Extensibella: Extensibella Example: simple

Language Specification

File: list.sos

Module simple_imp:list

Builds on simple_imp:host

/*New Expressions and Projections*/
e ::= ...
    | nil(ty) /*we need the type to satisfy a host property*/
    | cons(e, e)
    | null(e)
    | head(e)
    | tail(e)
    | index(e, e) /*lst[i]*/
    | length(e)


--------------------------------------------- [Proj-Nil]
|{e}- nil(Ty) ~~>
      recBuild(addRecFieldExprs("null", true,
               endRecFieldExprs))


---------------------------------------------------------- [Proj-Cons]
|{e}- cons(E1, E2) ~~>
      recBuild(
         addRecFieldExprs("null", false,
         addRecFieldExprs("head", E1,
         addRecFieldExprs("tail", E2, endRecFieldExprs))))


------------------- [Proj-Null]
|{e}- null(E) ~~> E


------------------- [Proj-Head]
|{e}- head(E) ~~> E


------------------- [Proj-Tail]
|{e}- tail(E) ~~> E


/*Actually computing the length or index from records would require
  conditionals, so we'll take advantage of the lax projection
  constraints and translate to something unrelated to the actual
  value.*/
-------------------------------------------------- [Proj-Index]
|{e}- index(Lst, Index) ~~> and(null(Lst),
                                eq(num(0), Index))


--------------------- [Proj-Length]
|{e}- length(E) ~~> E



/*New Type and Projection*/
ty ::= ...
     | listTy(ty)


/*Strictly speaking, an empty list doesn't have the head or tail
  fields.  However, we don't have any projection constraints on types,
  so we can do whatever we want, and this is close.*/
----------------------------------------------- [Proj-ListTy]
|{ty}- listTy(T) ~~>
       recTy([("head", T), ("tail", listTy(T)),
              ("null", boolTy)])



/*New Value and Projection*/
value ::= ...
        | nilVal
        | consVal(value, value)


------------------------------------------------ [Proj-NilVal]
|{value}- nilVal ~~> recVal([("null", trueVal)])


--------------------------------------------- [Proj-ConsVal]
|{value}- consVal(Hd, Tl) ~~>
          recVal([("head", Hd), ("tail", Tl),
                  ("null", falseVal)])

File: list_vars.sos

[Reduce File] [Raw File]

Module simple_imp:list

/*Expression Vars*/

--------------- [V-Nil]
vars nil(Ty) []


vars E1 D1
vars E2 D2
D1 ++ D2 = D
------------------- [V-Cons]
vars cons(E1, E2) D


vars E D
-------------- [V-Null]
vars null(E) D


vars E D
-------------- [V-Head]
vars head(E) D


vars E D
-------------- [V-Tail]
vars tail(E) D


vars E1 D1
vars E2 D2
D1 ++ D2 = D
-------------------- [V-Index]
vars index(E1, E2) D


vars E D
---------------- [V-Length]
vars length(E) D

File: list_typing.sos

[Reduce File] [Raw File]

Module simple_imp:list

/*Expression Typing*/

--------------------------- [T-Nil]
typeOf G nil(Ty) listTy(Ty)


typeOf G E1 Ty
typeOf G E2 listTy(Ty)
-------------------------------- [T-Cons]
typeOf G cons(E1, E2) listTy(Ty)


typeOf G E listTy(Ty)
----------------------- [T-Null]
typeOf G null(E) boolTy


typeOf G E listTy(Ty)
--------------------- [T-Head]
typeOf G head(E) Ty


typeOf G E listTy(Ty)
--------------------------- [T-Tail]
typeOf G tail(E) listTy(Ty)


typeOf G List listTy(Ty)
typeOf G Index intTy
------------------------------ [T-Index]
typeOf G index(List, Index) Ty


typeOf G Lst listTy(Ty)
-------------------------- [T-Length]
typeOf G length(Lst) intTy




/*Value Typing*/

--------------------------- [TV-Nil]
typeOfVal nilVal listTy(Ty)


typeOfVal V1 Ty
typeOfVal V2 listTy(Ty)
------------------------------------ [TV-Cons]
typeOfVal consVal(V1, V2) listTy(Ty)

File: list_eval.sos

[Reduce File] [Raw File]

Module simple_imp:list

/*Expression Evaluation*/

----------------------- [E-Nil]
eval_e G nil(Ty) nilVal


eval_e G E1 V1
eval_e G E2 V2
------------------------------------- [E-Cons]
eval_e G cons(E1, E2) consVal(V1, V2)


eval_e G E nilVal
---------------------- [E-NullTrue]
eval_e G null(E) trueVal


eval_e G E consVal(V1, V2)
-------------------------- [E-NullFalse]
eval_e G null(E) falseVal


eval_e G E consVal(V1, V2)
-------------------------- [E-Head]
eval_e G head(E) V1


eval_e G E consVal(V1, V2)
-------------------------- [E-Tail]
eval_e G tail(E) V2


/*To address proof problems, explicitly make indexing H::T
  We need this form in order for indexing to succeed anyway
  Another option would be to make indexRel fixed*/
eval_e G E1 consVal(Hd, Tl)
eval_e G E2 intVal(I)
indexRel consVal(Hd, Tl) I V
---------------------------- [E-Index]
eval_e G index(E1, E2) V


eval_e G E ListVal
lengthRel ListVal Length
--------------------------------- [E-Length]
eval_e G length(E) intVal(Length)


/*Support for list expression evaluation*/
Judgment indexRel : value* int value

----------------------------- [Index-0]
indexRel consVal(Hd, Tl) 0 Hd


Index - 1 = SubIndex
indexRel Tl SubIndex V
-------------------------------- [Index-Step]
indexRel consVal(Hd, Tl) Index V


|{value}- V ~~> VT
indexRel VT I Result
-------------------- [Index-D]*
indexRel V I Result


Judgment lengthRel : value* int

--------------- [Len-Nil]
lengthRel nilVal 0


lengthRel Tl SubLen
SubLen + 1 = Len
----------------------------- [Len-Cons]
lengthRel consVal(Hd, Tl) Len


|{value}- V ~~> VT
lengthRel VT Len
------------------ [Len-D]*
lengthRel V Len




/*Value Equality*/

-------------------- [VE-NilVal]
val_eq nilVal nilVal


val_eq V11 V21
val_eq V12 V22
------------------------------------------ [VE-ConsVal]
val_eq consVal(V11, V12) consVal(V21, V22)

Reasoning

[Show All Proofs] [Hide All Proofs] [Raw File]

Click on a command or tactic to see a detailed view of its use.

Module simple_imp:list.


Prove_Constraint simple_imp:host:proj_e_unique. [Show Proof]

%nil
 case Hyp1. search.
%cons
 case Hyp1. search.
%null
 case Hyp1. search.
%head
 case Hyp1. search.
%tail
 case Hyp1. search.
%index
 case Hyp1. search.
%length
 case Hyp1. search.
Prove_Constraint simple_imp:host:proj_e_is. [Show Proof]

%nil
 search 8. %too big to solve at default depth
%cons
 case Hyp1. search 10. %too big
%null
 case Hyp1. search 7.
%head
 case Hyp1. search 7.
%tail
 case Hyp1. search 7.
%index
 case Hyp1. search.
%length
 case Hyp1. search.


Prove_Constraint simple_imp:host:proj_rf_unique.
Prove_Constraint simple_imp:host:proj_rf_is.
Prove_Constraint simple_imp:host:proj_c_unique.
Prove_Constraint simple_imp:host:proj_c_is.
Prove_Constraint simple_imp:host:proj_recFields_unique.
Prove_Constraint simple_imp:host:proj_recFields_is.


Prove_Constraint simple_imp:host:proj_ty_unique. [Show Proof]

%listTy
 case Hyp1. search.
Prove_Constraint simple_imp:host:proj_ty_is. [Show Proof]

%listTy
 case Hyp1. search 11.


Prove_Constraint simple_imp:host:proj_value_unique. [Show Proof]

%nilVal
 case Hyp1. search.
%consVal
 case Hyp1. search.
Prove_Constraint simple_imp:host:proj_value_is. [Show Proof]

%nilVal
 search 9.
%consVal
 case Hyp1. search 11.

Prove simple_imp:host:vars_join,
      simple_imp:host:vars_rf_join. [Show Proof]

%vars_join
 %nil
  search.
 %cons
  J2: apply IH to Vars2 with D = D. J1: apply IH to Vars1 with D = D'.
  JApp: apply append_associative_back to J2 J1.
  apply append_unique to Vars3 JApp. search.
 %null
  apply IH to Vars1 with D = D. search.
 %head
  apply IH to Vars1 with D = D. search.
 %tail
  apply IH to Vars1 with D = D. search.
 %index
  J2: apply IH to Vars2 with D = D. J1: apply IH to Vars1 with D = D'.
  JApp: apply append_associative_back to J2 J1.
  apply append_unique to Vars3 JApp. search.
 %length
  apply IH to Vars1 with D = D. search.


Prove simple_imp:host:vars_unique,
      simple_imp:host:vars_rf_unique. [Show Proof]

%vars_unique
 %nil
  case Vars2. search.
 %cons
  Vars2: case Vars2. apply IH to Vars3 Vars2. apply IH to Vars4 Vars6.
  apply append_unique to Vars5 Vars7. search.
 %null
  Vars2: case Vars2. apply IH to Vars3 Vars2. search.
 %head
  Vars2: case Vars2. apply IH to Vars3 Vars2. search.
 %tail
  Vars2: case Vars2. apply IH to Vars3 Vars2. search.
 %index
  Vars2: case Vars2. apply IH to Vars3 Vars2. apply IH to Vars4 Vars6.
  apply append_unique to Vars5 Vars7. search.
 %length
  Vars2: case Vars2. apply IH to Vars3 Vars2. search.


Prove_Constraint simple_imp:host:proj_e_vars_exist. [Show Proof]

%nil
 search.
%cons
 case Hyp1. exists V. unfold. unfold. exists V, []. split.
   %vars_rf {head: E1; tail: E2} V
    unfold. exists D2, D1. split.
      %vars {tail: E2} D1
       unfold. exists [], D2. split. search. search.
       apply vars_join to H2 with D = [].
       apply append_nil_right to H4. search.
      %vars E1 D1
       search.
      %D1 ++ D2 = V
       search.
   %vars false []
    search.
   %empty ++ V = V
    search.
%null
 case Hyp1. search.
%head
 case Hyp1. search.
%tail
 case Hyp1. search.
%index
 Vars: case Hyp1. search.
%length
 case Hyp1. search.
Prove_Constraint simple_imp:host:proj_e_vars. [Show Proof]

%nil
 case Hyp2. case H1. case H2. case H3. case H4. case Hyp1. search.
%cons
 VarsCons: case Hyp1. case Hyp2. case H1. case H3. case H2. case H5.
 case H8. apply vars_unique to VarsCons H6.
 apply vars_unique to VarsCons1 H9.
 apply append_nil_right to H10. case H4.
 Or: apply mem_append to Hyp3 VarsCons2. MemOr: case Or.
   %mem X DE1
    apply mem_append_left to MemOr H7. search.
   %mem X DRest1
    apply mem_append_right to MemOr H7. search.
%null
 case Hyp1. apply vars_unique to H1 Hyp2. search.
%head
 case Hyp1. apply vars_unique to H1 Hyp2. search.
%tail
 case Hyp1. apply vars_unique to H1 Hyp2. search.
%index
 VI: case Hyp1. VT: case Hyp2. VIdx2: case VT1. case VIdx2.
 VLst2: case VT. case VIdx3. apply vars_unique to VI VLst2.
 apply vars_unique to VI1 VIdx1. apply append_unique to VI2 VT2.
 search.
%length
 case Hyp1. apply vars_unique to Hyp2 H1. search.
Prove_Constraint simple_imp:host:proj_rf_vars_exist.
Prove_Constraint simple_imp:host:proj_rf_vars.


Prove simple_imp:host:vars_is,
      simple_imp:host:vars_rf_is. [Show Proof]

%vars_is
  %nil list
   search.
  %cons list
   IsE1: case IsE. IsD1: apply IH to IsE1 Vars1.
   IsD2: apply IH to IsE2 Vars2.
   apply append__is_list__is_string to IsD1 IsD2 Vars3. search.
  %null check
   IsE1: case IsE. apply IH to IsE1 Vars1. search.
  %head of list
   IsE1: case IsE. apply IH to IsE1 Vars1. search.
  %tail of list
   IsE1: case IsE. apply IH to IsE1 Vars1. search.
  %index into list
   IsE1: case IsE. IsD1: apply IH to IsE1 Vars1.
   IsD2: apply IH to IsE2 Vars2.
   apply append__is_list__is_string to IsD1 IsD2 Vars3. search.
  %length of list
   IsE1: case IsE. apply IH to IsE1 Vars1. search.


Prove simple_imp:host:vars_exist,
      simple_imp:host:vars_rf_exist. [Show Proof]

%vars_exist
  %nil list
   search.
  %cons list
   Vars1: apply IH to IsE1. Vars2: apply IH to IsE2.
   IsV: apply vars_is to IsE1 Vars1.
   IsV1: apply vars_is to IsE2 Vars2.
   apply append__is_list__is_string__total to IsV IsV1. search.
  %null check
   apply IH to IsE1. search.
  %head of list
   apply IH to IsE1. search.
  %tail of list
   apply IH to IsE1. search.
  %index into list
   Vars1: apply IH to IsE1. Vars2: apply IH to IsE2.
   IsV: apply vars_is to IsE1 Vars1.
   IsV1: apply vars_is to IsE2 Vars2.
   apply append__is_list__is_string__total to IsV IsV1. search.
  %length of list
   apply IH to IsE1. search.


Prove simple_imp:host:typeOf_unique,
      simple_imp:host:typeRecFields_unique. [Show Proof]

%typeOf_unique
  %nil list
   Ty2: case Ty2. search. %This is why we need nil(Ty) instead of just nil
  %cons list
   Ty2: case Ty2. apply IH to Ty3 Ty2. apply IH to Ty4 Ty5. search.
  %null check
   Ty2: case Ty2. search.
  %head of list
   Ty2: case Ty2. apply IH to Ty3 Ty2. search.
  %tail of list
   Ty2: case Ty2. apply IH to Ty3 Ty2. search.
  %index into list
   Ty2: case Ty2. apply IH to Ty3 Ty2. search.
  %length of list
   Ty2: case Ty2. search.


Prove simple_imp:host:typeOK_unique.


Prove_Constraint simple_imp:host:proj_eval_e. [Show Proof]

%nil
 search.
%cons
 Ev: case Hyp1. search.
%null
 case Hyp1.
   %E-NullTrue
    search.
   %E-NullFalse
    search.
%head
 case Hyp1. search.
%tail
 case Hyp1. search.
%index
 /*This is why we need E-Index to specify consVal.  Without that, we
   have no way of determining if (null Lst) will evaluate.  We might
   try proving
     forall E L I V G, indexRel L I V -> eval_e G E L ->
                                 exists V', eval_e G (null E) V'
   but this fails in the generic case because the definition of
   indexRel is copied from L's projection, but E still evaluates to
   the original L, so we can't apply the IH.*/
 Ev: case Hyp1. search.
%length
 Ev: case Hyp1. search.


Extensible_Theorem
  index_is_integer : forall L I V,
    Index : indexRel L I V ->
    is_integer I
  on Index. [Show Proof]

%Index-0
 search.
%Index-Step
 IsSubIndex: apply IH to Index2.
 Is: apply minus_integer_is_integer_result to IsSubIndex Index1.
 search.
%Index-D
 backchain IH.
Extensible_Theorem
  index_negative_false : forall L I V,
    Index : indexRel L I V ->
    Neg : I < 0 ->
    false
  on Index. [Show Proof]

%Index-0
 case Neg.
%Index-Step
 apply index_is_integer to Index.
 apply less_integer__subtract_positive to _ _ Neg _ Index1.
 apply minus_integer_is_integer to _ _ Index1.
 apply IH to Index2 _.
%Index-D
 apply IH to Index2 Neg.
Extensible_Theorem
  index_unique : forall L I V1 V2,
    Index1 : indexRel L I V1 ->
    Index2 : indexRel L I V2 ->
    V1 = V2
  on Index1. [Show Proof]

%1 by Index-0
 Index2: case Index2.
   %2 by Index-0
    search.
   %2 by Index-Step
    case Index2. case H1. apply index_negative_false to Index3 _.
%1 by Index-Step
 Index2: case Index2.
   %2 by Index-0
    case Index3. case H1. apply index_negative_false to Index4 _.
   %2 by Index-Step
    apply minus_integer_unique to Index3 Index2.
    apply IH to Index4 Index5. search.
%1 by Index-D
 Index2: case Index2. apply proj_value_unique to Index3 Index2.
 apply IH to Index4 Index5. search.

Extensible_Theorem
  length_is_integer : forall L V,
    Len : lengthRel L V ->
    is_integer V
  on Len. [Show Proof]

%Len-Nil
 search.
%Len-Cons
 IsSubLen: apply IH to Len1.
 apply plus_integer_is_integer to _ _ Len2. search.
%Len-D
 apply IH to Len2. search.
Extensible_Theorem
  length_unique : forall L V1 V2,
    Len1 : lengthRel L V1 ->
    Len2 : lengthRel L V2 ->
    V1 = V2
  on Len1. [Show Proof]

%1 by Len-Nil
 case Len2. search.
%1 by Len-Cons
 Len2: case Len2. apply IH to Len3 Len2.
 apply plus_integer_unique to Len4 Len5. search.
%1 by Len-D
 Len2: case Len2. apply proj_value_unique to Len3 Len2.
 apply IH to Len4 Len5. search.


Prove simple_imp:host:eval_e_unique,
      simple_imp:host:eval_rf_unique. [Show Proof]

%eval_e_unique
  %E-Nil
   case Ev2. search.
  %E-Cons
   Ev2: case Ev2. apply IH to Ev3 Ev2. apply IH to Ev4 Ev5. search.
  %E-NullTrue
   Ev2: case Ev2.
     %2 by E-NullTrue
      search.
     %2 by E-NullFalse
      apply IH to Ev3 Ev2.
  %E-NullFalse
   Ev2: case Ev2.
     %2 by E-NullTrue
      apply IH to Ev3 Ev2.
     %2 by E-NullFalse
      search.
  %E-Head
   Ev2: case Ev2. apply IH to Ev3 Ev2. search.
  %E-Tail
   Ev2: case Ev2. apply IH to Ev3 Ev2. search.
  %E-Index
   Ev2: case Ev2. apply IH to Ev3 Ev2. apply IH to Ev4 Ev6.
   apply index_unique to Ev5 Ev7. search.
  %E-Length
   Ev2: case Ev2. apply IH to Ev3 Ev2.
   apply simple_imp:list:length_unique to Ev4 Ev5. search.


Prove simple_imp:host:update_rec_fields_unique.


Prove_Constraint simple_imp:host:proj_c_eval.


Add_Ext_Size simple_imp:host:eval_c.
Add_Proj_Rel simple_imp:host:eval_c.


Prove_Ext_Ind simple_imp:host:eval_c.


Prove simple_imp:host:eval_c_unique.


Prove_Constraint simple_imp:host:proj_c_eval_results.
Prove_Constraint simple_imp:host:proj_c_eval_results_back.


Prove simple_imp:host:vars_eval_same_result,
      simple_imp:host:vars_equal_rf_same_result. [Show Proof]

%vars_eval_same_result
  %E-Nil
   case Ev2. search.
  %E-Cons
   Ev2: case Ev2. Vars1: case Vars.
   apply IH to _ Vars1 Ev3 Ev2. backchain vars_equiv_left.
   apply IH to _ Vars2 Ev4 Ev5. backchain vars_equiv_right. search.
  %E-NullTrue
   Ev2: case Ev2.
     %2 by E-NullTrue
      search.
     %2 by E-NullFalse
      Vars1: case Vars. apply IH to _ Vars1 Ev3 Ev2.
  %E-NullFalse
   Ev2: case Ev2.
     %2 by E-NullTrue
      Vars1: case Vars. apply IH to _ Vars1 Ev3 Ev2.
     %2 by E-NullFalse
      search.
  %E-Head
   Ev2: case Ev2. Vars1: case Vars. apply IH to _ Vars1 Ev3 Ev2.
   search.
  %E-Tail
   Ev2: case Ev2. Vars1: case Vars. apply IH to _ Vars1 Ev3 Ev2.
   search.
  %E-Index
   Ev2: case Ev2. Vars1: case Vars.
   apply IH to _ Vars1 Ev3 Ev2. backchain vars_equiv_left.
   apply IH to _ Vars2 Ev4 Ev6. backchain vars_equiv_right.
   apply index_unique to Ev5 Ev7. search.
  %E-Length
   Ev2: case Ev2. Vars1: case Vars. apply IH to _ Vars1 Ev3 Ev2.
   apply simple_imp:list:length_unique to Ev4 Ev5. search.

Back to example home

Extensibella Example: simple_imp:list

Language Specification

File: list.sos

File: list_vars.sos

File: list_typing.sos

File: list_eval.sos

Reasoning