Relating Static and Dynamic Semantics COS 441 Princeton University Fall 2004

Motivations We want to know that when evaluating certain well-formed programs certain errors never occur Example Transition semantics for -calculus is “stuck” when applied to expressions with free variables in it So if {} ` E ok then E should never be “stuck”

Formal Statement isFinal(e) = e 2 F steps(e) = 9 e’. e  e’ stuck(e) = :(steps(e) or isFinal(e)) Soundness Theorem: If {} ` E ok and E * E’ then :stuck(E’)

Formal Statement isFinal(e) = e 2 F steps(e) = 9 e’. e  e’ stuck(e) = :(steps(e) or isFinal(e)) Soundness Theorem: If {} ` E ok and E * E’ then (steps(E’) or isFinal(E’))

Proof: Soundness Theorem By induction on derivations of * with Preservation and Progress Lemmas Preservation Lemma: If {} ` E ok and E  E’ then {} ` E’ ok Progress Lemma: If {} ` E ok then (steps(E) or isFinal(E))

Warning!! The remainder of the lecture consists of a series of tedious proofs Take that swig of coffee now Slides will be on web-site Last set of tedious proofs in lecture I’ll assign them as homework from now on! ;) What we discuss today is a template for Assignment 3

Proof by Induction over * S * S Z* S * S’’ S  S’ S’ * S’’ S* To show 8 e,e’ P(e,e’) we must show case Z*: IH(E,E) case S*: If E  E’ and IH(E’,E’’) then IH(E,E’’) IH(e,e’) = If {} ` e ok and e * e’ then (steps(e’) or isFinal(e’))

Proof: Soundness Theorem case Z*: IH(E,E)

Proof: Soundness Theorem case Z*: If {} ` E ok and E * E then (steps(E) or isFinal(E))

Proof: Soundness Theorem case Z*: (steps(E) or isFinal(E)) {} ` E ok and E * E by assumption

Proof: Soundness Theorem case Z*: {} ` E ok and E * E by assumption 2. (steps(E) or isFinal(E)) by ??

Proof: Soundness Theorem case Z*: {} ` E ok and E * E by assumption 2. (steps(E) or isFinal(E)) by Progress Lemma with (1)

Proof: Soundness Theorem case S*: If E  E’ and IH(E’,E’’) then IH(E,E’’)

Proof: Soundness Theorem case S*: IH(E,E’’) 1. E  E’ and IH(E’,E’’) by assumption

Proof: Soundness Theorem case S*: If {} ` E ok and E * E’’ then (steps(E’’) or isFinal(E’’)) E  E’ and IH(E’,E’’) by assumption

Proof: Soundness Theorem case S*: (steps(E’’) or isFinal(E’’)) E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption ` E’ ok by Preservation with (2,1) E’ * E’’ by inversion of S* and (2) (steps(E) or isFinal(E’’)) by IH with (3, 4)

Proof: Soundness Theorem case S*: (steps(E’’) or isFinal(E’’)) E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption {} ` E’ ok by ?? E’ * E’’ by inversion of S* and (2) (steps(E) or isFinal(E’’)) by IH with (3, 4)

Proof: Soundness Theorem case S*: (steps(E’’) or isFinal(E’’)) E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption {} ` E’ ok by Preservation with (2,1) E’ * E’’ by inversion of S* and (2) (steps(E) or isFinal(E’’)) by IH with (3, 4)

Proof: Soundness Theorem case S*: (steps(E’’) or isFinal(E’’)) E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption {} ` E’ ok by Preservation with (2,1) E’ * E’’ by ?? (steps(E’’) or isFinal(E’’)) by IH with (3, 4)

Proof: Soundness Theorem case S*: (steps(E’’) or isFinal(E’’)) E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption {} ` E’ ok by Preservation with (2,1) E’ * E’’ by inversion of S* and (2) (steps(E’’) or isFinal(E’’)) by IH with (3, 4)

Proof: Soundness Theorem case S*: E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption {} ` E’ ok by Preservation with (2,1) E’ * E’’ by inversion of S* and (2) (steps(E’’) or isFinal(E’’)) by ??

Proof: Soundness Theorem case S*: E  E’ and IH(E’,E’’) by assumption {} ` E ok and E * E’’ by assumption {} ` E’ ok by Preservation with (2,1) E’ * E’’ by inversion of S* and (2) (steps(E’’) or isFinal(E’’)) by IH(E’,E’’) with (3, 4)

Notes About our Proof Note our Proof works for any single step relation () Specific details of step function factored into Progress and Preservation lemmas Need to refer to the static and dynamic semantics of the step relation to prove Progress and Preservation Lemmas

Static Semantics for -calculus Names x 2 … Expressions e ::= lam(x.e) | apply(e1,e2)| x  ` apply(E1,E2)ok  ` E1 ok  ` E2 ok ok-A  ` lam(X.E)ok  [ {X} ` E ok X   ok-L  ` X ok X 2  ok-V

Dynamic Semantics for -calculus = { E | 9.  ` E ok } I = { E | {} ` E ok } F = { x.e | {} ` x.e ok } ((x.e1) (y.e2))  [xÃ(y.e2)] e1 A1 ((x.e1) e2)  ((x.e1) e’2) e2  e’2 A2 (e1 e2)  (e’1 e2) e1  e’1 A3

Proof: Preservation Lemma Proof by induction on the derivations of E  E’ case A1: IH(((X.E1) (Y.E2)),[X Ã (Y.E2)] E1) case A2: If IH(E2,E’2) then IH(((X.E1) E2)),((X.E1) E’2)) case A3: If IH(E1,E’1) then IH((E1 E2)),(E’1 E2)) IH(e,e’) = If {} ` e ok and e  e’ then {} ` e’ ok

Proof: Preservation Lemma case A1: If {} ` ((X.E1) (Y.E1)) ok and ((X.E1) (Y.E1))  [X Ã (Y.E2)] E1 then {} ` [X Ã (Y.E2)] E1 ok

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by inversion of ok-A and (1) {} [ {X} ` E1 ok by inversion of ok-L and (2) {} ` [X Ã (Y.E2)] E1 ok by Substitution Lemma with (3) and (2)

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by ?? {} [ {X} ` E1 ok by inversion of ok-L and (2) {} ` [X Ã (Y.E2)] E1 ok by Substitution Lemma with (3) and (2)

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by inversion of ok-A and (1) {} [ {X} ` E1 ok by inversion of ok-L and (2) {} ` [X Ã (Y.E2)] E1 ok by Substitution Lemma with (3) and (2)

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by inversion of ok-A and (1) {} [ {X} ` E1 ok by ?? {} ` [X Ã (Y.E2)] E1 ok by Substitution Lemma with (3) and (2)

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by inversion of ok-A and (1) {} [ {X} ` E1 ok by inversion of ok-L and (2) {} ` [X Ã (Y.E2)] E1 ok by Substitution Lemma with (3) and (2)

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by inversion of ok-A and (1) {} [ {X} ` E1 ok by inversion of ok-L and (2) {} ` [X Ã (Y.E2)] E1 ok by ??

Proof: Preservation Lemma case A1: {} ` [X Ã (Y.E2)] E1 ok {} ` ((X.E1) (Y.E2)) ok and ((X.E1) (Y.E2))  [X Ã (Y.E2)] E1 by assumption {} ` (X.E1) ok and {} ` (Y.E2) ok by inversion of ok-A and (1) {} [ {X} ` E1 ok by inversion of ok-L and (2) {} ` [X Ã (Y.E2)] E1 ok by Substitution Lemma with (3) and (2)

Substitution Lemma Proof by induction on the derivations of  ` E ok If  [ {X} ` E ok and {} ` E’ ok then  ` [XÃE’]E ok case ok-V: … case ok-L: … case ok-A: … IH(env,e) = If env [ {X} ` e ok and {} ` E’ ok then env ` [XÃE’]e ok

Substitution Proof by induction on the derivations of  ` E ok If  [ {X} ` E ok and {} ` E’ ok then  ` [XÃE’]E ok case ok-V: If X 2  then IH(,X) case ok-L: If IH( [ {X}, E) and X   then IH(,(X.E)) case ok-A: If IH(,E1) and IH(,E2) then IH(,(E1 E2)) IH(env,e) = If env [ {X} ` e ok and {} ` E’ ok then env ` [XÃE’]e ok

Proof: Substitution case ok-V: 1. X 2  by assumption 2.  [ {Y} ` X ok and {} ` E’ ok by assumption 3.  ` [YÃE’]X ok by cases case X = Y: 3.1. [YÃE’]X = E’ by def of subst. 3.2.  ` E’ ok by (2) 3.3.  ` [YÃE’]X ok by (3.1) and (3.2) case X  Y: 3.1. [YÃE’]X = X by def of subst. 3.2.  ` X ok by ok-V and (1) 3.3.  ` [YÃE’]X ok by (3.1) and (3.2)

Proof: Substitution case ok-L: If IH( [ {X}, E) and X   then IH(,(X.E)) …

Proof: Substitution case ok-A: If IH(,E1) and IH(,E2) then IH(,(E1 E2)) …

Proof: Preservation Lemma case A2: If IH(E2,E’2) then IH(((X.E1) E2)),((X.E1) E’2))

Proof: Preservation Lemma case A2: IH(((X.E1) E2)),((X.E1) E’2)) IH(E2,E’2) by assumption

Proof: Preservation Lemma case A2: If {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) then {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by ?? E2  E’2 by inversion of A2 {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by ?? {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 and (2) {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 and (2) {} ` E’2 ok by ?? {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 and (2) {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 and (2) {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ??

Proof: Preservation Lemma case A2: {} ` ((X.E1) E’2) ok IH(E2,E’2) by assumption {} ` ((X.E1) E2)) ok and ((X.E1) E2))  ((X.E1) E’2) by assumption {} ` (X.E1) ok and {} ` E2 ok by inversion of ok-A and (2) E2  E’2 by inversion of A2 and (2) {} ` E’2 ok by IH(E2,E’2) with (3) and (4) {} ` ((X.E1) E’2) ok by ok-A with (3) and (5)

Proof: Preservation Lemma case A3: If IH(E1,E’1) then IH(E1 E2)),(E’1 E2))

Proof: Preservation Lemma case A3: IH((E1 E2)),((E’1 E2)) IH(E1,E’1) by assumption

Proof: Preservation Lemma case A3: If {} ` (E1 E2) ok and (E1 E2)  (E’1 E2) then {} ` (E’1 E2) ok IH(E1,E’1) by assumption

Proof: Preservation Lemma case A3: {} ` (E’1 E2) ok IH(E1,E’1) by assumption {} ` (E1 E2) ok and (E1 E2)  (E’1 E’2) by assumption {} ` E1 ok and {} ` E2 ok by inversion of ok-A and (2) E1  E’1 by inversion of A3 and (2) {} ` E’1 ok by IH(E1,E’1) with (3) and (4) {} ` (E’1 E2) ok by ok-A with (5) and (3)

Proof: Preservation Lemma case A3: {} ` (E’1 E2) ok IH(E1,E’1) by assumption {} ` (E1 E2) ok and (E1 E2)  (E’1 E’2) by assumption {} ` E1 ok and {} ` E2 ok by inversion of ok-A and (2) E1  E’1 by inversion of A3 and (2) {} ` E’1 ok by IH(E1,E’1) with (3) and (4) {} ` (E’1 E2) ok by ok-A with (5) and (3)

Proof: Preservation Lemma case A3: {} ` (E’1 E2) ok IH(E1,E’1) by assumption {} ` (E1 E2) ok and (E1 E2)  (E’1 E’2) by assumption {} ` E1 ok and {} ` E2 ok by inversion of ok-A and (2) E1  E’1 by inversion of A3 and (2) {} ` E’1 ok by IH(E1,E’1) with (3) and (4) {} ` (E’1 E2) ok by ok-A with (5) and (3)

Proof: Preservation Lemma case A3: {} ` (E’1 E2) ok IH(E1,E’1) by assumption {} ` (E1 E2) ok and (E1 E2)  (E’1 E’2) by assumption {} ` E1 ok and {} ` E2 ok by inversion of ok-A and (2) E1  E’1 by inversion of A3 and (2) {} ` E’1 ok by IH(E1,E’1) with (3) and (4) {} ` (E’1 E2) ok by ok-A with (5) and (3)

Proof: Preservation Lemma case A3: {} ` (E’1 E2) ok IH(E1,E’1) by assumption {} ` (E1 E2) ok and (E1 E2)  (E’1 E’2) by assumption {} ` E1 ok and {} ` E2 ok by inversion of ok-A and (2) E1  E’1 by inversion of A3 and (2) {} ` E’1 ok by IH(E1,E’1) with (3) and (4) {} ` (E’1 E2) ok by ok-A with (5) and (3)

Progress Lemma Proof by induction on the derivations of  ` E ok case ok-V: If X 2  then IH(,X) case ok-L: If IH( [ {X}, E) and X   then IH(,(X.E)) case ok-A: If IH(,E1) and IH(,E2) then IH(,(E1 E2)) IH(env,e) = If env = {} and env ` e ok then (steps(e) or isFinal(e))

Proof: Progress Lemma case ok-V: If X 2  then IH(,X)

Proof: Progress Lemma case ok-V: IH(,X) X 2  by assumption

Proof: Progress Lemma case ok-V: If = {} and ` X ok then (steps(X) or isFinal(X)) X 2  by assumption

Proof: Progress Lemma case ok-V: If = {} and {} ` X ok then (steps(X) or isFinal(X)) X 2  by assumption

Proof: Progress Lemma case ok-V: steps(X) or isFinal(X) X 2  by assumption = {} and {} ` X ok by assumption X 2 {} by (1) and (2) (steps(X) or isFinal(X)) by contradiction implied by (3)

Proof: Progress Lemma case ok-V: steps(X) or isFinal(X) X 2  by assumption = {} and {} ` X ok by assumption X 2 {} by ?? (steps(X) or isFinal(X)) by contradiction implied by (3)

Proof: Progress Lemma case ok-V: steps(X) or isFinal(X) X 2  by assumption = {} and {} ` X ok by assumption X 2 {} by (1) and (2) (steps(X) or isFinal(X)) by contradiction implied by (3)

Proof: Progress Lemma case ok-V: (steps(X) or isFinal(X)) X 2  by assumption = {} and {} ` X ok by assumption X 2 {} by (2) and invert-ok-V steps(X) or isFinal(X) by ??

Proof: Progress Lemma case ok-V: (steps(X) or isFinal(X)) X 2  by assumption = {} and {} ` X ok by assumption X 2 {} by (2) and invert-ok-V steps(X) or isFinal(X) by contradiction implied by (3)

Proof: Progress Lemma case ok-L: If IH( [ {X}, E) and X   then IH(,(X.E))

Proof: Progress Lemma case ok-L: IH(,(X.E)) IH( [ {X}, E) and X   by assumption

Proof: Progress Lemma case ok-L: If  = {} and  ` (X.E) ok then (steps((X.E)) or isFinal((X.E))) IH( [ {X}, E) and X   by assumption

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by ?? (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by ?? isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by ?? steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by ??

Proof: Progress Lemma case ok-L: steps((X.E)) or isFinal((X.E)) IH( [ {X}, E) and X   by assumption  = {} and  ` (X.E) ok by assumption {} ` (X.E) ok by (2) (X.E) 2 F by definition of F and (3) isFinal((X.E)) by definition of isFinal and (4) steps((X.E)) or isFinal((X.E)) by (5)

Proof: Progress Lemma case ok-A: If IH(,E1) and IH(,E2) then IH(,(E1 E2))

Proof: Progress Lemma case ok-A: IH(,(E1 E2)) IH(,E1) and IH(,E2)

Proof: Progress Lemma case ok-A: If  = {} and ` (E1 E2) ok then (steps((E1 E2)) or isFinal((E1 E2))) IH(,E1) and IH(,E2) by assumption

Proof: Progress Lemma case ok-A: steps((E1 E2)) or isFinal((E1 E2)) IH(,E1) and IH(,E2) by assumption  = {} and ` (E1 E2) ok by assumption {} ` (E1 E2) ok by (2) {} ` E1 ok and {} ` E2 ok by inversion of ok-A 9 e. (E1 E2)  e by induction on (E1 E2)  e … steps((E1 E2)) by definition of steps and (5) 7. steps((E1 E2)) or isFinal((E1 E2)) by (6)

Proof: Progress Lemma case ok-A: steps((E1 E2)) or isFinal((E1 E2)) IH(,E1) and IH(,E2) by assumption  = {} and ` (E1 E2) ok by assumption {} ` (E1 E2) ok by (2) {} ` E1 ok and {} ` E2 ok by inversion of ok-A 9 e. (E1 E2)  e by induction on (E1 E2)  e … steps((E1 E2)) by definition of steps and (5) 7. steps((E1 E2)) or isFinal((E1 E2)) by (6)

Proof: Progress Lemma case ok-A: steps((E1 E2)) or isFinal((E1 E2)) IH(,E1) and IH(,E2) by assumption  = {} and ` (E1 E2) ok by assumption {} ` (E1 E2) ok by (2) {} ` E1 ok and {} ` E2 ok by inversion of ok-A 9 e. (E1 E2)  e by induction on (E1 E2)  e … steps((E1 E2)) by definition of steps and (5) 7. steps((E1 E2)) or isFinal((E1 E2)) by (6)

Proof: Progress Lemma case ok-A: steps((E1 E2)) or isFinal((E1 E2)) IH(,E1) and IH(,E2) by assumption  = {} and ` (E1 E2) ok by assumption {} ` (E1 E2) ok by (2) {} ` E1 ok and {} ` E2 ok by inversion of ok-A 9 e. (E1 E2)  e by cases … steps((E1 E2)) by definition of steps and (5) 7. steps((E1 E2)) or isFinal((E1 E2)) by (6)

Proof: Progress Lemma case ok-A: steps((E1 E2)) or isFinal((E1 E2)) IH(,E1) and IH(,E2) by assumption  = {} and ` (E1 E2) ok by assumption {} ` (E1 E2) ok by (2) {} ` E1 ok and {} ` E2 ok by inversion of ok-A 9 e. (E1 E2)  e by cases … steps((E1 E2)) by definition of steps and (5) 7. steps((E1 E2)) or isFinal((E1 E2)) by (6)

Proof: Progress Lemma case ok-A: steps((E1 E2)) or isFinal((E1 E2)) IH(,E1) and IH(,E2) by assumption  = {} and ` (E1 E2) ok by assumption {} ` (E1 E2) ok by (2) {} ` E1 ok and {} ` E2 ok by inversion of ok-A 9 e. (E1 E2)  e by cases … steps((E1 E2)) by definition of steps and (5) 7. steps((E1 E2)) or isFinal((E1 E2)) by (6)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by ?? case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by ?? 5.2. (E1 E2)  (E1 E’2) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by ?? case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by ?? 5.2. (E’1 E2)  (E’1 E2)

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by ??

Proof: Progress Lemma 5. 9 e. (E1 E2)  e by cases (E1 E2) case E1 = (X’.E’) and E2 = (X’’.E’’): 5.1. (E1 E2)  [X’ Ã(X’’.E’’) ] E’ by A1 case E1 = (X’.E’) and E2  F: 5.1. E2  E’2 by IH({},E2) with (4) and E2  F 5.2. (E1 E2)  (E1 E’2) by A2 with (5.1) case E1  F : 5.1. E1  E’1 by IH({},E1) with (4) and E1  F 5.2. (E’1 E2)  (E’1 E2) by A3 with (5.1)

Summary Soundness Theorem: If {} ` E ok and E * E’ then :stuck(E’) Preservation Lemma: If {} ` E ok and E  E’ then {} ` E’ ok Progress Lemma: If {} ` E ok then (steps(E) or isFinal(E)) Substitution Lemma: If  [ {X} ` E ok and {} ` E’ ok then  ` [XÃE’]E ok

Summary Soundness follows from Preservation and Progress by induction on the ?? relation Soundness means well formed programs don’t get “stuck”

Summary Soundness follows from Preservation and Progress by induction on the * relation Soundness means well formed programs don’t get “stuck”

Summary Soundness follows from Preservation and Progress by induction on the * relation Soundness means well formed programs don’t get “stuck” Preservation follows by induction on the ?? relation

Summary Soundness follows from Preservation and Progress by induction on the * relation Soundness means well formed programs don’t get “stuck” Preservation follows by induction on the  relation

Summary Soundness follows from Preservation and Progress by induction on the * relation Soundness means well formed programs don’t get “stuck” Preservation follows by induction on the  relation Progress follows by induction on the wellformedness relation ??

Summary Soundness follows from Preservation and Progress by induction on the * relation Soundness means well formed programs don’t get “stuck” Preservation follows by induction on the  relation Progress follows by induction on the wellformedness relation ( ` E ok)

Lesson Learned High-level structure of soundness proof All soundness for SOS semantics proofs are basically the same The details vary in small but important ways Proofs are straightforward but tedious Details easy to get confused if not organized Someone ought to automate these proofs or at least their checking See Twelf, Coq, Isabella/HOL … etc.