Chapter 6 Formal Analysis of Optimization Soundness
6.3 Mechanisation and Proofs
There is ongoing discussion concerning the merits and issues of deep and shallow embedding within theorem provers [90]. In a deep embedding, the syntax of the language to be embedded is modelled as an abstract datatype. In a shallow embedding the logical formulae are written directly using HOL definitions, predicates and functions. The approach outlined below follows a shallow embedding.
We translate transformations into functions that change expressions within Jinja. The overall style of the embedding is modelled on the idea of a combinator library in functional programming. Consequently every language primitive is translated into a functional combinator, and writing a TRANS specification consists of writing several functions that combine these language primitives.
6.3.1 Refinement
The TRANS specifications undergo some manual refinement, from the form in which they are written to the form in which they are used in Isabelle. Each rewrite rule is split into a pattern-matching component, which becomes part of the side condition, and a replacement rule, which becomes the new action. The replacement function simply replaces one expression with another within the Jinja expression; it is consequently simpler to reason about, and is discussed in Section 6.3.5. Additionally, macros are expanded.
6.3.2 Expression Reduction and Local Equivalence
This section provides some general definitions that will be used to denote transformational soundness for the different TRANS optimisations. The definitions are not specific to any one transformation.
Definition 6.3.1 The function replace relates expressions to their replacement. Its first argument init is the initial overall expression, from is some subexpression of init that is to be replaced with its third argument to. The function returns the replaced expression.

    fun replace :: "expr ⇒ expr ⇒ expr ⇒ expr"
The replace function is used to express the fact that we want the methods of a program to be semantically preserved: it replaces a sub-expression within a method's body with another expression. This also allows us to prove the SoundReplacement lemma.
Lemma 6.3.1 If we replace a subexpression from of a method body with another expression to, and in every circumstance to evaluates, from the same initial state, to the same final value in the same final state as from, then the overall method body evaluates to the same final value in the same final state. This is called SoundReplacement.

    lemma SoundReplacement:
      "⋀s. ⟦ prog ⊢ ⟨init, s⟩ →* ⟨e', s'⟩; prog ⊢ ⟨e, s⟩ →* ⟨e', s'⟩ ⟧
           ⟹ prog ⊢ ⟨replace init from e, s⟩ →* ⟨e', s'⟩"
This lemma is what allows us to establish only a local soundness condition for a given transformation. It is local in the sense that it suffices to prove that the expression being replaced and its replacement evaluate to the same final value in the same state; nothing needs to be proved about the rest of the method body.
Definition 6.3.2 Two expressions are state equivalent if they both reduce to the same final value and state given the same initial state.

    definition equivSt :: "J_prog ⇒ expr ⇒ state ⇒ expr ⇒ state ⇒ bool" where
      "equivSt prog e1 s1 e2 s2 ≡
         ∃e' s'. prog ⊢ ⟨e1, s1⟩ →* ⟨e', s'⟩ = prog ⊢ ⟨e2, s2⟩ →* ⟨e', s'⟩"
Lemma 6.3.2 If expression e in state (h, l) can reduce to e' in state (h', l'), then e in (h, l) and e' in (h', l') are state equivalent.

    lemma EquivalentIfReduceable:
      "prog ⊢ ⟨e, (h, l)⟩ →* ⟨e', (h', l')⟩ ⟹ equivSt prog e (h, l) e' (h', l')"
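The replace function, state equivalence and the SoundReplacement argument as an added, runnable model written for this page (it is not the thesis's Isabelle code and not Jinja's). The state is a locals mapping only, standing in for Jinja's (heap, locals) pair; a big-step evaluator stands in for the reflexive-transitive reduction; and all class and function names are this example's own assumptions. It is run on the program of Figure 6.1 and on a constructed variant that redefines a before its use, which shows why the local condition must hold in the state reached at the program point of the replacement.

```python
"""Added example, not from the thesis: a Python model of replace,
equivSt and the SoundReplacement argument over a toy expression language.
The state is a locals mapping only (Jinja's heap is left out) and all
names are this example's own, not Jinja's."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class Val:            # literal value
    n: int


@dataclass(frozen=True)
class Var:            # read of a local variable
    name: str


@dataclass(frozen=True)
class Assign:         # name := rhs, evaluates to the assigned value
    name: str
    rhs: Expr


@dataclass(frozen=True)
class Seq:            # first; second
    first: Expr
    second: Expr


@dataclass(frozen=True)
class BinOp:          # left op right, with op in {"+", "*"}
    op: str
    left: Expr
    right: Expr


Expr = Union[Val, Var, Assign, Seq, BinOp]
State = Dict[str, int]            # locals: variable name -> value


def replace(init: Expr, frm: Expr, to: Expr) -> Expr:
    """Definition 6.3.1 read structurally: every occurrence of the
    subexpression `frm` inside `init` is swapped for `to`.  (Replacing
    every occurrence rather than a single one is this example's choice.)"""
    if init == frm:
        return to
    if isinstance(init, Assign):
        return Assign(init.name, replace(init.rhs, frm, to))
    if isinstance(init, Seq):
        return Seq(replace(init.first, frm, to), replace(init.second, frm, to))
    if isinstance(init, BinOp):
        return BinOp(init.op, replace(init.left, frm, to), replace(init.right, frm, to))
    return init                     # a Val or Var that is not `frm`


def evaluate(e: Expr, s: State) -> Tuple[int, State]:
    """Big-step evaluation standing in for prog ⊢ ⟨e, s⟩ →* ⟨v, s'⟩:
    returns the final value and final state without mutating `s`."""
    if isinstance(e, Val):
        return e.n, s
    if isinstance(e, Var):
        return s[e.name], s
    if isinstance(e, Assign):
        v, s1 = evaluate(e.rhs, s)
        return v, {**s1, e.name: v}
    if isinstance(e, Seq):
        _, s1 = evaluate(e.first, s)
        return evaluate(e.second, s1)
    if isinstance(e, BinOp):
        a, s1 = evaluate(e.left, s)
        b, s2 = evaluate(e.right, s1)
        return {"+": a + b, "*": a * b}[e.op], s2
    raise TypeError(f"not an expression: {e!r}")


def equiv_st(e1: Expr, s1: State, e2: Expr, s2: State) -> bool:
    """Definition 6.3.2: both reduce to the same final value and state."""
    return evaluate(e1, s1) == evaluate(e2, s2)


def replacement_preserves(init: Expr, frm: Expr, to: Expr, s: State) -> bool:
    """The conclusion of SoundReplacement checked on concrete inputs: the
    body with `frm` replaced by `to` is state equivalent to the original."""
    return equiv_st(init, s, replace(init, frm, to), s)


# Constructed inputs.  BEFORE is the program of Figure 6.1; REDEFINED
# assigns `a` again between its definition and its use.
BEFORE = Seq(Assign("a", Val(3)), Assign("b", Var("a")))
REDEFINED = Seq(Seq(Assign("a", Val(3)), Assign("a", Val(4))), Assign("b", Var("a")))

if __name__ == "__main__":
    # Local condition at the use of `a`: in the state reached there, `a`
    # and the constant 3 are state equivalent, so the whole body is too.
    print(equiv_st(Var("a"), {"a": 3}, Val(3), {"a": 3}))          # True
    print(replace(BEFORE, Var("a"), Val(3)))                         # a = 3; b = 3
    print(replacement_preserves(BEFORE, Var("a"), Val(3), {}))       # True
    # In REDEFINED the use of `a` sees 4, so the local condition fails
    # there and the replacement changes the final state (b = 3 vs b = 4).
    print(equiv_st(Var("a"), {"a": 4}, Val(3), {"a": 4}))          # False
    print(replacement_preserves(REDEFINED, Var("a"), Val(3), {}))    # False
```

The two calls on REDEFINED make the point of Lemma 6.3.1 concrete: the local check is a check on the state at the program point where the replacement happens, and when it fails there, no property of the surrounding body rescues the transformation.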
6.3.3 Predicates
Predicates within TRANS can be considered in two ways.
First, the semantic property of a predicate is the weakest condition about a program statement that is implied by the predicate holding true. This corresponds to the information about the program being transformed that the predicate denotes.
Second, there is the stronger function that a compiler developer would write in order to implement the corresponding predicate within their compiler. This implementation function should always imply the semantic property of the predicate, but due to some limitation or design choice it may also restrict the program additionally. For example, we refer to use and def predicates, but a compiler implementor working in a language that has some form of variable aliasing would have to approximate such properties conservatively using may-use and may-def predicates.
The embedding defines the semantic properties for predicates, in order to simplify the theorem proving effort and abstract from any specific implementation details. A more complete system that also proves the implementation correct would define an implementation function that corresponds to each predicate, and then prove that the function implies the semantic property.
For some predicates we define the negated predicate separately from the predicate. For example, the notdef definition:

    abbreviation notdef :: "vname ⇒ J_prog ⇒ expr ⇒ heap ⇒ locals ⇒ expr ⇒ heap ⇒ locals ⇒ bool" where
      "notdef var prog e h l e' h' l' ≡ prog ⊢ ⟨e, (h, l)⟩ → ⟨e', (h', l')⟩ ∧ l var = l' var"
Here the semantic property implied by the definition is that, as expression e for a given heap h and local variables l reduces in one step to e' in (h', l'), the local variable var refers to the same value within the local variable environment before the step and after it. It additionally enforces that these expressions do indeed reduce from e to e'.
6.3.4 Temporal Operators
Temporal operators within TRANS all correspond to functions within Isabelle/HOL. Such a function holds for a given temporal formula φ if φ is satisfied by a list of (expression, state) pairs; the list represents one possible evaluation path for the expression to take. Because the operators are defined by recursion over lists, Isabelle's standard induction tactics provide much help in proving properties about them, which fits our shallow embedding approach. Additionally we can use HOL's existential and universal quantification, and their associated lemmas, for reasoning about the corresponding quantification over paths in CTL.

a = 3; b = a;
a = 3; b = 3;
Figure 6.1: Code snippet before and after Constant Propagation
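The temporal operators of this section and the notdef predicate of Section 6.3.3, as an added example written for this page (not the thesis's Isabelle code): formulae are judged on a path, a list of (expression, state) pairs, by recursion over the list, which is the structure that makes list induction available in the shallow embedding, and path quantification is plain universal and existential quantification over a set of paths. The traces, the string form of the expressions and the token-based uses predicate are constructed for the example; notdef is the page's semantic property read on consecutive path entries. The combination (notdef a) until (uses a) is this example's own way of phrasing the local condition for Figure 6.1's constant propagation, not a condition quoted from the thesis; every name is an assumption.

```python
"""Added example, not from the thesis: temporal operators over paths
(lists of (expression, state) pairs) by recursion over the list, plus
the semantic property of notdef read on consecutive path entries.
Expressions are plain strings and all names are this example's own."""
from typing import Callable, Dict, List, Sequence, Tuple

Locals = Dict[str, int]
Step = Tuple[str, Locals]          # (expression text, locals) pair
Path = Sequence[Step]
Pred = Callable[[Path], bool]      # a formula is judged on a path suffix


def globally(phi: Pred, path: Path) -> bool:
    """G phi: phi holds on every suffix of the path (true on the empty path)."""
    return not path or (phi(path) and globally(phi, path[1:]))


def eventually(phi: Pred, path: Path) -> bool:
    """F phi: phi holds on some suffix of the path."""
    return bool(path) and (phi(path) or eventually(phi, path[1:]))


def until(phi: Pred, psi: Pred, path: Path) -> bool:
    """phi U psi (strong until): psi holds on some suffix and phi holds on
    every suffix before it."""
    return bool(path) and (psi(path) or (phi(path) and until(phi, psi, path[1:])))


def next_step(phi: Pred, path: Path) -> bool:
    """X phi: phi holds on the path after one reduction step."""
    return len(path) > 1 and phi(path[1:])


def notdef(var: str) -> Pred:
    """Semantic property of notdef (Section 6.3.3) on a path: the step from
    the head entry to its successor leaves `var` unchanged in the locals.
    Without a successor there is no step, so the property holds vacuously."""
    def check(path: Path) -> bool:
        if len(path) < 2:
            return True
        (_, before), (_, after) = path[0], path[1]
        return before.get(var) == after.get(var)
    return check


def uses(var: str) -> Pred:
    """Constructed syntactic use predicate for the string expressions used
    here: `var` occurs as a token on the right-hand side of the head
    expression.  A real compiler would compute this from the AST."""
    def check(path: Path) -> bool:
        if not path:
            return False
        text = path[0][0]
        rhs = text.split("=", 1)[1] if "=" in text else text
        return var in rhs.split()
    return check


def all_paths(phi: Pred, paths: Sequence[Path]) -> bool:
    """A phi: HOL's universal quantifier over a set of paths."""
    return all(phi(p) for p in paths)


def some_path(phi: Pred, paths: Sequence[Path]) -> bool:
    """E phi: HOL's existential quantifier over a set of paths."""
    return any(phi(p) for p in paths)


# Constructed traces, each starting just after the definition a = 3.
# PATH_OK follows Figure 6.1 with an unrelated statement in between;
# PATH_REDEF redefines `a` before its use.
PATH_OK: List[Step] = [
    ("c = 1", {"a": 3}),
    ("b = a", {"a": 3, "c": 1}),
    ("skip", {"a": 3, "c": 1, "b": 3}),
]
PATH_REDEF: List[Step] = [
    ("a = 4", {"a": 3}),
    ("b = a", {"a": 4}),
    ("skip", {"a": 4, "b": 4}),
]


def a_reaches_use_unchanged(path: Path) -> bool:
    """(notdef a) U (uses a): `a` is not redefined before it is used, the
    local condition under which replacing that use of `a` by 3 is sound."""
    return until(notdef("a"), uses("a"), path)


if __name__ == "__main__":
    print(a_reaches_use_unchanged(PATH_OK))                            # True
    print(a_reaches_use_unchanged(PATH_REDEF))                         # False
    print(globally(notdef("a"), PATH_OK))                              # True
    print(all_paths(a_reaches_use_unchanged, [PATH_OK, PATH_REDEF]))   # False
    print(some_path(a_reaches_use_unchanged, [PATH_OK, PATH_REDEF]))   # True
```

Each operator recurses on the tail of the list and bottoms out on the empty path, which is exactly the shape on which structural induction over lists applies; a proof about globally or until in the embedding is an induction on the path with one case per operator clause.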
6.3.5 Actions
For each TRANS language primitive there is a corresponding function that performs the general action, so each action is dealt with separately. The example proofs for Constant Propagation and Loop Invariant Code Motion in the subsequent sections both express their actions directly in Isabelle/HOL.