Changeset 2203

Timestamp:

Jul 17, 2012, 6:57:40 PM (6 years ago)

Author:

campbell

Message:

A general result about simulations of executions.

Location:

src

Files:

• Clight/Cexec.ma (modified) (1 diff)
• Clight/labelSimulation.ma (modified) (35 diffs)
• common/Executions.ma (modified) (2 diffs)
• common/SmallstepExec.ma (modified) (1 diff)

src/Clight/Cexec.ma

@@ -551 +551 @@
 definition clight_fullexec : fullexec io_out io_in ≝
   mk_fullexec ??? clight_exec make_global make_initial_state.
+
+
+(* A few lemmas about the semantics. *)
+
+lemma cl_step_not_final : ∀ge,s1,tr,s2.
+  exec_step ge s1 = OK … 〈tr,s2〉 →
+  is_final s1 = None ?.
+#ge * //
+#r #tr #s2 #E
+whd in E:(??%%);
+destruct
+qed.
+
+(* If you can step in Clight, then you aren't in a final state.  Hence we can
+   give nicer constructors for plus. *)
+lemma cl_plus_one : ∀ge,s1,tr,s2.
+  exec_step ge s1 = OK … 〈tr,s2〉 →
+  plus … clight_exec ge s1 tr s2.
+#ge #s1 #tr #s2 #EX @(plus_one … EX) /2/
+qed.
+
+lemma cl_plus_succ : ∀ge,s1,tr,s2,tr',s3.
+    exec_step ge s1 = OK … 〈tr,s2〉 →
+    plus … clight_exec ge s2 tr' s3 →
+    plus … clight_exec ge s1 (tr⧺tr') s3.
+#ge #s1 #tr #s2 #tr' #s3 #EX @plus_succ /2/ @EX
+qed.
+

src/Clight/labelSimulation.ma

@@ -314 +314 @@
 . 
 
-(* TODO: this (or something like it) ought to be elsewhere. *)
-inductive plus (ge:genv) : state → trace → state → Prop ≝
-| plus_one : ∀s1,tr,s2. exec_step ge s1 = OK … 〈tr,s2〉 → plus ge s1 tr s2
-| plus_succ : ∀s1,tr,s2,tr',s3. exec_step ge s1 = OK … 〈tr,s2〉 → plus ge s2 tr' s3 → plus ge s1 (tr⧺tr') s3.
-
 (* Some details are invariant under labelling. *)
 lemma label_function_return : ∀f.
@@ -653 +648 @@
   state_with_labels_partial s1 s1' →
   exec_step ge s1 = Value … 〈tr,s2〉 →
-   ∃tr',s2'. plus ge' s1' tr' s2' ∧
+   ∃tr',s2'. plus … clight_exec ge' s1' tr' s2' ∧
              trace_with_extra_labels tr tr' ∧
              state_with_labels s2 s2'.
@@ -669 +664 @@
       lapply (refl ? (fn_return f)) cases (fn_return f) in ⊢ (???% → ?);
       [ #E >E in EX; whd in ⊢ (??%% → ?); #EX' destruct %{(Returnstate Vundef Kstop (free_list m (blocks_of_env e)))}
-        % [ % [ @plus_one whd in ⊢ (??%?); >label_function_return >E @refl
+        % [ % [ @cl_plus_one whd in ⊢ (??%?); >label_function_return >E @refl
         | // ] | /3/ ]
       | *: #A [ 1,4,5,6,7: #B ] #E >E in EX; #EX whd in EX:(??%%); destruct
@@ -676 +671 @@
       %{(State (label_function f) (\fst (label_statement s0 u)) k0' e m)}
       whd in EX:(??%%); destruct
-      % [ % [ @plus_one @refl | // ] | /3/ ]
+      % [ % [ @cl_plus_one @refl | // ] | /3/ ]
     | #ue #e0 #us0 #s0 #cs #cpost #k0 #k0' #K #_ #E1 #E2 #E3 destruct %{tr}
       whd in EX:(??%%); destruct
-      % [ 2: % [ % [ @plus_one @refl | // ] | @swl_partial @swl_whilestate // ] | skip ]
+      % [ 2: % [ % [ @cl_plus_one @refl | // ] | @swl_partial @swl_whilestate // ] | skip ]
     | #ue #e0 #us0 #s0 #cs #cpost #k0 #k0' #K #_ #E1 #E2 #E3 destruct
       cases (bindIO_inversion ??????? EX) * #ve #tre * #EXe #EXrem
@@ -685 +680 @@
       normalize in EXbrem; destruct
       cases ((proj1 ?? (label_expr_ok ge ge' e m RG)) ??? EXe ue) #tre' * #EXe' #Te
-      [ % [ 2: % [ 2: % [ % [ @plus_one
+      [ % [ 2: % [ 2: % [ % [ @cl_plus_one
         whd in ⊢ (??%?); >EXe' in ⊢ (??%?);
         whd in ⊢ (??%?); >label_expr_type >EXb in ⊢ (??%?);
@@ -691 +686 @@
         | // ]
         | @swl_partial @swl_dowhilestate // ] | skip ] | skip ]
-      | % [ 2: % [ 2: % [ % [ @plus_succ [
+      | % [ 2: % [ 2: % [ % [ @cl_plus_succ [
         4: whd in ⊢ (??%?); >EXe' in ⊢ (??%?);
            whd in ⊢ (??%?); >label_expr_type >EXb in ⊢ (??%?);
            whd in ⊢ (??%?); @refl
         | skip | skip
-        | 5: @plus_succ [ 4: @refl | skip | skip
-        | 5: @plus_one @refl | skip ] | skip ]
+        | 5: @cl_plus_succ [ 4: @refl | skip | skip
+        | 5: @cl_plus_one @refl | skip ] | skip ]
         | <(E0_right tr) @twel_app /2/ ]
         | /3/ ] | skip ] | skip ]
@@ -703 +698 @@
     | #ue #e0 #us1 #st1 #us2 #st2 #cs #cpost #k0 #k0' #K #_ #E1 #E2 #E3 destruct
       whd in EX:(??%?); destruct
-      %{E0} % [2: % [ % [ @plus_one @refl | // ] | /3/ ] | skip ]
+      %{E0} % [2: % [ % [ @cl_plus_one @refl | // ] | /3/ ] | skip ]
     | #ue #e0 #us1 #st1 #us2 #st2 #cs #cpost #k0 #k0' #K #_ #E1 #E2 #E3 destruct
       whd in EX:(??%?); destruct
-      %{E0} % [2: % [ % [ @plus_one @refl | // ] | /4/ ] | skip ]
+      %{E0} % [2: % [ % [ @cl_plus_one @refl | // ] | /4/ ] | skip ]
     | #ue #e0 #us1 #st1 #us2 #st2 #cs #cpost #k0 #k0' #K #_ #E1 #E2 #E3 destruct
       whd in EX:(??%?); destruct
-      %{E0} % [2: % [ % [ @plus_one @refl | // ] | /4/ ] | skip ]
+      %{E0} % [2: % [ % [ @cl_plus_one @refl | // ] | /4/ ] | skip ]
     | #k0 #k0' #K #_ #E1 #E2 #E3 destruct
       whd in EX:(??%?); destruct
-      %{E0} % [2: % [ % [ @plus_one @refl | // ] | /4/ ] | skip ]
+      %{E0} % [2: % [ % [ @cl_plus_one @refl | // ] | /4/ ] | skip ]
     | #r #f0 #en #k0 #k0' #K #_ #E1 #E2 #E3 destruct
       whd in EX:(??%?);
       lapply (refl ? (fn_return f)) cases (fn_return f) in ⊢ (???% → ?);
       [ #E >E in EX; whd in ⊢ (??%? → ?); #EX destruct
-        %{E0} % [2: % [ % [ @plus_one whd in ⊢ (??%?); >label_function_return >E in ⊢ (??%?);
+        %{E0} % [2: % [ % [ @cl_plus_one whd in ⊢ (??%?); >label_function_return >E in ⊢ (??%?);
         @refl | // ] | /4/ ] | skip ]
       | *: #A [ 1,4,5,6,7: #B ] #E >E in EX; #EX whd in EX:(??%%); destruct
       ]
     | #ls #u #k0 #k0' #K #_ #E1 #E2 #E3 destruct whd in EX:(??%?); destruct
-      % [2: % [2: % [ % [ @plus_one @refl | // ] | /3/ ]| skip ]| skip ]
+      % [2: % [2: % [ % [ @cl_plus_one @refl | // ] | /3/ ]| skip ]| skip ]
     ]
   | * #a1 #ty1 #a2 #EX
@@ -734 +729 @@
     cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX2 ua1) #tr2' * #EX2' #T2
     % [2: % [2: % [ % [
-      @plus_one whd in ⊢ (??%?);     
+      @cl_plus_one whd in ⊢ (??%?);     
       >exec_lvalue_labelled >EX1' in ⊢ (??%?);
       whd in ⊢ (??%?); >EX2' in ⊢ (??%?);
@@ -757 +752 @@
     [ cases (proj2 ?? (label_expr_ok ge ge' e m RG) ????? EX5 us) #tr5' * #EX5' #T5 ]
     % [2,4: % [2,4: % [1,3: % [1,3:
-      @plus_one whd in ⊢ (??%?); [ >EX1' in ⊢ (??%?); | >EX1' in ⊢ (??%?); ] (* XXX why do I need the repetition? *)
+      @cl_plus_one whd in ⊢ (??%?); [ >EX1' in ⊢ (??%?); | >EX1' in ⊢ (??%?); ] (* XXX why do I need the repetition? *)
       whd in ⊢ (??%?); [ >EX2' in ⊢ (??%?); | >EX2' in ⊢ (??%?); ]
       whd in ⊢ (??%?); >(opt_find_funct … RG … EX3) in ⊢ (??%?);
@@ -766 +761 @@
     whd in EX:(??%%); destruct
     whd in match (label_statement ??); @label_gen_elim #u1 @label_gen_elim #u2
-    %{E0} % [2: % [ % [ @plus_one @refl | // ] | @swl_partial @swl_state /2/ ] | skip ]
+    %{E0} % [2: % [ % [ @cl_plus_one @refl | // ] | @swl_partial @swl_state /2/ ] | skip ]
   | #a #st1 #st2 #EX
     cases (bindIO_inversion ??????? EX) -EX * #v1 #tr1 * #EX1 #EX
@@ -777 +772 @@
     whd in match (add_cost_before ??); cases (fresh ??) #c7 #u7
     cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 us) #tr1' * #EX1' #T1
-    % [2,4: % [2,4: % [1,3: % [1,3: @plus_succ [ 4,9:
+    % [2,4: % [2,4: % [1,3: % [1,3: @cl_plus_succ [ 4,9:
       whd in ⊢ (??%?); [ >EX1' in ⊢ (??%?); | >EX1' in ⊢ (??%?); ] (* XXX repeated? *)
       whd in ⊢ (??%?); >label_expr_type [ >EX2 in ⊢ (??%?); | >EX2 in ⊢ (??%?); ] 
       whd in ⊢ (??%?); @refl
     | 1,2,6,7: skip
-    | 5,10: @plus_one @refl
+    | 5,10: @cl_plus_one @refl
     | *: skip
     ]
@@ -797 +792 @@
     >shift_fst
     cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 us) #tr1' * #EX1' #T1
-    % [2,4: % [2,4: % [1,3: % [1,3: @plus_succ [ 4,9: @refl | 1,2,6,7: skip
-      | 5,10: @plus_succ [ 4,9: 
+    % [2,4: % [2,4: % [1,3: % [1,3: @cl_plus_succ [ 4,9: @refl | 1,2,6,7: skip
+      | 5,10: @cl_plus_succ [ 4,9: 
       whd in ⊢ (??%?); [ >EX1' in ⊢ (??%?); | >EX1' in ⊢ (??%?); ] (* XXX repeated? *)
       whd in ⊢ (??%?); >label_expr_type [ >EX2 in ⊢ (??%?); | >EX2 in ⊢ (??%?); ] 
       whd in ⊢ (??%?); @refl
     | 1,2,6,7: skip
-    | 5: @plus_one @refl
-    | 10: @plus_succ [ 4: @refl | 5: @plus_one @refl | *: skip ] |*: skip ]
+    | 5: @cl_plus_one @refl
+    | 10: @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl | *: skip ] |*: skip ]
     | *: skip
     ]
@@ -815 +810 @@
     whd in match (add_cost_before ??); cases (fresh ??) #c6 #u6 >shift_fst
     whd in match (add_cost_after ??); cases (fresh ??) #c7 #u7 >shift_fst
-    % [2: % [2: % [ % [ @plus_succ [ 4: @refl | 1,2: skip
-      | 5: @plus_succ [ 4: @refl | 1,2: skip | 5: @plus_one // | skip ] | skip ]
+    % [2: % [2: % [ % [ @cl_plus_succ [ 4: @refl | 1,2: skip
+      | 5: @cl_plus_succ [ 4: @refl | 1,2: skip | 5: @cl_plus_one // | skip ] | skip ]
       | /2/ ] | /4/ ] | skip ] | skip ]
   | #st1 #a #st2 #st #EX
@@ -829 +824 @@
       normalize in EX; destruct
       cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 us) #tr1' * #EX1' #T1
-      % [2,4: % [2,4: % [1,3: % [1,3: @plus_succ [ 4,9: @refl | 1,2,6,7: skip
-      | 5,10: @plus_succ [ 4,9: 
+      % [2,4: % [2,4: % [1,3: % [1,3: @cl_plus_succ [ 4,9: @refl | 1,2,6,7: skip
+      | 5,10: @cl_plus_succ [ 4,9: 
       whd in ⊢ (??%?); [ >EX1' in ⊢ (??%?); | >EX1' in ⊢ (??%?); ] (* XXX repeated? *)
       whd in ⊢ (??%?); >label_expr_type [ >EX2 in ⊢ (??%?); | >EX2 in ⊢ (??%?); ] 
       whd in ⊢ (??%?); @refl
       | 1,2,6,7: skip
-      | 5: @plus_one @refl
-      | 10: @plus_succ [ 4: @refl | 5: @plus_one @refl | *: skip ] |*: skip ]
+      | 5: @cl_plus_one @refl
+      | 10: @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl | *: skip ] |*: skip ]
       | *: skip
       ]
@@ -842 +837 @@
       ]| 2,4: /4/ ] | *: skip ] | *: skip ]
     | whd in EX:(??%%); destruct
-      % [2: % [2: %[ %[ @plus_succ [ 4: @refl | 5: @plus_one
+      % [2: % [2: %[ %[ @cl_plus_succ [ 4: @refl | 5: @cl_plus_one
         whd in ⊢ (??%?); cases (labelled_is_not_skip ? u1 Esk) #Esk' #Eskip'
         >Eskip' whd in ⊢ (??%?); @refl | *: skip ]| // ] | @swl_partial @swl_state /2/ ]
@@ -861 +856 @@
     whd in match (label_statement ??);
     % [2,4,6,8,10,12,14: % [2,4,6,8,10,12,14: % [1,3,5,7,9,11,13: %
-    [1,11,13: @plus_one @refl | 2,12,14: //
-    | @plus_succ [ 4: @refl | 5: @plus_succ [ 4: @refl | 5: @plus_one @refl |*:skip]|*:skip] | /2/
-    | @plus_succ [ 4: @refl | 5: @plus_succ [ 4: @refl | 5: @plus_one @refl |*:skip]|*:skip] | /2/
-    | @plus_succ [ 4: @refl | 5: @plus_one @refl |*:skip] | /2/
-    | @plus_succ [ 4: @refl | 5: @plus_succ [ 4: @refl | 5: @plus_one @refl |*:skip]|*:skip] | /2/
-    ]| *: /3/ ]|*: skip]|*: skip ]
+    [1,11,13: @cl_plus_one @refl | 2,12,14: //
+    | @cl_plus_succ [ 4: @refl | 5: @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl |*:skip]|*:skip] | /2/
+    | @cl_plus_succ [ 4: @refl | 5: @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl |*:skip]|*:skip] | /2/
+    | @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl |*:skip] | /2/
+    | @cl_plus_succ [ 4: @refl | 5: @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl |*:skip]|*:skip] | /2/
+    ]| *: /3 by swl_partial, swl_state/ ]|*: skip]|*: skip ]
   | #EX inversion KL
     [ #E1 #E2 #E3 destruct whd in EX:(??%?); destruct
@@ -881 +876 @@
     whd in match (label_statement ??);
     [ 1,2,4,5,6,7: % [2,4,6,8,10,12: % [2,4,6,8,10,12: % [1,3,5,7,9,11: %
-      [1,3,7,9,11: @plus_one @refl | 5: @plus_succ [4:@refl | 5:@plus_one @refl | *: skip ]
+      [1,3,7,9,11: @cl_plus_one @refl | 5: @cl_plus_succ [4:@refl | 5:@cl_plus_one @refl | *: skip ]
       | *: // ] | *: @swl_partial /3 by cwl_for3, swl_state, swl_whilestate/ ]| *:skip ]| *: skip ]
     | cases (bindIO_inversion ??????? EX) -EX * #v1 #tr1 * #EX1 #EX
@@ -887 +882 @@
       normalize in EX; destruct
       cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 ue) #tr1' * #EX1' #T1
-      % [2,4: % [2,4: % [1,3: % [1,3: [ @plus_one | @plus_succ ] [ 1,5:
+      % [2,4: % [2,4: % [1,3: % [1,3: [ @cl_plus_one | @cl_plus_succ ] [ 1,5:
         whd in ⊢ (??%?); [ >EX1' in ⊢ (??%?); | >EX1' in ⊢ (??%?); ] (* XXX repeated? *)
       whd in ⊢ (??%?); >label_expr_type [ >EX2 in ⊢ (??%?); | >EX2 in ⊢ (??%?); ] 
       whd in ⊢ (??%?); @refl
-      | 6: @plus_succ [ 4: @refl | 5: @plus_one @refl | *: skip ] |*: skip ]
+      | 6: @cl_plus_succ [ 4: @refl | 5: @cl_plus_one @refl | *: skip ] |*: skip ]
       | // | <(E0_right tr) @twel_app /2/
       ]
@@ -911 +906 @@
     [ @label_gen_elim #u' whd in match (label_opt_expr ??); @label_gen_elim #u'' ]
     whd in EX:(??%%); destruct
-    % [2,4: % [2,4: % [1,3: %[1,3: @plus_one
+    % [2,4: % [2,4: % [1,3: %[1,3: @cl_plus_one
       whd in ⊢ (??%?);
       [ >label_function_return @(dec_false ? (type_eq_dec ??) Ety) #Ety''
@@ -927 +922 @@
     cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 us) #tr1' * #EX1' #T1
     whd in match (label_statement ??); @label_gen_elim #u1 @label_gen_elim #u2
-    % [2: % [2: % [ % [ @plus_one whd in ⊢ (??%?); >EX1' in ⊢ (??%?); @refl
+    % [2: % [2: % [ % [ @cl_plus_one whd in ⊢ (??%?); >EX1' in ⊢ (??%?); @refl
       | // ]| cases (label_select_ls … sz i ls u1) #u3 #Els >Els /3/
       ]|skip ]| skip ]
@@ -934 +929 @@
     whd in match (label_statement ??); @label_gen_elim #u1 >shift_fst
     whd in match (add_cost_before ??); cases (fresh ??) #cs #u2 >shift_fst
-    %[2: %[2: %[ %[ @plus_succ
-      [ 4: @refl | 5: @plus_one @refl | *: skip ]
+    %[2: %[2: %[ %[ @cl_plus_succ
+      [ 4: @refl | 5: @cl_plus_one @refl | *: skip ]
       | /2/ ] | /3/ ] |skip ]| skip ]
   | #l #EX
@@ -946 +941 @@
       cases (label_find_label_fn … KL F)
       #u' * #cs * #k1' * #F' #K'
-      % [2: %[2: %[ %[ @plus_succ
-        [ 4: whd in ⊢ (??%?); >F' in ⊢ (??%?); @refl | 5: @plus_one @refl | *: skip ]
+      % [2: %[2: %[ %[ @cl_plus_succ
+        [ 4: whd in ⊢ (??%?); >F' in ⊢ (??%?); @refl | 5: @cl_plus_one @refl | *: skip ]
         | /2/ ] | /3/ ] | skip ] | skip ]
     ]
   | #c #st #EX whd in EX:(??%?); destruct @blindly_label #u1
-    % [2: % [2: % [ % [ @plus_one @refl | // ] | /3/ ] | skip ]| skip ]
+    % [2: % [2: % [ % [ @cl_plus_one @refl | // ] | /3/ ] | skip ]| skip ]
   ]
 | #f #ua #a #us #s #cs #cpost #k #k' #e #m #K #EX
@@ -959 +954 @@
   cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 ua) #tr1' * #EX1' #T1
   [ % [2: % [2: % [ % [
-    @plus_succ [4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
+    @cl_plus_succ [4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
                    whd in ⊢ (??%?); >label_expr_type >EX2 in ⊢ (??%?); @refl
-               |5: @plus_one @refl | *: skip ]
-    | <(E0_right tr) /3/ ]| /4/ ]| skip ]| skip ]
+               |5: @cl_plus_one @refl | *: skip ]
+    | <(E0_right tr) /3/ ]| /4 by swl_partial, swl_state, cwl_while/ ]| skip ]| skip ]
   | % [2: % [2: % [ % [
-    @plus_succ [4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
+    @cl_plus_succ [4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
                    whd in ⊢ (??%?); >label_expr_type >EX2 in ⊢ (??%?); @refl
-    | 5: @plus_succ [4: @refl
-    | 5: @plus_one @refl | *: skip ] | *: skip ]
+    | 5: @cl_plus_succ [4: @refl
+    | 5: @cl_plus_one @refl | *: skip ] | *: skip ]
     | <(E0_right tr) /3/ ]| /3/ ]| skip ]| skip ]
   ]
@@ -973 +968 @@
   whd in EX:(??%%); destruct
   % [2: % [2: % [ % [
-    @plus_succ [4: % | 5: @plus_one % | *: skip ]
+    @cl_plus_succ [4: % | 5: @cl_plus_one % | *: skip ]
     | /2/ ]| /4/ ]| skip ]| skip ]
 | #f #ua2 #a2 #us3 #s3 #us #s #cs #cpost #k #k' #e #m #K #EX
@@ -981 +976 @@
   cases (proj1 ?? (label_expr_ok ge ge' e m RG) ??? EX1 ua2) #tr1' * #EX1' #T1
   [ % [2: % [2: % [ % [
-    @plus_succ [ 4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
+    @cl_plus_succ [ 4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
                     whd in ⊢ (??%?); >label_expr_type >EX2 in ⊢ (??%?); @refl
-    | 5: whd in ⊢ (??(??%%??)??); @plus_one @refl
+    | 5: whd in ⊢ (?????(??%%??)??); @cl_plus_one @refl
     | *: skip ]| <(E0_right tr) /3/ ] | /4/ ]| skip ]| skip ]
   | % [2: % [2: % [ % [
-    @plus_succ [ 4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
+    @cl_plus_succ [ 4: whd in ⊢ (??%?); >EX1' in ⊢ (??%?);
                     whd in ⊢ (??%?); >label_expr_type >EX2 in ⊢ (??%?); @refl
-    | 5: whd in ⊢ (??(??%%??)??); @plus_succ [4: @refl
-    | 5: @plus_one @refl ]| *: skip ]| <(E0_right tr) /3/ ]| /3/ ]| skip ]| skip
+    | 5: whd in ⊢ (?????(??%%??)??); @cl_plus_succ [4: @refl
+    | 5: @cl_plus_one @refl ]| *: skip ]| <(E0_right tr) /3/ ]| /3/ ]| skip ]| skip
     ]
   ]
@@ -1000 +995 @@
     lapply (refl ? (label_function f)) whd in ⊢ (???% → ?);
     @label_gen_elim #u1 @label_gen_elim #u2 >shift_fst #Ef
-    % [2: % [2: % [ % [ @plus_succ [4: whd in ⊢ (??%?); >EX1 in ⊢ (??%?);
+    % [2: % [2: % [ % [ @cl_plus_succ [4: whd in ⊢ (??%?); >EX1 in ⊢ (??%?);
       whd in ⊢ (??%?); >EX2 in ⊢ (??%?); @refl
-    | 5: @plus_one @refl | *: skip ] | /2/ ]| <Ef @swl_partial @swl_state @K ]| skip ]| skip ]
+    | 5: @cl_plus_one @refl | *: skip ] | /2/ ]| <Ef @swl_partial @swl_state @K ]| skip ]| skip ]
   | #id #tys #ty #args #k #k' #m #K #EX
     cases (bindIO_inversion ??????? EX) -EX #vs * #EX1 #EX
@@ -1013 +1008 @@
     | *: normalize #A try #B try #C destruct
     ]
-    % [2: % [2: % [ % [ @plus_one @refl | // ]| /2/ ]| skip ]| skip ]
+    % [2: % [2: % [ % [ @cl_plus_one @refl | // ]| /2/ ]| skip ]| skip ]
   | 9: #r #f #en #k0 #k0' #K' #_ #E1 #E2 #E3 destruct cases r in EX ⊢ %;
     [ #EX whd in EX:(??%?); destruct
-      % [2: % [2: % [ % [ @plus_one @refl | // ]| /3/ ]| skip ]| skip ]
+      % [2: % [2: % [ % [ @cl_plus_one @refl | // ]| /3/ ]| skip ]| skip ]
     | * * #b #o #ty #EX
       cases (bindIO_inversion ??????? EX) -EX #m2 * #EX1 #EX
       whd in EX:(??%%); destruct
-      % [2: % [2: % [ % [ @plus_one whd in ⊢ (??%?); >EX1 in ⊢ (??%?); @refl | // ]| /3/ ]| skip ]| skip ]
+      % [2: % [2: % [ % [ @cl_plus_one whd in ⊢ (??%?); >EX1 in ⊢ (??%?); @refl | // ]| /3/ ]| skip ]| skip ]
     ]
   | *: #A #B #C #D #E #F #G try #H try #I try #J try #L try #M try #N try #O
@@ -1034 +1029 @@
   state_with_labels s1 s1' →
   (exec_step ge s1 = Value … 〈tr,s2〉 →
-   ∃tr',s2'. plus ge' s1' tr' s2' ∧
+   ∃tr',s2'. plus … clight_exec ge' s1' tr' s2' ∧
              trace_with_extra_labels tr tr' ∧
              state_with_labels s2 s2').
@@ -1048 +1043 @@
     cases (step_with_labels_partial … RG (State f s k e m) (State (label_function f) (\fst (label_statement s u)) k' e m) tr s2 (swl_state … K) EX)
     #tr' * #s2' * * #P #T #S
-    % [2: % [2: % [ % [ @plus_succ [4: @refl | 5: @P | *: skip ] | /2/ ]| @S ]| skip ]| skip ]
+    % [2: % [2: % [ % [ @cl_plus_succ [4: @refl | 5: @P | *: skip ] | /2/ ]| @S ]| skip ]| skip ]
 (* but for LScase it's just like the cases in step_with_labels_partial *)
   | #sz #i #s #ls #k #k' #e #m #K #EX
@@ -1055 +1050 @@
     @label_gen_elim #u3 >shift_fst whd in match (seq_of_labeled_statement ?);
     whd in EX:(??%?); destruct
-    % [2: % [2: % [ % [ @plus_succ [4: @refl | 5: @plus_one @refl | *: skip ] | /2/ ]| /4/ ]| skip ]| skip ]
+    % [2: % [2: % [ % [ @cl_plus_succ [4: @refl | 5: @cl_plus_one @refl | *: skip ] | /2/ ]| /4/ ]| skip ]| skip ]
   ]    
 ] qed.
@@ -1188 +1183 @@
 
 
-lemma not_wrong_init : ∀p.
-  not_wrong state (exec_inf … clight_fullexec p) →
-  ∃s. make_initial_state … p = OK ? s.
-#p whd in ⊢ (??% → ?); change with (make_initial_state p) in match (make_initial_state ??? p);
-cases (make_initial_state p)
-[ /2/
-| normalize #m #NW @⊥
-  inversion NW #H1 #H2 #H3 #H4 try #H5 destruct
-] qed.
 
 lemma final_related : ∀s1,s2.
@@ -1204 +1190 @@
 [ #s1y #s2y * //
 | //
-] qed.
-
-lemma plus_not_final : ∀ge,s,tr,s'.
-  plus ge s tr s' →
-  is_final s = None ?.
-#ge #s0 #tr0 #s0' * 
-[ #s1 #tr #s2 #EX | #s1 #tr #s2 #tr' #s3 #EX #PL ]
-lapply (refl ? (is_final s1))
-cases (is_final s1) in ⊢ (???% → %);
-//
-#r cases s1 in EX ⊢ %;
-#H9 #H10 #H11 try #H12 try #H13 try #H14 try #H15
-[ 1,5: whd in H15:(??%?); | 2,6: whd in H14:(??%?); | 3,7: whd in H13:(??%?); | 4,8: whd in H11:(??%?); ]
-destruct
-normalize in H10;
-destruct
-qed.
-
-lemma plus_exec : ∀ge,s,tr,s'.
-  plus ge s tr s' →
-  is_final s' = None ? →
-  steps state tr
-    (exec_inf_aux … clight_fullexec ge (exec_step ge s))
-    (exec_inf_aux … clight_fullexec ge (exec_step ge s')).
-#ge #s0 #tr0 #s0' #P elim P
-[ #s1 #tr #s2 #EX #NF >EX >exec_inf_aux_unfold
-  whd in ⊢ (???%?);
-  whd in match (is_final ?????); >NF
-  %2
-| #s1 #tr #s2 #tr' #s3 #EX1 #P2 #IH #NF
-  >exec_inf_aux_unfold >EX1
-  whd in ⊢ (???%?);
-  whd in match (is_final ?????); >(plus_not_final … P2)
-  %3 @IH //
-] qed.
-
-lemma plus_exec_final : ∀ge,s,tr,s',r.
-  plus ge s tr s' →
-  is_final s' = Some ? r →
-  ∃tr'. steps state tr
-          (exec_inf_aux … clight_fullexec ge (exec_step ge s))
-          (e_stop … tr' r s').
-#ge #s0 #tr0 #s0' #r #P elim P
-[ #s1 #tr #s2 #EX #F >EX >exec_inf_aux_unfold
-  %{tr} whd in ⊢ (???%?);
-  whd in match (is_final ?????); >F
-  %1
-| #s1 #tr #s2 #tr' #s3 #EX1 #P2 #IH #F
-  cases (IH … F)
-  #tr' #S' %{tr'}
-  >exec_inf_aux_unfold >EX1
-  whd in ⊢ (???%?);
-  whd in match (is_final ?????); >(plus_not_final … P2)
-  %3 @S'
 ] qed.
 
@@ -1278 +1210 @@
   #tr2 * #s2' * * #PL #TWL #S'
   lapply F1 whd in ⊢ (??%? → ?); >(final_related … S') #F2
-  cases (plus_exec_final ????? PL F2)
+  cases (plus_final … clight_fullexec … PL F2)
   #tr2' #S2
   @(swl_stop … S2 TWL)
@@ -1286 +1218 @@
   cases (step_with_labels … RG … S EX1)
   #tr2 * #s2' * * #EX2 #TR #S' (*>E1' in NW1 ⊢ %; #NW1*)
-  @(swl_steps … (plus_exec … EX2 ?))
-  [ <(final_related … S') @(exec_e_step_not_final ?? clight_fullexec … E1)
+  @(swl_steps … (plus_exec … clight_fullexec … EX2 ?))
+  [ whd in ⊢ (??%?); <(final_related … S') @(exec_e_step_not_final ?? clight_fullexec … E1)
   | //
   | (* Manual rewrite to prevent guardedness condition getting upset. *)
@@ -1330 +1262 @@
 #p
 #NW
-cases (not_wrong_init p NW)
-#s1 #I1
+cases (not_wrong_init clight_fullexec p NW)
+whd in ⊢ (% → ??%? → ?); #s1 #I1
 cases (initial_state_in_simulation … I1)
 #s2 * #I2

src/common/Executions.ma

@@ -11 +11 @@
 | steps_steps : ∀tr,s,e,tr',e'. steps state tr e e' → steps state (tr'⧺tr) (e_step … tr' s e) e'.
 
+(* Go from individual steps to part of an execution trace. *)
+lemma plus_exec : ∀FE:fullexec io_out io_in. ∀gl,s,tr,s'.
+  plus … FE gl s tr s' →
+  is_final … FE gl s' = None ? →
+  steps (state … gl) tr
+    (exec_inf_aux … FE gl (step … FE gl s))
+    (exec_inf_aux … FE gl (step … FE gl s')).
+#FE #gl #s0 #tr0 #s0' #P elim P
+[ #s1 #tr #s2 #NF1 #EX #NF2 >EX >exec_inf_aux_unfold
+  whd in ⊢ (???%?); >NF2
+  %2
+| #s1 #tr #s2 #tr' #s3 #NF1 #EX1 #P2 #IH #NF3
+  >EX1 >exec_inf_aux_unfold
+  whd in ⊢ (???%?); >(plus_not_final … P2) /3/
+] qed.
+
+lemma plus_final : ∀FE:fullexec io_out io_in. ∀gl,s,tr,s',r.
+  plus … FE gl s tr s' →
+  is_final … FE gl s' = Some ? r →
+  ∃tr'. steps (state … gl) tr
+    (exec_inf_aux … FE gl (step … FE gl s))
+    (e_stop … tr' r s'). 
+#FE #gl #s0 #tr0 #s0' #r #P elim P
+[ #s1 #tr #s2 #NF1 #EX #F2 >EX >exec_inf_aux_unfold
+  whd in ⊢ (??(λ_.???%?)); >F2
+  %{tr} %1
+| #s1 #tr #s2 #tr' #s3 #NF1 #EX1 #P2 #IH #F3
+  >EX1 >exec_inf_aux_unfold
+  whd in ⊢ (??(λ_.???%?)); >(plus_not_final … P2)
+  cases (IH F3) #tr'' #S' %{tr''} /2/
+] qed.
+
 (* In some places we do not consider wrong executions. *)
 
@@ -18 +50 @@
 | nw_interact : ∀o,k. (∀i. not_wrong state (k i)) → not_wrong state (e_interact … o k).
 
+lemma not_wrong_not_wrong : ∀state,m.
+  ¬ (not_wrong state (e_wrong … m)).
+#state #m % #NW inversion NW
+#A #B #C #D #E destruct
+qed.
+
+lemma not_wrong_steps : ∀state,e,e',tr.
+  steps state tr e e' →
+  not_wrong state e →
+  not_wrong state e'.
+#state #e0 #e0' #tr0 #S elim S
+[ //
+| #tr #s #e #NW inversion NW 
+  #A #B #C #D #E try #F destruct //
+| #tr #s #e #tr' #e' #S' #IH #NW @IH
+  inversion NW 
+  #A #B #C #D #E try #F destruct //
+] qed.
+
+lemma not_wrong_init : ∀FE,p.
+  not_wrong ? (exec_inf … FE p) →
+  ∃s. make_initial_state … p = OK ? s.
+#FE #p whd in ⊢ (??% → ?);
+cases (make_initial_state ??? p)
+[ /2/
+| normalize #m #NW @⊥
+  inversion NW #H1 #H2 #H3 #H4 try #H5 destruct
+] qed.
+
+
 (* One execution is simulated by another, but possibly using a different number
-   of steps. *)
+   of steps.  Note that we have to allow for several steps at the end to make
+   the trace match up. *)
 
-coinductive simulates (state:Type[0]) : execution state io_out io_in → execution state io_out io_in → Prop ≝
-| sim_stop : ∀tr,tr',r,s1,s2,e1,e2.
-    steps state tr e1 (e_stop … tr' r s1) →
-    steps state tr e2 (e_stop … tr' r s2) →
-    simulates state e1 e2
+coinductive simulates (S1,S2:Type[0]) : execution S1 io_out io_in → execution S2 io_out io_in → Prop ≝
+| sim_stop : ∀tr,r,s1,s2,e1,e2,tr1,tr2.
+    steps S1 tr e1 (e_stop … tr1 r s1) →
+    steps S2 tr e2 (e_stop … tr2 r s2) →
+    simulates S1 S2 e1 e2
 | sim_steps : ∀tr,e1,e1',e2,e2'.
-    steps state tr e1 e1' →
-    steps state tr e2 e2' →
-    simulates state e1' e2' →
-    simulates state e1 e2
+    steps S1 tr e1 e1' →
+    steps S2 tr e2 e2' →
+    simulates S1 S2 e1' e2' →
+    simulates S1 S2 e1 e2
 | sim_interact : ∀o,k1,k2.
-    (∀i. simulates state (k1 i) (k2 i)) →
-    simulates state (e_interact … o k1) (e_interact … o k2).
+    (∀i. simulates S1 S2 (k1 i) (k2 i)) →
+    simulates S1 S2 (e_interact … o k1) (e_interact … o k2).
 
+
+(* Result for lifting simulations on states to simulations on execution traces.
+   At the time of writing this hasn't been used in anger yet...
+   
+   This probably isn't the best route for the stages of the compiler that have
+   results in terms of structured traces, but it should be good for the
+   front-end.
+ *)
+
+let corec build_cofix_simulation
+  (FS1,FS2:fullexec io_out io_in)
+  (g1:global … FS1) (g2:global … FS2)
+  (SIM:state … g1 → state … g2 → Prop)
+  (s1:state … g1) (s2:state … g2)
+  (NF:is_final … FS1 g1 s1 = None ?)
+  (S:SIM s1 s2)
+  (SIM_FINAL: ∀x,y. SIM x y → is_final … FS1 g1 x = is_final … FS2 g2 y)
+  (SIM_GOOD: ∀x,y. SIM x y →
+         not_wrong ? (exec_inf_aux … FS1 g1 (step … FS1 g1 x)) →
+         is_final … FS1 g1 x = None ? →
+         ∃tr,x',y'. And (plus … FS1 g1 x tr x') (And (plus … FS2 g2 y tr y') (SIM x' y')) )
+  (NW:not_wrong ? (exec_inf_aux … FS1 g1 (step … FS1 g1 s1)))
+: simulates ?? (exec_inf_aux … FS1 g1 (step … FS1 g1 s1)) (exec_inf_aux ?? FS2 g2 (step … FS2 g2 s2)) ≝ ?.
+lapply (SIM_GOOD … S NW NF)
+* #tr * #s1' * #s2' * #P1 * #P2 #S'
+lapply (refl ? (is_final … FS1 g1 s1'))
+cases (is_final … s1') in ⊢ (???% → ?);
+[ #NF1
+  @(sim_steps … tr … (build_cofix_simulation … S' SIM_FINAL SIM_GOOD ?))
+  [ @(plus_exec … P1) //
+  | @(plus_exec … P2) <SIM_FINAL //
+  | @(not_wrong_steps … (plus_exec … P1 …)) //
+  | //
+  ]
+| #r #F1
+  cases (plus_final … P1 F1) #tr1' #S1
+  cases (plus_final … P2 ?) [ 3: <SIM_FINAL [ @F1 | // | skip ] | 2: skip ] #tr2' #S2
+  @(sim_stop … S1 S2)
+] qed.
+
+theorem lift_simulation : ∀FE1,FE2:fullexec io_out io_in.
+  ∀p1:program … FE1.  ∀p2:program … FE2.
+  let g1 ≝ make_global … p1 in
+  let g2 ≝ make_global … p2 in
+  ∀SIM: state … g1 → state … g2 → Prop.
+  ∀SIM_INIT: ∀s1. make_initial_state … p1 = OK ? s1 →
+             ∃s2. And (make_initial_state … p2 = OK ? s2) (SIM s1 s2).
+  ∀SIM_FINAL: ∀x,y. SIM x y → is_final … FE1 g1 x = is_final … FE2 g2 y.
+  ∀SIM_GOOD: ∀x,y. SIM x y →
+         not_wrong ? (exec_inf_aux … FE1 g1 (step … FE1 g1 x)) →
+         is_final … FE1 g1 x = None ? →
+         ∃tr,x',y'. And (plus … FE1 g1 x tr x') (And (plus … FE2 g2 y tr y') (SIM x' y')).
+  let e1 ≝ exec_inf … FE1 p1 in
+  let e2 ≝ exec_inf … FE2 p2 in
+  not_wrong … e1 →
+  simulates … e1 e2.
+
+#FE1 #FE2 #p1 #p2
+letin g1 ≝ (make_global … p1)
+letin g2 ≝ (make_global … p2)
+#SIM #SIM_INIT #SIM_FINAL #SIM_GOOD
+#NW
+cases (not_wrong_init … p1 NW)
+#s1 #I1
+cases (SIM_INIT … I1) #s2 * #I2 #S
+whd in NW:(??%) ⊢ (???%%);
+>I1 in NW ⊢ %; >I2 whd in ⊢ (??% → ???%%);
+change with g1 in match (make_global … p1);
+change with g2 in match (make_global … p2);
+
+>exec_inf_aux_unfold whd in ⊢ (??% → ???%?);
+lapply (SIM_FINAL … S)
+lapply (refl ? (is_final … s1))
+cases (is_final … s1) in ⊢ (???% → %);
+[ #F1 #F2 >(exec_inf_aux_unfold … FE2) whd in ⊢ (??% → ???%%);
+  <F2 whd in ⊢ (? → ???%%); #NW
+  @(sim_steps … E0 … (build_cofix_simulation … SIM_FINAL SIM_GOOD …)) try assumption
+  [ // | // | inversion NW #A #B #C #D #E try #F destruct assumption ]
+| #r #F1 #F2 #NW whd in ⊢ (???%%);
+  >exec_inf_aux_unfold whd in ⊢ (???%%);
+  <F2 whd in ⊢ (???%%);
+  @(sim_stop … (steps_stop …) (steps_stop …))
+] qed.
+

src/common/SmallstepExec.ma

@@ -19 +19 @@
          repeat n' ?? exec g s1
 ].
+
+(* We take care here to check that we're not at the final state.  It is not
+   necessarily the case that a success step guarantees this (e.g., because
+   there may be no way to stop a processor, so an infinite loop is used
+   instead). *)
+inductive plus (O) (I) (TS:trans_system O I) (ge:global … TS) : state … TS ge → trace → state … TS ge → Prop ≝
+| plus_one : ∀s1,tr,s2.
+    is_final … TS ge s1 = None ? →
+    step … TS ge s1 = OK … 〈tr,s2〉 →
+    plus … ge s1 tr s2
+| plus_succ : ∀s1,tr,s2,tr',s3.
+    is_final … TS ge s1 = None ? →
+    step … TS ge s1 = OK … 〈tr,s2〉 →
+    plus … ge s2 tr' s3 →
+    plus … ge s1 (tr⧺tr') s3.
+
+lemma plus_not_final : ∀O,I,FE. ∀gl,s,tr,s'.
+  plus O I FE gl s tr s' →
+  is_final … FE gl s = None ?.
+#O #I #FE #gl #s0 #tr0 #s0' * //
+qed.
 
 let rec trace_map (A,B:Type[0]) (f:A → res (trace × B))