Syntactic proofs empower metatheory (PowerPoint PPT presentation)


  1. Syntactic proofs empower metatheory
A derivation (proof) D is a data structure. Got a fact about all derivations?
• It's a fact about all terminating evaluations
• They are in 1-to-1 correspondence
Prove meta-theoretic properties by structural induction over derivations
• aka "induction on the height of the derivation tree"
Example: evaluating an expression doesn't create or destroy any global variables (the set of defined global variables is invariant).

  2. Metatheorems often help implementors
More example metatheorems:
• OK to mutate environments if you use a stack (Impcore)
• Interactive browser doesn't leak space (POPL 2012)
• Device driver can't harm kernel (Microsoft Singularity)

  3. Metatheorems come in stylized form
For any $e$, $\xi$, $\phi$, $\rho$, $v$, $\xi'$, and $\rho'$ such that
$\langle e, \xi, \phi, \rho \rangle \Downarrow \langle v, \xi', \phi, \rho' \rangle$,
METATHEORETIC PROPERTY

  4. Metatheorems are proved by induction
Induction over the height of derivation trees $\mathcal{D}$. These are "math-class proofs" (not derivations).
The proof
• goes by case analysis of the last rule in the derivation;
• has one case for each rule;
• base cases don't have proper sub-derivations;
• inductive cases assume the induction hypothesis for any proper sub-derivation.
Let's try it!

  5. Example metatheorem
During the evaluation of an Impcore expression, evaluation does not change the set of defined global variables.
Formally, for any $e$, $\xi$, $\phi$, $\rho$, $v$, $\xi'$, and $\rho'$ such that
$\langle e, \xi, \phi, \rho \rangle \Downarrow \langle v, \xi', \phi, \rho' \rangle$,
$\mathrm{dom}(\xi') = \mathrm{dom}(\xi)$

  6. Literal case
Base case:
$\mathcal{D} = \dfrac{}{\langle \mathrm{LITERAL}(v), \xi, \phi, \rho \rangle \Downarrow \langle v, \xi, \phi, \rho \rangle}\ (\mathrm{LITERAL})$
Both sides identical! $\mathrm{dom}\,\xi = \mathrm{dom}\,\xi$

  7. Formal Var case
Another base case:
$\mathcal{D} = \dfrac{x \in \mathrm{dom}\,\rho}{\langle \mathrm{VAR}(x), \xi, \phi, \rho \rangle \Downarrow \langle \rho(x), \xi, \phi, \rho \rangle}\ (\mathrm{FORMALVAR})$
Both sides identical! $\mathrm{dom}\,\xi = \mathrm{dom}\,\xi$

  8. Formal Assign case
Assignment to a formal parameter:
$\mathcal{D} = \dfrac{x \in \mathrm{dom}\,\rho \qquad \overbrace{\langle e, \xi, \phi, \rho \rangle \Downarrow \langle v, \xi', \phi, \rho' \rangle}^{\mathcal{D}_r}}{\langle \mathrm{SET}(x, e), \xi, \phi, \rho \rangle \Downarrow \langle v, \xi', \phi, \rho'\{x \mapsto v\} \rangle}\ (\mathrm{FORMALASSIGN})$
By induction hypothesis on $\mathcal{D}_r$, $\mathrm{dom}\,\xi = \mathrm{dom}\,\xi'$.
Both sides have same domain!

  9. IfTrue case
True conditional:
$\mathcal{D} = \dfrac{\overbrace{\langle e_1, \xi, \phi, \rho \rangle \Downarrow \langle v_1, \xi', \phi, \rho' \rangle}^{\mathcal{D}_1} \qquad v_1 \neq 0 \qquad \overbrace{\langle e_2, \xi', \phi, \rho' \rangle \Downarrow \langle v_2, \xi'', \phi, \rho'' \rangle}^{\mathcal{D}_2}}{\langle \mathrm{IF}(e_1, e_2, e_3), \xi, \phi, \rho \rangle \Downarrow \langle v_2, \xi'', \phi, \rho'' \rangle}\ (\mathrm{IFTRUE})$
By induction hypothesis on $\mathcal{D}_1$, $\mathrm{dom}\,\xi = \mathrm{dom}\,\xi'$.
By induction hypothesis on $\mathcal{D}_2$, $\mathrm{dom}\,\xi' = \mathrm{dom}\,\xi''$.
Therefore, both sides have same domain: $\mathrm{dom}\,\xi = \mathrm{dom}\,\xi''$

  10. Global Assign: the only interesting case
$\mathcal{D} = \dfrac{x \notin \mathrm{dom}\,\rho \qquad x \in \mathrm{dom}\,\xi \qquad \overbrace{\langle e, \xi, \phi, \rho \rangle \Downarrow \langle v, \xi', \phi, \rho' \rangle}^{\mathcal{D}_r}}{\langle \mathrm{SET}(x, e), \xi, \phi, \rho \rangle \Downarrow \langle v, \xi'\{x \mapsto v\}, \phi, \rho' \rangle}\ (\mathrm{GLOBALASSIGN})$
Do both sides have same domain?
• Does $\mathrm{dom}\,\xi = \mathrm{dom}(\xi'\{x \mapsto v\})$?
By induction hypothesis on $\mathcal{D}_r$, $\mathrm{dom}\,\xi = \mathrm{dom}\,\xi'$.
And $\mathrm{dom}(\xi'\{x \mapsto v\}) = \mathrm{dom}\,\xi' \cup \{x\} = \mathrm{dom}\,\xi \cup \{x\}$
But $x \in \mathrm{dom}\,\xi$! So $\mathrm{dom}\,\xi \cup \{x\} = \mathrm{dom}\,\xi$
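The proof cases above, as an added example that is not from the slides or from any Impcore implementation: a Python big-step evaluator for a fragment of Impcore (LITERAL, VAR, SET, IF) that returns the derivation tree as a data structure, plus a checker for $\mathrm{dom}\,\xi' = \mathrm{dom}\,\xi$ that recurses over that tree with one case per rule, following the proof step for step. Assumptions of this example: a GLOBALVAR rule and an IFFALSE rule, mirroring the FORMALVAR and IFTRUE cases the slides show; the function environment $\phi$ is dropped because none of these rules reads or writes it; and the `require_defined` switch is a hypothetical knob that removes the side condition $x \in \mathrm{dom}\,\xi$ from GLOBALASSIGN, so that one can see the "only interesting case" fail exactly where the proof leans on that condition.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed Impcore fragment: the expression forms whose rules the proof cases cover.
@dataclass(frozen=True)
class Literal: value: int                                  # LITERAL(v)
@dataclass(frozen=True)
class Var: name: str                                       # VAR(x)
@dataclass(frozen=True)
class Set: name: str; rhs: "Expr"                          # SET(x, e)
@dataclass(frozen=True)
class If: cond: "Expr"; then: "Expr"; els: "Expr"          # IF(e1, e2, e3)

Expr = Union[Literal, Var, Set, If]
Env = Dict[str, int]

@dataclass
class Judgment:
    """<e, xi, rho> evaluates to <v, xi', rho'>; phi is omitted (assumption: unused here)."""
    e: Expr
    xi: Env      # globals before
    rho: Env     # formals before
    v: int       # result value
    xi2: Env     # globals after  (xi')
    rho2: Env    # formals after  (rho')

@dataclass
class Derivation:
    """A derivation D as a data structure: rule used, its conclusion, proper sub-derivations."""
    rule: str
    conclusion: Judgment
    premises: List["Derivation"]   # empty for a base case

def height(d: Derivation) -> int:
    """Height of the derivation tree: the measure the induction is over."""
    return 1 + max((height(p) for p in d.premises), default=0)

def evaluate(e: Expr, xi: Env, rho: Env, require_defined: bool = True) -> Derivation:
    """Evaluator that returns the derivation of the evaluation it performed:
    one terminating evaluation gives exactly one derivation.
    require_defined=False (hypothetical knob) drops the side condition x in dom(xi)
    from GLOBALASSIGN, so SET may create a global; the checker then reports it."""
    if isinstance(e, Literal):
        return Derivation("LITERAL", Judgment(e, xi, rho, e.value, xi, rho), [])
    if isinstance(e, Var):
        if e.name in rho:
            return Derivation("FORMALVAR", Judgment(e, xi, rho, rho[e.name], xi, rho), [])
        if e.name in xi:   # assumed GLOBALVAR rule, by analogy with FORMALVAR
            return Derivation("GLOBALVAR", Judgment(e, xi, rho, xi[e.name], xi, rho), [])
        raise NameError(f"unbound variable {e.name}")
    if isinstance(e, Set):
        d_r = evaluate(e.rhs, xi, rho, require_defined)
        c = d_r.conclusion
        if e.name in rho:                 # x in dom(rho): rho'{x -> v}, xi' untouched
            return Derivation("FORMALASSIGN",
                              Judgment(e, xi, rho, c.v, c.xi2, {**c.rho2, e.name: c.v}), [d_r])
        if e.name in xi or not require_defined:   # x not in dom(rho), x in dom(xi): xi'{x -> v}
            return Derivation("GLOBALASSIGN",
                              Judgment(e, xi, rho, c.v, {**c.xi2, e.name: c.v}, c.rho2), [d_r])
        raise NameError(f"assignment to undefined variable {e.name}")
    d_1 = evaluate(e.cond, xi, rho, require_defined)
    c_1 = d_1.conclusion
    taken = e.then if c_1.v != 0 else e.els
    d_2 = evaluate(taken, c_1.xi2, c_1.rho2, require_defined)   # runs in the state e1 left behind
    c_2 = d_2.conclusion
    rule = "IFTRUE" if c_1.v != 0 else "IFFALSE"                 # IFFALSE assumed, mirrors IFTRUE
    return Derivation(rule, Judgment(e, xi, rho, c_2.v, c_2.xi2, c_2.rho2), [d_1, d_2])

def check_globals_invariant(d: Derivation) -> bool:
    """dom(xi') = dom(xi), by structural recursion over D with one case per rule."""
    c = d.conclusion
    dom, dom2 = set(c.xi), set(c.xi2)
    if d.rule in ("LITERAL", "FORMALVAR", "GLOBALVAR"):
        # Base cases: no proper sub-derivations, both sides of the judgment identical.
        return d.premises == [] and dom2 == dom
    # Inductive cases: assume the induction hypothesis for every proper sub-derivation.
    if not all(check_globals_invariant(p) for p in d.premises):
        return False
    if d.rule == "FORMALASSIGN":
        (d_r,) = d.premises        # IH on D_r: dom(xi) = dom(xi'); only rho changed
        return dom == set(d_r.conclusion.xi2) == dom2
    if d.rule == "GLOBALASSIGN":
        (d_r,) = d.premises        # IH on D_r: dom(xi) = dom(xi')
        x = c.e.name
        # dom(xi'{x -> v}) = dom(xi') u {x} = dom(xi) u {x}: equal to dom(xi) only because x in dom(xi)
        return dom2 == set(d_r.conclusion.xi2) | {x} and x in dom
    if d.rule in ("IFTRUE", "IFFALSE"):
        d_1, d_2 = d.premises      # IH on D1: dom(xi) = dom(xi'); IH on D2: dom(xi') = dom(xi'')
        return dom == set(d_1.conclusion.xi2) == set(d_2.conclusion.xi) and set(d_2.conclusion.xi2) == dom2
    return False                   # a rule the case analysis does not cover: the proof is not exhaustive
```

Running `evaluate(If(Set("p", Literal(5)), Set("g", Var("p")), Literal(0)), {"g": 1}, {"p": 0})` on this constructed input yields an IFTRUE derivation of height 3 whose conclusion has globals `{"g": 5}` and formals `{"p": 5}`, and `check_globals_invariant` accepts it; with `require_defined=False`, a `Set("h", Literal(7))` against globals `{"g": 1}` produces a GLOBALASSIGN derivation ending in `{"g": 1, "h": 7}`, and the checker rejects it at precisely the step where the slides invoke $x \in \mathrm{dom}\,\xi$.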
