UniTO/tesi/gabriel/part4.tex
2020-04-09 01:44:19 +02:00

659 lines
22 KiB
TeX

% Created 2020-04-09 Thu 01:36
% Intended LaTeX compiler: pdflatex
\documentclass[11pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{graphicx}
\usepackage{grffile}
\usepackage{longtable}
\usepackage{wrapfig}
\usepackage{rotating}
\usepackage[normalem]{ulem}
\usepackage{amsmath}
\usepackage{textcomp}
\usepackage{amssymb}
\usepackage{capt-of}
\usepackage{hyperref}
\linespread{1.25}
\usepackage{algorithm}
\usepackage{comment}
\usepackage{algpseudocode}
\usepackage{amsmath,amssymb,amsthm}
\newtheorem{definition}{Definition}
\usepackage{mathpartir}
\usepackage{graphicx}
\usepackage{listings}
\usepackage{color}
\usepackage{stmaryrd}
\newcommand{\semTEX}[1]{{\llbracket{#1}\rrbracket}}
\newcommand{\EquivTEX}[3]{\mathsf{equiv}(#1, #2, #3)} % \equiv is already taken
\newcommand{\coversTEX}[2]{#1 \mathrel{\mathsf{covers}} #2}
\newcommand{\YesTEX}{\mathsf{Yes}}
\newcommand{\NoTEX}[2]{\mathsf{No}(#1, #2)}
\usepackage{comment}
\usepackage{mathpartir}
\usepackage{stmaryrd} % llbracket, rrbracket
\usepackage{listings}
\usepackage{notations}
\lstset{
mathescape=true,
language=[Objective]{Caml},
basicstyle=\ttfamily,
extendedchars=true,
showstringspaces=false,
aboveskip=\smallskipamount,
% belowskip=\smallskipamount,
columns=fullflexible,
moredelim=**[is][\color{blue}]{/*}{*/},
moredelim=**[is][\color{green!60!black}]{/!}{!/},
moredelim=**[is][\color{orange}]{/(}{)/},
moredelim=[is][\color{red}]{/[}{]/},
xleftmargin=1em,
}
\lstset{aboveskip=0.4ex,belowskip=0.4ex}
\author{Francesco Mecca}
\date{}
\hypersetup{
pdfkeywords={},
pdfsubject={},
pdfcreator={Emacs 26.3 (Org mode 9.1.9)},
pdflang={English}}
\begin{document}
\maketitle
\begin{comment}
TODO: neg is parsed incorrectly
TODO: chiedi a Gabriel se T e S vanno bene, ma prima controlla che siano coerenti
\section{{\bfseries\sffamily TODO} Scaletta [1/6]}
\label{sec:org530707f}
\begin{itemize}
\item[{$\boxtimes$}] Introduction
\item[{$\boxminus$}] Background [80\%]
\begin{itemize}
\item[{$\boxtimes$}] Low level representation
\item[{$\boxtimes$}] Lambda code [0\%]
\item[{$\boxtimes$}] Pattern matching
\item[{$\boxtimes$}] Symbolic execution
\item[{$\square$}] Translation Validation
\end{itemize}
\item[{$\square$}] Translation validation of the Pattern Matching Compiler
\begin{itemize}
\item[{$\square$}] Source translation
\begin{itemize}
\item[{$\square$}] Formal Grammar
\item[{$\square$}] Compilation of source patterns
\item[{$\square$}] Rest?
\end{itemize}
\item[{$\square$}] Target translation
\begin{itemize}
\item[{$\square$}] Formal Grammar
\item[{$\square$}] Symbolic execution of the Lambda target
\end{itemize}
\item[{$\square$}] Equivalence between source and target
\end{itemize}
\item[{$\square$}] Proof of correctness
\item[{$\square$}] Practical results
\end{itemize}
Magari prima pattern matching poi compilatore?
\end{comment}
\section{Correctness of the algorithm}
\label{sec:org4188d38}
Running a program t$_S$ or its translation $\llbracket$t$_S$$\rrbracket$ against an input v$_S$
produces as a result \emph{r} in the following way:
\begin{center}
\begin{tabular}{l}
( $\llbracket$t$_S$$\rrbracket$$_S$(v$_S$) = C$_S$(v$_S$) ) $\to$ r\\
t$_S$(v$_S$) $\to$ r\\
\end{tabular}
\end{center}
Likewise
\begin{center}
\begin{tabular}{l}
( $\llbracket$t$_T$$\rrbracket$$_T$(v$_T$) = C$_T$(v$_T$) ) $\to$ r\\
t$_T$(v$_T$) $\to$ r\\
\end{tabular}
\end{center}
where result r ::= guard list * (Match blackbox | NoMatch | Absurd)
and guard ::= blackbox.
Having defined equivalence between two inputs of which one is
expressed in the source language and the other in the target language
v$_S$ $\simeq$ v$_T$ (TODO define, this talks about the representation of source values in the target)
we can define the equivalence between a couple of programs or a couple
of decision trees
\begin{center}
\begin{tabular}{l}
t$_S$ $\simeq$ t$_T$ := $\forall$v$_S$$\simeq$v$_T$, t$_S$(v$_S$) = t$_T$(v$_T$)\\
C$_S$ $\simeq$ C$_T$ := $\forall$v$_S$$\simeq$v$_T$, C$_S$(v$_S$) = C$_T$(v$_T$)\\
\end{tabular}
\end{center}
The proposed equivalence algorithm that works on a couple of
decision trees is returns either \emph{Yes} or \emph{No(v$_S$, v$_T$)} where v$_S$ and
v$_T$ are a couple of possible counter examples for which the constraint
trees produce a different result.
\subsection{Statements}
\label{sec:orgccf94c1}
Theorem. We say that a translation of a source program to a decision tree
is correct when for every possible input, the source program and its
respective decision tree produces the same result
\begin{center}
\begin{tabular}{l}
$\forall$v$_S$, t$_S$(v$_S$) = $\llbracket$t$_S$$\rrbracket$$_S$(v$_S$)\\
\end{tabular}
\end{center}
Likewise, for the target language:
\begin{center}
\begin{tabular}{l}
$\forall$v$_T$, t$_T$(v$_T$) = $\llbracket$t$_T$$\rrbracket$$_T$(v$_T$)\\
\end{tabular}
\end{center}
Definition: in the presence of guards we can say that two results are
equivalent modulo the guards queue, written \emph{r$_1$ $\simeq$gs r$_2$}, when:
\begin{center}
\begin{tabular}{l}
(gs$_1$, r$_1$) $\simeq$gs (gs$_2$, r$_2$) $\Leftrightarrow$ (gs$_1$, r$_1$) = (gs$_2$ ++ gs, r$_2$)\\
\end{tabular}
\end{center}
Definition: we say that C$_T$ covers the input space \emph{S}, written
/covers(C$_T$, S) when every value v$_S$$\in $S is a valid input to the
decision tree C$_T$. (TODO: rephrase)
Theorem: Given an input space \emph{S} and a couple of decision trees, where
the target decision tree C$_T$ covers the input space \emph{S}, we say that
the two decision trees are equivalent when:
\begin{center}
\begin{tabular}{l}
equiv(S, C$_S$, C$_T$, gs) = Yes $\wedge$ covers(C$_T$, S) $\to$ $\forall$v$_S$$\simeq$v$_T$ $\in $ S, C$_S$(v$_S$) $\simeq$gs C$_T$(v$_T$)\\
\end{tabular}
\end{center}
Similarly we say that a couple of decision trees in the presence of
an input space \emph{S} are \emph{not} equivalent when:
\begin{center}
\begin{tabular}{l}
equiv(S, C$_S$, C$_T$, gs) = No(v$_S$,v$_T$) $\wedge$ covers(C$_T$, S) $\to$ v$_S$$\simeq$v$_T$ $\in $ S $\wedge$ C$_S$(v$_S$) $\ne$gs C$_T$(v$_T$)\\
\end{tabular}
\end{center}
Corollary: For a full input space \emph{S}, that is the universe of the
target program we say:
\begin{center}
\begin{tabular}{l}
equiv(S, $\llbracket$t$_S$$\rrbracket$$_S$, $\llbracket$t$_T$$\rrbracket$$_T$, $\varnothing$) = Yes $\Leftrightarrow$ t$_S$ $\simeq$ t$_T$\\
\end{tabular}
\end{center}
\begin{enumerate}
\item Proof of the correctness of the translation from source programs to source decision trees
\label{sec:orgfa2a152}
We define a source term t$_S$ as a collection of patterns pointing to blackboxes
\begin{center}
\begin{tabular}{l}
t$_S$ ::= (p $\to$ bb)\(^{\text{i$\in $I}}\)\\
\end{tabular}
\end{center}
A pattern is defined as either a constructor pattern, an or pattern or
a constant pattern
\begin{center}
\begin{tabular}{lllll}
p ::= & K(p$_i$)$^i$, i $\in $ I & (p & q) & n $\in $ $\mathbb{N}$\\
\end{tabular}
\end{center}
A decision tree is defined as either a Leaf, a Failure terminal or
an intermediate node with different children sharing the same accessor \emph{a}
and an optional fallback.
Failure is emitted only when the patterns don't cover the whole set of
possible input values \emph{S}. The fallback is not needed when the user
doesn't use a wildcard pattern.
\%\%\% Give example of thing
\begin{center}
\begin{tabular}{ll}
C$_S$ ::= Leaf bb & Node(a, (K$_i$ $\to$ C$_i$)\(^{\text{i$\in $S}}\) , C?)\\
a ::= Here & n.a\\
v$_S$ ::= K(v$_i$)\(^{\text{i$\in $I}}\) & n $\in $ $\mathbb{N}$\\
\end{tabular}
\end{center}
\begin{comment}
Are K and Here clear here?
\end{comment}
We define the decomposition matrix \emph{m$_S$} as
\begin{center}
\begin{tabular}{l}
SMatrix m$_S$ := (a$_j$)\(^{\text{j$\in $J}}\), ((p\(_{\text{ij}}\))\(^{\text{j$\in $J}}\) $\to$ bb$_i$)\(^{\text{i$\in $I}}\)\\
\end{tabular}
\end{center}
\begin{comment}
Correggi prendendo in considerazione l'accessor
\end{comment}
We define the decision tree of source programs
$\llbracket$t$_S$$\rrbracket$
in terms of the decision tree of pattern matrices
$\llbracket$m$_S$$\rrbracket$
by the following:
$\llbracket$((p$_i$ $\to$ bb$_i$)\(^{\text{i$\in $I}}\)$\rrbracket$ := $\llbracket$(Root), (p$_i$ $\to$ bb$_i$)\(^{\text{i$\in $I}}\) $\rrbracket$
decision tree computed from pattern matrices respect the following invariant:
\begin{center}
\begin{tabular}{l}
$\forall$v (v$_i$)\(^{\text{i$\in $I}}\) = v(a$_i$)\(^{\text{i$\in $I}}\) $\to$ $\llbracket$m$\rrbracket$(v) = m(v$_i$)\(^{\text{i$\in $I}}\) for m = ((a$_i$)\(^{\text{i$\in $I}}\), (r$_i$)\(^{\text{i$\in $I}}\))\\
\end{tabular}
\end{center}
where
\begin{center}
\begin{tabular}{l}
v(Here) = v\\
K(v$_i$)$^i$(k.a) = v$_k$(a) if k $\in $ [0;n[\\
\end{tabular}
\end{center}
\begin{comment}
TODO: EXPLAIN
\end{comment}
We proceed to show the correctness of the invariant by a case
analysys.
Base cases:
\begin{enumerate}
\item\relax [| $\varnothing$, ($\varnothing$ $\to$ bb$_i$)$^i$ |] := Leaf bb$_i$ where i := min(I), that is a
decision tree [|ms|] defined by an empty accessor and empty
patterns pointing to blackboxes \emph{bb$_i$}. This respects the invariant
because a decomposition matrix in the case of empty rows returns
the first expression and we known that (Leaf bb)(v) := Match bb
\item\relax [| (a$_j$)$^j$, $\varnothing$ |] := Failure
\end{enumerate}
Regarding non base cases:
Let's first define
\begin{center}
\begin{tabular}{l}
let Idx(k) := [0; arity(k)[\\
let First($\varnothing$) := $\bot$\\
let First((a$_j$)$^j$) := a\(_{\text{min(j$\in $J$\ne$$\varnothing$)}}\)\\
\end{tabular}
\end{center}
\[
m := ((a_i)^i ((p_{ij})^i \to e_j)^{ij})
\]
\[
(k_k)^k := headconstructor(p_{i0})^i
\]
\begin{equation}
Groups(m) := ( k_k \to ((a)_{0.l})^{l \in Idx(k_k)} +++ (a_i)^{i \in I\backslash \{0\} }), \\
( if p_{0j} is k(q_l) then \\
(q_l)^{l \in Idx(k_k)} +++ (p_{ij})^{i \in I\backslash \{0\}} \to e_j \\
if p_{0j} is \_ then \\
(\_)^{l \in Idx(k_k)} +++ (p_{ij})^{i \in I\backslash \{0\}} \to e_j \\
else \bot )^j ), \\
((a_i)^{i \in I\backslash \{0\}}, ((p_{ij})^{i \in I\backslash \{0\}} \to e_j if p_{0j} is \_ else \bot)^{j \in J})
\end{equation}
Groups(m) is an auxiliary function that decomposes a matrix m into
submatrices, according to the head constructor of their first pattern.
Groups(m) returns one submatrix m\_r for each head constructor k that
occurs on the first row of m, plus one "wildcard submatrix" m\(_{\text{wild}}\)
that matches on all values that do not start with one of those head
constructors.
Intuitively, m is equivalent to its decompositionin the following
sense: if the first pattern of an input vector (v\_i)\^{}i starts with one
of the head constructors k, then running (v\_i)\^{}i against m is the same
as running it against the submatrix m\_k; otherwise (its head
constructor is none of the k) it is equivalent to running it against
the wildcard submatrix.
We formalize this intuition as follows:
Lemma (Groups):
Let \[m\] be a matrix with \[Groups(m) = (k_r \to m_r)^k, m_{wild}\].
For any value vector \[(v_i)^l\] such that \[v_0 = k(v'_l)^l\] for some
constructor k,
we have:
\[
if k = k_k for some k then
m(v_i)^i = m_k((v'_l)^l +++ (v_i)^{i\in I\backslash \{0\}})
else
m(v_i)^i = m_{wild}(v_i)^{i\in I\backslash \{0\}}
\]
\item Proof:
\label{sec:org8dad6fc}
Let \[m\] be a matrix with \[Group(m) = (k_r \to m_r)^k, m_{wild}\].
Let \[(v_i)^i\] be an input matrix with \[v_0 = k(v'_l)^l\] for some k.
We proceed by case analysis:
\begin{itemize}
\item either k is one of the k$_k$ for some k
\item or k is none of the (k$_k$)$^k$
\end{itemize}
Both m(v$_i$)$^i$ and m$_k$(v$_k$)$^k$ are defined as the first matching result of
a family over each row r$_j$ of a matrix
We know, from the definition of
Groups(m), that m$_k$ is
\[
((a){0.l})^{l\in Idx(k_k)} +++ (a_i)^{i\in I\backslash \{0\}}),
(
if p_{0j} is k(q_l) then
(q_l)^l +++ (p_{ij})^{i\in I\backslash \{0\}} \to e_j
if p_{0j} is _ then
(_)^l +++ (p_{ij})^{i\in I\backslash \{0\}} \to e_j
else \bot
)^j
\]
By definition, m(v$_i$)$^i$ is
m(v$_i$)$^i$ = First(r$_j$(v$_i$)$^i$)$^j$ for m = ((a$_i$)$^i$, (r$_j$)$^j$)
(p$_i$)$^i$ (v$_i$)$^i$ = \{
if p$_0$ = k(q$_l$)$^l$, v$_0$ = k'(v'$_k$)$^k$, k=Idx(k') and l=Idx(k)
if k $\ne$ k' then $\bot$
if k = k' then ((q$_l$)$^l$ \sout{+} (p$_i$)\(^{\text{i$\in $I}\backslash\ \text{$\backslash${0$\backslash$}}}\)) ((v'$_k$)$^k$ \sout{+} (v$_i$)\(^{\text{i$\in $I}\backslash\ \text{$\backslash${0$\backslash$}}}\))
if p$_0$ = (q$_1$|q$_2$) then
First( (q$_1$p$_i$\(^{\text{i$\in $I }\backslash\ \text{$\backslash${0$\backslash$}}}\)) v$_i$\(^{\text{i$\in $I }\backslash\ \text{$\backslash${0$\backslash$}}}\), (q$_2$p$_i$\(^{\text{i$\in $I }\backslash\ \text{$\backslash${0$\backslash$}}}\)) v$_i$\(^{\text{i$\in $I }\backslash\ \text{$\backslash${0$\backslash$}}}\) )
\}
For this reason, if we can prove that
\begin{center}
\begin{tabular}{l}
$\forall$j, r$_j$(v$_i$)$^i$ = r'$_j$((v'$_k$)$^k$ ++ (v$_i$)$^i$)\\
\end{tabular}
\end{center}
it follows that
\begin{center}
\begin{tabular}{l}
m(v$_i$)$^i$ = m$_k$((v'$_k$)$^k$ ++ (v$_i$)$^i$)\\
\end{tabular}
\end{center}
from the above definition.
We can also show that a$_i$ = a\(_{\text{0.l}}\)$^l$ \sout{+} a\(_{\text{i$\in $I}\backslash\ \text{$\backslash${0$\backslash$}}}\) because v(a$_0$) = K(v(a)\{0.l\})$^l$)
\end{enumerate}
\subsection{Proof of equivalence checking}
\label{sec:orgffce3ea}
\begin{comment}
TODO: put ^i$\in $I where needed
\end{comment}
\subsubsection{The trimming lemma}
The trimming lemma allows to reduce the size of a decision tree given
an accessor $\to$ $\pi$ relation (TODO: expand)
\begin{center}
\begin{tabular}{l}
$\forall$v$_T$ $\in $ (a$\to$$\pi$), C$_T$(v$_T$) = C\(_{\text{t/a$\to$$\pi$(k$_i$)}}\)(v$_T$)\\
\end{tabular}
\end{center}
We prove this by induction on C$_T$:
a. C$_T$ = Leaf\(_{\text{bb}}\): when the decision tree is a leaf terminal, we
know that
\begin{center}
\begin{tabular}{l}
Leaf\(_{\text{bb/a$\to$$\pi$}}\)(v) = Leaf\(_{\text{bb}}\)(v)\\
\end{tabular}
\end{center}
That means that the result of trimming on a Leaf is the Leaf itself
b. The same applies to Failure terminal
\begin{center}
\begin{tabular}{l}
Failure\(_{\text{/a$\to$$\pi$}}\)(v) = Failure(v)\\
\end{tabular}
\end{center}
c. When C$_T$ = Node(b, ($\pi$$\to$C$_i$)$^i$)\(_{\text{/a$\to$$\pi$}}\) then
we look at the accessor \emph{a} of the subtree C$_i$ and
we define $\pi$$_i$' = $\pi$$_i$ if a$\ne$b else $\pi$$_i$$\cap$$\pi$
Trimming a switch node yields the following result:
\begin{center}
\begin{tabular}{l}
Node(b, ($\pi$$\to$C$_i$)$^i$)\(_{\text{/a$\to$$\pi$}}\) := Node(b, ($\pi$'$_i$$\to$C\(_{\text{i/a$\to$$\pi$}}\))$^i$)\\
\end{tabular}
\end{center}
\begin{comment}
Actually in the proof.org file I transcribed:
e. Unreachabe $\to$ $\bot$
This is not correct because you don't have Unreachable nodes in target decision trees
\end{comment}
For the trimming lemma we have to prove that running the value v$_T$ against
the decistion tree C$_T$ is the same as running v$_T$ against the tree
C\(_{\text{trim}}\) that is the result of the trimming operation on C$_T$
\begin{center}
\begin{tabular}{l}
C$_T$(v$_T$) = C\(_{\text{trim}}\)(v$_T$) = Node(b, ($\pi$$_i$'$\to$C\(_{\text{i/a$\to$$\pi$}}\))$^i$)(v$_T$)\\
\end{tabular}
\end{center}
We can reason by first noting that when v$_T$$\notin$(b$\to$$\pi$$_i$)$^i$ the node must be a Failure node.
In the case where $\exists$k| v$_T$$\in $(b$\to$$\pi$$_k$) then we can prove that
\begin{center}
\begin{tabular}{l}
C\(_{\text{k/a$\to$$\pi$}}\)(v$_T$) = Node(b, ($\pi$$_i$'$\to$C\(_{\text{i/a$\to$$\pi$}}\))$^i$)(v$_T$)\\
\end{tabular}
\end{center}
because when a $\ne$ b then $\pi$$_k$'= $\pi$$_k$ and this means that v$_T$$\in $$\pi$$_k$'
while when a = b then $\pi$$_k$'=($\pi$$_k$$\cap$$\pi$) and vt$\in $$\pi$$_k$' because:
\begin{itemize}
\item by the hypothesis, v$_T$$\in $$\pi$
\item we are in the case where v$_T$$\in $$\pi$$_k$
\end{itemize}
So v$_T$ $\in $ $\pi$$_k$' and by induction
\begin{center}
\begin{tabular}{l}
C$_k$(v$_T$) = C\(_{\text{k/a$\to$$\pi$}}\)(v$_T$)\\
\end{tabular}
\end{center}
We also know that $\forall$v$_T$$\in $(b$\to$$\pi$$_k$) $\to$ C$_T$(v$_T$) = C$_k$(v$_T$)
By putting together the last two steps, we have proven the trimming
lemma.
\begin{comment}
TODO: what should I say about covering??? I swap $\pi$ and $\pi$'
Covering lemma:
$\forall$a,$\pi$ covers(C$_T$,S) $\to$ covers(C_{t/a$\to$$\pi$}, (S$\cap$a$\to$$\pi$))
U$_i$$\pi$$^i$ $\approx$ U$_i$$\pi$'$\cap$(a$\to$$\pi$) $\approx$ (U$_i$$\pi$')$\cap$(a$\to$$\pi$) %%
%%%%%%% Also: Should I swap $\pi$ and $\pi$' ?
\end{comment}
\subsubsection{Equivalence checking}
The equivalence checking algorithm takes as parameters an input space
\emph{S}, a source decision tree \emph{C$_S$} and a target decision tree \emph{C$_T$}:
\begin{center}
\begin{tabular}{ll}
equiv(S, C$_S$, C$_T$) $\to$ Yes & No(v$_S$, v$_T$)\\
\end{tabular}
\end{center}
When the algorithm returns Yes and the input space is covered by \emph{C$_S$}
we can say that the couple of decision trees are the same for
every couple of source value \emph{v$_S$} and target value \emph{v$_T$} that are equivalent.
\begin{comment}
Define "covered"
Is it correct to say the same? How to correctly distinguish in words $\simeq$ and = ?
\end{comment}
\begin{center}
\begin{tabular}{l}
equiv(S, C$_S$, C$_T$) = Yes and cover(C$_T$, S) $\to$ $\forall$ v$_S$ $\simeq$ v$_T$$\in $S $\wedge$ C$_S$(v$_S$) = C$_T$(v$_T$)\\
\end{tabular}
\end{center}
In the case where the algorithm returns No we have at least a couple
of counter example values v$_S$ and v$_T$ for which the two decision trees
outputs a different result.
\begin{center}
\begin{tabular}{l}
equiv(S, C$_S$, C$_T$) = No(v$_S$,v$_T$) and cover(C$_T$, S) $\to$ $\forall$ v$_S$ $\simeq$ v$_T$$\in $S $\wedge$ C$_S$(v$_S$) $\ne$ C$_T$(v$_T$)\\
\end{tabular}
\end{center}
We define the following
\begin{center}
\begin{tabular}{l}
Forall(Yes) = Yes\\
Forall(Yes::l) = Forall(l)\\
Forall(No(v$_S$,v$_T$)::\_) = No(v$_S$,v$_T$)\\
\end{tabular}
\end{center}
There exists and are injective:
\begin{center}
\begin{tabular}{l}
int(k) $\in $ $\mathbb{N}$ (arity(k) = 0)\\
tag(k) $\in $ $\mathbb{N}$ (arity(k) > 0)\\
$\pi$(k) = \{n\(\vert{}\) int(k) = n\} x \{n\(\vert{}\) tag(k) = n\}\\
\end{tabular}
\end{center}
where k is a constructor.
\begin{comment}
TODO: explain:
$\forall$v$\in $a$\to$$\pi$, C_{/a$\to$$\pi$}(v) = C(v)
\end{comment}
We proceed by case analysis:
\begin{comment}
I start numbering from zero to leave the numbers as they were on the blackboard, were we skipped some things
I think the unreachable case should go at the end.
\end{comment}
\begin{enumerate}
\item in case of unreachable:
\end{enumerate}
\begin{center}
\begin{tabular}{l}
C$_S$(v$_S$) = Absurd(Unreachable) $\ne$ C$_T$(v$_T$) $\forall$v$_S$,v$_T$\\
\end{tabular}
\end{center}
\begin{enumerate}
\item In the case of an empty input space
\begin{center}
\begin{tabular}{l}
equiv($\varnothing$, C$_S$, C$_T$) := Yes\\
\end{tabular}
\end{center}
and that is trivial to prove because there is no pair of values (v$_S$, v$_T$) that could be
tested against the decision trees.
In the other subcases S is always non-empty.
\item When there are \emph{Failure} nodes at both sides the result is \emph{Yes}:
\begin{center}
\begin{tabular}{l}
equiv(S, Failure, Failure) := Yes\\
\end{tabular}
\end{center}
Given that $\forall$v, Failure(v) = Failure, the statement holds.
\item When we have a Leaf or a Failure at the left side:
\begin{center}
\begin{tabular}{l}
equiv(S, Failure as C$_S$, Node(a, ($\pi$$_i$ $\to$ C$_T$$_i$)$^i$)) := Forall(equiv( S$\cap$a$\to$$\pi$(k$_i$)), C$_S$, C$_T$$_i$)$^i$)\\
equiv(S, Leaf bb$_S$ as C$_S$, Node(a, ($\pi$$_i$ $\to$ C$_T$$_i$)$^i$)) := Forall(equiv( S$\cap$a$\to$$\pi$(k$_i$)), C$_S$, C$_T$$_i$)$^i$)\\
\end{tabular}
\end{center}
The algorithm either returns Yes for every sub-input space S$_i$ := S$\cap$(a$\to$$\pi$(k$_i$)) and
subtree C$_T$$_i$
\begin{center}
\begin{tabular}{l}
equiv(S$_i$, C$_S$, C$_T$$_i$) = Yes $\forall$i\\
\end{tabular}
\end{center}
or we have a counter example v$_S$, v$_T$ for which
\begin{center}
\begin{tabular}{l}
v$_S$$\simeq$v$_T$$\in $S$_k$ $\wedge$ c$_S$(v$_S$) $\ne$ C$_T$$_k$(v$_T$)\\
\end{tabular}
\end{center}
then because
\begin{center}
\begin{tabular}{l}
v$_T$$\in $(a$\to$$\pi$$_k$) $\to$ C$_T$(v$_T$) = C$_T$$_k$(v$_T$) ,\\
v$_S$$\simeq$v$_T$$\in $S $\wedge$ C$_S$(v$_S$)$\ne$C$_T$(v$_T$)\\
\end{tabular}
\end{center}
we can say that
\begin{center}
\begin{tabular}{l}
equiv(S$_i$, C$_S$, C$_T$$_i$) = No(v$_S$, v$_T$) for some minimal k$\in $I\\
\end{tabular}
\end{center}
\item When we have a Node on the right we define $\pi$$_n$ as the domain of
values not covered but the union of the constructors k$_i$
\begin{center}
\begin{tabular}{l}
$\pi$$_n$ = ¬($\bigcup$$\pi$(k$_i$)$^i$)\\
\end{tabular}
\end{center}
The algorithm proceeds by trimming
\begin{center}
\begin{tabular}{l}
equiv(S, Node(a, (k$_i$ $\to$ C$_S$$_i$)$^i$, C\(_{\text{sf}}\)), C$_T$) :=\\
Forall(equiv( S$\cap$(a$\to$$\pi$(k$_i$)$^i$), C$_S$$_i$, C\(_{\text{t/a$\to$$\pi$(k$_i$)}}\))$^i$ \sout{+} equiv(S$\cap$(a$\to$$\pi$(k$_i$)), C$_S$, C\(_{\text{a$\to$$\pi$$_n$}}\)))\\
\end{tabular}
\end{center}
The statement still holds and we show this by first analyzing the
\emph{Yes} case:
\begin{center}
\begin{tabular}{l}
Forall(equiv( S$\cap$(a$\to$$\pi$(k$_i$)$^i$), C$_S$$_i$, C\(_{\text{t/a$\to$$\pi$(k$_i$)}}\))$^i$ = Yes\\
\end{tabular}
\end{center}
The constructor k is either included in the set of constructors k$_i$:
\begin{center}
\begin{tabular}{l}
k \(\vert{}\) k$\in $(k$_i$)$^i$ $\wedge$ C$_S$(v$_S$) = C$_S$$_i$(v$_S$)\\
\end{tabular}
\end{center}
We also know that
\begin{center}
\begin{tabular}{l}
(1) C$_S$$_i$(v$_S$) = C\(_{\text{t/a$\to$$\pi$$_i$}}\)(v$_T$)\\
(2) C\(_{\text{T/a$\to$$\pi$$_i$}}\)(v$_T$) = C$_T$(v$_T$)\\
\end{tabular}
\end{center}
(1) is true by induction and (2) is a consequence of the trimming lemma.
Putting everything together:
\begin{center}
\begin{tabular}{l}
C$_S$(v$_S$) = C$_S$$_i$(v$_S$) = C\(_{\text{T/a$\to$$\pi$$_i$}}\)(v$_T$) = C$_T$(v$_T$)\\
\end{tabular}
\end{center}
When the k$\notin$(k$_i$)$^i$ [TODO]
The auxiliary Forall function returns \emph{No(v$_S$, v$_T$)} when, for a minimum k,
\begin{center}
\begin{tabular}{l}
equiv(S$_k$, C$_S$$_k$, C\(_{\text{T/a$\to$$\pi$$_k$}}\) = No(v$_S$, v$_T$)\\
\end{tabular}
\end{center}
Then we can say that
\begin{center}
\begin{tabular}{l}
C$_S$$_k$(v$_S$) $\ne$ C\(_{\text{t/a$\to$$\pi$$_k$}}\)(v$_T$)\\
\end{tabular}
\end{center}
that is enough for proving that
\begin{center}
\begin{tabular}{l}
C$_S$$_k$(v$_S$) $\ne$ (C\(_{\text{t/a$\to$$\pi$$_k$}}\)(v$_T$) = C$_T$(v$_T$))\\
\end{tabular}
\end{center}
\end{enumerate}
\end{document}