source: src/RTLabs/CostCheck.ma @ 2305

include "RTLabs/CostSpec.ma".

(* TODO: move ----→ *)

lemma Exists_to_All : ∀T,P,l.
  (∀x. Exists ? (λy. y = x) l → P x) →
  All T P l.
#T #P #l elim l [ // | #h #t #IH #H % [ @H %1 % | @IH #t #E @H %2 @E ] ]
qed.

let rec all (A:Type[0]) (P:A → bool) (l:list A) on l : bool ≝
match l with
[ nil ⇒ true
| cons h t ⇒ P h ∧ all A P t
].

lemma all_All : ∀A,P,l. bool_to_Prop (all A P l) ↔ All A (λa.bool_to_Prop (P a)) l.
#A #P #l elim l
[ % //
| #h #t * #IH #IH' %
  [ whd in ⊢ (?% → %); cases (P h) [ #p % /2/ | * ]
  | * #p #H whd in ⊢ (?%); >p /2/
  ]
] qed.

(* ←---- move *)

definition check_well_cost_fn : internal_function → bool ≝
λf.
  idmap_all … (f_graph f) (λl,s,PR. well_cost_labelled_statement f s (f_closed f l s PR)) ∧
  is_cost_label (lookup_present … (f_graph f) (f_entry f) ?).
cases (f_entry f) //
qed.

lemma check_well_cost_fn_ok : ∀fn. bool_to_Prop (check_well_cost_fn fn) ↔ well_cost_labelled_fn fn.
#fn %
[ #H cases (andb_Prop_true … H) #ST #EN
  % [ lapply (proj1 … (idmap_all_ok …) ST) // | @EN ]
| * #ST #EN @andb_Prop
  [ @(proj2 … (idmap_all_ok …)) #l #st #L
    cut (present ?? (f_graph fn) l) [ whd >L % #E destruct ] #PR
    lapply (ST l PR) generalize in ⊢ (?(???%) → ?);
    >(lookup_present_eq ????? L PR) //
  | @eq_true_to_b @EN
  ]
] qed.

include "basics/lists/listb.ma".
include alias "utilities/deqsets.ma".

lemma successors_present : ∀g,st.
  labels_present g st →
  ∀l. l ∈ successors st →
  present ?? g l.
#g *
[ #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #cs #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #ty #r #c #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #ty1 #ty2 #op #r1 #r2  #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #ty1 #ty2 #ty3 #op #r1 #r2 #r3 #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #ty #r1 #r2 #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #ty #r1 #r2 #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #id #args #dst #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #r #args #dst #l1 #PR #l2 #IN >(memb_single … IN) @PR
| #r #l1 #l2 * #PR1 #PR2 #l3 whd in ⊢ (?% → ?); @eqb_elim [ // | #_ #IN >(memb_single … IN) // ]
| #_ #l *
] qed.

include alias "common/Identifiers.ma".

(* Check that from [checking] we reach a cost label without going through
   [checking_tail], which would form a loop in the CFG.  We also have a set of
   labels that we have still [to_check], and return an updated set of labels
   to check if the check for the current label is successful. *)
let rec check_label_bounded
  (g : graph statement)
  (CL : graph_closed g)
  (checking : label)
  (PR : present ?? g checking)
  (checking_tail : list label)
  (to_check : identifier_set LabelTag)
  (term_check : nat)
on term_check : gt term_check (id_map_size … to_check) → option (identifier_set LabelTag) ≝
let stop_now ≝ Some ? to_check in
match term_check return λx. ge x ? → ? with
[ O ⇒ λH.⊥
| S term_check' ⇒ λH.
  let st ≝ lookup_present … g checking PR in
  let succs ≝ successors st in
  match succs return λsc. (∀l.l∈sc → ?) → ? with
  [ nil ⇒ λ_. stop_now
  | cons h t ⇒
    match t with
    [ nil ⇒ λSC. (* single successor *)
      match try_remove … to_check h return λx. (∀a,m'. x = ? → ?) → ? with
      [ Some to_check' ⇒ λH'.
        if h ∈ checking_tail then None ? else
        let PR' ≝ ? in
        let st' ≝ lookup_present … g h PR' in
        if is_cost_label st' then stop_now else
          check_label_bounded g CL h PR' (checking::checking_tail) (\snd to_check') term_check' ?
      | None ⇒ λ_. stop_now (* already checked successor *)
      ] (try_remove_some_card … to_check h)
    | cons _ _ ⇒ λ_. stop_now (* all branches are followed by a cost label *)
    ]
  ] (successors_present g st (CL … checking … (lookup_lookup_present …)))
].
[ /2 by absurd/
| lapply (H' (\fst to_check') (\snd to_check') ?) [ cases to_check' // ]
  #E -PR' >E in H; #H' /2/
| @SC >memb_hd // 
] qed.

(* An inductive specification of the above function that's easier to work with. *)

inductive check_label_bounded_spec (g:graph statement) : label → list label → identifier_set LabelTag → identifier_set LabelTag → Prop ≝
| clbs_ret : ∀l,PR,tl,toch.
    successors (lookup_present … g l PR) = [ ] →
    check_label_bounded_spec g l tl toch toch
| clbs_checked : ∀l,PR,l',tl,toch.
    successors (lookup_present … g l PR) = [l'] →
    ¬ l' ∈ toch →
    check_label_bounded_spec g l tl toch toch
| clbs_cost : ∀l,PR,l',PR',tl,toch.
    successors (lookup_present … g l PR) = [l'] →
    l' ∈ toch →
    is_cost_label (lookup_present … g l' PR') →
    check_label_bounded_spec g l tl toch toch
| clbs_step : ∀l,PR,l',PR',tl,toch,toch',toch''.
    successors (lookup_present … g l PR) = [l'] →
(*    l' ∈ toch → implied *)
    ¬ l' ∈ tl →
    ¬ is_cost_label (lookup_present … g l' PR') →
    try_remove … toch l' = Some ? 〈it,toch'〉 →
    check_label_bounded_spec g l' (l::tl) toch' toch'' →
    check_label_bounded_spec g l tl toch toch''
| clbs_branch : ∀l,PR,x,y,zs,tl,toch.  (* the other check will show that these are cost labels *)
    successors (lookup_present … g l PR) = x::y::zs →
    check_label_bounded_spec g l tl toch toch.

(* TODO: move (or is it somewhere already?) *)
lemma if_elim : ∀T:Type[0]. ∀b:bool. ∀e1,e2:T. ∀P:T → Type[0].
  (b → P e1) →
  (¬b → P e2) →
  P (if b then e1 else e2).
#T * /2/
qed.

lemma check_label_bounded_s : ∀term_check,g,CL,checking,PR,checking_tail,to_check,TERM,to_check'.
  check_label_bounded g CL checking PR checking_tail to_check term_check TERM = Some ? to_check' →
  check_label_bounded_spec g checking checking_tail to_check to_check'.
#n elim n
[ #a #b #c #d #d #e #g @⊥ /3 by n_plus_1_n_to_False, div_plus_times/ (* ! *)
| #term_check #IH #g #CL #checking #PR #checking_tail #to_check #TERM #to_check'
  whd in ⊢ (??%? → ?);
  generalize in ⊢ (??(?%)? → ?);
  lapply (refl ? (successors (lookup_present … PR)))
  cases (successors (lookup_present … PR)) in ⊢ (???% → %);
  [ #SUCC whd in ⊢ (? → ??%? → ?); #_ #E destruct %1 //
  | #h * [ #SUCC whd in ⊢ (? → ??%? → ?); #PR' generalize in ⊢ (??(?%)? → ?);
           lapply (refl ? (try_remove … to_check h))
           cases (try_remove ????) in ⊢ (???% → %);
           [ #RM whd in ⊢ (? → ??%? → ?); #H #E destruct @(clbs_checked … SUCC)
             whd in ⊢ (?(?%)); >(proj1 … (try_remove_empty …) RM) //
           | * * #to_check'' #RM #H whd in ⊢ (??%? → ?);
             @if_elim
             [ #IN whd in ⊢ (??%? → ?); #E destruct
             | #OUT whd in ⊢ (??%? → ?);
               @if_elim
               [ #CS #E destruct @(clbs_cost … SUCC … CS)
                 cases (try_remove_some ?????? RM) * #L #_ #_ whd in ⊢ (?%); >L //
               | #CS #H @(clbs_step … SUCC OUT CS RM) @(IH … H)
               ]
             ]
           ]
         | #h2 #t #SUCCS whd in ⊢ (? → ??%? → ?); #PR' #E destruct
           @(clbs_branch … SUCCS)
         ]
  ]
] qed.



lemma check_label_bounded_subset : ∀g,checking,checking_tail,to_check,to_check'.
  check_label_bounded_spec g checking checking_tail to_check to_check' →
  set_subset … to_check' to_check.
#g #lX #lX' #tX #tX' #S elim S //
#l #PR #l' #PR' #tl #toch #toch' #toch'' #SC #NI #CS #RM #H #IH
cases (try_remove_some … toch' RM) * #L1 #L2 #L3
#id #IN cases (L3 id)
[ #E destruct whd in ⊢ (?%); >L1 //
| #L4 whd in ⊢ (?%); >L4 @IH @IN
] qed.

let rec check_graph_bounded
  (g : graph statement)
  (CL : graph_closed g)
  (to_check : identifier_set LabelTag)
  (SUB : set_subset … to_check g)
  (start : label)
  (PR : present ?? g start)
  (SMALLER : gt (id_map_size … g) (id_map_size … to_check))
  (term_check : nat)
on term_check : gt term_check (id_map_size … to_check) → bool ≝ 
match term_check return λx. ge x ? → bool with
[ O ⇒ λH.⊥
| S term_check' ⇒ λH.
  let TERM' ≝ ? in
  match check_label_bounded g CL start PR [ ] to_check (id_map_size … g) TERM' return λx. check_label_bounded ???????? = x → ? with
  [ None ⇒ λ_. false
  | Some to_check' ⇒ λH'.
    match choose … to_check' return λx. (∀id,a,m'. x = ? → ?) → (∀id,a,m'. x = ? → ?) → (∀id,a,m'. x = ? → ?) → ? with
    [ None ⇒ λ_.λ_.λ_. true
    | Some l_to_check'' ⇒ λL,SUB',C.
        check_graph_bounded g CL (\snd l_to_check'') ? (\fst (\fst l_to_check'')) ?? term_check' ?
    ] (choose_some … to_check') (choose_some_subset … to_check') (choose_some_card … to_check')
  ] (refl ??)
].
[ 2,3,4,5: cases l_to_check'' in C L SUB' ⊢ %; * #l * #to_check'' #C #L #SUB'
  lapply (check_label_bounded_subset … (check_label_bounded_s … H')) #SUB''
]
[ #id #IN @SUB @SUB'' @(SUB' ??? (refl ??)) @IN
| @member_present @SUB @SUB'' cases (L ??? (refl ??)) * #L #_ #_ whd in ⊢ (?%); >L //
| whd <(C ??? (refl ??)) lapply (subset_card … SUB'') #Z @(transitive_le … Z) /2/
| whd <(C ??? (refl ??)) lapply (subset_card … SUB'') #Z @(transitive_le … Z) /2/
| /2/
| @SMALLER
] qed.

(* TODO: move *)
definition id_set_of_map : ∀tag,A. identifier_map tag A → identifier_set tag ≝
λtag,A,m. an_id_map tag unit (map … (λ_. it) (match m with [ an_id_map m' ⇒ m'])).

lemma id_set_of_map_subset : ∀tag,A,m.
  id_set_of_map tag A m ⊆ m.
#tag #A * #m * #id normalize
>lookup_opt_map normalize cases (lookup_opt ???) //
qed.

lemma id_set_of_map_present : ∀tag,A,m,id.
  present tag A m id ↔ present tag unit (id_set_of_map … m) id.
#tag #A * #m * #id %
normalize @not_to_not
>lookup_opt_map cases (lookup_opt ???) normalize //
#a #E destruct
qed.

lemma id_set_of_map_card : ∀tag,A,m.
  |m| = |id_set_of_map tag A m|.
#tag #A * #m whd in ⊢ (??%%); >map_size //
qed.

definition check_sound_cost_fn : internal_function → bool ≝
λfn.
  match try_remove … (id_set_of_map … (f_graph fn)) (f_entry fn) return λx. (x = ? → ?) → (∀a,m'. x = ? → ?) → (∀a,m'. x = ? → ?) → ? with
  [ None ⇒ λEMP. ⊥
  | Some to_check ⇒ λ_.λCARD,L.
              check_graph_bounded (f_graph fn) (f_closed fn) (\snd to_check) ? (f_entry fn) ?? (|f_graph fn|) ?
  ] (proj1 ?? (try_remove_empty LabelTag unit (id_set_of_map … (f_graph fn)) (f_entry fn)))
    (try_remove_some_card ????)
    (try_remove_some ????).
[ cases (f_entry fn) in EMP; #l #PR cases (proj1 … (id_set_of_map_present …) PR) #PR' #H
  @PR' @H %
| cases to_check in L ⊢ %; * #m' #L cases (L … (refl ??)) * #L1 #L2 #L3 #id #IN
  cases (L3 id)
  [ #E destruct whd in ⊢ (?%); cases (f_entry fn) #l * cases (lookup ????) /2/
  | #E whd in ⊢ (?%); lapply (id_set_of_map_present … (f_graph fn) id) *
    whd in match (present ????); whd in match (present ? unit ??);
    lapply (member_present … IN) whd in match (present ? unit ??); <E
    cases (lookup … (f_graph fn) id) // #X #_ #Y @⊥ cases (Y X) /2/
  ]
| cases (f_entry fn) //
| 4,5: <id_set_of_map_card in CARD; cases to_check * #m' #CARD >(CARD ?? (refl ??)) //
] qed.

axiom check_sound_cost_fn_ok : ∀fn. bool_to_Prop (check_sound_cost_fn fn) ↔ soundly_labelled_fn fn.

definition check_cost_program : RTLabs_program → bool ≝
λp. all ? (λfn. match \snd fn with
                 [ Internal fn ⇒ check_well_cost_fn fn ∧ check_sound_cost_fn fn
                 | External _ ⇒ true
                 ]) (prog_funct … p).

theorem check_cost_program_ok : ∀p. bool_to_Prop (check_cost_program p) ↔ well_cost_labelled_program p.
#p whd in ⊢ (?(?%)%); %
[ #H lapply ((proj1 ?? (all_All ???)) H) @All_mp
  * #id * #fd
  [ #H cases (andb_Prop_true … H) #W #S %
    [ @(proj1 … (check_well_cost_fn_ok … )) //
    | @(proj1 … (check_sound_cost_fn_ok …)) //
    ]
  | //
  ]
| #H @(proj2 … (all_All …)) @(All_mp … H)
  * #id * #fd
  [ * #W #S
    lapply ((proj2 … (check_well_cost_fn_ok …)) W)
    lapply ((proj2 … (check_sound_cost_fn_ok …)) S) /2/
  | //
  ]
] qed.