source: Deliverables/D4.2-4.3/reports/D4-2.tex @ 1373

\documentclass[11pt, epsf, a4wide]{article}

\usepackage{../../style/cerco}

\usepackage{amsfonts}
\usepackage{amsmath}
\usepackage{amssymb} 
\usepackage[english]{babel}
\usepackage{graphicx}
\usepackage[utf8x]{inputenc}
\usepackage{listings}
\usepackage{stmaryrd}
\usepackage{url}

\title{
INFORMATION AND COMMUNICATION TECHNOLOGIES\\
(ICT)\\
PROGRAMME\\
\vspace*{1cm}Project FP7-ICT-2009-C-243881 \cerco{}}

\lstdefinelanguage{matita-ocaml}
  {keywords={definition,coercion,lemma,theorem,remark,inductive,record,qed,let,in,rec,match,return,with,Type,try},
   morekeywords={[2]whd,normalize,elim,cases,destruct},
   morekeywords={[3]type,of},
   mathescape=true,
  }

\lstset{language=matita-ocaml,basicstyle=\small\tt,columns=flexible,breaklines=false,
        keywordstyle=\color{red}\bfseries,
        keywordstyle=[2]\color{blue},
        keywordstyle=[3]\color{blue}\bfseries,
        commentstyle=\color{green},
        stringstyle=\color{blue},
        showspaces=false,showstringspaces=false}

\lstset{extendedchars=false}
\lstset{inputencoding=utf8x}
\DeclareUnicodeCharacter{8797}{:=}
\DeclareUnicodeCharacter{10746}{++}
\DeclareUnicodeCharacter{9001}{\ensuremath{\langle}}
\DeclareUnicodeCharacter{9002}{\ensuremath{\rangle}}

\date{}
\author{}

\begin{document}

\thispagestyle{empty}

\vspace*{-1cm}
\begin{center}
\includegraphics[width=0.6\textwidth]{../../style/cerco_logo.png}
\end{center}

\begin{minipage}{\textwidth}
\maketitle
\end{minipage}

\vspace*{0.5cm}
\begin{center}
\begin{LARGE}
\textbf{
Report n. D4.2\\
Functional encoding in the Calculus of Constructions
}
\end{LARGE} 
\end{center}

\vspace*{2cm}
\begin{center}
\begin{large}
Version 1.0
\end{large}
\end{center}

\vspace*{0.5cm}
\begin{center}
\begin{large}
Main Authors:\\
Dominic P. Mulligan and Claudio Sacerdoti Coen
\end{large}
\end{center}

\vspace*{\fill}

\noindent
Project Acronym: \cerco{}\\
Project full title: Certified Complexity\\
Proposal/Contract no.: FP7-ICT-2009-C-243881 \cerco{}\\

\clearpage
\pagestyle{myheadings}
\markright{\cerco{}, FP7-ICT-2009-C-243881}

\newpage

\vspace*{7cm}
\paragraph{Abstract}
We describe the encoding, in the Calculus of Constructions, of the intermediate languages for the CerCo compiler.
The CerCo backend consists of four distinct intermediate languages---RTL, ERTL, LTL and LIN, respectively---though we also handle the translations from the last frontend intermediate language, RTLabs, into RTL, and the translation of LIN into assembly language.
Where feasible, we have made use of dependent types to enforce invariants and to make otherwise partial functions total.
\newpage

\tableofcontents

\newpage

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\section{Task}
\label{sect.task}

The Grant Agreement states that Task T4.2, entitled `Functional encoding in the Calculus of Constructions' has associated Deliverable D4.2, consisting of the following:
\begin{quotation}
CIC encoding: Back-end: Functional Specification in the internal language of the Proof Assistant (the Calculus of Inductive Construction) of the back end of the compiler. This unit is meant to be composable with the front-end of deliverable D3.2, to obtain a full working compiler for Milestone M2. A first validation of the design principles and implementation choices for the Untrusted Cost-annotating OCaml Compiler D2.2 is achieved and reported in the deliverable, possibly triggering updates of the Untrusted Cost-annotating OCaml Compiler sources.
\end{quotation}
This report details our implementation of this deliverable.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{Connections with other deliverables}
\label{subsect.connections.with.other.deliverables}

Deliverable D4.2 enjoys a close relationship with three other deliverables, namely deliverables D2.2, D4.3 and D4.4.

Deliverable D2.2, the O'Caml implementation of a cost preserving compiler for a large subset of the C programming language, is the basis upon which we have implemented the current deliverable.
In particular, the architecture of the compiler, its intermediate languages, and the overall implementation of the Matita encodings has been taken from the O'Caml compiler.
Any variations from the O'Caml design are due to bugs identified in the prototype compiler during the Matita implementation, our identification of code that can be abstracted and made generic, or our use of Matita's much stronger type system to enforce invariants through the use of dependent types.

Deliverable D4.3 can be seen as a `sister' deliverable to the deliverable reported on herein.
In particular, where this deliverable reports on the encoding in the Calculus of Constructions of the backend translations, D4.3 is the encoding in the Calculus of Constructions of the semantics of those languages.
As a result, a substantial amount of Matita code is shared between the two deliverables.

Deliverable D4.4, the backend correctness proofs, is the immediate successor of this deliverable.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{A brief overview of the backend compilation chain}
\label{subsect.brief.overview.backend.compilation.chain}

The Matita compiler's backend consists of five distinct intermediate languages: RTL, RTLntl, ERTL, LTL and LIN.
A fifth language, RTLabs, serves as the entry point of the backend and the exit point of the frontend.
RTL, RTLntl, ERTL and LTL are `graph based' languages, whereas LIN is a linearised language, the final language before translation to assembly.

We now briefly discuss the properties of the intermediate languages, and discuss the various transformations that take place during the translation process:

\paragraph{RTLabs ((Abstract) Register Transfer Language)}
As mentioned, this is the final language of the compiler's frontend and the entry point for the backend.
This language uses pseudoregisters, not hardware registers.\footnote{There are an unbounded number of pseudoregisters.  Pseudoregisters are converted to hardware registers of stack positions during register allocation.}
Functions still use stackframes, where arguments are passed on the stack and results are stored in addresses.
During the pass to RTL, these are eliminated, and instruction selection is carried out.

\paragraph{RTL (Register Transfer Language)}
This language uses pseudoregisters, not hardware registers.
Tailcall elimination is carried out during the translation from RTL to RTLntl.

\paragraph{RTLntl (Register Transfer Language --- No Tailcalls)}
This language is a pseudoregister, graph based language where all tailcalls are eliminated.
RTLntl is not present in the O'Caml compiler.

\paragraph{ERTL (Extended Register Transfer Language)}
In this language most instructions still operate on pseudoregisters, apart from instructions that move data to, and from, the accumulator.
The ERTL to LTL pass performs the following transformations: liveness analysis, register colouring and register/stack slot allocation.

\paragraph{LTL (Linearisable Transfer Language)}
Another graph based language, but uses hardware registers instead of pseudoregisters.
Tunnelling (branch compression) should be implemented here.

\paragraph{LIN (Linearised)}
This is a linearised form of the LTL language; function graphs have been linearised into lists of statements.
All registers have been translated into hardware registers or stack addresses.
This is the final stage of compilation before translating directly into assembly language.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\section{The backend intermediate languages in Matita}
\label{sect.backend.intermediate.languages.matita}

We now discuss the encoding of the compiler backend languages in the Calculus of Constructions proper.
We pay particular heed to changes that we made from the O'Caml prototype.
In particular, many aspects of the backend languages have been unified into a single `joint' language.
We have also made heavy use of dependent types to reduce `spurious partiality' and to encode invariants.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{Abstracting related languages}
\label{subsect.abstracting.related.languages}

The O'Caml compiler is written in the following manner.
Each intermediate language has its own dedicated syntax, notions of internal function, and so on.
Here, we make a distinction between `internal functions'---other functions that are explicitly written by the programmer, and `external functions', which belong to external library and require explictly linking.
Internal functions are represented as a record, consisting of a sequential structure, of some description, of statements, entry and exit points to this structure, and other book keeping devices.
Translations between intermediate language map syntaxes to syntaxes, and internal function representations to internal function representations explicitly.

This is a perfectly valid way to write a compiler, where everything is made explicit, but writing a \emph{verified} compiler poses new challenges.
In particular, we must look ahead to see how our choice of encodings will affect the size and complexity of the forthcoming proofs of correctness.
We now discuss some abstractions, introduced in the Matita code, which we hope will make our proofs shorter, amongst other benefits.

\paragraph{Changes between languages made explicit}
Due to the bureaucracy inherent in explicating each intermediate language's syntax in the O'Caml compiler, it can often be hard to see exactly what changes between each successive intermediate language.
By abstracting the syntax of the RTL, ERTL, LTL and LIN intermediate languages, we make these changes much clearer.

Our abstraction takes the following form:
\begin{lstlisting}
inductive joint_instruction (p: params__) (globals: list ident): Type[0] :=
  | COMMENT: String $\rightarrow$ joint_instruction p globals
  ...
  | INT: generic_reg p $\rightarrow$ Byte $\rightarrow$ joint_instruction p globals
  ...
  | OP1: Op1 → acc_a_reg p → acc_a_reg p → joint_instruction p globals
  ...
  | extension: extend_statements p $\rightarrow$ joint_instruction p globals.
\end{lstlisting}
We first note that for the majority of intermediate languages, many instructions are shared.
However, these instructions expect different register types (either a pseudoregister or a hardware register) as arguments.
We must therefore parameterise the joint syntax with a record of parameters that will be specialised to each intermediate language.
In the type above, this parameterisation is realised with the \texttt{params\_\_} record.
As a result of this parameterisation, we have also added a degree of `type safety' to the intermediate languages' syntaxes.
In particular, we note that the \texttt{OP1} constructor expects quite a specific type, in that the two register arguments must both be the accumulator A.
Contrast this with the \texttt{INT} constructor, which expects a \texttt{generic\_reg}, corresponding to an `arbitrary' register type.

Further, we note that some intermediate languages have language specific instructions (i.e. the instructions that change between languages).
We therefore add a new constructor to the syntax, \texttt{extension}, which expects a value of type \texttt{extend\_statements p}.
As \texttt{p} varies between intermediate languages, we can provide language specific extensions to the syntax of the joint language.
For example, ERTL's extended syntax consists of the following extra statements:
\begin{lstlisting}
inductive ertl_statement_extension: Type[0] :=
  | ertl_st_ext_new_frame: ertl_statement_extension
  | ertl_st_ext_del_frame: ertl_statement_extension
  | ertl_st_ext_frame_size: register $\rightarrow$ ertl_statement_extension.
\end{lstlisting}
These are further packaged into an ERTL specific instance of \texttt{params\_\_} as follows:
\begin{lstlisting}
definition ertl_params__: params__ :=
  mk_params__ register register ... ertl_statement_extension.
\end{lstlisting}

\paragraph{Shared code, reduced proofs}
Many features of individual backend intermediate languages are shared with other intermediate languages.
For instance, RTLabs, RTL, ERTL and LTL are all graph based languages, where functions are represented as a graph of statements that form their bodies.
Functions for adding statements to a graph, searching the graph, and so on, are remarkably similar across all languages, but are duplicated in the O'Caml code.

As a result, we chose to abstract the representation of internal functions for the RTL, ERTL, LTL and LIN intermediate languages into a `joint' representation.
This representation is parameterised by a record that dictates the layout of the function body for each intermediate language.
For instance, in RTL, the layout is graph like, whereas in LIN, the layout is a linearised list of statements.
Further, a generalised way of accessing the successor statement to the one currently under consideration is needed, and so forth.

Our joint internal function record looks like so:
\begin{lstlisting}
record joint_internal_function (globals: list ident) (p:params globals) : Type[0] ≝
{ 
  ...
  joint_if_params   : paramsT p;
  joint_if_locals   : localsT p;
  ...
  joint_if_code     : codeT … p;
  ...
}.
\end{lstlisting}
In particular, everything that can vary between differing intermediate languages has been parameterised.
Here, we see the number of parameters, the listing of local variables, and the internal code representation has been parameterised.
Other particulars are also parameterised, though here omitted.

Hopefully this abstraction process will reduce the number of proofs that need to be written, dealing with internal functions.
We only need to prove once that fetching a statement's successor is `correct', and we inherit this property for free for every intermediate language.

\paragraph{Dependency on instruction selection}
We note that the backend languages are all essentially `post instruction selection languages'.
The `joint' syntax makes this especially clear.
For instance, in the definition:
\begin{lstlisting}
inductive joint_instruction (p:params__) (globals: list ident): Type[0] ≝
  ...
  | INT: generic_reg p → Byte → joint_instruction p globals
  | MOVE: pair_reg p → joint_instruction p globals
  ...
  | PUSH: acc_a_reg p → joint_instruction p globals
  ...
  | extension: extend_statements p → joint_instruction p globals.
\end{lstlisting}
The capitalised constructors---\texttt{INT}, \texttt{MOVE}, and so on---are all machine specific instructions.
Retargetting the compiler to another microprocessor would entail replacing these constructors with constructors that correspond to the instructions of the new target.
We feel that this makes which instructions are target dependent, and which are not (i.e. those language specific instructions that fall inside the \texttt{extension} constructor) much more explicit.

\paragraph{Independent development and testing}
We have essentially modularised the intermediate languages in the compiler backend.
As with any form of modularisation, we reap benefits in the ability to independently test and develop each intermediate language separately.

\paragraph{Future reuse for other compiler projects}
Another advantage of our modularisation scheme is the ability to quickly use and reuse intermediate languages for other compiler projects.
For instance, in creating a cost-preserving compiler for a functional language, we may choose to target the RTL language directly.
Naturally, the register requirements for a functional language may differ from those of an imperative language, a reconfiguration which our parameterisation makes easy.

\paragraph{Easy addition of new compiler passes}
Under our modularisation and abstraction scheme, new compiler passes can easily be injected into the backend.
We have a concrete example of this in the RTLntl language, an intermediate language that was not present in the original O'Caml code.
To specify a new intermediate language we must simply specify, through the use of the statement extension mechanism, what differs in the new intermediate language from the `joint' language, and configure a new notion of internal function record, by specialising parameters, to the new language.
As generic code for the `joint' language exists, for example to add statements to control flow graphs, this code can be reused for the new intermediate language.

\paragraph{Possible language commutations}
The backend translation passes of the CerCo compiler differ quite a bit from the CompCert compiler.
In the CompCert compiler, linearisation occurs much earlier in the compilation chain, and passes such as register colouring and allocation are carried out on a linearised form of program.
Contrast this with our own approach, where the code is represented as a graph for much longer.

However, by abstracting the representation of intermediate functions, we are now much more free to reorder translation passes as we see fit.
The linearisation process, for instance, now no longer cares about the specific representation of code in the source and target languages.
It just relies on a common interface.
We are therefore, in theory, free to pick where we wish to linearise our representation.
This adds an unusual flexibility into the compilation process, and allows us to freely experiment with different orderings of translation passes.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{Use of dependent types}
\label{subsect.use.of.dependent.types}

We see three potential ways in which a compiler can fail to compile a program:
\begin{enumerate}
\item
The program is malformed, and there is no hope of making sense of the program.
\item
A heuristic or algorithm in the compiler is implemented incorrectly, in which case an otherwise correct source program fails to be compiler to correct assembly code.
\item
An invariant in the compiler is invalidated.
\end{enumerate}
The first source of failure we are unable to do anything about.
The latter two sources of failure should be interpreted as a compiler bug, and, as part of a verified compiler project, we'd like to rule out all such bugs.
In CerCo, we aim to use dependent types to help us enforce invariants and prove our heuristics and algorithms correct.

First, we encode informal invariants, or uses of \texttt{assert false} in the O'Caml code, with dependent types, converting partial functions into total functions.
There are numerous examples of this throughout the backend.
For example, in the \texttt{RTLabs} to \texttt{RTL} transformation pass, many functions only `make sense' when lists of registers passed to them as arguments conform to some specific length.
For instance, the \texttt{translate\_negint} function, which translates a negative integer constant:
\begin{lstlisting}
definition translate_negint ≝
  $\lambda$globals: list ident.
  $\lambda$destrs: list register.
  $\lambda$srcrs: list register.
  $\lambda$start_lbl: label.
  $\lambda$dest_lbl: label.
  $\lambda$def: rtl_internal_function globals.
  $\lambda$prf: |destrs| = |srcrs|. (* assert here *)
    ...
\end{lstlisting}
The last argument to the function, \texttt{prf}, is a proof that the lengths of the lists of source and destination registers are the same.
This was an assertion in the O'Caml code.

Secondly, we make use of dependent types to make the Matita code easier to read, and eventually the proofs of correctness for the compiler easier to write.
For instance, many intermediate languages in the backend of the compiler, from RTLabs to LTL, are graph based languages.
Here, function definitions consist of a graph (i.e. a map from labels to statements) and a pair of labels denoting the entry and exit points of this graph.
Practically, we would always like to ensure that the entry and exit labels are present in the statement graph.
We ensure that this is so with a dependent sum type in the \texttt{joint\_internal\_function} record, which all graph based languages specialise to obtain their own internal function representation:
\begin{lstlisting}
record joint_internal_function (globals: list ident) (p: params globals): Type[0] :=
{
  ...
  joint_if_code     : codeT $\ldots$ p;
  joint_if_entry    : $\Sigma$l: label. lookup $\ldots$ joint_if_code l $\neq$ None $\ldots$;
  ...
}.
\end{lstlisting}
Here, \texttt{codeT} is a parameterised type representing the `structure' of the function's body (a graph in graph based languages, and a list in the linearised LIN language).
Specifically, the \texttt{joint\_if\_entry} is a dependent pair consisting of a label and a proof that the label in question is a vertex in the function's graph.
A similar device exists for the exit label.

Finally, we make use of dependent types for another reason: experimentation.
Namely, CompCert makes little use of dependent types to encode invariants.
In contrast, we wish to make as much use of dependent types as possible, both to experiment with different ways of encoding compilers in a proof assistant, but also as a way of `stress testing' Matita's support for dependent types.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{What we do not implement}
\label{subsect.what.we.do.not.implement}

There are several classes of functionality that we have chosen not to implement in the backend languages:
\begin{itemize}
\item
\textbf{Datatypes and functions over these datatypes that are not supported by the compiler.}
In particular, the compiler does not support the floating point datatype, nor accompanying functions over that datatype.
At the moment, frontend languages within the compiler possess constructors corresponding to floating point code.
These are removed during instruction selection (in the RTLabs to RTL transformation) using a daemon.\footnote{A Girardism.  An axiom of type \texttt{False}, from which we can prove anything.}
However, at some point, we would like the front end of the compiler to recognise programs that use floating point code and reject them as being invalid.
\item
\textbf{Axiomatised components that will be implemented using external oracles.}
Several large, complex pieces of compiler infrastructure, most noticably register colouring and fixed point calculation during liveness analysis have been axiomatised.
This was already agreed upon before the start of the project, and is clearly marked in the project proposal, following comments by those involved with the CompCert project about the difficulty in formalising register colouring in that project.
Instead, these components are axiomatised, along with the properties that they need to satisfy in order for the rest of the compilation chain to be correct.
These axiomatised components are found in the ERTL to LTL pass.

It should be noted that these axiomatised components fall into the following pattern: whilst their implementation is complex, and their proof of correctness is difficult, we are able to quickly and easily verify that any answer that they provide is correct.
As a result, we do not see this axiomatisation process as being too onerous.
\item
\textbf{A few non-computational proof obligations.}
A few difficult-to-close, but non-computational (i.e. they do not prevent us from executing the compiler inside Matita), proof obligations have been closed using daemons in the backend.
These proof obligations originate with our use of dependent types for expressing invariants in the compiler.
However, here, it should be mentioned that many open proof obligations are simply impossible to close until we start to obtain stronger invariants from the proof of correctness for the compiler proper.
In particular, in the RTLabs to RTL pass, several proof obligations relating to lists of registers stored in a `local environment' appear to fall into this pattern.
\item
\textbf{Branch compression (tunnelling).}
This was a feature of the O'Caml compiler.
It is not yet currently implemented in the Matita compiler.
This feature is only an optimisation, and will not affect the correctness of the compiler.
\item
\textbf{`Real' tailcalls}
For the time being, tailcalls in the backend are translated to `vanilla' function calls during the ERTL to LTL pass.
This follows the O'Caml compiler, which did not implement tailcalls, and did this simplification step.
`Real' tailcalls are being implemented in the O'Caml compiler, and when this implementation is complete, we aim to port this code to the Matita compiler.
\end{itemize}

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\section{Associated changes to O'Caml compiler}
\label{sect.associated.changes.to.ocaml.compiler}

At the moment, no changes we have made in the Matita backend have made their way back into the O'Caml compiler.
We do not see the heavy process of modularisation and abstraction as making its way back into the O'Caml codebase, as this is a significant rewrite of the backend code.
However, several bugfixes, and the identification of `hidden invariants' in the O'Caml code will be incorporated back into the prototype.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\section{Future work}
\label{sect.future.work}

As mentioned in Section~\ref{subsect.what.we.do.not.implement}, there are several unimplemented features in the compiler, and several aspects of the Matita code that can be improved in order to make currently partial functions total.
We summarise this future work here:
\begin{itemize}
\item
We plan to make use of dependent types to identify `floating point' free programs and make all functions total over such programs.
This will remove a swathe of uses of daemons.
This should be routine.
\item
We plan to move expansion of integer modulus, and other related functions, into the instruction selection (RTLabs to RTL) phase.
This will also help to remove a swathe of uses of daemons, as well as potentially introduce new opportunities for optimisations that we currently miss in expanding these instructions at the C-light level.
\item
We plan to close all existing proof obligations that are closed using daemons, arising from our use of dependent types in the backend.
However, many may not be closable until we have completed Deliverable D4.4, the certification of the whole compiler, as we may not have invariants strong enough at the present time.
\item
We plan to port the O'Caml compiler's implementation of tailcalls when this is completed, and eventually port the branch compression code currently in the O'Caml compiler to the Matita implementation.
This should not cause any major problems.
\item
We plan to validate the backend translations, removing any obvious bugs, by executing the translation inside Matita on small C programs.
This is not critical, as the certification process will find all bugs anyway.
\end{itemize}

\newpage

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\section{Code listing}
\label{sect.code.listing}

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{Listing of files}
\label{subsect.listing.files}

Translation specific files (files relating to language semantics have been omitted).
Syntax:
\begin{center}
\begin{tabular*}{\textwidth}{p{3.5cm}p{5.5cm}p{3.5cm}p{1cm}}
Title & Description & O'Caml & Ratio \\
\hline
\texttt{RTLabs/syntax.ma} & The syntax of RTLabs & \texttt{RTLabs/RTLabs.mli} & 0.65 \\
\texttt{joint/Joint.ma} & Joint syntax for backend languages & N/A & N/A \\
\texttt{RTL/RTL.ma} & The syntax of RTL & \texttt{RTL/RTL.mli} & 0.41 \\
\texttt{ERTL/ERTL.ma} & The syntax of ERTL & \texttt{ERTL/ERTL.mli} & 0.13 \\
\texttt{LTL/LTL.ma} & The syntax of LTL & \texttt{LTL/LTL.mli} & 0.13 \\
\texttt{LIN/LIN.ma} & The syntax of LIN & \texttt{LIN/LIN.mli} & 0.36
\end{tabular*}
\end{center}
Here, the O'Caml column denotes the O'Caml source file in the prototype compiler's implementation that corresponds to the Matita script in question.
The ratios are the linecounts of the Matita file divided by the line counts of the corresponding O'Caml file.
These are computed with \texttt{wc -l}, a standard Unix tool.

\noindent
Translations and utilities:
\begin{center}
\begin{tabular*}{\textwidth}{p{4.5cm}p{4.5cm}p{4.5cm}p{1cm}}
Title & Description & O'Caml & Ratio \\
\hline
\texttt{RTLabs/RTLabsToRTL.ma} & The translation from RTLabs to RTL & \texttt{RTLabs/RTLabsToRTL.ml} & 1.61 \\
\texttt{joint/TranslateUtils.ma} & Generic translation utilities & N/A & N/A \\
\texttt{RTL/RTLToERTL.ma} & The translation from RTL to ERTL & \texttt{RTL/RTLToERTL.ml} & 0.88 \\
\texttt{RTL/RTLtailcall.ma} & Elimination of tailcalls & \texttt{RTL/RTLtailcall.ml} & 2.08 \\
\texttt{ERTL/ERTLToLTL.ma} & The translation from ERTL to LTL & \texttt{ERTL/ERTLToRTL.ml} & 3.46 \\
\texttt{ERTL/Interference.ma} & Axiomatised graph colouring component & \texttt{common/interference.ml} & 0.03\footnote{The majority of this file is axiomatised.} \\
\texttt{ERTL/liveness.ma} & Liveness analysis & \texttt{ERTL/liveness.ml} & 0.92 \\
\texttt{LTL/LTLToLIN.ma} & The translation from LTL to LIN & \texttt{LTL/LTLToLIN.ml} & 0.75 \\
\texttt{LIN/LINToASM.ma} & The translation from LIN to assembly language & \texttt{LIN/LINToASM.ml} 2.45 &
\end{tabular*}
\end{center}
Given that Matita code is much more verbose than O'Caml code, with explicit typing and inline proofs, we have achieved respectable line count ratios in the translation.

%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
% SECTION.                                                                    %
%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%
\subsection{Listing of important functions and axioms}
\label{subsect.listing.important.functions.and.axioms}

We list some important functions and axioms in the backend compilation:

\paragraph{From RTL/RTLabsToRTL.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{translate\_stmt} & Translation of an RTLabs statement to an RTL statement \\
\texttt{translate\_internal} & Translation of an RTLabs internal function to an RTL internal function \\
\texttt{rtlabs\_to\_rtl} & Translation of an RTLabs program to an RTL program
\end{tabular*}
\end{center}

\paragraph{From joint/TranslateUtils.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{fresh\_regs} & Generic fresh pseudoregister generation, for any intermediate language \\
\texttt{adds\_graph} & Generic means of adding a statement to a graph, for any intermediate language
\end{tabular*}
\end{center}

\paragraph{From RTL/RTLTailcall.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{simplify\_statement} & Remove a single tailcall \\
\texttt{simplify\_graph} & Remove all tailcalls in the function graph \\
\texttt{tailcall\_simplify} & Simplify an RTL program by removing tailcalls
\end{tabular*}
\end{center}

\paragraph{From RTL/RTLToERTL.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{translate\_stmt} & Translation of an RTL statement to an ERTL statement \\
\texttt{translate\_funct\_internal} & Translation of an RTL internal function to an ERTL internal function \\
\texttt{translate} & Translation of an RTL program to an ERTL program
\end{tabular*}
\end{center}

\paragraph{From ERTL/liveness.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{analyse} & Dead code analysis
\end{tabular*}
\end{center}

\paragraph{From ERTL/Interference.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{build} & The (axiomatised) graph colouring for register and stack slot allocation
\end{tabular*}
\end{center}

\paragraph{From ERTL/ERTLToLTL.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{translate\_statement} & Translation of an ERTL statement into multiple LTL statements \\
\texttt{translate\_internal} & Translation of an ERTL internal function into an LTL internal function \\
\texttt{ertl\_to\_ltl} & Translation of an ERTL program into an LTL program
\end{tabular*}
\end{center}

\paragraph{From LTL/LTLToLIN.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{visit} & Visits, in order, every node in the statement graph for linearisation \\
\texttt{translate\_stmt} & Translation of an LTL statement to a LIN statement \\
\texttt{branch\_compress} & Place holder (currently identity) function for branch compression \\
\texttt{translate\_internal} & Translation of an LTL internal function into a LIN internal function \\
\texttt{ltl\_to\_lin} & Translation of an LTL program to a LIN program
\end{tabular*}
\end{center}

\paragraph{From LIN/LINToASM.ma}
\begin{center}
\begin{tabular*}{0.9\textwidth}{p{5cm}p{8cm}}
Title & Description \\
\hline
\texttt{translate\_statements} & Translation of a LIN statement to mutliple assembly instructions \\
\texttt{translate\_fun\_def} & Translation of a LIN internal function definition into assembly \\
\texttt{translate} & Translation of a LIN program into assembly
\end{tabular*}
\end{center}

\end{document}