The evaluators we have seen so far (e.g., the ones for aexps, bexps, and commands) have been formulated in a "big-step" style — they specify how a given expression can be evaluated to its final value (or a command plus a store to a final store) "all in one big step." This style is simple and natural for many purposes (indeed, Gilles Kahn, who popularized its use, called it natural semantics), but there are some things it does not do well. In particular, it does not give us a natural way of talking about concurrent programming languages, where the "semantics" of a program — i.e., the essence of how it behaves — is not just which input states get mapped to which output states, but also includes the intermediate states that it passes through along the way, since these states can also be observed by concurrently executing code. Another shortcoming of the big-step style is more technical, but critical for some applications. Consider the variant of Imp with lists that we introduced in ImpList.v. We chose to define the meaning of programs like 0 + nil by specifying that a list should be interpreted as 0 when it occurs in a context expecting a number, but this was a bit of a hack. It would be better simply to say that the behavior of such a program is undefined — it doesn't evaluate to any result. We could easily do this: we'd just have to use the formulations of aeval and beval as inductive propositions (rather than Fixpoints), so that we can make them partial functions instead of total ones. However, this way of defining Imp has a serious deficiency. In this language, a command might fail to map a given starting state to any ending state for two quite different reasons: either because the execution gets into an infinite loop or because, at some point, the program tries to do an operation that makes no sense, such as taking the successor of a boolean variable, and none of the evaluation rules can be applied. These two outcomes — nontermination vs. getting stuck in an erroneous configuration — are quite different. In particular, we want to allow the first (permitting the possibility of infinite loops is the price we pay for the convenience of programming with general looping constructs like while) but prevent the second (which is just wrong), for example by adding some form of typechecking to the language. Indeed, this will be a major topic for the rest of the course. As a first step, we need a different way of presenting the semantics that allows us to distinguish nontermination from erroneous "stuck states." So, for lots of reasons, we'd like to have a finer-grained way of defining and reasoning about program behaviors. This is the topic of the present chapter. We replace the "big-step" eval relation with a "small-step" relation that specifies, for a given program, how the "atomic steps" of computation are performed.

A Toy Language

To save space in the discussion, let's go back to an incredibly simple language containing just constants and addition. At the end of the chapter, we'll see how to apply the same techniques to the full Imp language.

Here is a standard evaluator for this language, written in the same (big-step) style as we've been using up to this point.

Now, here is the same evaluator, written in exactly the same style, but formulated as an inductively defined relation. Again, we use the notation t ⇓ n for "t evaluates to n."

	(E_Const)
n ⇓ n

t1 ⇓ n1
t2 ⇓ n2	(E_Plus)
t1 + t2 ⇓ plus n1 n2

We write plus n1 n2 in the second rule, rather than n1 + n2, to emphasize the fact that the + on the left of the ⇓ is an abstract-syntax-tree node while the addition on the right of the ⇓ is the mathematical sum of the numbers n1 and n2. The formal Coq version of the definition is more pedantic about this distinction:

Here is a slight variation, still in big-step style, where the final result of evaluating a term is also a term, rather than a bare number.

(Note that this doesn't change anything in the informal rules, where we are eliding the distinction between the constant term n and the bare number n.)

Now, here is a small-step version.

	(ST_PlusConstConst)
n1 + n2 ⇒ plus n1 n2

t1 ⇓ t1'	(ST_Plus1)
t1 + t2 ⇓ t1' + t2

t2 ⇓ t2'	(ST_Plus2)
n1 + t2 ⇓ n1 + t2'

Note that we're using variable names here to lighten the notation: by convention, n1 and n2 refer only to constants (constructed with tm_const), while t1 and t2 refer to arbitrary terms. In the formal rules, we use explicit constructors to make the same distinction.

Things to notice:

• We are defining just a single reduction step, in which one tm_plus node is replaced by its value.
• Each step finds the leftmost tm_plus node that is ready to go (both of its operands are constants) and rewrites it in place. The first rule tells how to rewrite this tm_plus node itself; the other two rules tell how to find it.
• A term that is just a constant cannot take a step.

A couple of examples of reasoning with the step relation... If t1 can take a step to t1', then tm_plus t1 t2 steps to plus t1' t2:

Exercise: 2 stars (test_step_2)

Right-hand sides of sums can take a step only when the left-hand side is finished: if t2 can take a step to t2', then tm_plus (tm_const n) t2 steps to tm_plus (tm_const n) t2':

☐ One interesting property of the ⇒ relation is that, like the evaluation relation for our language of Imp programs, it is deterministic. Theorem: For each t, there is at most one t' such that t steps to t' (t ⇒ t' is provable). Formally, this is the same as saying that ⇒ is a partial function. Proof sketch: We show that if x steps to both y1 and y2 then y1 and y2 are equal, by induction on a derivation of step x y1. There are several cases to consider, depending on the last rule used in this derivation and in the given derivation of step x y2.

• If both are ST_PlusConstConst, the result is immediate.
• The cases when both derivations end with ST_Plus1 or ST_Plus2 follow by the induction hypothesis.
• It cannot happen that one is ST_PlusConstConst and the other is ST_Plus1 or ST_Plus2, since this would imply that x has the form tm_plus t1 t2 where both t1 and t2 are constants (by ST_PlusConstConst) and one of t1 or t2 has the form tm_plus ....
• Similarly, it cannot happen that one is ST_Plus1 and the other is ST_Plus2, since this would imply that x has the form tm_plus t1 t2 where t1 has both the form tm_plus t1 t2 and the form tm_const n. ☐

Values

Let's take a moment to slightly generalize the way we state the definition of single-step reduction. It is useful to think of the ⇒ relation as defining an abstract machine:

• At any moment, the state of the machine is a term.
• A step of the machine is an atomic unit of computation — here, a single "add" operation.
• The halting states of the machine are ones where there is no more computation to be done.

We can then execute a term t as follows:

• Take t as the starting state of the machine.
• Repeatedly use the ⇒ relation to find a sequence of machine states, starting with t, where each state steps to the next.
• When no more reduction is possible, "read out" the final state of the machine as the result of execution.

Intuitively, it is clear that the final states of the machine are always terms of the form tm_const n for some n. We call such terms values.

Having introduced the idea of values, we can use it in the definition of the ⇒ relation to write ST_Plus2 rule in a slightly more intuitive way:

	(ST_PlusConstConst)
n1 + n2 ⇒ plus n1 n2

t1 ⇓ t1'	(ST_Plus1)
t1 + t2 ⇓ t1' + t2

t2 ⇓ t2'	(ST_Plus2)
v1 + t2 ⇓ v1 + t2'

Again, the variable names here carry important information: by convention, v1 ranges only over values, while t1 and t2 range over arbitrary terms. In the Coq version of the rules, we use an explicit value hypothesis for the same purpose.

Exercise: 3 stars, recommended (redo_determinacy)

As a sanity check on this change, let's re-verify determinacy Proof sketch: We must show that if x steps to both y1 and y2 then y1 and y2 are equal. Consider the final rules used in the derivations of step x y1 and step x y2.

• If both are ST_PlusConstConst, the result is immediate.
• It cannot happen that one is ST_PlusConstConst and the other is ST_Plus1 or ST_Plus2, since this would imply that x has the form tm_plus t1 t2 where both t1 and t2 are constants (by ST_PlusConstConst) AND one of t1 or t2 has the form tm_plus ....
• Similarly, it cannot happen that one is ST_Plus1 and the other is ST_Plus2, since this would imply that x has the form tm_plus t1 t2 where t1 both has the form tm_plus t1 t2 and is a value (hence has the form tm_const n).
• The cases when both derivations end with ST_Plus1 or ST_Plus2 follow by the induction hypothesis. ☐

Most of this proof is the same as the one above. But to get maximum benefit from the exercise you should try to write it from scratch and just use the earlier one if you get stuck.

☐

Strong Progress and Normal Forms

The definition of single-step reduction for our toy language is fairly simple, but for a larger language it would be pretty easy to forget one of the rules and create a situation where some term cannot take a step even though it has not been completely reduced to a value. The following theorem shows that we did not, in fact, make such a mistake here. Theorem (Strong Progress): For all t:tm, either t is a value, or there exists a term t' such that t ⇒ t'. Proof: By induction on t.

• Suppose t = tm_const n. Then t is a value.
• Suppose t = tm_plus t1 t2, where (by the IH) t1 is either a value or can step to some t1', and where t2 is either a value or can step to some t2'. We must show tm_plus t1 t2 is either a value or steps to some t'.
  • If t1 and t2 are both values, then t can take a step, by ST_PlusConstConst.
  • If t1 is a value and t2 can take a step, then so can t, by ST_Plus2.
  • If t1 can take a step, then so can t, by ST_Plus1. ☐

This important property is called strong progress, because every term either is a value or can "make progress" by stepping to some other term. (The qualifier "strong" distinguishes it from a more refined version that we'll see in later chapters, called simply "progress.")

The idea of "making progress" can be extended to tell us something interesting about values: they are exactly the terms that cannot make progress in this sense. To state this fact, let's begin by giving a name to terms that cannot make progress: We'll call them normal forms.

This definition actually specifies what it is to be a normal form for an arbitrary relation R over an arbitrary set X, not just for the particular single-step reduction relation over terms that we are interested in at the moment. We'll re-use the same terminology for talking about other relations later in the course. We can use this terminology to generalize the observation we made in the strong progress theorem: in this language, normal forms and values are actually the same thing.

Why is this interesting? For two reasons:

• Because value is a syntactic concept — it is a defined by looking at the form of a term — while normal_form is a semantic one — it is defined by looking at how the term steps. It is not obvious that these concepts should coincide!
• Indeed, there are lots of languages in which the concepts of normal form and value do not coincide.

Let's examine how this can happen... We might, for example, mistakenly define value so that it includes some terms that are not finished reducing.

Exercise: 3 stars, recommended (value_not_same_as_normal_form)

☐

Alternatively, we might mistakenly define step so that it permits something designated as a value to reduce further.

Exercise: 3 stars, recommended (value_not_same_as_normal_form)

☐

Finally, we might mistakenly define value and step so that there is some term that is not a value but that cannot take a step in the step relation. Such terms are said to be stuck.

(Note that ST_Plus2 is missing.)

Exercise: 3 stars (value_not_same_as_normal_form')

☐

Exercises

Here is another very simple language whose terms, instead of being just plus and numbers, are just the booleans true and false and a conditional expression...

Exercise: 1 star (smallstep_bools)

Which of the following propositions are provable? (This is just a thought exercise, but for an extra challenge feel free to prove your answers in Coq.)

☐

Exercise: 3 stars, recommended (progress_bool)

Just as we proved a progress theorem for plus expressions, we can do so for boolean expressions, as well.

☐

Exercise: 2 stars, optional (step_deterministic)

☐

Exercise: 2 stars (smallstep_bool_shortcut)

Suppose we want to add a "short circuit" to the step relation for boolean expressions, so that it can recognize when the then and else branches of a conditional are the same value (either tm_true or tm_false) and reduce the whole conditional to this value in a single step, even if the guard has not yet been reduced to a value. For example, we would like this proposition to be provable: Write an extra clause for the step relation that achieves this effect and prove bool_step_prop4.

☐

☐

Exercise: 3 stars (properties_of_altered_step)

It can be shown that the determinism and strong progress theorems for the step relation in the lecture notes also hold for the definition of step given above. After we add the clause ST_ShortCircuit...

• Is the step relation still deterministic? Write yes or no and briefly (1 sentence) explain your answer.
  Optional: prove your answer correct in Coq.

• Does a strong progress theorem hold? Write yes or no and briefly (1 sentence) explain your answer.
  Optional: prove your answer correct in Coq.

• In general, is there any way we could cause strong progress to fail if we took away one or more constructors from the original step relation? Write yes or no and briefly (1 sentence) explain your answer.

(* FILL IN HERE *)
☐

Multi-Step Reduction

Until now, we've been working with the single-step reduction relation ⇒, which formalizes the individual steps of an abstract machine for executing programs. It is also interesting to use this machine to reduce programs to completion — to find out what final result they yield. This can be formalized as follows:

• First, we define a multi-step reduction relation ⇒*, which relates terms t and t' if t can reach t' by any number of single reduction steps.
• Then we define a "result" of a term t as a normal form that t can reach by multi-step reduction.

Multi-Step Reduction

The multi-step reduction relation ⇒* is the reflexive, transitive closure of the single-step relation ⇒.

For example...

Here's an alternate proof that uses eapply to avoid explicitly constructing all the intermediate terms.

Exercise: 1 star (test_stepmany_2)

☐

Exercise: 1 star (test_stepmany_3)

☐

Exercise: 2 stars (test_stepmany_4)

☐

Normal Forms Again

If t reduces to t' in zero or more steps and t' is a normal form, we say that "t' is a normal form of t."

We have already seen that single-step reduction is deterministic — i.e., a given term can take a single step in at most one way. It follows from this that, if t can reach a normal form, then this normal form is unique — i.e., normal_form_of is a partial function. In other words, we can actually pronounce normal_form t t' as "t' is the normal form of t."

Exercise: 3 stars, optional (test_stepmany_3)

☐ Indeed, something stronger is true for this language (though not for all languages): the reduction of any term t will eventually reach a normal form — i.e., normal_form_of is a total function. Formally, we say the step relation is normalizing.

To prove that step is normalizing, we need a couple of lemmas. First, we observe that, if t reduces to t' in many steps, then the same sequence of reduction steps within t is also possible when t appears as the left-hand child of a tm_plus node, and similarly when t appears as the right-hand child of a tm_plus node (whose left-hand child is a value).

Exercise: 2 stars

☐ Theorem: The step function is normalizing — i.e., for every t there exists some t' such that t steps to t' and t' is a normal form. Proof sketch: By induction on terms. There are two cases to consider:

• t = tm_const n for some n. Here t doesn't take a step, and we have t' = t. We can derive the left-hand side by reflexivity and the right-hand side by observing (a) that values are normal forms (by nf_same_as_value) and (b) that t is a value (by v_const).
• t = tm_plus t1 t2 for some t1 and t2. By the IH, t1 and t2 have normal forms t1' and t2'. Recall that normal forms are values (by nf_same_as_value); we know that t1' = tm_const n1 and t2' = tm_const n2, for some n1 and n2. We can combine the ⇒* derivations for t1 and t2 to prove that tm_plus t1 t2 reduces in many steps to tm_const (plus n1 n2).
  It is clear that our choice of t' = tm_const (plus n1 n2) is a value, which is in turn a normal form. ☐

Equivalence of Big-Step and Small-Step Reduction

Having defined the operational semantics of our tiny programming language in two different styles, it makes sense to ask whether these definitions actually define the same thing! They do, but it is not completely straightforward to show this — or even to see how to state it exactly, since one of the relations only goes a small step at a time while the other proceeds in large chunks.

Exercise: 3 stars (eval__stepmany)

You'll want to use the congruences and some properties of rsc for this.

☐

Exercise: 3 stars (eval__stepmany_inf)

Write an informal version of the proof of eval__stepmany. (* FILL IN HERE *)
☐

Exercise: 3 stars (step__eval)

☐

Bringing it all together, we can crisply say that the v is the normal form of t iff t evaluates to v.

Additional Exercises

Exercise: 4 stars (combined_properties)

We've considered the arithmetic and conditional expressions separately. This exercise explores how the two interact.

Earlier, we separately proved for both plus- and if-expressions...

• that the step relation was a partial function (i.e., it was deterministic), and
• a strong progress lemma, stating that every term is either a value or can take a step.

Prove or disprove these for the combined language.

☐

Small-Step Imp

For a more serious example, here is the small-step version of the Imp operational semantics. Although the definitions are bigger, the basic ideas are exactly the same as what we've seen above.

Notice that we didn't actually bother to define boolean values — they aren't needed in the definition of ⇒b (why?), though they might be if our language were a bit larger. The semantics of commands is the interesting part. We need two small tricks to make it work:

• We use SKIP as a "command value" — i.e., a command that has reached a normal form.
  • An assignment command reduces to SKIP (and an updated state).
  • The sequencing command waits until its left-hand subcommand has reduced to SKIP, then throws it away so that reduction can continue with the right-hand subcommand.
• We reduce a WHILE command by transforming it into a conditional followed by the same WHILE.
  (There are other ways of achieving the desired effect, but they all share the feature that the original WHILE command needs to be saved somewhere while a single copy of the loop body is being evaluated.)

Concurrent Imp

Finally, to show the power of this definitional style, let's enrich Imp with a new form of command that runs two subcommands in parallel and terminates when both have terminated. To reflect the unpredictability of scheduling, the actions of the subcommands may be interleaved in any order, but they share the same memory and can communicate by reading and writing the same variables.

Among the many interesting properties of this language is the fact that the following program can terminate with the variable X set to any value...

In particular, it can terminate with X set to 0:

It can also terminate with X set to 2:

More generally...

Exercise: 3 stars, optional

Exercise: 3 stars, optional

... the above loop can exit with X having any value whatsoever.