On relational compilation

Language definitions

On the left is the Coq definition of S, with only three constructors: constants, negation, and addition; on the right is the definition of T: a program in T is a list of stack operations T_Op, which may be pushing a constant, popping the two values on the top of the stack and pushing their difference, or popping the two values on the top of the stack and pushing their sum.

Inductive S :=
| SInt z
| SOpp (s : S)
| SAdd (s1 s2 : S).

Inductive T_Op :=
| TPush z
| TPopSub
| TPopAdd.

Definition T := list T_Op.

Semantics

The semantics of these languages are easy to define using interpreters. On the left, operations on terms in S are mapped to corresponding operations on \(\mathbb{Z}\), producing an integer. On the right, stack operations are interpreted one by one, starting from a stack and producing a new stack.

Fixpoint σS s : Z :=
  match s with
  | SInt z     => z
  | SOpp s     => - σS s
  | SAdd s1 s2 => σS s1 + σS s2
  end.

 Notation Stack := (list Z).

 Definition σOp (ts: Stack) op : Stack :=
   match op, ts with
   | TPush n, ts => n :: ts
   | TPopAdd, n2::n1::ts => n1+n2 :: ts
   | TPopSub, n2::n1::ts => n1-n2 :: ts
   | _, ts => ts (* Invalid: no-op *)
   end.

Definition σT t (ts: Stack) : Stack :=
  List.fold_left σOp t ts.

With these definitions, program equivalence is straightforward to define (the definition is contextual, in the sense that it talks about equivalence in the context of a non-empty stack):

Notation "t ∼ s" := (forall ts, σT t ts = σS s :: ts).

Compilation

In the simplest case, a compiler is a single recursive function; more typically, compilers are engineered as a sequence (composition) of passes, each responsible for a well-defined task: typically, either an optimization (within one language, intended to improve performance of the output) or lowering (from one intermediate language to another, intended to bring the program closer to its final form), though these boundaries are porous. Here is a simple one-step compiler for our pair of languages:

Fixpoint StoT s := match s with
  | SInt z     => [TPush z]
  | SOpp s     => [TPush 0] ++ StoT s ++ [TPopSub]
  | SAdd s1 s2 => StoT s1 ++ StoT s2 ++ [TPopAdd]
end.

The SInt case maps to a stack machine program that simply pushes the constant z on the stack; the SOpp case returns a program that first puts a 0 on the stack, then computes the value corresponding to the operand s, and finally computes the subtraction of these two using the TPopSub opcode; and the SAdd case produces a program that pushes both operans in succession before computing their sum using the TPopAdd opcode.

The Coq command Compute lets us run this compiler and confirm that it seems to operate correctly:

Example s7 :=
  SAdd (SAdd (SInt 3) (SInt 6))
        (SOpp (SInt 2)).

• Running the example program s7 directly returns 7:

  Compute σS s7.
  = 7
  : Z

• Compiling the program and then running it produces the same result (a stack with a single element, 7):

  Compute StoT s7.
  = [TPush 3; TPush 6; TPopAdd; TPush 0; TPush 2; TPopSub; TPopAdd]
  : list T_Op
  Compute σT (StoT s7) [].
  = [7]
  : Stack

Compiler correctness

Of course, one example is not enough to establish that the compiler above works; instead, here is a proof of its correctness, which proceeds by induction with three cases:

Lemma StoT_Rok : forall s, StoT s ∼ s.
forall s, StoT s ∼ s
Proof.1
  induction s.
z: Z
StoT (SInt z) ∼ SInt z
s: S
IHs: StoT s ∼ s
StoT (SOpp s) ∼ SOpp s
s1, s2: S
IHs1: StoT s1 ∼ s1
IHs2: StoT s2 ∼ s2
StoT (SAdd s1 s2) ∼ SAdd s1 s2
  all: intros; unfold σT; simpl.
z: Z
ts: Stack
z :: ts = z :: ts
s: S
IHs: StoT s ∼ s
ts: Stack
fold_left σOp (StoT s ++ [TPopSub]) (0 :: ts) = - σS s :: ts
s1, s2: S
IHs1: StoT s1 ∼ s1
IHs2: StoT s2 ∼ s2
ts: Stack
fold_left σOp (StoT s1 ++ StoT s2 ++ [TPopAdd]) ts = σS s1 + σS s2 :: ts
  - (* `SInt` case *)
z: Z
ts: Stack
z :: ts = z :: ts
    reflexivity.
  - (* `SOpp` case *)
s: S
IHs: StoT s ∼ s
ts: Stack
fold_left σOp (StoT s ++ [TPopSub]) (0 :: ts) = - σS s :: ts
    rewrite fold_left_app.
s: S
IHs: StoT s ∼ s
ts: Stack
fold_left σOp [TPopSub] (fold_left σOp (StoT s) (0 :: ts)) = - σS s :: ts
    rewrite IHs.
s: S
IHs: StoT s ∼ s
ts: Stack
fold_left σOp [TPopSub] (σS s :: 0 :: ts) = - σS s :: ts
    reflexivity.
  - (* `SAdd` case *)
s1, s2: S
IHs1: StoT s1 ∼ s1
IHs2: StoT s2 ∼ s2
ts: Stack
fold_left σOp (StoT s1 ++ StoT s2 ++ [TPopAdd]) ts = σS s1 + σS s2 :: ts
    rewrite !fold_left_app.
s1, s2: S
IHs1: StoT s1 ∼ s1
IHs2: StoT s2 ∼ s2
ts: Stack
fold_left σOp [TPopAdd] (fold_left σOp (StoT s2) (fold_left σOp (StoT s1) ts)) =
σS s1 + σS s2 :: ts
    rewrite IHs1, IHs2.
s1, s2: S
IHs1: StoT s1 ∼ s1
IHs2: StoT s2 ∼ s2
ts: Stack
fold_left σOp [TPopAdd] (σS s2 :: σS s1 :: ts) = σS s1 + σS s2 :: ts
    reflexivity.
Qed.

This compiler operates in a single pass, but arguably even a small compiler like this could benefit from a multi-pass approach: for example, we might prefer to separate lowering in two phases translating all unary SOpp operations to a new binary operator SSub (SOpp x → SSub (Sconst 0) x) in a first pass, and dealing with stack operations in a second pass.

Compiling with relations

We will observe two things about StoT and its proof.

First, StoT, like any function, can be rewritten as a relation (any function \(f: x \mapsto f(x)\) defines a relation \(\sim _f\) such that \(t \sim _f s\) iff. \(t = f(s)\); this is sometimes called the graph of the function). Here is one natural way to rephrase StoT as a relation ℜ; notice how each branch of the recursion maps to a case in the inductive definition of the relation (each constructor defines an introduction rule for ℜ, which corresponds to a branch in the original recursion, and each x ℜ y premise of each case corresponds to a recursive call to the function):

Inductive StoT_rel : T -> S -> Prop :=
| StoT_RNat : forall z,
    [TPush z] ℜ SInt z
| StoT_ROpp : forall t s,
    t ℜ s ->
    [TPush 0] ++ t ++ [TPopSub] ℜ SOpp s
| StoT_RAdd : forall t1 s1 t2 s2,
    t1 ℜ s1 ->
    t2 ℜ s2 ->
    t1 ++ t2 ++ [TPopAdd] ℜ SAdd s1 s2
where "t 'ℜ' s" := (StoT_rel t s).

Now, what does correctness mean for StoT? Correctness for this compilation relation is… just a subset relation:

The relation ℜ is a correct compilation relation for languages \(S\) and \(T\) if its graph is a subset of the graph of \(\sim \).

And that condition is sufficient: any relation that is a subset of \(\sim \) defines a correct (possibly one-to-many, possibly suboptimal, but correct) mapping from source programs to destination programs.

And indeed, the relation above is a correct compilation relation:

Theorem StoT_rel_ok : forall t s,
    t ℜ s -> t ∼ s.
forall t s, t ℜ s -> t ∼ s
Proof.2
  induction 1.
z: Z
[TPush z] ∼ SInt z
t: T
s: S
H: t ℜ s
IHStoT_rel: t ∼ s
[TPush 0] ++ t ++ [TPopSub] ∼ SOpp s
t1: T
s1: S
t2: T
s2: S
H: t1 ℜ s1
H0: t2 ℜ s2
IHStoT_rel1: t1 ∼ s1
IHStoT_rel2: t2 ∼ s2
t1 ++ t2 ++ [TPopAdd] ∼ SAdd s1 s2
  all: intros; unfold σT; simpl.
z: Z
ts: Stack
z :: ts = z :: ts
t: T
s: S
H: t ℜ s
IHStoT_rel: t ∼ s
ts: Stack
fold_left σOp (t ++ [TPopSub]) (0 :: ts) = - σS s :: ts
t1: T
s1: S
t2: T
s2: S
H: t1 ℜ s1
H0: t2 ℜ s2
IHStoT_rel1: t1 ∼ s1
IHStoT_rel2: t2 ∼ s2
ts: Stack
fold_left σOp (t1 ++ t2 ++ [TPopAdd]) ts = σS s1 + σS s2 :: ts
  - (* `StoT_RNat` case *)
z: Z
ts: Stack
z :: ts = z :: ts
    reflexivity.
  - (* `StoT_ROpp` case *)
t: T
s: S
H: t ℜ s
IHStoT_rel: t ∼ s
ts: Stack
fold_left σOp (t ++ [TPopSub]) (0 :: ts) = - σS s :: ts
    rewrite fold_left_app.
t: T
s: S
H: t ℜ s
IHStoT_rel: t ∼ s
ts: Stack
fold_left σOp [TPopSub] (fold_left σOp t (0 :: ts)) = - σS s :: ts
    rewrite IHStoT_rel.
t: T
s: S
H: t ℜ s
IHStoT_rel: t ∼ s
ts: Stack
fold_left σOp [TPopSub] (σS s :: 0 :: ts) = - σS s :: ts
    reflexivity.
  - (* `StoT_RAdd` case *)
t1: T
s1: S
t2: T
s2: S
H: t1 ℜ s1
H0: t2 ℜ s2
IHStoT_rel1: t1 ∼ s1
IHStoT_rel2: t2 ∼ s2
ts: Stack
fold_left σOp (t1 ++ t2 ++ [TPopAdd]) ts = σS s1 + σS s2 :: ts
    rewrite !fold_left_app.
t1: T
s1: S
t2: T
s2: S
H: t1 ℜ s1
H0: t2 ℜ s2
IHStoT_rel1: t1 ∼ s1
IHStoT_rel2: t2 ∼ s2
ts: Stack
fold_left σOp [TPopAdd] (fold_left σOp t2 (fold_left σOp t1 ts)) =
σS s1 + σS s2 :: ts
    rewrite IHStoT_rel1, IHStoT_rel2.
t1: T
s1: S
t2: T
s2: S
H: t1 ℜ s1
H0: t2 ℜ s2
IHStoT_rel1: t1 ∼ s1
IHStoT_rel2: t2 ∼ s2
ts: Stack
fold_left σOp [TPopAdd] (σS s2 :: σS s1 :: ts) = σS s1 + σS s2 :: ts
    reflexivity.
Qed.

Now that we have ℜ, we can use it to prove specific program equivalences: for example, we can write a proof to show specifically that the compiled version of our example program s7 matches the original s7 by applying each of the constructors of the relation ℜ one by one:

Goal ([TPush 3] ++ [TPush 6] ++ [TPopAdd]) ++
     ([TPush 0] ++ [TPush 2] ++ [TPopSub]) ++
     [TPopAdd] ℜ
     SAdd (SAdd (SInt 3) (SInt 6))
     (SOpp (SInt 2)).
([TPush 3] ++ [TPush 6] ++ [TPopAdd]) ++
([TPush 0] ++ [TPush 2] ++ [TPopSub]) ++ [TPopAdd]
ℜ SAdd (SAdd (SInt 3) (SInt 6)) (SOpp (SInt 2))
Proof.
  apply StoT_RAdd.
[TPush 3] ++ [TPush 6] ++ [TPopAdd] ℜ SAdd (SInt 3) (SInt 6)
[TPush 0] ++ [TPush 2] ++ [TPopSub] ℜ SOpp (SInt 2)
  -
[TPush 3] ++ [TPush 6] ++ [TPopAdd] ℜ SAdd (SInt 3) (SInt 6) apply StoT_RAdd.
[TPush 3] ℜ SInt 3
[TPush 6] ℜ SInt 6
    +
[TPush 3] ℜ SInt 3 apply StoT_RNat.
    +
[TPush 6] ℜ SInt 6 apply StoT_RNat.
  -
[TPush 0] ++ [TPush 2] ++ [TPopSub] ℜ SOpp (SInt 2) apply StoT_ROpp.
[TPush 2] ℜ SInt 2
    +
[TPush 2] ℜ SInt 2 apply StoT_RNat.
Qed.

Now, how can we use this relation to run the compiler instead? By using proof search! This is standard practice in the world of logic programming. To compile our earlier program s7, for example, we can simply search for a program t7 such that t7 ℜ s7, which in Coq terms looks like this:

Example t7_rel: { t7 | t7 ℜ s7 }.
{t7 : T | t7 ℜ s7}
Proof.
  unfold s7; eexists.
?t7 ℜ SAdd (SAdd (SInt 3) (SInt 6)) (SOpp (SInt 2))

Now the goal includes an inderminate value ?t7, called an existential variable (evar), corresponding to the program that we are attempting to derive, and each application or a lemma refines that evar by plugging in a partial program:

  apply StoT_RAdd.
?t1 ℜ SAdd (SInt 3) (SInt 6)
?t2 ℜ SOpp (SInt 2)

After applying the lemma StoT_RAdd, we are asked to provide two subprograms, each corresponding to one operand of the addition:

  -
?t1 ℜ SAdd (SInt 3) (SInt 6) apply StoT_RAdd.
?t1 ℜ SInt 3
?t20 ℜ SInt 6
    +
?t1 ℜ SInt 3 apply StoT_RNat.
    +
?t20 ℜ SInt 6 apply StoT_RNat.
  -
?t2 ℜ SOpp (SInt 2) apply StoT_ROpp.
?t ℜ SInt 2
    +
?t ℜ SInt 2 apply StoT_RNat.
Defined.

We get the exact same program, but this time instead of validating a previous compilation pass, we have generated the program from scratch:

Compute t7_rel.
= exist [TPush 3; TPush 6; TPopAdd; TPush 0; TPush 2; TPopSub; TPopAdd]
: {t7 : T | t7 ℜ s7}

We can also use Coq's inspection facilities to see the proof term as it is being generated (this time the interstitial boxes show the internal proof term, not the goals):

(exist ?t7)  apply StoT_RAdd.
(exist (?t1 ++ ?t2 ++ [TPopAdd]))  - apply StoT_RAdd.
(exist ((?t1 ++ ?t20 ++ [TPopAdd]) ++ ?t2 ++ [TPopAdd]))    + apply StoT_RNat.
(exist (([TPush 3] ++ ?t20 ++ [TPopAdd]) ++ ?t2 ++ [TPopAdd]))    + apply StoT_RNat.
(exist (([TPush 3] ++ [TPush 6] ++ [TPopAdd]) ++ ?t2 ++ [TPopAdd]))  - apply StoT_ROpp.
(exist
   (([TPush 3] ++ [TPush 6] ++ [TPopAdd]) ++
    ([TPush 0] ++ ?t ++ [TPopSub]) ++ [TPopAdd]))    + apply StoT_RNat.
(exist
   (([TPush 3] ++ [TPush 6] ++ [TPopAdd]) ++
    ([TPush 0] ++ [TPush 2] ++ [TPopSub]) ++ [TPopAdd]))

This shows how the program gets built: each lemma application is equivalent to one recursive call in a run of the compilation function StoT.

Coq has facilities to automatically perform proof search using a set of lemmas, which we can use to automate the derivation of t7: it suffices to register all constructors of ℜ in a “hint database”, as follows: [2]

Create HintDb cc.
Hint Constructors StoT_rel : cc.

Example t7_rel_eauto: { t7 | t7 ℜ s7 }.
{t7 : T | t7 ℜ s7}
Proof. eauto with cc. Defined.

Compute t7_rel_eauto.
= exist [TPush 3; TPush 6; TPopAdd; TPush 0; TPush 2; TPopSub; TPopAdd]
: {t7 : T | t7 ℜ s7}

And of course, the result is correct-by-construction, in the sense that it carries its own proof of correctness:

Eval cbn in type of (proj2_sig t7_rel_eauto).
= [TPush 3; TPush 6; TPopAdd; TPush 0; TPush 2; TPopSub; TPopAdd] ℜ s7
: Type

This is traditional logic programming, applied to compilers. We have now learned one fact:

Correctly compiling a program \(s\) is the same as proving \(\exists \: t, t \sim s\).

Open-ended compilation

The proofs of correctness for the functional version of the compiler (StoT, 1) and for the relational version (StoT_rel, 2) have the exact same structure. They are both composed of three orthogonal lemmas:

1. [TPush z] ∼ SInt z

2. [TPush 0] ++ t ++ [TPopSub] ∼ SOpp s

3. t1 ++ t2 ++ [TPopAdd] ∼ SAdd s1 s2

Each of these is really a standalone fact, and they each correspond to a partial relation between \(S\) and \(T\), each connecting some programs in \(S\) to some programs in \(T\). In other words:

A relational compiler is really just a collection of facts connecting programs in the target language to programs in the source language.

This means that we don't even need to define a relation. Instead, we can have three lemmas that directly refer to the original equivalence ~:

Lemma StoT_Int z :
    [TPush z] ∼ SInt z.
z: Z
[TPush z] ∼ SInt z

Lemma StoT_Opp t s :
    t ∼ s ->
    [TPush 0] ++ t ++ [TPopSub] ∼ SOpp s.
t: T
s: S
t ∼ s -> [TPush 0] ++ t ++ [TPopSub] ∼ SOpp s

Lemma StoT_Plus t1 s1 t2 s2 :
    t1 ∼ s1 ->
    t2 ∼ s2 ->
    t1 ++ t2 ++ [TPopAdd] ∼ SAdd s1 s2.
t1: T
s1: S
t2: T
s2: S
t1 ∼ s1 -> t2 ∼ s2 -> t1 ++ t2 ++ [TPopAdd] ∼ SAdd s1 s2

And from these, we can build a compiler! We just need to place all these facts into a new database of lemmas, which Coq will use as part of its proof search:

Create HintDb c.
Opaque σS σT.
Hint Resolve StoT_Int : c.
Hint Resolve StoT_Opp : c.
Hint Resolve StoT_Plus : c.

And then we can derive compiled programs and their proofs:

Example t7_fn_eauto: { t7 | t7 ∼ s7 }.
{t7 : T | t7 ∼ s7}
Proof. eauto with c. Defined.

Compute t7_fn_eauto.
= exist [TPush 3; TPush 6; TPopAdd; TPush 0; TPush 2; TPopSub; TPopAdd]
: {t7 : T | t7 ∼ s7}

That is the core idea of relational compilation. On this simple example it looks mostly like an odd curiosity, but it is actually very useful for compiling (shallowly) embedded domain-specific languages (EDSLs), especially when the compiler needs to be extensible.

Automating the derivation

The process above is closer to tool-assisted program derivation than to “compilation”. Automating it is not hard, but it requires tricks beyond what we have seen above. We will start by creating a hint database to hold our custom compilation lemmas:

Create HintDb circuits.

For readability, we will use Coq's Derive feature to state our compilation goal. Derive defines a dependent pair (a term and a proof of a property about it) as two separate names:

Derive cc1' SuchThat (forall pc ppc r1 r2,
    cc1' ≋ gc1 pc ppc r1 r2 @ Σ0
    // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)])
  As cc1'ok.
cc1':= ?Goal: circuit
forall pc ppc r1 r2 : Z,
cc1' ≋ gc1 pc ppc r1 r2 @ Σ0 //
[("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
Proof.
  unfold cc1', gc1; clear cc1'.
forall pc ppc r1 r2 : Z,
?Goal ≋ testbit (if pc =? ppc then r1 else r2) 4 @ Σ0 //
[("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]

The first trick we will introduce is forward reasoning. Until now, we have used eauto to pull from a database of lemmas to try to derive a complete proof of a goal. In this mode, eauto is all-or-nothing: it will not make any progress on this goal until we introduce all relevant lemmas:

  eauto using compile_nth.
forall pc ppc r1 r2 : Z,
?Goal ≋ testbit (if pc =? ppc then r1 else r2) 4 @ Σ0 //
[("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]

This isn't sustainable: we need to guess exactly all lemmas that are required, or nothing happens. Instead we will use a partial progress style popularized by [CoqProlog+Zimmermann+TTT2017], in which we program eauto to take a single step and then return to its caller:

  Hint Extern 2 => simple apply compile_Const; shelve : circuits.
  Hint Extern 2 => simple apply compile_add; shelve : circuits.
  Hint Extern 2 => simple apply compile_xor; shelve : circuits.
  Hint Extern 2 => simple apply compile_nth; shelve : circuits.

Each of these hints allow eauto to shelve the current goal after applying the corresponding lemma, which removes the subgoals generated by that lemma from the pool of things the eauto is required to solve and places the on Coq's shelf.

These hints are enough to get us started with the derivation of our program. forward with … is a tactic similar to eauto, but it supports partial progress:

   forward with circuits.
forall z n : Z, Σ0 "nth" [z; n] = testbit z n
?cz ≋ if pc =? ppc then r1 else r2 @ Σ0 //
[("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]

The first goal we get asks us to prove that we have the right function under the name "nth" in our function context, as before:

forall z n : Z, Σ0 "nth" [z; n] = testbit z n    Hint Extern 1 => reflexivity : circuits.
forall z n : Z, Σ0 "nth" [z; n] = testbit z n
    forward with circuits.

The second goal is where this new approach of partial compilation begins to be useful: we have partially compiled our program, and we can now add more hints to continue making progress. As before, compile_Mux doesn't apply:

?cz ≋ if pc =? ppc then r1 else r2 @ Σ0 //
[("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]    apply compile_Mux.
In environment
pc, ppc, r1, r2 : Z
Unable to unify
 "Mux ?M1502 ?M1504 ?M1506 ≋ if ?M1503 =? 0 then ?M1507 else ?M1505 @ ?Σ // ?R"
with
 "?cz ≋ if pc =? ppc then r1 else r2 @ Σ0 //
  [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]".

We could use Z_lxor_eqb as before to rewrite the equality test pc =? ppc into an exclusive-or test Z.lxor pc ppc =? 0, but for consistency we will prove a new compilation lemma instead (this gives us a unified way to handle all extensions):

Lemma compile_Mux_eqb {Σ R} c1 g1 c2 g2 ct gt cf gf:
  (forall x y, Σ "xor" [x; y] = Z.lxor x y) ->
  c1 ≋ g1 @ Σ // R ->
  c2 ≋ g2 @ Σ // R ->
  ct ≋ gt @ Σ // R ->
  cf ≋ gf @ Σ // R ->
  Mux (Op "xor" [c1; c2]) ct cf ≋
  if g1 =? g2 then gf else gt @ Σ // R.
Σ: string -> list Z -> Z
c1: circuit
g1: Z
c2: circuit
g2: Z
ct: circuit
gt: Z
cf: circuit
gf: Z
(forall x y : Z, Σ "xor" [x; y] = Z.lxor x y) ->
c1 ≋ g1 @ Σ // R ->
c2 ≋ g2 @ Σ // R ->
ct ≋ gt @ Σ // R ->
cf ≋ gf @ Σ // R ->
Mux (Op "xor" [c1; c2]) ct cf ≋ if g1 =? g2 then gf else gt @ Σ // R

This is enough to step further in the compilation process, leaving us with four very similar goals:

  Hint Extern 2 =>
    simple apply compile_Mux_eqb; shelve : circuits.
forall pc ppc r1 r2 : Z,
?Goal ≋ testbit (if pc =? ppc then r1 else r2) 4 @ Σ0 //
[("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
  forward with circuits.
?c1 ≋ pc @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?c2 ≋ ppc @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?ct ≋ r2 @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?cf ≋ r1 @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]

This time, we get stuck because we did not register compile_Read:

?c1 ≋ pc @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?c2 ≋ ppc @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?ct ≋ r2 @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?cf ≋ r1 @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]

Why not? Because as written, compile_Read applies to all goals, often leaving an unsolvable goal: when applied to a goal _ ≋ g @ _ // R, compile_Read will simply generate a goal asking to find g in R, regardless of whether such a binding in fact exists in R. For example:

  eexists ?[c].
?c ≋ 1 + 1 @ Σ0 // [("r0", 14)]
  apply compile_Read.
1 + 1 = [("r0", 14)].[?r]
Abort.

There are two ways to proceed in such cases: add logic to apply compile_Read eagerly, and backtrack if no corresponding binding can be found; or use a more clever strategy to apply compile_Read more discerningly. Up to this point our derivations have all been deterministic, and we want the compiler to be as predictable as possible, so we will do the latter by restricting the use of the compile_Read lemma to cases where the Gallina term g is a single variable. Additionally, we will give compile_Read a low priority (the backtracking approach is discussed in a note at the end of this section):

  Hint Extern 3 (_ ≋ ?v @ _ // _) =>
    is_var v; simple apply compile_Read; shelve : circuits.
?c1 ≋ pc @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?c2 ≋ ppc @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?ct ≋ r2 @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]
?cf ≋ r1 @ Σ0 // [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)]

  all: forward with circuits.
pc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r]
ppc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r0]
r2 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r1]
r1 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r2]

The remaining goals are the preconditions of compile_Read: the variables should in fact be in context:

pc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r]
ppc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r0]
r2 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r1]
r1 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r2]

To solve these goals automatically, we will use two simple lemmas.

1. assoc_hd, which handles the case in which the value we're looking for is the first in the list:

   Lemma assoc_hd (v: V) k tl:
     v = ((k, v) :: tl).[k].
   V: Type
   H: HasDefault V
   v: V
   k: string
   tl: list (string * V)
   v = ((k, v) :: tl).[k]

2. assoc_tl, which handles the case in which the value we're looking for is in the tail of the list:

   Lemma assoc_tl (v v': V) k k' tl:
     v = tl.[k'] ->
     k <> k' ->
     v = ((k, v') :: tl).[k'].
   V: Type
   H: HasDefault V
   v, v': V
   k, k': string
   tl: list (string * V)
   v = tl.[k'] -> k <> k' -> v = ((k, v') :: tl).[k']

Here is how these come into play, on a standalone example. We start with a goal asking us to locate the value 3 in a context. Applying assoc_tl discards the first binding ("x", 1) and asks us to find 3 among the remaining bindings; then, applying assoc_hd selects the first of the remaining bindings ("y", 3):

3 = [("x", 1); ("y", 3)].[?k]  apply assoc_tl.
3 = [("y", 3)].[?k]
"x" <> ?k
  -
3 = [("y", 3)].[?k] apply assoc_hd.
  -
"x" <> "y" congruence.

Plugging in these two lemmas completes the derivation:

  Hint Extern 1 => congruence : circuits.
pc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r]
ppc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r0]
r2 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r1]
r1 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r2]
  Hint Resolve assoc_hd assoc_tl | 2 : circuits.
pc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r]
ppc = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r0]
r2 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r1]
r1 = [("pc", pc); ("ppc", ppc); ("r1", r1); ("r2", r2)].[?r2]
  all: forward with circuits.
Qed.

Print cc1'.
cc1' = 
Op "nth"
  [Mux (Op "xor" [Read "pc"; Read "ppc"]) (Read "r2") (Read "r1"); Const 4]
     : circuit

Tactic Notation "setup" "with" ident(db) :=
  intros; autounfold with db;
  lazymatch goal with c := _ |- _ => subst c end.

Tactic Notation "compile" "with" ident(db) :=
  setup with db; forward with db.

Derive c SuchThat (forall z, c ≋ z + z @ Σ0 // [("z", z)]) As cok.
c:= ?Goal: circuit
forall z, c ≋ z + z @ Σ0 // [("z", z)]
Proof. compile with circuits. Qed.

Print c.
c = Op "add" [Read "z"; Read "z"]
     : circuit

Extending the compiler

There are all sorts of ways we can extend this compiler; the following are just a few examples:

  Context Σ R c z
          (Hadd: forall x y, Σ "add" [x; y] = x + y)
          (Hc: c ≋ z @ Σ // R).

  Derive c3 SuchThat (c3 ≋ z + z + z @ Σ // R) As c3ok.
Σ: string -> list Z -> Z
c: circuit
z: Z
Hadd: forall x y : Z, Σ "add" [x; y] = x + y
Hc: c ≋ z @ Σ // R
c3:= ?Goal: circuit
c3 ≋ z + z + z @ Σ // R
  Proof. compile with circuits. Qed.

  Print c3.
c3 = Op "add" [Op "add" [c; c]; c]
     : circuit

  Hint Extern 2 => simple apply c3ok : circuits.

  Derive c6 SuchThat (c6 ≋ (z+z+z) + (z+z+z) @ Σ // R) As c6ok.
Σ: string -> list Z -> Z
c: circuit
z: Z
Hadd: forall x y : Z, Σ "add" [x; y] = x + y
Hc: c ≋ z @ Σ // R
c6:= ?Goal: circuit
c6 ≋ z + z + z + (z + z + z) @ Σ // R
  Proof. compile with circuits. Qed.

  Print c6.
c6 = Op "add" [c3; c3]
     : circuit

Lemma compile_lsl {Σ R} c1 g1 c2 g2:
  (forall x y, Σ "lsl" [x; y] = x << y) ->
  c1 ≋ g1 @ Σ // R -> c2 ≋ g2 @ Σ // R ->
  Op "lsl" [c1; c2] ≋ g1 << g2 @ Σ // R.
Σ: string -> list Z -> Z
c1: circuit
g1: Z
c2: circuit
g2: Z
(forall x y : Z, Σ "lsl" [x; y] = x << y) ->
c1 ≋ g1 @ Σ // R -> c2 ≋ g2 @ Σ // R -> Op "lsl" [c1; c2] ≋ g1 << g2 @ Σ // R
Proof. cbn; repeat intros ->; reflexivity. Qed.

Hint Extern 2 => simple apply compile_lsl; shelve : circuits.

Example Σ1 fn args := match fn, args with
  | "lsl", [z1; z2] => z1 << z2
  | _, _ => Σ0 fn args
end.

Derive c4 SuchThat (forall z, c4 ≋ z << 2 @ Σ1 // [("z", z)]) As c4ok.
c4:= ?Goal: circuit
forall z, c4 ≋ z << 2 @ Σ1 // [("z", z)]
Proof. compile with circuits. Qed.

Print c4.
c4 = Op "lsl" [Read "z"; Const 2]
     : circuit

Ltac assocv v ctx :=
  lazymatch ctx with
  | []             => fail
  | (?k, v) :: _    => k
  |       _ :: ?ctx => assocv v ctx
  | _ => let ctx := eval red in ctx in assocv v ctx
  end.

Compute assocv 14 [("x", 3); ("y", 14)].
= "y"
: string

Ltac instantiate_assoc_eq := match goal with
  | |- ?v = ?ctx.[?k] =>
    is_evar k; let k0 := assocv v ctx in unify k k0
end.

3 = [("x", 1); ("y", 3)].[?k]  instantiate_assoc_eq.
3 = [("x", 1); ("y", 3)].["y"]

Hint Extern 1 => instantiate_assoc_eq : circuits.

Derive cc2 SuchThat
  (forall x y, cc2 ≋ x + y @ Σ0 // [("x", x); ("y", y)])
As cc2ok.
cc2:= ?Goal: circuit
forall x y : Z, cc2 ≋ x + y @ Σ0 // [("x", x); ("y", y)] compile with circuits. Qed.

Print cc2.
cc2 = Op "add" [Read "x"; Read "y"]
     : circuit

Leveraging contextual information

The last extension is important enough that it deserves its own section. It is a common pattern in functional programming languages to use a monad to describe an effect that is not supported by the language. Part of compiling the program down to a lower-level language is mapping the monadic structure to low-level primitives, and we can do that using relational compilation.

Even better, we can support native compilation of arbitrary monads (!): unlike traditional compilers that hard-code a list of built-in monads that get special compiler support (think IO in Haskell), we can plug-in native compilation support for arbitrary user-defined monads. This means that we never have to define an interpreter for a free monad (this is the usual approach in Coq for extraction effectful program: define a free monad specialized to a functor capturing effects, extract to OCaml, and define an unverified interpreter to map the effects to native OCaml effects; here, we can instead directly map the monad to effects of the target language).

We will start by exploring the example of the Writer monad with a compiler specialized for that monad, and then we will see an extra twist that allows us to define the pure parts of the compiler in a monad-agnostic way, so that they can be shared between different EDSL compilers specialized to different monads, reducing duplication. Rupicola itself has many more examples of relational compilation for monadic programs.

Definition Trace := list string.
Record S {α: Type} := { val: α; trace: Trace }.

Example puts str := {| val := tt; trace := [str] |}.

Definition ret (a: α) : S α :=
  {| val := a; trace := [] |}.

Definition tr_bind (a: S α) (b: S β) :=
  {| val := b.(val); trace := a.(trace) ++ b.(trace) |}.

Definition bind (a: S α) (k: α -> S β) : S β :=
  tr_bind a (k a.(val)).

Notation "v ← a ; body" := (bind a%string (fun v => body)).

Lemma bind_ret (ca: S α) :
  bind ca ret = ca.
α, β, γ: Type
ca: S α
v ← ca;
ret v = ca
Lemma ret_bind a (k: α -> S β) :
  bind (ret a) k = (k a).
α, β, γ: Type
a: α
k: α -> S β
v ← ret a;
k v = k a
Lemma bind_bind ca (ka: α -> S β) (kb: β -> S γ) :
  bind (bind ca ka) kb = bind ca (fun a => bind (ka a) kb).
α, β, γ: Type
ca: S α
ka: α -> S β
kb: β -> S γ
v ← v ← ca;
    ka v;
kb v = a ← ca;
       v ← ka a;
       kb v

Inductive Expr :=
| Ref var
| Const str
| Concat (e1 e2: Expr).

Inductive T :=
| Seq (t1 t2: T)
| Assign var (e: Expr)
| Puts (e: Expr)
| Skip.

Definition Ctx := list (Var * string).

Fixpoint interp ctx e : string := match e with
  | Ref var      => ctx.[var]
  | Const str    => str
  | Concat e1 e2 => interp ctx e1 ++ interp ctx e2
end.

Inductive RunsTo : Ctx -> T -> Ctx -> Trace -> Prop :=
| RunsToSeq ctx0 t1 ctx1 tr1 t2 ctx2 tr2:
    ⟨ctx0, t1⟩ ⇓ ⟨ctx1, tr1⟩ ->
    ⟨ctx1, t2⟩ ⇓ ⟨ctx2, tr2⟩ ->
    ⟨ctx0, Seq t1 t2⟩ ⇓ ⟨ctx2, tr1 ++ tr2⟩
| RunsToAssign ctx var e:
    ⟨ctx, Assign var e⟩ ⇓ ⟨(var, interp ctx e) :: ctx, []⟩
| RunsToPuts ctx e:
    ⟨ctx, Puts e⟩ ⇓ ⟨ctx, [interp ctx e]⟩
| RunsToSkip ctx e:
    ⟨ctx, Skip⟩ ⇓ ⟨ctx, []⟩
where "⟨ ctx , p ⟩ ⇓ ⟨ ctx' , tr ⟩" :=
  (RunsTo ctx p ctx' tr).

Notation "e ~ₑ g // ctx" := (interp ctx e = g%string).

Derive eHello SuchThat (forall name,
  eHello ~ₑ ("hello, " ++ name) // [("name", name)])
As eHello_ok.
eHello:= ?Goal: Expr
forall name : string, eHello ~ₑ "hello, " ++ name // [("name", name)] compile with str. Qed.

Print eHello.
eHello = Concat (Const "hello, ") (Ref "name")
     : Expr

Definition related t g var ctx :=
  (forall ctx' tr,
      ⟨ ctx, t ⟩ ⇓ ⟨ ctx', tr ⟩ ->
      g.(trace) = tr /\
      g.(val) = ctx'.[var]).

Notation "t ~ₜ g @ var // ctx" :=
  (related t g%string var ctx).

Lemma compile_Puts ctx e g t k var:
  e ~ₑ g // ctx ->
  t ~ₜ k tt @ var // ctx ->
  Seq (Puts e) t ~ₜ bind (puts g) k @ var // ctx.
ctx: Ctx
e: Expr
g: string
t: T
k: unit -> S string
var: Var
e ~ₑ g // ctx ->
t ~ₜ k tt @ var // ctx -> Seq (Puts e) t ~ₜ v ← puts g;
                                            k v @ var // ctx

Lemma compile_Assign ctx e g t k var tmp:
  e ~ₑ g // ctx ->
  (forall v, v = g -> t ~ₜ k v @ var // (tmp, v) :: ctx) ->
  Seq (Assign tmp e) t ~ₜ bind (ret g) k @ var // ctx.
ctx: Ctx
e: Expr
g: string
t: T
k: string -> S string
var, tmp: Var
e ~ₑ g // ctx ->
(forall v : string, v = g -> t ~ₜ k v @ var // (tmp, v) :: ctx) ->
Seq (Assign tmp e) t ~ₜ v ← ret g;
                        k v @ var // ctx

Lemma compile_Skip ctx e str var:
  e ~ₑ str // ctx ->
  Assign var e ~ₜ ret str @ var // ctx.
ctx: Ctx
e: Expr
str: string
var: Var
e ~ₑ str // ctx -> Assign var e ~ₜ ret str @ var // ctx

Hint Extern 1 => simple apply compile_Puts; shelve : str.
Hint Extern 1 => simple apply compile_Skip; shelve : str.

Hint Extern 1 (_ ~ₜ bind ?s ?k @ _ // _) =>
  simple apply compile_Assign
    with (tmp := ltac:(binder_name k)); shelve : str.

Definition greet (name: string) :=
  greeting ← ret ("hello, " ++ name);
  _ ← puts greeting;
  _ ← puts "!";
  ret greeting.
Hint Unfold greet : str.

Derive tHello SuchThat (forall name,
  tHello ~ₜ greet name @ "out" // [("name", name)])
As tHello_ok.
tHello:= ?Goal: T
forall name : string, tHello ~ₜ greet name @ "out" // [("name", name)] compile with str. Qed.

Print tHello.
tHello = 
Seq (Assign "greeting" (Concat (Const "hello, ") (Ref "name")))
  (Seq (Puts (Ref "greeting"))
     (Seq (Puts (Const "!")) (Assign "out" (Ref "greeting"))))
     : T

Definition triple {α}
           (ctx: Ctx) (prog: T) (spec: α)
           (post: α -> Trace -> Ctx -> Prop) :=
  forall ctx' tr,
    ⟨ctx, prog⟩ ⇓ ⟨ctx', tr⟩ -> post spec tr ctx'.

Notation "<{ ctx }> prog <{ spec | post }>" :=
  (triple ctx prog spec post).

Goal forall t g var ctx,
    <{ ctx }>
    t
    <{ g | fun g tr' ctx' =>
         g.(val) = ctx'.[var] /\
         g.(trace) = tr' }> ->
    t ~ₜ g @ var // ctx.
forall t (g : S string) var ctx,
<{ ctx }> t <{ g
| fun (g0 : S string) (tr' : Trace) ctx' => val g0 = ctx'.[var] /\ trace g0 = tr'
}> -> t ~ₜ g @ var // ctx

Lemma compile_Assign e g ctx tmp:
  e ~ₑ g // ctx ->
  <{ ctx }>
    Assign tmp e
  <{ g | fun v tr ctx' =>
       tr = [] /\ ctx' = (tmp, v) :: ctx }>.
e: Expr
g: string
ctx: Ctx
tmp: Var
e ~ₑ g // ctx ->
<{ ctx }> Assign tmp e <{ g
| fun (v : string) (tr : Trace) ctx' => tr = [] /\ ctx' = (tmp, v) :: ctx }>

Lemma compile_Seq {α β} ctx post middle p1 p2 (s1: S α) (s2: α -> S β):
  <{ ctx }> p1 <{ s1 | middle }> ->
  (forall g1 tr1 ctx1, g1 = s1 -> middle g1 tr1 ctx1 ->
   let post' g2 tr2 := post (tr_bind g1 g2) (tr1 ++ tr2) in
   <{ ctx1 }> p2 <{ s2 g1.(val) | post' }>) ->
  <{ ctx }> Seq p1 p2 <{ bind s1 s2 | post }>.
α, β: Type
ctx: Ctx
post: S β -> list string -> Ctx -> Prop
middle: S α -> Trace -> Ctx -> Prop
p1, p2: T
s1: S α
s2: α -> S β
<{ ctx }> p1 <{ s1 | middle }> ->
(forall (g1 : S α) (tr1 : Trace) ctx1,
 g1 = s1 ->
 middle g1 tr1 ctx1 ->
 let post' :=
   fun (g2 : S β) (tr2 : list string) => post (tr_bind g1 g2) (tr1 ++ tr2) in
 <{ ctx1 }> p2 <{ s2 (val g1) | post' }>) ->
<{ ctx }> Seq p1 p2 <{ v ← s1;
                       s2 v | post }>

Lemma compile_Skip g ctx post :
  post g [] ctx ->
  <{ ctx }> Skip <{ g | post }>.
α: Type
g: α
ctx: Ctx
post: α -> Trace -> Ctx -> Prop
post g [] ctx -> <{ ctx }> Skip <{ g | post }>

Lemma compile_Assign {α} ctx e g t (k: string -> α) tmp post:
  e ~ₑ g // ctx ->
  (forall v, v = g -> <{ (tmp, v) :: ctx }> t <{ k v | post }>) ->
  <{ ctx }> Seq (Assign tmp e) t <{ blet g k | post }>.
α: Type
ctx: Ctx
e: Expr
g: string
t: T
k: string -> α
tmp: Var
post: α -> Trace -> Ctx -> Prop
e ~ₑ g // ctx ->
(forall v : string, v = g -> <{ (tmp, v) :: ctx }> t <{ k v | post }>) ->
<{ ctx }> Seq (Assign tmp e) t <{ blet g k | post }>
Proof. unfold triple; hammer. Qed.