On Coevaluation Behavior and Equivalence

Abstract

Coevaluation, the coinductive interpretation of standard big-step evaluation rules, is a concise form of semantics, with the same number of rules as in evaluation, which intends to simultaneously describe finite and infinite computations. However, it is known that it is only able to express an infinite computations subset, and, to date, it remains unknown exactly what this subset is. More precisely, coevaluation behavior has several unusual features: there are terms for which evaluation is infinite but that do not coevaluate, it is not deterministic in the sense that there are terms which coevaluate to any value v, and there are terms for which evaluation is infinite but that coevaluate to only one value. In this work, we describe the infinite computations subset which is able to be expressed by coevaluation. More importantly, we introduce a coevaluation extension that is well-behaved in the sense that the finite computations coevaluate exactly as in evaluation and the infinite computations coevaluate exactly as in divergence. Consequently, no unusual features are presented; in particular, this extension captures all infinite computations (not only a subset of them). In addition, as a consequence of thiswell-behavior, we present the expected equivalence between (extended) coevaluation and evaluation union divergence.

1. Introduction

Natural semantics, also known as big-step semantics, is a well-known formalism used to specify the semantics of programming languages. However, it is well-known that natural semantics, as originally introduced by Kahn [1], is unable to express non-terminating computations. More precisely, it is unable to distinguish non-terminating programs and those that go wrong; hence, it is not possible to define non-termination as a negative formulation of natural semantics, that is, as the negation of these semantics, except for very simple languages that do not exhibit programs that go wrong. In order to address this issue, Leroy [2], in work further advanced by Leroy and Grall [3], proposed the use of coinduction to describe non-terminating computations in the form of coinductive big-step semantics. Leroy first propounds to specify terminating computations using standard natural semantics, referred to as evaluation (Section 3.2), and non-terminating computations using (a style of) coinductive big-step semantics, referred to as divergence (Section 3.3). Then, he proposes defining both terminating and non-terminating computations using coevaluation; this is a different style of coinductive big-step semantics. Coevaluation is the coinductive interpretation of standard evaluation rules (Section 4.1). Leroy [2] introduced coevaluation as an alternative attempt to describe both kinds of computations, at the same time, in a more concise way. Indeed, in [2], more concise refers to using the same number of rules as those of traditional natural semantics. However, since then, it has become known that coevaluation is not able to describe all infinite computations, but only a subset of them; which subset exactly remains unidentified. Furthermore, coevaluation exhibits a number of unusual features: there exist programs that diverge but do not coevaluate; it is not deterministic in the sense that there are programs that coevaluates to any value v, and there are programs that diverge but coevaluate to only one value.

In this work, we describe the subset of infinite computations that coevaluation is able to express (Section 4); the subset consists of all infinite computations expressed by those evaluation, standard natural semantics, rules such that have the same form of a divergence rule. Thus, at this point, it is clear that coevaluation captures only a non-terminating computations subset; in consequence, we develop a coevaluation extension by adding the remaining divergence rules to it, obtaining in this way a first preliminary coevaluation extension that is able to describe both terminating and non-terminating computations (Section 5.2). However, this preliminary extension does not have the expected behavior because, although all terminating and non-terminating computations are expressed, there are still diverging terms that coevaluate to any value v. For this reason, we offer a (naive) step-index-based coevaluation extension which has the expected behavior (Section 5.3). In other words, we finally achieve a well-behaved coevaluation extension, that is, a coevaluation extension in which finite computations coevaluate exactly as in evaluation, and infinite computations coevaluate exactly as in divergence. Consequently, we present the desired and expected equivalence between coevaluation and the union of evaluation and divergence (Section 6.1) and we show the absence of unusual features in coevaluation (Section 6.2).

1.1. Coevaluation-Based Semantics

Charguéraud [4] introduces pretty-big-step semantics, a form of semantics based on coevaluation. However, in [4], the precise coevaluation behavior appears to remain unidentified. Moreover, in general, pretty-big-step semantics still exhibits unusual and unexpected behavior, namely, the existence of diverging computations that coevaluate to any value v.

In turn, Bach Poulsen and Mosses [5] introduce flag-based big-step semantics based on pretty-big-step semantics. Unfortunately, flag-based big-step semantics suffers from analogous unusual behavior, that is, there still exists infinite computations that coevaluate to any value v. Furthermore, in [5], the original coevaluation behavior is not completely known.

Furthermore, there are works which employ some of these semantics to conduct research; see, for instance, [6]. Hence, it would be particularly useful to further advance these semantics.

1.2. Contributions

Our main contributions are as follows:

• A description of the subset of infinite computations that coevaluation is able to express (Section 4.2 and Section 5.1).
• A well-behaved coevaluation extension, that is, an extension where coevaluation behaves the same as evaluation for finite computations, and where coevaluation behaves the same as divergence for infinite computations (Section 5.3).
• Proof of the expected equivalence between (extended) coevaluation and the union of evaluation with divergence (Section 5.3 and Section 6.1).
• Proof of the non-existence of known unusual features in (extended) coevaluation (Section 6.2).

It is noteworthy that all of our results are accompanied by their corresponding Coq formalization. (During this work, we only present relevant fragments. The complete formalization in Coq can be found in [7]).

This paper is structured as follows: first, in Section 2, we discuss the related work. Then, in Section 3, we recall the evaluation and divergence semantics as exposed by Leroy [2]. In Section 4, we study coevaluation as originally formulated by Leroy [2] and describe its behavior. In Section 5, we provide a preliminary coevaluation extension, and then introduce a well-behaved coevaluation extension. In Section 6, we prove that (extended) coevaluation (that is, our latter coevaluation extension) is, in fact, equivalent to evaluation union divergence; afterwards, we show the absence of known unusual features in (extended) coevaluation. In Section 7, we discuss some consequences and possible future work derived from our well-behaved coevaluation extension development. Finally, in Section 8, we give our conclusions.

2. Related Work

In this section, we begin discussing related semantics (Section 2.1); then, we give an account of the related works from which our well-behaved coevaluation extension took inspiration (Section 2.2). Afterwards, we present a discussion of alternative coinduction mechanisms; specifically, coinduction based on the notion of clocks (Section 2.3). We close this section by discussing step-indexed logical relations (Section 2.4).

2.1. Related Semantics

Cousot and Cousot [8] introduce bi-inductive semantics, a form of semantics capable of describing finite and infinite computations in the intended way; however, these semantics rely on a least fixed point defined in terms of a non-standard order, as indicated by Leroy and Grall [3]. Such a non-standard order does not correspond either to induction or coinduction, as further pointed out by Charguéraud [4]. Currently, Coq only supports natively inductive and coinductive definitions; thus, the problem is how to mechanize bi-inductive semantics in Coq. There does not appear to be a trivial immediate solution; to put it another way, it seems that such an undertaking requires a major effort, if it is indeed possible. On the contrary, at present, as demonstrated in this work (Section 5.3), our well-behaved coevaluation extension, step-indexed coevaluation, is directly mechanizable in Coq (by a native coinductive definition).

Charguéraud [4] presents pretty-big-step semantics, a coevaluation-based form of semantics aimed at addressing the duplication problem presented in big-step semantics. In other words, the main goal of pretty-big-step semantics is to reduce the number of rules and premises in a big-step semantics definition. Notwithstanding, this stimulating form of semantics, in general, requires two definitions, one inductive and one coinductive, for its formalization in Coq. Moreover, unfortunately, similar to the original coevaluation, in general, pretty-big-step semantics suffers from unusual behavior: there are diverging terms which coevaluate to any (possibly finite) value. Hence, in general, pretty-big-step semantics is not well-behaved. In comparison, as illustrated in this development (Section 5.3), our main coevaluation extension, step-indexed coevaluation, requires only one coinductive definition for its formalization in Coq; furthermore, as shown in this work (Section 5.3), step-indexed coevaluation is well-behaved.

Bach Poulsen and Mosses [5] elaborate on pretty-big-semantics, introducing flag-based big-step semantics with the intent to further reduce the rules and premises in a big-step semantics definition. Thus, the scenario is very similar to that of pretty-big-step semantics. It requires two definitions, one inductive and one coinductive, for its mechanization in Coq. In addition, unfortunately, flag-based big-step semantics exhibits analogous unusual behavior to that of pretty-big-step semantics, which, in turn, is present in original coevaluation, namely, there are diverging terms which coevalute to any (finite or infinite) value. Hence, flag-based big-step semantics is not well-behaved.

2.2. Step-Indexed Coevaluation Realization

We make it clear that our well-behaved coevaluation extension (Section 5.3), step-indexed coevaluation, takes inspiration from bi-inductive semantics of Cousot and Cousot [8], and their previous work on bi-inductive definitions [9]. Furthermore, it is influenced by Grall’s “interprétation mixte” [10]. What we were looking for was a mechanism to indicate or “mark” the premises (“prémisses positives” in [10]) or rules (positive rules in [9]) that must be interpreted inductively in a Coq coinductive definition. We found such a mechanism in the form of a step-index. More precisely, at that point, we drew some inspiration from Zúñiga and Bel-Enguix’s fuel-based interpreter [11], the fuel parameter in such an interpreter provides a way to guarantee that the interpreter will eventually terminate in a finite number of steps. Then, in the form of a step-index, we adopted and adapted this technique to the required ($\stackrel{co}{\Rightarrow }$-app) rule of our preliminary semantics (Section 5.2). This is how our well-behaved step-indexed coevaluation was conceived. To sum up, we consider a key finding to be the use of a step-index as a mechanism to simulate the effect of inductive interpretation within the desired rules of a Coq coinductive semantics definition.

2.3. Coinduction Based on Clocks

Coinduction support based on the syntactic guard condition [12], such as that of Coq [13], is too rigid in several domains; for instance, in compiler verification [2,3,4,5,11]. This situation has motivated the development of more advanced mechanisms that account for a more sophisticated and flexible coinduction support; for instance, sized types [14,15,16,17] and copatterns [17,18,19,20].

A more radical approach is to develop a type theory based on the notion of clocks, designed especially to address such an issue in an effective, generalized, robust, and flexible way [21,22,23,24,25,26,27]. This approach ultimately results in the eventually achieved type theory being implemented as a proof assistant [28,29].

This approach was initially motivated, among others, by the work of Atkey and McBride [30], which is based on that of Nakano [31]. In short, Nakano introduced a modal type system for guarded recursion; Atkey and McBride introduced the concept of clock variables in order to index Nakano’s guarded recursion.

Intuitively, the modal operator present in Nakano’s type system, in general, is too strict and rigid to make finite observations of infinite structures; hence, Atkey and McBride introduced clock variables. Clock variables provide the required flexibility to make large enough observations, as required by a specific application domain. A clock variable represents an individual time sequence. Clock variables are interpreted as counters running down to zero in the style of step-indexed models [32]; hence, clock variables can be seen as step-indexes encoded at the type level. They use multiple clocks, where each clock represents a separate time stream, so they provide a multiple-step-indexed model.

According to Atkey and McBride, by quantifying over all counters, we can make all possible finite observations of a infinite structure. Furthermore, a finished infinite time stream is represented by quantifying (universally) over the corresponding clock variable. Additionally, if we take into account each running down counter represented by a clock, then the corresponding universally quantified type provides a means to consider any counter large enough to take any required finite part of the stream. In effect, in [30], clocks are interpreted as natural numbers.

We consider our step-indexed coevaluation to be related to McBride and Atkey’s solution to some degree, but, more strictly, step-indexed coevaluation is not an instantiation of Atkey and McBride’s approach, nor was it conceived as such (see Section 2.2). In what follows, we will attempt to view our solution as an instantiation of that of Atkey and McBride and we discuss why we consider this not to be the case.

Atkey and McBride’s approach is a type system general enough to cover several problem domains, whereas our solution is in the area of the semantics of programming languages, specifically, coevaluation. Intuitively, going from Atkey and McBride’s solution to ours, at first glance, clocks correspond to step-indexes; furthermore, clocks could be lifted from the type level, i.e., Atkey and McBride’s type system, to the term level, i.e., our step-indexed coevaluation. For their part, infinite structures would correspond to infinite evaluations.

At this point, we highlight that, in Atkey and McBride’s solution, all clocks are interpreted as counters running down to zero. In this respect, we consider our solution to be more liberal in the sense that in step-indexed coevaluation, in principle, step indices are indices in general, not necessary counters; we have to construct counters from indices by hand to accomplish inductive interpretation with the desired rules. For instance, for the language used in this work, in step-indexed coevaluation (Section 5.3) we only had to construct one clock required to enforce an inductive interpretation of the ($\stackrel{co}{\Rightarrow }$-app) rule; in other words, this is the only rule where the step-index decreases. It is worth noting that in the rules corresponding to the infinite part of step-indexed coevaluation, in principle, the index is irrelevant; in particular, it is not treated as a (decreasing) counter.

In step-indexed coevaluation, it is relevant to consider a big enough index for the desired finite premises, with such an index being quantified universally; this is similar to Atkey and McBride’s approach, where the corresponding universally quantified type provides a means to consider any counter large enough to take the required finite part, in this context, of a potentially infinite evaluation.

In short, in our solution, step-indexes are not, in general, an instantiation of Atkey and McBride’s clocks. Therefore, we (strictly) consider our solution to not be an instantiation of that of Atkey and McBride, even though they certainly have some similarities.

2.4. Step-Indexed Logical Relations

Step-indexed logical relations [32,33] provide a means to establish program equivalence, with several useful properties; for instance, compositionality (see, for example [34,35]).

A step-indexed logical relation for two programs is usually defined in a similar manner to the following: two programs, $a_1$ and $a_2$, are related at a step-index i if $a_1$ evaluates to some value $v_1$ in k steps with k less than i; then, $a_2$ evaluates to some value $v_2$ in j steps, such that $v_1$ and $v_2$ are related by some equivalence relation.

Intuitively, the indexes in a step-indexed logical relation provide flexibility, such that two programs that evaluate to an equivalent value do not necessarily have to do so in the same number of computation steps. For instance, in compiler verification, a transformation typically takes an intermediate representation as a source language and transforms it into a target language with a lower level of abstraction. It can be challenging to establish semantic preservation because a program in the target lower-level language will usually take more computation steps than the equivalent program in the source language. In this scenario, step-indexed logical relations are proved to be useful [35,36,37,38].

In step-indexed logical relations, the main use of the index is to provide flexibility in the number of steps a program can take to evaluate to some value. The purpose of introducing such flexibility (by using an index) is to establish a relation between programs. Instead, in our solution, the index is used as a mechanism to enforce an inductively interpretation of the desired rules. It is worth noting that our step-indexed coevaluation is neither inspired by nor based on step-indexed logical relations (see Section 2.2).

If we consider the finite part of step-indexed coevaluation only, it can be seen as fuel-based big-step semantics; hence, the index could be reused to work as an index in the style of a step-indexed logical relation. Such an approach is supported by the works of Owens et al. [36,37] and Paraskevopoulou et al. [35,38]. However, in the infinite part of step-indexed coevaluation, in principle, the index is irrelevant; specifically, it is not decreased by any of the rules. Thus, in general, the index in step-indexed coevaluation does not work as an index in the style of an step-indexed logical relation.

3. Preliminaries

In order to explain the coevaluation behavior (Section 4), first, in this part, we recall evaluation and divergence as originally exposed by Leroy [2]. Note that our intention here is only to touch on these semantics briefly. We refer the reader directly to [2,3] for detailed explanation. Previous work lemmas due to Leroy [2], together with their corresponding proofs and Coq codifications, can be found in Appendix A.

3.1. The Language

The language used by Leroy to demonstrate these semantics was the call-by-value lambda calculus extended with constants. Its abstract syntax is the following:

 

For the purposes of this article, we assume, with loose of generality, that constants are natural numbers. In Coq, this abstract syntax is written as follows:

 

In the next sections, we specify the various semantics for this language.

3.2. Natural Semantics

Traditional natural semantics, referred to as evaluation, relates terms to final values. In our language, we define that a term v is a value if it is a constant c or it is an abstraction $\lambda x.b$; we write $v\in \mathtt{Values}$ to denote that v is a value. Equivalently, we can state the values of our language using an “is value” predicate defined inductively as follows:

 

This predicate is written in Coq as follows:

 

Given two terms a and b, and a variable x, assuming that b is closed, $a[x\leftarrow b]$ denotes the capture-avoiding substitution of b for all free occurrences of x in a. Such a substitution has been used by Leroy [2] and Leroy and Grall [3].

Based on Leroy and Grall [39], the definition of this substitution in Coq is as follows:

 

At this point, we highlight that, in general, this substitution can capture variables; however, as pointed out by Leroy [2] and Leroy and Grall [3], it is capture-avoiding if b is closed, and this is sufficient to define evaluation of closed source terms. This way, in the present work, the semantics are defined on closed source terms.

In this regard, as a further observation, the subst function assume that b is closed. This is always the case when weakly reducing closed source terms, as Leroy mentions in [40]. Since we are considering a call-by-value strategy of evaluation (working on closed source terms), which is a weak reduction strategy, then b will always be closed.

The standard natural semantics, referred to as evaluation, stated by the predicate

$$a\Rightarrow v$$

which reads “the term a evaluates to a final value v”, where a is closed, is defined inductively by the following rules:

 

This form of semantics is formalized in Coq by means of an Inductive definition, as follows:

 

We point out that ⇒ for this language is deterministic, Lemma A1.

In the following, we will treat infinite computations.

3.3. Divergence

Leroy successfully introduces a first style of coinductive big-step semantics, divergence, to describe infinite computations under the natural semantics approach.

The coinductive big-step semantics, referred to as divergence, stated by the (coinductive) predicate

$$a\stackrel{\infty }{\Rightarrow }$$

which reads “a diverges”, where the term a is closed, is defined coinductively by the following rules:

 

This form of semantics is encoded in Coq, by means of an CoInductive definition, as follows:

 

It is worth noting that ⇒ and $\stackrel{\infty }{\Rightarrow }$ are mutually exclusive, Lemma A2.

In the next section, we will focus on our main target of study: coevaluation.

4. Coevaluation Behavior

In this part, we study the coevaluation semantics (Section 4.1) and then conduct an analysis of its behavior (Section 4.2).

4.1. Coevaluation

In order to simultaneously describe finite and infinite computations in a more concise way using a single semantics specification, Leroy proposed a second style of coinductive big-step semantics, coevaluation, which consists of coinductively interpreting the same rules as those of evaluation (Section 3.2), namely, using those rules in a coinductive definition instead of an inductive one.

The coinductive big-step semantics, referred to as coevaluation, stated by the (coinductive) predicate

$$a\stackrel{co}{\Rightarrow }v$$

which reads “a coevaluates to v”, where the term a is closed, is defined coinductively by the following rules:

 

Certainly, these semantics are formalized in Coq, by means of an CoInductive, definition as follows:

 

In the forthcoming section, we will analyze the behavior of this form of semantics.

4.2. Behavior

Here, we will inspect the behavior of coevaluation. We begin by examining the results explored by Leroy [2].

First, we recognize that ⇒ is included in $\stackrel{co}{\Rightarrow }$, Lemma A3. Then, in order to note the inclusion of $\stackrel{co}{\Rightarrow }$ in ⇒ union $\stackrel{\infty }{\Rightarrow }$; first, we analyze a lemma that states that if we consider $\stackrel{co}{\Rightarrow }$ after discarding ⇒, the remaining one is $\stackrel{\infty }{\Rightarrow }$, Lemma A4. Accordingly, we move on to the inclusion of $\stackrel{co}{\Rightarrow }$ in ⇒ union $\stackrel{\infty }{\Rightarrow }$, Lemma A5.

At this point, in the quest for inclusion in the other direction, unfortunately, unusual behaviors arise; this means that ⇒ union $\stackrel{\infty }{\Rightarrow }$ is not included in $\stackrel{co}{\Rightarrow }$.

Three kinds of unusual behaviors have already been pointed out by Leroy [2]: there exists terms that diverge but do not coevaluate, there are infinite terms which are not deterministic in the sense that they coevaluate to any value v, and there are terms that diverge but coevaluate to only one value. In what follows, we will expose these unusual behaviors, and during the exposition, we will name (define) some terms which we will then use as examples.

We begin by defining the first example term, used by Leroy [2].

Example 1.

$\delta =\lambda x.xx$.

In Coq, we write:

 

Example 2.

$\omega =\delta \delta$.

Similarly, in Coq:

 

Immediately, we observe that $\omega$ diverge, as expected, Lemma A6. Furthermore, as expected, there is no (finite) evaluation for $\omega$, Lemma A7.

We continue by presenting another example term.

Example 3.

$\alpha =\omega \left(00\right)$.

Its Coq counterpart is the following:

 

Indeed, $\alpha$ diverges (Lemma A8). However, $\alpha$ does not coevaluate to any value v (Lemma A9). We can note here how this is just an example of a term which diverges but does not coevaluate. Hence, using it as a counterexample, we can affirm that $\stackrel{co}{\Rightarrow }$ does not capture all infinite computations but a subset of them. As we will see (Section 5), the reason why the term $\alpha =\omega \left(00\right)$ does not coevaluate is the lack of expressiveness in $\stackrel{co}{\Rightarrow }$ to capture infinite computations of applications for which the left term diverges. This corresponds to the ($\stackrel{\infty }{\Rightarrow }$-app-l) $\stackrel{\infty }{\Rightarrow }$ rule; in effect, if we add an analogous rule to $\stackrel{co}{\Rightarrow }$, then $\omega \left(00\right)$ coevaluates.

We proceed by analyzing another unusual behavior. As we already know (Lemma A6), the term $\omega$ diverges as expected; however, $\omega$ coevaluates to any value v unexpectedly (Lemma A10). This is definitely a major, unusual, unexpected, and undesired behavior. This is an instance of a diverging term for which coevaluation is not deterministic, in the sense that it coevaluates to any value v. We will cover in detail the reason for this behavior in Section 5.

We move forward by presenting another unusual kind of behavior; thus, we define another example term.

Example 4.

$\beta =(\lambda x.0)\omega$.

In Coq:

 

The term $\beta$ diverges (Lemma A11); however, the term $\beta$ coevaluates to 0 and only to 0, Lemma A12. This is an instance of a diverging term that coevaluates only to one value. In this way, we conclude our review of coevaluation and its unusual features.

In the following section, we will construct a coevaluation extension that has the expected desired behavior; in other words, one which is well-behaved and, consequently, does not feature unusual behaviors.

5. Coevaluation Extension

In this part, we develop a well-behaved coevaluation extension. First, as a starting point, we conduct a more in-depth analysis of coevaluation in order to unveil the reasons behind its unexpected and undesired behavior (Section 5.1). Then, we begin to construct a preliminary extension able to express all finite and infinite computations (Section 5.2). Afterwards, we finally reach a well-behaved coevaluation extension (Section 5.3); thus, this extension, in addition to capturing all finite and infinite computations, does not exhibit unusual features.

5.1. Coevaluation Behavior Exposed

We further analyze the behavior of $\stackrel{co}{\Rightarrow }$ in order to expose the reasons for its undesired features. The $\stackrel{co}{\Rightarrow }$ rules (Section 4.1) are reprinted here in order to facilitate exposition.

 

At this point, we know that $\stackrel{co}{\Rightarrow }$ does not express all infinite computations, but a subset of them (see Section 4.2). The ($\stackrel{co}{\Rightarrow }$-app) rule captures the finite computations corresponding to (⇒-app) rule, as expected, but also captures the infinite computations corresponding to the ($\stackrel{\infty }{\Rightarrow }$-app-f) $\stackrel{\infty }{\Rightarrow }$ rule (and only these infinite computations).

This is more evident if we rewrite the divergence semantics $\stackrel{\infty }{\Rightarrow }$ (Section 3.3) using an explicit symbol ⊥ to denote divergence.

 

In Coq, first, we represent the new symbol ⊥ as follows:

 

Then, we write the revisited $\stackrel{\infty }{\Rightarrow }$ semantics in the following manner:

 

We must emphasize that the rules of the revisited $\stackrel{\infty }{\Rightarrow }$ semantics are exactly the same as those of the original $\stackrel{\infty }{\Rightarrow }$ semantics (Section 3.3), the only difference being the use of the explicit symbol ⊥. ( Furthermore, for clarity of exposition, in the ($\stackrel{\infty }{\Rightarrow }$-app-f) rule, we use $v_2$ instead of v). In this way, both $\stackrel{\infty }{\Rightarrow }$ semantics are trivially equivalent.

Lemma 1.

For all of term a, it holds that $a\stackrel{\infty }{\Rightarrow }$ if, and only if, $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof is trivial by coinduction in both directions. □

Such a lemma is echoed in Coq as follows:

 

We write $\stackrel{\infty }{\Rightarrow }$ for both divergence semantics, which are equivalent, and determine the appropriate one based on context.

Having rewritten the $\stackrel{\infty }{\Rightarrow }$ rules, if we compare the ($\stackrel{\infty }{\Rightarrow }$-app-f) rule with the ($\stackrel{co}{\Rightarrow }$-app) rule, unexpectedly, they are “the same”. More precisely, they share the same shape in terms of premises and conclusion, the only difference being v in the ($\stackrel{co}{\Rightarrow }$-app) rule, instead of ⊥ in the ($\stackrel{\infty }{\Rightarrow }$-app-f) rule.

The ($\stackrel{co}{\Rightarrow }$-app) rule captures the same infinite computations as ($\stackrel{\infty }{\Rightarrow }$-app-f), but, instead of coevaluating to a divergent value ⊥, ($\stackrel{co}{\Rightarrow }$-app) coevalutes to any value v. In particular, this explains why there exists diverging terms which coevaluate to any value v (see, for instance, Example 2, Lemmas A6, and A10). Furthermore, it is important to note that there is no other $\stackrel{co}{\Rightarrow }$ rule which coincides with some $\stackrel{\infty }{\Rightarrow }$ rule. This is why $\stackrel{co}{\Rightarrow }$ is unable to capture infinite computations of applications for which the left term diverges corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-l) $\stackrel{\infty }{\Rightarrow }$ rule, and for which the right term diverges corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-r) $\stackrel{\infty }{\Rightarrow }$ rule. Consequently, in order to achieve the expected $\stackrel{co}{\Rightarrow }$ behavior, we must carry out, at least, the following two actions:

• The ($\stackrel{\infty }{\Rightarrow }$-app-l) and ($\stackrel{\infty }{\Rightarrow }$-app-r) analogous $\stackrel{\infty }{\Rightarrow }$ rules must be added to $\stackrel{co}{\Rightarrow }$.
• The ($\stackrel{co}{\Rightarrow }$-app) rule must be split in two: one rule that explicitly captures only finite computations (those corresponding to (⇒-app) ⇒ rule) and one that explicitly captures infinite computations only (those corresponding to the ($\stackrel{\infty }{\Rightarrow }$-app-f) $\stackrel{\infty }{\Rightarrow }$ rule).

In the following section, we will perform these two actions in our preliminary coevaluation extension.

5.2. Preliminary Coevaluation Extension

This part is dedicated to constructing a preliminary coevaluation extension based on the original coevaluation behavior issues identified in our previous discussion (Section 5.1).

First, we must explicitly distinguish finite values from the infinite one. In this way, (finite or infinite) values, in general, $v_g\in \mathtt{FDvalues}$, consist of the set of finite values, $v\in \mathtt{Values}$, union the singleton set of infinite values, $\perp \in \mathtt{Dvalues}$. To ensure consistency with the notation used until now, v represents a finite value and not a (general, finite, or infinite) value which is otherwise represented as $v_g$.

In this way, we obtain the following in Coq:

 

Then, we construct a $\stackrel{co}{\Rightarrow }$ extension by adding two new ($\stackrel{co}{\Rightarrow }$-app-l) and ($\stackrel{co}{\Rightarrow }$-app-r) $\stackrel{co}{\Rightarrow }$ rules (analogous to the ($\stackrel{\infty }{\Rightarrow }$-app-l) and ($\stackrel{\infty }{\Rightarrow }$-app-r) $\stackrel{\infty }{\Rightarrow }$ rules) and splitting the ($\stackrel{co}{\Rightarrow }$-app) rule in two: one for finite computations (which retains the ($\stackrel{co}{\Rightarrow }$-app) name) and another for infinite computations (named ($\stackrel{co}{\Rightarrow }$-app-f) after the ($\stackrel{\infty }{\Rightarrow }$-app-f) analogous $\stackrel{\infty }{\Rightarrow }$ rule).

 

Note that we maintain $\stackrel{co}{\Rightarrow }$ to refer to this (and future) coevaluation extensions; depending on where it appears, we hope it is clear to which one we are referring.

This $\stackrel{co}{\Rightarrow }$ extension is written in Coq as follows:

 

At first glance, this is an encouraging extension in order to achieve the expected $\stackrel{co}{\Rightarrow }$ behavior; notably, this extension is able to express all infinite computations (and not only a subset of them). However, its major drawback is that it retains the unusual and undesirable feature of diverging terms which coevaluate to any value v. In what follows, we conduct an analysis on this extension and its behavior.

We begin by looking for the inclusion that does not hold in original $\stackrel{co}{\Rightarrow }$, namely, the inclusion of ⇒ union $\stackrel{\infty }{\Rightarrow }$ in $\stackrel{co}{\Rightarrow }$.

First, we observe that ⇒ is included in (the expected finite part of) $\stackrel{co}{\Rightarrow }$.

Lemma 2.

If $a\Rightarrow v$, then $a\stackrel{co}{\Rightarrow }v$.

Proof. 

Straightforward induction on the $a\Rightarrow v$ predicate. □

In Coq, this lemma echoes as follows:

 

Correspondingly, $\stackrel{\infty }{\Rightarrow }$ is included in (the expected infinite part of) $\stackrel{co}{\Rightarrow }$.

Lemma 3.

If $a\stackrel{\infty }{\Rightarrow }\perp$, then $a\stackrel{co}{\Rightarrow }\perp$.

Proof. 

The proof proceeds by coinduction. Since in this extension each $\stackrel{\infty }{\Rightarrow }$ rule has a $\stackrel{co}{\Rightarrow }$ counterpart, the proof is simple. In this way, the proof continues by case analysis; whereby each of these cases is solved by using the corresponding matching $\stackrel{co}{\Rightarrow }$ rule and, then, employing Lemma 2 for the ⇒ premises and applying coinduction hypothesis to the corresponding $\stackrel{\infty }{\Rightarrow }$ premise. □

This lemma is written in Coq in the following manner:

 

Hence, we arrive at the desired inclusion of ⇒ union $\stackrel{\infty }{\Rightarrow }$ in $\stackrel{co}{\Rightarrow }$.

Lemma 4.

If $a\Rightarrow v$ or $a\stackrel{\infty }{\Rightarrow }\perp$, then $a\stackrel{co}{\Rightarrow }v$ or $a\stackrel{co}{\Rightarrow }\perp$.

Proof. 

The proof is a direct consequence of Lemmas 2 and 3. □

This lemma is transcribed in Coq as follows:

 

Note that this inclusion also can be stated in a similar manner.

Lemma 5.

If $a\Rightarrow v$ or $a\stackrel{\infty }{\Rightarrow }\perp$, then there exists $v_g$ such that $a\stackrel{co}{\Rightarrow }{v}_g$.

Proof. 

The proof is direct: there exists $v_g=v$ by Lemma 2, or there exists $v_g=\perp$ by Lemma 3. □

In Coq, this lemma echoes as follows:

 

In the opposite direction, following a similar way to that of the original $\stackrel{co}{\Rightarrow }$, we can even prove that $\stackrel{co}{\Rightarrow }$ is included in ⇒ union $\stackrel{\infty }{\Rightarrow }$.

First, we present a lemma, analogous to Lemma A4, which states that if we take (in principle, the expected finite part of) $\stackrel{co}{\Rightarrow }$ after discarding ⇒, what remains is $\stackrel{\infty }{\Rightarrow }$.

Lemma 6.

If $a\stackrel{co}{\Rightarrow }v$ and $(a\Rightarrow v)$, then $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The key point is to observe that only the, in principle, finite part of $\stackrel{co}{\Rightarrow }$ is taken into account; in this way, only the ($\stackrel{co}{\Rightarrow }$-const), ($\stackrel{co}{\Rightarrow }$-fun), and ($\stackrel{co}{\Rightarrow }$-app) rules are considered. In consequence, the proof is analogous to that of Lemma A4. □

This lemma is written in Coq in the following manner:

 

If we analyze this statement, it is unexpected to some degree. If we consider the, in principle, finite part of $\stackrel{co}{\Rightarrow }$ after discarding ⇒, what we expect is a contradiction. To put it another way, we expect the finite part of $\stackrel{co}{\Rightarrow }$ to be equivalent to ⇒. Then, why does this lemma hold? The reason is that, in addition to the finite computations corresponding to the (⇒-app) rule, unfortunately, the ($\stackrel{co}{\Rightarrow }$-app) rule still captures the same infinite computations as the ($\stackrel{co}{\Rightarrow }$-app-f) rule (which are the same as those of the ($\stackrel{\infty }{\Rightarrow }$-app-f) rule). In this manner, similarly to original $\stackrel{co}{\Rightarrow }$, there still exists diverging computations which coevaluate to any value v.

Lemma 7.

It holds that $\omega \stackrel{co}{\Rightarrow }v$ for any term v.

Proof. 

The proof is by coinduction, which is analogous to that of Lemma A10. The key takeaway is that the proof is possible thanks to the use of ($\stackrel{co}{\Rightarrow }$-app) rule. □

This lemma is written in Coq in the following manner:

 

This is definitely an undesired behavior since we want the ($\stackrel{co}{\Rightarrow }$-app) rule to only capture finite computations, and no infinite computations at all, because we expect the infinite computations corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-f) to be captured by the analogous ($\stackrel{co}{\Rightarrow }$-app-f) rule.

Lemma 8.

It holds that $\omega \stackrel{co}{\Rightarrow }\perp$.

Proof. 

The proof is carried out by coinduction. It is analogous to that of Lemma 7 but the key step is the use of ($\stackrel{co}{\Rightarrow }$-app-f) rule instead of the ($\stackrel{co}{\Rightarrow }$-app) rule. □

Such a lemma echoes in Coq as follows:

 

Lemmas 7 and 8 are examples that show that both ($\stackrel{co}{\Rightarrow }$-app) and ($\stackrel{co}{\Rightarrow }$-app-f) capture the same infinite computations. More precisely, the ($\stackrel{co}{\Rightarrow }$-app) rule captures the finite computations corresponding to the (⇒-app) rule as desired, but also captures the infinite computations corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-f) rule, which is not desired. For its part, the ($\stackrel{co}{\Rightarrow }$-app-f) rule captures the infinite computations corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-f) rule (and only them) as desired. In this way, our key contribution is to force the ($\stackrel{co}{\Rightarrow }$-app) rule to capture only finite computations, those corresponding to (⇒-app) rule, and only them (that is, no infinite computations at all). Note that if we succeed in such a work, we would achieve a well-behaved $\stackrel{co}{\Rightarrow }$ extension. This is demonstrated in Section 5.3.

In the rest of this section, we will prove, first, that the expected infinite part of $\stackrel{co}{\Rightarrow }$ is equal to $\stackrel{\infty }{\Rightarrow }$, and, then, that $\stackrel{co}{\Rightarrow }$ is equivalent to ⇒ union $\stackrel{\infty }{\Rightarrow }$.

We begin by observing that the intended finite part of $\stackrel{co}{\Rightarrow }$ is included in ⇒ union $\stackrel{\infty }{\Rightarrow }$.

Lemma 9.

If $a\stackrel{co}{\Rightarrow }v$, then $a\Rightarrow v$ or $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof is a direct consequence of classical reasoning, exclude middle, on $a\Rightarrow v$, and Lemma 6. □

In Coq, this lemma is written as follows:

 

We continue by highlighting that the expected infinite part of $\stackrel{co}{\Rightarrow }$ is included in $\stackrel{\infty }{\Rightarrow }$.

Lemma 10.

If $a\stackrel{co}{\Rightarrow }\perp$, then $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof proceeds by coinduction. Then, it continues by case analysis, consisting of ($\stackrel{co}{\Rightarrow }$-app-f), ($\stackrel{co}{\Rightarrow }$-app-l), and ($\stackrel{co}{\Rightarrow }$-app-r); each one is solved by applying coinduction hypothesis on the corresponding diverging premise and using Lemma 9 for the remaining ones; in addition, employing Lemma 3 when required. □

Such a lemma is transcribed in Coq in the following manner:

 

Thus, the expected infinite part of $\stackrel{co}{\Rightarrow }$ is equivalent to $\stackrel{\infty }{\Rightarrow }$.

Lemma 11.

For all term a, it holds that $a\stackrel{co}{\Rightarrow }\perp$ if, and only if, $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof follows directly by Lemmas 10 and 3. □

This lemma is written in Coq as follows:

 

We continue by exposing the inclusion of $\stackrel{co}{\Rightarrow }$ in ⇒ union $\stackrel{\infty }{\Rightarrow }$.

Lemma 12.

If $a\stackrel{co}{\Rightarrow }v$ or $a\stackrel{co}{\Rightarrow }\perp$, then $a\Rightarrow v$ or $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof is a direct consequence of Lemmas 9 and 10. □

In Coq, such a lemma is written in the following way:

 

Hence, $\stackrel{co}{\Rightarrow }$ is equivalent to ⇒ union $\stackrel{\infty }{\Rightarrow }$.

Theorem 1.

For all term a, for all v value, it holds that $a\stackrel{co}{\Rightarrow }v$ or $a\stackrel{co}{\Rightarrow }\perp$ if, and only if, $a\Rightarrow v$ or $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof follows directly by Lemmas 12 and 4. □

This theorem is represented in Coq as follows:

 

In short, this $\stackrel{co}{\Rightarrow }$ extension has more desired properties than original $\stackrel{co}{\Rightarrow }$; however, it does not have all desired features. Hence, it should be further refined in order to obtain the expected $\stackrel{co}{\Rightarrow }$ behavior. We will carry out this task in the upcoming section.

5.3. Well-Behaved Coevaluation Extension

In this part, we will further enhance our preliminary $\stackrel{co}{\Rightarrow }$ extension (see Section 5.2) in order to achieve one with the expected coevaluation behavior.

The main drawback of our preliminary extension is that ($\stackrel{co}{\Rightarrow }$-app) captures the finite computations corresponding to the (⇒-app) rule as desired but, in addition, captures the infinite computations corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-f) rule, which is completely undesired. This is why in that extension there still exists diverging terms, those corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-f) rule, which coevaluate to any value v. For its part, the ($\stackrel{co}{\Rightarrow }$-app-f) rule captures the same infinite computations corresponding to the ($\stackrel{\infty }{\Rightarrow }$-app-f) rule, and only them, but by this rule such infinite computations coevaluate to ⊥ as desired. Thus, we want the ($\stackrel{co}{\Rightarrow }$-app) rule to capture only the finite computations corresponding to the (⇒-app) rule, and only them. In other words, we do not want any infinite computations to be captured by the ($\stackrel{co}{\Rightarrow }$-app) rule at all.

How can we force the ($\stackrel{co}{\Rightarrow }$-app) rule to capture only finite computations? A naive simple solution is to add an index to $\stackrel{co}{\Rightarrow }$. The central idea is to use the index to ensure that the ($\stackrel{co}{\Rightarrow }$-app) rule can be used only a finitely many number of times. In this way, ($\stackrel{co}{\Rightarrow }$-app) rule will capture only the finite computations associated with the (⇒-app) rule. Notice that due to it is impossible to employ ($\stackrel{co}{\Rightarrow }$-app) rule ad infinitum (namely, in an attempted proof by coinduction because of the decreasing index in the premises), ($\stackrel{co}{\Rightarrow }$-app) will not capture infinite computations at all. Hence, we obtain a step-indexed coevaluation $a\stackrel{co}{\underset{i}{\Rightarrow }}{v}_g$, where the source term a is closed, defined coinductively by the following rules:

 

Thus, $\stackrel{co}{\underset{i}{\Rightarrow }}$ consists of the expected finite part: ($\stackrel{co}{\Rightarrow }$-const), ($\stackrel{co}{\Rightarrow }$-fun), and ($\stackrel{co}{\Rightarrow }$-app) rules, and the expected infinite part: ($\stackrel{co}{\Rightarrow }$-app-f), ($\stackrel{co}{\Rightarrow }$-app-l), and ($\stackrel{co}{\Rightarrow }$-app-r) rules.

This form of semantics is encoded in Coq as follows:

 

Note that the expected finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ can be seen as a fuel-based semantics. Alternatively, in the spirit of big-step semantics, the index can be seen as a step size; hence, if it is big enough then it will coincide with standard big-step semantics (if it is smaller than required, then the computation will not be captured by $\stackrel{co}{\underset{i}{\Rightarrow }}$, meaning that it will not coevaluate to any value v).

Regarding the expected infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$, a priori, the index is irrelevant and can be dropped out; what actually matters in the expected infinite rules is that each premise associated with a finite computation assumes an index big enough to coevaluate to a final value. For instance, premise $a_1\stackrel{co}{\underset{i}{\Rightarrow }}\lambda x.b$ of the ($\stackrel{co}{\Rightarrow }$-app-f) rule assumes an index i big enough to take $a_1$ to the final value $\lambda x.b$; certainly, this premise would correspond to ⇒ premise $a_1\Rightarrow \lambda x.b$ of ($\stackrel{\infty }{\Rightarrow }$-app-f). Similarly, premise $a_2\stackrel{co}{\underset{j}{\Rightarrow }}{v}_2$ assumes an index j big enough to take $a_2$ to final value $v_2$. For its part, note that the index k in the conclusion $a_1{a}_2\stackrel{co}{\underset{k}{\Rightarrow }}\perp$ is irrelevant in the sense that it is not related to any of these finite premises; moreover, it is even unrelated to the infinite premise $b[x\leftarrow v_2]\stackrel{co}{\underset{k}{\Rightarrow }}\perp$, that is to say, this premise could instead be written, for instance, as $b[x\leftarrow v_2]\stackrel{co}{\underset{l}{\Rightarrow }}\perp$ for any index l. We use the same index k in the infinite premise, as well as in the conclusion, for simplicity.

We continue to prove that the expected finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ is equivalent to ⇒ and, then, that the expected infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ is equivalent to $\stackrel{\infty }{\Rightarrow }$.

First, we deal with the equivalence between ⇒ and the expected finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$. We begin by observing that if we already have a big enough index to take a term to a final value by coevaluating it, then any other (equal or) bigger index also lets $\stackrel{co}{\underset{i}{\Rightarrow }}$ carry the term to the same final value.

Lemma 13.

If $i\le j$ and $a\stackrel{co}{\underset{i}{\Rightarrow }}v$, then $a\stackrel{co}{\underset{j}{\Rightarrow }}v$.

Proof. 

The proof proceeds by induction on the index i. The base case when $i=0$, which is composed of the (sub)cases for constants and abstractions, is trivial by ($\stackrel{co}{\Rightarrow }$-const) and ($\stackrel{co}{\Rightarrow }$-fun) rules, respectively, since they work with any index i, in particular with j. The inductive case when $i=\left(Si\right)$ is composed of the (sub)cases for constants, abstractions, and applications. The first two are, again, solved trivially by ($\stackrel{co}{\Rightarrow }$-const) and ($\stackrel{co}{\Rightarrow }$-fun) rules. The interesting case is that of applications solved by ($\stackrel{co}{\Rightarrow }$-app) rule, employing the induction hypothesis on each of the three premises. □

This lemma echoes in Coq as follows:

 

We continue by studying that ⇒ is included in the expected finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$. This means that, if a term evaluates to a final value, then it is necessary for there to exists a big enough index to allow $\stackrel{co}{\underset{i}{\Rightarrow }}$ to take the term to the same final value.

Lemma 14.

If $a\Rightarrow v$, then there exists i, such that $a\stackrel{co}{\underset{i}{\Rightarrow }}v$.

Proof. 

The proof is conducted by induction on the $a\Rightarrow v$ predicate. The key step is to exhibit a big enough index for each case. The base cases for constants and abstractions are trivial by exhibiting any index i, for instance $i=0$, and using ($\stackrel{co}{\Rightarrow }$-const) and ($\stackrel{co}{\Rightarrow }$-fun) rules, respectively. The inductive case for applications is carried out by exhibiting the maximum of the indices i, j, and k, that is $max\left(ijk\right)$, as a big enough index; where each of these three indices corresponds, respectively, to the index which exists by induction hypothesis on each of three premises of rule (⇒-app). Thus, the proof continues by using the ($\stackrel{co}{\Rightarrow }$-app) rule and, then, by applying the induction hypothesis followed by Lemma 13 (to use $max\left(ijk\right)$ as index) to each of the three premises. □

This lemma is represented in Coq in the following manner:

 

Conversely, if there exists a big enough index to take a term to a final value by coevaluating it, then the term evaluates to the same final value. That is, the expected finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ is included in ⇒.

Lemma 15.

If there exists i, such that $a\stackrel{co}{\underset{i}{\Rightarrow }}v$, then $a\Rightarrow v$.

Proof. 

The proof is by straightforward induction on the index i. The base case is when $i=0$ comprises the (sub)cases for constants and abstractions; such cases are trivial by (⇒-const) and (⇒-fun) rules, respectively. The inductive case is when $i=\left(Si\right)$ is composed of the (sub)cases for constants, abstractions, and applications; the first two are, again, solved trivially by (⇒-const) and (⇒-fun) rules, respectively. The interesting case is that for applications, which follows by (⇒-app) rule and applying induction hypothesis to each of the three premises. □

This lemma is written in Coq in the following manner:

 

It is worth noting that this lemma can also be expressed in this manner.

Lemma 16.

If $a\stackrel{co}{\underset{i}{\Rightarrow }}v$, then $a\Rightarrow v$.

Proof. 

The proof is a direct consequence of Lemma 15; certainly, considering i as the index that exists. □

This can be echoed in Coq as follows:

 

In this way, ⇒ is equivalent to the expected finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$.

Lemma 17.

For all term a, for all value v, it holds that $a\Rightarrow v$ if, and only if, there exists i, such that $a\stackrel{co}{\underset{i}{\Rightarrow }}v$.

Proof. 

The proof follows directly by Lemmas 14 and 15. □

This lemma is transcribed in this Coq representation:

 

We examine the equivalence between $\stackrel{\infty }{\Rightarrow }$ and the expected infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$. First, we study the inclusion of the former in the latter.

Lemma 18.

If $a\stackrel{\infty }{\Rightarrow }\perp$, then $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$.

Proof. 

The proof proceeds by coinduction. Then, it continues by case analysis on the $a\stackrel{\infty }{\Rightarrow }\perp$ predicate. Thus, there is one case for each $\stackrel{\infty }{\Rightarrow }$ rule. Each case is solved by using its corresponding $\stackrel{co}{\underset{i}{\Rightarrow }}$ rule counterpart, employing Lemma 14 on the finite premises (if any) and applying the coinduction hypothesis to the infinite one. □

This lemma is written in Coq as follows:

 

In the converse direction, the expected infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ is included in $\stackrel{\infty }{\Rightarrow }$.

Lemma 19.

If $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$, then $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof is analogous to that of Lemma 18, but going in the opposite direction. It is carried out by coinduction. Then, it continues by case analysis on the $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$ predicate. Hence, there is one case for each of the ($\stackrel{co}{\Rightarrow }$-app-f), ($\stackrel{co}{\Rightarrow }$-app-l), and ($\stackrel{co}{\Rightarrow }$-app-r) $\stackrel{co}{\underset{i}{\Rightarrow }}$ rules. Thus, each case is solved by using its corresponding $\stackrel{\infty }{\Rightarrow }$ rule counterpart, employing Lemma 15 on the finite premises and resorting to the coinduction hypothesis for the infinite one. □

The encoding of this lemma in Coq is as follows:

 

Hence, $\stackrel{\infty }{\Rightarrow }$ is equal to the expected infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$.

Lemma 20.

For all index k, for all term a, it holds that $a\stackrel{\infty }{\Rightarrow }\perp$ if, and only if, $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$.

Proof. 

The proof is a direct consequence of Lemmas 18 and 19. □

Such a lemma is written in Coq in this manner:

 

Since $\stackrel{co}{\underset{i}{\Rightarrow }}$ behaves identically to ⇒ for finite computations, Lemma 17, and $\stackrel{co}{\underset{i}{\Rightarrow }}$ behaves identically to $\stackrel{\infty }{\Rightarrow }$ for infinite computations, Lemma 20; this $\stackrel{co}{\underset{i}{\Rightarrow }}$ extension is well-behaved.

As a consequence, $\stackrel{co}{\underset{i}{\Rightarrow }}$ is equal to ⇒ union $\stackrel{\infty }{\Rightarrow }$.

Theorem 2.

There exists i, such that $a\stackrel{co}{\underset{i}{\Rightarrow }}v$ or $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$ if, and only if, $a\Rightarrow v$ or $a\stackrel{\infty }{\Rightarrow }\perp$.

Proof. 

The proof follows by Lemmas 17 and 20. □

This theorem is formalized in Coq as follows:

 

Note that $\stackrel{co}{\underset{i}{\Rightarrow }}$ captures all finite and infinite computations since it is equivalent to ⇒ union $\stackrel{\infty }{\Rightarrow }$. More precisely, there is a finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ equivalent to ⇒, which captures all finite computations (Lemma 17), and there is an infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ equivalent to $\stackrel{\infty }{\Rightarrow }$, which captures all infinite computations (Lemma 20).

In fact, the finite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ is deterministic.

Lemma 21.

If $a\stackrel{co}{\underset{i}{\Rightarrow }}{v}_1$ and $a\stackrel{co}{\underset{j}{\Rightarrow }}{v}_2$, then $v_1=v_2$.

Proof. 

The proof begins by employing Lemma 16 on the first premise, and then on the second one. Consequently, the proof concludes by Lemma A1. (Instead of the previous proof, a direct one is possible by induction on the index i). □

This lemma is represented in Coq in this manner:

 

Note that indices i and j can be distinct (or equal); what is relevant here is that we are assuming they both are big enough to take a to a final finite value by coevaluation.

For its part, the infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ is deterministic in the sense that if a term coevaluates to the infinite value ⊥ for an index k, then it also coevaluates to the infinite value ⊥ for any index l.

Lemma 22.

If $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$, then $a\stackrel{co}{\underset{l}{\Rightarrow }}\perp$.

Proof. 

The proof proceeds by coinduction; thus, we have $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$ as the coinduction hypothesis. Then, the proof continues by case analysis; consequently, there are three cases corresponding to each one of the infinite part of $\stackrel{co}{\underset{i}{\Rightarrow }}$ rules: ($\stackrel{co}{\Rightarrow }$-app-f), ($\stackrel{co}{\Rightarrow }$-app-l), and ($\stackrel{co}{\Rightarrow }$-app-r). Each case is solved by using the rule that mimics that of the hypothesis; the required finite premises follow trivially by those of the hypothesis, and the infinite premise follows by coinduction hypothesis. □

This lemma echoes in Coq as shown below:

 

Furthermore, it cannot be the case that, if a term coevaluates to the infinite value ⊥ for an index k, then it coevaluates to a finite value v for some other index i (possibly equal to k), and vice versa; it cannot be the case that, if a term coevaluates to a finite value v for an index i, then it coevaluates to the infinite value ⊥ for some other index k (possibly equal to i). That is to say, we remark that the finite and infinite parts of $\stackrel{co}{\underset{i}{\Rightarrow }}$ are mutually exclusive.

Lemma 23.

Given the $\stackrel{co}{\underset{i}{\Rightarrow }}$ semantics, the finite $a\stackrel{co}{\underset{i}{\Rightarrow }}v$ and infinite $a\stackrel{co}{\underset{k}{\Rightarrow }}\perp$ parts of such semantics are mutually exclusive.

Proof. 

The result follows by using Lemma 16 on the first premise, Lemma 19 followed by Lemma 1 on the second one, and then by Lemma A2. (Alternatively, a direct proof can be carried out by induction on the index i, using Lemma 21 when required.) □

This lemma echoes in Coq as follows:

 

Specifically, this means that there is no $\stackrel{co}{\underset{i}{\Rightarrow }}$ rule which captures both finite and infinite computations. Thus, in particular, we do not have the problem exposed in our preliminary $\stackrel{co}{\Rightarrow }$ extension (Section 5.2) anymore; namely, the ($\stackrel{co}{\Rightarrow }$-app) $\stackrel{co}{\Rightarrow }$ rule capturing finite computations, corresponding to (⇒-app) ⇒ rule, and capturing infinite computations, corresponding to ($\stackrel{\infty }{\Rightarrow }$-app-f) $\stackrel{\infty }{\Rightarrow }$ rule. Here, the ($\stackrel{co}{\Rightarrow }$-app) rule only captures the finite computations corresponding to the (⇒-app) ⇒ rule (and only them), as expected. We highlight that this is a consequence of the well-behavior of $\stackrel{co}{\underset{i}{\Rightarrow }}$ (in other words, this is due to $\stackrel{co}{\underset{i}{\Rightarrow }}$ being well-behaved).

Once a well-behaved coevaluation extension is realized, in the following section, we will show that this extension has, specifically, the central properties of the expected coevaluation behavior which we have identified and analyzed in this work; that is to say, we will present the expected coevaluation equivalence with evaluation union divergence, as a slight variant of Theorem 2, and we will show the absence of identified unusual features in this coevaluation extension.

6. Expected Coevaluation Behavior

We have studied that our step-indexed coevaluation extension is well-behaved (Section 5.3). This section is dedicated to highlighting, in brief, that it has the properties of the expected coevaluation behavior which we consider key; namely, we will show that this extension is equivalent to evaluation union divergence (Section 6.1), and we will demonstrate the non-existence of known unusual features in it (Section 6.2).

6.1. Expected Coevaluation Equivalence

We have already analyzed that $\stackrel{co}{\underset{i}{\Rightarrow }}$ is equivalent to ⇒ union $\stackrel{\infty }{\Rightarrow }$ (Theorem 2). Here, our intention is to present this claim in a more direct form.

Theorem 3.

There exists i, such that $a\stackrel{co}{\underset{i}{\Rightarrow }}{v}_g$ if, and only if, $a\Rightarrow v$ (when $v_g=v$) or $a\stackrel{\infty }{\Rightarrow }$ (when $v_g=\perp$).

Proof. 

The proof is a direct consequence of Lemmas 17 and 20. (In addition, Lemma 1 is employed when required). □

This theorem is written in Coq as follows:

 

In short, with regard to finite computations, assuming the existence of a big enough index, if a term coevaluates to a finite value v, it is therefore necessary for it to evaluate to the same finite value v, and vice versa; that is to say, if a term evaluates to a finite value v, there exists a big enough index such that it is necessary for it to coevaluate to the same finite value v.

For its part, regarding infinite computations, if a term coevaluates to the infinite value ⊥ for some index, it is thus necessary for it to diverge; in the opposite direction, if a term diverges, there is thus an index such that it is necessary for it to coevaluate to the (same singleton) infinite value ⊥.

6.2. Expected Non-Existence of Unusual Features of Coevaluation

Since step-indexed coevaluation is well-behaved (Section 5.3), it is not possible for it to present any unusual feature. In this part, for clarity of exposition, we consider it relevant to show specifically that step-indexed coevaluation does not have the known unusual features pointed out by Leroy [2], which we have exposed in this work (Section 4.2). In what follows, we will revisit each one of these unusual features, this time showing that our step-indexed coevaluation extension does not feature any of them.

Leroy [2] identified three unusual features: there are terms that diverge but do not coevaluate, there are infinite terms which are not deterministic in the sense they coevaluate to any value v, and there are terms that diverge but coevaluate to only one value.

Briefly, we recall our example terms: $\delta =\lambda x.xx$,  $\omega =\delta \delta$,   $\alpha =\omega \left(00\right)$, and  $\beta =(\lambda x.0)\omega$.

We begin by observing that in $\stackrel{co}{\underset{i}{\Rightarrow }}$, the term $\omega$ coevaluates to the singleton infinite value ⊥, as desired.

Lemma 24.

For all index i, it holds that $\omega \stackrel{co}{\underset{i}{\Rightarrow }}\perp$.

Proof. 

By Lemma 18, Lemma 1, and then by Lemma A6. Alternatively, a direct proof is carried out by coinduction; then, the ($\stackrel{co}{\Rightarrow }$-app-f) rule is used, employing the ($\stackrel{co}{\Rightarrow }$-fun) rule on the first and second finite premises and applying the coinduction hypothesis for the third infinite premise. □

In Coq, this lemma is written in the following way:

 

Contrary to original $\stackrel{co}{\Rightarrow }$ in which $\alpha$ does not coevaluate to any value at all (Lemma A9), in our $\stackrel{co}{\underset{i}{\Rightarrow }}$, the term $\alpha$ coevaluates to the singleton infinite value ⊥, as desired.

Lemma 25.

For all index i, it holds that $\alpha \stackrel{co}{\underset{i}{\Rightarrow }}\perp$.

Proof. 

By Lemma 18, Lemma 1, and then by Lemma A8. Alternatively, a direct proof is carried out by ($\stackrel{co}{\Rightarrow }$-app-l) rule, and then by Lemma 24. □

Such a lemma echoes in Coq as follows:

 

Let us recall that in the original $\stackrel{co}{\Rightarrow }$, the term $\alpha$ is an instance of a term that diverges but does not coevaluate (Lemma A9); hence, using it as a counterexample, the original $\stackrel{co}{\Rightarrow }$ does not capture all infinite computations but a (proper) subset of them. Instead, in our $\stackrel{co}{\underset{i}{\Rightarrow }}$, the term $\alpha$ coevaluates, Lemma 25; moreover, $\stackrel{co}{\underset{i}{\Rightarrow }}$ captures all infinite computations (Lemma 18), as expected. Hence, our $\stackrel{co}{\underset{i}{\Rightarrow }}$ does not suffer from this unusual feature.

We continue by analyzing a key unusual feature. In addition to the fact that in $\stackrel{co}{\underset{i}{\Rightarrow }}$ the term $\omega$ coevalutes to ⊥ (Lemma 24), we observe that $\omega$ does not coevaluate to any finite value v.

Lemma 26.

The predicate $\omega \stackrel{co}{\underset{i}{\Rightarrow }}v$ is false for all finite values v.

Proof. 

By Lemma 16 and then by Lemma A7. Alternatively, a direct proof is conducted by induction on the index i. Yet another alternative proof is a direct consequence of Lemma 24 followed by Lemma 23. □

Such a lemma echoes in Coq in the following manner:

 

We keep in mind that, in the original $\stackrel{co}{\Rightarrow }$, the term $\omega$ coevaluates to any value, Lemma A10, as unexpected. On the contrary, we highlight that in $\stackrel{co}{\underset{i}{\Rightarrow }}$ the term $\omega$ coevaluates to the singleton infinite value ⊥ (Lemma 24), and only to it (since $\omega$ does not coevaluate to any finite value v, Lemma 26) as expected.

In the original $\stackrel{co}{\Rightarrow }$, this represents an instance of a diverging term which is not deterministic in the sense that it coevaluates to any value (Lemma A10), which is completely undesired. Instead, in $\stackrel{co}{\underset{i}{\Rightarrow }}$, all diverging terms coevaluate to the singleton infinite value ⊥ (Lemma 18), and only to it, since if a term coevaluates to the infinite value ⊥ then it does not coevaluate to any finite value v (and vice versa); that is to say, the finite and infinite parts of $\stackrel{co}{\underset{i}{\Rightarrow }}$ are mutually exclusive (Lemma 23). This is the behavior both desired and expected. Hence, our $\stackrel{co}{\underset{i}{\Rightarrow }}$ does not suffer from this key unusual feature.

We go on the third and final unusual feature of our analysis. In comparison to the original $\stackrel{co}{\Rightarrow }$, where $\beta$ coevalutes to only one value 0 (Lemma A12), which is undesired, we point out that in $\stackrel{co}{\underset{i}{\Rightarrow }}$, the term $\beta$ coevaluates to the singleton infinite value ⊥, as desired.

Lemma 27.

For all index i, it holds that $\beta \stackrel{co}{\underset{i}{\Rightarrow }}\perp$.

Proof. 

By Lemmas 18, 1 and A11. As an alternative, a direct proof is carried out by ($\stackrel{co}{\Rightarrow }$-app-r) rule, using the ($\stackrel{co}{\Rightarrow }$-app-fun) rule on the first finite premise, and employing Lemma 24 on the second infinite premise. □

This lemma is represented in Coq in the following manner:

 

In the original $\stackrel{co}{\Rightarrow }$, this is an example of a term that diverges but coevaluates to only one (undesired) value (Lemma A12), which is unexpected. Instead, in $\stackrel{co}{\underset{i}{\Rightarrow }}$, all infinite computations coevaluate to the singleton infinite (desired) value ⊥ (Lemma 18), and only to it, as we already discussed in the analysis of the previous unusual feature (Lemma 23), as expected. Thus, our $\stackrel{co}{\underset{i}{\Rightarrow }}$ is not affected by this unusual feature.

This way, our $\stackrel{co}{\underset{i}{\Rightarrow }}$ does not have any of the three unusual features pointed out by Leroy.

In sum, contrary to the original $\stackrel{co}{\Rightarrow }$, where the expected $\stackrel{co}{\Rightarrow }$ equivalence with ⇒ union $\stackrel{\infty }{\Rightarrow }$ does not hold and where $\stackrel{co}{\Rightarrow }$ presents several unusual behaviors, $\stackrel{co}{\underset{i}{\Rightarrow }}$ is equivalent to ⇒ union $\stackrel{\infty }{\Rightarrow }$, and does not feature any of these unusual behaviors.

In the forthcoming section, in particular, we will discuss the potential impact, implications, and consequences of our step-indexed coevaluation semantics in related coevaluation-based semantics and vice versa; in addition, we explore possible directions for future work.

7. Discussion

This section is devoted to discuss our work, in addition to possible future works, from different perspectives. First, we deal with related semantics; specifically, pretty-big-step and flag-based-big-step semantics (Section 7.1). Then, we tackle compiler verification (Section 7.2). Afterwards, we consider some implications and limitations of our step-indexed coevaluation (Section 7.3). Finally, we consider our work as an extension of that of Leroy and coworkers (Section 7.4).

7.1. Related Coevaluation-Based Semantics

We recall that pretty-big-step semantics is a coevaluation-based semantics (Section 1.1 and Section 2.1). Unfortunately, pretty-big-step semantics suffers from an analogous unusual behavior to that of coevaluation; namely, there are diverging terms that coevaluate to any (possible finite) value. Hence, in general, it is not well-behaved. In addition, in general, pretty-big-step semantics requires two definitions, one inductive and one coinductive, for Coq formalization.

It is very fortunate that, at first glance, pretty-big-step semantics and our step-indexed coevaluation semantics can benefit from each other. In the step-indexed to pretty-big-step direction, we conjecture that, in a similar way, we can conduct an analysis on the original coevaluation semantics to turn it into a well-behaved one with the use of an index. We can carry out an analysis on pretty-big-step semantics to make it well-behaved by adopting and adapting the use of an index as in step-indexed coevaluation; note that, as a consequence, it could need only one coinductive definition for its formalization in Coq. In the pretty-big-step to step-indexed direction, we believe that by adopting and adapting the techniques developed by Charguéraud, we can turn step-indexed coevaluation into concise semantics. This potentially fruitful synergy of ideas will be explored in future work.

Let us recall that, in turn, flag-based big-step semantics is based on pretty-big-step semantics (Section 1.1 and Section 2.1); unfortunately, the former inherits analogous problems to those we have described for the latter. In this way, the discussion of potential mutual benefit between pretty-big-step semantics and step-indexed coevaluation, in addition to fruitful synergy of efforts, also applies for flag-based big-step semantics.

7.2. Compiler Verification

We discuss the possible use of step-indexed coevaluation for compiler verification.

Coinductive big-step semantics, as shown in [2,3] and further developed in [11], has been successfully used to conduct compiler verification, that is, evaluation for semantic preservation of terminating computations, and divergence for semantic preservation of non-terminating computations. However, this useful approach requires two semantics, namely, evaluation and divergence. We conjecture that we can conduct compiler verification using only one semantics, namely, step-indexed coevaluation. This insight is based on the observation that, on one hand, the proofs conducted by induction on evaluation (see for instance, Lemmas A1, A2 and A7) can be conducted by induction on the index in the analogous finite part of step-indexed coevaluation (Lemmas 21, 23, and 26), and on the other hand, the proofs carried out by coinduction on divergence (see for instance, Lemmas A6 and A8) can be carried out by coinduction on the analogous infinite part of step-indexed coevaluation (Lemmas 24 and 25). Likewise, we believe that it is possible to state and prove the correctness theorem for terminating computations, by means of the finite part of step-indexed coevaluation, and for non-terminating computations, by means of the infinite part of step-indexed coevaluation. This early insight will be further investigated as future work.

7.3. Implications and Limitations

We proceed to discuss some implications and limitations of our step-indexed coevaluation semantics.

With regard to the use of the index as a mechanism to indicate what premises or rules must be inductively interpreted in a coinductive semantics definition, it appears to be very general; a priori, it does not seem to be a limitation in this respect. Note that the use of the index as such a mechanism allows inductive and coinductive interpretations to be mixed in an intuitive, easy, and immediate way, specifically, using only a single coinductive definition in Coq. Even, perhaps, this technique can also be applied to other problems that require mixing induction and coinduction in Coq, not only in the definition of programming languages semantics, this could be explored as future work.

In theory, one of the implications of step-indexed coevaluation is that we expect the wired fixed point necessary to obtain the non-standard interpretation of the bi-inductive semantics rules to be equivalent to the standard fixed point corresponding to coinduction, extended with the use of the index to indicate that the selected premises or rules to be interpreted inductively only. This represents an advantage for proof assistants with limited coinduction support; specifically, those with a syntactic guardedness check, such as Coq. Since, in this way, we would have an easy, intuitive, and immediate solution to obtain the necessary mixture of induction and coinduction to carry out the mechanization of the semantics.

Step-indexed coevaluation advances big-step semantics in the sense that, to our knowledge, it is the first semantics capable of expressing finite and infinite computations, in the intended way, which is mechanizable in Coq (by using a single coinductive definition).

Charguéraud [4] argues in favor of big-step semantics as a more realistic formalism to be adopted for the formal specification of programming languages; in this context, in principle, step-indexed coevaluation implies that (finite and infinite computations of) programming languages could be specified with a single big-step semantics definition. Additionally, step-indexed coevaluation implies that we could potentially carry out compiler verification for finite and infinite computations with a single big-step semantics definition (see Section 7.2).

An aspect of key relevance, especially for research, is the existence of big-step semantics capable of describing finite and infinite computations of programming languages, and that is well-behaved and mechanizable in Coq. Until now, it was unknown if this was possible; thus, step-indexed coevaluation, in particular, implies that work following this specific line of research could progress in the future. We consider the next important research step in this vein to be turning step-indexed coevaluation into a concise semantics.

Regarding conciseness, it should be noted that, in comparison to evaluation and divergence as two separate semantics where no potential (or perhaps very little) for factorization is available, step-indexed coevaluation is, a priori, an ideal candidate for factorization. Step-indexed coevaluation includes analogous rules to those of evaluation union divergence. The key aspect is that these rules are together in a single definition and are similar (for instance, some of them have very similar premises); hence, step-indexed coevaluation rules are potentially a target for factorization. In other words, step-indexed coevaluation has the potential to be concise.

If a concise step-indexed semantics were achieved, then, in particular, a concise formal specification (of finite and infinite computations) of programming languages would be made possible. In relation to compiler verification, Leroy and Grall [3] report that the addition of divergence rules increases the size of the semantics by 40% in CompCert C [41,42,43,44,45]. Assuming that step-indexed coevaluation serves to carry out this task, a concise step-indexed big-step semantics would reduce this increase and, as a consequence, would reduce the compiler verification effort.

7.4. Extension of Leroy’s Work

We discuss our work as an extension of that of Leroy and his collaborators [2,3,41,42,43,44,45].

In [46], Leroy shows that, he and his collaborators originally employ traditional big-step semantics, also known as evaluation, to account for finite computations, especially in the high- to mid-level intermediate languages of CompCert C. Then, in a second generation, they added divergence rules to cover infinite computations as well; as mentioned before (Section 7.3), due to the addition of these rules, Leroy and Grall [3] report an increase of 40% in the size of the semantics. At this point, it seems that Leroy was looking for a concise big-step semantics specification to reduce the increase due to the addition of divergence rules; this fact is supported by his coevaluation attempt [2]. However, since then, coevaluation behavior has not been completely understood in a satisfactory manner; Leroy and his collaborators resorted to using small-step semantics with continuations in a third generation of CompCert C, as exposed by Leroy in [46].

In this context, our work can be seen as a step towards what Leroy was seeking as a continuation for CompCert C second generation. The next natural step is to turn step-indexed coevaluation into a concise semantics. Currently, it is known that big-step semantics is easy and convenient for compiler correctness proofs [2,3,4,5,11,35,36,37,38,47] and for efficient interpreters [5,40]. The present work, in particular, opens the possibility to continue the research line of CompCert C in the big-step semantics setting.

Having considered our work from various points of view, in the upcoming section, we close our study by offering our conclusions.

8. Conclusions

Leroy, using traditional big-step semantics, originally only dealt with finite computations in the CompCert C verified compiler. Motivated by the desire to cover non-terminating programs, based on the work of Cousot and Cousot [9], he successfully introduced divergence, a form of semantics that accounts for infinite computations. Then, in an attempt to cover finite and infinite computations simultaneously, in a concise manner, using a single semantics definition, he introduced coevaluation. Unfortunately, coevaluation, as originally introduced by Leroy, is not well-behaved; perhaps in part due to this situation, it appears that, a possible effort to achieve a single big-step semantics capable of expressing finite and infinite computations for CompCert C was abandoned. Instead, Leroy [46] reports moving to small-step semantics in the next generations of this verified compiler. Leroy [2] and Leroy and Grall [3] claim that big-step semantics is easier and more convenient than small-step semantics for compiler verification. At present, this claim is supported by several works (see, for instance, [2,3,4,5,11,35,36,37,38,47,48]).

In this work, we introduce step-indexed coevaluation, a well-behaved big-step semantics capable of expressing finite and infinite computations in a single definition. Consequently, the exploration of Leroy’s idea of having a single concise big-step semantics accounting for finite and infinite computations in the intended way for CompCert C can be resumed. The next natural step towards this end is to turn step-indexed coevaluation semantics into a concise semantics.

One of the advantages of the development of step-indexed coevaluation is that it opens the possibility to reach a concise formal specification for programming languages; indeed, if, in future work, step-indexed coevaluation is transformed into a concise semantics, then it could be used as a formalism for this purpose.

In short, Leroy introduces coevaluation with the goal of describing finite and infinite computations in a concise way; however, since its introduction, it has become known that coevaluation is not well-behaved. In this work, as a main achievement, we present step-indexed coevaluation, which, to the best of our knowledge, is the first coevaluation-based semantics to be well-behaved. Although, certainly, not in the manner he originally hoped for, namely, coinductively interpreting the standard big-step evaluation rules, it only remains, as possible future work, to turn step-indexed coevaluation into a concise semantics to finally reach the original goal pursued by Leroy.