# Imports

##### Equality

````
module code.eq where

infix 4 _‚â°_
data _‚â°_ {A : Set} (x : A) : A ‚Üí Set where
  refl : x ‚â° x
  
sym : {A : Set} {x y : A} ‚Üí x ‚â° y ‚Üí y ‚â° x
sym refl = refl

trans : {A : Set} {x y z : A} ‚Üí x ‚â° y ‚Üí y ‚â° z ‚Üí x ‚â° z
trans refl refl = refl

cong : {A B : Set} (f : A ‚Üí B) {x y : A} ‚Üí x ‚â° y ‚Üí f x ‚â° f y
cong f refl = refl

subst : ‚àÄ {A : Set} {x y : A} (P : A ‚Üí Set) ‚Üí x ‚â° y ‚Üí P x ‚Üí P y
subst P refl px = px
````

##### Natural numbers

````
module code.nat where
open import code.eq public

data ‚Ñï : Set where 
  zero : ‚Ñï
  suc : ‚Ñï ‚Üí ‚Ñï
  
{-# BUILTIN NATURAL ‚Ñï #-}

infixl 5 _+_
_+_ : ‚Ñï ‚Üí ‚Ñï ‚Üí ‚Ñï
zero + m = m
(suc n) + m = suc (n + m)

postulate +-comm : (m n : ‚Ñï) ‚Üí m + n ‚â° n + m

infix 4 _‚â§_
data _‚â§_ : ‚Ñï ‚Üí ‚Ñï ‚Üí Set where
  0‚â§n : {n : ‚Ñï} ‚Üí 0 ‚â§ n
  s‚â§s : {m n : ‚Ñï} ‚Üí m ‚â§ n ‚Üí suc m ‚â§ suc n
  
‚â§-trans : ‚àÄ {o m n} ‚Üí o ‚â§ m ‚Üí m ‚â§ n ‚Üí o ‚â§ n
‚â§-trans 0‚â§n m‚â§n = 0‚â§n
‚â§-trans (s‚â§s o‚â§m) (s‚â§s m‚â§n) = s‚â§s (‚â§-trans o‚â§m m‚â§n)

‚â§-+-left : ‚àÄ {m1 m2} ‚Üí m1 ‚â§ m1 + m2
‚â§-+-left {zero} = 0‚â§n
‚â§-+-left {suc m1} = s‚â§s ‚â§-+-left

‚â§-+-right : ‚àÄ {m1 m2} ‚Üí m2 ‚â§ m1 + m2
‚â§-+-right {m1} {m2} = subst (m2 ‚â§_) (sym (+-comm m1 m2)) (‚â§-+-left {m2} {m1})

-- Agda 2.5.3 has a problem with this one
-- Agda 2.6 works OK
postulate ‚â§-suc2 : ‚àÄ {m n} ‚Üí suc m ‚â§ n ‚Üí m ‚â§ n
--‚â§-suc2 sm‚â§n = ‚â§-trans ‚â§-+-right sm‚â§n

infix 4 _<_
_<_ : ‚Ñï ‚Üí ‚Ñï ‚Üí Set
m < n = suc m ‚â§ n
````

##### Dependent product

````
module code.product where

infixr 4 _,_
record Œ£ {l} (A : Set l) (B : A ‚Üí Set) : Set l where
    constructor _,_
    field
      fst : A
      snd : B fst

-- non-dependent product
infixr 2 _‚àß_
_‚àß_ : Set ‚Üí Set ‚Üí Set
A ‚àß B = Œ£ A (Œª _ ‚Üí B)

infix 0 thereExists
thereExists : ‚àÄ {l} {A : Set l} (B : A ‚Üí Set) ‚Üí Set l
thereExists {_} {A} B = Œ£ A B

syntax thereExists (Œª x ‚Üí B) = ‚àÉ[ x ] B
````

##### Negation

````
module code.neg where

data ‚ä• : Set where

‚ä•-elim : {A : Set} ‚Üí ‚ä• ‚Üí A
‚ä•-elim ()

infix 3 ¬¨_ -- higher priority than ‚à® and ‚àß

¬¨_ : Set ‚Üí Set
¬¨ A = A ‚Üí ‚ä•
````

## Boolean values

````
module code.bool where
````

We define the domain of boolean values,
which will be useful later in order to give semantics to boolean expressions.

````
data ùîπ : Set where
  true : ùîπ
  false : ùîπ
````

### **Exercise**: Computation on `ùîπ`

Define the semantic operations of conjunction, disjunction, and negation on boolean values.

In [None]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.bool.op where
open import code.bool public

infix 5 _&&_
_&&_ : ùîπ ‚Üí ùîπ ‚Üí ùîπ
b && c = ?

infix 6 _||_
_||_ : ùîπ ‚Üí ùîπ ‚Üí ùîπ
b || c = ?

infix 4 ~_
~_ : ùîπ ‚Üí ùîπ
~ b = ?



# Decidables

## Order on `‚Ñï`

Consider again the inductive definition of `‚â§` for natural numbers:

```agda
--data _‚â§_ : ‚Ñï ‚Üí ‚Ñï ‚Üí Set where
--0‚â§n : {n : ‚Ñï} ‚Üí 0 ‚â§ n
--s‚â§s : {m n : ‚Ñï} ‚Üí m ‚â§ n ‚Üí suc m ‚â§ suc n
```

<!--The essence of this definition is that evidence of `m ‚â§ n`
can be used to produce evidence of `suc m ‚â§ suc n`. -->

While the definition of `‚â§` can be used to establish `m ‚â§ n`
for concrete numbers `m` and `n`,
it does not directly yield an algorithm for checking whether `m ‚â§ n` holds.

(And for a good reason. As we will see below, inductive definitions such as `‚â§` can encode two-counter Minsky machines, and therefore such relations are undecidable in general.)

### **Exercise**: `‚â§·µá`

Write a program that returns `true` or `false` depending on whether `m ‚â§ n` holds or not.

*Hint:* Proceed by recursion on the first argument.

In [None]:
open import code.nat public

infix 15 _‚â§·µá_
_‚â§·µá_ : ‚Ñï ‚Üí ‚Ñï ‚Üí ùîπ
m ‚â§·µá n = ?

?0 : ùîπ


The function `_‚â§·µá_` *computes* the answer to whether `m ‚â§ n` holds.
This means that `m ‚â§ n` is a *decidable* property of the natural numbers.

However, `_‚â§·µá_` does not itself compute a *proof* that `m ‚â§ n` holds,
and in fact there may well be bugs in the definition of `_‚â§·µá_`.

## Decidable properties

We show that we can develop `_‚â§·µá_` and the proof of its correctness in a single definition.

````
module code.decidable where
open import code.neg public
open import code.nat public
````

We can combine a decision procedure for a property
together with the construction of the evidence that the property holds
with the introduction of the class of *decidable properties*.

````
data Dec (A : Set) : Set where
  yes : A ‚Üí Dec A
  no : ¬¨ A ‚Üí Dec A
````

The intuition is that evidence for `Dec A` has one of two possible forms:
Either it is of the form `yes p` where `p` is a proof that `A` holds,
or it is of the form `no ¬¨p` where `¬¨p` is a proof that `¬¨ A` holds.

The crucial improvement is the introduction of evidence also when the property does not hold.

### **Exercise:** `_‚â§_` is decidable

Show that the order `_‚â§_` on natural number is decidable.
This is an instance of *internal verification*,
whereby an algorithm and its proof of correctness are developed together.

In [None]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.nat.leq.decidable where
open import code.decidable public

‚â§-suc : {m n : ‚Ñï} ‚Üí suc m ‚â§ suc n ‚Üí m ‚â§ n
‚â§-suc = ?

_‚â§?_ : (m n : ‚Ñï) ‚Üí Dec (m ‚â§ n)
0 ‚â§? _ = ?
(suc _) ‚â§? 0 = ?
(suc m) ‚â§? (suc n) with m ‚â§? n
... | yes m‚â§n = ?
... | no ¬¨m‚â§n = ?

?0 : suc m ‚â§ suc n ‚Üí m ‚â§ n
?1 : Dec (zero ‚â§ n)
?2 : Dec (suc x ‚â§ zero)
?3 : Dec (suc m ‚â§ suc n)
?4 : Dec (suc m ‚â§ suc n)


# Arithmetic expressions

````
{-# OPTIONS --allow-unsolved-metas #-}

module code.aexp where
open import code.eq public
open import code.nat public
open import code.decidable public
open import code.product public
````

We develop an eager denotational and operational semantics
for a simple language of arithmetic expressions,
and we prove that they agree.

## Variables

We represent *variable names* as natural number.
Any countable domain with decidable equality (such as strings) would work here

````
Var = ‚Ñï
````

### Decidable equality

We  show that variables have a decidable equality,
which boils down to show that the same property holds for natural numbers.

````
var-inv : ‚àÄ {x y} ‚Üí suc x ‚â° suc y ‚Üí x ‚â° y
var-inv refl = refl

infix 5 _‚â°Var?_
_‚â°Var?_ : (x y : Var) ‚Üí Dec (x ‚â° y)
0 ‚â°Var? 0 = yes refl
0 ‚â°Var? suc _ = no Œª ()
suc _ ‚â°Var? 0 = no Œª ()
suc x ‚â°Var? suc y with x ‚â°Var? y
... | yes refl = yes refl
... | no neq = no Œª eq ‚Üí neq (var-inv eq)
````

## Syntax of expressions

We define a minimalistic language of arithmetic expressions
comprising variables and a let assignment construct.

````
data AExp : Set where
  num : ‚Ñï ‚Üí AExp
  var : Var ‚Üí AExp
  plus : AExp ‚Üí AExp ‚Üí AExp
  let-exp : Var ‚Üí AExp ‚Üí AExp ‚Üí AExp
````

For example,
the following expression adds one to a variable (called 10).
This is pure syntax so far, no calculation is being performed.

````
add-one : AExp
add-one = plus (var 10) (num 1)
````

## Environments

In order to represent the value of free variables,
we use environments.

````
Env = Var ‚Üí ‚Ñï
````

The following environment assigns value `200` to the variable named `10`,
and value `40` to every other variable.

````
œÅ0 : Env
œÅ0 10 = 200
œÅ0 _ = 40
````

### **Exercise**: `Env` updates

Given an environment `œÅ`, a variable `x` and a new value  `m` for this variable,
let `œÅ [ x ‚Ü¶ m ]` be a new environment which assigns `m` to `x`,
and agrees with `œÅ` elsewhere.

Complete the definition for the environment update function `_[_‚Ü¶_]`.

In [None]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.aexp.env where
open import code.aexp public

infixr 30 _[_‚Ü¶_]
_[_‚Ü¶_] : Env ‚Üí Var ‚Üí ‚Ñï ‚Üí Env
(œÅ [ x ‚Ü¶ m ]) y with x ‚â°Var? y
... | yes _ = ?
... | no _ = ?

?0 : ‚Ñï
?1 : ‚Ñï


## **Exercise**: `‚ü¶_‚üßA_`

We are now ready to give denotational semantics to arithmetic expressions.
Complete the definition of `‚ü¶_‚üßA_` below.

In [158]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.aexp.sem where
open import code.aexp.env public

infix 10 ‚ü¶_‚üßA_
‚ü¶_‚üßA_ : AExp ‚Üí Env ‚Üí ‚Ñï
‚ü¶ e ‚üßA œÅ = ?

?0 : ‚Ñï


# Boolean expressions

````
module code.bexp where
open import code.aexp.sem public
open import code.nat.leq.decidable public
open import code.bool.op public
````

We define a simple language of boolan expressions.

## Syntax of expressions

An element in `BExp` is a boolean combination
of atomic expressions of the form `leq e f`,
where `e` and `f` are arithmetic expressions.

````
data BExp : Set where
  tt : BExp
  ff : BExp
  and : BExp ‚Üí BExp ‚Üí BExp
  or : BExp ‚Üí BExp ‚Üí BExp
  not : BExp ‚Üí BExp
  leq : AExp ‚Üí AExp ‚Üí BExp
````

## **Exercise**: `‚ü¶_‚üßB_`

 Define the denotational semantics of boolean expressions.
 
 *Hint:* In the `leq` case you will need `_‚â§?_`.

In [161]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.bexp.sem where
open import code.bexp public

infix 10 ‚ü¶_‚üßB_
‚ü¶_‚üßB_ : BExp ‚Üí Env ‚Üí ùîπ
‚ü¶ b ‚üßB œÅ = ?

?0 : ùîπ


# Imperative programs

````
module code.imp where
open import code.bexp.sem public

infixr 20 _‚®ü_
infix 25 _‚âî_
````

## Syntax of programs 

We define a simple imperative language,
leveraging on arithmetic and boolean expressions defined above.

````
data Cmd : Set where
  skip : Cmd
  _‚âî_ : Var ‚Üí AExp ‚Üí Cmd
  _‚®ü_ : Cmd ‚Üí Cmd ‚Üí Cmd
  if_then_else_ : BExp ‚Üí Cmd ‚Üí Cmd ‚Üí Cmd
  while_do:_ : BExp ‚Üí Cmd ‚Üí Cmd
````

For example, the following is a valid program (piece of syntax).

````
loop : Cmd
loop = while tt do: skip
````

(We added a colon in the syntax of `while_do:_`
because `do` is a reserved keyword.)

## Denotational semantics

It may come as a surprise,
but it is not possible to define the semantics of imperative programs as an Agda function,
because Agda allows only terminating (i.e., total) functions.
On the other hand, imperative programs, such as `loop` above, may not terminate.

Therefore, we resort to an operational semantics.

## Big-steps operational semantics

We begin with the notion of state,
which is the same as environments as of now,
but needs not be.

````
State = Var ‚Üí ‚Ñï
````

The definition of the operational semantics of imperative programs
follows a case analysis.

````
infix 4 _,_‚áí_
data _,_‚áí_ : Cmd ‚Üí State ‚Üí State ‚Üí Set where
````

### `skip`

The `skip` command terminates immediately without changing the state.

````
  ‚áí-skip : ‚àÄ {s} ‚Üí
    skip , s ‚áí s
````

### `x ‚âî e`

The assignment command modifies the state
by updating the value of `x` to the value of `e` in the current state.

````
  ‚áí-assign : ‚àÄ {s x e} ‚Üí
    x ‚âî e , s ‚áí s [ x ‚Ü¶ ‚ü¶ e ‚üßA s ]
````

### `c ‚®ü d`

Sequencing two commands amounts to thread the state change.

````
  ‚áí-seq : ‚àÄ {c d s s' s''} ‚Üí
    c , s ‚áí s' ‚Üí
    d , s' ‚áí s'' ‚Üí
    c ‚®ü d , s ‚áí s''
````

### `if b then c else d`

For conditionals, there are two cases to consider,
depending on whether the condition evaluates to true or to false.

````
  ‚áí-if-tt : ‚àÄ {b s c s' d} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° true ‚Üí
    c , s ‚áí s' ‚Üí
    if b then c else d , s ‚áí s'
    
  ‚áí-if-ff : ‚àÄ {b s c s' d} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° false ‚Üí
    d , s ‚áí s' ‚Üí
    if b then c else d , s ‚áí s'
````

### `while b do: c`

Similarly, for while loops there are two cases to consider.

````
  ‚áí-while-tt : ‚àÄ {b s c s' s''} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° true ‚Üí
    c , s ‚áí s' ‚Üí
    while b do: c , s' ‚áí s'' ‚Üí
    while b do: c , s ‚áí s''
  
  ‚áí-while-ff : ‚àÄ {b s c} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° false ‚Üí
    while b do: c , s ‚áí s
````

This concludes the definition of the operational semantics ` c , s ‚áí s'`.

## **Exercise**: `do: c while b`

Extend the syntax and semantics of imperative programs
by adding a new construct

````
-- do: c while b
````

where `c` is a command and `b` a boolean expression.
The informal semantics of the do-while construct
is to first execute `c`,
and then evaluate the guard `b`:
If it evaluates to true, then we repeat the process,
otherwise we exit the loop.

## **Exercise**: Determinism

Since we cannot encode the semantics of imperative programs as a function,
we immediately lose some properties which are for free for functions.

One example is deterministic evaluation.
Consequently, we need to prove separately
that evaluation of programs is deterministic.

Show that evaluation of imperative programs is deterministic.

In [None]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.imp.det where
open import code.imp public

-- convenient to rule out some impossible cases.
false‚â°true : {A : Set} ‚Üí false ‚â° true ‚Üí A
false‚â°true ()

‚áí-det : ‚àÄ {c s s' s''} ‚Üí c , s ‚áí s' ‚Üí c , s ‚áí s'' ‚Üí s' ‚â° s''
‚áí-det ‚áí-skip ‚áí-skip = ?
‚áí-det ‚áí-assign ‚áí-assign = ?
‚áí-det (‚áí-seq der1 der2) (‚áí-seq der3 der4) = ?
‚áí-det (‚áí-if-tt _ der1) (‚áí-if-tt _ der2) = ?
‚áí-det (‚áí-if-tt x _) (‚áí-if-ff y _) = ?
‚áí-det (‚áí-if-ff x _) (‚áí-if-tt y _) = ?
‚áí-det (‚áí-if-ff _ der1) (‚áí-if-ff _ der2) = ?
‚áí-det (‚áí-while-tt x der1 der2) (‚áí-while-tt y der3 der4) = ?
‚áí-det (‚áí-while-tt x _ _) (‚áí-while-ff y) = ?
‚áí-det (‚áí-while-ff x) (‚áí-while-tt y _ _) = ?
‚áí-det (‚áí-while-ff _) (‚áí-while-ff _) = ?

?0 : s ‚â° s
?1 : s [ x ‚Ü¶ ‚ü¶ e ‚üßA s ] ‚â° s [ x ‚Ü¶ ‚ü¶ e ‚üßA s ]
?2 : s' ‚â° s''
?3 : s' ‚â° s''
?4 : s' ‚â° s''
?5 : s' ‚â° s''
?6 : s' ‚â° s''
?7 : s' ‚â° s''
?8 : s' ‚â° s
?9 : s ‚â° s''
?10 : s ‚â° s


## **Exercise**: `loop`

Show that the program `loop` introduced above never stops.

In [None]:
loop-‚ä• : ‚àÄ {s s'} ‚Üí ¬¨ (loop , s ‚áí s')
loop-‚ä• = ?

?0 : ¬¨ loop , s ‚áí s'


## Small-steps operational semantics

````
module code.imp.small-steps where
open import code.imp.det public
open import code.product public
````

We provide an alternative small-steps semantics for imperative programs.

### Configurations

````
Conf = Cmd ‚àß State -- Cartesian product
````

We treat configurations of the form `skip , s` as final,
hence there is no rule for the `skip` command.

````
infix 3 _‚Üù_
data _‚Üù_ : Conf ‚Üí Conf ‚Üí Set where
````

### `x ‚âî e`

In the rule for assignment,
we just evaluate the arithmetic expression `e`
and update the state accordingly.

(We could have used the operational semantics of arithmetic expressions here,
but we avoid it for simplicity.
A similar remark applies to boolean expressions below.)

````
  ‚Üù-assign : ‚àÄ {x e s} ‚Üí
    x ‚âî e , s ‚Üù skip , s [ x ‚Ü¶ ‚ü¶ e ‚üßA s ]
````

### `c ‚®ü d`

In the case of sequencing `c ‚®ü d`,
where are two cases.

In the case `‚Üù-seq-left`, we evaluate one step of `c`.
In the case `‚Üù-seq-right`, `c` has finished and we continue with `d`.

````
  ‚Üù-seq-left : ‚àÄ {c s c' s' d} ‚Üí
    c , s ‚Üù c' , s' ‚Üí
    c ‚®ü d , s ‚Üù c' ‚®ü d , s'
    
  ‚Üù-seq-right : ‚àÄ {d s} ‚Üí
    skip ‚®ü d , s ‚Üù d , s
````

### `if b then c else d`

The conditional has two symmetric cases,
depending on whether the condition evaluates to `true` or `false`.

````
  ‚Üù-if-tt : ‚àÄ {b s c d} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° true ‚Üí
    if b then c else d , s ‚Üù c , s
    
  ‚Üù-if-ff : ‚àÄ {b s c d} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° false ‚Üí
    if b then c else d , s ‚Üù d , s
````

### `while b do: c`

The while looping construct also has two cases.
If the condition `b` evaluates to true,
then the command rewrites to `c ‚®ü while b do: c`.
Otherwise, it terminates rewriting to `skip`.

````
  ‚Üù-while-tt : ‚àÄ {b c s} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° true ‚Üí
    while b do: c , s ‚Üù c ‚®ü while b do: c , s
    
  ‚Üù-while-ff : ‚àÄ {b c s} ‚Üí
    ‚ü¶ b ‚üßB s ‚â° false ‚Üí
    while b do: c , s ‚Üù skip , s
````

## Transitive closure `‚Üù*`

In order to formalise this, we first need to be able to combine many small steps together, i.e., we take the transitive closure of `_,_‚Üù_,_`.

````
infix 3 _‚Üù*_
data _‚Üù*_ : Conf ‚Üí Conf ‚Üí Set where
  stop : ‚àÄ {x} ‚Üí x ‚Üù* x
  one : ‚àÄ {x y z} ‚Üí x ‚Üù y ‚Üí y ‚Üù* z ‚Üí x ‚Üù* z
````

### **Exercise**: Transitivity

Show that the relation `‚Üù*` on configurations is indeed transitive.
*Hint*: Do induction on `der1`.

In [169]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.imp.small-steps.trans where
open import code.imp.small-steps public

‚Üù*-trans : ‚àÄ {x y z} ‚Üí x ‚Üù* y ‚Üí y ‚Üù* z ‚Üí x ‚Üù* z
‚Üù*-trans der1 der2 = ?

?0 : x ‚Üù* z


### Notation for transitive closure

````
module code.imp.small-steps.chains where
open import code.imp.small-steps.trans public
````

The following suggestive notation will be useful for simplyfying carrying out proofs involving `‚Üù*`.
They are entirely analogous to the chain of equalities constructed with `‚â°‚ü®‚ü©`.

````
infix  1 start_
infixr 2 _‚Üù*‚ü®‚ü©_ _‚Üù‚ü®_‚ü©_ _‚Üù*‚ü®_‚ü©_
infix  3 _end

start_ : ‚àÄ {x y} ‚Üí x ‚Üù* y ‚Üí x ‚Üù* y
start x‚Üù*y = x‚Üù*y

_‚Üù*‚ü®‚ü©_ : ‚àÄ x {y} ‚Üí x ‚Üù* y ‚Üí x ‚Üù* y
x ‚Üù*‚ü®‚ü© x‚Üù*y = x‚Üù*y

_‚Üù‚ü®_‚ü©_ : ‚àÄ x {y z} ‚Üí x ‚Üù y ‚Üí y ‚Üù* z ‚Üí x ‚Üù* z
x ‚Üù‚ü® x‚Üùy ‚ü© y‚Üù*z = one x‚Üùy y‚Üù*z

_‚Üù*‚ü®_‚ü©_ : ‚àÄ x {y z} ‚Üí x ‚Üù* y ‚Üí y ‚Üù* z ‚Üí x ‚Üù* z
x ‚Üù*‚ü® x‚Üù*y ‚ü© y‚Üù*z = ‚Üù*-trans x‚Üù*y y‚Üù*z

_end : ‚àÄ x ‚Üí x ‚Üù* x
x end = stop
````

### **Exercise**: A lemma about `‚®ü`

Our objective is to show that small steps and big steps semantics agree.

Before showing this,
we need to prove a lemma
connecting sequencing `‚®ü` and `‚Üù*`.

In [172]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.imp.small-steps.lemma1 where
open import code.imp.small-steps.chains public

‚®ü-lemma-1 : ‚àÄ {c d s s' s''} ‚Üí
  c , s ‚Üù* skip , s'' ‚Üí
  d , s'' ‚Üù* skip , s' ‚Üí
  c ‚®ü d , s ‚Üù* skip , s'
‚®ü-lemma-1 stop der2 = ?
‚®ü-lemma-1 {c} {d} {s} {s'} {s''} (one {y = c' , s'''} step der1) der2 = ?

?0 : skip ‚®ü d , s ‚Üù* skip , s'
?1 : c ‚®ü d , s ‚Üù* skip , s'


## From big to small steps: `big‚Üísmall`

````
module code.imp.big-vs-small where
open import code.imp.small-steps.lemma1 public
````

Once we have two alternative semantics for imperative programs,
the question arises as to whether they are equivalent.

We show that the big steps and the small steps operational semantics of imperative programs yield the same results.
There are two directions to show.

We begin in this section with the easier direction `big‚Üísmall`:
the big step semantics implies the small step one.

````
big‚Üísmall : ‚àÄ c s s' ‚Üí c , s ‚áí s' ‚Üí c , s ‚Üù* skip , s'
````

### `skip`, `x ‚âî e`

The proofs for the skip and assignment constructs are immediate.

````
big‚Üísmall skip s .s ‚áí-skip = stop
big‚Üísmall (x ‚âî e) s .(s [ x ‚Ü¶ ‚ü¶ e ‚üßA s ]) ‚áí-assign = one ‚Üù-assign stop
````

### `c ‚®ü d`

In the case of sequencing `c ‚®ü d`
we call the inductive assumption twice and we collect the results.

````
big‚Üísmall (c ‚®ü d) s s' (‚áí-seq {s' = s''} ‚áí-der1 ‚áí-der2)
    with big‚Üísmall c s s'' ‚áí-der1 | big‚Üísmall d s'' s' ‚áí-der2
... | ‚Üù*-der1 | ‚Üù*-der2 =
  start
    c ‚®ü d , s ‚Üù*‚ü® ‚®ü-lemma-1 ‚Üù*-der1 ‚Üù*-der2 ‚ü©
    skip , s'
  end
````
### `if b then c else d`

The conditional construct has two cases,
depending on whether the condition holds or not.

````
big‚Üísmall (if b then c else d) s s' (‚áí-if-tt b‚â°true ‚áí-der)
    with big‚Üísmall c s s' ‚áí-der
... | ‚Üù*-der =
  start
    if b then c else d , s ‚Üù‚ü® ‚Üù-if-tt b‚â°true ‚ü©
    c , s ‚Üù*‚ü® ‚Üù*-der ‚ü©
    skip , s'
  end

big‚Üísmall (if b then c else d) s s' (‚áí-if-ff b‚â°false ‚áí-der)
    with big‚Üísmall d s s' ‚áí-der
... | ‚Üù*-der =
  start
    if b then c else d , s ‚Üù‚ü® ‚Üù-if-ff b‚â°false ‚ü©
    d , s ‚Üù*‚ü® ‚Üù*-der ‚ü©
    skip , s'
  end
````

### `while b do: c`

Finally, also for while loops there are two cases,
depending on whether the guard `b` holds or not.
In the `true` case we apply the inductive assumption twice.

````
big‚Üísmall (while b do: c) s s' (‚áí-while-tt {s' = s''} b‚â°true ‚áí-der1 ‚áí-der2)
    with big‚Üísmall c s s'' ‚áí-der1 | big‚Üísmall (while b do: c) s'' s' ‚áí-der2
... | ‚Üù*-der1 | ‚Üù*-der2 =
  start
    while b do: c , s ‚Üù‚ü® ‚Üù-while-tt b‚â°true ‚ü©
    c ‚®ü while b do: c , s  ‚Üù*‚ü® ‚®ü-lemma-1 ‚Üù*-der1 ‚Üù*-der2 ‚ü©
    skip , s'
  end  

big‚Üísmall (while b do: c) s .s (‚áí-while-ff b‚â°false) =
  start
    while b do: c , s ‚Üù‚ü® ‚Üù-while-ff b‚â°false ‚ü©
    skip , s
  end
````

## From small to big steps: first attempt

````
module code.imp.small-vs-big-try where
open import code.imp.big-vs-small public
````

We turn now our attention to the other direction of the equivalence between small and big steps operational semantics,
namely

````
small‚Üíbig : ‚àÄ c s s' ‚Üí c , s ‚Üù* skip , s' ‚Üí c , s ‚áí s'
````

A natural starting point is the converse of `‚®ü-lemma-1` above.

````
postulate ‚®ü-lemma-2 : ‚àÄ {c d s s'} ‚Üí c ‚®ü d , s ‚Üù* skip , s' ‚Üí ‚àÉ[ s'' ] c , s ‚Üù* skip , s'' ‚àß d , s'' ‚Üù* skip , s'
````

However, it turns out that the statement `small‚Üíbig` above
creates problems for the termination checker in first `while` case
(all the other cases go through):

````
small‚Üíbig (while b do: c) s s' (one (‚Üù-while-tt b‚â°true) ‚Üù*-der)
    with ‚®ü-lemma-2 ‚Üù*-der
... | s'' , ‚Üù*-der1 , ‚Üù*-der2
    with small‚Üíbig c s s'' ‚Üù*-der1 |
         ? {- small‚Üíbig (while b do: c) s'' s' ‚Üù*-der2 -}
... | ‚áí-der1 | ‚áí-der2 = ‚áí-while-tt b‚â°true ‚áí-der1 ‚áí-der2
small‚Üíbig _ _ _ _ = ?
````

The issue with the commented code above
is that no argument of the call

````
-- small‚Üíbig (while b do: c) s'' s' ‚Üù*-der2
````

is structurally smaller than the original call.

What is missing here is an argument to convince the termination checker
that `‚Üù*-der2` is "smaller" than ` ‚Üù*-der`.
In order to formalise this, we need to refine the `‚Üù*` relation
in order to take into account the *number* of derivation steps.

## Transitive closure with gas

````
module code.imp.small-steps.gas where
open import code.imp.big-vs-small public
````

The idea is to enrich the transitive closure relation
with the information about how many derivation steps have been made so far.

````
infix 3 _‚Üù*_#_
data _‚Üù*_#_ : Conf ‚Üí Conf ‚Üí ‚Ñï ‚Üí Set where
  stop : ‚àÄ {x} ‚Üí x ‚Üù* x # 0
  one : ‚àÄ {x y z n} ‚Üí x ‚Üù y ‚Üí y ‚Üù* z # n ‚Üí x ‚Üù* z # suc n
````

In the base case `stop` we terminate the computation immediately with `0` number of steps,
and in the inductive case `one` we add an extra step
to the number of steps `n` performed inductively.

### **Exercise**: A second lemma about `‚®ü`

We can now prove the converse of `‚®ü-lemma-1` above
in the richer setting offered by `_‚Üù*_#_`.

(Also `‚®ü-lemma-1` can be generalised to `_‚Üù*_#_`,
but we won't need it here.)

In [None]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.imp.small-steps.lemma2 where
open import code.imp.small-steps.gas public

‚®ü-lemma-2 : ‚àÄ {c d s s' m} ‚Üí
  c ‚®ü d , s ‚Üù* skip , s' # m ‚Üí
  ‚àÉ[ s'' ] ‚àÉ[ m1 ] ‚àÉ[ m2 ]
      c , s ‚Üù* skip , s'' # m1 ‚àß
      d , s'' ‚Üù* skip , s' # m2 ‚àß
      suc (m1 + m2) ‚â° m
‚®ü-lemma-2 (one (‚Üù-seq-left step) ‚Üù-der) = ?
‚®ü-lemma-2 {s = s} (one {n = n} ‚Üù-seq-right ‚Üù-der) = ?

?0
  : thereExists
    (Œª s'' ‚Üí
       thereExists
       (Œª m1 ‚Üí
          thereExists
          (Œª m2 ‚Üí
             c , s ‚Üù* skip , s'' # m1 ‚àß
             d , s'' ‚Üù* skip , s' # m2 ‚àß suc (m1 + m2) ‚â° suc n)))
?1
  : thereExists
    (Œª s'' ‚Üí
       thereExists
       (Œª m1 ‚Üí
          thereExists
          (Œª m2 ‚Üí
             skip , s ‚Üù* skip , s'' # m1 ‚àß
             d , s'' ‚Üù* skip , s' # m2 ‚àß suc (m1 + m2) ‚â° suc n)))


### **Exercise**: `skip` and `‚Üù*`

Show that executing the `skip` command necessarily terminates in `0` steps.

*Hint*: Convince Agda that only the case `stop` needs to be considered.

In [None]:
{-# OPTIONS --allow-unsolved-metas #-}
module code.imp.small-steps.skip where
open import code.imp.small-steps.gas public

‚Üù*-skip : ‚àÄ {s c s' m} ‚Üí skip , s ‚Üù* c , s' # m ‚Üí c ‚â° skip ‚àß s ‚â° s' ‚àß m ‚â° 0
‚Üù*-skip der = ?

?0 : c ‚â° skip ‚àß s ‚â° s' ‚àß m ‚â° 0


## Well-founded induction

````
module code.wf where
open import code.nat public
````

We now need a [technique](https://stackoverflow.com/questions/19642921/assisting-agdas-termination-checker) to convince the termination checker of Agda
that recursively calling `small‚Üíbig` on derivations of strictly smaller length will eventually terminate.

This is called *well-founded induction*
(a.k.a. *complete induction*, *course of values induction*, or *strong induction*),
a general technique that can be applied to many other settings.

First of all we define a data structure that expresses the fact that a natural number is *accessible*.

````
data Acc (n : ‚Ñï) : Set
Pre : ‚Ñï ‚Üí Set

data Acc n where
    acc : Pre n ‚Üí Acc n
    
Pre n = ‚àÄ m ‚Üí m < n ‚Üí Acc m
````

Intuitively, a number `n` is accessible
if every strictly smaller number `m < n` is also accessible.
In this way, well-founded induction becomes a simple *structural induction*
on the evidence that `Acc n` holds.

We are ready to state and prove that the strict order `_<_` is *well-founded*:

````
<-wf : ‚àÄ n ‚Üí Acc n
<-wf zero = acc Œª _ ()
<-wf (suc n) with <-wf n
... | acc f = acc g
    where
    g : Pre (suc n)
    g zero _ = acc Œª _ ()
    g (suc m) (s‚â§s m<n) = acc Œª o o‚â§m ‚Üí f o (‚â§-trans o‚â§m m<n)
````

<!--In the base case, `zero` is trivially accessible since it has no predecessors.

In the inductive step, we have to show that `suc n` is accessible,
and we inductively assume that `n` is accessible.-->

## From small to big steps: `small‚Üíbig`

````
module code.imp.small-vs-big where
open import code.imp.small-steps.skip public
open import code.imp.small-steps.lemma2 public
open import code.wf public
````

We are now ready to prove that the small step semantics implies the big step one.

````
small‚Üíbig : ‚àÄ c s s' n ‚Üí c , s ‚Üù* skip , s' # n ‚Üí c , s ‚áí s'
small‚Üíbig c s s' n ‚Üù*-der = go c s s' n ‚Üù*-der (<-wf n) where
 go : ‚àÄ c s s' n ‚Üí  c , s ‚Üù* skip , s' # n ‚Üí Acc n ‚Üí c , s ‚áí s'
````

We employ a helper function `go`
which has an additional parameter `Acc n`
allowing us to do well-founded induction in the crucial `while` case below.

### `skip`

The `skip` case is immediate.

````
 go skip s .s 0 stop _ = ‚áí-skip
````

### `x ‚âî e`

In the assignment case we call `‚Üù*-skip ‚Üù*-der`
to enure that `s' ‚â° s [ x ‚Ü¶ ‚ü¶ e ‚üßA s ]`
as required by `‚áí-assign`.

````
 go (x ‚âî e) s s' (suc m) (one ‚Üù-assign ‚Üù*-der) _
     with ‚Üù*-skip ‚Üù*-der
 ... | refl , refl , refl = ‚áí-assign
````

### `c ‚®ü d`

In the sequencing case
we first call `‚®ü-lemma-2 ‚Üù*-der` to discover that

1. `‚Üù*-der1 : c , s ‚Üù* skip , s'' # _`, and
2. `‚Üù*-der2 : d , s'' ‚Üù* skip , s' # _`.

With this information in hand,
we recursively call `small‚Üíbig` on the subcomputations
`‚Üù*-der1`, `‚Üù*-der2` and we assemble the results back with `‚áí-seq`.

````
 go (c ‚®ü d) s s' (suc m) ‚Üù*-der _
     with ‚®ü-lemma-2 ‚Üù*-der
 ... | s'' , m1 , m2 , ‚Üù*-der1 , ‚Üù*-der2 , _
     with small‚Üíbig c s s'' m1 ‚Üù*-der1 | small‚Üíbig d s'' s' m2 ‚Üù*-der2
 ... | ‚áí-der1 | ‚áí-der2 = ‚áí-seq ‚áí-der1 ‚áí-der2
````

Note how we do not need to reason about the lengths `m1`, `m2` of the two subcomputations `‚Üù*-der1`, `‚Üù*-der2`
because the recursive calls `small‚Üíbig c ...` and `small‚Üíbig d`
are done on structurally smaller programs `c`, resp., `d`.

### `if b then c else d`

The case for conditional is straightforward.

````
 go (if b then c else d) s s' (suc m) (one (‚Üù-if-tt b‚â°true) ‚Üù*-der) _
     with small‚Üíbig c s s' m ‚Üù*-der
 ... | ‚áí-der = ‚áí-if-tt b‚â°true ‚áí-der

 go (if b then c else d) s s' (suc m) (one (‚Üù-if-ff b‚â°false) ‚Üù*-der) _
     with small‚Üíbig d s s' m ‚Üù*-der
 ... | ‚áí-der = ‚áí-if-ff b‚â°false ‚áí-der
````

### `while b do: c`, case one

We now tackle the hardest case,
the while loop when the guard evaluates to true.

By calling `‚®ü-lemma-2 ‚Üù*-der`
we obtain `m1` as the length of
the derivation `‚Üù*-der1` showing `c , s ‚Üù* skip , s'' # m1`
and `m2` as the length of
`‚Üù*-der2` showing `while b do: c , s'' ‚Üù* skip , s' # m2`
and a proof `sm1+m2‚â°m` that `suc (m1 + m2) ‚â° m`.

We can then show that `m1 < m` and `m2 < m`,
which allows us to use well-founded induction when calling `go` again
on `‚Üù*-der1`, resp., `‚Üù*-der2`.

The latter inductive calls to `go`
provide us with `‚áí-der1 : c , s ‚áí s''`
and `‚áí-der2 : while b do: c , s'' ‚áí s'`,
from which we can immediately conclude by applying the constructor `‚áí-while-tt`

````
 go (while b do: c) s s' m (one (‚Üù-while-tt b‚â°true) ‚Üù*-der) (acc a)
     with ‚®ü-lemma-2 ‚Üù*-der
 ... | s'' , m1 , m2 , ‚Üù*-der1 , ‚Üù*-der2 , sm1+m2‚â°m
     with go c s s'' m1 ‚Üù*-der1 (a m1 m1<m) |
          go (while b do: c) s'' s' m2 ‚Üù*-der2 (a m2 m2<m)
          where
           m1<m : m1 < m
           m1<m = s‚â§s (‚â§-suc2 (subst (Œª x ‚Üí suc m1 ‚â§ x) sm1+m2‚â°m (‚â§-+-left {suc m1} {m2})))
           m2<m : m2 < m
           m2<m = s‚â§s (subst (m2 ‚â§_) sm1+m2‚â°m (‚â§-+-right {suc m1} {m2}))
 ... | ‚áí-der1 | ‚áí-der2 = ‚áí-while-tt b‚â°true ‚áí-der1 ‚áí-der2
````

This is the only place where we use well-founded induction.

### `while b do: c`, case two

This case is straightforward.

````
 go (while b do: c) s s' m (one (‚Üù-while-ff b‚â°false) ‚Üù*-der) _
     with ‚Üù*-skip ‚Üù*-der
 ... | refl , refl , refl = ‚áí-while-ff b‚â°false
````
