-
Notifications
You must be signed in to change notification settings - Fork 7
/
Lab6.v
405 lines (358 loc) · 13.8 KB
/
Lab6.v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
(** * 6.887 Formal Reasoning About Programs - Lab 6
* Type Systems *)
Require Import Frap.
(* Authors: Peng Wang ([email protected]), Adam Chlipala ([email protected]) *)
Set Implicit Arguments.
(** * Simply typed lambda calculus with extras: product types and sum types *)
(* In this challenge, we add pairs and disjoint unions to the simply typed
* lambda calculus from the lecture. Their types are called product types and
* sum types correspondingly. *)
Module ProductSum.
(* Expression syntax *)
Inductive exp :=
| Var (x : var)
| Const (n : nat)
| Plus (e1 e2 : exp)
| Abs (x : var) (e1 : exp)
| App (e1 e2 : exp)
(* New stuff from here *)
| Pair (e1 e2 : exp)
(* [Pair e1 e2] is how we construct a new pair, by putting two expressions
* together as the two components. *)
| Fst (e1 : exp)
| Snd (e1 : exp)
(* These are how we use an existing pair, by projecting out its first or
* second component. *)
(* For a language feature such as pairs, we sometimes talk about its
* "introduction forms", which are the syntax used to construct an instance
* (such as [Pair]); and its "elimination forms", which are the syntax used to
* pull apart an instance (such as [Fst] and [Snd]). *)
| Inl (e1 : exp)
| Inr (e1 : exp)
(* These are the introduction forms of disjoint unions. *)
| Match (e : exp) (x1 : var) (e1 : exp) (x2 : var) (e2 : exp)
(* This is the elimination form of disjoint unions. A disjoint union is an
* object that could have been constructed by either [Inl] ("left inject")
* or [Inr] (guess its meaning?). The way to use it is to case-analyse it, and
* in each case we can access the inner object used to construct the disjoint
* union. *)
.
(* Substitution (not capture-avoiding, for the usual reason) *)
Fixpoint subst (e1 : exp) (x : var) (e2 : exp) : exp :=
match e2 with
| Var y => if y ==v x then e1 else Var y
| Const n => Const n
| Plus e2' e2'' => Plus (subst e1 x e2') (subst e1 x e2'')
| Abs y e2' => Abs y (if y ==v x then e2' else subst e1 x e2')
| App e2' e2'' => App (subst e1 x e2') (subst e1 x e2'')
| Pair e2' e2'' => Pair (subst e1 x e2') (subst e1 x e2'')
| Fst e2' => Fst (subst e1 x e2')
| Snd e2' => Snd (subst e1 x e2')
| Inl e2' => Inl (subst e1 x e2')
| Inr e2' => Inr (subst e1 x e2')
| Match e2' x1 e2'' x2 e2''' => Match (subst e1 x e2')
x1 (if x1 ==v x then e2'' else subst e1 x e2'')
x2 (if x2 ==v x then e2''' else subst e1 x e2''')
end.
(* Values (final results of evaluation) *)
Inductive value : exp -> Prop :=
| VConst : forall n, value (Const n)
| VAbs : forall x e1, value (Abs x e1)
| VPair : forall e1 e2,
value e1
-> value e2
-> value (Pair e1 e2)
| VInl : forall e1,
value e1
-> value (Inl e1)
| VInr : forall e1,
value e1
-> value (Inr e1)
(* Pairs and disjoint unions are values when their components are all values. *)
.
(* Evaluation contexts *)
Inductive context :=
| Hole
| Plus1 (C : context) (e2 : exp)
| Plus2 (v1 : exp) (C : context)
| App1 (C : context) (e2 : exp)
| App2 (v1 : exp) (C : context)
| Pair1 (C : context) (e2 : exp)
| Pair2 (v1 : exp) (C : context)
(* [context] and [plug] rules for pairs will be similar to those for [App]. *)
| Fst1 (C : context)
| Snd1 (C : context)
| Inl1 (C : context)
| Inr1 (C : context)
| Match1 (C : context) (x1 : var) (e1 : exp) (x2 : var) (e2 : exp).
(* Plugging an expression into a context *)
Inductive plug : context -> exp -> exp -> Prop :=
| PlugHole : forall e, plug Hole e e
| PlugPlus1 : forall e e' C e2,
plug C e e'
-> plug (Plus1 C e2) e (Plus e' e2)
| PlugPlus2 : forall e e' v1 C,
value v1
-> plug C e e'
-> plug (Plus2 v1 C) e (Plus v1 e')
| PlugApp1 : forall e e' C e2,
plug C e e'
-> plug (App1 C e2) e (App e' e2)
| PlugApp2 : forall e e' v1 C,
value v1
-> plug C e e'
-> plug (App2 v1 C) e (App v1 e')
| PlugPair1 : forall e e' C e2,
plug C e e'
-> plug (Pair1 C e2) e (Pair e' e2)
| PlugPair2 : forall e e' v1 C,
value v1
-> plug C e e'
-> plug (Pair2 v1 C) e (Pair v1 e')
(* Evaluate the first component of a pair to a value, then evaluate the second
* component. *)
| PlugFst1 : forall e e' C,
plug C e e'
-> plug (Fst1 C) e (Fst e')
| PlugSnd1 : forall e e' C,
plug C e e'
-> plug (Snd1 C) e (Snd e')
| PlugInl1 : forall e e' C,
plug C e e'
-> plug (Inl1 C) e (Inl e')
| PlugInr1 : forall e e' C,
plug C e e'
-> plug (Inr1 C) e (Inr e')
| PlugMatch1 : forall e e' C x1 e1 x2 e2,
plug C e e'
-> plug (Match1 C x1 e1 x2 e2) e (Match e' x1 e1 x2 e2)
(* Evaluate the discriminee (thing being matched on) to a value, which should
* be in the form of either [Inl _] or [Inr _]). The actual matching will be
* done by the following [step0] relation. *)
.
(* Small-step, call-by-value evaluation *)
Inductive step0 : exp -> exp -> Prop :=
| Beta : forall x e v,
value v
-> step0 (App (Abs x e) v) (subst v x e)
| Add : forall n1 n2,
step0 (Plus (Const n1) (Const n2)) (Const (n1 + n2))
| GetFst : forall v1 v2,
value v1
-> value v2
-> step0 (Fst (Pair v1 v2)) v1
| GetSnd : forall v1 v2,
value v1
-> value v2
-> step0 (Snd (Pair v1 v2)) v2
(* Constructor and eliminator "cancel" each other. *)
| MatchInl : forall v x1 e1 x2 e2,
value v
-> step0 (Match (Inl v) x1 e1 x2 e2) (subst v x1 e1)
| MatchInr : forall v x1 e1 x2 e2,
value v
-> step0 (Match (Inr v) x1 e1 x2 e2) (subst v x2 e2)
(* Choose a branch according to the discriminee's value form and replace the
* variable in the chosen branch with the actual inner component of the
* discriminee. *)
.
Inductive step : exp -> exp -> Prop :=
| StepRule : forall C e1 e2 e1' e2',
plug C e1 e1'
-> plug C e2 e2'
-> step0 e1 e2
-> step e1' e2'.
Definition trsys_of (e : exp) := {|
Initial := {e};
Step := step
|}.
(* Syntax of types *)
Inductive type :=
| Nat
| Fun (dom ran : type)
| Prod (t1 t2 : type)
(* Product types for pairs *)
| Sum (t1 t2 : type)
(* Sum types for disjoint unions *)
.
(* Expression typing relation *)
Inductive hasty : fmap var type -> exp -> type -> Prop :=
| HtVar : forall G x t,
G $? x = Some t
-> hasty G (Var x) t
| HtConst : forall G n,
hasty G (Const n) Nat
| HtPlus : forall G e1 e2,
hasty G e1 Nat
-> hasty G e2 Nat
-> hasty G (Plus e1 e2) Nat
| HtAbs : forall G x e1 t1 t2,
hasty (G $+ (x, t1)) e1 t2
-> hasty G (Abs x e1) (Fun t1 t2)
| HtApp : forall G e1 e2 t1 t2,
hasty G e1 (Fun t1 t2)
-> hasty G e2 t1
-> hasty G (App e1 e2) t2
(* CHALLENGE #1: Fill in the rest of the typing rules here, translated from
* what's written on the blackboard. *)
.
Hint Constructors value plug step0 step hasty.
(* BEGIN some automation magic. The [t] tactic will be handy for you. *)
Ltac with12 t := (t; []) || (t; [|]).
Ltac t0 := match goal with
| [ H : ex _ |- _ ] => invert H
| [ H : _ /\ _ |- _ ] => invert H
| [ |- context[_ $+ (?x, _) $? ?y] ] => cases (x ==v y); simplify
| [ |- context[?x ==v ?y] ] => cases (x ==v y); simplify
| [ H : step _ _ |- _ ] => invert H
| [ H : step0 _ _ |- _ ] => invert1 H
| [ H : hasty _ ?e _, H' : value ?e |- _ ] => with12 ltac:(invert H'; invert H)
| [ H : hasty _ _ _ |- _ ] => invert2 H
| [ H : plug _ _ _ |- _ ] => invert1 H
| [ H : Some _ = Some _ |- _ ] => invert H
end; subst.
Ltac t := simplify; subst; propositional; repeat (t0; simplify); try equality.
(* END automation magic. Don't forget to try the [t] tactic;) *)
(* CHALLENGE #2: Prove the safety ("unstuckness") of any well-typed
* expression. *)
Theorem safety : forall e t, hasty $0 e t
-> invariantFor (trsys_of e)
(fun e' => value e'
\/ exists e'', step e' e'').
Proof.
Admitted.
End ProductSum.
(** *Extra extras: Lists and General Recursions *)
(* In this challenge we will add even more goodies to lambda calculus (yes, a
* large piece of PL research is adding goodies to lambda calculus). Lists
* could be useful, according to our Coq experience. General recursion could
* also be useful, according to our C experience, and our Coq experience having
* to work around not having it. It turns out that in simply typed lambda
* calculus, every expression terminates, so in order to have general recursion
* that can run forever, we need to explicitly add it to the
* language/calculus. *)
Module ListFixpoint.
(* Expression syntax *)
Inductive exp :=
| Var (x : var)
| UnitExp (* We include this extra value, as the sole inhabitant of the unit
* type. If we don't include some *base type* like unit, only
* including function and list types, then we can *prove* that no
* types exist! (That would be a fun exercise for the reader.) *)
| Abs (x : var) (e1 : exp)
| App (e1 e2 : exp)
(* New stuff from here *)
| Fix (x : var) (e : exp)
(* General recursion ("fixpoints").
* The evaluation rule for a fixpoint [fix x => e] is that it will always
* (unconditionally) "unwinds" to [ [(fix x => e)/x] e ], that is, replacing
* variable [x] with the whole fixpoint itself in the body [e]. *)
| Nil
| Cons (e1 e2 : exp)
| Match (e : exp) (e1 : exp) (hd tl : var) (e2 : exp)
(* Introduction and elimination forms for lists. Read [Match e e1 x1 x2 e2]
* as "match e with | Nil => e1 | Cons x1 x2 => e2 end". *)
.
(* Substitution (not capture-avoiding, for the usual reason) *)
Fixpoint subst (e1 : exp) (x : var) (e2 : exp) : exp :=
match e2 with
| Var y => if y ==v x then e1 else Var y
| UnitExp => UnitExp
| Abs y e2' => Abs y (if y ==v x then e2' else subst e1 x e2')
| App e2' e2'' => App (subst e1 x e2') (subst e1 x e2'')
| Fix y e2' => Fix y (if y ==v x then e2' else subst e1 x e2')
| Nil => Nil
| Cons e2' e2'' => Cons (subst e1 x e2') (subst e1 x e2'')
| Match e2' e2'' x1 x2 e2''' =>
Match (subst e1 x e2') (subst e1 x e2'')
x1 x2 (if x1 ==v x then e2''' else if x2 ==v x then e2''' else subst e1 x e2''')
end.
(* CHALLENGE #3: augment the following definitions with rules for lists and
* general recursion, and prove theorem [safety]. *)
(* Values (final results of evaluation) *)
Inductive value : exp -> Prop :=
| VUnit : value UnitExp
| VAbs : forall x e1, value (Abs x e1)
.
(* Evaluation contexts *)
Inductive context :=
| Hole
| App1 (C : context) (e2 : exp)
| App2 (v1 : exp) (C : context)
.
(* Plugging an expression into a context *)
Inductive plug : context -> exp -> exp -> Prop :=
| PlugHole : forall e, plug Hole e e
| PlugApp1 : forall e e' C e2,
plug C e e'
-> plug (App1 C e2) e (App e' e2)
| PlugApp2 : forall e e' v1 C,
value v1
-> plug C e e'
-> plug (App2 v1 C) e (App v1 e')
.
(* Small-step, call-by-value evaluation *)
Inductive step0 : exp -> exp -> Prop :=
| Beta : forall x e v,
value v ->
step0 (App (Abs x e) v) (subst v x e)
.
Inductive step : exp -> exp -> Prop :=
| StepRule : forall C e1 e2 e1' e2',
plug C e1 e1'
-> plug C e2 e2'
-> step0 e1 e2
-> step e1' e2'.
Definition trsys_of (e : exp) := {|
Initial := {e};
Step := step
|}.
(* Syntax of types *)
Inductive type :=
| Unit
| Fun (dom ran : type)
.
(* Expression typing relation *)
Inductive hasty : fmap var type -> exp -> type -> Prop :=
| HtVar : forall G x t,
G $? x = Some t
-> hasty G (Var x) t
| HtAbs : forall G x e1 t1 t2,
hasty (G $+ (x, t1)) e1 t2
-> hasty G (Abs x e1) (Fun t1 t2)
| HtApp : forall G e1 e2 t1 t2,
hasty G e1 (Fun t1 t2)
-> hasty G e2 t1
-> hasty G (App e1 e2) t2
.
Hint Constructors value plug step0 step hasty.
Ltac with12 t := (t; []) || (t; [|]).
(* Here's the tactic from before, which is probably going to fail dramatically
* in at least one case of the expanded proof! *)
Ltac t0 := match goal with
| [ H : ex _ |- _ ] => invert H
| [ H : _ /\ _ |- _ ] => invert H
| [ |- context[_ $+ (?x, _) $? ?y] ] => cases (x ==v y); simplify
| [ |- context[?x ==v ?y] ] => cases (x ==v y); simplify
| [ H : step _ _ |- _ ] => invert H
| [ H : step0 _ _ |- _ ] => invert1 H
| [ H : hasty _ ?e _, H' : value ?e |- _ ] => with12 ltac:(invert H'; invert H)
| [ H : hasty _ _ _ |- _ ] => invert2 H
| [ H : plug _ _ _ |- _ ] => invert1 H
| [ H : Some _ = Some _ |- _ ] => invert H
end; subst.
Ltac t := simplify; subst; propositional; repeat (t0; simplify); try equality.
(* Coq Hint: If Coq displays the message "No more subgoals but
* non-instantiated existential variables" before [Qed], it means there remain
* some existential variables whose values do not matter for the proof, but
* you still have to pick values for them. Use the command
* [Grab Existential Variables.] to convert these existential variables into
* subgoals, which you can then "solve" using the [exact E] tactic, to give a
* term of the requested type. *)
Theorem safety : forall e t, hasty $0 e t
-> invariantFor (trsys_of e)
(fun e' => value e'
\/ exists e'', step e' e'').
Proof.
Admitted.
End ListFixpoint.