UniTO/tesi/gabriel/part4_unicode.org
2020-04-11 00:26:05 +02:00

27 KiB
Raw Blame History

Translation validation of the Pattern Matching Compiler

Source program

The algorithm takes as its input a source program and translates it into an algebraic data structure which type we call decision_tree.

type decision_tree =
  | Unreachable
  | Failure
  | Leaf of source_expr
  | Guard of source_blackbox * decision_tree * decision_tree
  | Switch of accessor * (constructor * decision_tree) list * decision_tree

Unreachable, Leaf of source_expr and Failure are the terminals of the three. We distinguish

  • Unreachable: statically it is known that no value can go there
  • Failure: a value matching this part results in an error
  • Leaf: a value matching this part results into the evaluation of a source black box of code

The algorithm doesn't support type-declaration-based analysis to know the list of constructors at a given type. Let's consider some trivial examples:

function true -> 1

is translated to

Switch ([(true, Leaf 1)], Failure)

while

function 
true -> 1 
| false -> 2

will be translated to

Switch ([(true, Leaf 1); (false, Leaf 2)])

It is possible to produce Unreachable examples by using refutation clauses (a "dot" in the right-hand-side)

function 
true -> 1 
| false -> 2 
| _ -> .

that gets translated into Switch ([(true, Leaf 1); (false, Leaf 2)], Unreachable)

We trust this annotation, which is reasonable as the type-checker verifies that it indeed holds.

Guard nodes of the tree are emitted whenever a guard is found. Guards node contains a blackbox of code that is never evaluated and two branches, one that is taken in case the guard evaluates to true and the other one that contains the path taken when the guard evaluates to true.

\begin{comment} [ ] Finisci con Switch [ ] Spiega del fallback [ ] rivedi compilazione per tenere in considerazione il tuo albero invece che le Lambda \end{comment}

The source code of a pattern matching function has the following form:

match variable with
| pattern₁ → expr₁
| pattern₂ when guard → expr₂
| pattern₃ as var → expr₃
| pₙ → exprₙ

Patterns could or could not be exhaustive.

Pattern matching code could also be written using the more compact form:

| pattern₁ → expr₁
| pattern₂ when guard → expr₂
| pattern₃ as var → expr₃
| pₙ → exprₙ

This BNF grammar describes formally the grammar of the source program:

start ::= "match" id "with" patterns | "function" patterns
patterns ::= (pattern0|pattern1) pattern1+
;; pattern0 and pattern1 are needed to distinguish the first case in which
;; we can avoid writing the optional vertical line
pattern0 ::= clause
pattern1 ::= "|" clause
clause ::= lexpr "->" rexpr
lexpr ::= rule (ε|condition)
rexpr ::= _code ;; arbitrary code
rule ::= wildcard|variable|constructor_pattern|or_pattern ;;
;; rules
wildcard ::= "_"
variable ::= identifier
constructor_pattern ::= constructor (rule|ε) (assignment|ε)
constructor ::= int|float|char|string|bool |unit|record|exn|objects|ref |list|tuple|array|variant|parameterized_variant ;; data types
or_pattern ::= rule ("|" wildcard|variable|constructor_pattern)+
condition ::= "when" bexpr
assignment ::= "as" id
bexpr ::= _code ;; arbitrary code

A source program tₛ is a collection of pattern clauses pointing to bb terms. Running a program tₛ against an input value vₛ produces as a result r:

tₛ ::= (p → bb)i∈I
p ::= | K(pᵢ)ⁱ, i ∈ I | (p|q) | n ∈
r ::= guard list * (Match bb | NoMatch | Absurd)
tₛ(vₛ) → r

TODO: argument on what it means to run a source program

guard and bb expressions are treated as blackboxes of OCaml code. A sound approach for treating these blackboxes would be to inspect the OCaml compiler during translation to Lambda code and extract the blackboxes compiled in their Lambda representation. This would allow to test for equality with the respective blackbox at the target level. Given that this level of introspection is currently not possibile, we decided to restrict the structure of blackboxes to the following (valid) OCaml code:

external guard : 'a -> 'b = "guard"
external observe : 'a -> 'b = "observe"

We assume these two external functions guard and observe with a valid type that lets the user pass any number of arguments to them. All the guards are of the form \texttt{guard <arg> <arg> <arg>}, where the <arg> are expressed using the OCaml pattern matching language. Similarly, all the right-hand-side expressions are of the form \texttt{observe <arg> <arg> …} with the same constraints on arguments.

type t = K1 | K2 of t (* declaration of an algebraic and recursive datatype t *)

let _ = function
  | K1 -> observe 0
  | K2 K1 -> observe 1
  | K2 x when guard x -> observe 2
  | K2 (K2 x) as y when guard x y -> observe 3
  | K2 _ -> observe 4

In our prototype we make use of accessors to encode stored values. \begin{minipage}{0.2\linewidth}

\begin{verbatim} let value = 1 :: 2 :: 3 :: [] (* that can also be written *) let value = [] |> List.cons 3 |> List.cons 2 |> List.cons 1 \end{verbatim}

\end{minipage} \hfill \begin{minipage}{0.5\linewidth}

\begin{verbatim} (field 0 x) = 1 (field 0 (field 1 x)) = 2 (field 0 (field 1 (field 1 x)) = 3 (field 0 (field 1 (field 1 (field 1 x)) = [] \end{verbatim}

\end{minipage} An \emph{accessor} a represents the access path to a value that can be reached by deconstructing the scrutinee.

a ::= Here | n.a

The above example, in encoded form:

\begin{verbatim} Here = 1 1.Here = 2 1.1.Here = 3 1.1.1.Here = [] \end{verbatim}

In our prototype the source matrix mₛ is defined as follows

SMatrix mₛ := (aⱼ)j∈J, ((pij)j∈J → bbᵢ)i∈I

Source matrices are used to build source decision trees Cₛ. A decision tree is defined as either a Leaf, a Failure terminal or an intermediate node with different children sharing the same accessor a and an optional fallback. Failure is emitted only when the patterns don't cover the whole set of possible input values S. The fallback is not needed when the user doesn't use a wildcard pattern. %%% Give example of thing

Cₛ ::= Leaf bb | Switch(a, (Kᵢ → Cᵢ)i∈S , C?) | Failure | Unreachable
vₛ ::= K(vᵢ)i∈I | n ∈
\begin{comment} Are K and Here clear here? \end{comment}

We say that a translation of a source program to a decision tree is correct when for every possible input, the source program and its respective decision tree produces the same result

∀vₛ, tₛ(vₛ) = 〚tₛ〛ₛ(vₛ)

We define the decision tree of source programs 〚tₛ〛 in terms of the decision tree of pattern matrices 〚mₛ〛 by the following:

〚((pᵢ → bbᵢ)i∈I〛 := 〚(Here), (pᵢ → bbᵢ)i∈I

Decision tree computed from pattern matrices respect the following invariant:

∀v (vᵢ)i∈I = v(aᵢ)i∈I → 〚m〛(v) = m(vᵢ)i∈I for m = ((aᵢ)i∈I, (rᵢ)i∈I)
v(Here) = v
K(vᵢ)ⁱ(k.a) = vₖ(a) if k ∈ [0;n[
\begin{comment} TODO: EXPLAIN \end{comment}

We proceed to show the correctness of the invariant by a case analysys.

Base cases:

  1. [| ∅, (∅ → bbᵢ)ⁱ |] ≡ Leaf bbᵢ where i := min(I), that is a decision tree [|ms|] defined by an empty accessor and empty patterns pointing to blackboxes bbᵢ. This respects the invariant because a source matrix in the case of empty rows returns the first expression and (Leaf bb)(v) := Match bb
  2. [| (aⱼ)ʲ, ∅ |] ≡ Failure

Regarding non base cases: Let's first define

let Idx(k) := [0; arity(k)[
let First(∅) := ⊥
let First((aⱼ)ʲ) := amin(j∈J≠∅)

\[ m := ((a_i)^i ((p_{ij})^i \to e_j)^{ij}) \] \[ (k_k)^k := headconstructor(p_{i0})^i \]

\begin{equation} Groups(m) := ( k_k \to ((a)_{0.l})^{l \in Idx(k_k)} +++ (a_i)^{i \in I\DZ}), \\ ( if p_{0j} is k(q_l) then \\ (qₗ)^{l \in Idx(k_k)} +++ (p_{ij})^{i \in I\DZ} \to e_j \\ if p_{0j} is \_ then \\ (\_)^{l \in Idx(k_k)} +++ (p_{ij})^{i \in I\DZ} \to e_j \\ else \bot )^j ), \\ ((a_i)^{i \in I\DZ}, ((p_{ij})^{i \in I\DZ} \to eⱼ if p_{0j} is \_ else \bot)^{j \in J}) \end{equation}

Groups(m) is an auxiliary function that source a matrix m into submatrices, according to the head constructor of their first pattern. Groups(m) returns one submatrix m_r for each head constructor k that occurs on the first row of m, plus one "wildcard submatrix" mwild that matches on all values that do not start with one of those head constructors.

Intuitively, m is equivalent to its decomposition in the following sense: if the first pattern of an input vector (vᵢ)ⁱ starts with one of the head constructors k, then running (vᵢ)ⁱ against m is the same as running it against the submatrix mₖ; otherwise (its head constructor is none of the k) it is equivalent to running it against the wildcard submatrix.

We formalize this intuition as follows: Lemma (Groups): Let \[m\] be a matrix with \[Groups(m) = (k_r \to m_r)^k, m_{wild}\]. For any value vector $(v_i)^l$ such that $v_0 = k(v'_l)^l$ for some constructor k, we have:

if k = kₖ \text{ for some k then}
\quad m(vᵢ)ⁱ = mₖ((vl')ˡ + (vi)i∈I\DZ)
\text{else}
\quad m(vᵢ)ⁱ = mwild(vᵢ)i∈I\DZ
\begin{comment} TODO: fix \{0} \end{comment}

Proof:

Let $m$ be a matrix with \[Group(m) = (k_r \to m_r)^k, m_{wild}\] Let $(v_i)^i$ be an input matrix with $v_0 = k(v'_l)^l$ for some k. We proceed by case analysis:

  • either k is one of the kₖ for some k
  • or k is none of the (kₖ)ᵏ

Both m(vᵢ)ⁱ and mₖ(vₖ)ᵏ are defined as the first matching result of a family over each row rⱼ of a matrix

We know, from the definition of Groups(m), that mₖ is

((a){0.l})l∈Idx(kₖ) + (aᵢ)i∈I\DZ),
(
\quad if p0j is k(qₗ) then
\quad \quad (qₗ)ˡ + (pij)i∈I\DZ → eⱼ
\quad if p0j is _ then
\quad \quad (_)ˡ + (pij)i∈I\DZ → eⱼ
\quad else ⊥
)j∈J

By definition, m(vᵢ)ⁱ is

m(vᵢ)ⁱ = First(rⱼ(vᵢ)ⁱ)ʲ for m = ((aᵢ)ⁱ, (rⱼ)ʲ)
(pᵢ)ⁱ (vᵢ)ⁱ = {
\quad if p₀ = k(qₗ)ˡ, v₀ = k'(v'ₖ)ᵏ, k=Idx(k') and l=Idx(k)
\quad \quad if k ≠ k' then ⊥
if k = k' then ((qₗ)ˡ + (pᵢ)i∈I\DZ) ((v'ₖ)ᵏ + (vᵢ)i∈I\DZ )
if p₀ = (q₁|q₂) then
First( (q₁pᵢi∈I\DZ) vᵢi∈I\DZ, (q₂pᵢi∈I \DZ) vᵢi∈I\DZ)}

For this reason, if we can prove that

∀j, rⱼ(vᵢ)ⁱ = r'ⱼ((v'ₖ)ᵏ ++ (vᵢ)ⁱ)

it follows that

m(vᵢ)ⁱ = mₖ((v'ₖ)ᵏ ++ (vᵢ)ⁱ)

from the above definition.

We can also show that aᵢ = (a0.l+ ai∈I\DZ because v(a₀) = K(v(a){0.l})ˡ)

Target translation

The target program of the following general form is parsed using a parser generated by Menhir, a LR(1) parser generator for the OCaml programming language. Menhir compiles LR(1) a grammar specification, in this case a subset of the Lambda intermediate language, down to OCaml code. This is the grammar of the target language (TODO: check menhir grammar)

start ::= sexpr
sexpr ::= variable | string | "(" special_form ")"
string ::= "\"" identifier "\"" ;; string between doublequotes
variable ::= identifier
special_form ::= let|catch|if|switch|switch-star|field|apply|isout
let ::= "let" assignment sexpr ;; (assignment sexpr)+ outside of pattern match code
assignment ::= "function" variable variable+ ;; the first variable is the identifier of the function
field ::= "field" digit variable
apply ::= ocaml_lambda_code ;; arbitrary code
catch ::= "catch" sexpr with sexpr
with ::= "with" "(" label ")"
exit ::= "exit" label
switch-star ::= "switch*" variable case*
switch::= "switch" variable case* "default:" sexpr
case ::= "case" casevar ":" sexpr
casevar ::= ("tag"|"int") integer
if ::= "if" bexpr sexpr sexpr
bexpr ::= "(" ("!="|"="\vert{}">"|"<="|">"|"<") sexpr digit | field ")"
label ::= integer

The prototype doesn't support strings.

The AST built by the parser is traversed and evaluated by the symbolic execution engine. Given that the target language supports jumps in the form of "catch - exit" blocks the engine tries to evaluate the instructions inside the blocks and stores the result of the partial evaluation into a record. When a jump is encountered, the information at the point allows to finalize the evaluation of the jump block. In the environment the engine also stores bindings to values and functions. Integer additions and subtractions are simplified in a second pass. The result of the symbolic evaluation is a target decision tree Cₜ

Cₜ ::= Leaf bb | Switch(a, (πᵢ → Cᵢ)i∈S , C?) | Failure
vₜ ::= Cell(tag ∈ , (vᵢ)i∈I) | n ∈

Every branch of the decision tree is "constrained" by a domain

Domain π = { n|n∈ x n|n∈Tag⊆ }

Intuitively, the π condition at every branch tells us the set of possible values that can "flow" through that path. π conditions are refined by the engine during the evaluation; at the root of the decision tree the domain corresponds to the set of possible values that the type of the function can hold. C? is the fallback node of the tree that is taken whenever the value at that point of the execution can't flow to any other subbranch. Intuitively, the πfallback condition of the C? fallback node is

πfallback = ¬\bigcuplimitsi∈Iπᵢ

The fallback node can be omitted in the case where the domain of the children nodes correspond to set of possible values pointed by the accessor at that point of the execution

domain(vₛ(a)) = \bigcuplimitsi∈Iπᵢ

We say that a translation of a target program to a decision tree is correct when for every possible input, the target program and its respective decision tree produces the same result

∀vₜ, tₜ(vₜ) = 〚tₜ〛ₜ(vₜ)

Equivalence checking

The equivalence checking algorithm takes as input a domain of possible values \emph{S} and a pair of source and target decision trees and in case the two trees are not equivalent it returns a counter example. The algorithm respects the following correctness statement:

\begin{comment} TODO: we have to define what \coversTEX mean for readers to understand the specifications (or we use a simplifying lie by hiding \coversTEX in the statements). \end{comment} \begin{align*} \EquivTEX S {C_S} {C_T} \emptyqueue = \YesTEX \;\land\; \coversTEX {C_T} S & \implies \forall v_S \approx v_T \in S,\; C_S(v_S) = C_T(v_T) \\ \EquivTEX S {C_S} {C_T} \emptyqueue = \NoTEX {v_S} {v_T} \;\land\; \coversTEX {C_T} S & \implies v_S \approx v_T \in S \;\land\; C_S(v_S) \neq C_T(v_T) \end{align*}

Our equivalence-checking algorithm $\EquivTEX S {C_S} {C_T} G$ is a exactly decision procedure for the provability of the judgment $(\EquivTEX S {C_S} {C_T} G)$, defined below.

\begin{mathpar} \begin{array}{l@{~}r@{~}l} & & \text{\emph{constraint trees}} \\ C & \bnfeq & \Leaf t \\ & \bnfor & \Failure \\ & \bnfor & \Switch a {\Fam i {\pi_i, C_i}} \Cfb \\ & \bnfor & \Guard t {C_0} {C_1} \\ \end{array} \begin{array}{l@{~}r@{~}l} & & \text{\emph{boolean result}} \\ b & \in & \{ 0, 1 \} \\[0.5em] & & \text{\emph{guard queues}} \\ G & \bnfeq & (t_1 = b_1), \dots, (t_n = b_n) \\ \end{array} \begin{array}{l@{~}r@{~}l} & & \text{\emph{input space}} \\ S & \subseteq & \{ (v_S, v_T) \mid \vrel {v_S} {v_T} \} \\ \end{array} \\ \infer{ } {\EquivTEX \emptyset {C_S} {C_T} G} \infer{ } {\EquivTEX S \Failure \Failure \emptyqueue} \infer {\trel {t_S} {t_T}} {\EquivTEX S {\Leaf {t_S}} {\Leaf {t_T}} \emptyqueue} \infer {\forall i,\; \EquivTEX {(S \land a = K_i)} {C_i} {\trim {C_T} {a = K_i}} G \\ \EquivTEX {(S \land a \notin \Fam i {K_i})} \Cfb {\trim {C_T} {a \notin \Fam i {K_i}}} G } {\EquivTEX S {\Switch a {\Fam i {K_i, C_i}} \Cfb} {C_T} G} \begin{comment} % TODO explain somewhere why the judgment is not symmetric: % we avoid defining trimming on source trees, which would % require more expressive conditions than just constructors \end{comment} \infer {C_S \in {\Leaf t, \Failure} \\ \forall i,\; \EquivTEX {(S \land a \in D_i)} {C_S} {C_i} G \\ \EquivTEX {(S \land a \notin \Fam i {D_i})} {C_S} \Cfb G} {\EquivTEX S {C_S} {\Switch a {\Fam i {D_i} {C_i}} \Cfb} G} \infer {\EquivTEX S {C_0} {C_T} {G, (t_S = 0)} \\ \EquivTEX S {C_1} {C_T} {G, (t_S = 1)}} {\EquivTEX S {\Guard {t_S} {C_0} {C_1}} {C_T} G} \infer {\trel {t_S} {t_T} \\ \EquivTEX S {C_S} {C_b} G} {\EquivTEX S {C_S} {\Guard {t_T} {C_0} {C_1}} {(t_S = b), G}} \end{mathpar}

Running a program tₛ or its translation 〚tₛ〛 against an input vₛ produces as a result r in the following way:

( 〚tₛ〛ₛ(vₛ) ≡ Cₛ(vₛ) ) → r
tₛ(vₛ) → r

Likewise

( 〚tₜ〛ₜ(vₜ) ≡ Cₜ(vₜ) ) → r
tₜ(vₜ) → r
result r ::= guard list * (Match blackbox | NoMatch | Absurd)
guard ::= blackbox.

Having defined equivalence between two inputs of which one is expressed in the source language and the other in the target language, vₛ ≃ vₜ, we can define the equivalence between a couple of programs or a couple of decision trees

tₛ ≃ tₜ := ∀vₛ≃vₜ, tₛ(vₛ) = tₜ(vₜ)
Cₛ ≃ Cₜ := ∀vₛ≃vₜ, Cₛ(vₛ) = Cₜ(vₜ)

The result of the proposed equivalence algorithm is Yes or No(vₛ, vₜ). In particular, in the negative case, vₛ and vₜ are a couple of possible counter examples for which the decision trees produce a different result.

In the presence of guards we can say that two results are equivalent modulo the guards queue, written r₁ ≃gs r₂, when:

(gs₁, r₁) ≃gs (gs₂, r₂) ⇔ (gs₁, r₁) = (gs₂ ++ gs, r₂)

We say that Cₜ covers the input space S, written covers(Cₜ, S) when every value vₛ∈S is a valid input to the decision tree Cₜ. (TODO: rephrase) Given an input space S and a couple of decision trees, where the target decision tree Cₜ covers the input space S, we say that the two decision trees are equivalent when:

equiv(S, Cₛ, Cₜ, gs) = Yes ∧ covers(Cₜ, S) → ∀vₛ≃vₜ ∈ S, Cₛ(vₛ) ≃gs Cₜ(vₜ)

Similarly we say that a couple of decision trees in the presence of an input space S are not equivalent when:

equiv(S, Cₛ, Cₜ, gs) = No(vₛ,vₜ) ∧ covers(Cₜ, S) → vₛ≃vₜ ∈ S ∧ Cₛ(vₛ) ≠gs Cₜ(vₜ)

Corollary: For a full input space S, that is the universe of the target program we say:

equiv(S, 〚tₛ〛ₛ, 〚tₜ〛ₜ, ∅) = Yes ⇔ tₛ ≃ tₜ
\begin{comment} TODO: put ^i∈I where needed \end{comment}

⊂subsection{The trimming lemma} The trimming lemma allows to reduce the size of a decision tree given an accessor a → π relation (TODO: expand)

∀vₜ ∈ (a→π), Cₜ(vₜ) = Ct/a→π(vₜ)

We prove this by induction on Cₜ:

  • Cₜ = Leafbb: when the decision tree is a leaf terminal, the result of trimming on a Leaf is the Leaf itself

    Leafbb/a→π(v) = Leafbb(v)
  • The same applies to Failure terminal

    Failure/a→π(v) = Failure(v)
  • When Cₜ = Switch(b, (π→Cᵢ)ⁱ)/a→π then we look at the accessor a of the subtree Cᵢ and we define πᵢ' = πᵢ if a≠b else πᵢ∩π Trimming a switch node yields the following result:

    Switch(b, (π→Cᵢ)i∈I)/a→π := Switch(b, (π'ᵢ→Ci/a→π)i∈I)
\begin{comment} TODO: understand how to properly align lists check that every list is aligned \end{comment}

For the trimming lemma we have to prove that running the value vₜ against the decision tree Cₜ is the same as running vₜ against the tree Ctrim that is the result of the trimming operation on Cₜ

Cₜ(vₜ) = Ctrim(vₜ) = Switch(b, (πᵢ'→Ci/a→π)i∈I)(vₜ)

We can reason by first noting that when vₜ∉(b→πᵢ)ⁱ the node must be a Failure node. In the case where ∃k | vₜ∈(b→πₖ) then we can prove that

Ck/a→π(vₜ) = Switch(b, (πᵢ'→Ci/a→π)i∈I)(vₜ)

because when a ≠ b then πₖ'= πₖ and this means that vₜ∈πₖ' while when a = b then πₖ'=(πₖ∩π) and vₜ∈πₖ' because:

  • by the hypothesis, vₜ∈π
  • we are in the case where vₜ∈πₖ

So vₜ ∈ πₖ' and by induction

Cₖ(vₜ) = Ck/a→π(vₜ)

We also know that ∀vₜ∈(b→πₖ) → Cₜ(vₜ) = Cₖ(vₜ) By putting together the last two steps, we have proven the trimming lemma.

\begin{comment} TODO: what should I say about covering??? I swap π and π' Covering lemma: ∀a,π covers(Cₜ,S) → covers(C_{t/a→π}, (S∩a→π)) Uᵢπⁱ ≈ Uᵢπ'∩(a→π) ≈ (Uᵢπ')∩(a→π) %% %%%%%%% Also: Should I swap π and π' ? \end{comment}

⊂subsection{Equivalence checking} The equivalence checking algorithm takes as parameters an input space S, a source decision tree Cₛ and a target decision tree Cₜ:

equiv(S, Cₛ, Cₜ) → Yes | No(vₛ, vₜ)

When the algorithm returns Yes and the input space is covered by Cₛ we can say that the couple of decision trees are the same for every couple of source value vₛ and target value vₜ that are equivalent.

\begin{comment} Define "covered" Is it correct to say the same? How to correctly distinguish in words ≃ and = ? \end{comment}
equiv(S, Cₛ, Cₜ) = Yes and cover(Cₜ, S) → ∀ vₛ ≃ vₜ∈S ∧ Cₛ(vₛ) = Cₜ(vₜ)

In the case where the algorithm returns No we have at least a couple of counter example values vₛ and vₜ for which the two decision trees outputs a different result.

equiv(S, Cₛ, Cₜ) = No(vₛ,vₜ) and cover(Cₜ, S) → ∀ vₛ ≃ vₜ∈S ∧ Cₛ(vₛ) ≠ Cₜ(vₜ)

We define the following

Forall(Yes) = Yes
Forall(Yes::l) = Forall(l)
Forall(No(vₛ,vₜ)::_) = No(vₛ,vₜ)

There exists and are injective:

int(k) ∈ (arity(k) = 0)
tag(k) ∈ (arity(k) > 0)
π(k) = {n| int(k) = n} x {n| tag(k) = n}

where k is a constructor.

\begin{comment} TODO: explain: ∀v∈a→π, C_{/a→π}(v) = C(v) \end{comment}

We proceed by case analysis:

\begin{comment} I start numbering from zero to leave the numbers as they were on the blackboard, were we skipped some things I think the unreachable case should go at the end. \end{comment}
  1. in case of unreachable:
Cₛ(vₛ) = Absurd(Unreachable) ≠ Cₜ(vₜ) ∀vₛ,vₜ
  1. In the case of an empty input space

    equiv(∅, Cₛ, Cₜ) := Yes

    and that is trivial to prove because there is no pair of values (vₛ, vₜ) that could be tested against the decision trees. In the other subcases S is always non-empty.

  2. When there are Failure nodes at both sides the result is Yes:

    equiv(S, Failure, Failure) := Yes

    Given that ∀v, Failure(v) = Failure, the statement holds.

  3. When we have a Leaf or a Failure at the left side:

    equiv(S, Failure as Cₛ, Switch(a, (πᵢ → Cₜᵢ)i∈I)) := Forall(equiv( S∩a→π(kᵢ)), Cₛ, Cₜᵢ)i∈I)
    equiv(S, Leaf bbₛ as Cₛ, Switch(a, (πᵢ → Cₜᵢ)i∈I)) := Forall(equiv( S∩a→π(kᵢ)), Cₛ, Cₜᵢ)i∈I)

    The algorithm either returns Yes for every sub-input space Sᵢ := S∩(a→π(kᵢ)) and subtree Cₜᵢ

    equiv(Sᵢ, Cₛ, Cₜᵢ) = Yes ∀i

    or we have a counter example vₛ, vₜ for which

    vₛ≃vₜ∈Sₖ ∧ cₛ(vₛ) ≠ Cₜₖ(vₜ)

    then because

    vₜ∈(a→πₖ) → Cₜ(vₜ) = Cₜₖ(vₜ) ,
    vₛ≃vₜ∈S ∧ Cₛ(vₛ)≠Cₜ(vₜ)

    we can say that

    equiv(Sᵢ, Cₛ, Cₜᵢ) = No(vₛ, vₜ) for some minimal k∈I
  4. When we have a Switch on the right we define πfallback as the domain of values not covered but the union of the constructors kᵢ

    πfallback = ¬\bigcuplimitsi∈Iπ(kᵢ)

    The algorithm proceeds by trimming

    equiv(S, Switch(a, (kᵢ → Cₛᵢ)i∈I, Csf), Cₜ) :=
    Forall(equiv( S∩(a→π(kᵢ)i∈I), Cₛᵢ, Ct/a→π(kᵢ))i∈I + equiv(S∩(a→πₙ), Cₛ, C_{a→πfallback}))

    The statement still holds and we show this by first analyzing the Yes case:

    Forall(equiv( S∩(a→π(kᵢ)i∈I), Cₛᵢ, Ct/a→π(kᵢ))i∈I = Yes

    The constructor k is either included in the set of constructors kᵢ:

    k | k∈(kᵢ)ⁱ ∧ Cₛ(vₛ) = Cₛᵢ(vₛ)

    We also know that

    (1) Cₛᵢ(vₛ) = Ct/a→πᵢ(vₜ)
    (2) CT/a→πᵢ(vₜ) = Cₜ(vₜ)

    (1) is true by induction and (2) is a consequence of the trimming lemma. Putting everything together:

    Cₛ(vₛ) = Cₛᵢ(vₛ) = CT/a→πᵢ(vₜ) = Cₜ(vₜ)

    When the k∉(kᵢ)ⁱ [TODO]

    The auxiliary Forall function returns No(vₛ, vₜ) when, for a minimum k,

    equiv(Sₖ, Cₛₖ, CT/a→πₖ = No(vₛ, vₜ)

    Then we can say that

    Cₛₖ(vₛ) ≠ Ct/a→πₖ(vₜ)

    that is enough for proving that

    Cₛₖ(vₛ) ≠ (Ct/a→πₖ(vₜ) = Cₜ(vₜ))