# Resumptions, Weak Bisimilarity and Big-Step Semantics for While with Interactive I/O: An Exercise in Mixed Induction-Coinduction

Keiko Nakata and Tarmo Uustalu
Institute of Cybernetics at Tallinn University of Technology, Akadeemia tee 21, EE-12618 Tallinn, Estonia
{keiko|tarmo}@cs.ioc.ee
###### Abstract

We look at the operational semantics of languages with interactive I/O through the glasses of constructive type theory. Following on from our earlier work on coinductive trace-based semantics for While [17], we define several big-step semantics for While with interactive I/O, based on resumptions and termination-sensitive weak bisimilarity. These require nesting inductive definitions in coinductive definitions, which is interesting both mathematically and from the point-of-view of implementation in a proof assistant.

After first defining a basic semantics of statements in terms of resumptions with explicit internal actions (delays), we introduce a semantics in terms of delay-free resumptions that essentially removes finite sequences of delays on the fly from those resumptions that are responsive. Finally, we also look at a semantics in terms of delay-free resumptions supplemented with a silent divergence option. This semantics hinges on decisions between convergence and divergence and is only equivalent to the basic one classically. We have fully formalized our development in Coq.

L. Aceto, P. Sobociński (Eds.): Seventh Workshop on Structural Operational Semantics 2010 (SOS ’10), EPTCS 32, 2010, doi:10.4204/EPTCS.32.5


## 1 Introduction

Interactive programs are those programs that take inputs, do some computation, output results, and iterate this cycle, possibly infinitely. Operating systems and database systems are typical examples. They are important programs and have attracted formal study to guarantee their correctness and safety. For instance, a web application should protect the confidentiality of the data it processes in interaction with possibly untrusted agents, and a certified compiler should preserve the input/output behavior of the source program in the compiled code. Such work calls for formal semantics of interactive programs.

Continuing our previous work [17] on a trace-based coinductive big-step semantics for potentially nonterminating programs, we present a constructive account of interactive input-output resumptions (the word ‘resumption’ is sometimes reserved for denotations of parallel threads; we apply it more liberally to data structures recording evolution in small steps, a usage that dates back to Plotkin [20] and was reinforced by Cenciarelli and Moggi [5]), their important properties, such as weak bisimilarity and responsiveness (a program always eventually performs input or output unless it terminates), and big-step semantics of reactive programs. We devise both constructive-style and classical-style concepts and identify their relationships. Classical-style concepts rely on upfront decisions of whether a computation is going to terminate, make an observable action, i.e., perform input or output, or silently diverge. This problem is in general undecidable. Hence, classical-style concepts tend to be too strong for constructive reasoning.

Our operational semantics are resumption-based. A resumption is roughly a tree representing the possible runs of a program. The tree branches on inputs, with one edge for each possible input, and has infinitely deep paths if the program may diverge. We begin the paper by formalizing important properties of resumptions, among which (termination-sensitive) weak bisimilarity is the most interesting one technically, requiring nesting of induction into coinduction. We give a constructive-style formulation of weak bisimilarity and relate it to the classical-style version adapted from previous work [13, 3]. We then present three big-step semantics for interactive While, i.e., While extended with input/output statements: a basic semantics which explicitly deals with internal actions (delay steps) and assigns a resumption to all configurations (statement-state pairs); a delay-free semantics for responsive configurations; and a classical-style semantics, which is total classically for all configurations. The latter two semantics collapse finite sequences of delay steps on the fly. The classical-style semantics can in addition recognize silent divergence; classical-style resumptions include a distinguished element to represent divergence. Moreover, all three semantics are equivalent under suitable assumptions. Our approach with big-step semantics in terms of resumptions allows for reasoning about operational behaviors of programs in a syntax-independent way. We therefore argue that it is more abstract than approaches by means of small-step semantics, or labelled transition systems (in terms of configurations involving a residual program or a control point). To compare our big-step semantics to more traditional approaches, we also define an uncontroversial small-step semantics with an associated notion of weak bisimilarity of configurations and show that it agrees with our basic big-step semantics. These technical results form the main contributions of the paper.

Why do we want to be constructive? First, let us state that our choice neither is motivated by nor depends on any argument of truth: we are not claiming in this paper that classical logic is less true than intuitionistic logic, and none of the points we make hinge on this being the case. Nevertheless, we do think that working in a constructive logic is very useful also if one has no philosophical problem in accepting non-constructive arguments. Our reasons are these. For us, using constructive logic is primarily a technical way to be conscious about the principles we depend on in our arguments. We are by no means limiting ourselves: when we really need some non-constructive principle in a constructive argument, we can always explicitly assume this principle (or the specific instance that we need). But it so happens that a need for unexpectedly strong principles is often a sign of some imperfect design choice in the setup of a theory. Another reason to be constructive as a semanticist is that programming is about computable functions only. In constructive logic, we do not have to specifically worry about computability: only computable functions are there and can be spoken about. For example, the formula \forall x.\,p\,x\vee\neg(p\,x) is not a tautology; it states that p is decidable: there is a computable function mapping any x to a proof of p\,x or a proof of \neg(p\,x) (so also to yes or no, should one not care about the proofs). In big-step semantics, although we specify evaluation as a relation in this paper, it is important for us that it can be turned into a function, or else we do not capture the intuitive idea that programs represent computable functions from initial configurations into behaviors.

We have formalized the development in Coq version 8.2pl1. This gives us greater confidence in the correctness of our reasoning, in particular regarding the productivity of coinductive proofs, since the type checker of Coq helps us avoid mistakes by ruling out improductivity. We rely on Mendler-style coinduction to circumvent the limitations imposed by the syntactic guardedness approach [9] of Coq. The Coq development is available at http://cs.ioc.ee/~keiko/sophie.tgz.

The language we consider is the While language extended with input and output primitives, with statements s:\mathit{stmt} defined inductively by

s ::= \mathsf{skip} \mid s_0;s_1 \mid x := e \mid \mathsf{if}~e~\mathsf{then}~s_t~\mathsf{else}~s_f \mid \mathsf{while}~e~\mathsf{do}~s_t \mid \mathsf{input}~x \mid \mathsf{output}~e

We assume given the sets of variables and (pure) expressions, whose elements are ranged over by metavariables x and e respectively. We assume the set of values to be the integers, non-zero integers counting as truth and zero as falsity. The metavariable v ranges over values. A state, ranged over by \sigma, maps variables to values. The notation \sigma[x\mapsto v] denotes the update of a state \sigma with v at x. We assume given an evaluation function \llbracket e\rrbracket\sigma, which evaluates e in the state \sigma. We write \sigma\models e and \sigma\not\models e to denote that e is true, resp. false in \sigma.

## 2 Resumptions

We will define operational semantics of interactive While in terms of states and (interactive input-output) resumptions. Informally, a resumption is a data structure that captures all possible evolutions of a configuration (a statement-state pair), a computation tree branching according to the external non-determinism resulting from interactive input. (There are alternatives: we could have chosen to work, e.g., with functions from streams of input values into traces, i.e., computation paths.)

Basic (delayful) resumptions r:\mathit{res} are defined coinductively by the rules below. (In the typeset paper, inductive definitions are marked by single horizontal rules and coinductive definitions by double horizontal rules; here each definition is introduced as inductive or coinductive in the text.)

\frac{\sigma : \mathit{state}}{\mathit{ret}~\sigma : \mathit{res}}
\quad
\frac{f : \mathit{Int} \to \mathit{res}}{\mathit{in}~f : \mathit{res}}
\quad
\frac{v : \mathit{Int} \quad r : \mathit{res}}{\mathit{out}~v~r : \mathit{res}}
\quad
\frac{r : \mathit{res}}{\delta~r : \mathit{res}}

so a resumption either has terminated with some final state, \mathit{ret}~\sigma; takes an integer input v and evolves into a new resumption f~v, \mathit{in}~f; outputs an integer v and evolves into r, \mathit{out}~v~r; or performs an internal action (observable at best as a delay) and becomes r, \delta~r. For simplicity, we assume input totality; i.e., input resumptions, represented by total functions, accept any integer. But we could instead have had them partial, e.g., by letting the constructor \mathit{in} take the intended domain of definedness as an additional argument. We also define (strong) bisimilarity of two resumptions, r\approx r_*, coinductively by

\frac{}{\mathit{ret}~\sigma \approx \mathit{ret}~\sigma}
\quad
\frac{\forall v.\, f~v \approx f_*~v}{\mathit{in}~f \approx \mathit{in}~f_*}
\quad
\frac{r \approx r_*}{\mathit{out}~v~r \approx \mathit{out}~v~r_*}
\quad
\frac{r \approx r_*}{\delta~r \approx \delta~r_*}

Bisimilarity is straightforwardly seen to be an equivalence. We think of bisimilar resumptions as equal, i.e., type-theoretically we treat resumptions as a setoid with bisimilarity as the equivalence relation. (Classically, strong bisimilarity is equality. But we work in an intensional type theory where strong bisimilarity of colists is weaker than equality, just as equality of two functions on all arguments is weaker than equality of these two functions. E.g., \bot and \delta~\bot are only strongly bisimilar.) Accordingly, we have to make sure that all functions and predicates we define on resumptions are setoid functions and predicates, i.e., insensitive to bisimilarity.
Here are some examples of resumptions, defined by corecursion:

\begin{array}{rcl}
\bot &=& \delta~\bot \\
\mathit{rep}~n &=& \delta~(\delta~(\mathit{out}~n~(\mathit{rep}~n))) \\
\mathit{rep'}~n &=& \delta~(\mathit{out}~n~(\mathit{rep'}~n)) \\
\mathit{echo}~\sigma &=& \mathit{in}~(\lambda n.~\delta~(\mathit{if}~n \neq 0~\mathit{then}~\mathit{out}~n~(\mathit{echo}~\sigma)~\mathit{else}~\mathit{ret}~\sigma)) \\
\mathit{echo'} &=& \mathit{in}~(\lambda n.~\delta~(\mathit{if}~n \neq 0~\mathit{then}~\mathit{out}~n~\mathit{echo'}~\mathit{else}~\bot))
\end{array}

\bot represents a resumption that silently diverges. \mathit{rep} outputs an integer n forever. \mathit{rep'} is similar but has shorter latency. Both \mathit{echo} and \mathit{echo'} echo input interactively; the former terminates when the input is 0, whereas the latter diverges in this situation. Convergence, r\downarrow r', states that r converges in a finite number of steps to a resumption r', which has terminated or makes an observable action (performs input/output) as its first move.
It is defined inductively by

\frac{}{\mathit{ret}~\sigma \downarrow \mathit{ret}~\sigma}
\quad
\frac{\forall v.\, f~v \approx f_*~v}{\mathit{in}~f \downarrow \mathit{in}~f_*}
\quad
\frac{r \approx r_*}{\mathit{out}~v~r \downarrow \mathit{out}~v~r_*}
\quad
\frac{r \downarrow r'}{\delta~r \downarrow r'}

In contrast, divergence, r\,{\uparrow}, states that r diverges silently. It is defined coinductively by

\frac{r\,{\uparrow}}{\delta~r\,{\uparrow}}

For instance, we have \delta~(\delta~(\mathit{ret}~\sigma))\downarrow\mathit{ret}~\sigma, \mathit{rep}~n\downarrow\mathit{out}~n~(\mathit{rep}~n) and \bot\,{\uparrow}.

Both convergence and divergence are setoid predicates. Constructively, it is not the case that \forall r.\,(\exists r^{\prime}.\,r\downarrow r^{\prime})\vee r\,{\uparrow}, which amounts to decidability of convergence. But classically, this dichotomy is true. In particular, \forall r.\,\neg\,(\exists r^{\prime}.\,r\downarrow r^{\prime})\to r\,{\uparrow} is constructively provable, but \forall r.\,\neg\,r\,{\uparrow}\to\exists r^{\prime}.\,r\downarrow r^{\prime} holds only classically.

We can now introduce a useful notion of responsiveness. A resumption r is responsive, if it keeps converging. It is defined coinductively with the help of the convergence predicate by

\frac{r \downarrow \mathit{ret}~\sigma}{r\,{\Downarrow}}\;\mathsf{[resp\mbox{-}ret]}
\quad
\frac{r \downarrow \mathit{in}~f \quad \forall v.\,(f~v)\,{\Downarrow}}{r\,{\Downarrow}}\;\mathsf{[resp\mbox{-}in]}
\quad
\frac{r \downarrow \mathit{out}~v~r' \quad r'\,{\Downarrow}}{r\,{\Downarrow}}\;\mathsf{[resp\mbox{-}out]}

For instance, \mathit{rep}~n, \mathit{rep'}~n and \mathit{echo}~\sigma are responsive, but \bot and \mathit{echo'} are not.

Classically, a resumption is responsive if it can never evolve into a diverging resumption. Indeed, by augmenting the definition of responsiveness with a divergence option we obtain a classically tautological predicate, r\,{\Updownarrow}, that we call committedness.

\frac{r \downarrow \mathit{ret}~\sigma}{r\,{\Updownarrow}}\;\mathsf{[comm\mbox{-}ret]}
\quad
\frac{r \downarrow \mathit{in}~f \quad \forall v.\,(f~v)\,{\Updownarrow}}{r\,{\Updownarrow}}\;\mathsf{[comm\mbox{-}in]}
\quad
\frac{r \downarrow \mathit{out}~v~r' \quad r'\,{\Updownarrow}}{r\,{\Updownarrow}}\;\mathsf{[comm\mbox{-}out]}
\quad
\frac{r\,{\uparrow}}{r\,{\Updownarrow}}\;\mathsf{[comm\mbox{-}div]}

For a resumption r to be committed, it must be the case that it always either converges or diverges. So, classically, any resumption is committed.

###### Lemma 2.1

Classically, for all r, r\,{\Updownarrow}.

Proof. Specifically, we use an instance of excluded middle, \forall r.\,(\exists r'.\,r\downarrow r')\vee\neg(\exists r'.\,r\downarrow r'), which amounts to assuming that convergence is decidable. \Box

###### Lemma 2.2

Convergence, divergence, responsiveness and committedness are setoid predicates.

## 3 Weak Bisimilarity

Two resumptions are weakly bisimilar, if they are bisimilar modulo collapsing finite sequences of delay steps between observable actions. It is conceivable that, in practice, weak bisimilarity is what is needed: one may well be interested only in observable behavior, disregarding finite delays. For instance, to guarantee correctness of a compiler optimization, we would want to prove that the optimization does not change the observable behavior of the source program, including termination and divergence behaviors, but the optimized code may perform fewer internal steps and thus be faster. We therefore formalize termination-sensitive weak bisimilarity, which distinguishes termination and silent divergence.

Technically, getting the definition of weak bisimilarity right is not straightforward, especially not in a constructive setting. It requires both induction and coinduction: we need to collapse a finite number of delay steps between observable actions possibly infinitely. Here we present two equivalent formulations (actually, we will also give a third one for classical reasoning, which is only equivalent to the first two classically). The first is closer to the formulations typically found in process calculi literature (except that, in process calculi, one usually works with termination-insensitive weak bisimilarity). The second nests induction into coinduction, exhibiting a useful technique for implementation in Coq. In our development, we use both formulations and their equivalence result, freely choosing the one of the two that facilitates the proof.

The first one, denoted r\cong r_{*}, uses coinduction atop the inductive definition of convergence and is defined coinductively by the rules

\frac{r \downarrow \mathit{ret}~\sigma \quad r_* \downarrow \mathit{ret}~\sigma}{r \cong r_*}
\quad
\frac{r \downarrow \mathit{in}~f \quad r_* \downarrow \mathit{in}~f_* \quad \forall v.\, f~v \cong f_*~v}{r \cong r_*}
\quad
\frac{r \downarrow \mathit{out}~v~r' \quad r_* \downarrow \mathit{out}~v~r'_* \quad r' \cong r'_*}{r \cong r_*}
\quad
\frac{r \cong r_*}{\delta~r \cong \delta~r_*}

so two resumptions are weakly bisimilar if they converge at the same action or can both perform an internal action, with weakly bisimilar residual resumptions. In particular, two terminating resumptions are derived to be weakly bisimilar by a single application of the first rule, whereas two silently diverging resumptions are weakly bisimilar by corecursive application of the fourth rule. For instance, we have \mathit{rep}~{}n\cong\mathit{rep^{\prime}}~{}n but \mathit{echo}~{}\sigma\cong\mathit{echo^{\prime}} does not hold.

###### Lemma 3.1

For any r, r' and r_*, if r\downarrow r' and r_*\,{\uparrow}, then \neg\,(r\cong r_*).

As a corollary, we obtain that the silently diverging resumption \bot and resumptions that have terminated, \mathit{ret}~\sigma, are not weakly bisimilar.

The second formulation, denoted r\mathbin{\cong^{\circ}}r_{*}, nests induction into coinduction. We first define {\downarrow}X{\downarrow} inductively in terms of X, for any relation (read: setoid relation) X, and then define {\cong^{\circ}} coinductively in terms of {\downarrow}{\cong^{\circ}}{\downarrow}. For binary relations X, Y, X\subseteq Y denotes \forall x,x_{*}.\,x\mathbin{X}x_{*}\to x\mathbin{Y}x_{*}.

\begin{array}{c}
\frac{}{\mathit{ret}~\sigma \mathbin{{\downarrow}X{\downarrow}} \mathit{ret}~\sigma}
\quad
\frac{r \mathbin{X} r_*}{\mathit{out}~v~r \mathbin{{\downarrow}X{\downarrow}} \mathit{out}~v~r_*}
\quad
\frac{\forall v.\, f~v \mathbin{X} f_*~v}{\mathit{in}~f \mathbin{{\downarrow}X{\downarrow}} \mathit{in}~f_*}
\quad
\frac{r \mathbin{{\downarrow}X{\downarrow}} r_*}{\delta~r \mathbin{{\downarrow}X{\downarrow}} r_*}
\quad
\frac{r \mathbin{{\downarrow}X{\downarrow}} r_*}{r \mathbin{{\downarrow}X{\downarrow}} \delta~r_*}
\\[2ex]
\frac{X \subseteq {\cong^{\circ}} \quad r \mathbin{{\downarrow}X{\downarrow}} r_*}{r \mathbin{\cong^{\circ}} r_*}
\quad
\frac{r \mathbin{\cong^{\circ}} r_*}{\delta~r \mathbin{\cong^{\circ}} \delta~r_*}
\end{array}

The five rules in the first row define {\downarrow}X{\downarrow} inductively; the two rules in the second row define {\cong^{\circ}} coinductively. Intuitively, r\mathbin{{\downarrow}X{\downarrow}}r_{*} means that r and r_{*} converge to resumptions related by X. In the first rule of {\cong^{\circ}}, we have used Mendler-style coinduction in order to enable Coq’s syntactic guarded corecursion for {\cong^{\circ}}. The natural (Park-style) rule to stipulate would have been

\frac{r \mathbin{{\downarrow}{\cong^{\circ}}{\downarrow}} r_*}{r \mathbin{\cong^{\circ}} r_*}

Coq’s guardedness condition for induction nested into coinduction is too weak to work with the Park-style rule: we cannot construct the corecursive functions (coinductive proofs) that we need. With our definition, the Park-style rule is derivable. We can also prove that {\downarrow}X{\downarrow} is monotone in X, which allows us to recover the natural inversion principle for {\cong^{\circ}}.

Induction and coinduction can be mixed in several ways. An inductive definition can be mutual with a coinductive definition, if the occurrence of one predicate in the definition of the other is contravariant. (This means looking for a least X and greatest Y solving a system of equations X=F(Y,X), Y=G(X,Y), where F and G are contravariant in their first arguments and covariant in their second arguments.) But this is not our situation. Instead, in our case, we have an inductive and a coinductive definition that use each other covariantly, but one is nested in the other. Specifically, we have the inductive definition nested in the coinductive definition (i.e., we have a definition of the form \nu X.\,G(\mu Y.\,F(X,Y),X) with both F and G covariant in both arguments), since we want finite chunks of {\downarrow}{\cong^{\circ}}{\downarrow} derivations to be weaved into an infinite {\cong^{\circ}} derivation.
The Agda developer community is currently exploring a novel approach to coinductive types (based on suspension types) [6, 7] where this form of mixing induction and coinduction is easily encoded while nesting the other way is problematic.

The two definitions of weak bisimilarity are equivalent.

###### Lemma 3.2

For any r and r_{*}, r\cong r_{*} iff r\mathbin{\cong^{\circ}}r_{*}.

Weak bisimilarity is a setoid predicate and an equivalence relation.

###### Lemma 3.3

Weak bisimilarity is a setoid predicate: for any r, r', r_{*}, r_{*}', if r\approx r', r\cong r_{*} and r_{*}\approx r_{*}', then r'\cong r_{*}'. Weak bisimilarity is an equivalence.

Proof. Reflexivity and symmetry are straightforward to prove by coinduction. Below we sketch the proof for transitivity with the second formulation, r\mathbin{\cong^{\circ}}r_{*}, to show Mendler-style coinduction working in our favour. For binary relations X,Y, let X\circ Y denote their composition; namely, x\mathbin{(X\circ Y)}x' if there is x'' such that x\mathbin{X}x'' and x''\mathbin{Y}x'. We first prove, by induction, the transitivity for {\downarrow}X{\downarrow}, i.e., that, for any resumptions r_{0},r_{1},r_{2} and setoid relations X,Y, if r_{0}\mathbin{{\downarrow}X{\downarrow}}r_{1} and r_{1}\mathbin{{\downarrow}Y{\downarrow}}r_{2}, then r_{0}\mathbin{{\downarrow}(X\circ Y){\downarrow}}r_{2}. The transitivity of {\cong^{\circ}} states that, for any resumptions r_{0},r_{1} and r_{2}, if r_{0}\mathbin{\cong^{\circ}}r_{1} and r_{1}\mathbin{\cong^{\circ}}r_{2}, then r_{0}\mathbin{\cong^{\circ}}r_{2}. The proof of this is by coinduction and inversion on r_{0}\mathbin{\cong^{\circ}}r_{1} and r_{1}\mathbin{\cong^{\circ}}r_{2}. We show the main case.
Suppose we have r_{0}\mathbin{\cong^{\circ}}r_{1} and r_{1}\mathbin{\cong^{\circ}}r_{2} because r_{0}\mathbin{{\downarrow}X{\downarrow}}r_{1} and r_{1}\mathbin{{\downarrow}Y{\downarrow}}r_{2} for some X and Y such that X\subseteq{\cong^{\circ}} and Y\subseteq{\cong^{\circ}}. By the transitivity of {\downarrow}X{\downarrow} (which was proved by induction separately above), we obtain r_{0}\mathbin{{\downarrow}(X\circ Y){\downarrow}}r_{2}. Using the coinduction hypothesis, we have X\circ Y\subseteq{\cong^{\circ}}\circ{\cong^{\circ}}\subseteq{\cong^{\circ}}, which closes the case. Notably, the invocation of the coinduction hypothesis here is properly guarded thanks to our use of Mendler’s trick. \Box

As one should expect, strongly bisimilar resumptions are weakly bisimilar.

###### Corollary 3.1

For any r and r_{*}, if r\approx r_{*}, then r\cong r_{*}.

Proof. Immediate from \cong being a reflexive setoid predicate. \Box

Termination-sensitive bisimilarity has previously been considered by Kučera and Mayr [13] and Bohannon et al. [3] (but see also Bergstra et al. [1]). Their version is best suited for classical reasoning in the sense that terminating and silently diverging resumptions are distinguished by an upfront choice between convergence and divergence.
This version of weak bisimilarity, denoted r\cong_{\mathrm{c}}r_{*}, is defined coinductively by

\begin{array}{c}
\frac{r \downarrow \mathit{ret}~\sigma \quad r_* \downarrow \mathit{ret}~\sigma}{r \cong_{\mathrm{c}} r_*}
\quad
\frac{r \downarrow \mathit{out}~v~r' \quad r_* \downarrow \mathit{out}~v~r'_* \quad r' \cong_{\mathrm{c}} r'_*}{r \cong_{\mathrm{c}} r_*}
\quad
\frac{r \downarrow \mathit{in}~f \quad r_* \downarrow \mathit{in}~f_* \quad \forall v.\, f~v \cong_{\mathrm{c}} f_*~v}{r \cong_{\mathrm{c}} r_*}
\quad
\frac{r\,{\uparrow} \quad r_*\,{\uparrow}}{r \cong_{\mathrm{c}} r_*}
\end{array}

Only the fourth rule is different from the rules of \cong and refers directly to divergence. The classical-style version of weak bisimilarity, \cong_{\mathrm{c}}, is stronger than the constructive-style version, \cong. The converse is only true classically.

###### Lemma 3.4

For any r and r_{*}, if r\cong_{\mathrm{c}}r_{*}, then r\cong r_{*}. Classically, for any r and r_{*}, if r\cong r_{*}, then r\cong_{\mathrm{c}}r_{*}.
We insist on the use of constructive-style weak bisimilarity, \cong, in the constructive setting, because the classical-style notion fails to enjoy some fundamental properties constructively.

###### Lemma 3.5

Classical-style weak bisimilarity is a setoid predicate. Classically, it is also an equivalence weaker than strong bisimilarity.

Proof We only prove that \cong_{\mathrm{c}} is an equivalence. Reflexivity: We prove that for any r, r\cong_{\mathrm{c}}r by coinduction. Classically, we have \forall r_{0}.\,(\exists r_{0}^{\prime}.\,r_{0}\downarrow r_{0}^{\prime})\vee r_{0}\,{\uparrow}. Should r\,{\uparrow} hold, we immediately conclude r\cong_{\mathrm{c}}r. Suppose there exists r^{\prime} such that r\downarrow r^{\prime}. Moreover, suppose r^{\prime}=\mathit{in}~f for some f. The coinduction hypothesis gives us that for any v, f~v\cong_{\mathrm{c}}f~v, from which r\cong_{\mathrm{c}}r follows. The other cases, i.e., when r^{\prime}=\mathit{out}~v~r^{\prime\prime} for some v and r^{\prime\prime} or r^{\prime}=\mathit{ret}~\sigma for some \sigma, are similar. Symmetry: We prove constructively that for any r and r^{\prime}, if r\cong_{\mathrm{c}}r^{\prime} then r^{\prime}\cong_{\mathrm{c}}r by coinduction and inversion on r\cong_{\mathrm{c}}r^{\prime}. Transitivity: We prove constructively that for any r, r^{\prime} and r^{\prime\prime}, if r\cong_{\mathrm{c}}r^{\prime} and r^{\prime}\cong_{\mathrm{c}}r^{\prime\prime} then r\cong_{\mathrm{c}}r^{\prime\prime} by coinduction and inversion on r\cong_{\mathrm{c}}r^{\prime} and r^{\prime}\cong_{\mathrm{c}}r^{\prime\prime}. \Box

Constructively, it is not possible to show classical-style weak bisimilarity reflexive, and hence we cannot show any two strongly bisimilar resumptions classical-style weakly bisimilar.
A simple example of a resumption r not classical-style weakly bisimilar to itself constructively is given by any search process that is classically total, but cannot be proved terminating constructively, since no bound on the search can be given. By definition, a resumption can only be classical-style weakly bisimilar to another if it terminates or diverges. Constructively, we can only show the resumption r to be nondiverging; we cannot show it terminating.

## 4 Big-Step Semantics

We now proceed to a first, basic (delayful) big-step operational semantics for our reactive While in terms of delayful resumptions. Evaluation (s,\sigma)\Rightarrow r, expressing that running a statement s from a state \sigma produces a resumption r, is defined coinductively by the rules in Figure 1. The rules for sequence and while implement the necessary sequencing with the help of extended evaluation (s,r)\stackrel{*}{\Rightarrow}r^{\prime}, expressing that running a statement s from the last state (if it exists) of an already accumulated resumption r results in a total resumption r^{\prime}. Extended evaluation is also defined coinductively, as the coinductive prefix closure of evaluation. Input and output statements produce corresponding resumptions that perform input or output actions and terminate thereafter. We consider assignments and testing of guards of if- and while-statements to constitute internal actions, observable as delays. This way we avoid introducing semantic anomalies, by making sure that any while-loop always progresses. But this choice also ensures that evaluation is total—as we should expect.
Given that it is deterministic as well (note that the external nondeterminism resulting from input actions is encapsulated in resumptions), we can equivalently turn our relational big-step semantics into a functional one: the unique resumption for a given configuration (statement-state pair) is definable by corecursion. (This aspect makes our big-step operational semantics very close in spirit to denotational semantics, specifically, denotational semantics in terms of Kleisli categories, here, the Kleisli category of a resumptions monad.) This semantics is a straightforward adaptation of the trace-based coinductive big-step semantics of non-interactive While from our previous work [17], where the details can be found and where we motivate all our design choices (e.g., why \mathsf{skip} takes no time whereas the boolean guards do; we argue that our design is canonical).

###### Lemma 4.1

Evaluation is a setoid predicate. It is total and deterministic up to bisimilarity.

Let us look at some examples. We have (\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip},\sigma)\Rightarrow\bot for any \sigma. I.e., \mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip} silently diverges. We also have (\mathsf{input}~x;\mathsf{while~}\mathsf{true}\mathsf{~do~}(\mathsf{output}~x;x:=x+1),\sigma)\Rightarrow\mathit{in}~(\lambda n.~\mathit{up}~n) where \mathit{up} is defined corecursively by \mathit{up}~n=\delta~(\mathit{out}~n~(\delta~(\mathit{up}~(n+1)))). I.e., the statement counts up from the given input n. The two delays around every output action account for the internal actions of the assignment and testing of the boolean guard.
An interactive adder takes two inputs and outputs their sum, and repeats this process; that is, we have (\mathsf{while~}\mathsf{true}\mathsf{~do~}(\mathsf{input}~x;\mathsf{input}~y;\mathsf{output}~(x+y)),\sigma)\Rightarrow\mathop{sum} where \mathop{sum} is defined corecursively by \mathop{sum}=\delta~(\mathit{in}~(\lambda m.~\mathit{in}~(\lambda n.~\mathit{out}~(m+n)~\mathop{sum}))). Weak bisimilarity is useful for reasoning about soundness of program transformations, where we accept that transformations may change the timing of a resumption. For instance, we have (\mathsf{while~}\mathsf{true}\mathsf{~do~}(z:=x;\mathsf{output}~z),\sigma)\Rightarrow\mathit{rep}~(\sigma~x), where \mathit{rep} is defined corecursively by \mathit{rep}~n=\delta~\delta~(\mathit{out}~n~(\mathit{rep}~n)), and (z:=x;\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{output}~z,\sigma)\Rightarrow\delta~(\mathit{rep^{\prime}}~(\sigma~x)), where \mathit{rep^{\prime}} is defined corecursively by \mathit{rep^{\prime}}~n=\delta~(\mathit{out}~n~(\mathit{rep^{\prime}}~n)), with \mathit{rep}~n\cong\mathit{rep^{\prime}}~n. The latter resumption is faster than the former, but they are weakly bisimilar. In fact, we can prove \mathsf{while~}e\mathsf{~do~}(z:=x;s) and z:=x;\mathsf{while~}e\mathsf{~do~}s to be weakly bisimilar whenever e is true of the initial state and s does not change x. Here, the latter statement is obtained from the former by loop-invariant code motion, a well-known compiler optimization; the optimization preserves the observable behaviour of the source statement, irrespective of its termination behaviour, which it must respect as well. We note that \mathsf{output}~1 is not observationally equivalent to (\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip});\mathsf{output}~1.
More importantly, \mathsf{output}~1 is not observationally equivalent to \mathsf{output}~1;(\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip}), since our weak bisimilarity is termination-sensitive. Of course, we can deal with more interesting program equivalences, such as the equivalence of \mathsf{mult}=\mathsf{while~}\mathsf{true}\mathsf{~do~}(\mathsf{input}~x;\mathsf{input}~y;z:=0;\mathsf{while~}x\neq 0\mathsf{~do~}(z:=z+y;x:=x-1);\mathsf{output}~z) and \mathsf{mult\_opt}=\mathsf{while~}\mathsf{true}\mathsf{~do~}(\mathsf{input}~x;\mathsf{input}~y;\mathsf{if~}x\geq 0\mathsf{~then~}\mathsf{output}~x*y\mathsf{~else~}(\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip})), slow and fast interactive multipliers, which silently diverge when given a negative first operand.

## 5 Small-Step Semantics

In this section, we introduce an equivalent small-step semantics and define weak bisimilarity of configurations (statement-state pairs) in terms of it. We then prove two configurations to be weakly bisimilar if and only if their evaluations produce weakly bisimilar resumptions. A configuration (s,\sigma) is a pair of a statement and a state.
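Before turning to the small-step semantics, here is the delayful big-step semantics of Section 4 and its examples as an added, executable Python model. It is not part of the paper or of its Coq development. Resumptions are modelled as lazy thunks, `run` follows the delay conventions stated above (assignments and guard tests are delays, `skip` takes none, input and output terminate after their action), and `weak_bisim` checks constructive-style weak bisimilarity only up to an observation depth, a delay budget per convergence and a finite sample of inputs; those bounds, the statement syntax and the state representation are assumptions of this model, not definitions from the paper.

```python
# Added example: a lazy model of Section 4's delayful big-step semantics.
# A resumption is a thunk (zero-argument function) returning one node
#   ('ret', sigma) | ('in', f) | ('out', v, r) | ('delay', r)
# whose tails r (and f v) are thunks again.  States are read-only mappings.
from types import MappingProxyType

def ret(sig):   return lambda: ('ret', sig)
def inp(f):     return lambda: ('in', f)          # f : int -> resumption
def out(v, r):  return lambda: ('out', v, r)
def delay(r):   return lambda: ('delay', r)

def update(sig, x, v):
    d = dict(sig); d[x] = v
    return MappingProxyType(d)

def bind(r, k):
    """Kleisli extension of the resumptions monad: run r to its final state,
    then continue with k.  Delays, inputs and outputs of r pass through."""
    def go():
        node = r()
        if node[0] == 'ret':  return k(node[1])()
        if node[0] == 'in':   return ('in', lambda v: bind(node[1](v), k))
        if node[0] == 'out':  return ('out', node[1], bind(node[2], k))
        return ('delay', bind(node[1], k))
    return go

# Constructed statement syntax: ('skip',) ('assign', x, e) ('input', x)
# ('output', e) ('seq', s1, s2) ('if', e, s1, s2) ('while', e, s);
# expressions e are Python callables on the state (an assumption of this model).
def run(s, sig):
    """(s, sigma) => r.  Assignments and guard tests are internal actions,
    observable as delays; skip takes no time."""
    tag = s[0]
    if tag == 'skip':   return ret(sig)
    if tag == 'assign': return delay(ret(update(sig, s[1], s[2](sig))))
    if tag == 'input':  return inp(lambda v: ret(update(sig, s[1], v)))
    if tag == 'output': return out(s[1](sig), ret(sig))
    if tag == 'seq':    return bind(run(s[1], sig), lambda sig2: run(s[2], sig2))
    if tag == 'if':     return delay(lambda: run(s[2] if s[1](sig) else s[3], sig)())
    # while: test the guard (a delay), run the body, loop from its final state
    return delay(lambda: bind(run(s[2], sig), lambda sig2: run(s, sig2))()
                 if s[1](sig) else ('ret', sig))

def observe(r, inputs, steps):
    """Unfold r for at most `steps` nodes, answering input requests from the
    list `inputs`.  Returns the sequence of observed actions and delays."""
    seen, inputs = [], list(inputs)
    for _ in range(steps):
        node = r()
        if node[0] == 'ret':
            seen.append(('ret', dict(node[1]))); break
        if node[0] == 'delay':
            seen.append('δ'); r = node[1]
        elif node[0] == 'out':
            seen.append(('out', node[1])); r = node[2]
        else:
            if not inputs: seen.append('in?'); break
            v = inputs.pop(0); seen.append(('in', v)); r = node[1](v)
    return seen

def converge(r, fuel):
    """r ↓ r': strip at most `fuel` delays.  None means 'no evidence of
    convergence within fuel', which is all finite observation can say."""
    for _ in range(fuel + 1):
        node = r()
        if node[0] != 'delay': return node
        r = node[1]
    return None

def weak_bisim(r, r_, fuel, depth, samples=(0, 1, -1)):
    """Constructive-style weak bisimilarity ≅ checked to `depth` observable
    actions, `fuel` delays per convergence, inputs from `samples`.
    True/False are definite for these bounds; None means undecided."""
    if depth == 0: return True
    a, b = converge(r, fuel), converge(r_, fuel)
    if a is None or b is None: return None
    if a[0] != b[0]: return False
    if a[0] == 'ret': return dict(a[1]) == dict(b[1])
    if a[0] == 'out':
        return a[1] == b[1] and weak_bisim(a[2], b[2], fuel, depth - 1, samples)
    results = [weak_bisim(a[1](v), b[1](v), fuel, depth - 1, samples) for v in samples]
    if False in results: return False
    return None if None in results else True

# The paper's examples, written in the constructed syntax above.
TRUE = lambda sig: True
SKIP_FOREVER = ('while', TRUE, ('skip',))
COUNT_UP = ('seq', ('input', 'x'),
            ('while', TRUE, ('seq', ('output', lambda sig: sig['x']),
                                    ('assign', 'x', lambda sig: sig['x'] + 1))))
LOOP_INNER = ('while', TRUE, ('seq', ('assign', 'z', lambda sig: sig['x']),
                                     ('output', lambda sig: sig['z'])))
LOOP_MOVED = ('seq', ('assign', 'z', lambda sig: sig['x']),
              ('while', TRUE, ('output', lambda sig: sig['z'])))
OUT1 = ('output', lambda sig: 1)
OUT1_THEN_DIV = ('seq', OUT1, SKIP_FOREVER)
DIV_THEN_OUT1 = ('seq', SKIP_FOREVER, OUT1)
SIGMA0 = MappingProxyType({'x': 7, 'z': 0})   # constructed initial state

if __name__ == '__main__':
    print(observe(run(COUNT_UP, SIGMA0), [5], 7))       # in 5, δ, out 5, δ, δ, out 6, δ
    print(observe(run(LOOP_INNER, SIGMA0), [], 6))      # rep 7:  δ δ out 7 δ δ out 7
    print(observe(run(LOOP_MOVED, SIGMA0), [], 5))      # δ (rep' 7): δ δ out 7 δ out 7
    print(weak_bisim(run(LOOP_INNER, SIGMA0), run(LOOP_MOVED, SIGMA0), 3, 4))
    print(weak_bisim(run(OUT1, SIGMA0), run(OUT1_THEN_DIV, SIGMA0), 10, 3))
```

The traces reproduce `up`, `rep` and `rep'` from the text, and `weak_bisim` confirms the loop-invariant code motion example up to the chosen bounds. For `output 1` against `output 1; while true do skip` the checker answers `None`: a finite unfolding can never witness silent divergence, so termination-sensitive weak bisimilarity cannot be refuted by observation alone, which is precisely why the paper's constructive ≅ is phrased through convergence rather than through an upfront decision between termination and divergence.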
Labelled configurations c:\mathit{lconf} are defined by the sum (the definition is non-recursive, but we pretend that it is inductive, as we also do in Coq):

\begin{array}{c}
\dfrac{\sigma:\mathit{state}}{\mathit{\underline{ret}}~\sigma:\mathit{lconf}}
\quad
\dfrac{s:\mathit{stmt}\quad g:\mathit{Int}\rightarrow\mathit{state}}{\mathit{\underline{in}}~s~g:\mathit{lconf}}
\quad
\dfrac{v:\mathit{Int}\quad s:\mathit{stmt}\quad\sigma:\mathit{state}}{\mathit{\underline{out}}~v~s~\sigma:\mathit{lconf}}
\quad
\dfrac{s:\mathit{stmt}\quad\sigma:\mathit{state}}{\underline{\delta}~s~\sigma:\mathit{lconf}}
\end{array}

A terminality predicate/one-step reduction relation {\rightarrow} is defined in Figure 2 (top half). If c=\mathit{\underline{ret}}~\sigma, then the proposition (s,\sigma)\rightarrow c means that the configuration (s,\sigma) has terminated at state \sigma.
In other cases, it corresponds to a labelled transition: if c=\mathit{\underline{in}}~s^{\prime}~g, we take an input v and evolve to a configuration (s^{\prime},g~v); if c=\mathit{\underline{out}}~v~s^{\prime}~\sigma^{\prime}, we output v and evolve to (s^{\prime},\sigma^{\prime}); if c=\underline{\delta}~s^{\prime}~\sigma^{\prime}, the configuration (s,\sigma) evolves to a configuration (s^{\prime},\sigma^{\prime}) in a delay step. We have chosen to label configurations rather than transitions so that labelled configurations become “trunks” of resumptions. Weak bisimilarity of two configurations is defined in terms of terminality/one-step reduction. Again, convergence, (s,\sigma)\downarrow c, states that either (s,\sigma) terminates or performs an observable action in a finite number of steps. It is defined inductively by

\begin{array}{c}
\dfrac{(s,\sigma)\rightarrow\mathit{\underline{ret}}~\sigma^{\prime}}{(s,\sigma)\downarrow\mathit{\underline{ret}}~\sigma^{\prime}}
\quad
\dfrac{(s,\sigma)\rightarrow\mathit{\underline{out}}~v~s^{\prime}~\sigma^{\prime}}{(s,\sigma)\downarrow\mathit{\underline{out}}~v~s^{\prime}~\sigma^{\prime}}
\quad
\dfrac{(s,\sigma)\rightarrow\mathit{\underline{in}}~s^{\prime}~g}{(s,\sigma)\downarrow\mathit{\underline{in}}~s^{\prime}~g}
\quad
\dfrac{(s,\sigma)\rightarrow\underline{\delta}~s^{\prime}~\sigma^{\prime}\quad(s^{\prime},\sigma^{\prime})\downarrow c}{(s,\sigma)\downarrow c}
\end{array}

(We overload the same notations for resumptions and configurations without ambiguity.) Weak bisimilarity on configurations is defined coinductively by

\begin{array}{c}
\dfrac{(s,\sigma)\downarrow\mathit{\underline{ret}}~\sigma^{\prime}\quad(s_{*},\sigma_{*})\downarrow\mathit{\underline{ret}}~\sigma^{\prime}}{(s,\sigma)\cong(s_{*},\sigma_{*})}
\\[2ex]
\dfrac{(s,\sigma)\downarrow\mathit{\underline{in}}~s^{\prime}~g\quad(s_{*},\sigma_{*})\downarrow\mathit{\underline{in}}~s^{\prime}_{*}~g_{*}\quad\forall v.\,(s^{\prime},g~v)\cong(s^{\prime}_{*},g_{*}~v)}{(s,\sigma)\cong(s_{*},\sigma_{*})}
\\[2ex]
\dfrac{(s,\sigma)\downarrow\mathit{\underline{out}}~v~s^{\prime}~\sigma^{\prime}\quad(s_{*},\sigma_{*})\downarrow\mathit{\underline{out}}~v~s^{\prime}_{*}~\sigma^{\prime}_{*}\quad(s^{\prime},\sigma^{\prime})\cong(s^{\prime}_{*},\sigma^{\prime}_{*})}{(s,\sigma)\cong(s_{*},\sigma_{*})}
\\[2ex]
\dfrac{(s,\sigma)\rightarrow\underline{\delta}~s^{\prime}~\sigma^{\prime}\quad(s_{*},\sigma_{*})\rightarrow\underline{\delta}~s^{\prime}_{*}~\sigma^{\prime}_{*}\quad(s^{\prime},\sigma^{\prime})\cong(s^{\prime}_{*},\sigma^{\prime}_{*})}{(s,\sigma)\cong(s_{*},\sigma_{*})}
\end{array}

Two configurations are weakly bisimilar if and only if their evaluations yield weakly bisimilar resumptions.

###### Lemma 5.1

For any s, s_{*}, \sigma and \sigma_{*}, (s,\sigma)\cong(s_{*},\sigma_{*}) iff there exist r and r_{*} such that (s,\sigma)\Rightarrow r and (s_{*},\sigma_{*})\Rightarrow r_{*} and r\cong r_{*}.

The evaluation relation of the small-step semantics is defined in Figure 2 (bottom half). It is the terminal many-step reduction relation, defined coinductively. The proposition (s,\sigma)\rightsquigarrow r means that running s from the state \sigma produces the resumption r. The big-step and small-step semantics are equivalent.

###### Proposition 5.1

For any s, \sigma and r, (s,\sigma)\Rightarrow r iff (s,\sigma)\rightsquigarrow r.

## 6 Delay-Free Big-Step Semantics

So far we explicitly dealt with delay steps in a fully general and constructive manner. However, it is also possible to define big-step semantics in terms of resumptions without delay steps, by collapsing them on the fly, if they come in finite sequences. In this section, we define a delay-free semantics for configurations that lead to responsive resumptions.
We define delay-free resumptions, r:\mathit{res}_{\mathrm{r}}, and their (strong) bisimilarity coinductively by

\begin{array}{c}
\dfrac{\sigma:\mathit{state}}{\mathit{ret}_{\mathrm{r}}~\sigma:\mathit{res}_{\mathrm{r}}}
\quad
\dfrac{f:\mathit{Int}\rightarrow\mathit{res}_{\mathrm{r}}}{\mathit{in}_{\mathrm{r}}~f:\mathit{res}_{\mathrm{r}}}
\quad
\dfrac{v:\mathit{Int}\quad r:\mathit{res}_{\mathrm{r}}}{\mathit{out}_{\mathrm{r}}~v~r:\mathit{res}_{\mathrm{r}}}
\\[2ex]
\dfrac{}{\mathit{ret}_{\mathrm{r}}~\sigma\approx\mathit{ret}_{\mathrm{r}}~\sigma}
\quad
\dfrac{\forall v.\,f~v\approx f_{*}~v}{\mathit{in}_{\mathrm{r}}~f\approx\mathit{in}_{\mathrm{r}}~f_{*}}
\quad
\dfrac{r\approx r_{*}}{\mathit{out}_{\mathrm{r}}~v~r\approx\mathit{out}_{\mathrm{r}}~v~r_{*}}
\end{array}

A responsive delayful resumption r:\mathit{res} can be normalized into a delay-free resumption by collapsing the finite sequences of delay steps it has between observable actions. We define normalization, \mathit{norm}:(r:\mathit{res})\to r\,{\Downarrow}\to\mathit{res}_{\mathrm{r}}, and embedding of delay-free resumptions into delayful resumptions, \mathit{emb}:\mathit{res}_{\mathrm{r}}\to\mathit{res} by corecursion. In the definition of \mathit{norm}, we examine the proof of r\,{\Downarrow}, i.e., r’s responsiveness.

\begin{array}{rcl@{\qquad}rcl}
\mathit{norm}~r~(\mathsf{resp\mbox{-}ret}~\sigma~\_) &=& \mathit{ret}_{\mathrm{r}}~\sigma & \mathit{emb}~(\mathit{ret}_{\mathrm{r}}~\sigma) &=& \mathit{ret}~\sigma\\
\mathit{norm}~r~(\mathsf{resp\mbox{-}in}~f~\_~k) &=& \mathit{in}_{\mathrm{r}}~(\lambda v.\,\mathit{norm}~(f~v)~(k~v)) & \mathit{emb}~(\mathit{in}_{\mathrm{r}}~f) &=& \mathit{in}~(\lambda v.\,\mathit{emb}~(f~v))\\
\mathit{norm}~r~(\mathsf{resp\mbox{-}out}~v~r^{\prime}~\_~h) &=& \mathit{out}_{\mathrm{r}}~v~(\mathit{norm}~r^{\prime}~h) & \mathit{emb}~(\mathit{out}_{\mathrm{r}}~v~r) &=& \mathit{out}~v~(\mathit{emb}~r)
\end{array}

A delayful resumption is weakly bisimilar to a delay-free one if and only if it is responsive and its normal form is strongly bisimilar to the same.

###### Lemma 6.1

For any r:\mathit{res} and r_{*}:\mathit{res}_{\mathrm{r}}, r\cong\mathit{emb}~{}r_{*} iff \mathit{norm}~{}r~{}h\approx r_{*} for some h:r\,{\Downarrow}.

(The convergence proofs of a resumption are strongly bisimilar, so h is unique up to that extent.)

###### Corollary 6.1

(i) For any r:\mathit{res}, h:r\,{\Downarrow}, r\cong\mathit{emb}~{}(\mathit{norm}~{}r~{}h). (ii) For any r, h:r\,{\Downarrow} and r_{*}, h_{*}:r_{*}\,{\Downarrow}, r\cong r_{*} iff \mathit{norm}~{}r~{}h\approx\mathit{norm}~{}r_{*}~{}h_{*}.

In Figure 3, we define the delay-free big-step semantics for responsive programs. Here we have an inductive definition of a parameterized evaluation relation {{\Rightarrow}{\downarrow}}(X) defined in terms of X, for any relation X, nested into a coinductive definition of an extended evaluation relation {\stackrel{*}{\Rightarrow}}, defined in terms of {{\Rightarrow}{\downarrow}}({\stackrel{*}{\Rightarrow}}). Finally, the actual evaluation relation {\Rightarrow_{\mathrm{r}}} of interest is obtained by instantiating {{\Rightarrow}{\downarrow}} at {\stackrel{*}{\Rightarrow}}. Since we collapse delay-steps on the fly, an assignment immediately terminates at the updated state. Likewise, testing the guard of a condition or a while-loop takes no time. The crucial rules are those for sequence and while-loop. If the first statement of a sequence or the body of a while-loop terminate silently, the second statement or the new iteration of the loop are run using the inductive evaluation. The coinductive extended evaluation is used only if the first statement or the body perform at least one input or output action.

This way, we make sure that only a finite number of delay steps may be collapsed between two observable actions, while allowing for diverging runs which perform input and output every now and then. Indeed, if we replaced the while-ret rule with

\dfrac{e\models\sigma\quad(s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}(X)}\mathit{ret}_{\mathrm{r}}~\sigma^{\prime}\quad(\mathsf{while~}e\mathsf{~do~}s_{t},\mathit{ret}_{\mathrm{r}}~\sigma^{\prime})\stackrel{*}{\Rightarrow}r^{\prime}}{(\mathsf{while~}e\mathsf{~do~}s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}(X)}r^{\prime}}

we would obtain semantic anomalies. E.g., (\mathsf{while~{}}\mathsf{true}\mathsf{~{}do~{}}\mathsf{skip},\sigma)\mathbin{% \Rightarrow_{\mathrm{r}}}r would be derived for any r:\mathit{res}_{\mathrm{r}}.

Coming back to the examples of the previous section, we have (\mathsf{input}~x;\mathsf{while~}\mathsf{true}\mathsf{~do~}(\mathsf{output}~x;x:=x+1),\sigma)\mathbin{\Rightarrow_{\mathrm{r}}}\mathit{in}~(\lambda n.~\mathit{up_{r}}~n) where \mathit{up_{r}} is defined corecursively by \mathit{up_{r}}~n=\mathit{out}_{\mathrm{r}}~n~(\mathit{up_{r}}~(n+1)). We also have (\mathsf{while~}\mathsf{true}\mathsf{~do~}(z:=x;\mathsf{output}~z),\sigma)\mathbin{\Rightarrow_{\mathrm{r}}}\mathit{rep_{r}}~(\sigma~x) and (z:=x;\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{output}~z,\sigma)\mathbin{\Rightarrow_{\mathrm{r}}}\mathit{rep_{r}}~(\sigma~x) where \mathit{rep_{r}} is defined corecursively by \mathit{rep_{r}}~n=\mathit{out}_{\mathrm{r}}~n~(\mathit{rep_{r}}~n). Since the delay steps are collapsed on the fly in the delay-free semantics, the two statements produce the same, i.e., strongly bisimilar, (delay-free) resumptions. The delay-free semantics does not account for (i.e., does not assign a resumption to) non-responsive configurations, such as \mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip} and the interactive multipliers from the previous section (since they diverge given a negative input for the first operand), with any initial state.

We state adequacy of the delay-free semantics by relating it to the delayful semantics of Section 4. Namely, for configurations leading to responsive resumptions they agree.

###### Proposition 6.1 (Soundness)

For any s, \sigma, r:\mathit{res}_{\mathrm{r}}, if (s,\sigma)\mathbin{\Rightarrow_{\mathrm{r}}}r then there exists r^{\prime}:\mathit{res} such that (s,\sigma)\Rightarrow r^{\prime} and \mathit{emb}~{}r\cong r^{\prime}.

###### Proposition 6.2 (Completeness)

For any s, \sigma, r:\mathit{res} and h:r\,{\Downarrow}, if (s,\sigma)\Rightarrow r, then (s,\sigma)\mathbin{\Rightarrow_{\mathrm{r}}}\mathit{norm}~{}r~{}h.

The proofs are omitted due to space limitations. They are nontrivial and the details can be found in the accompanying Coq development. Below we demonstrate the key proof technique on an example.

Consider the statement \mathsf{count}=\mathsf{while~}\mathsf{true}\mathsf{~do~}(\mathsf{if~}i>0\mathsf{~then~}i:=i-1\mathsf{~else~}(\mathsf{output}~x;x:=x+1;i:=x)). It counts up from 0, so we should have (\mathsf{count},\sigma)\mathbin{\Rightarrow_{\mathrm{r}}}\mathit{up_{r}}~0 for an initial state \sigma that maps x and i to 0. We need coinduction since \mathsf{count} performs outputs infinitely often; we also need induction, nested into coinduction, since the loop silently iterates n times each time before outputting n. Note that the latency is finite but unbounded.

We cannot perform induction inside coinduction naïvely. That would be rejected by Coq’s syntactic guardedness checker, which is there to ensure productivity of coinduction. Mendler-style coinduction comes to the rescue. Let (s,r)~R~r^{\prime} be a relation on pairs (s,r) of a statement and a resumption and resumptions r^{\prime}, defined inductively by

\begin{array}{c}
\dfrac{}{(\mathsf{count},\mathit{ret}_{\mathrm{r}}~\sigma[x\mapsto n,i\mapsto n])~R~\mathit{up_{r}}~n}
\quad
\dfrac{(s,r)~R~r^{\prime}}{(s,\mathit{out}_{\mathrm{r}}~v~r)~R~\mathit{out}_{\mathrm{r}}~v~r^{\prime}}
\quad
\dfrac{(s,\sigma)\mathbin{{\Rightarrow}{\downarrow}(R)}r}{(s,\mathit{ret}_{\mathrm{r}}~\sigma)~R~r}
\end{array}

The key fact is that R is stronger than {\stackrel{*}{\Rightarrow}} (Lemma 6.6 below). We first prove that {{\Rightarrow}{\downarrow}} is monotone by induction.

###### Lemma 6.2

For any X, Y, s, \sigma and r such that X\subseteq Y, if (s,\sigma)\mathbin{{\Rightarrow}{\downarrow}(X)}r, then (s,\sigma)\mathbin{{\Rightarrow}{\downarrow}(Y)}r.

The following two lemmata are proved by straightforward application of the rules in Figure 3.

###### Lemma 6.3

For any n, (\mathsf{if~}i>0\mathsf{~then~}i:=i-1\mathsf{~else~}(\mathsf{output}~x;x:=x+1;i:=x),\sigma[x\mapsto n,i\mapsto 0])\mathbin{{\Rightarrow}{\downarrow}(R)}\mathit{out}_{\mathrm{r}}~n~(\mathit{ret}_{\mathrm{r}}~\sigma[x\mapsto n+1,i\mapsto n+1]).

###### Lemma 6.4

For any n and m, (\mathsf{if~}i>0\mathsf{~then~}i:=i-1\mathsf{~else~}(\mathsf{output}~x;x:=x+1;i:=x),\sigma[x\mapsto n,i\mapsto m+1])\mathbin{{\Rightarrow}{\downarrow}(R)}\mathit{ret}_{\mathrm{r}}~\sigma[x\mapsto n,i\mapsto m].

The next lemma is proved by induction on m, using the two lemmata just proved.

###### Lemma 6.5

For any n and m, (\mathsf{count},\sigma[x\mapsto n,i\mapsto m])\mathbin{{\Rightarrow}{\downarrow}(R)}\mathit{out}_{\mathrm{r}}~n~(\mathit{up_{r}}~(n+1)).

###### Corollary 6.2

For any n, (\mathsf{count},\sigma[x\mapsto n,i\mapsto n])\mathbin{{\Rightarrow}{\downarrow}(R)}\mathit{up_{r}}~n.

We can now prove that R is stronger than {\stackrel{*}{\Rightarrow}} by coinduction and inversion on (s,r)~R~r^{\prime}. Here is the crux: Corollary 6.2 together with the coinduction hypothesis gives (\mathsf{count},\mathit{ret}_{\mathrm{r}}~\sigma[x\mapsto n,i\mapsto n])\stackrel{*}{\Rightarrow}\mathit{up_{r}}~n, and the use of the coinduction hypothesis is properly guarded.

###### Lemma 6.6

For any s, r and r^{\prime}, if (s,r)~R~r^{\prime} then (s,r)\stackrel{*}{\Rightarrow}r^{\prime}.

The main proposition follows from Corollary 6.2, Lemma 6.6 and the monotonicity of {{\Rightarrow}{\downarrow}} (Lemma 6.2).

###### Proposition 6.3

For any n, (\mathsf{count},\sigma[x\mapsto n,i\mapsto n])\mathbin{\Rightarrow_{\mathrm{r}}}\mathit{up_{r}}~n.

## 7 Classical-Style Big-Step Semantics

In Section 2, we augmented the definition of responsiveness with a divergence option to obtain a concept of committedness, which is a classically tautological predicate. Similarly, we can obtain a delay-free semantics for committed configurations from the delay-free semantics for responsive configurations of the previous section.
To do so, we extend the definition of delay-free resumptions with a “black hole” constructor, \bullet, representing silent divergence, arriving at classical-style resumptions, and adjust the definition of (strong) bisimilarity:

\begin{array}{c}
\dfrac{\sigma:\mathit{state}}{\mathit{ret}_{\mathrm{c}}~\sigma:\mathit{res}_{\mathrm{c}}}
\quad
\dfrac{f:\mathit{Int}\rightarrow\mathit{res}_{\mathrm{c}}}{\mathit{in}_{\mathrm{c}}~f:\mathit{res}_{\mathrm{c}}}
\quad
\dfrac{v:\mathit{Int}\quad r:\mathit{res}_{\mathrm{c}}}{\mathit{out}_{\mathrm{c}}~v~r:\mathit{res}_{\mathrm{c}}}
\quad
\dfrac{}{\bullet:\mathit{res}_{\mathrm{c}}}
\\[2ex]
\dfrac{}{\mathit{ret}_{\mathrm{c}}~\sigma\approx\mathit{ret}_{\mathrm{c}}~\sigma}
\quad
\dfrac{\forall v.\,f~v\approx f_{*}~v}{\mathit{in}_{\mathrm{c}}~f\approx\mathit{in}_{\mathrm{c}}~f_{*}}
\quad
\dfrac{r\approx r_{*}}{\mathit{out}_{\mathrm{c}}~v~r\approx\mathit{out}_{\mathrm{c}}~v~r_{*}}
\quad
\dfrac{}{\bullet\approx\bullet}
\end{array}

Given a proof h:r\,{\Updownarrow} of committedness of a delayful resumption r:\mathit{res}, we can normalize r into a classical resumption by collapsing the finite delays between observable actions and sending silent divergence into the black hole.

\begin{array}{rcl@{\qquad}rcl}
\mathit{norm}~r~(\mathsf{comm\mbox{-}ret}~\sigma~\_) &=& \mathit{ret}_{\mathrm{c}}~\sigma & \mathit{emb}~(\mathit{ret}_{\mathrm{c}}~\sigma) &=& \mathit{ret}~\sigma\\
\mathit{norm}~r~(\mathsf{comm\mbox{-}in}~f~\_~k) &=& \mathit{in}_{\mathrm{c}}~(\lambda v.\,\mathit{norm}~(f~v)~(k~v)) & \mathit{emb}~(\mathit{in}_{\mathrm{c}}~f) &=& \mathit{in}~(\lambda v.\,\mathit{emb}~(f~v))\\
\mathit{norm}~r~(\mathsf{comm\mbox{-}out}~v~r^{\prime}~\_~h) &=& \mathit{out}_{\mathrm{c}}~v~(\mathit{norm}~r^{\prime}~h) & \mathit{emb}~(\mathit{out}_{\mathrm{c}}~v~r) &=& \mathit{out}~v~(\mathit{emb}~r)\\
\mathit{norm}~r~(\mathsf{comm\mbox{-}div}~\_) &=& \bullet & \mathit{emb}~\bullet &=& \delta~(\mathit{emb}~\bullet)
\end{array}

Again, a delayful resumption is weakly bisimilar to a classical-style one if and only if it is committed and its normal form is strongly bisimilar.

###### Lemma 7.1

For any r:\mathit{res} and r_{*}:\mathit{res}_{\mathrm{c}}, r\cong\mathit{emb}~{}r_{*} iff \mathit{norm}~{}r~{}h\approx r_{*} for some h:r\,{\Updownarrow}.

In Figure 4, we define the classical-style semantics in terms of classical-style resumptions. We have an inductive parameterized evaluation relation {{\Rightarrow}{\downarrow}}(X), defined in terms of X, for any relation X, for convergent runs; its inference rules are the same as those in the previous section. But we also have a coinductive parameterized evaluation {\Rightarrow}{\uparrow}(X), again defined in terms of X, for any relation X, for silently diverging runs, so that (s,\sigma)~{\Rightarrow}{\uparrow}({\stackrel{*}{\Rightarrow}}) expresses that running a statement s from a state \sigma diverges without performing input or output. It uses the inductive evaluation in case the first statement of a sequence or the first iteration of the body of a while-loop silently terminates, but the whole sequence or while-loop silently diverges. Then we define coinductively an extended evaluation relation {\stackrel{*}{\Rightarrow}}, in terms of these two evaluation relations, nesting the latter into the former. Finally, we instantiate both {{\Rightarrow}{\downarrow}} and {\Rightarrow}{\uparrow} at {\stackrel{*}{\Rightarrow}} to obtain the “real” evaluation relation {\Rightarrow_{\mathrm{c}}}. Note that, to derive an evaluation proposition in this semantics, one has to decide upfront whether inductive or coinductive evaluation should be used—a decision that can be made classically, but not constructively.

The classical-style semantics is adequate with respect to the basic semantics of Section 4.

###### Proposition 7.1 (Soundness)

For any s, \sigma and r:\mathit{res}_{\mathrm{c}}, if (s,\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}r, then there exists r^{\prime}:\mathit{res} such that (s,\sigma)\Rightarrow r^{\prime} and \mathit{emb}~{}r\cong r^{\prime}.

###### Proposition 7.2 (Completeness)

For any s, \sigma and r:\mathit{res} and h:r\,{\Updownarrow}, if (s,\sigma)\Rightarrow r, then (s,\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}\mathit{norm}~{}r~{}h.

###### Corollary 7.1

Classically, for any s, \sigma and r:\mathit{res}, if (s,\sigma)\Rightarrow r, then there exists r^{\prime}:\mathit{res}_{\mathrm{c}} such that (s,\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}r^{\prime} and r\cong\mathit{emb}~{}r^{\prime}.

The classical-style semantics is more expressive than responsive semantics, since it offers the option of “detected” divergence. In particular we have (\mathsf{while~}\mathsf{true}\mathsf{~do~}\mathsf{skip},\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}\bullet and our interactive multipliers are assigned a classical-style resumption \mathit{mult} defined corecursively by \mathit{mult}=\mathit{in}_{\mathrm{c}}~(\lambda m.~\mathit{in}_{\mathrm{c}}~(\lambda n.~\mathit{if}~m\geq 0~\mathit{then}~\mathit{out}_{\mathrm{c}}~(m*n)~\mathit{mult}~\mathit{else}~\bullet)); i.e., we have (\mathsf{mult},\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}\mathit{mult} and (\mathsf{mult\_opt},\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}\mathit{mult}.
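The functions \mathit{emb} and \mathit{norm} of this section, the multiplier \mathit{mult}, and the round trip of Lemma 7.1, as an added executable illustration in Python; this is not the paper's Coq development. The commitment witness h of \mathit{norm} is replaced by a delay budget (an assumption made so that normalization can run: a run that is not done within the budget is treated as diverging), and the resumption constructors, the `drive` function and the input lists are constructed for this example.

```python
"""Delayful versus classical-style resumptions (Section 7): emb, a budgeted
norm, and the interactive multiplier mult. Added illustration in Python, not
the paper's Coq development; constructors, drive() and the input lists are
constructed for this example."""
from typing import Callable, Union

# Delayful resumptions res: ret, delta, in, out. Tails that may be infinite
# (after delta and out) are thunks; in's continuation is a function of the input.
class Ret:
    def __init__(self, state): self.state = state
class Delay:
    def __init__(self, tail: Callable): self.force = tail
class In:
    def __init__(self, cont: Callable): self.cont = cont
class Out:
    def __init__(self, value, tail: Callable): self.value, self.force = value, tail
Res = Union[Ret, Delay, In, Out]

# Classical-style resumptions res_c: ret_c, in_c, out_c and the divergence token •.
class RetC:
    def __init__(self, state): self.state = state
class InC:
    def __init__(self, cont: Callable): self.cont = cont
class OutC:
    def __init__(self, value, tail: Callable): self.value, self.force = value, tail
DIV = "•"
ResC = Union[RetC, InC, OutC, str]


def emb(r: ResC) -> Res:
    """emb of Section 7; emb • is the infinite delay delta (emb •)."""
    if isinstance(r, RetC):
        return Ret(r.state)
    if isinstance(r, InC):
        return In(lambda v: emb(r.cont(v)))
    if isinstance(r, OutC):
        return Out(r.value, lambda: emb(r.force()))
    return Delay(lambda: emb(DIV))


def norm_budgeted(r: Res, fuel: int) -> ResC:
    """norm of Section 7 with the commitment witness h replaced by a delay budget
    (an assumption: a run not done within `fuel` consecutive delays is treated as
    diverging). The real norm is total only given h; under the assumption the
    cases below strip delays exactly as the comm-ret / comm-in / comm-out
    equations do, and reaching the budget plays the role of comm-div."""
    for _ in range(fuel + 1):
        if isinstance(r, Ret):
            return RetC(r.state)
        if isinstance(r, In):
            return InC(lambda v, f=r.cont: norm_budgeted(f(v), fuel))
        if isinstance(r, Out):
            return OutC(r.value, lambda tail=r.force: norm_budgeted(tail(), fuel))
        r = r.force()                      # a delta: spend one unit of budget
    return DIV


def drive(r: ResC, inputs) -> tuple:
    """Run a classical-style resumption against a constructed list of inputs.
    Returns (outputs, outcome), outcome being "ret", "div" or "needs-input"."""
    pending, outs = list(inputs), []
    while True:
        if isinstance(r, RetC):
            return outs, "ret"
        if r == DIV:
            return outs, "div"
        if isinstance(r, InC):
            if not pending:
                return outs, "needs-input"
            r = r.cont(pending.pop(0))
        else:
            outs.append(r.value)
            r = r.force()


# The multiplier of Section 7, corecursively: mult = in_c (λm. in_c (λn. if m ≥ 0
# then out_c (m*n) mult else •)). The reference back to mult sits in a thunk.
mult = InC(lambda m: InC(lambda n: OutC(m * n, lambda: mult) if m >= 0 else DIV))
```

`drive(mult, [3, 4, 2, 5, -1, 0])` gives `([12, 10], "div")`, and driving `norm_budgeted(emb(mult), 3)` with the same inputs gives the same result: the round trip of Lemma 7.1 checked on one finite interaction rather than proved. `norm_budgeted(emb(DIV), 10)` returns the token, since \mathit{emb}~\bullet is an unbounded delay chain that exhausts any budget.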

## 8 Related Work

Formalized semantics are an important ingredient in the trusted computing base of certified compilers. Proof assistants, like Coq, are a good tool for such formalization projects, as both the object semantics of interest and its metatheory can be developed in the same framework. For introductions, see [2].

To account for nontermination or silent divergence properly in a big-step semantics is nontrivial already for languages without interactive I/O. Leroy and Grall [14] introduced two big-step semantics for lambda-calculus. One is classical in spirit, with two evaluation relations, inductive and coinductive, for terminating and diverging runs, and relies on decidability between termination and divergence. The other, with a single coinductive evaluation relation, is essentially suited for constructive reasoning, but contains a semantic anomaly (a function can continue reducing after the argument diverges), which results from its ability to collapse an infinite sequence of internal actions (contraction steps).

In our work [17] on While with nontermination, we developed a trace-based coinductive big-step semantics where traces were non-empty colists of intermediate states, agreeing with the very standard coinductive small-step trace-based semantics. This semantics relied on traces being a monad; a central component in the definition was an extended evaluation relation, corresponding to the Kleisli extension of evaluation. Capretta [4] studied constructive denotational semantics of nontermination as the Kleisli semantics for the delayed state monad, corresponding to hiding the intermediate states in the trace monad as internal actions and quotienting by termination-sensitive weak bisimilarity. Rutten [21] carried out a similar project in classical set theory where the quotient is the state space extended with an extra element for nontermination.

Operational semantics of interactive programs is most often described in the small-step style where it amounts to a labelled transition system. Especially, this is the dominating approach in process calculi. Big-step semantics is closer to denotational semantics. In this field, resumption-based descriptions go back to Plotkin [20], Gunter et al. [10] and Cenciarelli and Moggi [5]. Resumptions are a monad and resumption-based denotational semantics is a Kleisli semantics. Our big-step semantics are directly inspired by this approach, except that we work in a constructive setting and must take extra care to avoid the need to invoke classical principles where they are dispensable.

We are not aware of many other works on constructive semantics of interactive I/O. But similar in its spirit to ours is the work of Hancock et al. [11] on stream processors and the stream functions that these induce by “eating”. Stream processors are like our delay-free resumptions, except that the authors emphasize parallel composition of stream processors (one processor’s output becomes another processor’s input) and, for this to be well-defined, a stream processor must not terminate and may only do a finite number of input actions consecutively. Hancock et al. [8] also characterize realizable stream functions. In a precursor work, Hancock and Setzer [12] studied a model of interaction where a client sends a server commands and expects responses.

Weak bisimilarity tends to be defined termination-insensitively, identifying termination and divergence. In particular, this is also the approach of CCS [16]. Termination-sensitive weak bisimilarity has been considered by Bergstra, Klop and Olderog [1], Kučera and Mayr [13] and Bohannon et al. [3], but only in what we call the classical-style version, relying on decisions between convergence and divergence. (The weak bisimilarity of Capretta [4] is termination-sensitive and tailored for constructive reasoning, but restricted to behaviours without I/O. Weak bisimilarity also motivated the study of Danielsson and Altenkirch [6] on mixed induction-coinduction.)

Mixed inductive-coinductive definitions in the form of induction nested into coinduction (\nu X.\,\mu Y.\,F\,(X,Y) or, more generally, \nu X.\,G(\mu Y.\,F\,(X,Y),X)) seem to be quite fundamental in applications (e.g., the stream processors of Hancock et al., our delay-free semantics). Danielsson and Altenkirch [6, 7] argue for making this mix the basic form of inductive-coinductive definitions in the dependently-typed programming language Agda. Unfortunately, nestings the other way around (definitions \mu X.\,\nu Y.\,F\,(X,Y)) seem to become difficult or impossible to code. With our approach, coinduction nested into induction is handled symmetrically to induction nested into coinduction [19].

Mendler-style (co)recursion originates from Mendler [15]. It uses the fact that a monotone (co)inductive definition is equivalent to a positive one, via a syntactic left (right) Kan extension along identity (instead of \mu X.\,F\,X one works with \mu X.\,\exists Y.\,(Y\to X)\to F\,Y). We exploited this fact to enable Coq’s guarded corecursion for a coinductive definition with a nested inductive definition, at the price of impredicativity.

We have previously developed and formalized a Hoare logic for the trace-based semantics of While with nontermination [18]. A similar enterprise should be possible for resumptions, weak bisimilarity and While with interactive I/O.

## 9 Conclusion

We have developed a constructive treatment of resumption-based big-step semantics of While with interactive I/O. We have devised constructive-style definitions of important concepts on resumptions such as termination-sensitive weak bisimilarity and responsiveness, and devised two variations of delay-free big-step semantics for programs that produce responsive and committed resumptions, respectively. Responsiveness is for interactive computation what termination is for noninteractive computation. And likewise, committedness compares to a decided domain of definedness. Indeed, all three variations of big-step semantics for While with interactive I/O have counterparts in big-step semantics for noninteractive While (see Appendix). Mathematically, we find it reassuring that observations made for a simpler noninteractive While naturally scale to a more involved language with interactive I/O. The central ideas are a concept of termination-sensitive weak bisimilarity tailored for constructive reasoning and the organization of evaluation in the delay-free semantics as an induction nested into coinduction.

Technically, we have carried out an advanced exercise in programming and reasoning with mixed induction and coinduction, which we have also formalized in Coq. The challenges in this exercise were both mathematical and tool-related (Coq-specific). We deem that the mathematical part was more interesting and important. The main new aspect in comparison to our earlier development of coinductive trace-based big-step semantics for noninteractive While was the need to deal with definitions of predicates that nest induction into coinduction—a relatively unexplored area in type theory. In Coq, we formalized them by parameterizing the inductive definition and converting the coinductive definition into Mendler-like format. Apparently, this technique is novel for the Coq community.

As future work, we would like to scale our development to concurrency.

#### Acknowledgments

We thank Andreas Lochbihler, Nils Anders Danielsson and Thorsten Altenkirch for discussions.

This research was supported by the Estonian Centre of Excellence in Computer Science, EXCS, funded by the European Regional Development Fund, and the Estonian Science Foundation grant no. 6940.

## References

• [1] J. Bergstra, J. Klop & E.-R. Olderog (1987): Failures without chaos: A new process semantics for fair abstraction. In: M. Wirsing (ed.) Proc. of 3rd IFIP TC2/WG2.2 Working Conf. on Formal Description of Programming Concepts (Ebberup, Aug. 1986). North Holland, Amsterdam, pp. 77–101.
• [2] Y. Bertot (2007): A survey of programming language semantics styles. Coq development, http://www-sop.inria.fr/marelle/Yves.Bertot/proofs.html
• [3] A. Bohannon, B. C. Pierce, V. Sjöberg, S. Weirich & S. Zdancewic (2009): Reactive noninterference. In: Proc. of 2009 ACM Conf. on Computer and Communications Security, CCS 2009 (Chicago, IL, Nov. 2009), ACM Press, New York, pp. 79–90.
• [4] V. Capretta (2005): General recursion via coinductive types. Logical Methods in Computer Science 1(2), article 1.
• [5] P. Cenciarelli & E. Moggi (1993): A syntactic approach to modularity in denotational semantics. In: Proc. of 5th Biennial Meeting on Category Theory and Computer Science, CTCS ’93 (Amsterdam, Sept. 1993) Tech. report, CWI, Amsterdam.
• [6] N. A. Danielsson & T. Altenkirch (2009): Mixing induction and coinduction. Draft, http://www.cs.nott.ac.uk/~nad/publications/.
• [7] N. A. Danielsson & T. Altenkirch (2010): Subtyping, declaratively: an exercise in mixed induction and coinduction. In C. Bolduc, J. Desharnais & B. Ktari (Eds.): Proc. of 10th Int. Conf. on Mathematics of Program Construction, MPC 2010 (Québec City, July 2010), Lect. Notes in Comput. Sci. 6120. Springer, Berlin, pp. 100–118.
• [8] M. Ghani, P. Hancock & D. Pattinson (2009): Continuous functions on final coalgebras. In: S. Abramsky, M. Mislove & C. Palamidessi (eds.) Proc. of 25th Conf. on Mathematical Foundations of Programming Semantics, MFPS-25 (Oxford, Apr. 2009). Electr. Notes in Theor. Comput. Sci. 249. Elsevier, Amsterdam, pp. 3–18.
• [9] E. Giménez (1995): Codifying guarded definitions with recursive schemes. In P. Dybjer, B. Nordström & J. M. Smith (Eds.): Selected Papers from Int. Wksh. on Types for Proofs and Programs, TYPES ’94 (Båstad, June 1994), Lect. Notes in Comput. Sci. 996. Springer, Berlin, pp. 39–59.
• [10] C. A. Gunter, P. D. Mosses & D. S. Scott (1989): Semantic Domains and Denotational Semantics.
• [11] P. Hancock, D. Pattinson & N. Ghani (2009): Representations of stream processors using nested fixed points. Logical Methods in Computer Science 5(3), article 9.
• [12] P. Hancock & A. Setzer (2000): Interactive programs in dependent type theory. In: P. Clote & H. Schwichtenberg (eds.): Proc. of 14th Int. Wksh. on Computer Science Logic, CSL 2000 (Fischbachau, Aug. 2000). Lect. Notes in Comput. Sci. 1862. Springer, Berlin, pp. 317–331.
• [13] A. Kučera & R. Mayr (2002): Weak bisimilarity between finite-state systems and BPA or normed BPP is decidable in polynomial time. Theor. Comput. Sci. 270(1–2), pp. 677–700.
• [14] X. Leroy & H. Grall (2009): Coinductive big-step operational semantics. Inform. and Comput. 207(2), pp. 285–305.
• [15] N. P. Mendler (1991): Inductive types and type constraints in the second-order lambda calculus. Ann. of Pure and Appl. Logic 51(1–2), pp. 159–172.
• [16] R. Milner (1989): Communication and Concurrency. Prentice Hall, New York.
• [17] K. Nakata & T. Uustalu (2009): Trace-based coinductive operational semantics for While: big-step and small-step, relational and functional styles. In: S. Berghofer, T. Nipkow, C. Urban & M. Wenzel (eds.) Proc. of 22nd Int. Conf. on Theorem Proving in Higher-Order Logics, TPHOLs 2009 (Munich, Aug. 2009). Lect. Notes in Comput. Sci. 5674. Springer, Berlin, pp. 375–390.
• [18] K. Nakata & T. Uustalu (2010): A Hoare logic for the coinductive trace-based big-step semantics of While. In: A. D. Gordon (ed.) Proc. of 19th Europ. Symp. on Programming, ESOP 2010 (Paphos, March 2010). Lect. Notes in Comput. Sci. 6012. Springer, Berlin, pp. 488–506.
• [19] K. Nakata & T. Uustalu (2010): Mixed induction-coinduction at work for Coq (abstract). Abstract of talk presented at 2nd Coq Workshop (Edinburgh, July 2010), with accompanying slides and Coq development.
• [20] G. D. Plotkin (1983): Domains (“Pisa Notes”). Unpublished notes.
• [21] J. Rutten (1999): A note on coinduction and weak bisimilarity for While programs. Theor. Inform. and Appl. 33(4–5), pp. 393–400.

## Appendix A Resumptions, Weak Bisimilarity, Delayful, Delay-Free and Classical-Style Big-step Semantics for While

The notions of resumptions and weak bisimilarity and the evaluation relations in the three big-step semantics shown in the main text are fairly involved, because of the amount of detail. Therefore, we also spell out what they specialize (or degenerate) to in the case of ordinary non-interactive While, to better highlight the phenomena that arise even in the absence of interaction.

### A.1 Resumptions, Bisimilarity, Weak Bisimilarity

Delayful resumptions, with their strong bisimilarity, specialize to delayed states r:\mathit{res} à la Capretta [4] defined coinductively.

\begin{array}{c}
\dfrac{\sigma:\mathit{state}}{\mathit{ret}~\sigma:\mathit{res}} \qquad
\dfrac{r:\mathit{res}}{\delta~r:\mathit{res}} \qquad\qquad
\dfrac{}{\mathit{ret}~\sigma\approx\mathit{ret}~\sigma} \qquad
\dfrac{r\approx r_{*}}{\delta~r\approx\delta~r_{*}}
\end{array}

Convergence and (silent) divergence are defined inductively resp. coinductively; convergence reduces to termination at a final state.

\begin{array}{c}
\dfrac{}{\mathit{ret}~\sigma\downarrow\mathit{ret}~\sigma} \qquad
\dfrac{r\downarrow r'}{\delta~r\downarrow r'} \qquad\qquad
\dfrac{r\,{\uparrow}}{\delta~r\,{\uparrow}}
\end{array}

Responsiveness reduces to termination. Committedness becomes decidability between termination and divergence; it is tautologically true only classically.

Weak bisimilarity is defined in terms of convergence coinductively exactly as Capretta [4] did.

\begin{array}{c}
\dfrac{r\downarrow\mathit{ret}~\sigma \quad r_{*}\downarrow\mathit{ret}~\sigma}{r\cong r_{*}} \qquad
\dfrac{r\cong r_{*}}{\delta~r\cong\delta~r_{*}}
\end{array}

Any terminating delayed state can be normalized into a state. Any decided delayed state can be normalized into a choice between a state or a special divergence token.

### A.2 Delayful Semantics

In the delayful big-step semantics, evaluation and extended evaluation are defined mutually coinductively as follows.

\begin{array}{c}
\dfrac{}{(x:=e,\sigma)\Rightarrow\delta~(\mathit{ret}~\sigma[x\mapsto\llbracket e\rrbracket\sigma])} \qquad
\dfrac{}{(\mathsf{skip},\sigma)\Rightarrow\mathit{ret}~\sigma} \qquad
\dfrac{(s_{0},\sigma)\Rightarrow r \quad (s_{1},r)\stackrel{*}{\Rightarrow}r'}{(s_{0};s_{1},\sigma)\Rightarrow r'} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\delta~(\mathit{ret}~\sigma))\stackrel{*}{\Rightarrow}r}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)\Rightarrow r} \qquad
\dfrac{e\not\models\sigma \quad (s_{f},\delta~(\mathit{ret}~\sigma))\stackrel{*}{\Rightarrow}r}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)\Rightarrow r} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\delta~(\mathit{ret}~\sigma))\stackrel{*}{\Rightarrow}r \quad (\mathsf{while}~e~\mathsf{do}~s_{t},r)\stackrel{*}{\Rightarrow}r'}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)\Rightarrow r'} \qquad
\dfrac{e\not\models\sigma}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)\Rightarrow\delta~(\mathit{ret}~\sigma)} \\[2ex]
\dfrac{(s,\sigma)\Rightarrow r}{(s,\mathit{ret}~\sigma)\stackrel{*}{\Rightarrow}r} \qquad
\dfrac{(s,r)\stackrel{*}{\Rightarrow}r'}{(s,\delta~r)\stackrel{*}{\Rightarrow}\delta~r'}
\end{array}

We have previously [17] conducted a thorough study of a variation of this semantics (with intermediate states instead of delays), explaining the design considerations in great detail. We have also [18] developed a Hoare logic for this semantics.

### A.3 Delay-Free Semantics

Delay-free resumptions are the same as states.

In the delay-free semantics, there is one inductive evaluation relation for terminating configurations. There is no need for a separate extended evaluation relation (which would coincide with evaluation anyhow, since resumptions and states are the same thing) and no need to parameterize the evaluation relation.

\begin{array}{c}
\dfrac{}{(x:=e,\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma[x\mapsto\llbracket e\rrbracket\sigma]} \qquad
\dfrac{}{(\mathsf{skip},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma} \qquad
\dfrac{(s_{0},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma' \quad (s_{1},\sigma')\mathbin{{\Rightarrow}{\downarrow}}\sigma''}{(s_{0};s_{1},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma''} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'} \qquad
\dfrac{e\not\models\sigma \quad (s_{f},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma' \quad (\mathsf{while}~e~\mathsf{do}~s_{t},\sigma')\mathbin{{\Rightarrow}{\downarrow}}\sigma''}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma''} \qquad
\dfrac{e\not\models\sigma}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma}
\end{array}

The delay-free semantics agrees with the delayful semantics for terminating delayed states.

It is the textbook big-step semantics of While, which accounts for terminating configurations and assigns no evaluation result to diverging configurations.

### A.4 Classical-Style Semantics

A classical-style resumption is a state or the special token \bullet for divergence.

\begin{array}{c}
\dfrac{\sigma:\mathit{state}}{\mathit{ret}_{\mathrm{c}}~\sigma:\mathit{res}_{\mathrm{c}}} \qquad
\dfrac{}{\bullet:\mathit{res}_{\mathrm{c}}}
\end{array}

The classical-style semantics has an inductively defined terminating evaluation relation (defined exactly as that of the delay-free semantics) and a coinductively defined diverging evaluation relation. The latter depends on the former, but not the other way around. There is no need for an extended evaluation relation.

\begin{array}{c}
\dfrac{}{(x:=e,\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma[x\mapsto\llbracket e\rrbracket\sigma]} \qquad
\dfrac{}{(\mathsf{skip},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma} \qquad
\dfrac{(s_{0},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma' \quad (s_{1},\sigma')\mathbin{{\Rightarrow}{\downarrow}}\sigma''}{(s_{0};s_{1},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma''} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'} \qquad
\dfrac{e\not\models\sigma \quad (s_{f},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma' \quad (\mathsf{while}~e~\mathsf{do}~s_{t},\sigma')\mathbin{{\Rightarrow}{\downarrow}}\sigma''}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma''} \qquad
\dfrac{e\not\models\sigma}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma} \\[2ex]
\dfrac{(s_{0},\sigma)~{\Rightarrow}{\uparrow}}{(s_{0};s_{1},\sigma)~{\Rightarrow}{\uparrow}} \qquad
\dfrac{(s_{0},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma' \quad (s_{1},\sigma')~{\Rightarrow}{\uparrow}}{(s_{0};s_{1},\sigma)~{\Rightarrow}{\uparrow}} \qquad
\dfrac{e\models\sigma \quad (s_{t},\sigma)~{\Rightarrow}{\uparrow}}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)~{\Rightarrow}{\uparrow}} \qquad
\dfrac{e\not\models\sigma \quad (s_{f},\sigma)~{\Rightarrow}{\uparrow}}{(\mathsf{if}~e~\mathsf{then}~s_{t}~\mathsf{else}~s_{f},\sigma)~{\Rightarrow}{\uparrow}} \\[2ex]
\dfrac{e\models\sigma \quad (s_{t},\sigma)~{\Rightarrow}{\uparrow}}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)~{\Rightarrow}{\uparrow}} \qquad
\dfrac{e\models\sigma \quad (s_{t},\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma' \quad (\mathsf{while}~e~\mathsf{do}~s_{t},\sigma')~{\Rightarrow}{\uparrow}}{(\mathsf{while}~e~\mathsf{do}~s_{t},\sigma)~{\Rightarrow}{\uparrow}} \\[2ex]
\dfrac{(s,\sigma)\mathbin{{\Rightarrow}{\downarrow}}\sigma'}{(s,\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}\mathit{ret}_{\mathrm{c}}~\sigma'} \qquad
\dfrac{(s,\sigma)~{\Rightarrow}{\uparrow}}{(s,\sigma)\mathbin{\Rightarrow_{\mathrm{c}}}\bullet}
\end{array}

The classical-style semantics agrees with the delayful semantics for decided delayed states (classically, any delayed state is decided).

A semantics in this spirit (with separate convergent and divergent evaluation relations) was proposed for untyped lambda calculus by Leroy and Grall [14].

The delayful semantics (together with the identification of weakly bisimilar delayed states) and the classical-style semantics have the same purposes, but the delayful semantics is better behaved from the constructive point-of-view. As a practical consequence, it has the advantage that the evaluation relation can be turned into a function (highly desirable, if one wants to be able to directly execute the big-step semantics). This is not possible with the classical-style semantics, as one would have to be able to decide whether a configuration terminates before actually running it.
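An executable version of the appendix's non-interactive development: delayed states with bounded convergence and the two bisimilarities (A.1), the delayful evaluator of A.2 turned into a function, and the point just made about the classical-style semantics (A.4). This is added Python illustration code, not the paper's Coq formalization; the statement encoding, the representation of expressions as Python functions of the state, the delay budget and the sample programs are assumptions of the example.

```python
"""Delayed states and the delayful and classical-style big-step semantics of
non-interactive While (Appendix A). Added illustration, not the paper's Coq
development. Assumptions: statements are the tuples ("skip",),
("assign", x, e), ("seq", s0, s1), ("if", e, st, sf), ("while", e, st); an
expression e is a Python function from a state (a dict) to a value."""
from typing import Callable, Optional, Union

State = dict

class Ret:                      # ret sigma: terminated in state sigma
    def __init__(self, state: State):
        self.state = state

class Delay:                    # delta r: one internal step; the tail is a thunk
    def __init__(self, tail: Callable[[], "Res"]):
        self.force = tail

Res = Union[Ret, Delay]


def converge(r: Res, fuel: int) -> Optional[tuple]:
    """Bounded search for r ↓ ret sigma (A.1): (sigma, delays peeled) or None.
    The peeled delays are the inductive convergence derivation; no bounded
    search can establish r ↑, which is a coinductive property."""
    for n in range(fuel + 1):
        if isinstance(r, Ret):
            return r.state, n
        r = r.force()
    return None


def weakly_bisimilar(r1: Res, r2: Res, fuel: int) -> Optional[bool]:
    """r1 ≅ r2 of A.1 on its convergent side: same final state, any number of
    delays each. None means undecided within the budget (the coinductive case)."""
    c1, c2 = converge(r1, fuel), converge(r2, fuel)
    if c1 is None or c2 is None:
        return None
    return c1[0] == c2[0]


def strongly_bisimilar(r1: Res, r2: Res, fuel: int) -> Optional[bool]:
    """r1 ≈ r2 of A.1: the delays have to match one for one."""
    for _ in range(fuel + 1):
        if isinstance(r1, Ret) and isinstance(r2, Ret):
            return r1.state == r2.state
        if isinstance(r1, Ret) or isinstance(r2, Ret):
            return False
        r1, r2 = r1.force(), r2.force()
    return None


def eval_delayful(s, sigma: State) -> Res:
    """(s, sigma) ⇒ r of A.2, rule by rule. Every branch returns at once: the
    recursion hides behind delays, so diverging loops are still productive."""
    kind = s[0]
    if kind == "skip":
        return Ret(sigma)
    if kind == "assign":
        _, x, e = s
        updated = dict(sigma, **{x: e(sigma)})
        return Delay(lambda: Ret(updated))
    if kind == "seq":
        _, s0, s1 = s
        return ext(s1, eval_delayful(s0, sigma))
    if kind == "if":
        _, e, st, sf = s
        return ext(st if e(sigma) else sf, Delay(lambda: Ret(sigma)))
    if kind == "while":
        _, e, st = s
        if e(sigma):
            return ext(s, ext(st, Delay(lambda: Ret(sigma))))
        return Delay(lambda: Ret(sigma))
    raise ValueError(f"unknown statement {kind}")


def ext(s, r: Res) -> Res:
    """(s, r) ⇒* r' of A.2: copy the delays of r, then run s from its state."""
    if isinstance(r, Ret):
        return eval_delayful(s, r.state)
    return Delay(lambda: ext(s, r.force()))


def classical_style(s, sigma: State, fuel: int) -> tuple:
    """What running the A.4 semantics can deliver: ret_c sigma' once the
    inductive derivation is found, otherwise "undecided". The token • is never
    a sound answer here, since it needs (s, sigma) ⇒↑ to be decided up front."""
    found = converge(eval_delayful(s, sigma), fuel)
    return ("ret_c", found[0]) if found else ("undecided",)


# Constructed sample programs: i := 0; while i < 3 do i := i + 1  and  while true do skip.
COUNT_TO_3 = ("seq", ("assign", "i", lambda _: 0),
              ("while", lambda st: st["i"] < 3, ("assign", "i", lambda st: st["i"] + 1)))
LOOP_FOREVER = ("while", lambda _: True, ("skip",))
```

`converge(eval_delayful(COUNT_TO_3, {}), 20)` returns `({'i': 3}, 8)`: one delay for the initial assignment, two per iteration of the loop body (one from the rule for the body, one from the assignment), and one for the final false test, exactly as the rules of A.2 prescribe. `LOOP_FOREVER` never converges under any budget, which is why `classical_style` can only report "undecided" for it. The programs `skip` and `x := x` give weakly but not strongly bisimilar delayed states, the identification the delayful semantics relies on.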
