Home Explore Help
Register Sign In
thibaut
/
m2-pas-dm
1
0
Fork 0
Files
Branch: master
Branches Tags
m2-pas-dm
/
sections
/
correctness.tex

correctness.tex 6.4 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163 
  1. \subsection{Correctness}
    2. 

  2. 

  3. \begin{definition}[Well typed value]
    4. 

  4. \label{wt-value}
    5. 

  5. A value $v \in Value$ is well typed regarding to a type $T$ (noted $v |- T$) when:
    6. 

  6. \begin{align*}
    7. 

  7. v |- int &<=> v \in \mathbb{N} \\
    8. 

  8. v |- \{f_1 : T_1, \dots, f_n : T_n\} &<=> v \in Field \rightharpoonup Value\text{ and }\forall f_i, f_i \in dom(v) \land v(f_i) |- T_i
    9. 

  9. \end{align*}
    10. 

  10. \end{definition}
    11. 

  11. 

  12. \begin{definition}[Well typed state]
    13. 

  13. \label{wt-state}
    14. 

  14. A state $\sigma \in State$, $\sigma \neq \bot$ is well typed with regards to a type system $\Gamma$ (noted $\sigma |- \Gamma$) when
    15. 

  15. \[\forall x \in Var,\ \Gamma |- x : T => \sigma x |- T\]
    16. 

  16. \end{definition}
    17. 

  17. 

  18. \begin{lemma}[Well typed expressions cannot go wrong]
    19. 

  19. $\forall e \in AExpr, \sigma \in State, \Gamma$ such as $\sigma |- \Gamma$:
    20. 

  20. \[\Gamma |- e : T => \mathcal{A}|[e|] \sigma |- T\]
    21. 

  21. In particular, $\mathcal{A}|[e|] \sigma \neq \bot$.
    22. 

  22. \end{lemma}
    23. 

  23. 

  24. \begin{proof}
    25. 

  25. We demonstrate this property by induction on the structure of the expression $e$.
    26. 

  26. First let assume that $\Gamma |- e : T$.
    27. 

  27. We can eliminate all trivial cases in contradiction with this assumption (for example when $e = 1 + 1$ and $T = \{\}$).
    28. 

  28. Here are the other base cases:
    29. 

  29. \begin{itemize}
    30. 

  30. \item $e = n, T = int$.
    31. 

  31. 

  32. $\mathcal{A}|[e|] \sigma = \mathcal{N}|[n|] \sigma$.
    33. 

  33. 

  34. $\mathcal{N}|[n|] \sigma \in \mathbb{N}$ so we have $\mathcal{A}|[e|] \sigma \in \mathbb{N}$ which means that $\mathcal{A}|[e|] \sigma |- T$.
    35. 

  35. 

  36. \item $e = x$.
    37. 

  37. 

  38. By definition $\mathcal{A}|[x|]\sigma = \sigma x$.
    39. 

  39. 

  40. $\sigma$ is well typed, so by definition \ref{wt-state}, $\sigma x |- T$. 
    41. 

  41. So we have $\mathcal{A}|[e|] \sigma |- T$.
    42. 

  42. \end{itemize}
    43. 

  43. 

  44. Now the inductive cases:
    45. 

  45. \begin{itemize}
    46. 

  46. \item $e = e_1\ o\ e_2, T = int$.
    47. 

  47. 

  48. By definition $\mathcal{A}|[e|]\sigma = \mathcal{A}|[e_1|]\sigma\ o\ \mathcal{A}|[e_2|]\sigma$.
    49. 

  49. 

  50. We also know that $\Gamma |- e_1 : int$ and $\Gamma |- e_2 : int$ (by definition of $|-$).
    51. 

  51. So by our hypothesis of induction, we have $\mathcal{A}|[e_1|]\sigma |- int$ and $\mathcal{A}|[e_2|]\sigma |- int$.
    52. 

  52. 

  53. This means that both $\mathcal{A}|[e_1|]\sigma$ and $\mathcal{A}|[e_2|]\sigma$ are in $\mathbb{N}$,
    54. 

  54. $\mathcal{A}|[e_1|]\sigma\ o\ \mathcal{A}|[e_2|]\sigma$ is defined and returns a value in $\mathbb{N}$.
    55. 

  55. 

  56. So we have $\mathcal{A}|[e|] \sigma |- T$.
    57. 

  57. 

  58. \item $e = e_1.f$.
    59. 

  59. 

  60. By definition, $\mathcal{A} |[ e |] \sigma = \mathcal{A}|[e_1|] \sigma f$.
    61. 

  61. But is it defined?
    62. 

  62. 

  63. By definition of $|-$,
    64. 

  64. \[
    65. 

  65.   \inference{\Gamma \vdash e_1 : \{f : T\}}{\Gamma \vdash e_1.f : T}
    66. 

  66. \]
    67. 

  67. 

  68. By our hypothesis of induction, we have $\mathcal{A}|[e_1|]\sigma |- T$.
    69. 

  69. So by definition \ref{wt-state} we have:
    70. 

  70. \begin{itemize}
    71. 

  71. \item $\mathcal{A}|[e_1|]\sigma \in Field \rightharpoonup Value$
    72. 

  72. \item $f \in dom(\mathcal{A}|[e_1|]\sigma)$
    73. 

  73. \item $\mathcal{A}|[e_1|]\sigma f |- T$
    74. 

  74. \end{itemize}
    75. 

  75. 

  76. This means that $\mathcal{A} |[ e |] \sigma = \mathcal{A}|[e_1|] \sigma f$ is defined,
    77. 

  77. and $\mathcal{A}|[e|] \sigma |- T$.
    78. 

  78. 

  79. \item $e = e_1[f \mapsto e_2]$.
    80. 

  80. 

  81. By definition, $\mathcal{A} |[ e |] \sigma = \mathcal{A}|[ e_1 |] \sigma [f \mapsto \mathcal{A}|[ e_2 |] \sigma ]$.
    82. 

  82. We need to ensure that it is defined, and well typed.
    83. 

  83. 

  84. By definition of $|-$,
    85. 

  85. \[
    86. 

  86.   \inference[append ]{\Gamma \vdash e_2 : T' & \Gamma \vdash e_1 : \{f_1 : T_1; \dots; f_n : T_n\}}{\Gamma \vdash e_1[f \mapsto e_2] : T = \{f : T'; f_1 : T_1; \dots; f_n : T_n\}}
    87. 

  87. \]
    88. 

  88. 

  89. or
    90. 

  90. 

  91. \[
    92. 

  92.   \inference[override ]{\Gamma \vdash e_2 : T' & \Gamma \vdash e_1 : \{f_1 : T_1; \dots; f_i : T_i; \dots; f_n : T_n\}}{\Gamma \vdash e_1[f_i \mapsto e_2] : T = \{f_1 : T_1; \dots; f_i : T'; \dots; f_n : T_n\}}
    93. 

  93. \]
    94. 

  94. 

  95. Let consider the first case (the other case works the same).
    96. 

  96. By our hypothesis of induction, we have $\mathcal{A}|[e_1|]\sigma |- \{f_1 : T_1; \dots; f_n : T_n\}$.
    97. 

  97. So by definition \ref{wt-state} we have:
    98. 

  98. \begin{itemize}
    99. 

  99. \item $\mathcal{A}|[e_1|]\sigma \in Field \rightharpoonup Value$
    100. 

  100. \item $f \in dom(\mathcal{A}|[e_1|]\sigma)$
    101. 

  101. %\item $\mathcal{A}|[e_1|]\sigma f |- T$
    102. 

  102. \end{itemize}
    103. 

  103. 

  104. We also have (by induction again), $\mathcal{A}|[e_2|]\sigma |- T'$.
    105. 

  105. 

  106. So $\mathcal{A} |[ e |] \sigma = \mathcal{A}|[ e_1 |] \sigma [f \mapsto \mathcal{A}|[ e_2 |]]$ is defined,
    107. 

  107. and moreover:
    108. 

  108. \begin{itemize}
    109. 

  109. \item $\mathcal{A}|[e|] \sigma \in Field \rightharpoonup Value$
    110. 

  110. \item $\forall f_i, 1 \leq i \leq n, f_i \in dom(\mathcal{A}|[e|]\sigma)$ (because it is in $dom(\mathcal{A}|[e_1|]\sigma)$)
    111. 

  111. \item $f \in dom(\mathcal{A}|[e|]\sigma)$ (because it has just been added), and finally,
    112. 

  112. \item $\mathcal{A}|[e|]\sigma f |- T'$.
    113. 

  113. \end{itemize}
    114. 

  114. 

  115. This matches the definition of $\mathcal{A}|[e|] \sigma |- T = \{f : T'; f_1 : T_1; \dots; f_n : T_n\}$.
    116. 

  116. 

  117. \item $e = \{f_1 = e_1; \dots; f_n = e_n\}$.
    118. 

  118. 

  119. By definition,
    120. 

  120. \[\mathcal{A} |[e|] \sigma f_i = \mathcal{A}|[e_i|] \sigma\]
    121. 

  121. This means that, $\forall f_i, 1 \leq i \leq n$:
    122. 

  122. \begin{itemize}
    123. 

  123. \item $\mathcal{A}|[e|] \sigma \in Field \rightharpoonup Value$
    124. 

  124. \item $f_i \in dom(\mathcal{A}|[e|]\sigma)$
    125. 

  125. \item $\mathcal{A}|[e|]\sigma f_i = \mathcal{A}|[e_i|]\sigma |- T_i$ (by induction).
    126. 

  126. \end{itemize}
    127. 

  127. 

  128. This matches the definition for $\mathcal{A}|[e|] \sigma |- T$.
    129. 

  129. 

  130. \end{itemize}
    131. 

  131. \end{proof}
    132. 

  132. 

  133. \begin{lemma}[Well typed programs cannot go wrong]
    134. 

  134. \label{wt-state-dgw}
    135. 

  135. \[\forall \Gamma P,\quad \Gamma \vdash P \; => \;\forall \sigma |- \Gamma,\; ((P, \sigma) \reduce \sigma' => \sigma' |- \Gamma) \land ((P, \sigma) \reduce (S, \sigma') => \sigma' |- \Gamma)\]
    136. 

  136. In particular this also means that:
    137. 

  137. \[\forall \Gamma P,\quad \Gamma \vdash P \; => \;\forall \sigma |- \Gamma,\; (P, \sigma) \not\reduce \bot \land (P, \sigma) \not\reduce (S, \bot)\]
    138. 

  138. \end{lemma}
    139. 

  139. 

  140. \begin{proof}
    141. 

  141. This proof can be done by induction on the length of the execution path of the program $P$.
    142. 

  142. Let's consider $\Gamma |- P$ and a state $\sigma |- \Gamma$.
    143. 

  143. \begin{itemize}
    144. 

  144. \item Let's prove that if $(P, \sigma) \rightarrow^0 \sigma' or (P, \sigma) \rightarrow^0 (S, \sigma')$ then $\sigma' |- \Gamma$.
    145. 

  145. Because $\sigma = (S, \sigma')$ is impossible, we are in the case where $\sigma = \sigma'$.
    146. 

  146. By hypothesis, $\sigma |- \Gamma$, so $\sigma' |- \Gamma$.
    147. 

  147. 

  148. \item We name $s$ the intermediate state such as $(P, \sigma) \rightarrow^k s$ for any $k$.
    149. 

  149. We have two cases:
    150. 

  150. \begin{itemize}
    151. 

  151. \item $s = \sigma'' \in State$
    152. 

  152. There is no transition from a terminal state, so this is trivially true.
    153. 

  153. \item $s = (S, \sigma'')$
    154. 

  154. By induction we know that $\sigma'' |- \Gamma$.
    155. 

  155. 

  156. We can prove by induction on the structure of $S$ that
    157. 

  157. $(S, \sigma'') \rightarrow \sigma' => \sigma' |- \Gamma$ and
    158. 

  158. $(S, \sigma'') \rightarrow (S', \sigma') => \sigma' |- \Gamma$.
    159. 

  159. 

  160. Sadely, We don't have time to terminate the proof...
    161. 

  161. \end{itemize}
    162. 

  162. \end{itemize}
    163. 

  163. \end{proof}
    164.