := H :=

Ó !

0 I

and

¢ ] ]

I H £ )(

% := or := ; :=

] ]

% H )(

0 := ; :=

] ]

% H (

0 :=

Ó !

But replacing ‘ := I ’ by ‘while true do skip’ will still give two derivation sequences;

one will be inﬁnite:

¢ ¢ ] ]

£ H £ )(

% while true do skip or := ; :=

% )(

0 while true do skip

0 % )(

if true then skip;while true do skip £ else skip

% )(

0 skip;while true do skip

% )( 0 while true do skip . .

and the other is ﬁnite:

¢ ¢ ] ]

£ H £ )(

% while true do skip or := ; :=

] ]

% H )(

0 := ; :=

] ]

0 % (

:= H

J !

So, in a certain sense, Structural Operational Semantics can ‘choose the wrong branch’.

8.3 Parallelism

We can now add the statement construct ‘ par ’, so extend the deﬁnition of Statements by

¥ ¥ ¥

the alternative ‘ ¥ par ’, and expect the execution of and to be ‘interleaved’. For

example, the program

¢ ¢ ] ]

H £ := I)£ par := ; := has the following different ways to execute:

Step 1 Step 2 Step 3 Result

] ]

:= I := :=

] ]

H i

:= := I :=

] ]

I I := := H :=

For the Structural Operational Semantics, to deal with the new construct, the derivation rules

need to be extended with:

¥ ¥ ¥

% (f0 % (l0 % w (

¢ ¢

) ) ) )

LT LI

PAR £ PAR

¥ ¥ ¥ ¥ ¥ ¥

sos ¥ sos

(l0 % ( % (l0 % w (

% par par par

)

¥ ¥ ¥

% (f0 % (l0 % w (

¢ ¢

RT RI

PAR £ PAR

¥ ¥ ¥ ¥ ¥ ¥

sos ¥ sos

% (l0 % ( % (l0 % w ( par par par

Exercise 8.1 Verify that the three results above are allowed by this semantics.

To accomplish the same expressive power in Natural Semantics, we run into problems. Assume the rules that need to be added are:

)

¥ ¥ ¥ ¥

% ( % ( % ( % (

g g

¥ ¥ ¥ ¥

( % (

% par par

g g

Although these rules look perfectly reasonable, they only manage to express that the order

¥ ¥

in which and are executed is arbitrary (which could be desirable for a language that

¥ ¥

allo ws the speciﬁcation of threads). Although we are free to devide a statement into and

¥ ¥ ¥ as we see fit, still the rules express that either first runs, and then , or vice versa; the required interleaving is not expressed. Using Natural Semantics, we cannot describe the intuitive semantics, because Natural Semantics is defined using the immediate constituents of a program, not the individual computation step. In a sense, Natural Semantics is too abstract.

Exercise 8.2 Specify a SOS-style semantics for arithmetic expressions where the individual parts of an expression can be computed in parallel. Try to prove that you still obtain the result that was speciﬁed by Ï .

Exercise 8.3 Consider an extension of While that in addition to the par-construct also con- tains the construct protect ¥ end

The idea is that the statement S has to be executed as an atomic entity; so that for example:

] ¢ ]

H £

:= I par protect := ; := end » only has two possible outcomes, namely I and . Extend the SOS semantics to express this. Can you specify a natural semantics for the extended language?

8.4 Blocks We now focus on how to deal with declarations, the scope for declared identiﬁers and blocks in semantics. We start by considering a new programming language Block, that is an extension

of While. Its abstract syntax is given by: =

N Numeral

N Variables N

Arithmetic Expressions N

¯m¿ Declared Variables ¥

N Statements

¢§6 = º [

6 ¢§6

xÁ

A © © ©

¢§6

¯m¿

¯m¿ var := ;

¥ ¥ ¥ ¥ ¥

¢§6

:= skip ; if then else

¥ ¥

¯m¿ while © do begin end The idea is that variables are local to the block in which they are declared, and it is possible to use an identiﬁer more than once in a declaration in a program.

Example 8.4 The following is an example of a program in Block:

]

I I $ H>I $QH begin var $ := ; := ;begin var := ; := end; := end

In more readable form, this becomes

begin var $ := ;

:= I ; ]

begin var := ; HAI

$ := end;

:= $KH end

The semantics of statements is deﬁned in the same way as was done for While, so using

the same rules as before, but with the addition of the following rule for the block construct:

%^¯m¿ ( % (

BLOCK £ ¢

ns ¥

¯m¿ ( ¯m¿ £

% begin end DV

( Notice that this rules uses some features that need speciﬁcation, like ‘ %^¯m¿ ’. First of

all, the function DV, applied to a list of variable declarations, determines the set of variables

¯m¿

declared in :

¢ < ¢

6 @

¯m¿ £ ¯m¿£

DV var := ; DV

6 Ñ Â

DV £

£ £

and is a state as , except for at variables in the set where it is speciﬁed by :

ë if

N 9 if

For the semantics of variable declarations, we have:

(

%d¯m¿ [[ ]]

DECLns £

¯m¿ (

% var := ;

NO-DECLns £

% )(

Which completes the definition of Natural Semantics for Block. It is much more difficult to define the Structural Operational Semantics (although possible, just not done here).

62 8.5 Procedures We extend the language Block to Proc, a language that allows for the deﬁnition of (parame-

terless) procedure declarations , by =

N Numeral

N Variables N

Arithmetic Expressions N

& Procedure Names

¯ N

¿ Declared Variables N

¯¸À Declared Procedures ¥

N Statements

¢§6 = º [

6 ¢§6

xÁ

A © © ©

¢§6

¯m¿

¯m¿ var := ;

¢§6

¯¸À ¯¸À

proc & is ;

¥ ¥ ¥ ¥ ¥

¢§6

:= skip ; if then else

¥ ¥

For this new language, in particular for the added features, we shall give three different semantics, that differ in how a procedure declaration is dealt with:

Dynamic scope for variables as well as procedures.

Dynamic scope for variables, and static scope for procedures.

Static scope for variables as well as procedures.

The difference in binding is important in programming languages where it is possible to

re-use variable and procedure names inside new blocks. Imagine a program in which you call a procedure & that is deﬁned outside the current block, that calls another procedure that is

deﬁned both in- and outside the block.

¢ Dynamic £ : With this kind of binding, only the last deﬁnition counts; the call to will use

the most recent declaration.

¢ Static £ : With static binding, calling would give you the deﬁnition that was declared in the

block where & is deﬁned.

Example 8.5 Consider the following program:

begin var := ;

] [

proc & is := ; &

proc is call ;

begin var := ;

H>I proc & is := ;

call ;

$ := end end

The different scope rules have the following effect for the end result of the program:

With dynamic scope for variables as well as procedures, the result of this program will be

` $

that $ . The value of depends on the value of , which depends on the ‘call ’ on the

& &

line above. will do a ‘call ’, which will used the ‘last’ declaration for (in time), i.e. the

& H´I

one stating ‘proc is := ’. Since it will use the ‘last’ declaration for (in time),

` $

‘var := ’, the result of ‘call & ’ will be that has value , which will be assigned to .

With dynamic scope/ for variables, and static scope for procedures, the result of this pro-

]

6 [

$ I &

gram will be that . Now will use ‘proc is := ’, since that is the one deﬁned

+ /

in the block where is declared. However, since it will use the ‘last’ declaration for (in I time), ‘var := ’, the result of call & will be that has value , which will be assigned

to $ .

W+ ith static scope for variables as well as procedures, the result of this program will be that

]

6 [

$ &

. Now will use ‘proc is := ’, since that is the one deﬁned at the time is

declared. It will also use the local declaration for , ‘var := ’, and multiply that variable.

+ +

The assignment ‘ $ := ’, however, uses its locally declared , ‘var := ’, that still has $ value (it is not touched), so the result of ‘call & ’ will be that has value .

8.6 Dynamic / Dynamic

We introduce a procedure environment

À Ö envÀÐN Env Procedure Names Statements

which records the body of each procedure, by linking procedure names to statements. Since only the last declaration counts, a simple connection between procedure name and body suf- ﬁces; when leaving a block, the environment of the context of the block will be used, and the connections within the block are lost.

The transition rules for the system will now be of the form:

ª % ( envÀ

(so only a minor change of the previous notation; this should look familiar).

64 Most of the rules are similar to the original with the addition of the extra environment

information, like, for example,

¥ ¥

( ÀQªf% (

envÀOªf% env

¥ ¥

(

envÀQªf% ; g

For the semantics of blocks, we need to be able to update the environment. UpdateÀ is a procedure that, given a list of procedure declarations, produces an environment that links

procedure names to procedure bodies.

¢ ¢

¥ ¥

& ¯¸À À£ ¯¸À À & £ À

UpdateÀ proc is ; env Update env

À À UpdateÀ env env

We add two rules, one that deals with the new language construct ‘call & ’, the other for

the blocks.

À¸ª¤% (

¢ env

rec

À& £

CALLns £ env

( &

envÀôªû% call

%d¯O¿ ( ¯¸À À£ªf% (

¢ Update env

BLOCK £ ¢

ns ¥

¯m¿t¯¸À ( ¯m¿ £

envÀOªf% begin end DV g Note that procedures can always be recursive, since we use the environment in the pre- ¢ rec

misse of the rule CALLns £ . Moreover, the way in which the semantics for the structure ¥

‘begin ¯m¿Ü¯¸À end’ is established shows that the statement inside is evaluated in a changed

environment, where all the local declarations have been considered. For the block as a whole,

¯ ¯ À the environment used is not inﬂuenced by the declarations in ¿ or .

8.7 Dynamic / Static In this setting, procedures will now use those declarations for the procedures they call that are deﬁned at the moment the procedure itself was declared, not just the last one. So we now also need to state the environment in which procedures are deﬁned, linking the names of

procedures called to their bodies and the environment in which they were deﬁned:

6 [

Ö À EnvÀ Procedure Names Statements Env

(Note that the concrete procedure environments are always built from smaller ones.) UpdateÀ is now deﬁned as a procedure that, given a list of procedure declarations, produces an envi-

ronment that links procedure names to a body and a procedure context.

¢ ¢ ¢

¥ ¥

& ¯¸À À£ ¯¸À À & À£ £ À

UpdateÀ proc is ; env Update env env

À£ À

UpdateÀ env env ¢

We then just need to update the rule CALLns £ . If procedures in Proc are non-recursive, we

use:

ª¤% (

¢ ¢

¢ env

£ À& w £a£

CALLns env envÀ

& ( envÀôªû% call

But if procedures are recursive, we need:

¥ ¥

w w

& £ ªû% (

À À

¢ ¢

¢ env env

rec

£ & w ££ À

CALLns env envÀ

& ( envÀôªû% call Exercise 8.6 Try to construct a statement which illustrates the difference between these two rules.

8.8 Static / Static To specify static scope not only for procedures, but also for variables, we not only use the approach deﬁned above, but also need to model the fact that variables can appear in more than one declaration. This implies that we can no longer simply use states, that mapped variables

names to values, but need to replace the state with two mappings:

6 ¿

env ¿N Env Variables Locations

6 @ store N Store Locations next ZZ

where, essentially, Locations 6 ZZ, and next is a special token which holds the next free

location. The idea is that the machine is now represented not as a mapping from variable

names to values, but as a inﬁnite number of locations, and a variable now will point to a ¿ location through a mapping that is called a variable environment, env ¿ . The location env

points at will hold its value through the function store that maps locations to values. Entering

a new block can mak e that will be redeclared, without losing the old declaration. This is

modelled by making point to a new location (the old location is kept, but not pointed at), and to store the new value for there. Since we have the need for a ‘new location’ on a regular

basis, we also use a function ‘new’ that produces the number of the next free location.

new Locations Locations

6 GH>I

new

6 7

(Note that store env ¿ .) The initial variable environment could map all variables to location 0, and the initial store might map next to 1. Since the semantics of programs now also depend on what the value (location) is that a

variable is currently (in this block) pointing at, we need to consider transitions of the form

%d¯m¿ ¿ ( £ env store env ¿ store

For evaluating the variable declarations, we have rules

!d Ík!§ !

%d¯m¿ ¿ ( £

env store next new env ¿ store

% ¯m¿ ¿ ( £

var := ; env store env ¿ store

¿ ( ¿ £ % env store env store

where

6 7

[[ ]] store env ¿ 6 store next

66 In view of the fact that also variable environments are used, we must further update proce-

dure environments:

6 [ [

¿ À

EnvÀ Procedure Names Statements Env Env

¢ ¢ ¢

¥ ¥

& ¯¸À ¿ À£ ¯¸À ¿ À & ¿ À£ £ À

UpdateÀ proc is ; env env Update env env env env

¿ À À UpdateÀ env env env

The transition system for statements now has rules of the form

À ª % ( env ¿ env store store

Most rules are similar to their original, like:

)

¥ ¥

ÀOªf% ( ¿ ÀQªf% (

env ¿ env store store env env store store

¥ ¥

( ÀQªf%

env ¿ env ; store store g

but the rule for blocks is modiﬁed:

w w w

( £ ( %d¯m¿ ¿ ªf%

¿ À

env store env ¿ store env env store store

( ÀQªl% ¯m¿¯¸À

env ¿ env begin end store store

where

w ¯ w £

À À

À ¿

envÀ Update env env

¯m¿£ (Why is there no analogue of DV ?)

And the new rules for call & are:

w w

ªû% (

¿ À

¢ env env store store

CALLns £

Àôªû% & (

env ¿ env call store store

¥ ¥

w w w w

& £ ªû% (

¿ À ¿ À

¢ env env env env store store

rec

CALLns £

Àôªû% & (

env ¿ env call store store

where

w w £

À À env env ¿ env

Exercise 8.7 Modify the synax of procedure declarations so that procedures take two call-by-

value parameters:

¢£6

& £ ¯¸À

¯¸À proc is ;

¥ ¥ ¥ ¥ ¥

¢£6

:= skip ; if then else

¥ ¥

Procedure environments will now be elements of:

6 [ [ [ [

Ö ¿ À EnvÀ Procedure Names Variables Variables Statements Env Env Modify the semantics to handle this language. In particular, provide new rules for procedure calls: one for non-recursive and another for recursive procedures.