Changeset 2151

Timestamp:

Jul 3, 2012, 6:12:24 PM (6 years ago)

Author:

sacerdot

Message:

1. Lemmas from AssemblyProof? anticipated to Assembly.ma
2. Jaap's specification strengthened again a little bit (for simplicity of use)
3. 3/4 of the proof in Assembly.ma closed (up to 3 daemons)

Location:

src/ASM

Files:

• Assembly.ma (modified) (5 diffs)
• AssemblyProof.ma (modified) (3 diffs)

src/ASM/Assembly.ma

@@ -708 +708 @@
      ∧
      (nat_of_bitvector … pc + instruction_size lookup_labels sigma policy ppc instruction < 2^16
-      (*nat_of_bitvector … pc < nat_of_bitvector … next_pc*) ∨
-      S (nat_of_bitvector … ppc) = |instr_list| ∧ next_pc = zero …).
+     ∨
+     S (nat_of_bitvector … ppc) = |instr_list| ∧
+     nat_of_bitvector … pc + instruction_size lookup_labels sigma policy ppc instruction = 2^16).
+
+
+(*CSC: move elsewhere*)
+axiom add_bitvector_of_nat:
+ ∀n,m1,m2.
+  bitvector_of_nat n (m1 + m2) =
+   add n (bitvector_of_nat n m1) (bitvector_of_nat n m2).
+
+lemma fst_assembly_1_pseudoinstruction_insensible_to_lookup_datalabels:
+ ∀lookup_labels,sigma,policy,ppc,pi.
+  ∀lookup_datalabels1,lookup_datalabels2.
+   \fst (assembly_1_pseudoinstruction lookup_labels sigma policy ppc lookup_datalabels1 pi) =
+   \fst (assembly_1_pseudoinstruction lookup_labels sigma policy ppc lookup_datalabels2 pi).
+#lookup_labels #sigma #policy #ppc #pi #lookup_datalabels1 #lookup_datalabels2
+cases pi //
+qed.
+
+lemma fst_snd_assembly_1_pseudoinstruction:
+ ∀lookup_labels,sigma,policy,ppc,pi,lookup_datalabels,len,assembled.
+   assembly_1_pseudoinstruction lookup_labels sigma policy ppc lookup_datalabels pi
+   = 〈len,assembled〉 →
+    len = |assembled|.
+#lookup #sigma #policy #ppc #pi #lookup_datalabels #len #assembled
+inversion (assembly_1_pseudoinstruction ??????) #len' #assembled'
+whd in ⊢ (??%? → ?); #EQ1 #EQ2 destruct %
+qed.
 
 definition assembly:
@@ -736 +763 @@
            nth_safe ? (nat_of_bitvector … (add … (sigma ppc) (bitvector_of_nat ? j)))
             assembled K
-≝ ?. cases daemon(*
+≝
   λp.
   λsigma.
   λpolicy.
   deplet 〈preamble, instr_list〉 as p_refl ≝ p in
-  let 〈labels_to_ppc,ppc_to_costs〉 ≝ create_label_cost_map instr_list in
+  deplet 〈labels_to_ppc,ppc_to_costs〉 as eq_create_label_cost_map ≝ create_label_cost_map instr_list in
   let datalabels ≝ construct_datalabels preamble in
   let lookup_labels ≝ λx. bitvector_of_nat ? (lookup_def … labels_to_ppc x 0) in
@@ -753 +780 @@
         let 〈ppc,code〉 ≝ ppc_code in
          ppc = bitvector_of_nat … (|pre|) ∧
+         |code| ≤ 2^16 ∧
          (nat_of_bitvector … (sigma ppc) = |code| ∨
           sigma ppc = zero … ∧ |code| = 2^16) ∧
@@ -760 +788 @@
            let 〈len,assembledi〉 ≝
             assembly_1_pseudoinstruction lookup_labels sigma policy ppc' lookup_datalabels pi in
+           |assembledi| ≤ |reverse … code| ∧
            ∀j:nat. ∀H: j < |assembledi|. ∀K.
             nth_safe ? j assembledi H =
@@ -773 +802 @@
      〈reverse … revcode,
       fold … (λppc.λcost.λpc_to_costs. insert … (sigma ppc) cost pc_to_costs) ppc_to_costs (Stub ??)〉.
-  [ cases (foldl_strong ? (λx.Σy.?) ???) in p2; #ignore_revcode #Hfold #EQignore_revcode
+  [ cases (foldl_strong ? (λx.Σy.?) ???) in p1; #ignore_revcode #Hfold #EQignore_revcode
     >EQignore_revcode in Hfold; #Hfold #sigma_pol_ok #instr_list_ok
-    cases (Hfold sigma_pol_ok instr_list_ok) -Hfold * #Hfold1 #Hfold3 #Hfold2 whd >p1 whd %
+    cases (Hfold sigma_pol_ok instr_list_ok) -Hfold * * #Hfold1 #Hfold4 #Hfold3 #Hfold2 whd
+    <eq_create_label_cost_map whd %
     [2: #ppc #LTppc @Hfold2 >Hfold1 @(eqb_elim (|instr_list|) 2^16)
       [ #limit %2 @limit
       | #nlimit %1 >nat_of_bitvector_bitvector_of_nat_inverse try assumption
         @not_eq_to_le_to_lt assumption ]
-    | >length_reverse <Hfold3 %
-      [ @(transitive_le … (S (nat_of_bitvector … (sigma next_pc))))
-        [ // | change with (? < ?); @lt_nat_of_bitvector ]
-      | >Hfold1 % ]]
+    | >length_reverse % try assumption cases Hfold3 -Hfold3
+      [ #Hfold3 <Hfold3 % >Hfold1 %
+      | #Hfold5 %2 <Hfold1 assumption ]]
   | * #sigma_pol_ok1 #_ #instr_list_ok %
-    [ % // >sigma_pol_ok1 % ]
+    [ % % // >sigma_pol_ok1 % ]
     #ppc' #ppc_ok' #abs @⊥ cases abs
      [#abs2 cases (not_le_Sn_O ?) [#H @(H abs2) | skip]
      |#abs2 change with (0 = S ?) in abs2; destruct(abs2) ]
   | * #sigma_pol_ok1 #sigma_pol_ok2 #instr_list_ok cases ppc_code in p1; -ppc_code #ppc_code #IH #EQppc_code >EQppc_code in IH; -EQppc_code
-    #IH cases (IH ? instr_list_ok) [2: % assumption ] * #IH1 #IH3 #IH2 whd % [%
+    #IH cases (IH ? instr_list_ok) [2: % assumption ] -IH
+    * * #IH1 #IH2 *
+    [2: #H @⊥ cases daemon (*CSC: impossible case, using Jaaps's ? *)]
+    #IH3 #IH5
+    cut (|prefix| < |instr_list|)
+    [ >prf >length_append normalize <plus_n_Sm @le_S_S // ] #LT_prefix_instr_list
+    cut (|prefix| < 2^16)
+    [ @(lt_to_le_to_lt … (|instr_list|)) assumption ] #prefix_ok
+    cut (nat_of_bitvector … ppc < |instr_list|)
+    [ >IH1 >nat_of_bitvector_bitvector_of_nat_inverse assumption ] #ppc_ok
+    cut (\snd hd = \fst (fetch_pseudo_instruction instr_list ppc ppc_ok))
+    [ >prf in ppc_ok; >IH1 >(add_zero … (bitvector_of_nat … (|prefix|)))
+      >fetch_pseudo_instruction_append
+      [ #ppc_ok whd in match fetch_pseudo_instruction; normalize nodelta
+        whd in match (nth_safe ????); [ cases hd // | normalize // ]
+      | <add_zero >nat_of_bitvector_bitvector_of_nat_inverse
+        [ <prf assumption | assumption ]
+      | skip
+      | <prf assumption
+      ]] #eq_fetch_pseudo_instruction
+    lapply (fst_snd_assembly_1_pseudoinstruction … p2) #EQpc_delta
+    cut (pc_delta < 2^16)
+    [cases daemon (*CSC: DA FARE*) ] #pc_delta_ok
+    % [ % [% ] ]
+    [ >length_append normalize nodelta >IH1 @sym_eq @add_bitvector_of_nat
+    | >length_append >length_reverse <IH3 cases daemon (*CSC: maybe, using monotonicity*)
+    | cases (sigma_pol_ok2 … ppc_ok)
+      whd in match instruction_size; normalize nodelta >p2 <eq_fetch_pseudo_instruction
+      <eq_create_label_cost_map
+      >fst_assembly_1_pseudoinstruction_insensible_to_lookup_datalabels [ >p2 | skip]
+      #sigma_ok >sigma_ok #sigma_pol_ok3 -sigma_pol_ok2
+      >length_append >length_reverse <IH3 <EQpc_delta cases sigma_pol_ok3
+      [ #LT %1 >nat_of_bitvector_add
+        [2: >nat_of_bitvector_bitvector_of_nat_inverse assumption]
+        >nat_of_bitvector_bitvector_of_nat_inverse try assumption //
+      | * #EQ1 #EQ2 %2 %
+        [ lapply (eq_f … (bitvector_of_nat 16) … EQ2) <add_bitvector_of_nat_plus
+          >bitvector_of_nat_inverse_nat_of_bitvector #X >X @bitvector_of_nat_exp_zero
+        | >commutative_plus assumption ]]
+  | cases daemon
+  ]
+    
+(*    
+    
+     % [%
     [ >length_append normalize nodelta >IH1 (*CSC: TRUE, LEMMA NEEDED *) cases daemon
     |2: (*CSC: NEES JAAP INVARIANT*) cases daemon]]

src/ASM/AssemblyProof.ma

@@ -179 +179 @@
     | _ ⇒ True
     ].
-
-lemma fst_assembly_1_pseudoinstruction_insensible_to_lookup_datalabels:
- ∀lookup_labels,sigma,policy,ppc,pi.
-  ∀lookup_datalabels1,lookup_datalabels2.
-   \fst (assembly_1_pseudoinstruction lookup_labels sigma policy ppc lookup_datalabels1 pi) =
-   \fst (assembly_1_pseudoinstruction lookup_labels sigma policy ppc lookup_datalabels2 pi).
-#lookup_labels #sigma #policy #ppc #pi #lookup_datalabels1 #lookup_datalabels2
-cases pi //
-qed.
-
-lemma fst_snd_assembly_1_pseudoinstruction:
- ∀lookup_labels,sigma,policy,ppc,pi,lookup_datalabels,len,assembled.
-   assembly_1_pseudoinstruction lookup_labels sigma policy ppc lookup_datalabels pi
-   = 〈len,assembled〉 →
-    len = |assembled|.
-#lookup #sigma #policy #ppc #pi #lookup_datalabels #len #assembled
-inversion (assembly_1_pseudoinstruction ??????) #len' #assembled'
-whd in ⊢ (??%? → ?); #EQ1 #EQ2 destruct %
-qed.
 
 (* XXX: easy but tedious *)
@@ -355 +336 @@
      ]
    | * #EQ1 #EQ2 %2 %
-     [ <add_bitvector_of_nat_Sm >add_commutative assumption 
+     [ <add_bitvector_of_nat_Sm >add_commutative >H
+       lapply (eq_f … (bitvector_of_nat 16) … EQ2)
+       <add_bitvector_of_nat_plus
+       >bitvector_of_nat_inverse_nat_of_bitvector #X >X @bitvector_of_nat_exp_zero
      | <(nat_of_bitvector_bitvector_of_nat_inverse 16 m) try assumption
      ]]]
@@ -437 +421 @@
           [2: * #EQ1 #EQ2 @⊥ <EQ1 in EQlen_assembled';
               <add_bitvector_of_nat_Sm >add_commutative
-              >bitvector_of_nat_inverse_nat_of_bitvector >OK >EQ2 assumption ]
+              >bitvector_of_nat_inverse_nat_of_bitvector >OK >EQ2
+              lapply (eq_f … (bitvector_of_nat 16) … EQ2) -EQ2
+              <add_bitvector_of_nat_plus >bitvector_of_nat_inverse_nat_of_bitvector
+              #X >X #Y @NOT_EMPTY <Y >bitvector_of_nat_exp_zero % ]
           cases (le_to_or_lt_eq … instr_list_ok)
           [2: #abs @⊥ >abs in EQlen_assembled'; >bitvector_of_nat_exp_zero >sigma_zero