Changeset 2047 for src

Timestamp:

Jun 12, 2012, 2:18:16 PM (9 years ago)

Author:

mulligan

Message:

Big bugs in policy calculations found. Waiting for Jaap's commit.

Location:

src/ASM

Files:

• Assembly.ma (modified) (2 diffs)
• AssemblyProofSplit.ma (modified) (8 diffs)
• AssemblyProofSplitSplit.ma (modified) (8 diffs)
• Interpret.ma (modified) (1 diff)
• PolicyFront.ma (modified) (3 diffs)

src/ASM/Assembly.ma

@@ -430 +430 @@
    let lookup_address ≝ sigma (lookup_labels lbl) in
    let pc_plus_jmp_length ≝ sigma (add … ppc (bitvector_of_nat … 1)) in
-   let 〈result, flags〉 ≝ sub_16_with_carry pc_plus_jmp_length lookup_address false in
+   let 〈result, flags〉 ≝ sub_16_with_carry lookup_address pc_plus_jmp_length false in
    let 〈upper, lower〉 ≝ vsplit ? 8 8 result in
    if eq_bv ? upper (zero 8) then
@@ -553 +553 @@
     let do_a_long ≝ policy ppc in
     let lookup_address ≝ sigma (lookup_labels jmp) in
-    let 〈result, flags〉 ≝ sub_16_with_carry pc_plus_jmp_length lookup_address false in
+    let 〈result, flags〉 ≝ sub_16_with_carry lookup_address pc_plus_jmp_length false in
     let 〈upper, lower〉 ≝ vsplit ? 8 8 result in
     if eq_bv ? upper (zero 8) ∧ ¬ do_a_long then

src/ASM/AssemblyProofSplit.ma

@@ -170 +170 @@
 qed.
 
+lemma pair_replace:
+ ∀A,B,T:Type[0].∀P:T → Prop. ∀t. ∀a,b.∀c,c': A × B. c'=c → c ≃ 〈a,b〉 →
+  P (t a b) → P (let 〈a',b'〉 ≝ c' in t a' b').
+ #A #B #T #P #t #a #b * #x #y * #x' #y' #H1 #H2 destruct //
+qed.
+
 lemma get_arg_8_set_program_counter:
   ∀M: Type[0].
@@ -187 +193 @@
   try (#addr1 #addr2) try #addr1
   normalize nodelta try %
-  >external_ram_set_program_counter
-  >program_counter_set_program_counter
   cases daemon (* XXX: rewrite not working but provable *)
 qed.
@@ -354 +358 @@
 include alias "basics/logic.ma".
 include alias "ASM/BitVectorTrie.ma".
-
-lemma pair_replace:
- ∀A,B,T:Type[0].∀P:T → Prop. ∀t. ∀a,b.∀c,c': A × B. c'=c → c ≃ 〈a,b〉 →
-  P (t a b) → P (let 〈a',b'〉 ≝ c' in t a' b').
- #A #B #T #P #t #a #b * #x #y * #x' #y' #H1 #H2 destruct //
-qed.
 
 lemma jmpair_as_replace:
@@ -407 +405 @@
 include alias "ASM/Vector.ma".
 
+axiom main_lemma_preinstruction:
+  ∀M, M': internal_pseudo_address_map.
+  ∀preamble: preamble.
+  ∀instr_list: list labelled_instruction.
+  ∀cm: pseudo_assembly_program.
+  ∀EQcm: cm = 〈preamble, instr_list〉.
+  ∀sigma: Word → Word.
+  ∀policy: Word → bool.
+  ∀sigma_policy_witness: sigma_policy_specification cm sigma policy.
+  ∀ps: PseudoStatus cm.
+  ∀ppc: Word.
+  ∀EQppc: ppc = program_counter pseudo_assembly_program cm ps.
+  ∀labels: label_map.
+  ∀costs: BitVectorTrie costlabel 16.
+  ∀create_label_cost_refl: create_label_cost_map instr_list = 〈labels, costs〉.
+  ∀newppc: Word.
+  ∀lookup_labels: Identifier → Word.
+  ∀EQlookup_labels: lookup_labels = (λx:Identifier. address_of_word_labels_code_mem instr_list x).
+  ∀lookup_datalabels: Identifier → Word.
+  ∀EQlookup_datalabels: lookup_datalabels = (λx.lookup_def ASMTag Word (construct_datalabels preamble) x (zero 16)).
+  ∀EQnewppc: newppc = add 16 ppc (bitvector_of_nat 16 1).
+  ∀instr: preinstruction Identifier.
+  ∀ticks: nat × nat.
+  ∀EQticks: ticks = ticks_of0 〈preamble, instr_list〉 sigma policy ppc (Instruction instr).
+  ∀addr_of: Identifier → PreStatus pseudo_assembly_program cm → BitVector 16.
+  ∀EQaddr_of: addr_of = (λx:Identifier. λy:PreStatus pseudo_assembly_program cm. address_of_word_labels cm x).
+  ∀s: PreStatus pseudo_assembly_program cm.
+  ∀EQs: s = (set_program_counter pseudo_assembly_program cm ps (add 16 ppc (bitvector_of_nat 16 1))).
+  ∀P: preinstruction Identifier → PseudoStatus cm → Prop.
+  ∀EQP: P = (λinstr, s. sigma (add 16 ppc (bitvector_of_nat 16 1)) = add 16 (sigma ppc)
+              (bitvector_of_nat 16 (\fst (assembly_1_pseudoinstruction lookup_labels sigma policy ppc
+                  lookup_datalabels (Instruction instr)))) →
+              next_internal_pseudo_address_map0 pseudo_assembly_program (Instruction instr) M cm ps = Some internal_pseudo_address_map M' →
+                fetch_many (load_code_memory (\fst (pi1 … (assembly cm sigma policy)))) (sigma (add 16 ppc (bitvector_of_nat 16 1))) (sigma (program_counter pseudo_assembly_program cm ps))
+                  (expand_pseudo_instruction lookup_labels sigma policy (program_counter pseudo_assembly_program cm ps) lookup_datalabels (Instruction instr)) →
+                    ∃n: nat. execute n (code_memory_of_pseudo_assembly_program cm sigma policy) (status_of_pseudo_status M cm ps sigma policy) =
+                      status_of_pseudo_status M' cm s sigma policy).
+    P instr (execute_1_preinstruction ticks Identifier pseudo_assembly_program cm addr_of instr s).
+
+(*
 lemma main_lemma_preinstruction:
   ∀M, M': internal_pseudo_address_map.
@@ -878 +916 @@
     @(pair_replace ?????????? p) normalize nodelta
     [1,3:
+      >get_arg_8_set_program_counter
       cases daemon
     ]
@@ -900 +939 @@
       >EQstatus_after_1 in ⊢ (???%);
       whd in ⊢ (???%);
-      [1:
+      [1:exists_labelled_instruction id instr_list →
         <fetch_refl in ⊢ (???%);
       |2:
@@ -917 +956 @@
         change with (add ???) in match (\snd (half_add ???));
         >set_arg_8_set_program_counter in ⊢ (???%);
-        [2,4,6,8: cases daemon ]
+        [2,4,6,8: /2/ ]
         >program_counter_set_program_counter in ⊢ (???%);
         >(?: add ? intermediate_pc (sign_extension (bitvector_of_nat ? 2)) = intermediate_pc')
@@ -1392 +1431 @@
   ]
 qed.
-
-(*  
-    *
-    [1,2,3: (* ADD, ADDC, SUBB *)
-    @list_addressing_mode_tags_elim_prop try % whd
-    @list_addressing_mode_tags_elim_prop try % whd #arg
-    (* XXX: we first work on sigma_increment_commutation *)
-    #sigma_increment_commutation
-    normalize in match (assembly_1_pseudoinstruction ??????) in sigma_increment_commutation;
-    (* XXX: we work on the maps *)
-    whd in ⊢ (??%? → ?);
-    try (change with (if ? then ? else ? = ? → ?)
-         cases (addressing_mode_ok ????? ∧ addressing_mode_ok ?????) normalize nodelta)
-    #H try @(None_Some_elim ??? H) @(Some_Some_elim ????? H) #map_refl_assm <map_refl_assm
-    (* XXX: we assume the fetch_many hypothesis *)
-    #fetch_many_assm
-    (* XXX: we give the existential *)
-    %{1}
-    whd in match (execute_1_pseudo_instruction0 ?????);
-    (* XXX: work on the left hand side of the equality *)
-    whd in ⊢ (??%?); whd in match (program_counter ???); <EQppc
-    (* XXX: execute fetches some more *)
-    whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-    whd in fetch_many_assm;
-    >EQassembled in fetch_many_assm;
-    cases (fetch ??) * #instr #newpc #ticks normalize nodelta * *
-    #eq_instr #EQticks whd in EQticks:(???%); >EQticks
-    #fetch_many_assm whd in fetch_many_assm;
-    lapply (eq_bv_eq … fetch_many_assm) -fetch_many_assm #EQnewpc
-    >(eq_instruction_to_eq … eq_instr) -instr
-    [ @(pose … (pi1 … (execute_1_preinstruction' …))) #lhs #EQlhs
-      @(pose …
-        (λlhs. status_of_pseudo_status M 〈preamble,instr_list〉 lhs sigma policy))
-      #Pl #EQPl
-      cut (∀A,B:Type[0].∀f,f':A → B.∀x. f=f' → f x = f' x) [2: #eq_f_g_to_eq
-      lapply (λy.eq_f_g_to_eq ???? y EQPl) #XX <(XX lhs) -XX >EQlhs -lhs
-      whd in ⊢ (??%?); whd in ⊢ (??(???%)(?(???%)));
-      @pair_elim
-      >tech_pi1_let_as_commute
-    
-    
-    whd in ⊢ (??%?);
-    [ @(pose … (execute_1_preinstruction' ???????))
-      #lhs whd in ⊢ (???% → ?); #EQlhs
-      @(pose … (execute_1_preinstruction' ???????))
-      #rhs whd in ⊢ (???% → ?); #EQrhs
-
-
-      CSC: delirium
-      
-      >EQlhs -EQlhs >EQrhs -EQrhs
-      cases (add_8_with_carry ???) #bits1 #bits2 whd in ⊢ (??%%);
-      
-     lapply (refl ? (execute_1_preinstruction' ???????));
-    [ whd in match (execute_1_preinstruction' ???????);
-
-    whd in ⊢ (??%?);
-    [ whd in ⊢ (??(???%)%);
-      whd in match (execute_1_preinstruction' ???????);
-      cases (add_8_with_carry ???) #bits1 #bits2 whd in ⊢ (??%?);
-      @pair_elim #result #flags #Heq1
-    whd in match execute_1_preinstruction'; normalize nodelta
-    (* XXX: now we start to work on the mk_PreStatus equality *)
-    whd in ⊢ (??%?);
-  
-  
-  
-    [1,2,3: (* ADD, ADDC, SUBB *) #arg1 #arg2
-    (* XXX: we take up the hypotheses *)
-    #sigma_increment_commutation #next_map_assm #fetch_many_assm
-    (* XXX: we give the existential *)
-    %{1}
-    whd in match (execute_1_pseudo_instruction0 ?????);
-    whd in ⊢ (??%?); whd in match (program_counter ???); <EQppc
-    whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-    (* XXX: fetching of the instruction *)
-    whd in fetch_many_assm;
-    >EQassembled in fetch_many_assm;
-    cases (fetch ??) * #instr #newpc #ticks normalize nodelta * *
-    #eq_instr #EQticks whd in EQticks:(???%); >EQticks
-    #fetch_many_assm whd in fetch_many_assm;
-    lapply (eq_bv_eq … fetch_many_assm) -fetch_many_assm #EQnewpc
-    >(eq_instruction_to_eq … eq_instr) -instr
-    (* XXX: now we start to work on the mk_PreStatus equality *)
-    whd in ⊢ (??%?);
-    check execute_1_preinstruction
-    
-    
-     #MAP #H1 #H2 #EQ %[1,3,5:@1]
-       normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
-       change in ⊢ (? → ??%?) with (execute_1_0 ??)
-       cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 pol (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-       * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-       >H2b >(eq_instruction_to_eq … H2a)
-       generalize in match EQ; -EQ; whd in ⊢ (???% → ??%?); generalize in match MAP; -MAP;
-       @(list_addressing_mode_tags_elim_prop … arg1) whd try % -arg1;
-       @(list_addressing_mode_tags_elim_prop … arg2) whd try % -arg2; #ARG2
-       normalize nodelta; #MAP;
-       [1: change in ⊢ (? → %) with
-        ((let 〈result,flags〉 ≝
-          add_8_with_carry
-           (get_arg_8 ? ps false ACC_A)
-           (get_arg_8 ?
-             (set_low_internal_ram ? ps (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps)))
-             false (DIRECT ARG2))
-           ? in ?) = ?)
-        [2,3: %]
-        change in ⊢ (???% → ?) with
-         (let 〈result,flags〉 ≝ add_8_with_carry ?(*(get_arg_8 ? ps false ACC_A)*) ?? in ?)
-        >get_arg_8_set_clock
-       [1,2: cases (addressing_mode_ok ???? ∧ addressing_mode_ok ????) in MAP ⊢ ?
-         [2,4: #abs @⊥ normalize in abs; destruct (abs)
-         |*:whd in ⊢ (??%? → ?) #H <(option_destruct_Some ??? H)]
-       [ change in ⊢ (? → %) with
-        ((let 〈result,flags〉 ≝
-          add_8_with_carry
-           (get_arg_8 ? ps false ACC_A)
-           (get_arg_8 ?
-             (set_low_internal_ram ? ps (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps)))
-             false (DIRECT ARG2))
-           ? in ?) = ?)
-          >get_arg_8_set_low_internal_ram
-       
-        cases (add_8_with_carry ???)
-         
-        [1,2,3,4,5,6,7,8: cases (add_8_with_carry ???) |*: cases (sub_8_with_carry ???)]
-       #result #flags
-       #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) %
-
-
-  |4: (* Jmp *) #label whd in ⊢ (??%? → ???% → ?);
-   @Some_Some_elim #MAP cases (pol ?) normalize nodelta
-       [3: (* long *) #EQ3 @(Some_Some_elim ????? EQ3) #EQ3'
-         whd in match eject normalize nodelta >EQ3' in ⊢ (% → ?) whd in ⊢ (% → ?)
-         @pair_elim' * #instr #newppc' #ticks #EQ4       
-         * * #H2a #H2b whd in ⊢ (% → ?) #H2
-         >H2b >(eq_instruction_to_eq … H2a)
-         #EQ %[@1]
-         <MAP >(eq_bv_eq … H2) >EQ
-         whd in ⊢ (??%?) >EQ4 whd in ⊢ (??%?)
-         cases ps in EQ4; #A1 #A2 #A3 #A4 #A5 #A6 #A7 #A8 #A9 #A10 #XXX >XXX %
-         whd in ⊢ (??%?)
-         whd in ⊢ (??(match ?%? with [_ ⇒ ?])?)
-         cases ps in EQ0 ⊢ %; #A1 #A2 #A3 #A4 #A5 #A6 #A7 #A8 #A9 #A10 #XXXX >XXXX %
-  |5: (* Call *) #label #MAP
-      generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP <MAP -MAP;
-      whd in ⊢ (???% → ?) cases (pol ?) normalize nodelta;
-       [ (* short *) #abs @⊥ destruct (abs)
-       |3: (* long *) #H1 #H2 #EQ %[@1]
-           (* normalize in H1; !!!*) generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
-           change in ⊢ (? → ??%?) with (execute_1_0 ??)
-           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 pol (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-           >H2b >(eq_instruction_to_eq … H2a)
-           generalize in match EQ; -EQ;
-           whd in ⊢ (???% → ??%?);
-           generalize in match (refl … (half_add 8 (get_8051_sfr ? ps SFR_SP) (bitvector_of_nat ? 1))) cases (half_add ???) in ⊢ (??%? → %) #carry #new_sp #EQ1 normalize nodelta;
-           >(eq_bv_eq … H2c)
-           change with
-            ((?=let 〈ppc_bu,ppc_bl〉 ≝ vsplit bool 8 8 newppc in ?) →
-                (let 〈pc_bu,pc_bl〉 ≝ vsplit bool 8 8 (sigma 〈preamble,instr_list〉 pol newppc) in ?)=?)
-           generalize in match (refl … (vsplit … 8 8 newppc)) cases (vsplit bool 8 8 newppc) in ⊢ (??%? → %) #ppc_bu #ppc_bl #EQppc
-           generalize in match (refl … (vsplit … 8 8 (sigma 〈preamble,instr_list〉 pol newppc))) cases (vsplit bool 8 8 (sigma 〈preamble,instr_list〉 pol newppc)) in ⊢ (??%? → %) #pc_bu #pc_bl #EQpc normalize nodelta;
-           >get_8051_sfr_write_at_stack_pointer >get_8051_sfr_write_at_stack_pointer
-           >get_8051_sfr_set_8051_sfr >get_8051_sfr_set_8051_sfr
-           generalize in match (refl … (half_add ? new_sp (bitvector_of_nat ? 1))) cases (half_add ???) in ⊢ (??%? → %) #carry' #new_sp' #EQ2 normalize nodelta;
-           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c)
-           @split_eq_status;
-            [ >code_memory_write_at_stack_pointer whd in ⊢ (??%?)
-              >code_memory_write_at_stack_pointer %
-            | >set_program_counter_set_low_internal_ram
-              >set_clock_set_low_internal_ram
-              @low_internal_ram_write_at_stack_pointer
-               [ >EQ0 @pol | % | %
-               | @(  … EQ1)
-               | @(pair_destruct_2 … EQ2)
-               | >(pair_destruct_1 ????? EQpc)
-                 >(pair_destruct_2 ????? EQpc)
-                 @vsplit_elim #x #y #H <H -x y H;
-                 >(pair_destruct_1 ????? EQppc)
-                 >(pair_destruct_2 ????? EQppc)
-                 @vsplit_elim #x #y #H <H -x y H;
-                 >EQ0 % ]
-            | >set_low_internal_ram_set_high_internal_ram
-              >set_program_counter_set_high_internal_ram
-              >set_clock_set_high_internal_ram
-              @high_internal_ram_write_at_stack_pointer
-               [ >EQ0 @pol | % | %
-               | @(pair_destruct_2 … EQ1)
-               | @(pair_destruct_2 … EQ2)
-               | >(pair_destruct_1 ????? EQpc)
-                 >(pair_destruct_2 ????? EQpc)
-                 @vsplit_elim #x #y #H <H -x y H;
-                 >(pair_destruct_1 ????? EQppc)
-                 >(pair_destruct_2 ????? EQppc)
-                 @vsplit_elim #x #y #H <H -x y H;
-                 >EQ0 % ]            
-            | >external_ram_write_at_stack_pointer whd in ⊢ (??%?)
-              >external_ram_write_at_stack_pointer whd in ⊢ (???%)
-              >external_ram_write_at_stack_pointer whd in ⊢ (???%)
-              >external_ram_write_at_stack_pointer %
-            | change with (? = sigma ?? (address_of_word_labels_code_mem (\snd (code_memory ? ps)) ?))
-              >EQ0 % 
-            | >special_function_registers_8051_write_at_stack_pointer whd in ⊢ (??%?)
-              >special_function_registers_8051_write_at_stack_pointer whd in ⊢ (???%)
-              >special_function_registers_8051_write_at_stack_pointer whd in ⊢ (???%)
-              >special_function_registers_8051_write_at_stack_pointer %
-            | >special_function_registers_8052_write_at_stack_pointer whd in ⊢ (??%?)
-              >special_function_registers_8052_write_at_stack_pointer whd in ⊢ (???%)
-              >special_function_registers_8052_write_at_stack_pointer whd in ⊢ (???%)
-              >special_function_registers_8052_write_at_stack_pointer %
-            | >p1_latch_write_at_stack_pointer whd in ⊢ (??%?)
-              >p1_latch_write_at_stack_pointer whd in ⊢ (???%)
-              >p1_latch_write_at_stack_pointer whd in ⊢ (???%)
-              >p1_latch_write_at_stack_pointer %
-            | >p3_latch_write_at_stack_pointer whd in ⊢ (??%?)
-              >p3_latch_write_at_stack_pointer whd in ⊢ (???%)
-              >p3_latch_write_at_stack_pointer whd in ⊢ (???%)
-              >p3_latch_write_at_stack_pointer %
-            | >clock_write_at_stack_pointer whd in ⊢ (??%?)
-              >clock_write_at_stack_pointer whd in ⊢ (???%)
-              >clock_write_at_stack_pointer whd in ⊢ (???%)
-              >clock_write_at_stack_pointer %]
-       (*| (* medium *)  #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
-         @pair_elim' #fst_5_addr #rest_addr #EQ1
-         @pair_elim' #fst_5_pc #rest_pc #EQ2
-         generalize in match (refl … (eq_bv … fst_5_addr fst_5_pc))
-         cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta; #EQ3 #TEQ [2: destruct (TEQ)]
-         generalize in match (option_destruct_Some ??? TEQ) -TEQ; #K1 >K1 in H2; whd in ⊢ (% → ?)
-         change in ⊢ (? →??%?) with (execute_1_0 ??)
-         @pair_elim' * #instr #newppc' #ticks #EQn
-          * * #H2a #H2b whd in ⊢ (% → ?) #H2c >H2b >(eq_instruction_to_eq … H2a) whd in ⊢ (??%?)
-          generalize in match EQ; -EQ; normalize nodelta; >(eq_bv_eq … H2c)
-          @pair_elim' #carry #new_sp change with (half_add ? (get_8051_sfr ? ps ?) ? = ? → ?) #EQ4
-          @vsplit_elim' #pc_bu #pc_bl >program_counter_set_8051_sfr XXX change with (newppc = ?) #EQ5
-          @pair_elim' #carry' #new_sp' #EQ6 normalize nodelta; #EQx >EQx -EQx;
-          change in ⊢ (??(match ????% with [_ ⇒ ?])?) with (sigma … newppc)
-          @vsplit_elim' #pc_bu' #pc_bl' #EQ7 change with (newppc' = ? → ?)
-          >get_8051_sfr_set_8051_sfr
-          
-          whd in EQ:(???%) ⊢ ? >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) whd in ⊢ (??%?)
-           change with ((let 〈pc_bu,pc_bl〉 ≝ vsplit bool 8 8 (sigma 〈preamble,instr_list〉 newppc) in ?)=?)
-           generalize in match (refl … (vsplit bool 8 8 (sigma 〈preamble,instr_list〉 newppc)))
-           cases (vsplit ????) in ⊢ (??%? → %) #pc_bu #pc_bl normalize nodelta; #EQ4
-           generalize in match (refl … (vsplit bool 4 4 pc_bu))
-           cases (vsplit ????) in ⊢ (??%? → %) #nu #nl normalize nodelta; #EQ5
-           generalize in match (refl … (vsplit bool 3 8 rest_addr))
-           cases (vsplit ????) in ⊢ (??%? → %) #relevant1 #relevant2 normalize nodelta; #EQ6
-           change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma … newppc) ? in ?) = ?)
-           generalize in match
-            (refl …
-             (half_add 16 (sigma 〈preamble,instr_list〉 newppc)
-             ((nu@@get_index' bool 0 3 nl:::relevant1)@@relevant2)))
-           cases (half_add ???) in ⊢ (??%? → %) #carry #new_pc normalize nodelta; #EQ7
-           @split_eq_status try %
-            [ change with (? = sigma ? (address_of_word_labels ps label))
-              (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
-            | whd in ⊢ (??%%) whd in ⊢ (??(?%?)?) whd in ⊢ (??(?(match ?(?%)? with [_ ⇒ ?])?)?) 
-              @(bitvector_3_elim_prop … (\fst (vsplit bool 3 8 rest_addr))) %]] *)]
-  |4: (* Jmp *) #label #MAP
-      generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP >MAP -MAP;
-      whd in ⊢ (???% → ?) cases (pol ?) normalize nodelta;
-       [3: (* long *) #H1 #H2 #EQ %[@1]
-           (* normalize in H1; !!!*) generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
-           change in ⊢ (? → ??%?) with (execute_1_0 ??)
-           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 pol (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-           >H2b >(eq_instruction_to_eq … H2a)
-           generalize in match EQ; -EQ;
-           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c)
-           cases ps in EQ0 ⊢ %; #A1 #A2 #A3 #A4 #A5 #A6 #A7 #A8 #A9 #A10 #XXXX >XXXX %
-       |1: (* short *) #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
-           generalize in match
-            (refl ?
-             (sub_16_with_carry
-              (sigma 〈preamble,instr_list〉 pol (program_counter … ps))
-              (sigma 〈preamble,instr_list〉 pol (address_of_word_labels_code_mem instr_list label))
-              false))
-           cases (sub_16_with_carry ???) in ⊢ (??%? → %); #results #flags normalize nodelta;
-           generalize in match (refl … (vsplit … 8 8 results)) cases (vsplit ????) in ⊢ (??%? → %) #upper #lower normalize nodelta;
-           generalize in match (refl … (eq_bv … upper (zero 8))) cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta;
-           #EQ1 #EQ2 #EQ3 #H1 [2: @⊥ destruct (H1)]
-           generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
-           change in ⊢ (? → ??%?) with (execute_1_0 ??)
-           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 pol (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-           >H2b >(eq_instruction_to_eq … H2a)
-           generalize in match EQ; -EQ;
-           whd in ⊢ (???% → ?);
-           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c)
-           change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma ???) ? in ?) = ?)
-           generalize in match (refl … (half_add 16 (sigma 〈preamble,instr_list〉 pol newppc) (sign_extension lower)))
-           cases (half_add ???) in ⊢ (??%? → %) #carry #newpc normalize nodelta #EQ4
-           @split_eq_status try % change with (newpc = sigma ?? (address_of_word_labels ps label))
-           (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
-       | (* medium *)  #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
-         generalize in match
-          (refl …
-            (vsplit … 5 11 (sigma 〈preamble,instr_list〉 pol (address_of_word_labels_code_mem instr_list label))))
-         cases (vsplit ????) in ⊢ (??%? → %) #fst_5_addr #rest_addr normalize nodelta; #EQ1
-         generalize in match
-          (refl …
-            (vsplit … 5 11 (sigma 〈preamble,instr_list〉 pol (program_counter … ps))))
-         cases (vsplit ????) in ⊢ (??%? → %) #fst_5_pc #rest_pc normalize nodelta; #EQ2
-         generalize in match (refl … (eq_bv … fst_5_addr fst_5_pc))
-         cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta; #EQ3 #TEQ [2: destruct (TEQ)]
-         generalize in match (option_destruct_Some ??? TEQ) -TEQ; #K1 >K1 in H2; whd in ⊢ (% → ?)
-         change in ⊢ (? →??%?) with (execute_1_0 ??)
-           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 pol (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-           >H2b >(eq_instruction_to_eq … H2a)
-           generalize in match EQ; -EQ;
-           whd in ⊢ (???% → ?);
-           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) whd in ⊢ (??%?)
-           change with ((let 〈pc_bu,pc_bl〉 ≝ vsplit bool 8 8 (sigma 〈preamble,instr_list〉 pol newppc) in ?)=?)
-           generalize in match (refl … (vsplit bool 8 8 (sigma 〈preamble,instr_list〉 pol newppc)))
-           cases (vsplit ????) in ⊢ (??%? → %) #pc_bu #pc_bl normalize nodelta; #EQ4
-           generalize in match (refl … (vsplit bool 4 4 pc_bu))
-           cases (vsplit ????) in ⊢ (??%? → %) #nu #nl normalize nodelta; #EQ5
-           generalize in match (refl … (vsplit bool 3 8 rest_addr))
-           cases (vsplit ????) in ⊢ (??%? → %) #relevant1 #relevant2 normalize nodelta; #EQ6
-           change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma … newppc) ? in ?) = ?)
-           generalize in match
-            (refl …
-             (half_add 16 (sigma 〈preamble,instr_list〉 pol newppc)
-             ((nu@@get_index' bool 0 3 nl:::relevant1)@@relevant2)))
-           cases (half_add ???) in ⊢ (??%? → %) #carry #new_pc normalize nodelta; #EQ7    
-           @split_eq_status try %
-            [ change with (? = sigma ?? (address_of_word_labels ps label))
-              (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
-            | whd in ⊢ (??%%) whd in ⊢ (??(?%?)?) whd in ⊢ (??(?(match ?(?%)? with [_ ⇒ ?])?)?) 
-              @(bitvector_3_elim_prop … (\fst (vsplit bool 3 8 rest_addr))) %]]
-  | (* Instruction *) -pi;  whd in ⊢ (? → ??%? → ?) *; normalize nodelta;
-    [1,2,3: (* ADD, ADDC, SUBB *) #arg1 #arg2 #MAP #H1 #H2 #EQ %[1,3,5:@1]
-       normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
-       change in ⊢ (? → ??%?) with (execute_1_0 ??)
-       cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 pol (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-       * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-       >H2b >(eq_instruction_to_eq … H2a)
-       generalize in match EQ; -EQ; whd in ⊢ (???% → ??%?); generalize in match MAP; -MAP;
-       @(list_addressing_mode_tags_elim_prop … arg1) whd try % -arg1;
-       @(list_addressing_mode_tags_elim_prop … arg2) whd try % -arg2; #ARG2
-       normalize nodelta; #MAP;
-       [1: change in ⊢ (? → %) with
-        ((let 〈result,flags〉 ≝
-          add_8_with_carry
-           (get_arg_8 ? ps false ACC_A)
-           (get_arg_8 ?
-             (set_low_internal_ram ? ps (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps)))
-             false (DIRECT ARG2))
-           ? in ?) = ?)
-        [2,3: %]
-        change in ⊢ (???% → ?) with
-         (let 〈result,flags〉 ≝ add_8_with_carry ?(*(get_arg_8 ? ps false ACC_A)*) ?? in ?)
-        >get_arg_8_set_clock
-       [1,2: cases (addressing_mode_ok ???? ∧ addressing_mode_ok ????) in MAP ⊢ ?
-         [2,4: #abs @⊥ normalize in abs; destruct (abs)
-         |*:whd in ⊢ (??%? → ?) #H <(option_destruct_Some ??? H)]
-       [ change in ⊢ (? → %) with
-        ((let 〈result,flags〉 ≝
-          add_8_with_carry
-           (get_arg_8 ? ps false ACC_A)
-           (get_arg_8 ?
-             (set_low_internal_ram ? ps (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps)))
-             false (DIRECT ARG2))
-           ? in ?) = ?)
-          >get_arg_8_set_low_internal_ram
-       
-        cases (add_8_with_carry ???)
-         
-        [1,2,3,4,5,6,7,8: cases (add_8_with_carry ???) |*: cases (sub_8_with_carry ???)]
-       #result #flags
-       #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) %
-    | (* INC *) #arg1 #H1 #H2 #EQ %[@1]
-       normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
-       change in ⊢ (? → ??%?) with (execute_1_0 ??)
-       cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
-       * * #H2a #H2b whd in ⊢ (% → ?) #H2c
-       >H2b >(eq_instruction_to_eq … H2a)
-       generalize in match EQ; -EQ; whd in ⊢ (???% → ??%?);
-       @(list_addressing_mode_tags_elim_prop … arg1) whd try % -arg1; normalize nodelta; [1,2,3: #ARG]
-       [1,2,3,4: cases (half_add ???) #carry #result
-       | cases (half_add ???) #carry #bl normalize nodelta;
-         cases (full_add ????) #carry' #bu normalize nodelta ]
-        #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) -newppc';
-        [5: %
-        |1: <(set_arg_8_set_code_memory 0 [[direct]] ? ? ? (set_clock pseudo_assembly_program
-      (set_program_counter pseudo_assembly_program ps newppc)
-      (\fst  (ticks_of0 〈preamble,instr_list〉
-                   (program_counter pseudo_assembly_program ps)
-                   (Instruction (INC Identifier (DIRECT ARG))))
-       +clock pseudo_assembly_program
-        (set_program_counter pseudo_assembly_program ps newppc))) (load_code_memory assembled) result (DIRECT ARG))
-        [2,3: // ]
-            <(set_arg_8_set_program_counter 0 [[direct]] ? ? ? ? ?) [2://]
-            whd in ⊢ (??%%)
-            cases (vsplit bool 4 4 ARG)
-            #nu' #nl'
-            normalize nodelta
-            cases (vsplit bool 1 3 nu')
-            #bit_1' #ignore'
-            normalize nodelta
-            cases (get_index_v bool 4 nu' ? ?)
-            [ normalize nodelta (* HERE *) whd in ⊢ (??%%) %
-            |
-            ]
-cases daemon (* EASY CASES TO BE COMPLETED *)
-qed.
 *)

src/ASM/AssemblyProofSplitSplit.ma

@@ -1 +1 @@
 include "ASM/AssemblyProofSplit.ma".
+include "common/LabelledObjects.ma".
+
+check pseudo_instruction
+
+definition instruction_has_label ≝
+  λid: Identifier.
+  λi.
+  match i with
+  [ Jmp j ⇒ j = id
+  | Call j ⇒ j = id
+  | Instruction instr ⇒
+    match instr with
+    [ JC j ⇒ j = id
+    | JNC j ⇒ j = id
+    | JZ j ⇒ j = id
+    | JNZ j ⇒ j = id
+    | JB _ j ⇒ j = id
+    | JBC _ j ⇒ j = id
+    | DJNZ _ j ⇒ j = id
+    | CJNE _ j ⇒ j = id
+    | _ ⇒ False
+    ]
+  | _ ⇒ False
+  ].
+  
+
+definition is_well_labelled_p ≝
+  λinstr_list.
+  ∀id: Identifier.
+  ∀ppc.
+  ∀i.
+    fetch_pseudo_instruction instr_list ppc = i →
+      instruction_has_label id (\fst i) →
+        occurs_exactly_once ASMTag pseudo_instruction id instr_list.
 
 theorem main_thm:
   ∀M, M': internal_pseudo_address_map.
   ∀program: pseudo_assembly_program.
+  ∀is_well_labelled: is_well_labelled_p (\snd program).
   ∀sigma: Word → Word.
   ∀policy: Word → bool.
@@ -13 +48 @@
         status_of_pseudo_status M' … 
           (execute_1_pseudo_instruction (ticks_of program sigma policy) program ps) sigma policy.
-  #M #M' * #preamble #instr_list #sigma #policy #sigma_policy_witness #ps #program_counter_in_bounds
+  #M #M' * #preamble #instr_list #is_well_labelled_witness #sigma #policy #sigma_policy_witness #ps #program_counter_in_bounds
   change with (next_internal_pseudo_address_map0 ????? = ? → ?)
   @(pose … (program_counter ?? ps)) #ppc #EQppc
@@ -31 +66 @@
   generalize in match assm1; -assm1 -assm2 -assm3
   normalize nodelta
-  cases pi
+  inversion pi
   [2,3:
-    #arg
+    #arg #_
     (* XXX: we first work on sigma_increment_commutation *)
     #sigma_increment_commutation
@@ -49 +84 @@
     [1,2: /demod/ >EQnewppc >sigma_increment_commutation <add_zero % (*CSC: auto not working, why? *) ]
   |6: (* Mov *)
-    #arg1 #arg2
+    #arg1 #arg2 #_
     (* XXX: we first work on sigma_increment_commutation *)
     #sigma_increment_commutation
@@ -83 +118 @@
     >set_arg_16_mk_Status_commutation in ⊢ (???%);
     (* here we are *)
-    @split_eq_status //
+    @split_eq_status try %
     [1:
       assumption
     |2:
-      @special_function_registers_8051_set_arg_16
-      [2: %
-      |1: //
-      ]
+      @special_function_registers_8051_set_arg_16 %
     ]
   |1: (* Instruction *)
-    -pi #instr #EQP #EQnext #fetch_many_assm
+    #instr #_ #EQP #EQnext #fetch_many_assm
     @(main_lemma_preinstruction M M' preamble instr_list 〈preamble, instr_list〉 (refl …) sigma policy sigma_policy_witness
       ps ppc EQppc labels costs create_label_cost_refl newppc lookup_labels EQlookup_labels lookup_datalabels EQlookup_datalabels
@@ -100 +132 @@
       (refl …) ? (refl …))
     try assumption >assembly_refl <EQppc assumption
-    check status_of_pseudo_status
   |4:
+    #arg1 #pi_refl
+    (* XXX: we first work on sigma_increment_commutation *)
+    whd in match (assembly_1_pseudoinstruction ??????) in ⊢ (% → ?);
+    whd in match (expand_pseudo_instruction ??????);
+(*    generalize in match (refl … (expand_pseudo_instruction lookup_labels sigma policy ppc lookup_datalabels (Jmp arg1)));
+    whd in match (expand_pseudo_instruction ??????) in ⊢ (??%? → % → ?); *)
+    inversion (sub_16_with_carry ???) #result #flags #sub16_refl normalize nodelta
+    inversion (vsplit ????) #upper #lower #vsplit_refl normalize nodelta
+    inversion (eq_bv ??? ∧ ¬ policy ?) #eq_bv_policy_refl normalize nodelta
+    [2:
+      inversion (vsplit ????) #fst_5_addr #rest_addr #addr_refl normalize nodelta
+      inversion (vsplit ????) #fst_5_pc #rest_pc #pc_refl normalize nodelta
+      cases (eq_bv ??? ∧ ¬ policy ?) normalize nodelta
+    ]
+    #sigma_increment_commutation
+    normalize in sigma_increment_commutation:(???(???(??%)));
+    (* XXX: we work on the maps *)
+    whd in ⊢ (??%? → ?); @Some_Some_elim #map_refl_assm <map_refl_assm
+    (* XXX: we assume the fetch_many hypothesis *)
+    * #fetch_refl #fetch_many_assm
+    (* XXX: we give the existential *)
+    %{1}
+    (* XXX: work on the left hand side of the equality *)
+    whd in ⊢ (??%?); whd in match (program_counter ???); <EQppc
+    (* XXX: execute fetches some more *)
+    whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
+    whd in fetch_many_assm;
+    >EQassembled in fetch_refl; #fetch_refl <fetch_refl -fetch_refl
+    lapply (eq_bv_eq … fetch_many_assm) -fetch_many_assm #EQnewpc
+    whd in ⊢ (??%%);
+    (* XXX: now we start to work on the mk_PreStatus equality *)
+    (* XXX: lhs *)
+    (* XXX: rhs *)
+    (* here we are *)
+    @split_eq_status try % /demod nohyps/
+    [1,3,4:
+      change with (add ???) in match (\snd (half_add ???));
+      whd in match execute_1_pseudo_instruction0; normalize nodelta
+      /demod nohyps/ >set_clock_set_program_counter
+      >program_counter_set_program_counter
+      whd in ⊢ (??%?); normalize nodelta whd in match address_of_word_labels; normalize nodelta
+      lapply (create_label_cost_map_ok 〈preamble, instr_list〉) >create_label_cost_refl
+      normalize nodelta #address_of_word_labels_assm <address_of_word_labels_assm
+      [1:
+        -address_of_word_labels_assm >EQnewpc >pc_refl normalize nodelta
+        >(pair_destruct_2 ????? (sym_eq … addr_refl))
+        >(pair_destruct_1 ????? (sym_eq … pc_refl)) >EQnewpc
+        (* XXX: true but needs lemma about splitting *)
+        cases daemon
+      |3:
+        >EQnewpc >pc_refl normalize nodelta
+        >(pair_destruct_2 ????? (sym_eq … addr_refl))
+        >(pair_destruct_1 ????? (sym_eq … pc_refl)) >EQnewpc
+        >EQlookup_labels normalize nodelta
+        >address_of_word_labels_assm try %
+      |5:
+        >EQnewpc
+      ]
+      @(is_well_labelled_witness … fetch_pseudo_refl)
+      >pi_refl %
+    |2:
+      whd in match compute_target_of_unconditional_jump; normalize nodelta
+      >program_counter_set_program_counter
+      cases (vsplit ????) #pc_bu #pc_bl normalize nodelta
+      cases (vsplit ????) #nu #nl normalize nodelta
+      cases (vsplit ????) #relevant1 #relevant2 normalize nodelta
+      change with (add ???) in match (\snd (half_add ???)); >EQnewpc
+      cases daemon
+    |3:
+      whd in ⊢ (??%%);
+      /demod nohyps/
+      cases daemon
+    ]
+  |5: (* Call *)
     #arg1
     (* XXX: we first work on sigma_increment_commutation *)
@@ -119 +224 @@
     whd in fetch_many_assm;
     >EQassembled in fetch_many_assm;
-    cases (fetch ??) * #instr #newpc #ticks normalize nodelta *
+    cases (fetch ??) * #instr #newpc #?ticks normalize nodelta *
     #eq_instr
     #fetch_many_assm whd in fetch_many_assm;
@@ -145 +250 @@
       ]
     ]
-  |5: cases daemon
   ]
 qed.

src/ASM/Interpret.ma

@@ -990 +990 @@
         match addr return λx. bool_to_Prop (is_in … [[ addr11 ]] x) → Σs':?. ? with
         [ ADDR11 a ⇒ λaddr11: True.
-          let 〈pc_bu, pc_bl〉 ≝ vsplit ? 8 8 program_counter in
-          let 〈nu, nl〉 ≝ vsplit ? 4 4 pc_bu in
-          let bit ≝ get_index' ? O ? nl in
-          let 〈relevant1, relevant2〉 ≝ vsplit ? 3 8 a in
-          let new_addr ≝ (nu @@ (bit ::: relevant1)) @@ relevant2 in
-          let 〈carry, new_pc〉 ≝ half_add ? program_counter new_addr in
-            new_pc
+          let 〈pc_bu, pc_bl〉 ≝ vsplit ? 5 11 program_counter in
+          let new_addr ≝ pc_bu @@ a in
+            new_addr
         | _ ⇒ λother: False. ⊥
         ] (subaddressing_modein … addr)

src/ASM/PolicyFront.ma

@@ -324 +324 @@
   then \fst (bvt_lookup … (bitvector_of_nat 16 paddr) (\snd old_sigma) 〈0,short_jump〉) + added
   else \fst (bvt_lookup … (bitvector_of_nat 16 paddr) (\snd inc_sigma) 〈0,short_jump〉)) in
-  let 〈result, flags〉 ≝ sub_16_with_carry pc_plus_jmp_length addr false in
+  let 〈result, flags〉 ≝ sub_16_with_carry addr pc_plus_jmp_length false in
   let 〈upper, lower〉 ≝ vsplit ? 8 8 result in
   if eq_bv ? upper (zero 8)
@@ -356 +356 @@
   then \fst (bvt_lookup … (bitvector_of_nat 16 paddr) (\snd old_sigma) 〈0,short_jump〉) + added
   else \fst (bvt_lookup … (bitvector_of_nat 16 paddr) (\snd inc_sigma) 〈0,short_jump〉)) in
-  let 〈result, flags〉 ≝ sub_16_with_carry pc_plus_jmp_length addr false in
+  let 〈result, flags〉 ≝ sub_16_with_carry addr pc_plus_jmp_length false in
   let 〈upper, lower〉 ≝ vsplit ? 8 8 result in
   if eq_bv ? upper (zero 8)
@@ -748 +748 @@
 definition short_jump_cond: Word → Word → pseudo_instruction → Prop ≝
   λpc_plus_jmp_length.λaddr.λinstr.
-  let 〈result, flags〉 ≝ sub_16_with_carry pc_plus_jmp_length addr false in
+  let 〈result, flags〉 ≝ sub_16_with_carry addr pc_plus_jmp_length false in
   let 〈upper, lower〉 ≝ vsplit ? 8 8 result in
-  eq_bv 8 upper (zero 8) = true.
+    if flags then
+      eq_bv 8 upper [[true;true;true;true;true;true;true;true]] = true
+    else
+      eq_bv 8 upper (zero 8) = true.
 
 definition medium_jump_cond: Word → Word → pseudo_instruction → Prop ≝