Frap Book

Formal Reasoning About Programs
Adam Chlipala
MIT, Cambridge, MA, USA
Email address: [email protected]
Abstract. Briefly, this book is about an approach to bringing software en-
gineering up to speed with more traditional engineering disciplines, providing
a mathematical foundation for rigorous analysis of realistic computer systems.
As civil engineers apply their mathematical canon to reach high certainty that
bridges will not fall down, the software engineer should apply a different canon
to argue that programs behave properly. As other engineering disciplines have
their computer-aided-design tools, computer science has proof assistants, IDEs
for logical arguments. We will learn how to apply these tools to certify that
programs behave as expected.
More specifically: Introductions to two intertangled subjects: the Coq
proof assistant, a tool for machine-checked mathematical theorem proving;
and formal logical reasoning about the correctness of programs.
For more information, see the book’s home page:
http://adam.chlipala.net/frap/
Copyright Adam Chlipala 2015-2021.

This work is licensed under a Creative Commons
Attribution-NonCommercial-NoDerivatives 4.0 International License. The license
text is available at:
https://creativecommons.org/licenses/by-nc-nd/4.0/
Contents
Chapter 1. Why Prove the Correctness of Programs? 1
Chapter 2. Formalizing Program Syntax 5

2.1. Concrete Syntax 5
2.2. Abstract Syntax 6
2.3. Structural Induction Principles 7
2.4. Decidable Theories 8
2.5. Simplification and Rewriting 10
Chapter 3. Data Abstraction 13

3.1. Algebraic Interfaces for Abstract Data Types 13
3.2. Algebraic Interfaces with Custom Equivalence Relations 15
3.3. Representation Functions 16
3.4. Fixing Parameter Types for Abstract Data Types 16
Chapter 4. Semantics via Interpreters 19

4.1. Semantics for Arithmetic Expressions via Finite Maps 19
4.2. A Stack Machine 20
4.3. A Simple Higher-Level Imperative Language 22
Chapter 5. Inductive Relations and Rule Induction 25

5.1. Finite Sets as Inductive Predicates 25
5.2. Transitive Closure of Relations 26
5.3. Permutations 26
5.4. A Minimal Propositional Logic 27
5.5. Propositional Logic with Implication 28
Chapter 6. Transition Systems and Invariants 31

6.1. Factorial as a State Machine 31
6.2. Invariants 33
6.3. Rule Induction Applied 34
6.4. An Example with a Concurrent Program 35
Chapter 7. Model Checking 39

7.1. Exhaustive Exploration 39
7.2. Abstracting a Transition System 40
7.3. Modular Decomposition of Invariant-Finding 41
Chapter 8. Operational Semantics 45

8.1. Big-Step Semantics 45
8.2. Small-Step Semantics 46
v
vi CONTENTS
8.3. Contextual Small-Step Semantics 48

8.4. Determinism 50
Chapter 9. Abstract Interpretation and Dataflow Analysis 51

9.1. Definition of an Abstract Interpretation 51
9.2. Flow-Insensitive Analysis 53
9.3. Flow-Sensitive Analysis 55
9.4. Widening 56
Chapter 10. Compiler Correctness via Simulation Arguments 59

10.1. Basic Simulation Arguments and Optimizing Expressions 60
10.2. Simulations That Allow Skipping Steps 62
10.3. Simulations That Allow Taking Multiple Matching Steps 63
Chapter 11. Lambda Calculus and Simple Type Safety 65

11.1. Untyped Lambda Calculus 65
11.2. A Quick Case Study in Program Verification: Church Numerals 67
11.4. Simple Types and Their Soundness 68
Chapter 12. More on Evaluation Contexts 71

12.1. Last Chapter’s Example Revisited 71
12.2. Product Types 72
12.3. Sum Types 72
12.4. Exceptions 73
12.5. Mutable Variables 73
12.6. Concurrency Again 74
Chapter 13. Types and Mutation 77

13.1. Simply Typed Lambda Calculus with Mutable References 77
13.2. Type Soundness 78
13.3. Garbage Collection 80
Chapter 14. Hoare Logic: Verifying Imperative Programs 83

14.1. An Imperative Language with Memory 83
14.2. Hoare Triples 84
14.4. Transition-System Invariants from Hoare Triples 87
Chapter 15. Deep Embeddings, Shallow Embeddings, and Options in Between 89

15.1. The Basics 89
15.2. A Mixed Embedding for Hoare Logic 91
15.3. Adding More Effects 92
Chapter 16. Separation Logic 95

16.1. An Object Language with Dynamic Memory Allocation 95
16.2. Assertion Logic 96
16.3. Program Logic 97
16.4. Soundness Proof 99
Chapter 17. Connecting to Real-World Programming Languages 101

CONTENTS vii
17.1. Where Does the Buck Stop? 101

17.2. Modes of Connecting to Real Artifacts 102
17.3. The Importance of Modularity 103
17.4. Case Study: From a Mixed Embedding to a Deep Embedding 103
Chapter 18. Deriving Programs from Specifications 107
18.1. Sets as Computations 107
18.2. Refinement for Abstract Data Types 108
18.3. Another Example Refinement Principle: Adding a Cache 109
Chapter 19. Introduction to Reasoning About Shared-Memory Concurrency 111
19.1. An Object Language with Shared-Memory Concurrency 111
19.2. Shrinking the State Space via Local Actions 112
19.3. Basic Partial-Order Reduction 113
19.4. Partial-Order Reduction More Generally 116
Chapter 20. Concurrent Separation Logic 119
20.1. Object Language: Loops and Locks 119
20.2. The Program Logic 120
20.3. Soundness Proof 121
Chapter 21. Process Algebra and Refinement 123
21.1. An Object Language with Synchronous Message Passing 123
21.2. Refinement Between Processes 125
21.3. The Algebra of Refinement 126
Chapter 22. Session Types 129

22.1. Basic Two-Party Session Types 129
22.2. Dependent Two-Party Session Types 130
22.3. Multiparty Session Types 131
Appendix A. The Coq Proof Assistant 135
A.1. Installation and Basic Use 135
A.2. Tactic Reference 135
A.3. Further Reading 137
Index 139
CHAPTER 1
Why Prove the Correctness of Programs?
The classic engineering disciplines all have their standard mathematical tech-
niques that are applied to the design of any artifact, before it is deployed, to gain
confidence about its safety, suitability for some purpose, and so on. The engineers
in a discipline more or less agree on what are “the rules” to be followed in vetting
a design. Those rules are specified with a high degree of rigor, so that it isn’t a
matter of opinion whether a design is safe. Why doesn’t software engineering have
a corresponding agreed-upon standard, whereby programmers convince themselves
that their systems are safe, secure, and correct? The concepts and tools may not
quite be ready yet for broad adoption, but they have been under development for
decades. This book introduces one particular tool and a body of ideas for how to
apply it to different tasks in program proof.
As this document is in a very early draft stage, no more will be said here, in
favor of jumping right into the technical material. Eventually, there will no doubt
be some sort of historical overview here, as part of a general placing-in-context of
the particular approach that will come next. There will also be plenty of scholarly
citations (here and throughout the book). In this early version, you get to take the
author’s word for it that we are about to learn a promising approach!
However, one overarching element of our strategy is important enough to de-
serve to be called out here. We will study a variety of different approaches for
formalizing what a program should do and for proving that a program does what it
should. At every step, we will pay close attention to the common foundation that
underlies everything. For one thing, we will be proving all of our theorems with
the Coq proof assistant1, a powerful framework for writing and machine-checking
proofs. Coq itself is based on a relatively small set of core features, much like a
well-designed programming language, and in both we build up increasingly sophis-
ticated abstractions as libraries. Those features can be thought of as the core of all
mathematical reasoning.
We will also apply a recipe specific to program proof. When we encounter a new
challenge, to prove a new kind of property about a new kind of program, we will
generally be considering four broad elements that appear in nearly all techniques.
‚ Encoding. Every programming language has both syntax, which defines
what programs look like, and semantics, which defines how programs be-
have when run. Even when these elements seem obvious intuitively, we
often find that there are surprisingly subtle choices to be made in defin-
ing syntax and semantics at the highest level of rigor. Seemingly minor
decisions can have big impacts on how smoothly our proofs go.
1The author only makes an effort to keep the associated Coq code working with the latest
Coq version, which is 8.16 as of this writing.
1
2 1. WHY PROVE THE CORRECTNESS OF PROGRAMS?
‚ Invariants. Nearly every theorem about a program is stated in terms of

a transition system, with some set of states and a relation for stepping
from one state to the next, moving forward in time. Nearly every pro-
gram proof also works by finding an invariant of a transition system, or
a property that always holds of every state reachable from some starting
state. The concept of invariant is very close to being a direct reinterpre-
tation of mathematical induction, that glue of every serious mathematical
development, known and loved by all.
‚ Abstraction. Often a transition system is too complex to analyze di-
rectly. Instead, we abstract it with another transition system that is some-
how more tractable, proving that the new system preserves all relevant
properties of the original.
‚ Modularity. Similarly, when a transition system is too complex, we
often break it into separate modules and use some well-behaved composi-
tion operators to reassemble them into the whole. Often abstraction and
modularity go together, as we decompose a system both horizontally (i.e.,
with modularity), splitting it into more manageable parts, and vertically
(i.e., with abstraction), simplifying parts in ways that preserve key prop-
erties. We can even alternate between strategies, breaking a system into
parts, abstracting one as a simpler part, further decomposing that part
into pieces, and so on.
In the course of the book, we will never quite define any of these meta-techniques
in complete formality. Instead, we’ll meet many examples of each, called out by
eye-catching margin notes. Generalizing from the examples should help the reader
start developing an intuition for when to use each element and for the common
design patterns that apply.
The core subject matter of the book is often grouped under traditional disci-
plinary headers like semantics, programming-languages theory, formal methods, and
verification. Often these different traditions have their own competing terminology
for shared concepts. We’ll follow one particular set of unified terminology and no-
tation, cherry-picked from the conventions of different communities. There really
is a huge amount of commonality across everything that we’ll study, so we don’t
want to distract by constantly translating between notations. It is quite important
to be literate in the standard notational conventions, which are almost always im-
plemented with LATEX, and we stick entirely to that kind of notation in this book.
However, we follow another, much less usual convention: while we give theorem
and lemma statements, we rarely give their proofs. The reason is that the author
and many other researchers today feel that proofs on paper have outlived their use-
fulness. Instead, the proofs are all found in the parallel world of the accompanying
Coq source code.
That is, each chapter of this book has a corresponding Coq source file, dis-
tributed with the general book source code. The Coq sources are heavily com-
mented and may even, in many cases, be feasible to read without also reading the
book chapters. More importantly, the Coq sources aren’t just meant to be read.
They are meant to be executed. We suggest stepping through them interactively,
seeing intermediate states of proofs as appropriate. The book proper can be read
without the Coq sources, to learn the standard background material of program
1. WHY PROVE THE CORRECTNESS OF PROGRAMS? 3
proof; and the Coq sources can be read without the book proper, to learn a partic-
ular concrete realization of those ideas. However, they go better together.
CHAPTER 2
Formalizing Program Syntax
2.1. Concrete Syntax

The definition of a program starts with the definition of a programming lan-
guage, and the definition of a programming language starts with its syntax , which
covers which sorts of phrases are basically well-formed. In the next chapter, we
turn to semantics, which, in the course of saying what programs mean, may im-
pose further validity conditions. Turning to examples, let’s start with concrete
syntax , which decrees which sequences of characters are acceptable. For a simple
language of arithmetic expressions, we might accept the following strings as valid.
3
x
3`x
y ˚ p3 ` xq
Plenty of other strings might be invalid, like these.
1``2
xyz
Rather than appeal to our intuition about grade-school arithmetic, we prefer
to formalize concrete syntax with a grammar , following a style known as Backus-
Naur Form (BNF). We have a set of nonterminals (e.g., e below), standing for
sets of allowable strings. Some are defined by appeal to existing sets, as below,
when we define constants n in terms of the well-known set N of natural numbers
(nonnegative integers). Encoding
Constants n P N
Variables x P Strings
Expressions e ::“ n | x | e ` e | e ˆ e
To interpret the grammar in plain English: we assume sets of constants and
variables, based on well-known sets of natural numbers and strings, respectively. We
then define expressions to include constants, variables, addition, and multiplication.
Crucially, the last two cases are specified recursively: we show how to build bigger
expressions out of smaller ones.
Incidentally, we’re already seeing how many different formal notations creep
into the discussion of formal program proofs. All of this content is typeset in
LATEX, and it may be helpful to consult the book sources, to see how it’s all done.
Throughout the subject, one of our most crucial tools will be inductive defi-
nitions, explaining how to build up bigger sets from smaller ones. The recursive
nature of the grammar above is implicitly giving an inductive definition. A more
general notation for inductive definitions provides a series of inference rules that
5
6 2. FORMALIZING PROGRAM SYNTAX
define a set. Formally, the set is defined to be the smallest one that satisfies all
the rules. Each rule has premises and a conclusion. We illustrate with four rules
that together are equivalent to the BNF grammar above, for defining a set Exp of
Encoding expressions.
nPN x P Strings e1 P Exp e2 P Exp e1 P Exp e2 P Exp

n P Exp x P Exp e1 ` e2 P Exp e1 ˆ e2 P Exp
The general reading of an inference rule is: if all the facts above the horizontal
line are true, then the fact below the line is true, too. The rule implicitly needs
to hold for all values of the metavariables (like n and e1 ) that appear within it;
we can model them more explicitly with a sort of top-level universal quantification.
Newcomers to semantics often react negatively to seeing this style of definition, but
very quickly it becomes apparent as a remarkably compact notation for expressing
many concepts. Think of it as a domain-specific programming language for math-
ematical definitions, an analogy that becomes quite concrete in the associated Coq
code!
2.2. Abstract Syntax

After that brief interlude with concrete syntax, we now drop all formal treat-
ment of it, for the rest of the book! Instead, we concern ourselves with abstract
syntax , the real heart of language definitions. Now programs are abstract syn-
tax trees (ASTs), corresponding to inductive type definitions in Coq or algebraic
datatype definitions in Haskell. Such types can be defined by enumerating their
Encoding constructor functions with types.
Const : N Ñ Exp
Var : Strings Ñ Exp
Plus : Exp ˆ Exp Ñ Exp
Times : Exp ˆ Exp Ñ Exp
Note that the “ˆ” here is not the multiplication operator of concrete syntax,
but rather the Cartesian-product operator of set theory, to indicate a type of pairs!
Such a list of constructors defines the set Exp to contain exactly those terms
Encoding that can be built up with the constructors. In inference-rule notation:
nPN x P Strings e1 P Exp e2 P Exp e1 P Exp e2 P Exp

Constpnq P Exp Varpxq P Exp Pluspe1 , e2 q P Exp Timespe1 , e2 q P Exp
Actually, semanticists get tired of writing such verbose descriptions, so proofs

on paper tend to use exactly the sort of notation that we associated with concrete
syntax. The trick is mental desugaring of the concrete-syntax notation into abstract
syntax! We will generally not dwell on the particularities of that process. Instead,
we repeatedly illustrate it by example, using Coq code that starts with abstract
syntax, accompanied by LATEX-based “code” in this book that applies concrete
syntax freely.
2.3. STRUCTURAL INDUCTION PRINCIPLES 7
Abstract syntax is handy for writing recursive definitions of functions. Here is

one in the clausal style of Haskell.
sizepConstpnqq “ 1
sizepVarpxqq “ 1
sizepPluspe1 , e2 qq “ 1 ` sizepe1 q ` sizepe2 q
sizepTimespe1 , e2 qq “ 1 ` sizepe1 q ` sizepe2 q
It is important that we include one clause per constructor of the inductive type.
Otherwise, the function would not be total . We also need to be careful to ensure
termination, by making recursive calls only on the arguments of the constructors.
This termination criterion, adopted by Coq, is called primitive recursion.
It is also common to associate a recursive definition with a new notation. For
example, we might prefer to write |e| for sizepeq, as follows.
|Constpnq| “ 1
|Varpxq| “ 1
|Pluspe1 , e2 q| “ 1 ` |e1 | ` |e2 |
|Timespe1 , e2 q| “ 1 ` |e1 | ` |e2 |
Let’s continue to exercise our creative license and write res for the depth of e,
that is, the length of the longest downward path from the syntax-tree root to any
leaf.
rConstpnqs “ 1
rVarpxqs “ 1
rPluspe1 , e2 qs “ 1 ` maxpre1 s, re2 sq
rTimespe1 , e2 qs “ 1 ` maxpre1 s, re2 sq
2.3. Structural Induction Principles

The main reason to prefer abstract syntax is that, while strings of text seem
natural and simple to our human brains, they are really a lot of trouble to treat
in complete formality. Inductive trees are much nicer to manipulate. Considering
the name, it’s probably not surprising that the main thing we want to do on them
is induction, an activity most familiar in the form of mathematical induction over
the natural numbers. In this book, we will not dwell on many proofs about natural
numbers, instead presenting the more general and powerful idea of structural in-
duction that subsumes mathematical induction in a formal sense, based on viewing
the natural numbers as one simple inductively defined set.
There is a general recipe to go from an inductive definition to its associated
induction principle. When we define set S inductively, we gain an induction prin-
ciple for proving that some predicate P holds for all elements of S. To make this
conclusion, we must discharge one proof obligation per rule of the inductive defini-
tion. Recall our last rule-based definition above, for the abstract syntax of Exp. To
derive an Exp structural induction principle, we produce a new set of rules, cloning
each rule with two key modifications:
(1) Replace each conclusion, of the form E P S, with a conclusion P pEq. That
is, the obligations involve showing that P holds of certain terms.
(2) For each premise E P S, add a companion premise P pEq. That is, the
obligation allows assuming that P holds of certain terms. Each such
assumption is called an inductive hypothesis (IH ).
That mechanical procedure derives the following four proof obligations, associ-
ated with an inductive proof that @x P Exp. P pxq.
nPN x P Strings
P pConstpnqq P pVarpxqq
e1 P Exp P pe1 q e2 P Exp P pe2 q e1 P Exp P pe1 q e2 P Exp P pe2 q
P pPluspe1 , e2 qq P pTimespe1 , e2 qq
In other words, to establish @x P Exp. P pxq, we need to prove that each of these
inference rules is valid.
To see induction in action, we prove a theorem giving a sanity check on our
two recursive definitions from earlier: depth can never exceed size.
Theorem 2.1. For all e P Exp, res ď |e|.
Proof. By induction on the structure of e. □
That sort of minimalist proof often surprises and frustrates newcomers. Our
position here is that proof checking is an activity fit for machines, not people, so
we will leave out gory details, which are to be found in the accompanying Coq
code, for this theorem and many others associated with this chapter. Actually,
even published proofs on paper tend to use “proofs” as brief as the one above,
relying on the reader’s experience to “fill in the blanks”! Unsurprisingly, fairly
often there are logical errors in such arguments, leading to acceptance of bogus
theorems. For that reason, we stick to machine-checked proofs here, using the
book chapters to introduce concepts, reasoning principles, and statements of key
theorems and lemmas.
2.4. Decidable Theories

We do, however, need to get all the proof details filled in somehow. One of the
most convenient cases is when a proof goal fits into some decidable theory. We follow
the sense from computability theory, where we consider some decision problem, as
a (usually infinite) set F of formulas and some subset T Ď F of true formulas,
possibly considering only those provable using some limited set of inference rules.
The decision problem is decidable if and only if there exists some always-terminating
program that, when passed some f P F as input, returns “true” if and only if f P T .
Decidability of theories is handy because, whenever our goal belongs to the F set of
a decidable theory, we can discharge the goal automatically by running the deciding
program that must exist.
One common decidable theory is linear arithmetic, whose F set is generated
by the following grammar as ϕ.
Constants n P Z
Terms e ::“ x|n|eè|eé
Propositions ϕ ::“ e “ e | e ă e | ␣ϕ | ϕ ^ ϕ
The arithmetic terms used here are linear in the same sense as linear algebra:
we never multiply together two terms containing variables. Actually, multiplication
2.4. DECIDABLE THEORIES 9
is prohibited outright, but we allow multiplication by a constant as an abbreviation

(logically speaking) for repeated addition. Propositions are formed out of equality
and less-than tests on terms, and we also have the Boolean negation (“not”) op-
erator ␣ and conjunction (“and”) operator ^. This set of propositional operators
is enough to encode the other usual inequality and propositional operators, so we
allow them, too, as convenient shorthands.
Using decidable theories in a proof assistant like Coq, it is important to under-
stand how a theory may apply to formulas that don’t actually satisfy its grammar
literally. For instance, we may want to prove f pxq ´ f pxq “ 0, for some fancy func-
tion f well outside the grammar above. However, we only need to introduce a new
variable y, defined with the equation y “ f pxq, to arrive at a new goal y ´ y “ 0. A
linear-arithmetic procedure makes short work of this goal, and we may then derive
the original goal by substituting back in for y. Coq’s tactics based on decidable
theories do all that hard work for us.
Another important decidable theory is of equality with uninterpreted functions.
Functions f P Strings
Terms e ::“ x | f pe, . . . , eq
Propositions ϕ ::“ e “ e | ␣ϕ | ϕ ^ ϕ
In this theory, we know nothing about the detailed properties of the variables
or functions that we use. Instead, we must reason solely from the basic properties
of equality:
e2 “ e1 e1 “ e3 e3 “ e2
e “ e Reflexivity e1 “ e2 Symmetry e1 “ e2 Transitivity
f “ f 1 e1 “ e11 . . . en “ e1n
Congruence
f pe1 , . . . , en q “ f 1 pe11 , . . . , e1n q
As one more example of a decidable theory, consider the algebraic structure

of semirings, which may profitably be remembered as “types that act like natural
numbers.” A semiring is any set containing two elements notated 0 and 1, closed
under two binary operators notated ` and ˆ. The notations are suggestive, but in
fact we have free reign in choosing the set, elements, and operators, so long as the
following axioms1 are satisfied:

pa ` bq ` c “ a ` pb ` cq
0à “ a
a`0 “ a
a`b “ bà
pa ˆ bq ˆ c “ a ˆ pb ˆ cq
1â “ a
aˆ1 “ a
a ˆ pb ` cq “ pa ˆ bq ` pa ˆ cq
pa ` bq ˆ c “ pa ˆ cq ` pb ˆ cq
0â “ 0
aˆ0 “ 0
The formal theory is then as follows, where we consider as “true” only those
equalities that follow from the axioms.
Terms e ::“ 0|1|x|eè|eê
Propositions ϕ ::“ e“e
Note how the applicability of the semiring theory is incomparable to the appli-
cability of the linear-arithmetic theory. That is, while some goals are provable via
either, some are provable only via the semiring theory and some provable only by lin-
ear arithmetic. For instance, by the semiring theory, we can prove xpy`zq “ xy`xz,
while linear arithmetic can prove x ´ x “ 0.
2.5. Simplification and Rewriting

While we leave most proof details to the accompanying Coq code, it does seem
important to introduce two key principles that are often implicit in proofs on paper.
The first is algebraic simplification, where we apply the defining equations of
a recursive definition to simplify a goal. For example, recall that our definition of
expression size included this clause.
|Pluspe1 , e2 q| “ 1 ` |e1 | ` |e2 |
Now imagine that we are trying to prove this formula.
|Pluspe, Constp7qq| “ 2 ` |e|
We may apply the defining equation to rewrite into a different formula, where we
have essentially pushed the definition of |¨| through the Plus.
1 ` |e| ` |Constp7q| “ 2 ` |e|
Another application of a different defining equation, this time for Const, takes us
to here.
1 ` |e| ` 1 “ 2 ` |e|
From here, the goal follows by linear arithmetic.
1The equations are taken almost literally from https://en.wikipedia.org/wiki/Semiring.

2.5. SIMPLIFICATION AND REWRITING 11
Such a proof establishes a theorem @e P Exp. |Pluspe, Constp7qq| “ 2 ` |e|. We

may use already-proved theorems via a more general rewriting mechanism, applying
whenever we know some quantified equality. Within a new goal we are proving, we
find some subterm that matches the lefthand side of that equality, after we choose
the proper values of the quantified variables. The process of finding those values
automatically is called unification. Rewriting enables us to take the subterm we
found and replace it with the righthand side of the equation.
As an example, assume that, for some P , we know P p2 ` |Varpxq|q and are
trying to prove P p|PluspVarpxq, Constp7qq|q. We may use our earlier fact to rewrite
the argument of P in what we are trying to show, so that it now matches the
argument from what we already know, at which point the proof is trivial to finish.
Here, unification found the assignment e “ Varpxq.
Encoding
We close the chapter with an important note on terminology. A formula like
P p|PluspVarpxq, Constp7qq|q combines several levels of notation. We consider that
we are doing our mathematical reasoning in some metalanguage, which is often
applicable to a wide variety of proof tasks. We also happen to be applying it
here to reason about some object language, a programming language whose syntax
is defined formally, here the language of arithmetic expressions. We have x as a
variable of the metalanguage, while Varpxq is a variable expression of the object
language. It is difficult to use English to explain the distinction between the two in
complete formality, but be on the lookout for places where formulas mix concepts of
the metalanguage and object language! The general patterns should soon become
clear, as they are somehow already familiar to us from natural-language sentences
like:
The wise man said, “it is time to prove some theorems.”
The quoted remark could just as well be in Spanish instead of English, in which
case we have two languages nested in a nontrivial way.
CHAPTER 3
Data Abstraction
All of the fully formal proofs in this book are worked out only in associated
Coq code. Therefore, before proceeding to more topics in program semantics and
proof, it is important to develop some basic Coq competence. Several heavily com-
mented examples files are associated with this crucial point in the book. We won’t
discuss details of Coq proving in this document, outside Appendix A. However,
one of the possibilities shown off in the Coq code is worth drawing attention to,
as a celebrated semantics idea in its own right, though we don’t yet connect it to
formalized syntax of programming languages. That idea is data abstraction, one
of the most central ideas in program structuring. Let’s consider the mathematical
meaning of encapsulation in data structures.
3.1. Algebraic Interfaces for Abstract Data Types

Consider the humble queue, a classic data structure that allows us to enqueue
data elements and then dequeue them in the order received. Perhaps surprisingly,
there is already some complexity in efficient queue implementation. So-called client
code that relies on queues shouldn’t need to know about that complexity, though.
We should be able to formulate “queue” as an abstract data type, hiding imple-
mentation details. In the setting of pure functional programming, as in Coq, here
is our first cut at such a data type, as a set of types and operations, somewhat
reminiscent of e.g. interfaces in Java. Type tpαq stands for queues holding data
values in some type α.
tpαq : Set
empty : tpαq
enqueue : tpαq ˆ α Ñ tpαq
dequeue : tpαq á tpαq ˆ α
A few notational conventions of note: We declare that tpαq is a type by assigning

it the type Set, which itself contains all the normal types of programming. An empty
queue exists for any α, and enqueue and dequeue operations are also available for
any α. The type of dequeue indicates function partiality by the arrow á: dequeuing
yields no answer for an empty queue. For partial function f : A á B, we indicate
lack of a mapping for x P A by writing f pxq “ ¨.
In normal programming, we stop at this level of detail in defining an abstract
data type. However, when we’re after formal correctness proofs, we must enrich
data types with specifications or “specs.” One prominent spec style is algebraic:
write out a set of laws, quantified equalities that use the operations of the data
13
14 3. DATA ABSTRACTION
type. For queues, here are two reasonable laws.
dequeuepemptyq “ ¨
@q. dequeuepqq “ ¨ ñ q “ empty
Actually, the inference-rule notation from last chapter also makes algebraic
laws more readable, so here is a restatement.
dequeuepqq “ ¨
dequeuepemptyq “ ¨ q “ empty
One more rule suffices to give a complete characterization of behavior, with the
familiar math notation for piecewise functions.
#
pempty, xq, dequeuepqq “ ¨
dequeuepenqueuepq, xqq “
penqueuepq , xq, yq, dequeuepqq “ pq 1 , yq
1
Now several implementations of this functionality are possible. Here’s one of

the two “obvious” ones, where we enqueue to list fronts and dequeue from list
backs. We write listpαq for the type of lists with data elements from α, with ℓ1 ’ ℓ2
for concatenation of lists ℓ1 and ℓ2 , and with comma-separated lists inside square
brackets for list literals.
tpαq “ listpαq
empty “ rs
enqueuepq, xq “ rxs ’ q
dequeueprsq “ ¨
dequeueprxs ’ qq “ prs, xq, when dequeuepqq “ ¨.
dequeueprxs ’ qq “ prxs ’ q 1 , yq, when dequeuepqq “ pq 1 , yq.
There is also a dual implementation where we enqueue to list backs and dequeue
from list fronts.
tpαq “ listpαq
empty “ rs
enqueuepq, xq “ q ’ rxs
dequeueprsq “ ¨
dequeueprxs ’ qq “ pq, xq
Proofs of the algebraic laws, for both implementations, appear in the associated
Coq code. Both versions actually take quadratic time in practice, assuming con-
catenation takes time linear in the length of its first argument. There is a famous,
more clever implementation that achieves amortized constant time (linear time to
run a whole sequence of operations), but we will need to expand our algebraic style
to accommodate it.
3.2. ALGEBRAIC INTERFACES WITH CUSTOM EQUIVALENCE RELATIONS 15
3.2. Algebraic Interfaces with Custom Equivalence Relations

We find it useful to extend the base interface of queues with a new, mathemat-
ical “operation”:
tpαq : Set
empty : tpαq
« : Pptpαq ˆ tpαqq
We use the “powerset” operation P to indicate that « is a binary relation over
queues (of the same type). Our intention is that « be an equivalence relation, as
formalized by the following laws that we add.
b « a Symmetry a « b b « c
a « a Reflexivity a « b a«c Transitivity
Now we rewrite the original laws to use « instead of equality. We implicitly

lift « to apply to results of the partial function dequeue: nonexistent results ¨ are
related, and existent results pq1 , x1 q and pq2 , x2 q are related iff q1 « q2 and x1 “ x2 .
dequeuepqq “ ¨
dequeuepemptyq “ ¨ q « empty
#
pempty, xq, dequeuepqq “ ¨
dequeuepenqueuepq, xqq «
penqueuepq , xq, yq, dequeuepqq “ pq 1 , yq
1
What’s the payoff from this reformulation? Well, first, it passes the sanity
check that the two queue implementations from the last section comply, with «
instantiated as simple equality. However, we may now also handle the classic two-
stack queue. Here is its implementation, relying on list-reversal function rev (which
takes linear time).
tpαq “ listpαq ˆ listpαq
empty “ prs, rsq
enqueueppℓ1 , ℓ2 q, xq “ prxs ’ ℓ1 , ℓ2 q
dequeuepprs, rsqq “ ¨
dequeueppℓ1 , rxs ’ ℓ2 qq “ ppℓ1 , ℓ2 q, xq
dequeueppℓ1 , rsqq “ pprs, q11 q, xq, when revpℓ1 q “ rxs ’ q11 .
The basic trick is to encode a queue as a pair of lists pℓ1 , ℓ2 q. We try to enqueue
into ℓ1 by adding elements to its front in constant time, and we try to dequeue from
ℓ2 by removing elements from its front in constant time. However, sometimes we
run out of elements in ℓ2 and need to reverse ℓ1 and transfer the result into ℓ2 . The
suitable equivalence relation formalizes this plan.
repppℓ1 , ℓ2 qq “ ℓ1 ’ revpℓ2 q
q1 « q2 “ reppq1 q “ reppq2 q
We can prove both that this « is an equivalence relation and that the other
queue laws are satisfied. As a result, client code (and its correctness proofs) can use
16 3. DATA ABSTRACTION
this fancy code, effectively viewing it as a simple queue, with the two-stack nature
hidden.
Why did we need to go through the trouble of introducing custom equivalence
relations? Consider the following two queues. Are they equal? (We write π1 for
the function that projects out the first element of a pair.)
?
enqueuepempty, 2q “ π1 pdequeuepenqueuepenqueuepempty, 1q, 2qqq
No, they aren’t equal! The first expression reduces to pr2s, rsq, while the second
reduces to prs, r2sq. This data structure is noncanonical , in the sense that the same
logical value may have multiple physical representations. The equivalence relation
lets us indicate which physical representations are equivalent.
3.3. Representation Functions

That last choice of equivalence relations suggests another specification style,
based on representation functions. We can force every queue to include a func-
tion to convert to a standard, canonical representation. Real executable programs
shouldn’t generally call that function; it’s most useful to us in phrasing the alge-
braic laws. Perhaps surprisingly, the mere existence of any compatible function is
enough to show correctness of a queue implementation, and the approach general-
izes to essentially all other data structures cast as abstract data types.
Here is how we revise our type signature for queues.
tpαq : Set
empty : tpαq
rep : tpαq Ñ listpαq
And here are the revised axioms.
reppemptyq “ rs reppenqueuepq, xqq “ rxs ’ reppqq
reppqq “ rs reppqq “ ℓ ’ rxs

dequeuepqq “ ¨ Dq . dequeuepqq “ pq 1 , xq ^ reppq 1 q “ ℓ
1
Notice that this specification style can also be viewed as giving a reference im-
plementation of the data type, where rep shows how to convert back to the reference
implementation at any point.
3.4. Fixing Parameter Types for Abstract Data Types

Here’s another classic abstract data type: finite sets, where we write B for the
set of Booleans.
tpαq : Set
empty : tpαq
add : tpαq ˆ α Ñ tpαq
member : tpαq ˆ α Ñ B
3.4. FIXING PARAMETER TYPES FOR ABSTRACT DATA TYPES 17
A few laws characterize expected behavior, with J and K the respective ele-
ments “true” and “false” of B.
k1 ‰ k2
memberpempty, kq “ K memberpaddps, kq, kq “ J memberpaddps, k1 q, k2 q “ memberps, k2 q
There is a simple generic implementation of this data type with unsorted lists.
t “ list
empty “ rs
addps, kq “ rks ’ s
memberprs, kq “ K
memberprk 1 s ’ s, kq “ k “ k 1 _ memberps, kq
However, we can build specialized finite sets for particular element types and
usage patterns. For instance, assume we are working with sets of natural numbers,
where we know that most sets contain consecutive numbers. In those cases, it suf-
fices to store just the lowest and highest elements of sets, and all the set operations
run in constant time. Assume a fallback implementation of finite sets, with type
t0 and operations empty0 , add0 , and member0 . We implement our optimized set
type like so, assuming an operation fromRange : N ˆ N Ñ t0 to turn a range into
an ad-hoc set.
t “ Empty | RangepN ˆ Nq | AdHocpt0 q
empty “ Empty
addpEmpty, kq “ Rangepk, kq
addpRangepn1 , n2 q, kq “ Rangepn1 , n2 q, when n1 ď k ď n2
addpRangepn1 , n2 q, n1 ´ 1q “ Rangepn1 ´ 1, n2 q, when n1 ď n2
addpRangepn1 , n2 q, n2 ` 1q “ Rangepn1 , n2 ` 1q, when n1 ď n2
addpRangepn1 , n2 q, kq “ AdHocpadd0 pfromRangepn1 , n2 q, kqq, otherwise
addpAdHocpsq, kq “ AdHocpadd0 ps, kqq
memberpEmpty, kq “ K
memberpRangepn1 , n2 q, kq “ n1 ď k ď n2
memberpAdHocpsq, kq “ member0 ps, kq
This implementation can be proven to satisfy the finite-set spec, assuming that
the baseline ad-hoc implementation does, too. For workloads that only build sets
of consecutive numbers, this implementation can be much faster than the generic
list-based implementation, converting quadratic-time algorithms into linear-time.
CHAPTER 4
Semantics via Interpreters
That’s enough about what programs look like. Let’s shift our attention to what
programs mean.
4.1. Semantics for Arithmetic Expressions via Finite Maps

To explain the meaning of one of Chapter 2’s arithmetic expressions, we need a
way to indicate the value of each variable. A theory of finite maps is helpful here. Encoding
We apply the following notations throughout the book:
‚ empty map, with H as its domain

mpkq mapping of key k in map m
mrk ÞÑ vs extension of map m to also map key k to value v
As the name advertises, finite maps are functions with finite domains, where
the domain may be expanded by each extension operation. Two axioms explain
the essential interactions of the basic operators.
k1 ‰ k2
mrk ÞÑ vspkq “ v mrk1 ÞÑ vspk2 q “ mpk2 q
With these operators in hand, we can write a semantics for arithmetic expres-
sions. This is a recursive function that maps variable valuations to numbers. We
write JeK for the meaning of e; this notation is often referred to as Oxford brackets.
Recall that we allow this kind of notation as syntactic sugar for arbitrary func-
tions, even when giving the equations that define those functions. We write v for a
valuation (finite map). Encoding
JnKv “ n
JxKv “ vpxq
Je1 ` e2 Kv “ Je1 Kv ` Je2 Kv
Je1 ˆ e2 Kv “ Je1 Kv ˆ Je2 Kv
Note how parts of the definition feel a little bit like cheating, as we just “push
notations inside the brackets.” It’s important to remember that plus inside the
brackets is syntax, while plus outside the brackets is the normal addition of math!
To test our semantics, we define a variable substitution function. A substitution
re1 {xse stands for the result of running through the syntax of e, replacing every
occurrence of variable x with expression e1 .
19
20 4. SEMANTICS VIA INTERPRETERS
re{xsn “ n
re{xsx “ e
re{xsy “ y, when y ‰ x
re{xspe1 ` e2 q “ re{xse1 ` re{xse2
re{xspe1 ˆ e2 q “ re{xse1 ˆ re{xse2
We can prove a key compatibility property of these two recursive functions.
Theorem 4.1. For all e, e1 , x, and v, Jre1 {xseKv “ JeKpvrx ÞÑ Je1 Kvsq.
That is, in some sense, the operations of interpretation and substitution com-
mute with each other. That intuition gives rise to the common notion of a com-
muting diagram, like the one below for this particular example.
re1 {xs...
pe, vq pre1 {xse, vq
...rxÞÑJe1 Kvs J...K
pe, vrx ÞÑ Je1 Kvsq Jre1 {xseKv

J...K
We start at the top left, with a given expression e and valuation v. The diagram
shows the equivalence of two different paths to the bottom right. Each individual
arrow is labeled with some description of the transformation it performs, to get
from the term at its source to the term at its destination. The right-then-down
path is based on substituting and then interpreting, while the down-then-right path
is based on extending the valuation and then interpreting. Since both paths wind
up at the same spot, the diagram indicates an equality between the corresponding
terms.
It’s a matter of taste whether the theorem statement or the diagram expresses
the property more clearly!
4.2. A Stack Machine

As an example of a very different language, consider a stack machine, similar at
some level to, for instance, the Forth programming language, or to various postfix
Encoding calculators.
Instructions i ::“ PushConstpnq | PushVarpxq | Add | Multiply
Programs i ::“ ¨ | i; i
Though here we defined an explicit grammar for programs, which are just
sequences of instructions, in general we’ll use the notation X to stand for sequences
of X’s, and the associated concrete syntax won’t be so important. We also freely
use single instructions to stand for programs, writing just i in place of i; ¨.
Each instruction of this language transforms a stack , a last-in-first-out list
of numbers. Rather than spend more words on it, here is an interpreter that
makes everything precise. Here and elsewhere, we overload the Oxford brackets
J. . .K shamelessly, where context makes clear which language or interpreter we are
dealing with. We write s for stacks, and we write n ▷ s for pushing number n onto
Encoding the top of stack s.
4.2. A STACK MACHINE 21
JPushConstpnqKpv, sq “ n▷s
JPushVarpxqKpv, sq “ vpxq ▷ s
JAddKpv, n2 ▷ n1 ▷ sq “ pn1 ` n2 q ▷ s
JMultiplyKpv, n2 ▷ n1 ▷ sq “ pn1 ˆ n2 q ▷ s
The last two cases require the stack have at least a certain height. Here we’ll
ignore what happens when the stack is too short, though it suffices, for our purposes,
qy
to add pretty much any default behavior for the missing cases. We overload i to
refer to the composition of the interpretations of the different instructions within
i, in order.
Next, we give our first example of what might be called a compiler , or a trans-
lation from one language to another. Let’s compile arithmetic expressions into
stack programs, which then become easy to map onto the instructions of common
assembly languages. In that sense, with this translation, we make progress toward
efficient implementation on commodity hardware.
Throughout this book, we will use notation t. . .u for compilation, where the
floor-based notation suggests moving downward to a lower abstraction level. Here
is the compiler that concerns us now, where we write i1 ’ i2 for concatenation of
two instruction sequences i1 and i2 . Encoding
tnu “ PushConstpnq
txu “ PushVarpxq
te1 ` e2 u “ te1 u ’ te2 u ’ Add
te1 ˆ e2 u “ te1 u ’ te2 u ’ Multiply
The first two cases are straightforward: their compilations just push the obvious
values onto the stack. The binary operators are just slightly more tricky. Each first
evaluates its operands in order, where each operand leaves its final result on the
stack. With both of them in place, we run the instruction to pop them, combine
them, and push the result back onto the stack.
The correctness theorem for compilation must refer to both of our interpreters.
From here on, we consider that all unaccounted-for variables in a theorem statement
are quantified universally.
Theorem 4.2. JteuKpv, ¨q “ JeKv.
Here’s a restatement as a commuting diagram.
t...u
e teu
J...K
J...K
JeK
As usual, we leave proof details for the associated Coq code, but the key insight
of the proof is to strengthen the induction hypothesis via a lemma.
q y qy
Lemma 4.3. teu ’ i pv, sq “ i pv, JeKv ▷ sq.
We strengthen the statement by considering both an arbitrary initial stack s
and a sequence of extra instructions i to be run after e.
22 4. SEMANTICS VIA INTERPRETERS
4.3. A Simple Higher-Level Imperative Language

The interpreter approach to semantics is usually the most convenient one, when
it applies. Coq requires that all programs terminate, and that requirement is effec-
tively also present in informal math, though it is seldom called out with the same
terms. Instead, with math, we worry about whether recursive systems of equations
are well-founded, in appropriate senses. From either perspective, extra encoding
tricks are required to write a well-formed interpreter for a Turing-complete lan-
guage. We will dodge those complexities for now by defining a simple imperative
language with bounded loops, where termination is easy to prove. We take the
Encoding arithmetic expression language as a base.
Command c ::“ skip | x Ð e | c; c | repeat e do c done
Now the implicit state, read and written by a command, is a variable valuation,
as we used in the interpreter for expressions. A skip command does nothing, while
x Ð e extends the valuation to map x to the value of expression e. We have simple
command sequencing c1 ; c2 , in addition to the bounded loop repeat e do c done,
which executes c a number of times equal to the value of e.
To give the semantics, we need a few commonplace notations that are worth
reviewing. We write id for the identity function, where idpxq “ x; and we write
f ˝ g for composition of functions f and g, where pf ˝ gqpxq “ f pgpxqq. We also
have iterated self-composition, written like exponentiation of functions f n , defined
as follows.
f0 “ id
n`1
f “ fn ˝ f
From here, J. . .K is easy to define yet again, as a transformer over variable
Encoding valuations.
JskipKv “ v
Jx Ð eKv “ vrx ÞÑ JeKvs
Jc1 ; c2 Kv “ Jc2 KpJc1 Kvq
Jrepeat e do c doneKv “ pvq
JeKv
JcK
To put this semantics through a workout, let’s consider a simple optimization, a
transformation whose input and output programs are in the same language. There’s
an additional, fuzzier criterion for an optimization, which is that it should improve
the program somehow, usually in terms of running time, memory usage, etc. The
optimization we choose here may be a bit dubious in that respect, though it is
related to an optimization found in every serious C compiler.
In particular, let’s tackle loop unrolling. When the iteration count of a loop is a
constant n, we can replace the loop with n sequenced copies of its body. C compilers
need to work harder to find the iteration count of a loop, but luckily our language
includes loops with very explicit iteration counts! To define the transformation,
we’ll want a recursive function and notation for sequencing of n copies of a command
c, written n c.
0
c “ skip
n`1
c “ c; n c
4.3. A SIMPLE HIGHER-LEVEL IMPERATIVE LANGUAGE 23
Now the optimization itself is easy to define. We’ll write |. . .| for this and other
optimizations, which move neither down nor up a tower of program abstraction
levels. Encoding
|skip| “ skip
|x Ð e| “ xÐe
|c1 ; c2 | “ |c1 |; |c2 |
n
|repeat n do c done| “ |c|
|repeat e do c done| “ repeat e do |c| done
Note that, when multiple defining equations apply to some function input, by
convention we apply the earliest equation that matches.
Let’s prove that this optimization preserves program behavior; that is, we prove
that it is semantics-preserving.
Theorem 4.4. J|c|Kv “ JcKv.
It all looks so straightforward from that statement, doesn’t it? Indeed, there
actually isn’t so much work to do to prove this theorem. We can also present it as
a commuting diagram much like the prior one.
|...|
c |c|
J...K
J...K
JcK
The statement of Theorem 4.4 happens to be already in the right form to do
induction directly, but we need a helper lemma, capturing the interaction of n c and
the semantics.
n
Lemma 4.5. Jn cK “ JcK .
Let us end the chapter with the commuting-diagram version of the lemma
statement.
n
... n
c c
J...K J...K
n
... n
JcK JcK
CHAPTER 5
Inductive Relations and Rule Induction
We should pause here to consider another crucial mathematical tool that is not
in common use outside the study of semantics but which will be essential for almost
all language semantics we define from here on. That tool is similar to the inductive
set or type definitions we met in Chapter 2. However, now we define relations (and
predicates, the colloquial name for single-argument relations) inductively. Let us
take some time to work through simple examples before moving on to cases more
relevant to semantics.
5.1. Finite Sets as Inductive Predicates

Any finite set is easy to define as a predicate, with a set of inference rules that
include no premises. For instance, say my favorite numbers are 17, 23, and 42. We
can define a predicate favorites as follows.
favoritesp17q favoritesp23q favoritesp42q
As we defined inductive sets as the smallest sets satisfying given inference rules,
we now define inductive predicates as the least predicates satisfying the rules. The
rules given here require acceptance of 17, 23, and 42 and no more, so those are
exactly the values accepted by the predicate.
Any inductive predicate definition has an associated induction principle, which
we can derive much as we derived induction principles in Chapter 2. Specifically,
when we defined P inductively and want to conclude Q from it, we want to prove
@x. P pxq ñ Qpxq. We transform each rule into one obligation within the induction,
by replacing P with Q in the conclusion, in addition to taking each premise P peq
and pairing it with a new premise Qpeq (an induction hypothesis).
Our example of favorites is a degenerate inductive definition whose principle
requires no induction hypotheses. Thus, to prove @x. favoritespxq ñ Qpxq, we must
establish the following.
Qp17q Qp23q Qp42q
That is, to prove that a predicate holds of all elements of a finite set, it suffices
to check the predicate for each element. In general, induction on proofs of relations
is called rule induction. A simple example:
Theorem 5.1. All of my favorite numbers are below 50, i.e. @x. favoritespxq ñ
x ă 50.
Proof. By induction on the proof of favoritespxq, i.e. with Qpxq “ x ă 50. □
Note how it is quite natural to see rule induction as induction on proof trees, as
if they were just any other tree data structure! Indeed, data and proofs are unified
in Coq’s mathematical foundation.
25
26 5. INDUCTIVE RELATIONS AND RULE INDUCTION
5.2. Transitive Closure of Relations

Let R be some binary relation. We define its transitive closure R` by:
xRy x R` y y R` z
x R` y x R` z
That is, R` is the least relation satisfying these rules. It should accept argu-
ment pairs only if the rules force them to be accepted. This relation happens to be
the least that both contains R and is transitive. The second rule forces R` to be
transitive quite explicitly.
We apply our recipe (changing rule conclusions and adding new inductive hy-
potheses) to find the induction principle for R` . To prove @x, y. x R` y ñ Qpx, yq,
we must show:
x R y x R` y Qpx, yq y R` z Qpy, zq
Qpx, yq Qpx, zq
As an example with transitive closure, consider an alternative definition of
“less-than” for natural numbers. Let ă be the relation defined to accept x and
y only when x ` 1 “ y. Now ă` means “less-than,” i.e. the second argument is
reachable from the first by some finite number of increments. We can make the
connection formal.
Theorem 5.2. If x ă` y, then x ă y.
Proof. By induction on the proof of x ă` y, e.g. with Qpx, yq “ x ă y,
considering cases for the two rules defining transitive closure. □
Lemma 5.3. For any n and k, n ă` p1 ` kq ` n.
Proof. By induction on k, using the first rule of transitive closure in the base
case and discharging the inductive case using transitivity via k ` n. □
Theorem 5.4. If n ă m, then n ă` m.
Proof. By Lemma 5.3, with k “ m ´ n ´ 1. □
Another manageable exercise is showing logical equivalence of R` and R`` for
any R, which requires rule induction in both directions of the proof.
5.3. Permutations
It may not be the most intuitively obvious formulation, but we can use an
inductive relation to explain when one list is a permutation of another, written
here as infix relation „.
ℓ1 „ ℓ2 ℓ „ ℓ1 ℓ1 „ ℓ2
rs „ rs x ▷ ℓ1 „ x ▷ ℓ2 y ▷ x ▷ ℓ „ x ▷ y ▷ ℓ ℓ „ ℓ2
We apply the usual recipe to derive its induction principle, showing @ℓ, ℓ1 . ℓ „
ℓ ñ Qpℓ, ℓ1 q:
1
ℓ1 „ ℓ2 Qpℓ1 , ℓ2 q ℓ „ ℓ1 Qpℓ, ℓ1 q ℓ1 „ ℓ2 Qpℓ1 , ℓ2 q

Qprs, rsq Qpx ▷ ℓ1 , x ▷ ℓ2 q Qpy ▷ x ▷ ℓ, x ▷ y ▷ ℓq Qpℓ, ℓ2 q
A number of sensible algebraic properties now follow.
Lemma 5.5. a ▷ ℓ „ ℓ ’ ras.
5.4. A MINIMAL PROPOSITIONAL LOGIC 27
Proof. By induction on ℓ, with semi-intricate little combinations of the rules

of „ in each case. □
Theorem 5.6. ℓ „ reversepℓq.
Proof. By induction on ℓ, with appeal to Lemma 5.5 in the inductive case. □
Theorem 5.7. If ℓ1 „ ℓ2 , then |ℓ1 | “ |ℓ2 |.
Proof. By induction on the proof of ℓ1 „ ℓ2 , with each case falling neatly into
the decidable theory of equality with uninterpreted functions. □
Lemma 5.8. ℓ „ ℓ.
Proof. By induction on ℓ. □
Lemma 5.9. If ℓ1 „ ℓ2 , then ℓ1 ’ ℓ „ ℓ2 ’ ℓ.
Proof. By induction on the proof of ℓ1 „ ℓ2 , appealing to Lemma 5.8 in the
first case. □
Lemma 5.10. If ℓ1 „ ℓ2 , then ℓ ’ ℓ1 „ ℓ ’ ℓ2 .
Proof. By induction on ℓ. □
Theorem 5.11. If ℓ1 „ ℓ11 and ℓ2 „ ℓ12 , then ℓ1 ’ ℓ2 „ ℓ11 ’ ℓ12 .
Proof. Combine Lemmas 5.9 and 5.10 using the transitivity rule of „. □
5.4. A Minimal Propositional Logic

Though we are mostly concerned with programming languages in this book,
the same techniques are also often applied to formal languages of logical formulas.
In fact, there are strong connections between programming languages and logics,
with many dual techniques across the sides. We won’t really dip our toes into those
connections, but we can use the example of propositional logic here, to get a taste
of formalizing logics, at the same time as we practice with inductive relations.
As a warmup for reasoning about syntax trees of logical formulas, consider this
basic language.
Formula ϕ ::“ J | K | ϕ ^ ϕ | ϕ _ ϕ
The constructors are, respectively: truth, falsehood, conjunction (“and”), and
disjunction (“or”).
A simple inductive definition of a predicate $ (for “proves”) suffices to explain
the meanings of the connectives.
$ ϕ1 $ ϕ2 $ ϕ1 $ ϕ2
$ J $ ϕ1 ^ ϕ2 $ ϕ1 _ ϕ2 $ ϕ1 _ ϕ2
That is, truth is obviously true, falsehood can’t be proved, proving a conjunc-
tion requires proving both conjuncts, and proving a disjunction requires proving
one disjunct or the other (expressed with two separate rules).
A simple interpreter also does the trick to explain this language.
JJK “ J
JKK “ K
Jϕ1 ^ ϕ2 K “ Jϕ1 K ^ Jϕ2 K
Jϕ1 _ ϕ2 K “ Jϕ1 K _ Jϕ2 K
Each syntactic connective is explained in terms of the usual semantic connective

in our metalanguage. In the formal study of logic, this style of semantics is often
associated with model theory and a definition via an inductive relation with proof
theory.
It is good to establish that the two formulations agree, and the two directions
of logical equivalence have traditional names.
Theorem 5.12 (Soundness of the inductive predicate). If $ p, then JpK.
Proof. By induction on the proof of $ p, where each case then follows by the
rules of propositional logic in the metalanguage (a decidable theory). □
Theorem 5.13 (Completeness of the inductive predicate). If JpK, then $ p.

Proof. By induction on p, combining the rules of $ with propositional logic
in the metalanguage. □
5.5. Propositional Logic with Implication

Extending to the rest of traditional propositional logic requires us to add a
hypothesis context to our judgment, mirroring a pattern we will see later in studying
type systems (Chapter 11). Our formula language is extended as follows.
Variables p
Formula ϕ ::“ J|K|ϕ^ϕ|ϕ_ϕ|p|ϕñϕ
Note how we add propositional variables p, which stand for unknown truth values.
What is fundamentally harder about modeling implication? We need to per-
form hypothetical reasoning, trying to prove a formula with other formulas available
as known facts. It is natural to build up a list of hypotheses, as an input to the $
predicate. By convention, we use metavariable Γ (Greek capital gamma) for such a
list and call it a context. First, the context is threaded through the rules we already
presented, which are called introduction rules because each explains how to prove
a fact using a specific connective (introducing that connective to the proof).
Γ $ ϕ1 Γ $ ϕ2 Γ $ ϕ1 Γ $ ϕ2
Γ$J Γ $ ϕ1 ^ ϕ2 Γ $ ϕ1 _ ϕ2 Γ $ ϕ1 _ ϕ2
Next, we have modus ponens, the classic rule for applying an implication, an
example of an elimination rule, which explains how to take advantage of a fact
using a specific connective.
Γ $ ϕ1 ñ ϕ2 Γ $ ϕ1
Γ $ ϕ2
A hypothesis rule gives the fundamental way of taking advantage of Γ’s contents.
ϕPΓ
Γ$ϕ
The introduction rule for implication is interesting for adding a new hypothesis
to the context.
ϕ1 ▷ Γ $ ϕ2
Γ $ ϕ1 ñ ϕ 2
5.5. PROPOSITIONAL LOGIC WITH IMPLICATION 29
Most of the remaining connectives have elimination rules, too. The simplest
case is conjunction, with rules pulling out the conjuncts.
Γ $ ϕ1 ^ ϕ2 Γ $ ϕ 1 ^ ϕ 2
Γ $ ϕ1 Γ $ ϕ2
We eliminate a disjunction using reasoning by cases, extending the context
appropriately in each case.
Γ $ ϕ 1 _ ϕ 2 ϕ1 ▷ Γ $ ϕ ϕ 2 ▷ Γ $ ϕ
Γ$ϕ
If we manage to prove falsehood, we have a contradiction, and any conclusion
follows.
Γ$K
Γ$ϕ
Finally, the somewhat-controversial law of the excluded middle, which actually
does not hold in general in Coq, though many developments postulate it as an extra
axiom (which we take advantage of in our own Coq proof here). We write negation
␣ϕ as shorthand for ϕ ñ K.
Γ $ ϕ _ ␣ϕ
This style of inductive relation definition is called natural deduction. We write
$ ϕ as shorthand for ¨ $ ϕ, for an empty context.
Note the fundamental new twist introduced compared to last section’s language:
it is no longer the case that the top-level connective of the goal formula gives us a
small set of connective-specific rules that are the only we need to consider applying.
Instead, we may need to combine the hypothesis rule with elimination rules, taking
advantage of assumptions. The power of inductive relation definitions is clearer
here, since we couldn’t simply use a recursive function over formulas to express
that kind of pattern explicitly.
A simple interpreter sets the stage for proving soundness and completeness.
The most important extension to the interpreter is that it now takes in a valuation
v, just like in the previous chapter, though now the valuation maps variables to
truth values, not numbers.
JpKv “ vppq
JJKv “ J
JKKv “ K
Jϕ1 ^ ϕ2 Kv “ Jϕ1 Kv ^ Jϕ2 Kv
Jϕ1 _ ϕ2 Kv “ Jϕ1 Kv _ Jϕ2 Kv
Jϕ1 ñ ϕ2 Kv “ Jϕ1 Kv ñ Jϕ2 Kv
To indicate that ϕ is a tautology (that is, true under any values of the variables),
we write JϕK, as a kind of abuse of notation expanding to @v. JϕKv.
Theorem 5.14 (Soundness). If $ ϕ, then JϕK.
Proof. By appeal to Lemma 5.15. □
Lemma 5.15. If Γ $ ϕ, and if we have Jϕ1 Kv for every ϕ1 P Γ, then JϕKv.
Proof. By induction on the proof of Γ $ ϕ, using propositional logic in the
metalanguage to plumb together the case proofs. □
The other direction, completeness, is quite a bit more involved, and indeed
its Coq proof strays outside the range of what is reasonable to ask students to
construct at this point in the book, but it makes for an interesting exercise. The
basic idea is to do a proof by exhaustive case analysis over the truth values of all
propositional variables p that appear in a formula.
Theorem 5.16 (Completeness). If JϕK, then $ ϕ.
Proof. By appeal to Lemma 5.17. □
Say that a context Γ and a valuation v are compatible if they agree on the truth
of any variable included in both. That is, when p P Γ, we have vppq “ J; and when
␣p P Γ, we have vppq “ K.
Lemma 5.17. Given context Γ and formula ϕ, if
‚ there is no variable p such that both p P Γ and ␣p P Γ, and
‚ for any valuation v compatible with Γ, we have JϕKv,
then Γ $ ϕ.
Proof. By induction on the set of variables p appearing in ϕ such that neither
p P Γ nor ␣p P Γ. If that set is empty, we appeal directly to Lemma 5.18. Otherwise,
choose some variable p in ϕ that hasn’t yet been assigned a truth value in Γ.
Combine excluded middle on p with the _ elimination rule of $ to do a case split,
so that it now suffices to prove both p ▷ Γ $ ϕ and ␣p ▷ Γ $ ϕ. Each case can be
proved by direct appeal to the induction hypothesis, since assigning p a truth value
in Γ shrinks the set we induct over. □
We write JϕKΓ to denote interpreting ϕ in a valuation that assigns J to exactly
those variables that appear directly in Γ.
Lemma 5.18. Given context Γ and formula ϕ, if
‚ for every variable p appearing in ϕ, we have either p P Γ or ␣p P Γ; and
‚ there is no variable p such that both p P Γ and ␣p P Γ
then if JϕKΓ, then Γ $ ϕ, otherwise Γ $ ␣ϕ.
Proof. By induction on ϕ, with tedious combination of propositional logic in
the metalanguage and in the rules of $. Inductive cases make several appeals to
Lemma 5.19, and it is important that the base case for variables p is able to assume
that either p or ␣p appears in Γ. □
Lemma 5.19 (Weakening). If Γ $ ϕ, and Γ1 includes a superset of the formulas
from Γ, then Γ1 $ ϕ.
Proof. By induction on the proof of Γ $ ϕ. □
CHAPTER 6
Transition Systems and Invariants
For simple programming languages where programs always terminate, it is often

most convenient to formalize them using interpreters, as in Chapter 4. However,
many important languages don’t fall into that category, and for them we need
different techniques. Nontermination isn’t always a bug; for instance, we expect
a network server to run indefinitely. We still need to be able to talk about the
correct behavior of programs that run forever, by design. For that reason, in this
chapter and in most of the rest of the book, we model programs using relations,
in much the same way that may be familiar from automata theory. An important
difference, though, is that, while undergraduate automata-theory classes generally
study finite-state machines, for general program reasoning we want to allow infinite
sets of states, otherwise referred to as infinite-state systems.
Let’s start with an example that almost seems too mundane to be associated
with such terms.
6.1. Factorial as a State Machine

We’re familiar with the factorial operation, implemented as an imperative pro-
gram with a loop.
factorial(n) {
a = 1;
while (n > 0) {
a = a * n;
n = n - 1;
}
return a;
}
In the analysis to follow, consider some value n0 P N fixed, as the input passed
to this operation. A state machine is lurking within the surface syntax of the
program. In fact, we have a variety of choices in modeling it as a state machine. Encoding
Here is the set of states that we choose to use here:
Natural numbers n P N
States s ::“ AnswerIspnq | WithAccumulatorpn, nq
There are two types of states. An AnswerIspaq state corresponds to the return
statement. It records the final result a of the factorial operation. A WithAccumulatorpn, aq
records an intermediate state, giving the values of the two local variables, just before
a loop iteration begins.
31
32 6. TRANSITION SYSTEMS AND INVARIANTS
Following the more familiar parts of automata theory, let’s define a set of initial
states for this machine.
WithAccumulatorpn0 , 1q P F0
For consistency with the notation we will be using later, we define the set F0 using
an inference rule. Equivalently, we could just write F0 “ tWithAccumulatorpn0 , 1qu,
essentially reading off the initial variable values from the first lines of the code above.
Similarly, we also define a set of final states.
AnswerIspaq P Fω
Equivalently: Fω “ tAnswerIspaq | a P Nu. Note that this definition only captures
when the program is done, not when it returns the right answer. It follows from
the last line of the code.
The last and most important ingredient of our state machine is its transition
relation, where we write s Ñ s1 to indicate that state s advances to state s1 in
one step, following the semantics of the program. Here inference rules are more
obviously a good fit.
WithAccumulatorp0, aq Ñ AnswerIspaq
WithAccumulatorpn ` 1, aq Ñ WithAccumulatorpn, a ˆ pn ` 1qq
The first rule corresponds to the case where the program ends, because the loop
test has failed and we now know the final answer. The second rule corresponds to
going once around the loop, following directly from the code in the loop body.
We can fit these ingredients into the general concept of a transition system, the
term we will use throughout this book for this sort of state machine. Actually, the
words “state machine” suggest to many people that the state set must be finite,
hence our preference for “transition system,” which is also used fairly frequently in
semantics.
Definition 6.1. A transition system is a triple xS, S0 , Ñy, with S a set of
states, S0 Ď S a set of initial states, and Ñ Ď S ˆ S a transition relation.
For an arbitrary transition relation Ñ, not just the one defined above for fac-
torial, we define its transitive-reflexive closure Ñ˚ with two inference rules:
s Ñ s1 s1 Ñ˚ s2
˚
sÑ s s Ñ˚ s2
That is, a formal claim s Ñ˚ s1 corresponds exactly to the informal claim that
“starting from state s, we can reach state s1 .”
Definition 6.2. For transition system xS, S0 , Ñy, we say that a state s is
reachable if and only if there exists s0 P S0 such that s0 Ñ˚ s.
Building on these notations, here is one way to state the correctness of our
factorial program, which, defining S according to the state grammar above, we
model as F “ xS, F0 , Ñy.
Theorem 6.3. For any state s reachable in F, if s P Fω , then s “ AnswerIspn0 !q.
That is, whenever the program finishes, it returns the right answer. (Recall
that n0 is the initial value of the input variable.)
We could prove this theorem now in a relatively ad-hoc way. Instead, let’s
develop the general machinery of invariants.
6.2. INVARIANTS 33
6.2. Invariants
The concept of “invariant” may be familiar from such relatively informal notions
as “loop invariant” in introductory programming classes. Intuitively, an invariant
is a property of program state that starts true and stays true, but let’s make that
idea a bit more formal, as applied to our transition-system formalism. Invariants
Definition 6.4. An invariant of a transition system is a property that is
always true, in all of the system’s reachable states. That is, for transition system
xS, S0 , Ñy, where R is the set of all its reachable states, some I Ď S is an invariant
iff R Ď I. (Note that here we adopt the mathematical convention that “properties”
of states and “sets” of states are synonymous, so that in each case we can use what
terminology seems most natural. The “property” holds of exactly those states that
belong to the “set.”)
At first look, the definition may appear a bit silly. Why not always just take
the reachable states R as the invariant, instead of scrambling to invent something
new? The reason is the same as for strengthening induction hypotheses to make
proofs easier. Often it is easier to characterize an invariant that isn’t fully precise,
admitting some states that the system can never actually reach. Additionally, it
can be easier to prove existence of an approximate invariant by induction, by the
method that the next key theorem formalizes.
Theorem 6.5. Consider a transition system xS, S0 , Ñy and its candidate in-
variant I. The candidate is truly an invariant if (1) S0 Ď I and (2) for every s P I
where s Ñ s1 , we also have s1 P I.
That’s enough generalities for now. Let’s define a suitable invariant for facto-
rial. Invariants
IpAnswerIspaqq “ n0 ! “ a
IpWithAccumulatorpn, aqq “ n0 ! “ n! ˆ a
It is an almost-routine exercise to prove that I really is an invariant, using
Theorem 6.5. The key new ingredient we need is inversion, a principle for deducing
which inference rules may have been used to prove a fact.
For instance, at one point in the proof, we need to draw a conclusion from a
premise s P F0 , meaning that s is an initial state. By inversion, because set F0 is
defined by a single inference rule, that rule must have been used to conclude the
premise, so it must be that s “ WithAccumulatorpn0 , 1q.
Similarly, at another point in the proof, we must reason from a premise s Ñ s1 .
The relation Ñ is defined by two inference rules, so inversion leads us to two cases to
consider. In the first case, corresponding to the first rule, s “ WithAccumulatorp0, aq
and s1 “ AnswerIspaq. In the second case, corresponding to the second rule, s “
WithAccumulatorpn ` 1, aq and s1 “ WithAccumulatorpn, a ˆ pn ` 1qq. It’s worth
checking that these values of s and s1 are read off directly from the rules.
Though a completely formal and exhaustive treatment of inversion is beyond
the scope of this text, generally it follows standard intuitions about “reverse-
engineering” a set of rules that could have been used to derive some premise.
Another important property of invariants formalizes the connection with weak-
ening an induction hypothesis.
Theorem 6.6. If I is an invariant of a transition system, then I 1 Ě I (a

superset of the original) is also an invariant of the same system.
Note that the larger I 1 above may not be suitable to use in an inductive proof
by Theorem 6.5! For instance, for factorial, we might define I 1 “ tAnswerIspn0 !qu Y
tWithAccumulatorpn, aq | n, a P Nu, clearly a superset of I. However, by forgetting
everything that we know about intermediate WithAccumulator states, we will get
stuck on the inductive step of the proof. Thus, what we call invariants here needn’t
also be inductive invariants, and there may be slight terminology mismatches with
other sources.
Combining Theorems 6.5 and 6.6, it is now easy to prove Theorem 6.3, estab-
lishing the correctness of our particular factorial system F. First, we use Theorem
6.5 to deduce that I is an invariant of F. Then, we choose the very same I 1 that
we warned above is not an inductive invariant, but which is fairly easily shown to
be a superset of I. Therefore, by Theorem 6.6, I 1 is also an invariant of F, and
Theorem 6.3 follows quite directly from that fact, as I 1 is essentially a restatement
of Theorem 6.3.
6.3. Rule Induction Applied

Recall the technique of rule induction from last chapter. We made stealthy use
of it in the elided proof of Theorem 6.5, and looking more into the details can give
us more practice with rule induction. Consider again the definition of transitive-
reflexive closure by inference rules (which is very close to the definition of transitive
closure from last chapter).
s Ñ s1 s1 Ñ˚ s2
˚
sÑ s s Ñ˚ s2
The relation Ñ˚ is a subset of S ˆ S. Imagine that we want to prove that some
relation P holds of all pairs of states, where the first can reach the second. That
is, we want to prove @s, s1 . ps Ñ˚ s1 q ñ P ps, s1 q, where ñ is logical implication.
Following last chapter’s recipe, we can derive a suitable induction principle. We
modify each defining rule of Ñ˚ , replacing its conclusion with a use of P and adding
a P induction hypothesis for each recursive premise.
s Ñ s1 s1 Ñ˚ s2 P ps1 , s2 q
P ps, sq P ps, s2 q
As before, where the defining rules of Ñ˚ show us how to conclude facts, the two
new rules here are proof obligations. To apply rule induction and establish P for
all reachability pairs, we must prove that each new rule is correct, as a kind of
quantified implication.
As a simpler example than the invariant-induction theorem, consider transitiv-
ity for reachability.
Theorem 6.7. If s Ñ˚ s1 and s1 Ñ˚ s2 , then s Ñ˚ s2 .
Proof. By rule induction on the derivation of s Ñ˚ s1 , taking P ps1 , s2 q to be
that, if s2 “ s1 , then s1 Ñ˚ s2 . We consider variables s1 and s2 fixed throughout
the induction, along with their associated premise s1 Ñ˚ s2 .
Base case: We must show P ps, sq for an arbitrary s. Given that (based on the
definition of P ) we may assume s “ s1 , our premise s1 Ñ˚ s2 precisely matches the
desired conclusion s Ñ˚ s2 .
6.4. AN EXAMPLE WITH A CONCURRENT PROGRAM 35
Induction step: Assume s Ñ s1 , s1 Ñ˚ s1 , and P ps1 , s1 q. We may apply the

second rule defining Ñ˚ , whose two premises become s Ñ s1 and s1 Ñ˚ s2 . The
first is one of the available premises of the induction step. The second follows by
the induction hypothesis about P . □
This sort of proof really is easier to follow in Coq code, so we especially en-
courage the reader to consult the mechanized version here!
6.4. An Example with a Concurrent Program

Imagine that we want to verify a multithreaded, shared-memory program where
multiple threads run this code at once.
f() {
lock();
local = global;
global = local + 1;
unlock();
}
Consider global as a variable shared across all threads, while each thread has
its own version of variable local. The meaning of lock() and unlock() is as
usual, where at most one thread can hold the lock at once, claiming it via lock()
and relinquishing it via unlock(). When variable global is initialized to 0 and
n threads run this code at once and all terminate, we expect that global finishes
with value n. Of course, bugs in this program, like forgetting to include the locking,
could lead to all sorts of wrong answers, with any value between 1 and n possible
with the right demonic thread interleaving. (Here “demonic” refers to consideration
of worst-case behavior, with respect to the desired correctness property.) Encoding
To prove that we got the program right, let’s formalize it as a transition system.
First, our state set:
States P ::“ Lock | Read | Writepnq | Unlock | Done
Compared to the last example, here we see more clearly that kinds of states
correspond to program counters in the imperative code. The first four state kinds
respectively mean that the program counter is right before the matching line in the
program’s code. The last state kind means the program counter is past the end
of the function. Only Write states carry extra information, in this case the value
of variable local. At every other program counter, we can prove that the value
of variable local has no effect on further transitions, so we don’t bother to store
it. We will account for the value of variable global separately, in a way to be
described shortly.
In particular, we will define a transition system for a single thread as L “
xpN ˆ Bq ˆ P, L0 , ÑL y. We define the state to include not only the thread-local
state P but also the value of global (in N) and whether the lock is currently taken
(in B, the Booleans, with values J [true] and K [false]). There is one designated
initial state.
pp0, Kq, Lockq P L0
Four inference rules explain the four transitions between program counters that
a single thread can make, reading and writing shared state as needed.
ppg, Kq, Lockq ÑL ppg, Jq, Readq ppg, ℓq, Readq ÑL ppg, ℓq, Writepgqq
ppg, ℓq, Writepnqq ÑL ppn ` 1, ℓq, Unlockq ppg, ℓq, Unlockq ÑL ppg, Kq, Doneq
Note that these rules will allow a thread to read and write the shared state even
without holding the lock. The rules also allow any thread to unlock the lock, with
no consideration for whether that thread must be the current lock holder. We must
use an invariant-based proof to show that there are, in fact, no lurking violations
of the lock-based concurrency discipline.
Of course, with just a single thread running, there aren’t any interesting viola-
tions! However, we have been careful to describe system L in a generic way, with
its state a pair of shared and private components. We can define a generic notion
of a multithreaded system, with two systems that share some state and maintain
Encoding their own private state.
@ D @ D
Definition 6.8. Let T 1 “ S ˆ P 1 , S0 ˆ P01 , Ñ1 and T 2 “ S ˆ P 2 , S0 ˆ P02 , Ñ2
be two transition systems, with a shared-state type S in common between their
state sets, also agreeing on the initial
@ values S0 for that shared state.D We define the
parallel composition T 1 | T 2 as S ˆ pP 1 ˆ P 2 q, S0 ˆ pP01 ˆ P02 q, Ñ , defining new
transition relation Ñ with the following inference rules, which capture the usual
notion of thread interleaving.
ps, p1 q Ñ1 ps1 , p11 q ps, p2 q Ñ2 ps1 , p12 q

ps, pp1 , p2 qq Ñ ps , pp1 , p2 qq ps, pp1 , p2 qq Ñ ps1 , pp1 , p12 qq
1 1
Note that the operator | is carefully defined so that its output is suitable as
input to a further instance of itself. As a result, while L | L is a transition system
modeling two threads running the code from above, we also have L | pL | Lq as a
three-thread system based on that code, pL | Lq | pL | Lq as a four-thread system
based on that code, etc.
Also note that | constructs transition systems with our first examples of non-
determinism in transition relations. That is, given a particular starting state, there
are multiple different places it may wind up after a given number of execution
steps. In general, with thread-interleaving concurrency, the set of possible final
states grows exponentially in the number of steps, a fact that torments concurrent-
software testers to no end! Rather than consider all possible runs of the program,
we will use an invariant to tame the complexity.
First, we should be clear on what we mean to prove about this program. Let’s
also restrict our attention to the two-thread case for the rest of this section; the
n-thread case is left as an exercise for the reader!
Theorem 6.9. For any reachable state ppg, ℓq, pp1 , p2 qq of L | L, if p1 “ p2 “

Done, then g “ 2.
That is, when both threads terminate, global equals 2.

As a first step toward an invariant, define function C from private states to
numbers, capturing the contribution of a thread with that state, summarizing how
much that thread has added to globals.
#
1 p P tUnlock, Doneu
Cppq “
0 otherwise
6.4. AN EXAMPLE WITH A CONCURRENT PROGRAM 37
Next, we define a function that, given a thread’s private state, determines

whether that thread holds the lock.
#
K p P tLock, Doneu
Hppq “
J otherwise
Now, the main insight: we can reconstruct the shared state uniquely from the
two private states! Function S does exactly that.
Spp1 , p2 q “ pHpp1 q _ Hpp2 q, Cpp1 q ` Cpp2 qq
One last ingredient will help us write the invariant: a predicate Opp, p1 q cap-
turing when, given the state p of one thread, the state p1 is compatible with all of
the implications of p’s state, primarily in terms of mutual exclusion for the lock.
$
&J
’ p P tLock, Doneu
1 1
Opp, p q “ ␣Hpp q p P tRead, Unlocku
’
␣Hpp1 q ^ n “ Cpp1 q p “ Writepnq
%
Finally, we can write the invariant. Invariants

1 2 1 2 2 1 1 2
Ips, pp , p qq “ Opp , p q ^ Opp , p q ^ s “ Spp , p q
As is often the case, defining the invariant is the hard part of the proof, and
the rest follows by the standard methodology that we used for factorial. To recap
that method, first we use Theorem 6.5 to show that I really is an invariant of L | L.
Next, we use Theorem 6.6 to show that I implies the original property of interest,
that finished program states have value 2 for global. Most of the action is in the
first step, where we must work through fussy details of all the different steps that
could happen from a state within the invariant, using arithmetic reasoning in each
case to either derive a contradiction (that step couldn’t happen from this starting
state) or show that a specific new state also belongs to the invariant. We leave
those details to the Coq code, as usual.
The reader may be worried at this point that coming up with invariants can
be rather tedious! In the next chapter, we meet a technique for finding invariants
automatically, in some limited but important circumstances.
CHAPTER 7
Model Checking
Our analyses so far have been tedious for at least two different reasons. First,
we’ve hand-crafted definitions of transition systems, rather than just writing pro-
grams in conventional programming languages. The next chapter will clear that
obstacle, by introducing operational semantics, for building transition systems au-
tomatically from programs. The other inconvenience we’ve faced is defining invari-
ants manually. There isn’t a silver bullet to get us out of this duty, when working
with Turing-complete languages, where almost all interesting questions, this one
included, are undecidable. However, when we can phrase problems in terms of
transition systems with finitely many reachable states, we can construct invariants
automatically by exhaustive exploration of the state space, an approach otherwise
known as model checking. Surprisingly many real programs can be reduced to finite
state spaces, using the techniques introduced in this chapter. First, though, let’s
formalize our intuitions about exhaustive state-space exploration as a sound way
to find invariants.
7.1. Exhaustive Exploration

For an arbitrary binary relation R, we write Rn for the n-times self-composition
of R. Formally, where id is the identity relation that only relates values to them-
selves, we have:
R0 “ id
n`1
R “ R ˝ Rn
For some set S and binary relation R, we also write RpSq for the composition
of R and S, namely tx | Dy P S. y R xu.
Which states of transition system xS, S0 , Ñy are reachable after 0 steps? That
would be precisely the initial states S0 , which we can also write as Ñ0pS0 q.
Which states are reachable after exactly 1 step? That is ÑpS0 q, or Ñ1pS0 q.
How about 2, 3, and 4 steps? There we have Ñ2pS0 q, Ñ3pS0 q, and Ñ4pS0 ).
It follows that the set of states reachable after n steps is:
ď
reachpnq “ ÑipS0 q
iďn
This iteration process is not obviously executable yet, because, a priori, we

seem to need to consider all possible n values, to characterize the state space fully.
However, a crucial property allows us to terminate our search soundly under some
conditions.
Invariants
Theorem 7.1. If reachpn ` 1q “ reachpnq for some n, then reachpnq is an
invariant of the system.
39
40 7. MODEL CHECKING
Here we call reachpnq a fixed point of the transition system, because it is closed
under further exploration. To find a fixed point with a concrete system, we start
with S0 . We repeatedly take the single-step closure corresponding to composition
with Ñ. At each step, we check whether the expanded set is actually equal to the
previous set. If so, our process of multi-step closure has terminated, and we have
an invariant, by construction. Again, keep in mind that multi-step closure will not
terminate for most transition systems, and there is an art to phrasing a problem in
terms of systems where it will terminate.
7.2. Abstracting a Transition System

When analyzing an infinite-state system, it is not necessary to give up hope for
model checking. For instance, consider this program.
int global = 0;
thread() {
int local;
while (true) {
local = global;
global = local + 2;
}
}
If we assume infinite-precision integers, then the state space is infinite. Consid-
ering just the global variable, every even number is reachable, even if we only run a
single thread. However, there is a high degree of regularity across this state space.
In particular, those values really are all even. Consider this other program, which
is hauntingly similar to the last one, in a way that we will make precise shortly.
bool global = true;
thread() {
bool local;
while (true) {
local = global;
global = local;
}
}
We replaced every use of an integer with a Boolean that is true iff the integer
is even. Notice that now the program has a finite state space, and model checking
applies easily! We can formalize such a transformation via the general principle of
abstraction of a transition system.
The key idea is that every state of the concrete system (with relatively many
states) can be associated to one or more states of the abstract system (with rela-
tively few states). We formalize this association via a simulation relation R, and
we define what makes a choice of R sound, via a notion of simulation via a binary
operator ă, subscripted by R.
7.3. MODULAR DECOMPOSITION OF INVARIANT-FINDING 41
p@s P S0 . Ds1 P S01 . s R s1 q p@s, s1 , s1 . s R s1 ^ s Ñ s1 ñ Ds11 . s1 Ñ1 s11 ^ s1 R s11 q

xS, S0 , Ñy ăR xS 1 , S01 , Ñ1 y
The simpler condition is that every concrete initial state must be related to
at least one abstract initial state. The second, more complex condition essentially
says that every step in the concrete world must be matchable by some related step
in the abstract world. A commuting diagram may express the second condition
more clearly.
s Ñ s1
R R
1
DÑ
s1 s11
At an even higher intuitive level, what simulation says is that every execution of
the concrete system may be matched, step for step, by an execution of the abstract
system. The relation R explains the rules for which states match across systems.
For our purposes, the key pay-off from this connection is that we may translate any
invariant of the abstract system into an invariant of the concrete system.
Abstraction
Theorem 7.2. If xS, S0 , Ñy ăR xS 1 , S01 , Ñ1 y, and if I is an invariant of xS 1 , S01 , Ñ1 y,
then R´1 pIq is an invariant of xS, S0 , Ñy.
We can apply this theorem to the two example programs from earlier in the
section, now imagining that we run two parallel-thread copies of each program,
using last chapter’s approach to modeling threads with transition systems. The
concrete system can be represented with thread-local states tReadu Y tWritepnq |
n P Nu and the abstract system with tBReaduYtBWritepbq | b P Bu, for the Booleans
B. We define compatibility between local states.
n even ô b “ true
Read „ BRead Writepnq „ BWritepbq
We also define the overall state simulation relation R, which also covers state
shared by threads.
pn even ô b “ trueq ℓ1 „ ℓ11 ℓ2 „ ℓ12
pn, pℓ1 , ℓ2 qq R pb, pℓ11 , ℓ12 qq
By proving that R is truly a simulation relation, we reduce the problem to find-
ing an invariant for the abstract system, which is easy to do with model checking.
One crucial consequence of abstraction-by-simulation deserves mentioning: We
show that every concrete execution is matched abstractly, but there may also be ad-
ditional abstract executions that don’t match any concrete ones. In model checking
the abstract system, we may do extra work to handle these “useless” paths! If we
do manage to handle them all, then Theorem 7.2 applies perfectly well. However,
we should be careful, in our choices of abstractions, to bias our designs toward those
that don’t introduce extra complexities.
7.3. Modular Decomposition of Invariant-Finding

Many transition systems are straightforward to abstract into others, as single
global steps. Other times, the right way to tame a complex system is to decompose
it into others and analyze them separately for invariants. In such cases, the key
42 7. MODEL CHECKING
is a proof principle to combine the invariants of the component systems into an

invariant of the overall system. We will refer to this style of proof decomposition as
modularity, and this section gives our first example of modularity, for multithreaded
systems.
Imagine that we have a system consisting of n different copies of a transition
system xS, S0 , Ñy running as concurrent threads, modeled in the way introduced in
the previous chapter. It’s not obvious that we can analyze each thread separately,
since, during that thread’s execution, the other threads are constantly interrupting
and modifying global state. To make matters worse, we can only understand their
patterns of state modification by analyzing their thread-local state. The situation
seems inherently unmodular.
However, consider the following construction on transition systems. Given a
transition relation Ñ and an invariant I on the global state shared by all threads,
we define a new transition relation ÑI as follows.
s Ñ s1 Ipg 1 q
s ÑI s1 pg, ℓq ÑI pg 1 , ℓq
The first rule says that any step of the original relation is also a step of the
new relation. However, the second rule adds a new kind of step: the global state
may change arbitrarily, so long as the new value satisfies invariant I. DWe lift this
I @
operation to full transition systems, defining xS, S0 , Ñy “ S, S0 , ÑI .
This construction trivially acts as an abstraction.
Abstraction
Theorem 7.3. S ăid SI , for any system S and property I.
However, we wouldn’t want to make this abstraction step in a proof about a
single thread. We needlessly complicate our model checking by forcing ourselves
to consider all modifications of the global state that obey I. The payoff comes in
analyzing multithreaded systems.
Modularity
Theorem 7.4. Where I is an invariant over only the shared state of a multi-
threaded system, let I 1 “ tpg, ℓq | Ipgqu be the lifting of I to cover full states, local
parts included. If I 1 is an invariant for both SI1 and SI2 , then I 1 is also an invariant
for pS1 | S2 qI .
This theorem gives us a way to analyze the threads in a system separately. As an
example, consider this program, where multiple threads will run f() simultaneously.
int global = 0;
f() {
int local = 0;
while (true) {
local = global;
local = 3 + local;
local = 7 + local;
global = local;
}
}
Call the transition-system encoding of this code S. We can apply the Boolean-
for-evenness abstraction to model a single thread with finite state, but we are
7.3. MODULAR DECOMPOSITION OF INVARIANT-FINDING 43
left needing to account for interference by other threads. However, we can apply
Theorem 7.4 to analyze threads separately.
For instance, we want to show that “global is always even” is an invariant of
S | S. By Theorem 7.3, we can switch to analyzing system pS | SqI , where I is the
evenness invariant. By Theorem 7.4, we can switch to proving the same invariant
separately for systems SI and SI , which are, of course, the same system in this case.
We apply the Boolean-for-evenness abstraction to this system, to get one with a
finite state space, so we can check the invariant automatically by model checking.
Following the chain of reasoning backward, we have proved the invariant for S | S.
Even better, that last proof includes the hardest steps that carry over to the
proof for an arbitrary number of threads. Define an exponentially growing system
of threads Sn by:
S0 “ S
n`1
S “ Sn | Sn
Theorem 7.5. For any n, it is an invariant of Sn that the global variable is
always even.
Proof. By induction on n, repeatedly using Theorem 7.4 to push the obli-
gation down to the leaves of the tree of concurrent compositions, after applying
Theorem 7.3 at the start to introduce the use of . . .I . Every leaf is the same system
S, for which we abstract and apply model checking, appealing to the step above
where we ran the same analysis. □
CHAPTER 8
Operational Semantics
It gets tedious to define a relation from first principles, to explain the behaviors
of any concrete program. We do more things with programs than just reason
about them. For instance, we compile them into other languages. To get the most
mileage out of our correctness proofs, we should connect them to the same program
syntax that we pass to compilers. Operational semantics is a family of techniques
for automatically defining a transition system, or other relational characterization,
from program syntax.
Throughout this chapter, we will demonstrate the different operational-semantics
techniques on a single source language, defined like so.
Numbers n P N
Expressions e ::“ n|x|eè|eé|eê
Commands c ::“ skip | x Ð e | c; c | if e then c else c | while e do c
8.1. Big-Step Semantics

Big-step operational semantics explains what it means to run a program to
completion. For our example language, we define a relation written pv, cq ó v 1 , for
“command c, run with variable valuation v, terminates, modifying the valuation to
v 1 .”
This relation is fairly straightforward to define with inference rules. Encoding
pv, c1 q ó v1 pv1 , c2 q ó v2
pv, skipq ó v pv, x Ð eq ó vrx ÞÑ JeKvs pv, c1 ; c2 q ó v2
JeKv ‰ 0 pv, c1 q ó v 1 JeKv “ 0 pv, c2 q ó v 1
pv, if e then c1 else c2 q ó v pv, if e then c1 else c2 q ó v 1
1
JeKv ‰ 0 pv, c1 q ó v1 pv1 , while e do c1 q ó v2 JeKv “ 0

pv, while e do c1 q ó v2 pv, while e do c1 q ó v
Notice how the definition is quite similar to a recursive interpreter written in a
high-level programming language, though we write with the language of relations
instead of functional programming. For instance, consider the simple case of the
rule for sequencing, “;”. We first “call the interpreter” on the first subcommand c1
with the original valuation v. The result of the “recursive call” is a new valuation
v1 , which we then feed into another “recursive call” on c2 , whose result becomes
the overall result.
Why write this interpreter relationally instead of as a functional program?
The most relevant answer applies to situations like ours as users of Coq or even
of informal mathematics, where we must be very careful that all of our recursive
definitions are well-founded. The recursive version of this relation is clearly not
45
46 8. OPERATIONAL SEMANTICS
well-founded, as it would run forever on a nonterminating while loop. It is also

easier to incorporate nondeterminism in the relational style, a possibility that we
will return to at the end of the chapter.
The big-step semantics is easy to apply to concrete programs. For instance,
define factorial as the program output Ð 1; while input do poutput Ð output ˆ
input; input Ð input ´ 1q.
Theorem 8.1. There exists v such that p‚rinput ÞÑ 2s, factorialq ó v and
vpoutputq “ 2.
Proof. By repeated application of the big-step inference rules. □
We can even prove that factorial behaves correctly on all inputs, by way of
a lemma about factorial loop defined as while input do poutput Ð output ˆ
input; input Ð input ´ 1q.
Lemma 8.2. If vpinputq “ n and vpoutputq “ o, then there exists v 1 such that
pv, factorial loopq ó v 1 and v 1 poutputq “ n! ˆ o.
Proof. By induction on n. □
Lemma 8.3. If vpinputq “ n, then there exists v such that pv, factorialq ó v 1
1
and v 1 poutputq “ n!.

Proof. Largely by direct appeal to Lemma 8.2. □
Most of our program proofs in this book establish safety properties, or invariants
of transition systems. However, these last two examples with big-step semantics
also establish program termination, taking us a few steps into the world of liveness
properties.
8.2. Small-Step Semantics

Often it is convenient to break a system’s execution into small sequential steps,
rather than executing a whole program in one go. Perhaps the most compelling
example comes from concurrency, where it is difficult to give a big-step semantics
directly. Nonterminating programs are the other standard example. We want to
be able to establish invariants for those programs, all the same, and we need a
semantics to help us state what it means to be an invariant.
The canonical solution is small-step operational semantics, probably the most
common approach to formal program semantics in contemporary research. Now
we define a single-step relation pv, cq Ñ pv 1 , c1 q, meaning that one execution step
transforms the first state into the second state. Each state is a valuation v and a
current command c.
Encoding These inference rules give the details.
pv, c1 q Ñ pv 1 , c11 q
pv, x Ð eq Ñ pvrx ÞÑ JeKvs, skipq pv, c1 ; c2 q Ñ pv 1 , c11 ; c2 q pv, skip; c2 q Ñ pv, c2 q
JeKv ‰ 0 JeKv “ 0
pv, if e then c1 else c2 q Ñ pv, c1 q pv, if e then c1 else c2 q Ñ pv, c2 q
pv, while e do c1 q Ñ pv, c1 ; while e do c1 q pv, while e do c1 q Ñ pv, skipq
The intuition behind the rules may come best from working out an example.
8.2. SMALL-STEP SEMANTICS 47
Theorem 8.4. There exists a valuation v such that p‚rinput ÞÑ 2s, factorialq Ñ˚
pv, skipq and vpoutputq “ 2.
Proof. Here is a step-by-step (literally!) derivation that finds v.
p‚rinput ÞÑ 2s, output Ð 1; factorial loopq

Ñ p‚rinput ÞÑ 2sroutput ÞÑ 1s, skip; factorial loopq
Ñ p‚rinput ÞÑ 2sroutput ÞÑ 1s, factorial loopq
Ñ p‚rinput ÞÑ 2sroutput ÞÑ 1s, poutput Ð output ˆ input; input Ð input ´ 1q; factorial loopq
Ñ p‚rinput ÞÑ 2sroutput ÞÑ 2s, pskip; input Ð input ´ 1q; factorial loopq
Ñ p‚rinput ÞÑ 2sroutput ÞÑ 2s, input Ð input ´ 1; factorial loopq
Ñ p‚rinput ÞÑ 1sroutput ÞÑ 2s, poutput Ð output ˆ input; input Ð input ´ 1q; factorial loopq
Ñ p‚rinput ÞÑ 1sroutput ÞÑ 2s, pskip; input Ð input ´ 1q; factorial loopq
Ñ p‚rinput ÞÑ 1sroutput ÞÑ 2s, input Ð input ´ 1; factorial loopq
Ñ p‚rinput ÞÑ 0sroutput ÞÑ 2s, skipq
Clearly the final valuation assigns output to 2. □
8.2.1. Equivalence of Big-Step and Small-Step. Different theorems are

easier to prove with different semantics, so it is helpful to establish formally the
intuitive connection between big and small steps.
Lemma 8.5. If pv, c1 q Ñ˚ pv 1 , c11 q, then pv, c1 ; c2 q Ñ˚ pv 1 , c11 ; c2 q,
Proof. By induction on the derivation of pv, c1 q Ñ˚ pv 1 , c11 q. □
Theorem 8.6. If pv, cq ó v 1 , then pv, cq Ñ˚ pv 1 , skipq.
Proof. By induction on the derivation of pv, cq ó v 1 , appealing to the last

lemma at two points. □
Lemma 8.7. If pv, cq Ñ pv 1 , c1 q and pv 1 , c1 q ó v 2 , then pv, cq ó v 2 . In other

words, we can add a small step to the beginning of any big-step derivation.
Proof. By induction on the derivation of pv, cq Ñ pv 1 , c1 q. □
Lemma 8.8. If pv, cq Ñ˚ pv 1 , c1 q and pv 1 , c1 q ó v 2 , then pv, cq ó v 2 . In other

words, we can add any number of small steps to the beginning of any big-step deriva-
tion.
Proof. By induction on the derivation of pv, cq Ñ˚ pv 1 , c1 q, appealing to the

last lemma. □
Theorem 8.9. If pv, cq Ñ˚ pv 1 , skipq, then pv, cq ó v 1 .
Proof. Largely by appeal to the last lemma, considering that pv 1 , skipq ó

1
v. □
8.2.2. Transition Systems from Small-Step Semantics. The small-step

semantics is a natural fit with our working definition of transition systems. We can
define a transition system from any valuation and command, where V is the set of
valuations and C the set of commands, by Tpv, cq “ xV ˆ C, tpv, cqu, Ñy. Now we
bring to bear all of our machinery about invariants and their proof methods.
For instance, consider program P “ while n do a Ð a ` n; n Ð n ´ 2. Invariants
Theorem 8.10. Given even n, for Tp‚rn ÞÑ nsra ÞÑ 0s, P q, it is an invariant
that the valuation maps variable a to an even number.
Proof. First, we strengthen the invariant. We compute the set P of all com-
mands that can be reached from P by stepping the small-step semantics. This
set is finite, even though the set of reachable valuations is infinite, considering
all potential n values. Our strengthened invariant is Ipv, cq “ c P P ^ pDn. vpnq “
nêvenpnqq^pDa. vpaq “ aêvenpaqq. In other words, we strengthen by adding the
constraints that (1) we do not stray from the expected set of reachable commands
and (2) variable n also remains even.
The strengthened invariant is straightforward to prove by invariant induction,
using repeated inversion on Ñ facts. □
8.3. Contextual Small-Step Semantics

The reader may have noticed some tedium in certain rules of the small-step
semantics, like this one.
pv, c1 q Ñ pv 1 , c11 q
pv, c1 ; c2 q Ñ pv 1 , c11 ; c2 q
This rule is an example of a congruence rule, which shows how to take a step and lift
it into a step within a larger command, whose other subcommands are unaffected.
Complex languages can require many congruence rules, and yet we feel like we
should be able to avoid repeating all this boilerplate logic somehow. A common
way to do so is switching to contextual small-step semantics.
We illustrate with our running example language. The first step is to define
a set of evaluation contexts, which formalize the spots within a larger command
Encoding where steps are enabled.
Evaluation contexts C ::“ l | C; c
We define the operator of plugging an evaluation context in the natural way.
lrcs “ c
pC; c2 qrcs “ Crcs; c2
For this language, the only interesting case of evaluation contexts is the one
that allows us to descend into the left subcommand, because the old congruence rule
invoked the step relation recursively for that position.
The next ingredient is a reduced set of basic step rules, where we have dropped
the congruence rule.
pv, x Ð eq Ñ0 pvrx ÞÑ JeKvs, skipq pv, skip; c2 q Ñ0 pv, c2 q

pv, if e then c1 else c2 q Ñ0 pv, c1 q pv, if e then c1 else c2 q Ñ0 pv, c2 q
8.3. CONTEXTUAL SMALL-STEP SEMANTICS 49
pv, while e do c1 q Ñ0 pv, c1 ; while e do c1 q pv, while e do c1 q Ñ0 pv, skipq
We regain the full coverage of the original rules with a new relation Ñc , saying
that we may apply Ñ0 at the active subcommand within a larger command.
pv, cq Ñ0 pv 1 , c1 q
pv, Crcsq Ñc pv 1 , Crc1 sq
Let’s revisit last section’s example, to see contextual semantics in action, es-
pecially to demonstrate how to express an arbitrary command as an evaluation
context plugged with another command.
Theorem 8.11. There exists valuation v such that p‚rinput ÞÑ 2s, factorialq Ñ˚c
pv, skipq and vpoutputq “ 2.
Proof.
p‚rinput ÞÑ 2s, output Ð 1; factorial loopq
“ p‚rinput ÞÑ 2s, pl; factorial loopqroutput Ð 1sq
Ñc p‚rinput ÞÑ 2sroutput ÞÑ 1s, skip; factorial loopq
“ p‚rinput ÞÑ 2sroutput ÞÑ 1s, lrskip; factorial loopsq
Ñc p‚rinput ÞÑ 2sroutput ÞÑ 1s, factorial loopq
“ p‚rinput ÞÑ 2sroutput ÞÑ 1s, lrfactorial loopsq
Ñc p‚rinput ÞÑ 2sroutput ÞÑ 1s, poutput Ð output ˆ input; input Ð input ´ 1q; factorial loopq
“ p‚rinput ÞÑ 2sroutput ÞÑ 1s, ppl; input Ð input ´ 1q; factorial loopqroutput Ð output ˆ inputsq
Ñc p‚rinput ÞÑ 2sroutput ÞÑ 2s, pskip; input Ð input ´ 1q; factorial loopq
“ p‚rinput ÞÑ 2sroutput ÞÑ 2s, pl; factorial loopqrskip; input Ð input ´ 1qs
Ñc p‚rinput ÞÑ 2sroutput ÞÑ 2s, input Ð input ´ 1; factorial loopq
“ p‚rinput ÞÑ 2sroutput ÞÑ 2s, pl; factorial loopqrinput Ð input ´ 1sq
Ñc p‚rinput ÞÑ 1sroutput ÞÑ 2s, skip; factorial loopq
“ p‚rinput ÞÑ 1sroutput ÞÑ 2s, lrskip; factorial loopsq
Ñ˚c . . .
Ñc p‚rinput ÞÑ 0sroutput ÞÑ 2s, skipq
Clearly the final valuation assigns output to 2. □
8.3.1. Equivalence of Small-Step, With and Without Evaluation Con-
texts. This new semantics formulation is equivalent to the other two, as we estab-
lish now.
Theorem 8.12. If pv, cq Ñ pv 1 , c1 q, then pv, cq Ñc pv 1 , c1 q.
Proof. By induction on the derivation of pv, cq Ñ pv 1 , c1 q. □
Lemma 8.13. If pv, cq Ñ0 pv 1 , c1 q, then pv, cq Ñ pv 1 , c1 q.
Proof. By cases on the derivation of pv, cq Ñ0 pv 1 , c1 q. □
Lemma 8.14. If pv, cq Ñ0 pv 1 , c1 q, then pv, Crcsq Ñ pv 1 , Crc1 sq.
Proof. By induction on the structure of evaluation context C, appealing to
the last lemma. □
Theorem 8.15. If pv, cq Ñc pv 1 , c1 q, then pv, cq Ñ pv 1 , c1 q.
Proof. By inversion on the derivation of pv, cq Ñc pv 1 , c1 q, followed by an
appeal to the last lemma. □
8.3.2. Evaluation Contexts Pay Off: Adding Concurrency. To show-

case the convenience of contextual semantics, let’s extend our example language
with a simple construct for running two commands in parallel, implicitly extending
the definition of plugging accordingly.
Commands c ::“ . . . | c||c
To capture the idea that either command in a parallel construct is allowed to
Encoding step next, we extend evaluation contexts like so:
Evaluation contexts C ::“ . . . | C||c | c||C
We need one more basic step rule, to “garbage-collect” threads that have fin-
ished.
pv, skip||cq Ñ0 pv, cq
And that’s it! The new system faithfully captures our usual idea of threads
executing in parallel. All of the theorems proved previously about contextual steps
continue to hold. In fact, in the accompanying Coq code, literally the same proof
scripts establish the new versions of the theorems, with no new human proof effort.
It’s not often that concurrency comes for free in a rigorous proof!
8.4. Determinism
Our last extension with parallelism introduced intentional nondeterminism in
the semantics: a single starting state can step to multiple different next states.
However, the three semantics for the original language are deterministic, and we
can prove it.
Theorem 8.16. If pv, cq ó v1 and pv, cq ó v2 , then v1 “ v2 .
Proof. By induction on the derivation of pv, cq ó v1 and inversion on the
derivation of pv, cq ó v2 . □
Theorem 8.17. If pv, cq Ñ pv1 , c1 q and pv, cq Ñ pv2 , c2 q, then v1 “ v2 and
c1 “ c2 .
Proof. By induction on the derivation of pv, cq Ñ pv1 , c1 q and inversion on
the derivation of pv, cq Ñ pv2 , c2 q. □
Theorem 8.18. If pv, cq Ñc pv1 , c1 q and pv, cq Ñc pv2 , c2 q, then v1 “ v2 and
c1 “ c2 .
Proof. Follows from the last theorem and the equivalence we proved between
Ñ and Ñc . □
We’ll stop, for now, in our tour of useful properties of operational semantics. All
of the rest of the book is based on small-step semantics, with or without evaluation
contexts. As we study new kinds of programming languages, we will see how
to model them operationally. Almost every new proof technique is phrased as
an approach to establishing invariants of transition systems based on small-step
semantics.
CHAPTER 9
Abstract Interpretation and Dataflow Analysis
The last two chapters showed us both how to build a transition system from a
program automatically and how to find an invariant for a transition system auto-
matically. Let’s now combine these ideas to find invariants for programs automat-
ically, in a particular way associated with the technique of dataflow analysis used
to drive many compiler optimizations. Throughout, we’ll stick with the example
of the small imperative language whose semantics we studied in the last chapter.
We’ll confine our attention to its basic small-step semantics via the Ñ relation.
Model checking builds up increasingly larger finite sets of reachable states in
a system. A state pv, cq of our imperative language combines control state c (the
next command to execute) with data state v (the values of the variables), and so
model checking will find invariants that restrict both components. We say that
model checking is path-sensitive because its invariants can distinguish between the
different data states that can be associated with the same control state, reached
along different paths in the program’s executions. Path-sensitive analyses tend
to be much more computationally expensive than path-insensitive analyses, whose
invariants collapse together all ways of reaching the same control state. Dataflow
analysis is one such path-insensitive approach, and its underlying theory is abstract
interpretation.
9.1. Definition of an Abstract Interpretation

An abstract interpretation is a particular sort of abstraction, of the kind we
met in studying model checking. In that more general setting, we can represent
concrete states with any sorts of abstract states. In abstract interpretation, we
most commonly associate each variable with an independent abstract description.
One example, which we’ll formalize in more detail shortly, would be to label each
variable as “even,” “odd,” or “either.”
Definition 9.1.@ An abstract interpretation
D (for our example imperative lan-
guage) is a tuple D, J, C, `,ˆ ´,
ˆ ˆ,
ˆ \, „ , where D is a set (the domain of the
analysis); J P D; C : N Ñ D; `,ˆ ´,
ˆ ˆ,ˆ \ : D ˆ D Ñ D; and „ Ď N ˆ D. The idea is
that:
‚ Abstract versions of numbers are D values.
‚ J (“top”) is the least specific abstract value, representing any concrete
value.
‚ C maps any constant to its most precise abstraction.
ˆ ´,
‚ `, ˆ and ˆ ˆ push abstraction through arithmetic operators, calculating
their most precise abstractions.
‚ \ (“join”) computes the least upper bound of two abstract values: the
most specific value that represents any value associated with either input.
51
52 9. ABSTRACT INTERPRETATION AND DATAFLOW ANALYSIS
‚ „ formalizes the idea of which concrete values are covered by which ab-
stract values.
For a, b P D, define a Ď b to mean @n P N. pn „ aq ñ pn „ bq. That is, b
is at least as general as a. An abstract interpretation must satisfy the following
algebraic laws:
‚ @a P D. a Ď J
‚ @n P N. n „ Cpnq
‚ @n, m P N. @a, b P D. n „ a ^ m „ b ñ pn ` mq „ pa`bqˆ
‚ @n, m P N. @a, b P D. n „ a ^ m „ b ñ pn ´ mq „ pa´bqˆ
‚ @n, m P N. @a, b P D. n „ a ^ m „ b ñ pn ˆ mq „ paˆbqˆ
ˆ Ď pa1 `b
‚ @a, b, a1 , b1 P D. a Ď a1 ^ b Ď b1 ñ pa`bq ˆ 1q
ˆ Ď pa1 ´b
‚ @a, b, a1 , b1 P D. a Ď a1 ^ b Ď b1 ñ pa´bq ˆ 1q
1 1 1 1
‚ @a, b, a , b P D. a Ď a ^ b Ď b ñ paˆbq ˆ Ď pa ˆb
1 ˆ 1q
‚ @a, b P D. a Ď pa \ bq
‚ @a, b P D. b Ď pa \ bq
As an example, consider this formalization of even-odd analysis, whose proof of
soundness is left as an exercise for the reader. (While the treatment of subtraction
may seem gratuitously imprecise, recall that we are working here with natural
numbers and not integers, such that subtraction “sticks” at zero when the result
would otherwise be negative.)
D “ tE, O, Ju
Cpnq “ E or O, depending on parity of n
E`ˆ E “ E
ˆ
EÒ “ O
ˆ E “ O
O`
ˆ O “ E
O`
`ˆ “ J
ˆ
EÉ “ E
ˆ O
O´ “ E
´ˆ “ J
ˆ
Eˆ “ E
ˆ E
ˆ “ E
ˆ O
Oˆ “ O
ˆˆ “ J
E\E “ E
O\O “ O
\ “ J
n„E “ n is even
n„O “ n is odd
n„J “ always
We generally think of an abstract interpretation as forming a lattice (actually
a semilattice), which is roughly the algebraic structure characterized by operations
9.2. FLOW-INSENSITIVE ANALYSIS 53
like \, when \ truly returns the most specific or least upper bound of its two
arguments. We visualize the even-odd lattice like so.
J
E O
The idea is that taking the join of two elements moves us up the lattice to their
lowest common ancestor.
An edge going up from a to b indicates that a Ď b. As another example,
consider a lattice tracking prime factors of numbers, up to 5. Then the picture
version might go like so:
tu
t2u t5u
t3u
t2, 3u t3, 5u
t2, 5u
t2, 3, 5u
Since Ď is clearly transitive, upward-moving paths across multiple nodes also
imply Ď relationships between their endpoints. It’s worth verifying quickly that
any two nodes in this graph have a unique lowest common ancestor, which is the
proper result of the \ operation on those nodes.
Another worthwhile exercise for the reader is to work out the proper definitions
ˆ ´,
of `, ˆ and ˆ ˆ for this domain.
9.2. Flow-Insensitive Analysis

We now give our first recipe for building a program abstraction from an abstract
interpretation. We apply a flow-insensitive abstraction, which means we find an
invariant that doesn’t depend at all on the control part c of a full state pv, cq.
Alternatively, the invariant depends only on the data part v. Concretely, with
V the set of variables, we work with states s P V Ñ D, taking the domain D of
our chosen abstract interpretation. An abstract state s for a concrete valuation v
assigns to each x an abstract value spxq such that vpxq „ spxq. We overload the
operator „ to denote this compatibility via v „ s.
As a preliminary, we define the abstract interpretation of an expression like so:
rnss “ Cpnq
rxss “ spxq
re1 ` e2 ss “ ˆ 2 ss
re1 ss`re
re1 ´ e2 ss “ ˆ 2 ss
re1 ss´re
re1 ˆ e2 ss “ ˆ 2 ss
re1 ssˆre
Theorem 9.2. If v „ s, then JeKv „ ress.
Next, we model the possible effects of commands. We already said that our
flow-insensitive analysis will forget about control flow in a command, but what
does that mean formally? States of this language, without control flow taken into
account, are just variable valuations, and the only way a command can affect a
valuation is through executing assignments. Therefore, forgetting the control flow
of a command amounts to just recording which assignments it contains syntactically,
losing all context about which Boolean tests would need to pass to reach each
assignment. This simple syntactic extraction process can be formalized with an
assignments-of function A for commands.
Apskipq “ tu
Apx Ð eq “ tpx, equ
Apc1 ; c2 q “ Apc1 q Y Apc2 q
Apif e then c1 else c2 q “ Apc1 q Y Apc2 q
Apwhile e do c1 q “ Apc1 q
As a final preliminary ingredient, for abstract states s1 and s2 , define s1 \ s2
by ps1 \ s2 qpxq “ s1 pxq \ s2 pxq.
Now we define the flow-insensitive step relation, over abstract states alone, as:
px, eq P Apcq
s ÑcFI s s ÑcFI s \ srx ÞÑ resss
We can establish formally how forgetting about the order of assignments is a
valid abstraction technique.
Abstraction
Theorem 9.3. Given command c, initial valuation v, and initial abstract state
s such that v „ s. The transition system with initial state s and step relation ÑcFI
simulates the system with initial state pv, cq and step relation Ñ, according to a
simulation relation enforcing „ between the valuation and abstract state.
Now a simple procedure can find an invariant for the abstracted system. In
particular:
(1) Initialize s with the
Ůabstract state from the theorem statement.
(2) Compute s1 “ s \ px,eqPApcq srx ÞÑ resss.
(3) If s1 Ď s, then we’re done; s is the invariant.
(4) Otherwise, assign s “ s1 and return to 2.
Every step in this outline is computable, since the abstract states will always
be finite maps.
Invariants
Theorem 9.4. If the outline above terminates, then it is an invariant of the
flow-insensitive abstracted system that s (its final value from the loop above) is an
upper bound for every reachable state. That is, for every reachable s1 , s1 Ď s.
To check a concrete program, we first abstract it to a flow-insensitive version
with Theorem 9.3, then we find a guaranteed invariant with Theorem 9.4. One
wrinkle here is that it is not obvious that our informal loop above always terminates.
However, it always terminates if our abstract domain has finite height, meaning that
there is no infinite ascending chain of distinct elements ai such that ai Ď ai`1 for all
i. Our even-odd example trivially has that property, since it contains only finitely
many distinct elements.
9.3. FLOW-SENSITIVE ANALYSIS 55
It is worth emphasizing that, when those conditions are met, our invariant-
finding procedure is guaranteed to terminate, even though the underlying language
is Turing-complete, so that most interesting analysis problems are uncomputable!
The catch is that it is always possible that the invariant found is a trivial one,
where the abstract state maps every variable to J.
Here is an example of a program where flow-insensitive even-odd analysis gives
the most precise answer (relative to its simplifying assumption that we must assign
the same description to a variable at every step of execution).
n Ð 10; x Ð 0; while n ą 0 do x Ð x ` 2 ˆ n; n Ð n ´ 1
The abstract state we wind up with is ‚rn ÞÑ Jsrx ÞÑ Es.
9.3. Flow-Sensitive Analysis

We can only go so far with flow-insensitive invariants, which don’t let us record
different facts about the variables for different lines of the program code. Such an
analysis will get tripped up even by straightline code where parities of variables
change as we go. Here is a trivial example program where the flow-insensitive
analysis returns the useless answer ‚rx ÞÑ Js, when the most precise answer (about
program state after execution) would be ‚rx ÞÑ Os.
x Ð 0; x Ð 1
The solution to this problem can be to go to flow-sensitive analysis, where an
abstract state S is a finite map from commands (all the intermediate “program
counters” of an original command) to the abstract states of the previous section.
We define a function Sps, c, f q to compute all of the states of the form ps1 , c1 q
reachable in a single step from ps, cq. Actually, for each ps1 , c1 q covered by that
informal description, this function returns a map from keys f pc1 q to values s1 . The
idea is that function f wraps the step in any additional command context that isn’t
participating directly in this step. See how f is modified in the sequencing case
below, for something of an intuition for its purpose.
Sps, skip, f q “ ‚
Sps, x Ð e, f q “ ‚rf pskipq ÞÑ srx ÞÑ ressss
Sps, skip; c2 , f q “ ‚rf pc2 q ÞÑ ss
Sps, c1 ; c2 , f q “ Sps, c1 , λc. f pc; c2 qq
Sps, if e then c1 else c2 , f q “ ‚rf pc1 q ÞÑ ssrf pc2 q ÞÑ ss
Sps, while e do c1 , f q “ ‚rf pskipq ÞÑ ssrf pc1 ; while e do c1 q ÞÑ ss
Note that the last two cases, for conditional control flow, ignore the test ex-
pression entirely, which is certainly sound, though it may lead to imprecision in
the analysis. This approximation is known as path insensitivity. Define Sps, cq as
shorthand for Sps, c, λc1 . c1 q.
Now we can define a new abstract step relation.
Sps, cqpc1 q “ s1
ps, cq ÑFS ps1 , c1 q
That is, we step from ps, cq to ps1 , c1 q precisely when, if we look up c1 in the
result of running c abstractly in s, we find s1 .
Now we can follow an analogous path to the one we did in the last section.
Abstraction
Theorem 9.5. Given command c and initial valuation v. The transition system
with initial state ps, cq and step relation ÑFS simulates the system with initial state
pv, cq and step relation Ñ, according to a simulation relation enforcing equality of
the commands, as well as „ between the valuation and abstract state.
Now another simple procedure can find an invariant for the abstracted system.
We write S \ S 1 for joining of two flow-sensitive abstract states. When c is in the
domain of exactly one of S or S 1 , S \ S 1 agrees with the corresponding mapping.
When c is in neither domain, it isn’t in the domain of S \ S 1 either. Finally, when
c is in both domains, we have pS \ S 1 qpcq “ Spcq \ S 1 pcq.
Also define S Ď S 1 to mean that, whenever Spcq “ s, there exists s1 such that
S pcq “ s1 and s Ď s1 .
1
Now our procedure works as follows.

(1) Initialize S “ ‚rc ÞÑŮλx. Js.
(2) Compute S 1 “ S \ Spcq“s Sps, cq.
(3) If S 1 Ď S, then we’re done; S is the invariant.
(4) Otherwise, assign S “ S 1 and return to 2.
Again, every step in this outline is computable, for the same reason as in the
prior section.
Invariants
Theorem 9.6. If the outline above terminates, then it is an invariant of the
flow-sensitive abstracted system that, for reachable ps, cq, we have Spcq “ s1 for
some s1 with s Ď s1 .
Again, the last two theorems together give us a recipe for computing an in-
variant automatically, when the loop terminates. The flow-sensitive procedure is
guaranteed to give an invariant at least as strong as what the flow-insensitive pro-
cedure would come up with, and often it’s much stronger. However, flow-sensitive
analysis is often much more computationally expensive (in time and memory), so
there is a trade-off.
9.4. Widening
Consider an abstract interpretation of intervals, where each elements of the
domain is either ra, bs or ra, 8q, for a, b P N. Restricting our attention to a and
b values between 0 and 1 for illustration purposes, we have this diagram of the
domain, where the bottom element represents an empty set.
r0, 8q
r0, 1s r1, 8q
r0, 0s r1, 1s
r1, 0s
The abstract operators have intuitive and simple definitions, like, flattening the
different kinds of intervals into a common notation, defining pa1 , b1 q \ pa2 , b2 q “
9.4. WIDENING 57
ˆ 2 , b2 q “ pa1 ` a2 , b1 ` b2 q, with usual con-

pminpa1 , a2 q, maxpb1 , b2 qq and pa1 , b1 q`pa
ventions about what it means to do arithmetic with 8.
Again, the lattice diagram above was simplified to cover only 0 and 1 as legal
constant values. We can define the interval lattice to draw from the full, infinite
set of natural numbers. In that case, we can quickly run into trouble with abstract
interpretation. For instance, consider this infinite-looping program:
a Ð 7; while a do a Ð a ` 3
One (flow-insensitive) invariant is that a ě 7, represented as the abstract state
‚ra ÞÑ r7, 8qs. However, even the flow-sensitive analysis will keep growing the
range of a, as it traverses the loop over and over! We see a initialized to r7, 7s, then
grown to r7, 10s after one loop iteration, then to r7, 13s after another, and so on
indefinitely.
Notice that we wrote before that termination is guaranteed when the lattice
has finite height, which we have just demonstrated is not true for general intervals,
as our example program generates an infinite ascending chain of distinct intervals.
The canonical solution to this problem is to employ a widening operator ▽.
This operator has the same soundness requirements as \, but we do not require
that it gives the least upper bound of its two operands. It merely needs to give
some upper bound. In fact, we don’t want it to give least upper bounds; we want
it to skip ahead in that ordering as necessary to promote termination. In general,
we don’t want to replace all uses of \ with ▽, though it is sound to do so. We
might apply ▽ in place of \ only for commands that are the beginnings of loops, for
instance, to guarantee that no infinite path in the program avoids infinitely many
encounters with ▽ to tame infinite ascending chains.
For intervals, when we are working with programs that we fear will keep in-
creasing variables indefinitely through loops, a simple form of widening is defined
as follows. Set pa1 , b1 q▽pa2 , b2 q “ pa1 , b1 q \ pa2 , b2 q when b2 ď b1 , that is, when the
upper bound of the interval hasn’t increased since the last iteration. Otherwise, set
pa1 , b1 q▽pa2 , b2 q “ pminpa1 , a2 q, 8q. In other words, when an interval expands to
include higher values, fast-forward its upper bound to 8.
With this modification, analysis of our tricky example successfully finds the
invariant a ě 7. In fact, flow-insensitive and flow-sensitive interval analysis with
this widening operator applied at loop starts are guaranteed to terminate, for any
input programs.
CHAPTER 10
Compiler Correctness via Simulation Arguments
A good application of operational semantics is correctness of compiler trans-

formations. A compiler is composed of a series of phases, each of which translates
programs in some source language into some target language. Usually, in most
phases of a compiler, the source and target languages are the same, and such
phases are often viewed as optimizations, which tend to improve performance of
most programs in practice. The verification problem is plenty hard enough when
the source and target languages are the same, so we will confine our attention in
this chapter to a single language. It’s almost the same as the imperative language
from the last two chapters, but we add one new syntactic construction, underlined
below.
Numbers n P N
Expressions e ::“ n|x|eè|eé|eê
Commands c ::“ skip | x Ð e | c; c | if e then c else c | while e do c | outpeq
A command outpeq outputs the value of expression e, say by writing it to a
terminal window. What’s interesting about adding output is that now different
nonterminating programs have interestingly different behavior : they may produce
different output sequences, finite or infinite. Any compiler phase should leave out-
put behavior intact. It’s worth noticing that our workhorse technique of invariants
can’t help us here directly. Output equivalence can only be judged by watching
full runs of programs. A nonterminating program that has behaved itself up to
some point, satisfying the invariant of our choice, may still fail to follow through
later on. While invariants are complete for safety properties, here we have our first
systematic study of a class of liveness properties. We must also delve into establish-
ing relational properties of programs, meaning that we reason about connections
between executions of two different programs. In our case, such a pair will include
the program fed as input into a phase, plus the program that the phase generates.
To get started phrasing the correctness condition formally, we need to modify
our operational semantics to track output. We do so by adopting a labeled transition
system, where step arrows are annotated with labels that explain interactions with
the world. For this language, the only interaction kind is an output, which we will
write as a number. We also have silent labels ϵ, for when no output takes place. For
completeness, here are the full rules of the extended language, where the definitions
of contexts and plugging are inherited unchanged.
JeKv
pv, outpeqq Ñ0 pv, skipq
ϵ ϵ
pv, x Ð eq Ñ0 pvrx ÞÑ JeKvs, skipq pv, skip; c2 q Ñ0 pv, c2 q
59
60 10. COMPILER CORRECTNESS VIA SIMULATION ARGUMENTS
ϵ ϵ
pv, if e then c1 else c2 q Ñ0 pv, c1 q pv, if e then c1 else c2 q Ñ0 pv, c2 q
ϵ ϵ
pv, while e do c1 q Ñ0 pv, c1 ; while e do c1 q pv, while e do c1 q Ñ0 pv, skipq
ℓ
pv, cq Ñ0 pv 1 , c1 q
ℓ
pv, Crcsq Ñc pv 1 , Crc1 sq
To reason about infinite executions, we need a new abstraction, compared to
what has worked in our invariant-based proofs so far. That abstraction will be
traces, sequences of outputs (and termination events) that a program might be
observed to generate. We define a command’s trace set inductively. Recall that ¨
is the empty list, while ’ does list concatenation.
ϵ n
s Ñc s1 t P Trps1 q s Ñc s1 t P Trps1 q
¨ P Trpsq terminate P Trppv, skipqq t P Trpsq outpnq ’ t P Trpsq
Notice that a trace is allowed to end at any point, even if the program under
inspection hasn’t terminated yet. Also, since our language is deterministic, for any
two traces of one command, one trace is a prefix of the other. Many parts of the
machinery we develop here will, however, work well for nondeterministic systems,
as we will see with labeled transition systems for concurrency in Chapter 21.
Definition 10.1 (Trace inclusion). For commands c1 and c2 , let c1 ĺ c2 iff
Trpc1 q Ď Trpc2 q.
Definition 10.2 (Trace equivalence). For commands c1 and c2 , let c1 » c2 iff
Trpc1 q “ Trpc2 q.
We will enforce that a correct compiler phase respects trace equivalence. That
is, the output program has the same traces as the input program. For nondeter-
ministic languages, subtler conditions are called for, but we’re happy to stay within
the safe confines of determinism for this chapter.
10.1. Basic Simulation Arguments and Optimizing Expressions

As our first example compiler phase, we consider a limited form of constant
folding, where expressions with statically known values are replaced by constants.
The whole of the optimization is (1) finding all maximal program subexpressions
that don’t contain variables and (2) replacing each such subexpression with its
known constant value. We write cfold1 pcq for the result of applying this optimization
on command c. (For the program transformations in this chapter, we stick to
informal descriptions of how they operate, leaving the details to the accompanying
Coq code.)
A program optimized in this way proceeds in a very regular manner, compared
to executions of the original, unoptimized program. The small steps line up one-
to-one. Therefore, a very regular kind of simulation relation connects them. (This
notion is very similar to the one from Section 7.2, though now it incorporates
labels.)
Definition 10.3 (Simulation relation). We say that binary relation R over
states of our object language is a simulation relation iff:
10.1. BASIC SIMULATION ARGUMENTS AND OPTIMIZING EXPRESSIONS 61
(1) Whenever pv1 , skipq R pv2 , c2 q, it follows that c2 “ skip.

ℓ ℓ
(2) Whenever s1 R s2 and s1 Ñc s11 , there exists s12 such that s2 Ñc s12 and
s11 R s12 .
The crucial second condition can be drawn like this.
R
s1 s2
ℓ ℓ
@Ñc DÑc
s11 s12
R´1
Invariants
As usual, the diagram tells us that when a path along the left exists, a matching
roundabout path exists, too. That is, any step on the left can be matched by a step
on the right. Notice the similarity to the invariant-induction principle that we have
mostly relied on so far. Instead of showing that every step preserves a one-state
predicate, we show that every step preserves a two-state predicate in a particular
way. The simulation approach is as general for relating programs as the invariant
approach is for verifying individual programs.
Theorem 10.4. If there exists a simulation R such that s1 R s2 , then s1 » s2 .
Proof. We prove the two trace-inclusion directions separately. The left-to-
right direction proceeds by induction over the definition of traces on the left, while
the right-to-left direction proceeds by similar induction on the right. While most of
the proof is generic in details of the labeled transition system, for the right-to-left
direction we do rely on proofs of two important properties of this object language.
First, the semantics is total, in the sense that any state whose command isn’t skip
can take a step. Second, the semantics is deterministic, in that there can be at
most one label/state pair reachable in one step from a particular starting state.
In the inductive step of the right-to-left inclusion proof, we know that the
righthand system has taken a step. The lefthand system might already be a skip,
in which case, by the definition of simulations, the righthand system is already a
skip, contradicting the assumption that the righthand side stepped. Otherwise, by
totality, the lefthand system can take a step. By the definition of simulation, there
exists a matching step on the righthand side. By determinism, the matching step
is the same as the one we were already aware of. Therefore, we have a new R
relationship to connect to that step and apply the induction hypothesis. □
We can apply this very general principle to constant folding.
Theorem 10.5. For any v and c, pv, cq » pv, cfold1 pcqq.
Proof. By a simulation argument using this relation:
pv1 , c1 q R pv2 , c2 q “ v1 “ v2 ^ c2 “ cfold1 pc1 q
What we have done is translate the original theorem statement into the language
of binary relations, as this simple case needs no equivalent of strengthening the
induction hypothesis. Internally to the proof, we need to define constant folding of
evaluation contexts C, and we need to prove that primitive steps Ñ0 may be lifted
to apply over constant-folded states, this second proof by case analysis on Ñ0
derivations. Another more obvious workhorse is a lemma showing that constant
folding of expressions preserves interpretation results. □
10.2. Simulations That Allow Skipping Steps

Consider an evolution of our constant-folding optimization to take advantage
of known values of if test expressions. Depending on whether the value is zero, we
can replace the whole if with one of its two cases. We will write cfold2 pcq for this
expanded optimization and work up to proving it sound, too. However, we can no
longer use last section’s definition of simulation! The reason is that optimizations
intentionally cut down on steps that a program needs to execute. Some steps of
the source program now have no matching steps of the target program, say when
we are stepping an if whose test expression had a known value.
Let’s take a first crack at making simulation more flexible.
Definition 10.6 (Simulation relation with skipping (faulty version!)). We say
that binary relation R over states of our object language is a simulation relation
with skipping iff:
ℓ
(2) Whenever s1 R s2 and s1 Ñc s11 , then either:
ℓ
(a) there exists s12 such that s2 Ñc s12 and s11 R s12 ,
1
(b) or ℓ “ ϵ and s1 R s2 .
In other words, to match a silent step, it suffices to do nothing, so long as R
still holds afterward.
We didn’t mark the definition as faulty for nothing. It actually does not imply
trace equivalence. Consider a questionable “optimization” defined as withAdspwhile 1 do skipq “
while 1 do outp0q, and withAdspcq “ c for all other c. It adds a little extra advertise-
ment into a particular infinite loop. Now we define a candidate simulation relation.
pv1 , c1 q R pv2 , c2 q “ c1 P twhile 1 do skip, pskip; while 1 do skipqu
This suspicious relation records nothing about c2 . The skip condition of simula-
tions is handled trivially, as we can see by inspection that R does not allow c1
to be skip. Checking the execution-matching condition of simulations, c1 is either
while 1 do skip or pskip; while 1 do skipq, each of which steps silently to the other.
We may match either step by keeping c2 in place, as R does not constrain c2 at
all. Thus, R is a simulation relation with skipping, and, for c “ while 1 do skip, it
relates c to withAdspcq.
From here we expect to conclude trace equivalence. However, clearly withAds
can turn a program that never outputs into a program that outputs infinitely often!
Let’s patch our definition.
Definition 10.7 (Simulation relation with skipping). We say that an N-indexed
family of binary relations Rn over states of our object language is a simulation re-
lation with skipping iff:
(1) Whenever pv1 , skipq Rn pv2 , c2 q, it follows that c2 “ skip.
ℓ
(2) Whenever s1 Rn s2 and s1 Ñc s11 , then either:
ℓ
(a) there exist n1 and s12 such that s2 Ñc s12 and s11 Rn1 s12 ,
1
(b) or n ą 0, ℓ “ ϵ, and s1 Rn´1 s2 .
This new version imposes a finite limit n at any point, on how many times
the righthand side may match lefthand steps without stepping itself. Our bad
counterexample fails to satisfy the conditions, because eventually the starting step
10.3. SIMULATIONS THAT ALLOW TAKING MULTIPLE MATCHING STEPS 63
count n will be used up, and the incorrect “optimized” program will be forced to
reveal itself by taking a step that outputs.
Theorem 10.8. If there exists a simulation with skipping R such that s1 Rn s2 ,
then s1 » s2 .
Proof. The proof is fairly similar to that of Theorem 10.4. To show termina-
tion preservation in the backward direction, we find ourselves proving a lemma by
induction on n. □
Theorem 10.9. For any v and c, pv, cq » pv, cfold2 pcqq.
Proof. By a simulation argument (with skipping) using this relation:
pv1 , c1 q Rn pv2 , c2 q “ v1 “ v2 ^ c2 “ cfold2 pc1 q ^ countIfspc1 q ă n
We rely on a simple helper function countIfspcq to count how many If nodes appear
in the syntax of c. This notion turns out to be a conservative upper bound on how
many times in a row we will need to let lefthand steps go unmatched on the right.
The rest of the proof proceeds essentially the same way as in Theorem 10.5. □
10.3. Simulations That Allow Taking Multiple Matching Steps

Consider our final example compiler phase: flattening expressions into se-
quences of assignments to temporaries, using only noncompound subexpressions,
where the arguments to every binary operator are variables or constants. Now a
single step at the source level must be matched by many steps at the target level.
We write flattenpcq for the flattening of command c. How can we prove that this
transformation is correct?
Definition 10.10 (Simulation relation with multiple matching steps). We say
that a binary relation R over states of our object language is a simulation relation
with multiple matching steps iff:
ℓ ℓ ˚
(2) Whenever s1 R s2 and s1 Ñc s11 , there exists s12 such that s2 Ñc s12 and
s11 R s12 .
ℓ ˚
We write s Ñc s1 to indicate that s steps to s1 via zero or more silent steps
and then one step with label ℓ (which might also be silent).
Theorem 10.11. If there exists a simulation with multiple matching steps R
such that s1 R s2 , then s1 » s2 .
Proof. The backward direction is the interesting part of this proof. The key
lemma proceeds by strong induction on the number of steps needed to generate the
trace on the right. □
Theorem 10.12. For any v and c where c doesn’t use any names that are
reserved for temporaries, pv, cq » pv, flattenpcqq.
Proof. By a simulation argument (with multiple matching steps) using this
relation:
pv1 , c1 q R pv2 , c2 q “ c1 doesn’t use any names reserved for temporaries
^ v1 – v2 ^ c2 “ flattenpc1 q
The heart of this relation is a subrelation – over valuations, capturing when they
agree on all variables that are not reserved for temporaries, since the flattened
program will feel free to scribble all over the temporaries. The details of – are
especially important to the key lemma, showing that flattening of expressions is
sound, both taking in a – premise and drawing a related – conclusion. The overall
proof is not short, with quite a few lemmas, found in the Coq code. □
It might not be clear why we bothered to define simulation with multiple match-
ing steps, when we already had simulation with skipping. After all, we use simu-
lation to conclude completely symmetric facts about two commands, so why not
just verify this section’s example by applying simulation with skipping, with the
operand order reversed?
Consider the heart of the proof approach that we did adopt. We need to show
that any step of c can be matched suitably by flattenpcq. The proof is divided into
ℓ
cases by inversion on a premise pv, cq Ñc pv 1 , c1 q. Each case naturally fixes the top-
level structure of c, from which we can apply straightforward algebraic simplification
to find the top-level structure of flattenpcq and therefore the step rules that apply
to it.
Now consider applying simulation with skipping, with the commands passed as
ℓ
operands in the reverse order. The crucial inversion is on pv, flattenpcqq Ñc pv 1 , c1 q.
Unfortunately, the top-level structure of flattenpcq does not imply the top-level
structure of c, but we need to show that c can take a matching step. We need
to prove a whole set of bothersome special-case inversion lemmas by induction,
essentially to invert the action of what is, in the general case, an arbitrarily complex
compiler.
CHAPTER 11
Lambda Calculus and Simple Type Safety
We’ll now take a break from the imperative language we’ve been studying for
the last three chapters, instead looking at a classic sort of small language that distills
the essence of functional programming. That’s the language paradigm that we’ve
been using throughout this book, as we coded executable versions of algorithms.
Its distinctive characteristics are first, a computation style based on simplifying
terms instead of running step-by-step instructions that modify state; and second,
use of functions as first-class values. Functional programming went mainstream
in the early 21st century, influencing widely adopted languages from JavaScript,
where first-class functions are routinely used as callbacks in asynchronous event
processing; to Scala, a hybrid language that melds functional-programming ideas
with object-oriented programming for the Java platform; to Haskell, a purely func-
tional language that has become popular with programming hobbyists and is seeing
increasing adoption in industry.
The heart of functional programming persists even in λ-calculus (or lambda cal-
culus), the simplest version of which contains just three syntactic forms, but which
provides probably the simplest of the widely known Turing-complete languages that
is (nearly!) pleasant to program in directly.
11.1. Untyped Lambda Calculus

Here is the syntax of the original λ-calculus.
Expressions e ::“ x | λx. e | e e
An expression λx. e is a first-class, anonymous function, also called a function
abstraction or λ-abstraction. When called, it replaces its formal-argument variable
x with the actual argument within e and continues evaluating. The third syn-
tactic form e e uses juxtaposition, or writing one term after another, for function
application.
A simple example of an expression is λx. x, for an identity function. When we
apply it to itself, like pλx. xq pλx. xq, it reduces again to itself.
We can give a simple big-step operational semantics to λ-terms. The key aux-
iliary operation is substitution, where we write re1 {xse for replacing all free occur-
rences of x in e with e1 . Here we refer to a notion of free variables, which we should
define first, as a recursive function.
FVpxq “ txu
FVpλx. eq “ FVpeq ´ txu
FVpe1 e2 q “ FVpe1 q Y FVpe2 q
65
66 11. LAMBDA CALCULUS AND SIMPLE TYPE SAFETY
Intuitively, a variable is free in an expression iff it doesn’t occur inside the scope of
a λ binding the same variable.
Next we define substitution.
re1 {xsx “ e1
re1 {xsy “ y, if y ‰ x
1
re {xsλx. e “ λx. e
1
re {xsλy. e “ λy. re1 {xse, if y ‰ x
re1 {xse1 e2 “ re1 {xse1 re1 {xse2
Notice a peculiar property of this definition when we work with open terms,
whose free-variable sets are nonempty. According to the definition rx{ysλx. y “
λx. x. In this example, we say that λ-bound variable x has been captured uninten-
tionally, where substitution created a reference to that λ where none existed before.
Such a problem can only arise when replacing a variable with an open term. In this
case, that term is x, where FVpxq “ txu ‰ H.
More general investigations into λ-calculus will define a more involved notion of
capture-avoiding substitution. Instead, in this book, we carefully steer clear of the
λ-calculus applications that require substituting open terms for variables, letting us
stick with the simpler definition. When it comes to formal encoding of this style of
syntax in proof assistants, surprisingly many complications arise, leading to what
is still an active research area in encodings of language syntax with local variable
binding. Since we aim more for broad than deep coverage of the field of formal
program reasoning, we are happy to avoid those complexities.
With substitution in hand, a big-step semantics is easy to define. We use the
syntactic shorthand v for a value, or term that needs no further evaluation, which
Encoding in this case includes just the λ-abstractions.
e1 ó λx. e e2 ó v rv{xse ó v 1
λx. e ó λx. e e1 e2 ó v 1
A value evaluates to itself. To evaluate an application, evaluate both the func-

tion and the argument. The function value must be some λ-abstraction. Substitute
the argument value in the body of the abstraction, evaluate the result, and return
that value as the overall value. Note that we only ever need to evaluate closed
terms, meaning terms that are not open, so we obey the restriction on substitution
sketched above.
It may be surprising that these two rules are enough to define the full semantics
of a Turing-complete language! Indeed, λ-calculus is Turing-complete, and we must
be able to find nonterminating programs. Here is one example.
Ω “ pλx. x xq pλx. x xq
Theorem 11.1. Ω does not evaluate to anything. In other words, Ω ó v implies

a contradiction.
Proof. By induction on the derivation of Ω ó v. □

11.2. A QUICK CASE STUDY IN PROGRAM VERIFICATION: CHURCH NUMERALS 67
11.2. A Quick Case Study in Program Verification: Church Numerals

Since λ-calculus is Turing-complete, it must be able to represent numbers and
all the usual arithmetic operations. The classic representation is Church numerals,
where every natural number n is represented as a particular λ-term n that, when
passed a function f as input, returns f n , the n-way self-composition of f . In some
sense, repeating a process is the fundamental use of a natural number, and it turns
out that we can recover all of the usual operations atop this primitive.
Two λ-calculus functions are sufficient to build up all the naturals as Church
numerals.
zero “ λf. λx. x
plus1 “ λn. λf. λx. f pn f xq
Our representation of 0 returns an identity function, no matter which f it is passed.
Our successor operation takes in a number n and returns a new one that first runs
n and then applies f one extra time. Now we have 0 “ zero, 1 “ plus1 zero,
2 “ plus1 pplus1 zeroq, and so on.
These Church numerals are not values yet. Let us formalize which values they
evaluate to and tweak the encoding to use the values instead. We write tnu for the
body of a λ-abstraction that we are building to represent n, where variables f and
x are in scope.
t0u “ x
tn ` 1u “ f ppλf. λx. tnuq f xq
The n ` 1 case may seem wastefully large, but, in fact, this is the precise form
of the values produced by evaluating repeated applications of plus1 to zero, as the
reader can verify using the big-step semantics. We define n “ λf. λx. tnu, giving a
canonical encoding for each number.
Now we notate correctness of an encoding e for number n by e „ n, defining
it as e ó n, meaning that e evaluates to the Church encoding of n. Two first easy
results show that our primitive constructors are correct.
Theorem 11.2. zero „ 0.
Theorem 11.3. If en „ n, then plus1 en „ n ` 1.
Things get more interesting as we start to code up the arithmetic operations.
add “ λn. λm. n plus1 m
That is, addition of n to m is calculated by applying n plus1 operations to m.
Theorem 11.4. If en „ n and em „ m, then add en em „ n ` m.
Proof. After a few steps applying the big-step rules directly, we finish by
induction on n. A silly-seeming but necessary lemma proves that re{ms tnu “ tnu,
since tnu does not contain free occurrences of m. □
Multiplication proceeds in much the same way.
mult “ λn. λm. n padd mq zero
Theorem 11.5. If en „ n and em „ m, then mult en em „ n ˆ m.
Proof. After a few steps applying the big-step rules directly, we finish by
induction on n, within which we appeal to Theorem 11.4. □
An enjoyable (though not entirely trivial) exercise for the reader is to generalize
the methods of Church encoding to encoding of other inductive datatypes, including
the syntax of λ-calculus itself. A hallmark of a Turing-complete language is that it
can host an interpreter for itself, and λ-calculus is no exception!

λ-calculus is also straightforward to formalize with a small-step semantics. One
might argue that the technique is even simpler for λ-calculus, since we must deal
Encoding only with expressions, not also imperative variable valuations.
The crucial rule is for β-reduction, which explains the behavior of function
applications in terms of substitution.
pλx. eq v Ñ rv{xse
Note the one subtlety: the function argument is required to be a value. This
innocuous-looking restriction helps enforce call-by-value evaluation order , where,
upon encountering a function application, we must first evaluate the function, then
evaluate the argument, and only then call the function.
Two more rules complete the semantics and the characterization of call-by-
value.
e1 Ñ e11 e2 Ñ e12
e1 e2 Ñ e1 e2 v e2 Ñ v e12
1
Note again from the second rule that we are only allowed to move on to evaluating
the function argument after the function is fully evaluated.
Following a very similar outline to what we used in Chapter 8, we establish
equivalence between the two semantics for λ-calculus.
Theorem 11.6. If e Ñ˚ v, then e ó v.
Theorem 11.7. If e ó v, then e Ñ˚ v.
There are a few proof subtleties beyond what we encountered before, and the
Coq formalization may be worth reading, to see those details.
Again as before, we have a natural way to build a transition system from any
λ-term e, where L is the set of λ-terms. We define Tpeq “ xL, teu, Ñy. The next
section gives probably the most celebrated λ-calculus result based on the transition-
system perspective.
11.4. Simple Types and Their Soundness

Let’s spruce up the language with some more constructs.
Numbers n P N
Expressions e ::“ n | e ` e | x | λx. e | e e
Values v ::“ n | λx. e
We’ve added natural numbers as a primitive feature, supported via constants and
addition. Numbers may be intermixed with functions, and we may, for instance,
write first-class functions that take numbers as input or return numbers.
11.4. SIMPLE TYPES AND THEIR SOUNDNESS 69
We add two new bureaucratic rules for addition, mirroring those for function
application.
e1 Ñ e11 e2 Ñ e12
e1 ` e2 Ñ e11 ` e2 v ` e2 Ñ v ` e12
One more rule for addition is called for. Here we face a classic nuisance in
writing rules that combine explicit syntax with standard mathematical operators,
and we write ` for the syntactic construct and + for the mathematical addition
operator.
n ` m Ñ n+m
What would be a useful property to prove about our new expressions? For
one thing, we don’t want them to “crash,” as in the expression pλx. xq ` 7 that
tries to add a function and a number. No rule of the semantics knows what to do
with that case, but it also isn’t a value, so we shouldn’t consider it as finished with
evaluation. Define an expression as stuck when it is not a value and it cannot take
a small step. For “reasonable” expressions e, we should be able to prove that it is
an invariant of Tpeq that no expression is ever stuck.
To define “reasonable,” we formalize the popular idea of a static type system.
Every expression will be assigned a type, capturing which sorts of contexts it may
legally be dropped into. Our language of types is simple. Abstraction
Types τ ::“ N | τ Ñ τ
We have trees of function-space constructors, where all the leaves are instances of
the natural-number type N. Note that, with type assignment, we have yet another
case of abstraction, approximating a potentially complex expression with a type
that only records enough information to rule out crashes.
To assign types to closed terms, we must recursively define what it means for an
open term to have a type. To that end, we use typing contexts Γ, finite maps from
variables to types. To mimic standard notation, we write Γ, x : τ as shorthand for
Γrx ÞÑ τ s, overriding of key x with value τ in Γ. Now we define typing as a three-
place relation, written Γ $ e : τ , to indicate that, assuming Γ as an assignment of
types to e’s free variables, we conclude that e has type τ .
We define the relation inductively, with one case per syntactic construct. Modularity
Γpxq “ τ Γ $ e1 : N Γ $ e2 : N
Γ$x:τ Γ$n:N Γ $ e1 ` e2 : N
Γ, x : τ1 $ e : τ2 Γ $ e1 : τ1 Ñ τ2 Γ $ e2 : τ1
Γ $ λx. e : τ1 Ñ τ2 Γ $ e1 e2 : τ2
We write $ e : τ as shorthand for ‚ $ e : τ , meaning that closed term e has type
τ , with no typing context required. Note that this style of typing rules provides
another instance of modularity, since we can separately type-check different subex-
pressions of a large expression, using just their types to coordinate expectations
among subexpressions.
It should be an invariant of Tpeq that every reachable expression has the same
type as the original, so long as the original was well-typed. This observation is
the key to proving that it is also an invariant that no reachable expression is stuck,
using a proof technique called the syntactic approach to type soundness, which turns
out to be just another instance of our general toolbox for invariant proofs.
We work our way through a suite of standard lemmas to support that invariant
proof.
Lemma 11.8 (Progress). If $ e : τ , then e isn’t stuck.
Proof. By induction on the derivation of $ e : τ . □
Lemma 11.9 (Weakening). If Γ $ e : τ and every mapping in Γ is also included
in Γ1 , then Γ1 $ e : τ .
Proof. By induction on the derivation of Γ $ e : τ . □
1 1 1
Lemma 11.10 (Substitution). If Γ, x : τ $ e : τ and $ e : τ , then Γ $
re1 {xse : τ .
Proof. By induction on the derivation of Γ, x : τ 1 $ e : τ , with appeal to
Lemma 11.9. □
Lemma 11.11 (Preservation). If e1 Ñ e2 and $ e1 : τ , then $ e2 : τ .
Proof. By induction on the derivation of e1 Ñ e2 . □
Invariants
Theorem 11.12 (Type Soundness). If $ e : τ , then ␣stuck is an invariant of
Tpeq.
Proof. First, we strengthen the invariant to Ipeq “ $ e : τ , justifying the
implication by Lemma 11.8, Progress. Then we apply invariant induction, where
the base case is trivial. The induction step is a direct match for Lemma 12.3,
Preservation. □
The syntactic approach to type soundness is often presented as a proof tech-
nique in isolation, but what we see here is that it follows very directly from our
general invariant proof technique. Usually syntactic type soundness is presented as
fundamentally about proving Progress and Preservation conditions. The Progress
condition maps to invariant strengthening, and the Preservation condition maps to
invariant induction, which we have used in almost every invariant proof so far. Since
the basic proof structure matches our standard one, the main insight is the usual
one: a good choice of a strengthened invariant. In this case, invariant Ipeq “ $ e : τ
is that crucial insight, including the original design of the set of types and the typing
relation.
CHAPTER 12
More on Evaluation Contexts
In Chapter 8, we met evaluation contexts, a strange little way of formalizing

the idea “the next place in a program where a step will happen.” Though we
showed off how easy they make it to add concurrency to a language, the payoff
from this style may still not have been clear. In this chapter, we continue the
theme of showing how evaluation contexts make it easy to add new features to
a formal semantics with very concise descriptions. That is, the game will be to
continue extending a language definition modularly, leaving unchanged as much of
our old definitions and proofs as possible. Many of the concise conventions we adopt
here do require explicit expansion in the associated Coq code, though fancier Coq
frameworks would obviate that requirement as well.
12.1. Last Chapter’s Example Revisited

Let’s begin by recasting last chapter’s typed λ-calculus with numbers, using
evaluation contexts. We introduce this grammar of contexts.
Evaluation contexts C ::“ l|C e|v C |C è|v`C
Note the one subtlety, same as we encountered last chapter in a different place:
the third and fifth forms of evaluation context require the first operand to be a
value. Again we enforce call-by-value evaluation order . Tweaks to the definition
of C produce other evaluation orders, like call-by-name, but we will say no more
about those alternatives.
Two rules explain the primitive steps. They should look familiar from last
chapter’s more direct small-step semantics.
pλx. eq v Ñ0 rv{xse n ` m Ñ0 n+m
Encoding
As we will throughout this chapter, we assume a standard definition of what
it means to plug an expression into the hole in a context, and now we can give the
top-level small-step evaluation rule.
e Ñ0 e1
Cres Ñ Cre1 s
Last chapter’s type-system definition may be reused unchanged. We just need
to make a small modification to the sequence of results leading to type soundness.
Lemma 12.1. If e1 Ñ0 e2 and $ e1 : τ , then $ e2 : τ .
Proof. By inversion on the derivation of e1 Ñ0 e2 . □
Lemma 12.2. If e1 Ñ0 e2 and $ Cre1 s : τ , then $ Cre2 s : τ .
Proof. By induction on the structure of C, with appeal to Lemma 12.1. □
71
72 12. MORE ON EVALUATION CONTEXTS
Lemma 12.3 (Preservation). If e1 Ñ e2 and $ e1 : τ , then $ e2 : τ .

Proof. By inversion on the derivation of e1 Ñ e2 , with appeal to Lemma
12.2. □
12.2. Product Types

Let’s see some examples of how easy it is to add new features to our language,
starting with product types, or pair types. The name “product types” comes from
“Cartesian product.” We indicate extension of existing grammars by beginning
definitions with . . ., and we indicate extension of existing inductive predicates just
by listing new rules.
Expressions e ::“ . . . | pe, eq | π1 peq | π2 peq
Values v ::“ . . . | pv, vq
Contexts C ::“ . . . | pC, eq | pv, Cq | π1 pCq | π2 pCq
Types τ ::“ ... | τ ˆ τ
Operator πi is for projecting the ith element of a pair. Two new small-step
rules finish the explanation of projection behavior.
π1 ppv1 , v2 qq Ñ0 v1 π2 ppv1 , v2 qq Ñ0 v2
Finally, we can extend our type system with one new rule per expression kind.
Γ $ e1 : τ1 Γ $ e2 : τ2 Γ $ e : τ1 ˆ τ2 Γ $ e : τ1 ˆ τ2
Γ $ pe1 , e2 q : τ1 ˆ τ2 Γ $ π1 peq : τ1 Γ $ π2 peq : τ2
And that’s the complete, unambiguous specification of this new feature! The
type-soundness proof adapts very naturally. In fact, in the Coq code, almost exactly
the same proof script as before keeps doing the job, a theme we will see continue
throughout the chapter.
12.3. Sum Types

Next on our tour is sum types, otherwise known as variants or disjoint unions.
An element of the sum type τ1 ` τ2 is either a τ1 or a τ2 , and we indicate which
with constructor functions inl and inr.
Expressions e ::“ . . . | inlpeq | inrpeq | pmatch e with inlpxq ñ e | inrpxq ñ eq
Values v ::“ . . . | inlpvq | inrpvq
Contexts C ::“ . . . | pmatch C with inlpxq ñ e | inrpxq ñ eq
Types τ ::“ . . . | τ ` τ
The match form, following pattern-matching in Coq and other languages, ac-
counts for most of the syntactic complexity. Two new small-step rules explain its
behavior.
pmatch inlpvq with inlpx1 q ñ e1 | inrpx2 q ñ e2 q Ñ0 rv{x1 se1
pmatch inrpvq with inlpx1 q ñ e1 | inrpx2 q ñ e2 q Ñ0 rv{x2 se2

And the typing rules:
Γ $ e : τ1 Γ $ e : τ2 Γ $ e : τ1 ` τ2 Γ, x1 : τ1 $ e1 : τ Γ, x2 : τ2 $ e2 : τ
Γ $ inlpeq : τ1 ` τ2 Γ $ inrpeq : τ1 ` τ2 Γ $ pmatch e with inlpx1 q ñ e1 | inrpx2 q ñ e2 q : τ
Again, the automated type-soundness proof adapts with minimal modification.
12.5. MUTABLE VARIABLES 73
12.4. Exceptions
Next, let’s see how to model exceptions, a good representative of control-flow-
heavy language features. For simplicity, we will encode exception values themselves
as natural numbers. The action is in how exceptions are thrown and caught.
Expressions e ::“ . . . | throwpeq | ptry e catch x ñ eq
Contexts C ::“ . . . | throwpCq | ptry C catch x ñ eq
We also introduce metavariable C ´ to stand for an evaluation context that does
not use the constructor for catch and is not just a hole l (though it must contain a
l). It is handy to express the idea of exceptions bubbling up to the nearest enclosing
catch constructs. Specifically, here are three rules to define exception behavior.
ptry v catch x ñ eq Ñ0 v ptry throwpvq catch x ñ eq Ñ0 rv{xse C ´ rthrowpvqs Ñ0 throwpvq

And the typing rules, where the biggest twist is that a throw expression can
have any type, since it never terminates normally:
Γ$e:N Γ $ e : τ Γ, x1 : N $ e1 : τ
Γ $ throwpeq : τ Γ $ ptry e catch x1 ñ e1 q : τ
Most of the automated type-soundness proof adapts, but we do need to make
one nontrivial change: extending the primary safety invariant, since now there are
well-typed states that are neither values nor able to step. An uncaught exception
is the new potential outcome of an execution. Therefore, the invariant we prove
(with related fix-ups to a lemma statement or two) is:
Ipeq “ e is a value _ pDn : N. e “ throwpnqq _ pDe1 . e Ñ e1 q
It is worth pausing here to reflect on what we did not need to do. Though we
added a new kind of side effect, we did not need to modify a single rule dealing with
preexisting features. The open-ended abstraction of evaluation contexts helped us
plan ahead for side effects without foreseeing them precisely. For instance, it was
critical that we could refer to a restricted context C ´ to consider exception bubbling
past any of the prior features for which we defined order-of-evaluation rules.
12.5. Mutable Variables

Let’s now consider another side effect and how we can add it without having to
modify existing rules. This one we will build on the lambda calculus with products
and sums, not trying to harmonize it with exceptions. We also keep the existing
immutable variables and add new syntactic features for mutable variables.
Mutable variables X
Expressions e ::“ . . . | X | X Ð e
Contexts C ::“ . . . | X Ð C
We keep the Ñ0 relation defined previously and define on top of it Ñ1 that
works on states that contain variable valuations σ (as we have used before to model
imperative languages).
e1 Ñ0 e2 σpXq “ v
pσ, e1 q Ñ1 pσ, e2 q pσ, Xq Ñ1 pσ, vq pσ, X Ð vq Ñ1 pσrX ÞÑ vs, vq
74 12. MORE ON EVALUATION CONTEXTS
We define an alternative top-level small-step relation:

pσ, eq Ñ1 pσ 1 , e1 q
pσ, Cresq Ñ pσ 1 , Cre1 sq
Note how planning ahead and modularizing our order-of-operations rules via con-
text plugging allows us to reuse the same rules, even in the presence of mutable-
variable valuations.
We “cheat” a bit and extend our typing judgment to take an extra argument,
so a typing fact looks like ∆; Γ $ e : τ . The new context ∆ assigns types to mutable
variables, and it stays fixed throughout a program’s execution. We implicitly edit
each prior typing rule to thread ∆ through unchanged, and we add the two crucial
new ones:
∆pXq “ τ ∆pXq “ τ ∆; Γ $ e : τ
∆; Γ $ X : τ ∆; Γ $ X Ð e : τ
We have to make moderate edits to the central lemma statements. One frequent
ingredient is a compatibility relation ∆ » σ, indicating that any variable given a
type τ in ∆ is also assigned a τ -typed value in σ. Then we can adapt the type-
preservation proof as follows. (The progress proof works essentially the same as
before.)
Lemma 12.4. If e1 Ñ0 e2 and $ e1 : τ , then $ e2 : τ .
Proof. By inversion on the derivation of e1 Ñ0 e2 . □
Lemma 12.5. If pσ1 , e1 q Ñ1 pσ2 , e2 q, ∆; ‚ $ e1 : τ , and ∆ » σ1 , then ∆; ‚ $
e2 : τ and ∆ » σ2 .
Proof. By inversion on the derivation of pσ1 , e1 q Ñ1 pσ2 , e2 q, with appeal to
Lemma 12.4. □
Lemma 12.6. If pσ1 , e1 q Ñ1 pσ2 , e2 q, ∆; ‚ $ Cre1 s : τ , and ∆ » σ1 , then
∆; $ Cre2 s : τ and ∆ » σ2 .
Proof. By induction on the structure of C, with appeal to Lemma 12.5. □
Lemma 12.7 (Preservation). If pσ1 , e1 q Ñ pσ2 , e2 q, ∆; $ e1 : τ , and ∆ » σ1 ,
then ∆; ‚ $ e2 : τ and ∆ » σ2 .
Proof. By inversion on the derivation of pσ1 , e1 q Ñ pσ2 , e2 q, with appeal to
Lemma 12.6. □
Everything can be brought together in type-safety proof with a strengthened
invariant that also asserts the » relation, just as in the various statements of preser-
vation.
12.6. Concurrency Again

Mutable variables provide a means for communication between threads, so we
can bring concurrency to our language with remarkably little effort. We choose a
concurrent pairing operator, which builds a pair through simultaneous evaluation
of the expressions for the two elements.
Expressions e ::“ . . . | e||e
Contexts C ::“ . . . | C||e | e||C
12.6. CONCURRENCY AGAIN 75
As when we looked at adding concurrency to an imperative language, note that

we introduce nondeterminism by allowing evaluation to proceed on either side of
the parallel composition ||, on any given step. One new small-step rule explains
what to do when both sides are fully evaluated.
v1 ||v2 Ñ0 pv1 , v2 q
The typing rule is straightforward:
∆; Γ $ e1 : τ1 ∆; Γ $ e2 : τ2
∆; Γ $ e1 ||e2 : τ1 ˆ τ2
After this change, literally the same Coq proof script as before establishes type
soundness. That’s a pretty strong demonstration of modularity in semantics.
CHAPTER 13
Types and Mutation
As we glimpsed last chapter, the syntactic approach to type soundness contin-

ues to apply to impure functional languages, which combine imperative side effects
with first-class functions. We’ll study the general domain through its most com-
mon exemplar: λ-calculus with mutable references, which generalize the mutable
variables that we modeled in Section 12.5.
13.1. Simply Typed Lambda Calculus with Mutable References

Here is an extension of the lambda-calculus syntax from Chapter 11, with
additions underlined.
Numbers n P N
Expressions e ::“ n | e ` e | x | λx. e | e e | newpeq | !e | e :“ e
The three new expression forms deal with references, which act like, for in-
stance, Java objects that only have single public fields. We write newpeq to allocate
a new reference initialized with value e, we write !e for reading the value stored in
reference e, and we write e1 :“ e2 for overwriting the value of reference e1 with e2 .
An example is worth a thousand words, so let’s consider a concrete program. We’ll
use two notational shorthands:
let x “ e1 in e2 fi pλx. e2 q e1
e1 ; e2 fi let “ e1 in e2 (for a variable not used anywhere else)
Here is a simple program that uses references.
let r “ newp0q in r :“ !r ` 1; !r
This program (1) allocates a new reference r storing the value 0; (2) increments
r’s value by 1; and (3) returns the new r value, which is 1.
To be more formal about the meanings of all programs, we extend the opera-
tional semantics from the start of last chapter. First, we add some new kinds of
evaluation contexts.
Evaluation contexts C ::“ l|C e|v C |C è|v`C
| newpCq | !C | C :“ e | v :“ C
Next we define the basic reduction steps of the language. Similarly to in Section
12.5, we work with states that include not just expressions but also heaps h, partial
functions from references to their current stored values. We begin by copying over
the two basic-step rules from last chapter, threading through the heap h unchanged.
ph, pλx. eq vq Ñ0 ph, rv{xseq ph, n ` mq Ñ0 ph, n+mq

77
78 13. TYPES AND MUTATION
To write out the rules that are specific to references, it’s helpful to extend our
language syntax with a form that will never appear in original programs but which
does show up at intermediate execution steps. In particular, let’s add an expression
form for locations, the runtime values of references, and let’s say that locations also
count as values.
Locations ℓ P N
Expressions e ::“ n | e ` e | x | λx. e | e e | newpeq | !e | e :“ e | ℓ
Values v ::“ n | λx. e | ℓ
Now we can write the rules for the three reference primitives.
ℓ R domphq hpℓq “ v hpℓq “ v
ph, newpvqq Ñ0 phrℓ ÞÑ vs, ℓq ph, !ℓq Ñ0 ph, vq ph, ℓ :“ v q Ñ0 phrℓ ÞÑ v 1 s, v 1 q
1
To evaluate a reference allocation newpeq, we nondeterministically pick some

unused location ℓ and initialize it with the requested value. To read from a reference
in !e, we just look up the location in the heap; the program will be stuck if the
location is not already included in h. Finally, to write to a reference with e1 :“ e2 ,
we check that the requested location is already in the heap (we’re stuck if not),
then we overwrite its value with the new one.
Here is the overall step rule, which looks just like the one for basic λ-calculus,
with a heap wrapped around everything.
ph, eq Ñ0 ph1 , e1 q
ph, Cresq Ñ ph1 , Cre1 sq
As a small exercise for the reader, it may be worth using this judgment to
derive that our example program from before always returns 1. Even fixing the
empty heap in the starting state, there is some nondeterminism in which final heap
it returns: the possibilities are all the single-location heaps, mapping their single
locations to value 1. It is natural to allow this nondeterminism in allocation, since
typical memory allocators in real systems don’t give promises about predictability
in the addresses that they return. However, we will be able to prove that, for
instance, any program returning a number gives the same answer, independently
of nondeterministic choices made by the allocator. That property is not true in
programming languages like C that are not memory-safe, as they allow arithmetic
and comparisons on pointers, the closest C equivalent of our references.
13.2. Type Soundness

For λ-calculus with references, we can prove a similar type-soundness theorem
to what we proved last chapter, though the proof has a twist or two. To start with,
we should define our extended type system, with one new case for references.
Types τ ::“ N | τ Ñ τ | τ ref
Here are the rules from last chapter’s basic λ-calculus, which we can keep
unchanged.
Γpxq “ τ Γ $ e1 : N Γ $ e2 : N
Γ$x:τ Γ$n:N Γ $ e1 ` e2 : N
Γ, x : τ1 $ e : τ2 Γ $ e1 : τ1 Ñ τ2 Γ $ e2 : τ1
Γ $ λx. e : τ1 Ñ τ2 Γ $ e1 e2 : τ2
13.2. TYPE SOUNDNESS 79
We also need a rule for each of the reference primitives.

Γ$e:τ Γ $ e : τ ref Γ $ e1 : τ ref Γ $ e2 : τ
Γ $ newpeq : τ ref Γ $ !e : τ Γ $ e1 :“ e2 : τ
That’s enough notation to let us state type soundness, which is indeed provable.
Theorem 13.1 (Type Soundness). If $ e : τ , then ␣stuck is an invariant of
Tpeq.
However, we will need to develop some more machinery to let us state the
strengthened invariant that makes the proof go through.
The trouble with our typing rules is that they disallow location constants, but
those constants will arise in intermediate states of program execution. To prepare
for them, we introduce heap typings Σ, partial functions from locations to types.
The idea is that a heap typing Σ models a heap h by giving the intended type
for each of its locations. We define an expanded typing judgment of the form
Σ; Γ $ e : τ , with a new parameter included solely to enable the following rule.
Σpℓq “ τ
Σ; Γ $ ℓ : τ
We must also extend every typing rule we gave before, adding an extra “Σ;” pre-
fix, threaded mindlessly through everything. We never extend Σ as we recurse into
subexpressions, and we only examine it in leaves of derivation trees, corresponding
to ℓ expressions.
We have made some progress toward stating an inductive invariant for the type-
soundness theorem. The essential idea of the proof is found in the invariant choice
Iph, eq “ DΣ. Σ; ‚ $ e : τ . However, we can tell that something is suspicious with
this invariant, since it does not mention h. We should also somehow characterize
the relationship between Σ and h.
Here is a first cut at defining a relation Σ $ h.
@ℓ, τ. Σpℓq “ τ ñ Dv. hpℓq “ v ^ Σ; ‚ $ v : τ
Σ$h
In other words, whenever Σ announces the existence of location ℓ meant to
store values of type τ , the heap h actually stores some value v for ℓ, and that value
has the right type. Note the tricky recursion inherent in typing v with respect to
the very same Σ.
This rule as stated is not quite sufficient to make the invariant inductive. We
could get stuck on a newpeq expression if the heap h becomes infinite, with no free
addresses left to allocate. Of course, we know that finite executions, started in the
empty heap, only produce finite intermediate heaps. Let’s remember that fact with
another condition in the Σ $ h relation.
p@ℓ, τ. Σpℓq “ τ ñ Dv. hpℓq “ v ^ Σ; ‚ $ v : τ q pD bound. @ℓ ě bound. ℓ R domphqq
Σ$h
The rule requires the existence of some upper bound bound on the already-
allocated locations. By construction, whenever we need to allocate a fresh location,
we may choose bound, or indeed any location greater than it.
We now have the right machinery to define an inductive invariant, namely: Invariants
Iph, eq “ DΣ. Σ; ‚ $ e : τ ^ Σ $ h
We prove variants of all of the lemmas behind last chapter’s type-safety proof,
with a few new ones and twists on the originals. Here we give some highlights.
Lemma 13.2 (Heap Weakening). If Σ; Γ $ e : τ and every mapping in Σ is
also included in Σ1 , then Σ1 ; Γ $ e : τ .
Lemma 13.3. If ph, eq Ñ0 ph1 , e1 q, Σ; ‚ $ e : τ , and Σ $ h, then there exists Σ1
such that Σ1 ; ‚ $ e1 : τ , Σ1 $ h1 , and Σ1 preserves all mappings from Σ.
Lemma 13.4. If Σ; ‚ $ Cre1 s : τ , then there exists τ0 such that Σ; ‚ $ e1 : τ0
and, for all e2 and Σ1 , if Σ1 ; ‚ $ e2 : τ0 and Σ1 preserves mappings from Σ, then
Σ1 ; ‚ $ Cre2 s : τ .
Lemma 13.5 (Preservation). If ph, eq Ñ ph1 , e1 q, Σ; ‚ $ e : τ , and Σ $ h, then
there exists Σ1 such that Σ1 ; ‚ $ e1 : τ and Σ1 $ h1 .
13.3. Garbage Collection

Functional languages like ML and Haskell include features very similar to the
mutable references that we study in this chapter. However, their execution models
depart in an important way from the operational semantics we just defined: they
use garbage collection to deallocate unused references, whereas our last semantics
allows references to accumulate forever in the heap, even if it is clear that some of
them will never be needed again. Worry not! We can model garbage collection with
one new rule of the operational semantics, and then our type-safety proof adapts
and shows that we still avoid stuckness, when the garbage collector can snatch
unreachable locations away from us at any moment.
To define unreachable, we start with a way to compute the free locations of an
expression.
freelocpxq “ H
freelocpnq “ H
freelocpe1 ` e2 q “ freelocpe1 q Y freelocpe2 q
freelocpλx. e1 q “ freelocpe1 q
freelocpe1 e2 q “ freelocpe1 q Y freelocpe2 q
freelocpnewpe1 qq “ freelocpe1 q
freelocp!e1 q “ freelocpe1 q
freelocpe1 :“ e2 q “ freelocpe1 q Y freelocpe2 q
freelocpℓq “ tℓu
Next, we define a relation to capture which locations are reachable from some
starting expression, relative to a particular heap? For each expression e and heap
h, we define Rh peq as the set of locations reachable from e via h.
hpℓq “ v ℓ1 P Rh pvq ℓ P freelocpeq ℓ1 P Rh pℓq
ℓ P Rh pℓq ℓ1 P Rh pℓq ℓ1 P Rh peq
In order, the rules say: any location reaches itself; any location reaches any-
where reachable from the value assigned to it by h; and any expression reaches
anywhere reachable from any of its free locations.
13.3. GARBAGE COLLECTION 81
Now we add one new top-level rule to the operational semantics, saying un-
reachable locations may be removed at any time.
@ℓ, v. ℓ P Rh peq ^ hpℓq “ v ñ h1 pℓq “ v
@ℓ, v. h1 pℓq “ v ñ hpℓq “ v
h1 ‰ h
ph, eq Ñ ph1 , eq
Let us explain each premise in more detail. The first premise says that, going
from the old heap h to the new heap h1 , the value of every reachable reference is
preserved. The second premise says that the new heap is a subheap of the original,
not spontaneously adding any new mappings. The final premise says that we have
actually done some useful work: the new heap isn’t just the same as the old one.
It may not be clear why we must include the last premise. The reason has to
do with our formulation of type safety, by saying that programs never get stuck.
We defined that e is stuck if it is not a value but it also can’t take a step. If we
omitted from the garbage-collection rule the premise h1 ‰ h, then this rule would
always apply, for any term, simply by setting h1 “ h. That is, no term would ever
be stuck, and type safety would be meaningless! Since the rule also requires that h1
be no larger than h (with the second premise), additionally requiring h1 ‰ h forces
h1 to shrink, garbage-collecting at least one location. Thus, in any execution state,
we can “kill time” by running garbage collection only finitely many times before
we need to find some “real” step to run. More precisely, the limit on how many
times we can run garbage collection in a row, starting from heap h, is |domphq|, the
number of locations in h.
The type-safety proof is fairly straightforward to update. We prove progress by
ignoring the garbage-collection rule, since the existing rules were already enough
to find a step for every nonvalue. A bit more work is needed to update the proof
of preservation; its cases for the existing rules follow the same way as before, while
we must prove a few lemmas on the way to handling the new rule.
Lemma 13.6 (Transitivity for reachability). If freelocpe1 q Ď freelocpe2 q, then
Rh pe1 q Ď Rh pe2 q.
Lemma 13.7 (Irrelevance of unreachable locations for typing). If Σ $ h, Σ; Γ $
e : τ , then Σ1 ; Γ $ e : τ , if we also know that, for all ℓ and τ 1 , when ℓ P Rh peq and
Σpℓq “ τ 1 , it follows that Σ1 pℓq “ τ 1 .
Lemma 13.8 (Reachability sandwich). If ℓ P Rh peq, hpℓq “ v, and ℓ1 P Rh pvq,
then ℓ1 P Rh peq.
To extend the proof of preservation, we need to show that the strengthened
invariant still holds after garbage collection. A key element is choosing the new
heap typing. We pick the restriction of the old heap typing Σ to the domain of the
new heap h1 . That is, we drop from the heap typing all locations that have been
garbage collected, preserving the types of the survivors. Some work is required to
show that this strategy is sound, given the definition of reachability, but the lemmas
above work out the details, leaving just a bit of bookkeeping in the preservation
proof. The final safety proof then proceeds in exactly the same way as before.
Our proof here hasn’t quite covered all the varieties of garbage collectors that
exist. In particular, copying collectors may move references to different locations,
while we only allow collectors to delete some references. It may be an edifying
exercise for the reader to extend our proof in a way that also supports reference
relocation.
CHAPTER 14
Hoare Logic: Verifying Imperative Programs
We now take a step away from the last chapters in two dimensions: we switch
back from functional to imperative programs, and we return to proofs of deep cor-
rectness properties, rather than mere absence of type-related crashes. Nonetheless,
the essential proof structure winds up being the same, as we once again prove
invariants of transition systems!
14.1. An Imperative Language with Memory

To provide us with an interesting enough playground for program verification,
let’s begin by defining an imperative language with an infinite mutable heap. For
reasons that will become clear shortly, we do a strange bit of mixing of syntax
and semantics. In certain parts of the syntax, we include assertions a, which are
arbitrary mathematical predicates over program state, split between heaps h and
variable valuations v.
Numbers n P N
Expressions e ::“ n | x | e ` e | e ´ e | e ˆ e | ˚res
Boolean expressions b ::“ e “ e | e ă e
Commands c ::“ skip | x Ð e | ˚res Ð e | c; c
| if b then c else c | tauwhile b do c | assertpaq
Beside assertions, we also have memory-read operations ˚res and memory-write
operations ˚re1 s Ð e2 , which are written suggestively, as if the memory were a
global array named ˚. Loops have sprouted an extra assertion in their syntax, which
we will actually ignore in the language semantics, but which becomes important as
part of the proof technique we will learn, especially in automating it.
Expressions have a standard recursive semantics.
JnKph, vq “ n
JxKph, vq “ vpxq
Je1 ` e2 Kph, vq “ Je1 Kph, vq ` Je2 Kph, vq
Je1 ´ e2 Kph, vq “ Je1 Kph, vq ´ Je2 Kph, vq
Je1 ˆ e2 Kph, vq “ Je1 Kph, vq ˆ Je2 Kph, vq
J˚resKph, vq “ hpJeKph, vqq
Je1 “ e2 Kph, vq “ Je1 Kph, vq “ Je2 Kph, vq
Je1 ă e2 Kph, vq “ Je1 Kph, vq ă Je2 Kph, vq
We finish up with a big-step semantics in the style of those we’ve seen before,
with the added complication of threading a heap through. Encoding
83
84 14. HOARE LOGIC: VERIFYING IMPERATIVE PROGRAMS
ph, v, skipq ó ph, vq ph, v, x Ð eq ó ph, vrx ÞÑ JeKph, vqsq
ph, v, ˚re1 s Ð e2 q ó phrJe1 Kph, vq ÞÑ Je2 Kph, vqs, vq
ph, v, c1 q ó ph1 , v1 q ph1 , v1 , c2 q ó ph2 , v2 q

ph, v, c1 ; c2 q ó ph2 , v2 q
JbKph, vq ph, v, c1 q ó ph1 , v 1 q ␣JbKph, vq ph, v, c2 q ó ph1 , v 1 q

ph, v, if b then c1 else c2 q ó ph1 , v 1 q ph, v, if b then c1 else c2 q ó ph1 , v 1 q
JbKph, vq ph, v, c; tIuwhile b do cq ó ph1 , v 1 q ␣JbKph, vq

ph, v, tIuwhile b do cq ó ph1 , v 1 q ph, v, tIuwhile b do cq ó ph, vq
aph, vq
ph, v, assertpaqq ó ph, vq
Reasoning directly about operational semantics can get tedious, so let’s develop
some machinery for proving program correctness automatically.
14.2. Hoare Triples

Much as we did with type systems, we define a syntactic predicate and prove
it sound once and for all. Afterward, we can automatically show that particular
programs and their specifications inhabit the predicate. This time, predicate in-
stances will be written like tP uctQu, with c the command being verified, P its
precondition (assumption about the program state before we start running c), and
Q its postcondition (obligation about the program state after c finishes). We call
Encoding any such fact a Hoare triple, and the overall predicate is an instance of Hoare logic.
A first rule for skip is easy: anything that was true before is also true after.
tP uskiptP u
A rule for assignment is slightly more involved: to state what we know is true
after, we recall that there existed a prestate satisfying the precondition, which then
evolved into the poststate in the expected way.
tP ux Ð etλph, vq. Dv 1 . P ph, v 1 q ^ v “ v 1 rx ÞÑ JeKph, v 1 qsu

The memory-write command is treated symmetrically.
tP u˚re1 s Ð e2 tλph, vq. Dh1 . P ph1 , vq ^ h “ h1 rJe1 Kph1 , vq ÞÑ Je2 Kph1 , vqsu
To model sequencing, we thread predicates through in an intuitive way.
tP uc1 tQu tQuc2 tRu
tP uc1 ; c2 tRu
For conditional statements, we start from the basic approach of sequencing,
adding two twists. First, since the two subcommands run after different outcomes
of the test expression, we extend their preconditions. Second, since we may reach
14.2. HOARE TRIPLES 85
the end of the command after running either subcommand, we take the disjunction
of their postconditions.
tλs. P psq ^ JbKpsquc1 tQ1 u tλs. P psq ^ ␣JbKpsquc2 tQ2 u
tP uif b then c1 else c2 tλs. Q1 psq _ Q2 psqu
Coming to loops, we at last have a purpose for the assertion annotated on each
one. We call those assertions loop invariants; one of these is meant to be true every Invariants
time a loop iteration begins. We will try to avoid confusion with the more funda-
mental concept of invariant for transition systems, though in fact the two are closely
related formally, which we will see in the last section of this chapter. Essentially, the
loop invariant gives the induction hypothesis that makes the program-correctness
proof go through. We encapsulate the induction reasoning once-and-for-all, in the
proof of soundness for Hoare triples. To verify an individual program, it is only
necessary to prove the premises of the rule, which we give now.
p@s. P psq ñ Ipsqq tλs. Ipsq ^ JbKpsquctIu
tP utIuwhile b do ctλs. Ipsq ^ ␣JbKpsqu
In words: the loop invariant is true when we begin the loop, and every iteration
preserves the invariant, given the extra knowledge that the loop test succeeded. If
the loop finishes, we know that the invariant is still true, but now the test is false.
The final command-specific rule, for assertions, is a bit anticlimactic. The
precondition is carried over as postcondition, if it is strong enough to prove the
assertion.
@s. P psq ñ Ipsq
tP uassertpIqtP u
One more essential rule remains, this time not specific to any command form.
The rules we’ve given deduce specific kinds of precondition-postcondition pairs. For
instance, the skip rule forces the precondition and postcondition to match. However,
we expect to be able to prove tλph, vq. vpxq ą 0uskiptλph, vq. vpxq ě 0u, because the
postcondition is weaker than the precondition, meaning the precondition implies the
postcondition. Alternatively, the precondition is stronger than the postcondition,
because the precondition keeps all restrictions from the postcondition while adding
new ones. Hoare Logic’s rule of consequence allows us to build a new Hoare triple
from an old one by strengthening the precondition and weakening the postcondition.
tP uctQu p@s. P 1 psq ñ P psqq p@s. Qpsq ñ Q1 psqq
tP 1 uctQ1 u
These rules together are complete, in the sense that any intuitively correct
precondition-postcondition pair for a command is provable. Here we only go into
detail on a proof of the dual property, soundness.
Lemma 14.1. Assume the following fact: Together, ph, v, cq ó ph1 , v 1 q, Iph, vq,
and JbKph, vq imply Iph1 , v 1 q. Then, given ph, v, tIuwhile b do cq ó ph1 , v 1 q, it follows
that Iph1 , v 1 q and ␣JbKph1 , v 1 q.
Proof. By induction on the derivation of ph, v, tIuwhile b do cq ó ph1 , v 1 q. □
That lemma encapsulates once-and-for-all the use of induction in reasoning

about the many iterations of loops.
Theorem 14.2 (Soundness of Hoare logic). If tP uctQu, ph, v, cq ó ph1 , v 1 q, and

P ph, vq, then Qph1 , v 1 q.
Proof. By induction on the derivation of tP uctQu and inversion on the deriva-
tion of ph, v, cq ó ph1 , v 1 q, appealing to Lemma 14.1 in the appropriate case. □
We leave concrete example derivations to the accompanying Coq code, as that

level of fiddly detail deserves to be machine-checked. Note that there is a rather
effective automated proof procedure lurking behind the rules introduced in this
section: To prove a Hoare triple, first try applying the rule associated with its top-
level syntax-tree constructor (e.g., assignment or loop rule). If the conclusion of that
rule does unify with the goal, apply the rule and proceed recursively on its premises.
Otherwise, apply the rule of consequence to replace the postcondition with one
matching that from the matching rule; note that all rules accept arbitrarily shaped
preconditions, so we don’t actually need to do work to massage the precondition.
After a step like this one, it is guaranteed that the “fundamental” rule now applies.
This process creates a pile of side conditions to be proved by other means, cor-
responding to the assertion implications generated by the rules for loops, assertions,
and consequence. Many real-world tools based on Hoare logic discharge such goals
using solvers for satisfiability modulo theories, otherwise known as SMT solvers.
The accompanying Coq code just uses a modest Coq automation-tactic definition
building on the proof steps we have been using all along. It is not complete by
any means, but it does surprisingly well in the examples we step through, of low to
moderate complexity.
Before closing our discussion of the basics of Hoare logic, let’s consider how
Abstraction it brings to bear some more of the general principles that we have met before. A
command’s precondition and postcondition serve as an abstraction of the command:
it is safe to model a command with its specification, if it has been proved using
Modularity a Hoare triple. Furthermore, the Hoare rules themselves take advantage of mod-
ularity to analyze subcommands separately, mediating between them using only
the specifications. The implementation details of a subcommand don’t matter for
any other subcommands in the program, so long as that subcommand has been
connected to a specification that preserves enough information about its behavior.
It is an art to choose the right specification for each piece of a program. Detailed
specifications minimize the chance that some other part of the program winds up
unprovable, despite its correctness, but more detailed specifications also tend to be
harder to prove in the first place.

Last section’s soundness theorem only lets us draw conclusions about programs
that terminate. We call such guarantees partial correctness. Other forms of Hoare
triples guarantee total correctness, which includes termination. However, sometimes
programs aren’t meant to terminate, yet we still want to gain confidence about
their behavior. To that end, we first give a small-step semantics for the same
programming language. Then we prove a different soundness theorem for the same
Hoare-triple predicate, showing that it also implies a useful invariant for programs
as transition systems.
The small-step relation is quite similar to the one from last chapter, though
Encoding now our states are triples ph, v, cq, of heap h, variable valuation v, and command c.
14.4. TRANSITION-SYSTEM INVARIANTS FROM HOARE TRIPLES 87
ph, v, x Ð eq Ñ ph, vrx ÞÑ JeKph, vqs, skipq
ph, v, ˚re1 s Ð e2 q Ñ phrJe1 Kph, vq ÞÑ Je2 Kph, vqs, v, skipq
ph, v, c1 q Ñ ph1 , v 1 , c11 q

ph, v, skip; c2 q Ñ ph, v, c2 q ph, v, c1 ; c2 q Ñ ph1 , v 1 , c11 ; c2 q
JbKph, vq ␣JbKph, vq
ph, v, if b then c1 else c2 q Ñ ph, v, c1 q ph, v, if b then c1 else c2 q Ñ ph, v, c2 q
JbKph, vq ␣JbKph, vq
ph, v, tIuwhile b do cq Ñ ph, v, c; tIuwhile b do cq ph, v, tIuwhile b do cq Ñ ph, v, skipq
aph, vq
ph, v, assertpaqq Ñ ph, v, skipq
14.4. Transition-System Invariants from Hoare Triples

Even an infinite-looping program must satisfy its assert commands, every time
it passes one of them. For that reason, it’s interesting to consider how to show that
a command never gets stuck on a false assertion. We work up to that result with
a few intermediate ones. First, we define stuck much the same way as in the last
three chapters: a state ph, v, cq is stuck if c is not skip, but there is also nowhere to
step to from this state. An example of a stuck state would be one beginning with
an assert of an assertion that does not hold on h and v. In fact, we can prove that
any other state is unstuck, though we won’t bother here.
Lemma 14.3 (Progress). If tP uctQu and P ph, vq, then ph, v, cq is unstuck.
Proof. By induction on the derivation of tP uctQu. □
Lemma 14.4. If tP uskiptQu, then @s. P psq ñ Qpsq.
Proof. By induction on the derivation of tP uskiptQu. □
Lemma 14.5 (Preservation). If tP uctQu, ph, v, cq Ñ ph1 , v 1 , c1 q, and P ph, vq,
then tλs. s “ ph1 , v 1 quc1 tQu.
Proof. By induction on the derivation of tP uctQu, appealing to Lemma 14.4
in one case. Note how we conclude a very specific precondition, forcing exact state
equality with the one we have stepped to. □
Invariants
Theorem 14.6 (Invariant Safety). If tP uctQu and P ph, vq, then unstuckness
is an invariant for the small-step transition system starting at ph, v, cq.
Proof. First we weaken the invariant to Iph, v, cq “ tλs. s “ ph, vquctλ . Ju.
That is, we focus in on the most specific applicable precondition, and we forget
everything that the postcondition was recording for us. Note that postconditions
are still an essential part of Hoare triples for this proof, but we have already done
our detailed analysis of them in the earlier lemmas. Lemma 14.3 gives the needed
implication from the new invariant to the old.
Next, we apply invariant induction, whose base case follows trivially. The
induction step follows by Lemma 14.5. □
CHAPTER 15
Deep Embeddings, Shallow Embeddings, and

Options in Between
So far, in this book, we have followed the typographic conventions of ordinary

mathematics and logic, as they would be worked out on whiteboards. In parallel,
we have mechanized all of the definitions and proofs in Coq. Often little tidbits
of encoding challenge show up in mechanizing the proofs. As formal languages get
more complex, it becomes more and more important to choose the right encoding.
For instance, in the previous chapter, we repeatedly jumped through hoops to
track the local variables of programs, threading variable valuations v throughout
everything. Coq already has built into it a respectable notion of variables; can we
somehow reuse that mechanism, rather than roll our own new one? This chapter
gives a “yes” answer, working toward redefining last chapter’s Hoare logic in a
lighter-weight manner, along the way introducing some key terminology that is
used to classify encoding choices.
Since whiteboard math doesn’t usually bother with encoding details, here we
must break with our convention of using only standard notation in the book. In-
stead, we will use notation closer to literal Coq code, and, in fact, more of the
technical action than usual is only found in the accompanying Coq source file.
15.1. The Basics

Recall some terminology introduced in Section 2.5: every formal proof is car-
ried out in some metalanguage, which, in our case, is Coq’s logic and programming
language called Gallina. A syntactic language that we formalize is called an object
language. Often it is convenient to do reasoning without any particular object lan-
guage, as in this simple arithmetic function that can be defined directly in Gallina.
foo “ λpx, yq. let u “ x ` y in let v “ u ˆ y in u ` v
However, it is difficult to prove some important facts about terms encoded

directly in the metalanguage. For instance, we can’t easily do induction over the
syntax of all such terms. To allow that kind of induction, we can define an object
language inductively. Encoding
Const : N Ñ exp
Var : V Ñ exp
Plus : exp Ñ exp Ñ exp
Times : exp Ñ exp Ñ exp
Let : V Ñ exp Ñ exp Ñ exp
89
90 15. DEEP EMBEDDINGS, SHALLOW EMBEDDINGS, AND OPTIONS IN BETWEEN
That last example program, with implicit free variables x and y, may now be
redefined in the exp type.
foo1 “ Let pVar “u”q pPlus pVar “x”q pVar “y”qq pLet pVar “v”q
pTimes pVar “u”q pVar “y”qq pPlus pVar “u”q pVar “v”qqq
As in Chapter 4, we can define a recursive interpreter, mapping exp programs
and variable valuations to numbers. Using that interpreter, we can prove equiva-
lence of foo and foo1 .
We say that foo uses a shallow embedding, because it is coded directly in the
metalanguage, with no extra layer of syntax. Conversely, foo1 uses a deep embed-
ding, since it goes via the inductively defined exp type.
These extremes are not our only options. In higher-order logics like Coq’s, we
may also choose what might be called mixed embeddings, which define syntax-tree
types that allow some use of general functions from the metalanguage. Here’s an
Encoding example, as an alternative definition of exp.
Const : N Ñ exp
Var : V Ñ exp
Plus : exp Ñ exp Ñ exp
Times : exp Ñ exp Ñ exp
Let : exp Ñ pN Ñ expq Ñ exp
The one change is in the type of the Let constructor, where now no variable
name is given, and instead the body of the “let” is represented as a Gallina function
from numbers to expressions. The intent is that the body is called on the number
that results from evaluating the first expression. This style is called higher-order
abstract syntax . Though that term is often applied to a more specific instance of
the technique, which is not exactly the one used here, we will not be so picky.
As an illustration of the technique in action, here’s our third encoding of the
simple example program.
foo2 “ Let pPlus pVar “x”q pVar “y”qq pλu.
Let pTimes pConst uq pVar “y”qq pλv.
Plus pConst uq pConst vqqq
With a bit of subtlety, we can define an interpreter for this language, too.
JConst nKv “ n
JVar xKv “ vpxq
JPlus e1 e2 Kv “ Je1 Kv ` Je2 Kv
JTimes e1 e2 Kv “ Je1 Kv ˆ Je2 Kv
JLet e1 e2 Kv “ Je2 pJe1 KvqKv
Note how, in the Let case, since the body e2 is a function, before evaluating it,
we call it on the result of evaluating e1 . This language would actually be sufficient
even if we removed the Var constructor and the v argument of the interpreter. Coq’s
normal variable binding is enough to let us model interesting programs and prove
things about them by induction on syntax.
It is important here that Coq’s induction principles give us useful induction
hypotheses, for constructors whose recursive arguments are functions. The second
15.2. A MIXED EMBEDDING FOR HOARE LOGIC 91
argument of Let above is an example. When we do induction on expression syntax

to establish @e. P peq, the case for Let e1 e2 includes two induction hypotheses. The
first one is standard: P pe1 q. The second one is more interesting: @n : N. P pe2 pnqq.
That is, the theorem holds on all results of applying body e2 to arguments.
15.2. A Mixed Embedding for Hoare Logic

This general strategy also applies to modeling imperative languages like the
one from last chapter. We can define a polymorphic type family cmd of commands,
indexed by the type of value that a command is meant to return. Encoding
Return : @α. α Ñ cmd α
Bind : @α, β. cmd β Ñ pβ Ñ cmd αq Ñ cmd α
Read : N Ñ cmd N
Write : N Ñ N Ñ cmd unit
We use notation x Ð c1 ; c2 as shorthand for Bind c1 pλx. c2 q, making it possible
to write some very natural-looking programs in this type. Here are two examples.
array maxp0, aq “ Return a
array maxpi ` 1, aq “ v Ð Read i; array max i pmaxpv, aqq
increment allp0q “ Return pq

increment allpi ` 1q “ v Ð Read i; Ð Write i pv ` 1q; increment all i
Function array max computes the highest value found in the first i slots of
memory, using an accumulator a. Function increment all adds 1 to every one of the
first i memory slots.
Note that we are not writing programs directly as syntax trees, but rather
working with recursive functions that compute syntax trees. We are able to do so
despite the fact that we built no support for recursion into the cmd type family.
Likewise, we didn’t need to build in any support for max, addition, or any of the
other operations that are easy to code up in Gallina.
It is straightforward to implement an interpreter for this object language, where
each command’s interpretation maps input heaps to pairs of output heaps and
results. Note that we have no need for an explicit variable valuation.
JReturn vKh “ ph, vq
JBind c1 c2 Kh “ let ph1 , vq “ Jc1 Kh in Jc2 pvqKh1
JRead aKh “ ph, hpaqq
JWrite a vKh “ phra ÞÑ vs, pqq
We can also define a syntactic Hoare-logic relation for this type, where pre-
conditions are predicates over initial heaps, and postconditions are predicates over
result values and final heaps.
tP uc1 tQu @r. tQprquc2 prqtRu
tP uReturn vtλr, h. P phq ^ r “ vu tP uBind c1 c2 tRu
tP uRead atλr, h. P phq ^ r “ hpaqu tP uWrite a vtλr, h. Dh1 . P ph1 q ^ h “ h1 ra ÞÑ vsu

92 15. DEEP EMBEDDINGS, SHALLOW EMBEDDINGS, AND OPTIONS IN BETWEEN
tP uctQu p@h. P 1 phq ñ P phqq p@r, h. Qpr, hq ñ Q1 pr, hqq

tP 1 uctQ1 u
Much of the details are the same as last chapter, including in a rule of conse-
quence at the end. The most interesting new wrinkle is in the rule for Bind, where
the premise about the body command c2 starts with universal quantification over
all possible results r of executing c1 . That result is passed off, via function appli-
cation, both to the body c2 and to Q, which serves as the postcondition of c1 and
the precondition of c2 .
This Hoare logic can be used to verify the two example programs from earlier
in this section; see the accompanying Coq code for details. We also have a standard
soundness theorem.
Theorem 15.1. If tP uctQu and P phq for some heap h, then let ph1 , rq “ JcKh.
It follows that Qpr, h1 q.
15.3. Adding More Effects

We can continue to enhance our object language with different kinds of side
effects that are not supported natively by Gallina. First, we add nontermination, in
the form of unbounded loops. For a type α, we define Opαq as the type of loop-body
outcomes, either Donepaq to indicate that the loop should terminate or Againpaq to
indicate that the loop should keep running. Our loops are functional, maintaining
accumulators as they run, and the a argument gives the latest accumulator value
in each case. So we add this constructor:
Loop : @α. α Ñ pα Ñ cmd pOpαqqq Ñ cmd α
Here’s an example of looping in action, in a program that returns the address
of the first occurrence of a value in memory, or loops forever if that value is not
found in the whole infinite memory.
index ofpnq “ Loop 0 pλi. v Ð Read i; if v “ n then Return pDonepiqq else Return pAgainpi ` 1qqq
With the addition of nontermination, it’s no longer straightforward to write
an interpreter for the language. Instead, we implement a small-step operational
semantics Ñ; see the accompanying Coq code for details. We build an extended
Invariants Hoare logic, keeping all the rules from last section and adding this new one. Like
before, it is parameterized on a loop invariant, but now the loop invariant takes a
loop-body outcome as parameter.
@a. tIpAgainpaqqucpaqtIu
tIpAgainpiqquLoop i ctλr. IpDoneprqqqu
This new Hoare logic is usable to verify the example program from above and
many more, and we can also prove a soundness theorem. The operational semantics
gives us the standard way of interpreting our programs as transition systems, with
Invariants states pc, hq.
Theorem 15.2. If tP uctQu and P phq for some heap h, then it is an invariant
of pc, hq that, if the command ever becomes Return r in a heap h1 , then Qpr, h1 q.
That is, if the program terminates, the postcondition is satisfied.
We can add a further side effect to the language: exceptions. Actually, we stick
to a simple variant of this classic side effect, where there is just one exception, and
15.3. ADDING MORE EFFECTS 93
it cannot be caught. We associate this exception with program failure, and the
Hoare logic will ensure that programs never actually fail.
The extension to program syntax is easy:
Fail : @α. cmd α
That is, a failing program can be considered to return any result type, since it will
never actually return normally, instead throwing an uncatchable exception.
The operational semantics is also easily extended to signal failures, with a new
special system state called Failed. We also add this Hoare-logic rule.
tλ . KuFailtλ , . Ku
That is, failure can only be verified against an unsatisfiable precondition, so that
we know that the failure is unreachable.
With this extension, we can prove a soundness-theorem variant, capturing the
impossibility of failure. Invariants
Theorem 15.3. If tP uctQu and P phq for some heap h, then it is an invariant
of pc, hq that the state never becomes Failed.
Note that this version of the theorem still tells us interesting things about
programs that run forever. It is easy to implement runtime assertion checking with
code that performs some test and runs Fail if the test does not pass. An infinite-
looping program may perform such tests infinitely often, and we learn that none of
the tests ever fail.
The accompanying Coq code demonstrates another advantage of this mixed-
embedding style: we can extract our programs to OCaml and run them efficiently.
That is, rather than using functional programming to implement our three kinds of
side effects, we implement them directly with OCaml’s mutable heap, unbounded
recursion, and exceptions, respectively. As a result, our extracted programs achieve
the asymptotic performance that we would expect, thinking of them as C-like code,
where interpreters in a pure functional language like Gallina would necessarily add
at least an extra logarithmic factor in the modeling of unboundedly growing heaps.
CHAPTER 16
Separation Logic
In our Hoare-logic examples so far, we have intentionally tread lightly when

it comes to the potential aliasing of pointer variables in a program. Generally, we
have only worked with, for instance, a single array at a time. Reasoning about
multi-array programs usually depends on the fact that the arrays don’t overlap in
memory at all. Things are even more complicated with linked data structures, like
linked lists and trees, which we haven’t even attempted up to now. However, by
using separation logic, a popular variant of Hoare logic, we will find it quite pleasant
to prove programs that use linked structures, with no need for explicit reasoning
about aliasing, assuming that we keep all of our data structures disjoint from each
other through simple coding patterns.
16.1. An Object Language with Dynamic Memory Allocation

Before we get into proofs, let’s fix a mixed-embedding object language.
Commands c ::“ Return v | x Ð c; c | Loop i f | Fail
| Read n | Write n n | Alloc n | Free n n
A small-step operational semantics explains what these commands mean.
ph, c1 q Ñ ph1 , c11 q

ph, x Ð c1 ; c2 pxqq Ñ ph1 , x Ð c11 ; c2 pxqq ph, x Ð Return v; cpxqq Ñ ph, cpvqq
ph, Loop i f q Ñ ph, x Ð f piq; match x with Donepaq ñ Return a | Againpaq ñ Loop a f q
hpaq “ v hpaq “ v
ph, Read aq Ñ ph, Return vq ph, Write a v q Ñ phra ÞÑ v 1 s, Return pqq
1
domphq X ra, a ` nq “ H
ph, Alloc nq Ñ phra ÞÑ 0n s, Return aq ph, Free a nq Ñ ph ´ ra, a ` nq, Return pqq
A few remarks about the last four rules: The basic Read and Write operations
now get stuck when accessing unmapped addresses. The premise of the rule for
Alloc enforces that address a denotes a currently unmapped memory region of size
n. We use a variety of convenient notations that we won’t define in detail here,
referring instead to the accompanying Coq code. Another notation uses 0n to refer
informally to a sequence of n zeroes to write into memory. Similarly, the conclusion
of the Free rule unmaps a whole size-n region, starting at a. We could also have
chosen to enforce in this rule that the region starts out as mapped into h.
95
96 16. SEPARATION LOGIC
16.2. Assertion Logic

Separation logic is based on two big ideas. The first one has to do with the
assertion logic, which we use to write invariants; while the second one has to do
with the program logic, which we use to prove that programs satisfy specifications.
The assertion logic is based on predicates over partial memories, or finite maps
from addresses to stored values. Because they are finite, they omit infinitely many
addresses, and it is crucial that we are able to describe heaps that intentionally
leave addresses out of their domains. Informally, a predicate claims ownership of
addresses in the domains of matching heaps.
We can describe the connectives of separation logic in terms of the sets of partial
heaps that they accept.
emp “ t‚u
p ÞÑ v “ t‚rp ÞÑ vsu
rϕs “ th | ϕ ^ h “ ‚u
Dx. P pxq “ th | Dx. h P P pxqu
P ˚Q “ th1 Z h2 | h1 P P ^ h2 P Qu
The formula emp accepts only the empty heap, while formula p ÞÑ v accepts
only the heap whose only address is p, mapped to value v. We overload the ÞÑ
operator in that second line above, to denote “points-to” on the lefthand side of
the equality and finite-map overriding on the righthand side. Notation rϕs is lifting
a pure (i.e., regular old mathematical) proposition ϕ into an assertion, enforcing
both that the heap is empty and that ϕ is true. We also adapt the normal existential
quantifier to this setting.
The essential definition is the last one, of the separating conjunction ˚. We
use the notation h1 Z h2 for disjoint union of heaps h1 and h2 , implicitly enforc-
ing domph1 q X domph2 q “ H. The intuition of separating conjunction is that we
partition the overall heap into two subheaps, each of which matches one of the
respective conjuncts P and Q. This connective implicitly enforces lack of aliasing,
leading to separation logic’s famous conciseness of specifications that combine data
structures.
We can also define natural comparison operators between assertions, overload-
ing the usual notations for equivalence and implication of propositions.
P ôQ “ @h. h P P ô h P Q
P ñQ “ @h. h P P ñ h P Q
The core connectives satisfy a number of handy algebraic laws. Here is a

sampling (where we note that the first one takes advantage of the overloading of
implication ñ in two different senses).
ϕ ñ pP ñ Qq ϕ P ñ Q ϕ
P ˚ rϕs ñ Q P ñ Q ˚ rϕs P ô rϕs ˚ P
P1 ñ P2 Q1 ñ Q2
P ˚QôQ˚P P ˚ pQ ˚ Rq ô pP ˚ Qq ˚ R P1 ˚ Q1 ñ P2 ˚ Q2
16.3. PROGRAM LOGIC 97
@x. P pxq ñ Q P ñ Qpvq

pP ˚ Dx. Qpxqq ô Dx. P ˚ Qpxq pDx. P pxqq ñ Q P ñ Dx. Qpxq
This set of algebraic laws has a very special consequence: it supports automated
proof of implications by cancellation, where we repeatedly “cross out” matching
subformulas on the two sides of the arrow. Consider this example formula that we
might want to prove.
pDq. p ÞÑ q ˚ Dr. q ÞÑ r ˚ r ÞÑ 0q ñ pDa. Db. Dc. b ÞÑ c ˚ p ÞÑ a ˚ a ÞÑ bq
First, the laws above allow us to bubble all quantifiers to the fronts of formulas.
pDq, r. p ÞÑ q ˚ q ÞÑ r ˚ r ÞÑ 0q ñ pDa, b, c. b ÞÑ c ˚ p ÞÑ a ˚ a ÞÑ bq
Next, all D to the left can be replaced with fresh free variables, while all D to
the right can be replaced with fresh unification variables, whose values, in terms of
the free-variable values, we can deduce in the course of the proof.
p ÞÑ q ˚ q ÞÑ r ˚ r ÞÑ 0 ñ ?b ÞÑ?c ˚ p ÞÑ?a ˚ ?a ÞÑ?b
Next, we find matching subformulas to cancel. We start by matching p ÞÑ q
with p ÞÑ?a, learning that ?a “ q and reducing to the following formula. This
crucial step relies on the three key properties of ˚, given in the second row of rules
above: commutativity, associativity, and cancellativity.
q ÞÑ r ˚ r ÞÑ 0 ñ ?b ÞÑ?c ˚ q ÞÑ?b
We run another cancellation step of q ÞÑ r against q ÞÑ?b, learning ?b “ r.
r ÞÑ 0 ñ r ÞÑ?c
Now we can finish the proof by reflexivity of ñ, learning ?c “ 0.
16.3. Program Logic

We use our automatic cancellation procedure to discharge some of the premises
from the rules of the program logic, which we present now. First, here are the rules
that are (almost) exactly the same as from last chapter.
tP uc1 tQu p@r. tQprquc2 prqtRuq

tP uReturn vtλr. P ˚ rr “ vsu tP ux Ð c1 ; c2 pxqtRu
@a. tIpAgainpaqquf paqtIu

tIpAgainpiqquLoop i f tλr. IpDoneprqqu trKsuFailtλ . rKsu
tP uctQu P 1 ñ P @r. Qprq ñ Q1 prq

tP 1 uctQ1 u
More interesting are the rules for primitive memory operations. First, we have
the rule for Read.
tDv. a ÞÑ v ˚ RpvquRead atλr. a ÞÑ r ˚ Rprqu

In words: before reading from address a, it must be the case that a points to
some value v, and predicate Rpvq records what else we know about the memory at
that point. Afterward, we know that a points to the result r of the read operation,
and R is still present. We call R a frame predicate, recording what we know about
98 16. SEPARATION LOGIC
parts of memory that the command does not touch directly. We might also say that
the footprint of this command is the singleton set tau. In general, frame predicates
record preserved facts about addresses outside a command’s footprint. The next
few rules don’t have frame predicates baked in; we finish with a rule that adds them
back, in a generic way for arbitrary Hoare triples.
tDv. a ÞÑ vuWrite a v 1 tλ . a ÞÑ v 1 u
This last rule, for Write, is even simpler. We see a straightforward illustration
of overwriting a’s old value v with the new value v’.
tempuAlloc ntλr. r ÞÑ 0n u ta ÞÑ ?n uFree a ntλ . empu

The rules for allocation and deallocation deploy a few notations that we don’t
explain in detail here, with 0n for sequences of n zeroes and ?n for sequences of n
arbitrary values.
The next rule, the frame rule, gives the second key idea of separation logic,
supporting the small-footprint reasoning style.
tP uctQu
tP ˚ Ructλr. Qprq ˚ Ru
In other words, any Hoare triple can be extended by conjoining an arbitrary
predicate R in both precondition and postcondition. Even more intuitively, when
a program satisfies a spec, it also satisfies an extended spec that records the state
of some other part of memory that is untouched (i.e., is outside the command’s
footprint).
For the pragmatics of proving particular programs, we defer to the accompany-
Modularity ing Coq code. However, for modular proofs, the frame rule has such an important
role that we want to emphasize it here. It is possible to define (recursively) a
predicate llistpℓ, pq, capturing the idea that the heap contains exactly an imperative
linked list, rooted at pointer p, representing functional linked list ℓ. We can also
prove a general specification for a list-reversal function:
@ℓ, p. tllistpℓ, pqureverseppqtλr. llistprevpℓq, rqu
Now consider that we have the roots p1 and p2 of two disjoint lists, respec-
tively representing ℓ1 and ℓ2 . It is easy to instantiate the general theorem and get
tllistpℓ1 , p1 qureversepp1 qtλr. llistprevpℓ1 q, rqu and tllistpℓ2 , p2 qureversepp2 qtλr. llistprevpℓ2 q, rqu.
Applying the frame rule to the former theorem, with R “ llistpℓ2 , p2 q, we get:
tllistpℓ1 , p1 q ˚ llistpℓ2 , p2 qureversepp1 qtλr. llistprevpℓ1 q, rq ˚ llistpℓ2 , p2 qu
Similarly, applying the frame rule to the latter, with R “ llistprevpℓ1 q, rq, we get:
tllistpℓ2 , p2 q ˚ llistprevpℓ1 q, rqureversepp2 qtλr1 . llistprevpℓ2 q, r1 q ˚ llistprevpℓ1 q, rqu
Now it is routine to derive the following spec for a larger program:
tllistpℓ1 , p1 q ˚ llistpℓ2 , p2 qu
r Ð reversepp1 q; r1 Ð reversepp2 q; Returnpr, r1 q
tλpr, r1 q. llistprevpℓ1 q, rq ˚ llistprevpℓ2 q, r1 qu
Note that this specification would be incorrect if the two input lists could share
any memory cells! The separating conjunction ˚ in the precondition implicitly
formalizes our expectation of nonaliasing. The proof internals require only the basic
16.4. SOUNDNESS PROOF 99
rules for Return and sequencing, in addition to the rule of consequence, whose side
conditions we discharge using the cancellation approach sketched in the previous
section.
Note also that this highly automatable proof style works just as well when
calling functions associated with several different data structures in memory. The
frame rule provides a way to show that any function, in any library, preserves
arbitrary memory state outside its footprint.
16.4. Soundness Proof

Our Hoare logic is sound with respect to the object language’s operational
semantics. Invariants
Theorem 16.1. If tP uctQu and P p‚q, then it is an invariant of the transition
system starting from p‚, cq that either the command has become a Return or another
execution step is possible.
As usual, the key to the proof is to find a stronger invariant that can be proved
by invariant induction. In this case, we use the invariant λph, cq. tthuuctQu. That
is, assert a Hoare triple where the precondition enforces exact heap equality with
the current heap. The postcondition can remain the same throughout execution.
A few key lemmas are interesting enough to mention here; we leave other details
to the Coq code.
First, we need to prove that this fancier invariant implies the one from the
theorem statement, and the most direct statement needs to be strengthened, to get
the induction to go through.
Lemma 16.2 (Progress). If tP uctQu and P ph1 q, then either c is a Return or it
is possible to take a step from ph1 Z h2 , cq, for any disjoint h2 .
Note the essential inclusion of a disjoint union with the auxiliary heap h2 .
Without this strengthening of the obvious property, we would get stuck in the case
of the proof for the frame rule.
Lemma 16.3 (Preservation). If ph, cq Ñ ph1 , c1 q and tthuuctQu, then tth1 uuc1 tQu.
Proof. By induction on the derivation of ph, cq Ñ ph1 , c1 q. □
The different cases of the proof depend on some not-entirely-obvious inversion
lemmas. For instance, here is the one we prove for Write.
Lemma 16.4. If tP uWrite a v 1 tQu, then there exists R such that:
‚ P ñ Dv. a ÞÑ v ˚ R
‚ a ÞÑ v 1 ˚ R ñ Qppqq
Proof. By induction on the derivation of tP uWrite a v 1 tQu. □
Again, without the introduction of the R variable, we would get stuck proving
the case for the frame rule.
CHAPTER 17
Connecting to Real-World Programming

Languages
Our exercises so far have been confined to proofs of programs in idealized

programming languages. How can proof assistants be used to derive results about
full-scale languages? Developers are already used to coordinating build processes
that plumb together multiple languages and tools. A proof assistant like Coq can
become one tool in such a build flow. However, the interesting wrinkle that arises is
the chance to do more than just get tools cooperating on building executable code.
We can also get tools cooperating on generating proofs of parts of the system.
It is worth emphasizing that this whole subject is a very active area of research.
There are many competing approaches, and it is not clear which will be most
practical in the long run. With this chapter, we survey the interesting design
dimensions and approaches to them that are known today. We also go into more
detail on one avant-garde approach, of verified compilation of shallowly embedded
programs to deeply embedded programs in Coq.
17.1. Where Does the Buck Stop?

For any system where we really care about correctness (or its special case
of security), it is common to delineate a trusted code base (TCB): the parts of the
system where bugs could invalidate correctness. By implication, system components
outside the TCB can be arbitrarily buggy without endangering correctness.
When we use Coq, the Coq proof checker itself is in the TCB. Implicitly, all the
infrastructure below the proof checker is also trusted. That includes the OCaml
compiler (since Coq is implemented in OCaml), the operating-system kernel, the
processor beneath, and so on. Interestingly, most of Coq is not trusted. For
instance, the tactic engine outputs proof terms in a core language, and we only
need to trust the (relatively small) checker for that language.
The point is, we always draw the trust boundary somewhere, and we always
reason informally starting at some layer of a system. Our real-world-connecting
examples of prior chapters have stopped at extracting OCaml code from Coq de-
velopments. We could avoid trusting extraction (and the OCaml compiler) by
instead proving properties of C abstract syntax trees. However, then we are still
trusting the C compiler! So we could verify that compiler and even the operating
system its outputs run on. However, then we are still trusting the computer pro-
cessor! So we could verify the processor, even down to the level of circuits with
analog dynamics modeled using differential equations. However, then we are still
trusting our characterization of the laws of physics!
In summary, it is naive to suggest that some formal-methods developments
“prove the whole system” while others do not.
101
102 17. CONNECTING TO REAL-WORLD PROGRAMMING LANGUAGES
17.2. Modes of Connecting to Real Artifacts

Encoding
Any strategy in this space involves some connection between a proved compo-
nent and an unproved component. Oversimplifying a bit, we are considering what
is the “last level” of a proof that spans multiple abstraction layer. (The “first level”
will be the top-level specification of an application or whatever other piece has a
proof that is not used as a lemma for some other proof.)
17.2.1. Modes Based on Extraction. The easiest “last level” connection
is via extraction, which translates Gallina programs into functional programs in
languages like OCaml, Haskell, and Scheme. Other proof assistants than Coq tend
to include similar extraction facilities. When the formal object of study is already
a purely functional program, extraction is a very natural fit. Its main downsides
are TCB size and performance. On the TCB front, a variety of compilers, including
the one for extraction itself, remain trusted. On the performance front, it is often
possible to make a functional program run much faster or use much less memory
by translating it to, say, a C program that doesn’t rely on garbage collection.
Extraction can be part of other, less-obvious connections, where we bring cer-
tain kinds of side effects and real-world interactions into scope. For instance, a
common class of applications is reactive systems. The system is viewed as an ob-
ject, in the sense of object-oriented programming, with encapsulated private state
and public methods that are allowed to read and modify that state. Some methods
are designated as event handlers: they are called when various input events take
place in the real world, like when a packet is received from a network. An event
handler in turn signals output actions to take in response. This model is actually
quite easy to implement using extraction: a reactive system is a choice of private
state type plus a set of pure functions, each taking in the state and returning the
new modified state. The pure functions are the methods of the object. Expressive
power in this style is very high, though the TCB-size and performance objections
remain.
In Chapter 15, we already saw another approach to adding side effects atop
extracted code: extract syntax trees, perhaps in a mixed embedding, run with an
interpreter coded directly in the target language of extraction. That interpreter is
free to use whatever side effects the host language supports. If anything, the TCB-
size and performance objections increase with this approach, given the additional
level of indirection that comes from using syntax trees and interpretation. However,
the flexibility can be very appealing, with a straightforward means of allowing most
any side effect.
17.2.2. Modes Based on Explicit Rendering. Another “last level” strat-

egy is to do explicit translation between abstract syntax trees and concrete, textual
code formats. These translations usually have nothing proved about them, mean-
ing they belong to TCBs, but often the translators are simple enough that it is
relatively unworrying to trust them.
In one direction, we implement a tool that takes in, say, the textual syntax
of C code, outputting Coq source code for corresponding explicit syntax trees.
Now we can reason about these trees like any other mathematical objects coded
manually in Coq. A downside of this approach is that it is relatively complex to
parse mainstream programming languages, yet we are trusting just such a parser.
However, this style often supports the smoothest integration with legacy code bases.
17.4. CASE STUDY: FROM A MIXED EMBEDDING TO A DEEP EMBEDDING 103
In the other direction, we write a Coq function from syntax trees to strings
of concrete code in some widely used language. This function is still trusted, but
it tends to be much shorter and worthy of trust than its inverse. Coq can be
run as part of a build process, printing to the screen the string that has been
computed from a syntax tree. A scripting language can be used to extract the
string from Coq’s output, write it to a file, and call a conventional compiler. A
major challenge of this approach is that only deeply embedded languages have
straightforward printing to concrete syntax, in practice, while shallowly embedded
languages tend to be easier to do proofs about.
17.3. The Importance of Modularity

Modularity
Our discussion so far leaves out an important dimension. Often significant
projects are divided into libraries, and we want to be able to prove libraries inde-
pendently of each other. We have a few choices for facing this reality of large-scale
development.
The easiest approach is to use Coq pipelines to generate single libraries, which
are linked outside of Coq. Our libraries may even be linked with modules written
in other languages or that would otherwise resist whatever proof methods we used.
These connections across languages may enlarge the TCB significantly, but we can
boost performance by linking with crucial but unverified code.
We may also want to give modules first-class status in Coq and prove the
correctness of linking mechanisms. In concert with verified compilers, possibilities
open up to do linking across languages without expanding the TCB. All languages
can be compiled to some common format, like assembly language, and the compiled
version of each library can be given a specification in a common logical format, like a
particular Hoare logic. With all the pieces in place, we wind up with the semantics
of the common language in the TCB, but the compilers and all aspects of their
source languages stay outside the TCB.
17.4. Case Study: From a Mixed Embedding to a Deep Embedding

This chapter’s associated Coq code works out a case study of verified compila-
tion from a mixed embedding to a deep embedding, realizing one of the “last level”
options above that keeps the best of both worlds: straightforward program proof
with a mixed embedding, but the smaller TCB and improved performance that
comes from outputting concrete C syntax from Coq.
17.4.1. Source and Target Languages. Our mixed-embedding source lan-
guage will be a simplification of last chapter’s language.
Commands c ::“ Return v | x Ð c; c | Loop i f | Read n | Write n n
Our deep-embedding target language will expose essentially the same features
but more in the traditional style of C and related languages.
Expressions e ::“ x | n | e ` e | ˚res
Statements s ::“ skip | x Ð e | ˚res Ð e | s; s | if e then s else s | while e do s
We assume standard small-step semantics for both languages, referring to the
Coq code for details. A state of the source language takes the form ph, cq for a
heap h, while a state of the target language adds a variable valuation v, for triples
ph, v, cq.
17.4.2. Formal Compilation. It is not at all obvious how to translate from

a mixed embedding to a deep embedding. We can’t just write a compiler as a Gal-
lina function, because the Bind construct is encoded using functions of the meta-
language. As a result, there is no way to “recurse under a binder”!
However, inductive predicate definitions give us all the power we need, when
we mix in the power of logical quantifiers. We will define a judgment v $ c ãÑ
s, indicating that mixed-embedded command c can be compiled to statement s,
assuming that we start running s when the valuation includes every mapping from
v.
A good warmup is defining a related judgment v $ n ãÑ e, compiling normal
Gallina numeric expressions n into syntactic expressions e.
vpxq “ n v $ n1 ãÑ e1 v $ n2 ãÑ e2
v $ n ãÑ x v $ n1 ` n2 ãÑ e1 ` e2
So far, the logic is straightforward. When we want to mention a number, it
suffices to find a variable that has already been assigned that number. Translation
recurses through addition in a natural way. (Note that, in the addition rule, the
“+” on the left of the arrow is normal Gallina addition, while the “+” on the right
is syntactic “plus” of the deeply embedded language!)
Another rule may appear at first to be overly powerful.
v $ n ãÑ n
That is, any numeric expression may be injected into the deep embedding as
a constant. How can we hope to embed all Gallina expressions in C? The details
of the command-compilation rules reveal why we are safe, so let us turn to those
rules.
The rules we show here are simplified from the full set in the Coq development,
supporting an even smaller subset of the source language, to make the presentation
easier to understand. The rule for lone Return commands is simple, delegating most
of the work to expression compilation, using a designated variable result to hold
the final answer of a command.
v $ n ãÑ e
v $ Return n ãÑ result Ð e
The most interesting rules cover uses of Bind on various primitive operations
directly. Here is the simplest such rule, where the primitive is simple Return.
y R dompvq v $ n ãÑ e p@w. vry ÞÑ ws $ cpwq ãÑ sq

v $ x Ð Return n; cpxq ãÑ y Ð e; s
This rule selects a deep-embedding variable name y to correspond to x in the
source program. (Actually, the source-program Bind is encoded as a call to a higher-
order function, so no choice of a particular x is present.) The name y must not
already be present in the valuation v – it must not have been chosen already for a
command executed earlier. Next, we find an expression e that represents the value
n being bound. Finally, we reach the trickiest part. The statement s needs to
represent the Bind body c, for any value w that n might evaluate to. For every such
choice w, we extend v to record that w was assigned to y. In parallel, we pass w
into the body c. As a result, the expression-translation rule for variables can pick
up on this connection and compile mentions of w into uses of y!
17.4. CASE STUDY: FROM A MIXED EMBEDDING TO A DEEP EMBEDDING 105
Here is where we see why it wasn’t problematic earlier to include a rule that
translates any number n into a constant in the deep embedding. Most numeric
expressions in a source program will depend on results of earlier Bind operations.
However, the quantified premise of the last rule enforces that the output statement
s is not allowed to depend on w directly! The values of introduced variables can
only be accessed through deeply embedded variable names. In other words, if we
tried to use the constant rule directly to prove the quantified premise of that last
rule, when the body involves a Return of a complex expression that mentions the
bound variable, we would generate s that includes w, which is not allowed.
Similar rules are present for Read and Write, which interestingly are compiled
the same way as Return. From a syntactic, compilation standpoint, they do not
behave differently from pure computation. More involved and raising new compli-
cations is the rule for loops; see the Coq code for details.
17.4.3. Soundness Proof.

Theorem 17.1. If v $ c ãÑ s, then the source-language transition system
starting at ph, cq simulates the target-language transition system starting at ph, v, sq.
Proof. In other words, every execution of the target-language system can
be mimicked by one of the source-language system, where the states are connected
throughout by some relation that we choose. A good choice is the relation „ defined
by this inference rule.
v $ c ãÑ s
ph, v Z v 1 , sq „ ph, cq
Note that the only departure from the theorem statement itself is the allowance
for compiled program s to run in a larger valuation than we compiled it against.
It is safe to provide extra variables v 1 (merged into v with disjoint union), so
long as the program never reads them, which our translation judgment enforces.
We need to allow for extra variables because loop bodies run multiple times, with
later iterations technically being exposed to temporary-variable values set by earlier
iterations.
Actually, we need to modify our translation judgment so that it also applies
to “silly” intermediate states of execution in the target language. For instance, we
wind up with skips that are quickly stepped away, yet those configurations must be
related to source configurations by „. Here is one example of the extra rules that
we need to add to make our induction hypothsis strong enough.
vpyq “ n v $ cpnq ãÑ s
v $ x Ð Return n; cpxq ãÑ skip; s
The premises encode our expectation that an assignment of n to y “just ran.”
□
This result can be composed with soundness of any Hoare logic for the source
language. The associated Coq code defines one, essentially following our separation
logic from last chapter.
Theorem 17.2. If tP uctQu, P phq, v $ c ãÑ s, and result R dompvq, then
it is an invariant of the transition system starting in ph, v, sq that execution never
gets stuck.
Proof. First, we switch to proving an invariant of the system ph, cq using

the simulation from Theorem 17.1. Next, we use the soundness theorem of the
Hoare logic to weaken the invariant proved in that way into the one we want in the
end. □
At this point, we can verify the high-level program conveniently while arriving
at a low-level program automatically. That low-level program is easy to print as a
string of concrete C code, as the associated Coq code demonstrates. We only trust
the simple printing process, not the compiler that got us from a mixed embedding
to a C-like syntax tree.
CHAPTER 18
Deriving Programs from Specifications
We have generally focused so far on proving that programs meet specifications.

What if we could generate programs from their specifications, in ways that guaran-
tee correctness? Let’s explore that direction, in the tradition of program derivation
via stepwise refinement.
18.1. Sets as Computations

The heart of stepwise refinement is to start with a specification and gradually
transform it until it deserves to be called an implementation. It will help to use
a common program format for specifications, implementations, and intermediate
states on the path from the former to the latter. One convenient choice is sets of
allowable answers. A specification is naturally considered as a relation R between
inputs and outputs, where the set-based version of the specification for inputs
x is specpxq “ ty | x R yu. An implementation is naturally considered as a
function f from an input to an output, which can be modeled with singleton sets
as implpxq “ tf pxqu. Intermediate terms in our derivations may still be sets with
multiple elements, but we aim to winnow down to single choices eventually.
Computations of this kind form a monad with respect to two particular oper-
ators. Monads are an abstraction of sequential computation, popular in functional
programming. They require definitions of “return” and “bind” operators, which we
give here, writing P for the “powerset” operator that lifts types into sets.
ret : @α. α Ñ Ppαq
ret “ λx. txu
bind @α, β. Ppαq Ñ pα Ñ Ppβqq Ñ Ppβq
:
ď
bind “ λc1 . λc2 . c2 pxq
xPc1
We write x Ð c1 ; c2 pxq as shorthand for bind c1 c2 .

A valid monad must also satisfy three algebraic laws. We will state just one of
those laws here, with respect to the superset relation Ě, which we read as “refines
into.” That is, the lefthand operand is a more specification-like computation, which
we want to replace with the righthand operand, which should be more concrete.
In other words, any legal answer for the new computation is also legal for the old
one. However, we may decide that the new computation rules out some answers
that were previously under consideration. If we rule out all the possible answers,
then we will be stuck, if we ever want to refine to a singleton set!
With our notion of refinement in place, we can state three key properties, the
first of which is one of the monad laws.
Theorem 18.1. bind pret vq c Ě cpvq.
107
108 18. DERIVING PROGRAMS FROM SPECIFICATIONS
Theorem 18.2. If c1 Ě c11 , then bind c1 c2 Ě bind c11 c2 .

Theorem 18.3. If @x. c2 pxq Ě c12 pxq, then bind c1 c2 Ě bind c1 c12 .
Together with the well-known reflexivity and transitivity of Ě, these laws set us
up for convenient equational reasoning. That is, we start from a specification and
repeatedly rewrite in it using Ě facts, until we arrive at an acceptable implemen-
tation (singleton set whose element reads as an efficient computation). Rewriting
requires us to descend inside the structure of a term to find a match for the lefthand
side of a Ě fact. When we descend into the first argument or second argument of
a bind, we appeal to Theorem 18.2 or 18.3, respectively. We also use transitivity
of Ě to chain together multiple rewritings. Finally, we use Theorem 18.1 whenever
we have reduced a prefix of a computation into deterministic code.
The associated Coq code contains an example of this kind of refinement in ac-
tion. There are enough details that mechanized assistance is especially worthwhile.
18.2. Refinement for Abstract Data Types

Abstract data types (ADTs) are an important program-encapsulation feature
that we studied in Chapter 3. Recall that they package private state together with
public methods that can manipulate it, somewhat in the style of object-oriented
programming. Let us now study how to start from an ADT specification and refine
it gradually into an efficient implementation, in a way that leaves a “proof trail”
justifying correctness.
For simplicity, we will force all methods to take N as input and return N as
output, in addition to the implicit threading-through of an object’s private state.
The whole theory generalizes to methods of varying type.
Definition 18.4. An abstract data type (ADT) over a set M of methods is a
triple xS, C, MmPM y, where S is the set of private states, C : PpSq is a constructor
that initializes the state, and each Mm : S ˆ N Ñ PpS ˆ Nq is a method.
Note that constructor and method bodies live in the computation monad, al-
lowing them to be nondeterminstic and to mix program-style and specification-style
code.
1
@ 1 1 1
D
@ 2 2Definition D 18.5. Consider two ADTs T “ S , C , M mPM and T 2 “
S , C , MmPM over the same methods M . We say that T refines T 1 (writ-
2 2
ten, with overloaded notation, as T 1 Ě T 2 ) when there exists binary relation R on

S 1 and S 2 such that:
(1) @s2 P C 2 . Ds1 P C 1 . s1 R s2
@m, s1 , s2 . s1 R s2 ñ @x, y, s12 . ps12 , yq P M2m ps2 , xq
(2)
ñ Ds11 . ps11 , yq P M1m ps1 , xq ^ s11 R s12
In fact, the relation R here is a simulation, in the sense of Chapter 10! Intu-
itively, any sequence of method calls on T 2 can be simulated with the same sequence
of method calls on T 1 yielding the same answers. The private states in the two
worlds needn’t be precisely equal, but at each step they must remain related by R.
A number of very handy refinement principles apply.
Theorem 18.6 (Reflexivity). T Ě T .
Proof. Justified by choosing the simulation relation to be equality. □
18.3. ANOTHER EXAMPLE REFINEMENT PRINCIPLE: ADDING A CACHE 109
Theorem 18.7 (Transitivity). If T1 Ě T2 and T2 Ě T3 , then T1 Ě T3 .

Proof. Justified by choosing the simulation relation for the conclusion to be
the composition of the relations for the premises. □
1 2
@ 1
D
@ Theorem
2
D18.8 (Focusing on a constructor). If C Ě C , then S, C , MmPM Ě
S, C , MmPM .
Theorem 18.9 (Focusing on a method). Let m be one of the methods for T ,
and let the body of that method be c. Let T 1 be the result of replacing m’s body in
T with a new function c1 . If @s, x. cps, xq Ě c1 ps, xq, then T Ě T 1 .
The next simulation principle is one of the most powerful.
Theorem 18.10 (Change of representation). Let T “ xS, C, MmPM y be an
ADT, and pick A : S 1 Ñ S (for some new state set S 1 ) as an abstraction function.
Now define T 1 “ xS 1 , C 1 , M1mPM y, where:
(1) C 1 “ s Ð C; ts1 | Aps1 q “ su
(2) M1m “ λs10 , x. ps, yq Ð Mm pAps10 q, xq; s1 Ð ts1 | Aps1 q “ su; ret ps1 , yq
Then T Ě T 1 .
Proof. Justified by choosing the simulation relation tpApsq, sq | s P S 1 u. □
The intuition of representation change is that we choose S 1 as some clever new
data structure. We are responsible for a formal characterization of how it relates
to the original, more obvious data structure. Abstraction function A shows how to
“undo our cleverness,” computing the old version of a state. It would generally be
inefficient to run this conversion on every method call. Luckily, the new method
bodies generated by this rule can be subjected to further optimization! For instance,
we can use Theorem 18.9 to rewrite method bodies further. We will especially want
to do so to replace subcomputations of the form ts1 | Aps1 q “ su, which stand for
calling A´1 on particular values. Of course not every function has an inverse as a
total relation, let alone a total function, so there is no purely mechanical way to
rewrite inverse function calls into executable code.
See the associated Coq code for some examples of these rules in action for
concrete program derivations. It turns out that Theorems 18.6 through 18.10 are
complete: any correct refinement fact on ADTs can be proved using them alone.
18.3. Another Example Refinement Principle: Adding a Cache

Still, it can be helpful to formulate additional ADT-refinement principles, cap-
turing common optimization strategies. As an example, we formalize the idea of
adding a cache to a data structure, which is also known as finite differencing in the
literature.
Theorem 18.11 (Adding a cache). Let T “ xS, C, MmPM y be an ADT, and
pick a method m such that Mm “ λs, x. ret ps, f psqq for some pure function f :
S Ñ N. Now define T 1 “ xS ˆ N, C 1 , M1mPM y, where:
(1) C 1 “ s Ð C; ret ps, f psqq
(2) M1m “ λps, cq, x. ret pps, cq, cq
110 18. DERIVING PROGRAMS FROM SPECIFICATIONS
(3) For m1 ‰ m, M1m1 “ λps, cq, x. ps1 , yq Ð Mm ps, xq; c1 Ð tc1 | f psq “ c ñ
f ps1 q “ c1 u; ret pps1 , c1 q, yq
Then T Ě T 1 .
Proof. Justified by choosing the simulation relation tps, ps, f psqqq | s P Su.
□
Intuitively, method m is a pure observer, not changing the state, only returning
some pure function f of it. We change the state set from S to S ˆ N, so that the
second component of a state caches the output of f on the first component. Like
in a change of representation, method bodies are all rewritten automatically, but
pick-from-set operations are inserted, and we must refine them away to arrive at a
final implementation.
Here the crucial such pattern is tc1 | f psq “ c ñ f ps1 q “ c1 u. Intuitively, we
are asked to choose a cache value c1 that is correct for the new state s1 , while we
are allowed to assume that the prior cache value c was accurate for the old state s.
Therefore, it is natural to give an efficient formula for computing c1 in terms of c.
CHAPTER 19
Introduction to Reasoning About Shared-Memory

Concurrency
Separation logic tames sharing of a mutable memory across libraries and data
structures. We will need some additional techniques when we add concurrency
to the mix, resulting in the shared-memory style of concurrency. This chapter
introduces a basic style of operational semantics for shared memory, also studying
its use in model checking, including with an important optimization called partial-
order reduction. The next chapter shows how to prove deeper properties of fancier
programs, by extending the Hoare-logic approach to shared-memory concurrency.
Then the chapter after that shows how to formalize and reason about a different
style of concurrency, message passing.
19.1. An Object Language with Shared-Memory Concurrency

For the next two chapters, we work with this object language.
Commands c ::“ Fail | Return v | x Ð c; c | Read a | Write a v | Lock a | Unlock a | c||c
In addition to the basic structure of the languages from Chapters 15 and 16,
we have three features specific to concurrency. We follow the common “threads and
locks” style of synchronization, with commands Lock a and Unlock a for acquiring
and releasing locks, respectively. We also have c1 ||c2 for running commands c1 and
c2 in parallel, giving a scheduler free reign to interleave their atomic steps.
The operational semantics is small-step, especially because big-step semantics
is notoriously awkward for concurrency. Each state of the system is a triple ph, l, cq,
with h and c the heap and current command from our usual semantics. New compo-
nent l is a lockset, recording which locks are currently held, without distinguishing
between different threads that might have taken them.
ph, l, c1 q Ñ ph1 , l1 , c11 q

ph, l, x Ð c1 ; c2 pxqq Ñ ph1 , l1 , x Ð c11 ; c2 pxqq ph, l, x Ð Return v; c2 pxqq Ñ ph, l, c2 pvqq
ph, l, Read aq Ñ ph, l, Return hpaqq ph, l, Write a vq Ñ phra ÞÑ vs, l, Return 0q
aRl aPl
ph, l, Lock aq Ñ ph, l Y tau, Return 0q ph, l, Unlock aq Ñ ph, lztau, Return 0q
ph, l, c1 q Ñ ph1 , l1 , c11 q ph, l, c2 q Ñ ph1 , l1 , c12 q

ph, l, c1 ||c2 q Ñ ph1 , l1 , c11 ||c2 q ph, l, c1 ||c2 q Ñ ph1 , l1 , c1 ||c12 q
111
112 19. INTRODUCTION TO REASONING ABOUT SHARED-MEMORY CONCURRENCY
Note that the last two rules are the only source of nondeterminism in this
semantics, where a single state can step to multiple different next states. This non-
determinism corresponds to the freedom we give to a scheduler that may pick which
thread runs next. Though this kind of concurrent programming is very expressive
and often achieves very high performance, it comes at a cost in reasoning, as there
may be exponentially many different schedules for a single program, measured with
respect to the textual length of the program. A popular name for this pitfall is the
state-explosion problem.
Note also that we have omitted any looping constructs from this object lan-
guage, so all programs terminate. The Coq formalization uses the mixed-embedding
style, making it not entirely obvious that all programs really do terminate. In any
case, if we must tame the state-explosion problem, we already have our work cut
out for us, even when the state space rooted at any concrete state is finite!
19.2. Shrinking the State Space via Local Actions

Recall our study of model checking in Chapter 7. With a little cleverness,
many problems in program verification can be reduced to exploration of finite state
spaces of transition systems. In particular, we looked at safety properties, which
can be expressed as invariants of transition systems. One simply follows all the
edges in the graph determined by a transition system, accepting the program if
that process terminates without finding a state that violates the invariant. For our
object language in this chapter, a good safety property is that commands are not
about to fail, formalized as:
natfpFailq “ K
natfpx Ð c1 ; c2 pxqq “ natfpc1 q
natfpc1 ||c2 q “ natfpc1 q ^ natfpc2 q
natfp q “ J
Here is an example of a program execution that avoids failures.
p‚r0 ÞÑ 1s, H, n Ð Read 0; Write 0 pn ` 1qq Ñ p‚r0 ÞÑ 1s, H, n Ð Return 1; Write 0 pn ` 1qq
Ñ p‚r0 ÞÑ 1s, H, Write 0 p1 ` 1qq
Ñ p‚r0 ÞÑ 2s, H, Return 0q
When exploring the state space of this program, a näive model checker will
generate each of these states explicitly, even the “silly” second one that reduces to
the third without reading or writing the shared state. We can short-circuit those
extra states by writing a simple function that makes all appropriate purely local
reductions, everywhere within a command.
tx Ð c1 ; c2 pxqu “ tc2 pvqu, when tc1 u “ Return v
tx Ð c1 ; c2 pxqu “ x Ð tc1 u; tc2 pxqu, when tc1 u is not Return
tc1 ||c2 u “ tc1 u||tc2 u
tcu “ c
Using this relation, we can define an alternative step relation that short-circuits
local steps.
ph, l, cq Ñ ph1 , l1 , c1 q
ph, l, cq ÑL ph1 , l1 , tc1 uq
19.3. BASIC PARTIAL-ORDER REDUCTION 113
The base semantics can be used to define transition systems in the usual way,
with Tph, l, cq “ xtph, l, cqu, Ñy. We can also define short-circuiting transition sys-
tems with TL ph, l, cq “ xtph, l, tcuqu, ÑL y. A theorem shows that the latter overap-
proximates the former. Abstraction
Theorem 19.1. If natf is an invariant of TL ph, l, cq, then it is also an invariant
of Tph, l, cq.
Proof. By induction on a trace ph, l, cq Ñ˚ ph1 , l1 , c1 q, matching each original
step with zero or one alternative steps. We appeal to a number of lemmas, some of
which are summarized below. □
Lemma 19.2. For all c, ttcuu “ tcu.
Proof. By induction on the structure of c. □
Lemma 19.3. If ph, l, cq Ñ ph1 , l1 , c1 q, then either ph1 , l1 q “ ph, lq and tc1 u “ tcu
(the step was local), or there exists c2 where ph, l, tcuq Ñ ph1 , l1 , c2 q and tc2 u “ tc1 u
(the step was not local).
Proof. By induction on the derivation of ph, l, cq Ñ ph1 , l1 , c1 q, appealing in
places to to Lemma 19.2. □
Lemma 19.4. If natfptcuq, then natfpcq.
Proof. By induction on the structure of c. □
19.3. Basic Partial-Order Reduction

What made the reduction in Theorem 19.1 sound? It was that local actions
commute with all actions in other threads. A particular run of a system in the
base semantics might indeed choose to run a nonlocal action before a local action
that is enabled. However, we can reorder any such action to instead come after
every enabled local action, without affecting the final state. This reordering is an
example of commutativity in action.
By recognizing and exploiting other varieties of commutativity, we can shrink
state spaces even further, even reducing the spaces of certain interesting program
families from exponential size to linear size. A popular technique of this kind is
partial-order reduction. We formalize a simple variant of it in this section (and
in the accompanying Coq code), then sketch a less formal generalization in the
chapter’s final section.
To check commutativity more flexibly, we must use more than just the fact
that a local action commutes with any action in another thread. For instance, we
should take advantage of the fact that any two Read actions commute. We will do
some static analysis of programs to overapproximate which kinds of atomic actions
they might perform. Such an analysis is designed to be trivially computable. Here’s
an example of one analysis, formulated as a relation summarizepc, pr, w, ℓqq, which
asserts that the only globally visible actions that could be performed by thread c
are reads to addresses in r, writes to addresses in w, and acquires or releases of
locks in ℓ.
summarizepc1 , sq @r. summarizepc2 prq, sq

summarizepReturn r, sq summarizepFail, sq summarizepx Ð c1 ; c2 pxq, sq
aPr aPw
summarizepRead a, pr, w, ℓqq summarizepWrite a v, pr, w, ℓqq
aPℓ aPℓ
summarizepLock a, pr, w, ℓqq summarizepUnlock a, pr, w, ℓqq
summarizepc1 , sq summarizepc2 , sq
summarizepc1 ||c2 , sq
Those relations do all we need to do to record which actions a thread might
not commute with. The other key ingredient is an extractor for the next atomic
action in a thread, written as a partial function.
nextActionpReturn rq “ Return r
nextActionpFailq “ Fail
nextActionpRead aq “ Read a
nextActionpWrite a vq “ Write a v
nextActionpLock aq “ Lock a
nextActionpUnlock aq “ Unlock a
nextActionpx Ð c1 ; c2 pxqq “ nextActionpc1 q
Given a next atomic action and a summary of another thread, it is now easy
to define commutativity of the two.
commutespReturn , q “ J
commutespFail, q “ J
commutespRead a, p , w, qq “ aRw
commutespWrite a , pr, w, qq “ aRrYw
commutespLock a, p , , ℓqq “ aRℓ
commutespUnlock a, p , , ℓqq “ aRℓ
commutesp , q “ K
With these ingredients, we can define a predicate porSafe that figures out when
a state is eligible for the partial-order-reduction optimization, which is to force the
first thread to run next, ignoring the other threads for now. In working out the
formal details, we will confine ourselves to commands c1 ||c2 with distinguished “first
threads” c1 , though everything can be generalized to other settings (and doing that
generalization could be a worthwhile exercise for the reader, though it requires a
lot of logical bookkeeping). This optimization is only safe when the first thread
can take a step and when that step commutes with any action that other threads
(combined into c2 ) might perform. Formally, we define porSafeph, l, c1 , c2 , sq as
follows, where s should be a valid summary of c2 .
‚ There is some c0 where nextActionpc1 q “ c0 . That is, thread c1 has some
uniquely determined atomic action lined up to run next.
‚ There exist h1 , l1 , and c11 such that ph, l, c1 q Ñ ph1 , l1 , c11 q. That is, thread
c1 is actually able to take a step, which might not be possible if e.g. trying
to take a lock that is already held.
19.3. BASIC PARTIAL-ORDER REDUCTION 115
‚ And the crucial compatibility condition: commutespc0 , sq. That is, all
actions that other threads might perform commute with c0 , the first action
of c1 .
With the applicability condition defined, it is now straightforward to define an
optimized step relation, parameterized on an accurate summary s for c2 .
ph, l, c1 q Ñ ph1 , l1 , c11 q

ph, l, c1 ||c2 q ÑsC ph1 , l1 , c11 ||c2 q
␣porSafeph, l, c1 , c2 , sq ph, l, c2 q Ñ ph1 , l1 , c12 q

ph, l, c1 ||c2 q ÑsC ph1 , l1 , c1 ||c12 q
The whole thing is wrapped up into transition systems as TC ph, l, c1 , c2 , sq “
xtph, l, c1 ||c2 qu, ÑsC y.
Our proof of soundness for this reduction will depend on having some constant
upper bound on program execution time. This relation computes a conservative
overapproximation.
timeOfpReturn r, nq timeOfpFail, nq timeOfpRead a, n ` 1q timeOfpWrite a v, n ` 1q
timeOfpLock a, n ` 1q timeOfpUnlock a, n ` 1q
timeOfpc1 , n1 q @r. timeOfpc2 prq, n2 q timeOfpc1 , n1 q timeOfpc2 , n2 q

timeOfpx Ð c1 ; c2 pxq, n1 ` n2 ` 1q timeOfpc1 ||c2 , n1 ` n2 ` 1q
It may be surprising that, in our formal mixed embedding, there exist com-
mands with no provable upper bounds, according to this relation. We leave it as an
exercise to the reader to find a concrete example. (Actually, the Coq code includes
an example and its proof of unboundedness.)
One last ingredient is to work with a relation Ñi , which is the i-way self-
composition of Ñ. It is easy to show that whenever x Ñ˚ y, there exists i such
that x Ñi y.
With these ingredients, we can state the reduction theorem. Abstraction
Theorem 19.5. If summarizepc2 , sq and timeOfpc1 ||c2 , nq, then to prove natf as
an invariant of Tph, l, c1 ||c2 q, it suffices to prove natf as an invariant of TC ph, l, c1 , c2 , sq.
Proof. Setting c “ c1 ||c2 , we assume for the sake of contradiction that there
exists some derivation ph, l, cq Ñ˚ ph1 , l1 , c1 q, where ␣natfph1 , l1 , c1 q. First, since c
runs in bounded time, by Lemma 19.6, we can complete that execution to continue
running to some ph2 , l2 , c2 q, which is a stuck state. By Lemma 19.7, ␣natfpc2 q.
Next, we conclude that there exists i such that ph, l, cq Ñi ph2 , l2 , c2 q. By Lemma
19.8, there exist h3 , l3 , and c3 where ph, l, c1 ||c2 q Ñs˚ 3 3 3
C ph , l , c q and ␣natfpc q.
3
These facts contradict our assumption that natf is an invariant of TC ph, l, c1 , c2 , sq.
□
Lemma 19.6. If timeOfpc, nq, then there exist h1 , l1 , and c1 where ph, l, cq Ñ˚
ph , l1 , c1 q, such that ph1 , l1 , c1 q is a stuck state.
1
Proof. By strong induction on n. □

Lemma 19.7. If ph, l, cq Ñ˚ ph1 , l1 , c1 q and ␣natfpcq, then ␣natfpc1 q.
Proof. By induction on the derivation of ph, l, cq Ñ˚ ph1 , l1 , c1 q, with a nested

induction on the derivations of individual steps. □
Lemma 19.8. If ph, l, c1 ||c2 q Ñi ph1 , l1 , c1 q, and ph1 , l1 , c1 q is stuck and about to
fail, and summarizepc2 , sq, then there exist h2 , l2 , and c3 such that ph, l, c1 ||c2 q Ñs˚ C
ph2 , l2 , c3 q and ␣natfpc3 q.
Proof. By induction on i. Note that induction on the structure of a derivation
ph, l, c1 ||c2 q Ñ˚ ph1 , l1 , c1 q would not be sufficient here, as we will see in the proof
sketch below that we sometimes invoke the induction hypothesis on an execution
trace that is not just the tail of the one we started with.
If i “ 0, then ph, l, c1 ||c2 q is already about to fail, and the conclusion follows
trivially.
Otherwise, i “ i1 ` 1 for some i1 . We proceed by cases on the truth of
porSafeph, l, c1 , c2 , sq.
If ␣porSafeph, l, c1 , c2 , sq, then we invert the derivation ph, l, c1 ||c2 q Ñi ph1 , l1 , c1 q
1
to conclude ph, l, c1 ||c2 q Ñ ph2 , l2 , c2 q and ph2 , l2 , c2 q Ñi ph1 , l1 , c1 q for some inter-
mediate state. ÑC is easily able to match that first step, as the optimization is
disabled, and the rest follows directly by appeal to the induction hypothesis.
Otherwise, porSafeph, l, c1 , c2 , sq, and the key optimization is enabled, so that
ÑC only allows the first thread to run. The next deduction is not immediate,
because the first original step ph, l, c1 ||c2 q Ñ ph2 , l2 , c2 q may have chosen a thread
1
beside c1 . However, the trace ph, l, c1 ||c2 q Ñi `1 ph1 , l1 , c1 q must eventually pick the
first thread to run, and we apply Lemma 19.9 to commute that eventual step to the
front of the derivation, showing its equivalence to one that runs the first thread and
then takes i1 additional steps to ph1 , l1 , c1 q. At this point the induction hypothesis
applies to those i1 steps, to finish the proof. □
Lemma 19.9. If ph, l, c1 ||c2 q Ñi`1 ph1 , l1 , c1 q, where that last state is stuck, and
if summarizepc2 , sq, nextActionpc1 q “ x, commutespx, sq, and ph, l, c1 q Ñ ph0 , l0 , c11 q,
then ph0 , l0 , c11 ||c2 q Ñi ph1 , l1 , c1 q.
Proof. By induction on the derivation of ph, l, c1 ||c2 q Ñi`1 ph1 , l1 , c1 q, ap-
pealing to a few crucial lemmas, such as single-step determinism of any state in
nextAction’s domain, plus the soundness of commutes with respect to single steps
of pairs of commands, plus the fact that single steps preserve the accuracy of sum-
maries. □
19.4. Partial-Order Reduction More Generally

The key insights of the prior section can be adapted to prove soundness of
a whole family of optimizations by partial-order reduction. In general, we apply
the optimization to remove edges from a state-space graph, whose nodes are states
and whose edges are labeled with actions α. In our setting, α is the identifier of
the thread scheduled to run next. To do model checking, the graph need not be
materialized in memory in one go. Instead, as an optimization, the graph tends to
be constructed on-the-fly, during state-space exploration.
The proofs from the last two sections only apply to check the invariant that
no thread is about to fail. However, the results easily generalize to arbitrary safety
properties, which can be expressed as decidable invariants on states. Another im-
portant class of specifications is liveness properties, the most canonical example
19.4. PARTIAL-ORDER REDUCTION MORE GENERALLY 117
of which is termination, phrased in terms of reachability of some subsets of states

designated as finished. There are many other useful liveness properties. Another
example applies to a producer-consumer system, where one thread continually en-
queues new work into a queue, and another thread continually dequeues work items
and does something with them. A good liveness property for that system could be
that, whenever the producer enqueues an item, the consumer eventually dequeues
it, and from there the consumer eventually takes some visible action based on the
value of the item. Our general treatment of partial-order reduction is parameterized
on some property ϕ over states, and it may be safety, liveness, or a combination of
the two.
Every state s of the transition system has an associated set Epsq of identifiers
for threads that are enabled to run in s. The partial-order-reduction optimization
conceptually is based on picking a function A, mapping each state s to an ample
set Apsq of threads to consider in state-space exploration. A few eligibility criteria
apply, for every state s.
Readiness: Apsq Ď Epsq. That is, we do not select any threads that are not
actually ready to run.
Progress: If Apsq “ H, then Epsq “ H. That is, so long as any thread at
all can step, we select at least one thread.
Commutativity: Consider all executions starting at s and taking steps only
with the threads not in Apsq. These executions only include actions that
commute with the next actions of the threads in Apsq. As a consequence,
any actions that run before elements of the ample set can be reordered to
follow the execution of any ample-set element.
Invisibility: If Apsq ‰ Epsq, then no action in Apsq modifies the truth of ϕ.
Any ample-set algorithm leads to a different variant of ÑC from the prior

section, and it is possible to prove that any such transition system is a sound
abstraction of the original.
As an example of a different heuristic, consider a weakness of the one from
the prior section: when we pick a thread c as the only one to consider running
next, c’s first action must commute with any action that any other thread might
ever run, for the entire rest of the execution. However, imagine that thread c holds
some lock a. We might formalize that notion by saying that (1) a is in the lockset,
and (2) the other threads, running independently, will never manage to run an
Unlock a command. A computable static analysis can verify this statement for
many nontrivial programs. Now consider which summaries of the other threads we
can get away with comparing against c for commutativity. We only need to collect
the actions that other threads can run before each one reaches its first occurrence
of Lock a. The reason is that, if c holds lock a and hasn’t run yet, no other thread
can progress past its first Lock a. Now threads may share addresses for read and
write access, yet still take advantage of the optimization, when accesses are properly
protected by locks.
The conditions above are only sufficient because we left unbounded loops out
of our object language. What happens if we add them back in? Consider this
program:
pwhile ptrueq t Write 0 0 uq || pn Ð Read 1; Failq

An optimization in the spirit of our original from the prior section would happily
decree that it is safe always to pick the first thread to run. This reduced state-
transition system never gets around to running the second thread, so exploring the
state space never finds the failure! To plug this soundness hole, we add a final
condition on the ample sets.
Fairness: If there is a cycle in the finite state space where α is enabled at
some point, then α P Apsq for some s in the cycle.
This condition effectively forces the ample set for the example program above
to include the second thread.
CHAPTER 20
Concurrent Separation Logic
Chapters 16 and 19 respectively introduced techniques for reasoning about

two tricky aspects of programs: heap-allocated linked data structures and shared-
memory concurrency. When we add concurrency to the mix for a program-reasoning
problem, we are often surprised at how much more complex it becomes. This chap-
ter introduces a pleasant exception to the rule, concurrent separation logic, a rather
small addition to separation logic that supports invariant-based reasoning about
threads-and-locks shared-memory programs.
20.1. Object Language: Loops and Locks

Here’s the object language we adopt, which should be old hat by now, just
mixing together features of the object languages from Chapters 16 and 19.
Commands c ::“ Fail | Return v | x Ð c; c | Loop i f

| Read a | Write a v | Alloc n | Free a n | Lock a | Unlock a | c||c
ph, l, c1 q Ñ ph1 , l1 , c11 q

ph, l, x Ð c1 ; c2 pxqq Ñ ph1 , l1 , x Ð c11 ; c2 pxqq ph, l, x Ð Return v; c2 pxqq Ñ ph, l, c2 pvqq
ph, l, Loop i f q Ñ ph, l, x Ð f piq; match x with Donepaq ñ Return a | Againpaq ñ Loop a f q
hpaq “ v hpaq “ v
ph, l, Read aq Ñ ph, l, Return vq ph, l, Write a v 1 q Ñ phra ÞÑ v 1 s, l, Return pqq
domphq X ra, a ` nq “ H
ph, l, Alloc nq Ñ phra ÞÑ 0n s, l, Return aq ph, l, Free a nq Ñ ph ´ ra, a ` nq, l, Return pqq
aRl aPl
ph, l, Lock aq Ñ ph, l Y tau, Return pqq ph, l, Unlock aq Ñ ph, lztau, Return pqq
ph, l, c1 q Ñ ph1 , l1 , c11 q ph, l, c2 q Ñ ph1 , l1 , c12 q

ph, l, c1 ||c2 q Ñ ph1 , l1 , c11 ||c2 q ph, l, c1 ||c2 q Ñ ph1 , l1 , c1 ||c12 q
119
120 20. CONCURRENT SEPARATION LOGIC
20.2. The Program Logic

We will build on basic separation logic, using the same kind of assertions and
even adopting all of the original rules unchanged. Here they are again, for easy
reference.
tP uc1 tQu p@r. tQprquc2 prqtRuq

tempuReturn vtλr. rr “ vsu tP ux Ð c1 ; c2 pxqtRu
@a. tIpAgainpaqquf paqtIu

tIpAgainpiqquLoop i f tλr. IpDoneprqqu trKsuFailtλ . rKsu
tDv. a ÞÑ v ˚ RpvquRead atλr. a ÞÑ r ˚ Rprqu tDv. a ÞÑ vuWrite a v 1 tλ . a ÞÑ v 1 u
tempuAlloc ntλr. r ÞÑ 0n u ta ÞÑ ?n uFree a ntλ . empu
tP uctQu P 1 ñ P @r. Qprq ñ Q1 prq tP uctQu

1 1
tP uctQ u tP ˚ Ructλr. Qprq ˚ Ru
Modularity
When two threads use disjoint regions of memory, it is trivial to apply this rule
of Concurrent Separation Logic to verify the threads independently.
tP1 uc1 tQ1 u tP2 uc2 tQ2 u
tP1 ˚ P2 uc1 ||c2 tλ . rKssu
The separating conjunction ˚ turned out to be just the right way to express the
idea of “splitting the heap into a part for the first thread and a part for the second
thread.” Because c1 and c2 touch disjoint memory regions, all of their memory
operations commute, so that we need not worry about the state-explosion problem,
in all the ways that the scheduler might interleave their steps. Note that, since for
simplicity our running example family of concurrent object languages includes no
way for parallel compositions to terminate, it makes sense to assign a contradictory
overall postcondition.
However, with realistic shared-memory programs, we don’t get off as easy as the
parallel-composition rule suggests. Threads do share memory regions, using syn-
chronization to tame the state-explosion problem. Our object language includes
locks as its example of synchronization, and Concurrent Separation Logic is spe-
cialized to locks. We may keep the simplistic-seeming rule for parallel composition
and implicitly enrich its power by adding a twist, in the form of some other rules.
The big twist is that we parameterize everything over some finite set L of locks
Invariants that may be used. Furthermore, another parameter is a function I that maps locks
to invariants, which have the same type as preconditions. The idea is this: when
no one holds a lock, the lock owns a chunk of memory that satisfies its invariant.
When a thread holds the lock, the lock doesn’t own any memory; it is waiting
for the thread to unlock it and donate back a chunk of memory satisfying the
invariant. We now think of the precondition of a Hoare triple as only describing
the local memory of a thread, which no other thread may access; while locks and
their invariants coordinate the shared memory regions of an application. The proof
rules will coordinate dynamic motion of memory regions between the shared regions
20.3. SOUNDNESS PROOF 121
and local regions. This motion is only part of a proof technique; it has no runtime
content reflected in the operational semantics!
With all of that set-up, the final two rules may seem surprisingly simple.
aPL aPL
tempuLock atλ . Ipaqu tIpaquUnlock atλ . empu
When a thread takes a lock, it appears as if a memory chunk satisfying that
lock’s invariant materializes in the local memory space. Conversely, when a thread
releases a lock, it appears as if the lock grabs a memory chunk satisfying the invari-
ant out of the local memory space. The rules are coordinating conceptual ownership
transfers between local memory and the global lock memory.
The accompanying Coq code shows a few example verifications of interesting
programs.
20.3. Soundness Proof

We can adapt the separation-logic soundness proof to concurrency, with just a
few new ideas. First, we will appreciate some new connectives for writing assertions.
One simple one is a guarded predicate, defined like so, for pure proposition ϕ (the
guard) and separation-logic assertion P .
ϕ ÝÑ P “ if ϕ then P else emp
The other key addition will be the “big star,” iterated separating conjunction,
with quantification over finite sets, written like ˚xPS P pxq. The definition is:
˚xPtv1 ,...,vn u P pxq “ P pv1 q ˚ . . . ˚ P pvn q
The reader may be worried about the inherently unordered nature of sets. For
each ordering of a set, we get a syntactically distinct formula on the righthand
side of the defining equation. Luckily, separating conjunction ˚ is associative and
commutative, so all orders lead to logically equivalent formulas.
With those preliminaries out of the way, we can state the soundness theorem,
referring again to the not-about-to-fail predicate natf from last chapter, extended
appropriately to say that loops are not about to fail. Invariants
Theorem 20.1 (Soundness). If tP uctQu, and if a heap h satisfies the predicate
pP ˚ ˚ℓPL Ipℓqq, then natf is an invariant of the system starting at state ph, H, cq.
The theorem lays out restrictions on the starting heap. It must have a segment
to serve as the root thread’s local heap, matching precondition P . Then, for each
lock ℓ P L, there must be an associated memory region satisfying Ipℓq. Our use of
separating conjunction forces each of these regions to occupy disjoint memory from
all the others.
Some key lemmas support the proof. Here are the highlights. The first is
representative of a family of lemmas that we prove, one for each syntactic construct
of the object language.
Lemma 20.2. If tP uRead atQu, then there exists R such that P ñ Dv. a ÞÑ
v ˚ Rpvq and, for all r, a ÞÑ r ˚ Rprq ñ Qprq.
Proof. By induction on the derivation of tP uRead atQu. □
As another example incorporating more of the complexities of concurrency, we
have this lemma.
122 20. CONCURRENT SEPARATION LOGIC
Lemma 20.3. If tP uc1 ||c2 tQu, then there exist P1 , P2 , Q1 , and Q2 such that
tP1 uc1 tQ1 u, tP2 uc2 tQ2 u, and P ñ P1 ˚ P2 .
Proof. By induction on the derivation of tP uc1 ||c2 tQu. One somewhat sur-
prising case is when the frame rule begins the derivation. We have some predicate
R that is added to both the precondition and postcondition. In picking P1 , P2 ,
Q1 , and Q2 , we have a choice as to where we incorporate R. The two threads
together leave R alone, so clearly either thread individually does, too. Therefore,
we arbitrarily incorporate R in P1 and Q1 . □
Two lemmas express crucial techniques to isolate elements within iterated con-
junction.
Lemma 20.4. If v P S, then ˚xPS P pxq ñ P pvq ˚ ˚xPSztvu P pxq.
Proof. By induction on the cardinality of S. □
Lemma 20.5. If v R S, then P pvq ˚ ˚xPS P pxq ñ ˚xPSYtvu P pxq.
Proof. By induction on the cardinality of S. □
1 1 1
Lemma 20.6 (Preservation). If ph, l, cq Ñ ph , l , c q, tP uctQu, and h satisfies
pP ˚ R ˚ ˚ℓPL pℓ R l ÝÑ Ipℓqqq, then there exists P 1 such that tP 1 uc1 tQu, where h1
satisfies pP 1 ˚ R ˚ ˚ℓPL pℓ R l1 ÝÑ Ipℓqqq.
Proof. By induction on the derivation of ph, l, cq Ñ ph1 , l1 , c1 q. The cases for
lock and unlock respectively use Lemmas 20.4 and 20.5. Note that we include
the parameter R solely to get a strong enough induction hypothesis for steps of
commands c1 ||c2 . We need to know that a step by one thread does not change
the private heap of the other thread. To draw that conclusion, in appealing to the
induction hypothesis, we extend R with precisely that private state. □
Lemma 20.7. ˚ℓPL Ipℓq ñ ˚ℓPL pℓ R H ÝÑ Ipℓqq.
Proof. By induction on the cardinality of L. □
Lemma 20.8. If tP uctQu, and if a heap h satisfies the predicate pP ˚˚ℓPL Ipℓqq,
then an invariant of the system starting at state ph, H, cq is: for reachable state
ph1 , l1 , c1 q, there exists P 1 where tP 1 uc1 tQu, such that h1 satisfies pP 1 ˚˚ℓPL pℓ R l1 ÝÑ Ipℓqqq.
Proof. By invariant induction, using Lemma 20.7 for the base case and Lemma
20.6 for the induction step, the latter with R “ emp. □
Lemma 20.9 (Progress). If tP uctQu and c is about to fail, then P is unsatis-
fiable.
The overall soundness proof proceeds by invariant weakening with the invariant
established by Lemma 20.8. We prove the inclusion of new invariant in old by
Lemma 20.9.
CHAPTER 21
Process Algebra and Refinement
The last two chapters dealt with the most popular sort of concurrent program-
ming, the threads-and-locks shared-memory style. It’s a fundamentally imperative
style, with side effects coordinating synchronization across threads. Another well-
established (and increasingly popular) style is message passing, which is closer in
spirit to functional programming. In that world, there is, in fact, no memory at all,
let alone shared memory. Instead, state is incorporated into the text of thread code,
and information passes from thread to thread by sending messages over channels.
There are two main kinds of message passing. In the asynchronous or mailbox style,
a thread can deposit a message in a channel, even when no one is ready to receive
the message immediately. Later, a thread can come along and effectively dequeue
the message from the channel. In the synchronous or rendezvous style, a message
send only executes when a matching receive, on the same channel, is available im-
mediately. The threads of the two complementary operations rendezvous and pass
the message in one atomic step.
Packages of semantics and proof techniques for such languages are often called
process algebras, as they support an algebraic style of reasoning about the source
code of message-passing programs. That is, we prove laws very similar to the
familiar equations of algebra and use those laws to “rewrite” inside larger processes,
by replacing their subprocesses with others we have shown suitably equivalent. It’s
a powerful technique for highly modular proofs, which we develop in the rest of
this chapter for one concrete synchronous language. Well-known process algebras
include the π-calculus and the Calculus of Communicating Systems; the one we
focus on is idiosyncratic and designed partly to make the Coq proofs manageable.
21.1. An Object Language with Synchronous Message Passing
Channels c
Processes p ::“ νr⃗cspxq; ppxq | blockpcq; p | !cpvq; p | ?cpxq; ppxq | p||p | dupppq | done
Here’s the intuitive explanation of each syntax construction.
‚ Fresh channel generation νr⃗cspxq; ppxq creates a new private channel
to be used by the body process ppxq, where we replace x with the channel
that is chosen. Following tradition, we use the Greek letter ν (nu) for
this purpose. Each generation operation takes a parameter ⃗c, which we
call the support of the operation. It gives a list of channels already in use
for other purposes, so that the fresh channel must not equal any of them.
(We assume an infinite domain of channels, so that, for any specific list,
it is always possible to find a channel not in that list.)
123
124 21. PROCESS ALGEBRA AND REFINEMENT
‚ Abstraction boundaries blockpcq; p prevent “the outside world” from

sending p any messages on channel c or receiving any messages from p via
Abstraction c. That is, c is treated as a local channel for p.
‚ Sends !cpvq; p and receives ?cpxq; ppxq, where we use an exclamation
mark to suggest “telling something” and a question mark to suggest “ask-
ing something.” Processes of these kinds can rendezvous when they agree
on the channel. When !cpvq; p1 and ?cpxq; p2 pxq rendezvous, they respec-
tively evolve to p1 and p2 pvq.
‚ Parallel compositions p1 ||p2 work as we’re used to by now.
‚ Duplications dupppq act just like infinitely many copies of p composed
in parallel. We use them to implement nonterminating “server” processes
that are prepared to respond to many requests over particular channels.
In traditional process algebra, duplication fills the role that loops and
recursion fill in conventional programming.
‚ The inert process done is incapable of doing anything at all. It stands
for a finished program.
We give an operational semantics in the form of a labeled transition system,

as we did to formalize output instructions for compiler correctness in Chapter 10.
That is, we not only express how a step takes us from one state to another, but we
also associate each step with a label that summarizes what happened. Our labels
will include the silent label ϵ, read labels ?cpvq, and write labels !cpvq. The latter
two indicate that a thread has read a value from or written a value to channel c,
respectively, and the parameter v indicates which value was read or written. We
l
write p1 ÝÑ p2 to say that process p1 steps to p2 by performing label l. We use
ϵ
p1 ÝÑ p2 as an abbreviation for p1 ÝÑ p2 .
We start with the rules for sends and receives.
!cpvq ?cpvq
!cpvq; p ÝÑ p ?cpxq; ppxq ÝÑ ppvq
They record the action in the obvious way, but there is already an interesting wrin-
kle: the rule for receives picks a value v nondeterministically. This nondeterminism
is resolved by the next two rules, the rendezvous rules, which force a read label to
match a write label precisely.
!cpvq ?cpvq ?cpvq !cpvq

p1 ÝÑ p11 p2 ÝÑ p12 p1 ÝÑ p11 p2 ÝÑ p12
p1 ||p2 ÝÑ p11 ||p12 p1 ||p2 ÝÑ p11 ||p12
A fresh channel generation can step according to any valid choice of channel.
c R ⃗c
νr⃗cspxq; ppxq ÝÑ blockpcq; ppcq
An abstraction boundary prevents steps with labels that mention the protected
channel. (We overload notation c P l to indicate that channel c appears in the
send/receive position of label l.)
l
p ÝÑ p1 cRl
l
blockpcq; p ÝÑ blockpcq; p1
21.2. REFINEMENT BETWEEN PROCESSES 125
Any step can be lifted up out of a parallel composition.

l l
p1 ÝÑ p11 p2 ÝÑ p12
l l
p1 ||p2 ÝÑ p11 ||p2 p1 ||p2 ÝÑ p1 ||p12
Finally, a duplication can spawn a new copy (“thread”) at any time.
dupppq ÝÑ dupppq||p
The labeled-transition-system approach may seem a bit unwieldy for just ex-
plaining the behavior of programs. Where it really pays off is in supporting a
modular, algebraic reasoning style about processes, which we turn to next.
21.2. Refinement Between Processes

What sorts of correctness theorems should we prove about processes? The
classic choice is to show that a more complex implementation process is a safe
substitute for a simpler specification process. We will say that the implementation
p refines the specification p1 . Intuitively, such a claim means that any trace of labels
that p could generate may also be generated by p1 , so that p has no more behaviors
than p1 has, though it may have fewer behaviors. (There is a formal connection
lurking here to the notion of refinement from Chapter 18, where method calls there
are analogous to channel operations here.) Crucially, in building traces of process
executions, we ignore silent labels, only collecting the send and receive labels.
This condition is called trace inclusion, and, though it is intuitive, it is not
strong enough to support all of the composition properties that we will want. In-
stead, we formalize refinement via simulation, very similarly to how we formalized
compiler correctness in Chapter 10 and data abstraction in Chapter 18. Abstraction
Definition 21.1. Binary relation R between processes is a simulation when
these two conditions hold.
‚ Silent steps match up: when p1 R p2 and p1 ÝÑ p11 , there always exists
p12 such that p2 ÝÑ˚ p12 and p11 R p12 .
l
‚ Communication steps match up: when p1 R p2 and p1 ÝÑ p11 for
l
l ‰ ϵ, there always exist p22 and p12 such that p2 ÝÑ˚ p22 , p22 ÝÑ p12 , and
1 1
p1 R p2 .
Intuitively, R is a simulation when, starting in a pair of related processes, any
step on the left can be matched by a step on the right, taking us back into R. The
conditions are naturally illustrated with commuting diagrams.
R R
p1 p2 p1 p2
˚ l l
@ÝÑ DÝÑ @ÝÑ DÝÑ˚ ÝÑ
p11 p12 p11 p12

R´1 R´1
Invariants
Simulations have quite a lot in common with our well-worn concept of invariants
of transition systems. Simulation can be seen as a kind of natural generalization of
invariants, which are predicates over single states, into relations that apply to states
of two different transition systems that need to evolve in (approximate) lock-step.
126 21. PROCESS ALGEBRA AND REFINEMENT
We define refinement p1 ď p2 to indicate that there exists a simulation R such

that p1 R p2 . Luckily, this somewhat involved definition is easily related back to
our intuitions.
Theorem 21.2. If p1 ď p2 , then every trace generated by p1 is also generated
by p2 .
Proof. By induction on executions of p1 . □
Refinement is also a preorder.
Theorem 21.3 (Reflexivity). For all p, p ď p.
Proof. Choose equality as the simulation relation. □
Theorem 21.4 (Transitivity). If p1 ď p2 and p2 ď p3 , then p1 ď p3 .
Proof. The two premises respectively imply the existence of simulations R1
and R2 . Set the new simulation relation as R1 ˝ R2 , defined to contain a pair pp, qq
iff there exists r with p R1 r and r R2 q. □
The accompanying Coq code includes several examples of verifying moderately
complex processes, by manual tailoring of simulation relations. We leave those
details to the code, turning now instead to further algebraic properties that allow
us to compose laborious manual proofs about components, in a black-box way.
21.3. The Algebra of Refinement

We finish the chapter with a tour through some algebraic properties of refine-
ment that are proved in the Coq source. We usually omit proof details here, though
we work out one interesting example in more detail.
Perhaps the greatest pay-off from the refinement approach is that refinement
is a congruence for parallel composition.
Theorem 21.5. If p1 ď p11 and p2 ď p12 , then p1 ||p2 ď p11 ||p12 .
Modularity
This deceptively simple theorem statement packs a strong modularity punch!
We can verify a component in isolation and then connect to an arbitrary additional
component, immediately concluding that the composition behaves properly. The
secret sauce, implicit in our formulation of the object language and refinement,
is the labeled-transition-system style, where processes may generate receive labels
nondeterministically. In this way, we can reason about a process implicitly in terms
of every value that some other process might send to it when they are composed,
without needing to quantify explicitly over all other eligible processes.
A similar congruence property holds for duplication, and we’ll take this op-
portunity to explain a bit of the proof, in the form of choosing a good simulation
relation.
Theorem 21.6. If p ď p1 , then dupppq ď duppp1 q.
Proof. The premise implies the existence of a simulation R. We define a
derived relation RD with these inference rules.
p R p1 p R p1 p1 RD p11 p2 RD p12
p R D p1 dupppq RD duppp1 q p1 ||p2 RD p11 ||p12
21.3. THE ALGEBRA OF REFINEMENT 127
RD is precisely the relation we need to finish the current proof. Intuitively, the
challenge is that dupppq includes infinitely many copies of p, each of which may
evolve in a different way. It is even possible for different copies to interact with each
other through shared channels. However, comparing intermediate states of dupppq
and duppp1 q, we expect to see a shared backbone, where corresponding threads are
related by the original simulation R. The definition of RD formalizes that intuition
of a shared backbone with R connecting corresponding leaves. □
We wrap up the chapter with a few more algebraic properties, which the
Coq code puts to good use in larger examples. We sometimes rely on a predi-
cate neverUsespc, pq, to express that, no matter how other threads interact with it,
process p will never perform a send or receive operation on channel c.
Theorem 21.7. If p ď p1 , then blockpcq; p ď blockpcq; p1 .
Theorem 21.8. blockpc1 q; blockpc2 q; p ď blockpc2 q; blockpc1 q; p
Theorem 21.9. If neverUsespc, p2 q, then pblockpcq; p1 ||p2 q ď pblockpcq; p1 q||p2 .
Theorem 21.10 (Handoff). If neverUsespc, ppvqq, then pblockpcq; p!cpvq; doneq||dupp?cpxq; ppxqqq ď
ppvq.
That last theorem is notable for how it prunes down the space of possibilities
given an infinitely duplicated server, where each thread is trying to receive from a
channel. If server threads never touch that channel after their initial receives, then
most server threads will remain inert. The one send !cpvq; done is the only possible
source of interaction with server threads, thanks to the abstraction barrier on c,
and that one send can only awaken one server thread. Thus, the whole composition
behaves just like a single server thread, instantiated with the right input value.
A concrete example of the Handoff theorem in action is a refinement like this
one, applying to a kind of forwarding chain between channels:
p “ blockpc1 q; blockpc2 q; !c1 pvq; done||dupp?c1 pxq; !c2 pxq; doneq||dupp?c2 pyq; !c3 pyq; doneq
p ď !c3 pvq; done
Note that, without the abstraction boundaries at the start, this fact would not
be derivable. We would need to worry about meddlesome threads in our environ-
ment interacting directly with c1 or c2 , spoiling the protocol and forcing us to add
extra cases to the righthand side of the refinement.
CHAPTER 22
Session Types
Process algebra, as we met it last chapter, can be helpful for modeling network
protocols. Here, multiple parties step through a script of exchanging messages and
making decisions based on message contents. A buggy party might introduce a
deadlock , where, say, party A is blocked waiting for a message from party B, while
B is also waiting for A. Session types are a style of static type system that rule out
deadlock while allowing convenient separate checking of each party, given a shared
protocol type.
There is an almost unlimited variation of different versions of session types. We
still step through a progression of three variants here, and even by the end there
will be obvious protocols that don’t fit the framework. Still, we aim to convey the
core ideas of the approach.
22.1. Basic Two-Party Session Types

Each of our type systems will apply to the object language from the prior
chapter. Assume for now that a protocol involves exactly two parties. Here is a
simple type system, explaining a protocol’s “script” from the perspective of one
party.
Base types σ
Session types τ ::“ !cpσq; τ | ?cpσq; τ | done
Abstraction
We model simple parties with no internal duplication or parallelism. A session
type looks like an abstracted version of a process, remembering only the types of
messages exchanged on channels, rather than their values. A simple set of typing
rules makes the connection.
v:σ p:τ @v : σ. ppvq : τ
!cpvq; p : !cpσq; τ ?cpxq; ppxq : ?cpσq; τ done : done
The only wrinkle in these rules is the use of universal quantification for the
receive rule, to force the body to type-check under any well-typed value read from
the channel. Actually, such proof obligations may be nontrivial when we encode
this object language in the mixed-embedding style of Section 15.1, where the body
p in the rule could include arbitrary metalanguage computation, to choose a body
based on the value v read from the channel.
The associated Coq code demonstrates tactics to deal with that complication,
for automatic type-checking of concrete programs. That code is also where we keep
all of our concrete examples of object-language programs.
For the rest of this chapter, we will interpret last chapter’s object language as
a transition system with one small change: we only allow silent steps. That is, we
only model whole programs, with no communication with “the environment.” As
a result, we consider self-contained protocols.
129
130 22. SESSION TYPES
A satisfying soundness theorem applies to our type system. To state it, we first
need the crucial operation of complementing a session type.
!cpσq; τ “ ?cpσq; τ
?cpσq; τ “ !cpσq; τ
done “ done
Modularity
It is apparent that complementation just swaps the sends and receives. When
the original session type tells one party what to do, the complement type tells the
other party what to do. The power of this approach is that we can write one global
protocol description (the session type) and then check two parties’ code against it
separately. A new version of one party can be dropped in without rechecking the
other party’s code.
Using complementation, we can give succinct conditions for deadlock freedom
of a pair of parties.
Theorem 22.1. If p1 : τ and p2 : τ , then it is an invariant of p1 ||p2 that an
intermediate process is either done||done or can take a step.
Proof. By invariant induction, after strengthening the invariant to say that
any intermediate process takes the form p11 ||p12 , where, for some type τ 1 , we have
p11 : τ 1 and p12 : τ 1 . The inductive case of the proof proceeds by simple inversion
on the derivation of p11 : τ 1 , where by the definition of complement it is apparent
that any communication p11 performs has a matching action at the start of p12 . The
choice of τ 1 changes during such a step, to the “tail” of the old τ 1 . □
22.2. Dependent Two-Party Session Types

It is a boring protocol that follows such a regular communication pattern as our
first type system accepts. Rather, it tends to be crucial to change up the expected
protocol steps, based on values sent over channels. It is natural to switch to a
dependent type system to strengthen our expressiveness. That is, a communication
type will allow its body type to depend on the value sent or received.
Session types τ ::“ !cpx : σq; τ pxq | ?cpx : σq; τ pxq | done
Each nontrivial construct does more than give the base type that should be
sent or received on or from a channel. We also bind a variable x, to stand for the
value sent or received. It may be unintuitive that we must introduce a binder even
for sends, when the sender is in control of which value will be sent. The reason
is that we must allow the sender to then continue with different subprotocols for
different values that might be sent. We should not force the sender’s hand by fixing
a value in advance, when that value might depend on arbitrary program logic.
Very little change is needed in the typing rules.
v : σ p : τ pvq @v : σ. ppvq : τ pvq
!cpvq; p : !cpx : σq; τ pxq ?cpxq; ppxq : ?cpx : σq; τ pxq done : done
Our deadlock-freedom property is easy to reestablish.
Theorem 22.2. If p1 : τ and p2 : τ , then it is an invariant of p1 ||p2 that an
intermediate process is either done||done or can take a step.
Proof. Literally the same Coq proof script as for Theorem 22.1! □
22.3. MULTIPARTY SESSION TYPES 131
22.3. Multiparty Session Types

New complications arise when more than two parties are communicating in a
protocol. The Coq code demonstrates a case of an online merchant, a customer
sending it orders, and a warehouse being queried by the merchant to be sure a
product is in stock. Many other such examples appear in the real world.
Now it is no longer possible to start from one party’s view of a protocol and
compute any other party’s view. The reason is that each message only involves two
parties. Any other party will not see that message in its own session type, making
it impossible to preserve that message in a complement-like operation.
Instead, we define one global session type that includes only “send” operations.
However, we name the parties and parameterize on a mapping C from channels to
unique parties that own their send and receive ends. That is, for any given channel
and operation on it (send and receive), precisely one party is given permission to
perform the operation – and indeed, when the time comes, that party is obligated
to perform the operation, to avoid deadlock.
With that view in mind, our type language gets even simpler.
Session types τ ::“ !cpx : σq; τ pxq | done
We redefine the typing judgment as p :α,b τ . Here α is the identifier of the
party running p, and b is a Boolean that, when set, enforces that p’s next action (if
any) is a receive.
v:σ Cpcq “ pα, βq β ‰ α p :α,K τ pvq
!cpvq; p :α,K !cpx : σq; τ pxq
Cpcq “ pβ, αq β ‰ α @v : σ. ppvq :α,K τ pvq

?cpxq; ppxq :α,b !cpx : σq; τ pxq
Cpcq “ pβ, γq β ‰ α γ ‰ α @v : σ. p :α,J τ pvq

p :α,b !cpx : σq; τ pxq
done :α,b done

The first two rules encode the simple cases where the current party α is one
of the two designated to step next in the protocol, as we verify by looking up
the channel in C. It is important that the send and receive ends of the channel are
owned by different parties, or we would clearly have a deadlock, as that party would
either wait forever for a message from itself or try futilely to send itself a message!
The ‰ premises enforce that condition. Also, the Boolean subscript enforces that
we cannot be running a send operation if we have been instructed to run a receive
next. That flag is reset to false in the recursive premises, since we only use the flag
to express an obligation for the very next command.
The third rule is crucial: it applies to a process that is not participating in the
next step of the protocol. That is, we look up the owners of the channel that comes
next, and we verify that neither owner is α. In this case, we merely proceed to the
next protocol step, leaving the process unchanged. Crucially, we must be prepared
for any value that might be exchanged in this skipped step, even though we do not
see it ourselves.
132 22. SESSION TYPES
Why does the last premise of the third rule set the Boolean flag, forcing the
next action to be a receive? Otherwise, at some point in the protocol, we could
have multiple parties trying to send messages. In such a scenario, there might not
be a unique step that the composed parties can take. The proofs are easier if we
can assume deterministic execution within a protocol, which is why we introduced
this static restriction.
To amend our theorem statement, we need to characterize when a process
implements a set of parties correctly. We use the judgment p :α⃗ τ to that end,
where p is the process, α⃗ is a list of all the involved parties, and τ is the type they
must follow collectively.
p1 :α,K τ p2 :β⃗ τ
done :rs τ p1 ||p2 :α’β⃗ τ
The heart of the proof is demonstrating the existence of a unique sequence of
steps to a point where all parties are done. Here is a sketch of the key lemmas.
Lemma 22.3. If p :α⃗ done, then p can’t take any silent step.
Proof. By induction on any derivation of a silent step, followed by inversion
on p :α⃗ done. □
Lemma 22.4. If p :α⃗ !cpx : σq; τ pxq and at least one of sender or receiver of
channel c is missing from α
⃗ , then p can’t take any silent step.
Proof. By induction on any derivation of a silent step, followed by inversion
on p :α⃗ !cpx : σq; τ pxq. □
Lemma 22.5. Assume that α ⃗ is a duplicate-free list of parties excluding both
sender and receiver of channel c. If p :α⃗ !cpx : σq; τ pxq, then for any v : σ, we have
p :α⃗ τ pvq. In other words, when we have well-typed code for a set of parties that do
not participate in the first step of a protocol, that code remains well-typed when we
advance to the next protocol step.
Proof. By induction on the derivation of p :α⃗ !cpx : σq; τ pxq. □
Lemma 22.6. Assume that α ⃗ is a duplicate-free list of parties, at least compre-
hensive enough to include the sender of channel c. However, α ⃗ should exclude the
!cpvq
receiver of c. If p :α⃗ !cpx : σq; τ pxq and p ÝÑ p1 , then p1 :α⃗ τ pvq.
Proof. By induction on steps followed by inversion on multiparty typing. As
we step through elements of α⃗ , we expect to “pass” parties that do not participate
in the current protocol step. Lemma 22.5 lets us justify those passings. □
Theorem 22.7. Assume that α ⃗ is a duplicate-free list of all parties for a pro-
tocol. If p :α⃗ τ , then it is an invariant of p that an intermediate process is either
inert (made up only of dones and parallel compositions) or can take a step.
Proof. By invariant induction, after strengthening the invariant to say that
any intermediate process p1 satisfies p1 :α⃗ τ 1 for some τ 1 . The inductive case uses
Lemma 22.3 to rule out steps by finished protocols, and it uses Lemma 22.4 to rule
out cases that are impossible because parties that are scheduled to go next are not
present in α
⃗ . Interesting cases are where we find that one of the active parties is
at the head of α⃗ . That party either sends or receives. In the first case, we appeal
22.3. MULTIPARTY SESSION TYPES 133
to Lemma 22.6 to find a receiver among the remaining parties. In the second case,
we appeal to an analogous lemma (not stated here) to find a sender.
The other crucial case of the proof is showing that existence of a multiparty
typing implies that, if a process is not inert, it can take a step. The reasoning is
quite similar to in the inductive case, but where instead of showing that any possible
step preserves typing, we demonstrate that a particular step exists. The head of
the session type telegraphs what step it is: for the communication at the head of
the type, the assigned sending party sends to the assigned receiving party. □
APPENDIX A
The Coq Proof Assistant
Coq is a proof-assistant software package developed as open source, primarily

by Inria, the French national computer-science lab.
A.1. Installation and Basic Use

The project home page is:
https://coq.inria.fr/
The code associated with this book is designed to work with Coq versions 8.11 and
higher. The project Web site makes a number of versions available, and versions are
also available in popular OS package distributions, along with binaries for platforms
where open-source package systems are less common. We assume that readers have
installed Coq by one of those means or another. It will also be almost essential to
use some graphical interface for Coq editing. The author prefers Proof General, an
Emacs mode:
http://proofgeneral.inf.ed.ac.uk/
It should be possible to follow along using CoqIDE, a standalone tool distributed
with Coq itself, but we will not give any CoqIDE-specific instructions.
The Proof General instructions are simple: after installing, within a regular
Emacs session, open a file with the Coq extension .v. Move the point (cursor) to
a position where you would like to examine the current state of a proof, etc. Then
press C-C C-RET (“control-C, control-enter”) to run Coq up to that point. Several
display panes will open, showing different aspects of Coq’s state, any error messages
it wants to report, etc. This feature is the main workhorse of Proof General. It
can be used both to move forward, checking that Coq accepts a command; and to
move backward, to undo commands processed previously.
Proof General has plenty of other bells and whistles, but we won’t go into them
here.
A.2. Tactic Reference

Tactics are the commands run in Coq to advance the state of a proof, corre-
sponding to deduction steps at different granularities. Here we collect all of the
short explanations of tactics that appear in Coq source files associated with the
chapters included in this document. Note that many of these are specific to the
Frap library distributed with this book, where built-in tactics often do quite similar
things, but in a way that the author judges to be more of a hassle for beginners.
apply H: For H a hypothesis or previously proved theorem, establishing
some fact that matches the structure of the current conclusion, switch to
proving H’s own hypotheses. This is backwards reasoning via a known
fact.
135
136 A. THE COQ PROOF ASSISTANT
apply H with (x1 := e1 ) ... (xn := en ): Like the last one, supplying
values for quantified variables in H’s statement, especially for those vari-
ables whose values aren’t immediately implied by the current goal.
apply H1 in H2 : Like apply H1 , but used in a forward direction rather
than backward. For instance, if H1 proves P ñ Q and H2 proves P , then
the effect is to change H2 to Q.
assert P : First prove proposition P , then continue with it as a new hy-
pothesis.
assumption: Prove a conclusion that matches a hypothesis exactly.
cases e: Break the proof into one case for each constructor that might have
been used to build the value of expression e. In the special case where e
essentially has a Boolean type, we consider whether e is true or false.
constructor: When proving an instance of an inductive predicate, apply
the first matching rule of that predicate.
eapply H: Like apply but will work even when some quantified variables
from H do not have their values determined immediately by the form of
the goal. Instead, existential variables (with names starting with question
marks) are introduced for those values.
eassumption: Like assumption but will figure out values of existential vari-
ables.
econstructor: When proving an instance of an inductive predicate, eapply
the first matching rule of that predicate.
eexists: To prove Dx. P pxq, switch to proving P p?yq, for a new existential
variable ?y.
equality: A complete decision procedure for the theory of equality and un-
interpreted functions. That is, the goal must follow from only reflexivity,
symmetry, transitivity, and congruence of equality, including that func-
tions really do behave as functions. See Section 2.4.
exfalso: From any proof state, switch to proving False. In other words,
indicate a switch to a proof by contradiction.
exists e: Prove Dx. P pxq by proving P peq.
first order: Simplify a goal into zero or more new goals, based on the rules
of first-order logic alone. Warning: this tactic is especially likely to run
forever, on complex enough goals! (While entailment for propositional
logic is decidable, entailment for first-order logic isn’t.)
f equal: When the goal is an equality between two applications of the same
function, switch to proving that the function arguments are pairwise equal.
induct x: Where x is a variable in the theorem statement, structure the
proof by induction on the structure of x. You will get one generated
subgoal per constructor in the inductive definition of x. (Indeed, it is
required that x’s type was introduced with Inductive.)
invert H: Replace hypothesis H with other facts that can be deduced from
the structure of H’s statement. More detail to be added here soon!
linear arithmetic: A complete decision procedure for linear arithmetic.
Relevant formulas are essentially those built up from variables and con-
stant natural numbers and integers using only addition and subtraction,
with equality and inequality comparisons on top. (Multiplication by con-
stants is supported, as a shorthand for repeated addition.) See Section
A.3. FURTHER READING 137
2.4. Also note that this tactic goes a bit beyond that theory, by (1) con-
verting multivariable terms into a standard polynomial form and then (2)
treating each different product of powers of variables as one variable in
a linear-arithmetic problem. So, for instance, linear arithmetic can
prove x ˆ y “ y ˆ x simply by deciding that a new variable z “ x ˆ y,
rewriting the goal to z “ z after putting polynomials in canonical form (in
this case, commuting argument order in products to make it consistent).
left: Prove a disjunction by proving its left side.
maps equal: Prove that two finite maps are equal by considering all the
relevant cases for mappings of different keys.
propositional: Simplify a goal into zero or more new goals, based on the
rules of propositional logic alone.
replace e1 with e2 by tac: Replace occurrences of e1 with e2 , proving e2 “
e1 with tactic tac.
rewrite H: Where H is a hypothesis or previously proved theorem, es-
tablishing forall x1 .. xN, e1 = e2, find a subterm of the goal that
equals e1, given the right choices of xi values, and replace that subterm
with e2.
rewrite H1 in H2 : Like rewrite H1 but performs the rewrite in hypothesis
H2 instead of in the conclusion.
right: Prove a disjunction by proving its right side.
ring: Prove goals that are equalities over some registered ring or semiring,
in the sense of algebra, where the goal follows solely from the axioms of
that algebraic structure. See Section 2.4.
simplify: Simplify throughout the goal, applying the definitions of recursive
functions directly. That is, when a subterm matches one of the match cases
in a defining Fixpoint, replace with the body of that case, then repeat.
subst: Remove all hypotheses like x “ e for variables x, simply replacing
all uses of x by e.
symmetry: When proving X “ Y , switch to proving Y “ X.
transitivity X: When proving Y “ Z, switch to proving Y “ X and
X “ Z.
trivial: Coq maintains a database of simple proof steps, such as proving
a fact by direct appeal to a matching hypothesis. trivial asks to try all
such simple steps.
unfold X: Replace X by its definition.
unfold X in *: Like the last one, but unfolds in hypotheses as well as con-
clusion.
A.3. Further Reading

For more Coq information, we recommend a few books (beyond the Coq refer-
ence manual). Some focus purely on introducing Coq:
‚ Adam Chlipala, Certified Programming with Dependent Types, MIT Press,
http://adam.chlipala.net/cpdt/
‚ Yves Bertot and Pierre Castéran, Interactive Theorem Proving and Pro-
gram Development: Coq’Art: The Calculus of Inductive Constructions,
Springer, https://www.labri.fr/perso/casteran/CoqArt/
138 A. THE COQ PROOF ASSISTANT
The first of these two, especially, goes in-depth on the automated proof-scripting
principles showcased from time to time in the Coq example code associated with
the present book.
There are also other sources that introduce program-reasoning principles at the
same time, including:
‚ Benjamin C. Pierce et al., Software Foundations, http://www.cis.upenn.
edu/~bcpierce/sf/
Software Foundations generally proceeds at a slower pace than this book does.
Index
β-reduction, 68 Church numerals, 67

λ expression, 65 circuits, 101
λ-abstraction, 65 clausal function definition, 7
λ-calculus, 65 client code, 13
ν, 123 closed terms, 66
π-calculus, 123 commutativity, 113, 120
LATEX, 2, 5 commutativity (partial-order reduction),
117
abstract data type, 13, 108 commute, 113
abstract interpretation, 51 commuting diagram, 20, 125
abstract syntax, 6 compiler, 21
abstract syntax tree, 6 compiler optimization, 59
abstraction, 2, 40 compiler phase, 59
abstraction function, 109 compiler verification, 103
abstraction layers, 102 compilers, 59
algebraic datatype, 6 complement (of a session type), 130
algebraic simplification, 10 completeness of a logic, 28
algebraic specifications, 13 completeness of Hoare logic, 85
aliasing, 95 composition of a relation and a set, 39
amortized time, 14 composition of functions, 22
ample sets, 117 computability theory, 8
assertion logic, 96 conclusion, 6
assertions, 83 concrete syntax, 5
AST, 6 concurrent pairing, 74
asynchronous message passing, 123 concurrent separation logic, 119
automata theory, 31 congruence, 126
congruence rule, 48
Backus-Naur Form, 5 constant folding, 60
big-step operational semantics, 45, 111 constructor, 6, 108
big-step semantics, 66 contextual small-step semantics, 48
binary relation, 15 control state, 51
BNF, 5 copying garbage collectors, 81
build processes, 101 Coq, 135
CoqIDE, 135
C programming language, 22, 78, 103
caching, 109 data abstraction, 13
Calculus of Communicating Systems, 123 dataflow analysis, 51
call-by-name, 71 deadlock, 129
call-by-value, 68, 71 decidable theory, 8
cancellation, 97 decision problem, 8
cancellativity, 97 deep embedding, 90, 104
capture-avoiding substitution, 66 demonic choice, 35
Cartesian product, 6, 72 dependent types, 130
channel, 123 determinism, 60
139
140 INDEX
differential equations, 101 inference rules, 5

disjoint unions, 72 infinite-state systems, 31
duplication, 124 initial state, 32
Inria, 135
elimination rules, 28 interface, 13
Emacs, 135 interpreter, 102
encapsulation, 13 interpreters, 45
encoding, 1 interval analysis, 56
equational reasoning, 108 introduction rules, 28
evaluation contexts, 48, 71 invariant, 2
event handlers, 102 invariant induction, 122
exceptions, 73, 92 invariant weakening, 122
exponentiation of functions, 22 inversion, 33
extraction, 93, 102 invisibility, 117
fairness, 118 Java, 13, 77

final state, 32 JavaScript, 65
finite differencing, 109 join operation of an abstract interpretation,
finite height of abstract domain, 54 51
finite map, 19 juxtaposition, 65
finite sets, 16
finite-state machines, 31 label, 124
fixed point, 40 labeled transition system, 59, 124
flattening, 63 lambda calculus, 65
flow-sensitive analysis, 55 lattice, 52
formal methods, 2 law of the excluded middle, 29
Forth, 20 least upper bound, 51
frame predicate, 97 libraries, 103
frame rule, 98 lifting pure propositions, 96
free variables, 65, 90 linear algebra, 8
fresh channel generation, 123 linear arithmetic, 8
function abstraction, 65 linked data structures, 119
functional programming, 65 linking, 103
lists, 14
Gallina, 89 liveness properties, 46, 59, 116
garbage collection, 80 locations, 78
grammar, 5 locks, 35, 111
lockset, 111
Haskell, 6, 7, 65, 80, 102 loop invariant, 33
heap typings, 79 loop invariants, 85
heaps, 77 loop unrolling, 22
higher-order abstract syntax, 90
Hoare logic, 84 mailbox, 123
Hoare triple, 84 mathematical induction, 7
horizontal decomposition, 2 memory safety, 78
hypothetical reasoning, 28 message-passing concurrency, 123
metalanguage, 11, 89
identity function, 22 metavariable, 6
identity relation, 39 mixed embedding, 90, 102, 104, 112
IH, 8 mixed embeddings, 129
induction, 7 ML, 80
induction hypothesis, 25 model checking, 39, 112
inductive definition, 5 model theory, 28
inductive hypothesis, 8 modularity, 2, 42
inductive invariants, 34 monad, 107
inductive predicates, 25, 104 mous ponens, 28
inductive principle, 25 multi-step closure, 40
inductive relations, 25 multiparty session types, 131
inert process, 124 multithreaded programs, 35
INDEX 141
mutable references, 77 reactive systems, 102

mutual exclusion, 37 readiness, 117
recursive definition, 7
N, 5 reference implementations of data types, 16
natural deduction, 29 references, 77
natural numbers, 5 refinement, 107, 125
network protocols, 129 relational properties, 59
noncanonical, 16 rendezvous, 123
nondeterminism, 36, 46, 78, 112 representation functions, 16
nonterminal, 5 rewriting, 11, 108
nontermination, 59 rule induction, 25, 34
nu, 123 rule of consequence, 85
object language, 11, 89 safety properties, 46, 59, 116
object-oriented programming, 102, 108 satisfiability modulo theories, 86
OCaml, 93, 101, 102 Scala, 65
open terms, 66 scheduler, 112
operating systems, 101
Scheme, 102
operational semantics, 45
security, 101
optimization, 22, 59
self-composition, 22
output, 59
self-composition of relations, 39
ownership, 96
semantics, 1, 2, 5
Oxford brackets, 19
semantics preservation, 23
pair types, 72 semilattice, 52
parallel composition of threads, 50 semirings, 9
partial correctness, 86 separating conjunction, 96
partial function, 13 separation logic, 95, 105, 111, 119
partial memories, 96 shallow embedding, 90
partial-order reduction, 113 shared-memory concurrency, 111, 119, 123
path-insensitive analysis, 51, 55 shared-memory programming, 35
path-sensitive analysis, 51 side effects, 102
permutations, 26 silent steps, 59, 129
piecewise functions, 14 simulation, 40, 105, 108
plugging evaluation contexts, 48 simulation relation, 40
pointers, 78 single-step closure, 40
postfix, 20 small-footprint style, 98
powerset, 15, 107 small-step operational semantics, 46, 68,
precondition, 84 111
premise, 6 SMT solvers, 86
preorder, 126 soundness of a logic, 28
primitive recursion, 7 soundness of Hoare logic, 85
process algebra, 123 source language, 59
processors, 101 specifications, 13
producer-consumer systems, 117 specs, 13
product types, 72 stack, 20
program counters, 35 stack machine, 20
program derivation, 107 state-explosion problem, 112
program logic, 96 static analysis, 113
programming-languages theory, 2 stepwise refinement, 107
progress (partial-order reduction), 117 strengthening the precondition, 85
projection (from pairs), 72 strong induction, 115
Proof General, 135 stronger predicate, 85
proof terms, 101 structural induction, 7
proof theory, 28 stuck term, 69
propositional logic, 9, 27 substitution, 19, 65
sum types, 72
quantifiers, 104 support, 123
queues, 13 synchronization, 120
142 INDEX
synchronous message passing, 123

syntactic approach to type soundness, 69
syntax, 1, 5
target language, 59
tautology, 29
TCB, 101
termination of recursive definitions, 7
theory of equality with uninterpreted
functions, 9
threads and locks, 123
top element of an abstract interpretation,
51
total correctness, 86
total function, 7
trace equivalence, 60
trace inclusion, 60, 125
traces, 60
transition system, 2, 32
transitive closure, 26
transitive-reflexive closure, 32
trusted code base, 101
Turing-completeness, 22, 39
two-stack queue, 15
type system, 129
typing context, 69
uncaught exceptions, 73
unification, 11
unification variables, 97
value, 66
variable binding, 66
variable capture, 66
variants, 72
verification, 2
vertical decomposition, 2
weakening, 30
weakening the postcondition, 85
weaker predicate, 85
widening, 57

Frap Book

Uploaded by

Copyright:

Available Formats

Frap Book

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Frap Book

Uploaded by

Copyright:

Available Formats

Formal Reasoning About Programs

Copyright Adam Chlipala 2015-2021.

Chapter 1. Why Prove the Correctness of Programs? 1

Chapter 2. Formalizing Program Syntax 5

Chapter 3. Data Abstraction 13

Chapter 4. Semantics via Interpreters 19

Chapter 5. Inductive Relations and Rule Induction 25

Chapter 6. Transition Systems and Invariants 31

Chapter 7. Model Checking 39

Chapter 8. Operational Semantics 45

8.3. Contextual Small-Step Semantics 48

Chapter 9. Abstract Interpretation and Dataflow Analysis 51

Chapter 10. Compiler Correctness via Simulation Arguments 59

Chapter 11. Lambda Calculus and Simple Type Safety 65

Chapter 12. More on Evaluation Contexts 71

Chapter 13. Types and Mutation 77

Chapter 14. Hoare Logic: Verifying Imperative Programs 83

Chapter 15. Deep Embeddings, Shallow Embeddings, and Options in Between 89

Chapter 16. Separation Logic 95

Chapter 17. Connecting to Real-World Programming Languages 101

17.1. Where Does the Buck Stop? 101

Chapter 22. Session Types 129

Why Prove the Correctness of Programs?

‚ Invariants. Nearly every theorem about a program is stated in terms of

Formalizing Program Syntax

2.1. Concrete Syntax

nPN x P Strings e1 P Exp e2 P Exp e1 P Exp e2 P Exp

2.2. Abstract Syntax

nPN x P Strings e1 P Exp e2 P Exp e1 P Exp e2 P Exp

Actually, semanticists get tired of writing such verbose descriptions, so proofs

Abstract syntax is handy for writing recursive definitions of functions. Here is

2.3. Structural Induction Principles

2.4. Decidable Theories

is prohibited outright, but we allow multiplication by a constant as an abbreviation

Another important decidable theory is of equality with uninterpreted functions.

As one more example of a decidable theory, consider the algebraic structure

following axioms1 are satisfied:

2.5. Simplification and Rewriting

1The equations are taken almost literally from https://en.wikipedia.org/wiki/Semiring.

Such a proof establishes a theorem @e P Exp. |Pluspe, Constp7qq| “ 2 ` |e|. We

3.1. Algebraic Interfaces for Abstract Data Types

A few notational conventions of note: We declare that tpαq is a type by assigning

type. For queues, here are two reasonable laws.

Now several implementations of this functionality are possible. Here’s one of

3.2. Algebraic Interfaces with Custom Equivalence Relations

Now we rewrite the original laws to use « instead of equality. We implicitly

3.3. Representation Functions

reppqq “ rs reppqq “ ℓ ’ rxs

3.4. Fixing Parameter Types for Abstract Data Types

Semantics via Interpreters

4.1. Semantics for Arithmetic Expressions via Finite Maps

‚ empty map, with H as its domain

pe, vrx ÞÑ Je1 Kvsq Jre1 {xseKv

4.2. A Stack Machine

4.3. A Simple Higher-Level Imperative Language

Inductive Relations and Rule Induction

5.1. Finite Sets as Inductive Predicates

5.2. Transitive Closure of Relations

ℓ1 „ ℓ2 Qpℓ1 , ℓ2 q ℓ „ ℓ1 Qpℓ, ℓ1 q ℓ1 „ ℓ2 Qpℓ1 , ℓ2 q