Context Navigation

← Previous Change
Next Change →

Changeset 2240 for src/ASM

Timestamp:

Jul 24, 2012, 11:40:43 AM (9 years ago)

Author:

sacerdot

Message:

All "interesting" technical lemmas singled out, proofs to be uncommented.

File:

: 1 edited

src/ASM/PolicyStep.ma (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

src/ASM/PolicyStep.ma

-                      r2239
+                      r2240
 qed.
+(* One step in the search for a jump expansion fixpoint. *)
+definition jump_expansion_step: ∀program:(Σl:list labelled_instruction.
+  S (|l|) < 2^16 ∧ is_well_labelled_p l).
+  ∀labels:(Σlm:label_map.∀l.
+    occurs_exactly_once ?? l program →
+    bitvector_of_nat ? (lookup_def … lm l 0) =
+    address_of_word_labels_code_mem program l).
+  ∀old_policy:(Σpolicy:ppc_pc_map.
+    (* out_of_program_none program policy *)
+    And (And (And (And (not_jump_default program policy)
+    (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd policy) 〈0,short_jump〉) = 0))
+    (\fst policy = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd policy) 〈0,short_jump〉)))
+    (sigma_compact_unsafe program labels policy))
+    (\fst policy ≤ 2^16)).
+  (Σx:bool × (option ppc_pc_map).
+    let 〈no_ch,y〉 ≝ x in
+    match y with
+    [ None ⇒ nec_plus_ultra program old_policy
+    | Some p ⇒ And (And (And (And (And (And (And
+       (not_jump_default program p)
+       (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd p) 〈0,short_jump〉) = 0))
+       (\fst p = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd p) 〈0,short_jump〉)))
+       (jump_increase program old_policy p))
+       (sigma_compact_unsafe program labels p))
+       (sigma_jump_equal program old_policy p → no_ch = true))
+       (no_ch = true → sigma_pc_equal program old_policy p))
+       (\fst p ≤ 2^16)
+    ])
+    ≝
+  λprogram.λlabels.λold_sigma.
+  let 〈final_added, final_policy〉 ≝
+    pi1 ?? (foldl_strong (option Identifier × pseudo_instruction)
+    (λprefix.Σx:ℕ × ppc_pc_map.
+      let 〈added,policy〉 ≝ x in
+      And (And (And (And (And (And (And (And (And (not_jump_default prefix policy)
+      (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd policy) 〈0,short_jump〉) = 0))
+      (\fst policy = \fst (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd policy) 〈0,short_jump〉)))
+      (jump_increase prefix old_sigma policy))
+      (sigma_compact_unsafe prefix labels policy))
+      (sigma_jump_equal prefix old_sigma policy → added = 0))
+      (added = 0 → sigma_pc_equal prefix old_sigma policy))
+      (out_of_program_none prefix policy))
+      (\fst (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd policy) 〈0,short_jump〉) =
+       \fst (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd old_sigma) 〈0,short_jump〉) + added))
+      (sigma_safe prefix labels added old_sigma policy))
+    program
+    (λprefix.λx.λtl.λprf.λacc.
+      let 〈inc_added, inc_pc_sigma〉 ≝ (pi1 ?? acc) in
+      let 〈label,instr〉 ≝ x in
+      (* Now, we must add the current ppc and its pc translation.
+       * Three possibilities:
+       *   - Instruction is not a jump; i.e. constant size whatever the sigma we use;
+       *   - Instruction is a backward jump; we can use the sigma we're constructing,
+       *     since it will already know the translation of its destination;
+       *   - Instruction is a forward jump; we must use the old sigma (the new sigma
+       *     does not know the translation yet), but compensate for the jumps we
+       *     have lengthened.
+       *)
+      let add_instr ≝ match instr with
+      [ Jmp  j        ⇒ Some ? (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+      | Call c        ⇒ Some ? (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+      | Instruction i ⇒ jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added (|prefix|) i
+      | _             ⇒ None ?
+      ] in
+      let 〈inc_pc, inc_sigma〉 ≝ inc_pc_sigma in
+      let old_length ≝
+        \snd (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉) in
+      let old_size ≝ instruction_size_jmplen old_length instr in
+      let 〈new_length, isize〉 ≝ match add_instr with
+      [ None    ⇒ 〈short_jump, instruction_size_jmplen short_jump instr〉
+      | Some pl ⇒ 〈max_length old_length pl, instruction_size_jmplen (max_length old_length pl) instr〉
+      ] in
+      let new_added ≝ match add_instr with
+      [ None   ⇒ inc_added
+      | Some x ⇒ plus inc_added (minus isize old_size)
+      ] in
+      let old_Slength ≝
+        \snd (bvt_lookup … (bitvector_of_nat ? (S (|prefix|))) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉) in
+      let updated_sigma ≝
+        (* we add the new PC to the next position and the new jump length to this one *)
+        bvt_insert … (bitvector_of_nat ? (S (|prefix|))) 〈inc_pc + isize, old_Slength〉
+        (bvt_insert … (bitvector_of_nat ? (|prefix|)) 〈inc_pc, new_length〉 inc_sigma) in
+      〈new_added, 〈plus inc_pc isize, updated_sigma〉〉
+    ) 〈0, 〈0,
+      bvt_insert …
+        (bitvector_of_nat ? 0)
+        〈0, \snd (bvt_lookup … (bitvector_of_nat ? 0) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉)〉
+        (Stub ??)〉〉
+    ) in
+    if gtb (\fst final_policy) 2^16 then
+      〈eqb final_added 0, None ?〉
+    else
+      〈eqb final_added 0, Some ? final_policy〉.
+[ normalize nodelta @nmk #Habs lapply p -p cases (foldl_strong ? (λ_.Σx.?) ???)
+  #x #H #Heq >Heq in H; normalize nodelta -Heq -x #Hind
+  (* USE: inc_pc = fst of policy (from fold) *)
+  >(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))))) in p1;
+  (* USE: fst policy < 2^16, inc_pc = fst of policy (old_sigma) *)
+  lapply (proj2 ?? (pi2 ?? old_sigma)) >(proj2 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma))))
+  #Hsig #Hge
+  (* USE: added = 0 → policy_pc_equal (from fold) *)
+  lapply ((proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))) ? (|program|) (le_n (|program|)))
+  [ (* USE: policy_jump_equal → added = 0 (from fold) *)
+    @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind))))) #i #Hi
+    inversion (is_jump (\snd (nth i ? program 〈None ?, Comment []〉)))
+    [ #Hj
+      (* USE: policy_increase (from fold) *)
+      lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))) i (le_S_to_le … Hi))
+      lapply (Habs i Hi ?) [ >Hj %]
+      cases (bvt_lookup … (bitvector_of_nat ? i) (\snd old_sigma) 〈0,short_jump〉)
+      #opc #oj
+      cases (bvt_lookup … (bitvector_of_nat ? i) (\snd final_policy) 〈0,short_jump〉)
+      #pc #j normalize nodelta #Heq >Heq cases j
+      [1,2: #abs cases abs #abs2 try (cases abs2) @refl
+      |3: #_ @refl
+      ]
+    | #Hnj
+      (* USE: not_jump_default (from fold and old_sigma) *)
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))))) i Hi ?)
+      [2: >Hnj %]
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) i Hi ?) try %
+      >Hnj %
+    ]
+  | #abs >abs in Hsig; #Hsig
+    @(absurd ? Hsig) @lt_to_not_le @ltb_true_to_lt @Hge
+  ]
+| normalize nodelta lapply p -p cases (foldl_strong ? (λ_.Σx.?)???) in ⊢ (% → ?); #x #H #H2
+  >H2 in H; normalize nodelta -H2 -x #H @conj
+  [ @conj [ @conj
+  [ (* USE[pass]: not_jump_default, 0 ↦ 0, inc_pc = fst policy,
+     * jump_increase, sigma_compact_unsafe (from fold) *)
+    @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? H)))))
+  | #H2 (* USE[pass]: sigma_jump_equal → added = 0 (from fold) *)
+    @eq_to_eqb_true @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? H))))) @H2
+  ]
+  | (* USE[pass]: added = 0 → sigma_pc_equal (from fold) *)
+     #H2 @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? H)))) @eqb_true_to_eq @H2
+  ]
+  | @not_lt_to_le @ltb_false_to_not_lt @p1
+  ]
+|4: lapply (pi2 ?? acc) >p lapply (refl ? (inc_pc_sigma)) cases inc_pc_sigma in ⊢ (???% → %);
+  #inc_pc #inc_sigma #Hips
+  inversion (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉)
+  #old_pc #old_length #Holdeq #Hpolicy normalize nodelta in Hpolicy; @pair_elim
+  #added #policy normalize nodelta @pair_elim #new_length #isize normalize nodelta
+  #Heq1 #Heq2
+ cut (S (|prefix|) < 2^16)
+ [ @(transitive_lt … (proj1 … (pi2 ?? program))) @le_S_S >prf >append_length
+   <plus_n_Sm @le_S_S @le_plus_n_r ] #prefix_ok1
+ cut (|prefix| < 2^16) [ @(transitive_lt … prefix_ok1) %] #prefix_ok
+ cases (pair_destruct ?????? Heq2) -Heq2 #Heq2a #Heq2b
+  % [ % [ % [ % [ % [ % [ % [ % [ % ]]]]]]]]
+  (* NOTE: to save memory and speed up work, there's cases daemon here. They can be
+   * commented out for full proofs, but this needs a lot of memory and time *)
+  [ (* not_jump_default *)
+    @(jump_expansion_step1 … Heq1 Heq2b) try assumption
+    @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+  | (* 0 ↦ 0 *)
+    @(jump_expansion_step2 … Heq2b) try assumption
+    [ @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ??  (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+    | @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))) ]
+  | (* inc_pc = fst of policy *)
+    <Heq2b >append_length >(commutative_plus (|prefix|)) >lookup_insert_hit @refl
+  | (* jump_increase *)
+    @(jump_expansion_step3 … (pi1 ?? old_sigma) … prf … p1 ??? old_length Holdeq
+      … Heq1 prefix_ok1 prefix_ok Heq2b)
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))
+    cases (pi2 … old_sigma) * * * #H #_ #_ #_ #_ @H
+  | (* sigma_compact_unsafe *)
+    @(jump_expansion_step4 … Heq1 … Heq2b) try assumption
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ??  (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))
+    @(proj2 ?? (proj1 ?? (proj1 ?? Hpolicy)))
+  | (* policy_jump_equal → added = 0 *)
+    @(jump_expansion_step5 … Holdeq … Heq1 … Heq2b) try assumption
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))
+    @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))
+  | (* added = 0 → policy_pc_equal *) cases daemon
+lemma jump_expansion_step6:
+(*
+ program :
+  (Σl:list labelled_instruction.S (|l|)< 2 \sup 16 ∧is_well_labelled_p l)
+ labels :
+  (Σlm:label_map
+   .(∀l:identifier ASMTag
+     .occurs_exactly_once ASMTag pseudo_instruction l program
+      →bitvector_of_nat 16 (lookup_def ASMTag ℕ lm l O)
+       =address_of_word_labels_code_mem program l))*)
+ ∀old_sigma : ppc_pc_map.(*
+  (Σpolicy:ppc_pc_map
+   .not_jump_default program policy
+    ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                 〈O,short_jump〉)
+     =O
+    ∧\fst  policy
+     =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|program|))
+                  (\snd  policy) 〈O,short_jump〉)
+    ∧sigma_compact_unsafe program labels policy
+    ∧\fst  policy≤ 2 \sup 16 )*)
+ ∀prefix : list (option Identifier×pseudo_instruction).(*
+ x : (option Identifier×pseudo_instruction)
+ tl : (list (option Identifier×pseudo_instruction))
+ prf : (program=prefix@[x]@tl)
+ acc :
+  (Σx0:ℕ×ppc_pc_map
+   .(let 〈added,policy〉 ≝x0 in
+     not_jump_default prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                  〈O,short_jump〉)
+      =O
+     ∧\fst  policy
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  policy) 〈O,short_jump〉)
+     ∧jump_increase prefix old_sigma policy
+     ∧sigma_compact_unsafe prefix labels policy
+     ∧(sigma_jump_equal prefix old_sigma policy→added=O)
+     ∧(added=O→sigma_pc_equal prefix old_sigma policy)
+     ∧out_of_program_none prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                  (\snd  policy) 〈O,short_jump〉)
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  old_sigma) 〈O,short_jump〉)
+       +added
+     ∧sigma_safe prefix labels added old_sigma policy))
+ inc_added : ℕ
+ inc_pc_sigma : ppc_pc_map
+ p : (acc≃〈inc_added,inc_pc_sigma〉)*)
+ ∀label : option Identifier.
+ ∀instr : pseudo_instruction.(*
+ p1 : (x≃〈label,instr〉)
+ add_instr ≝
+  match instr
+   in pseudo_instruction
+   return λ_:pseudo_instruction.(option jump_length)
+   with
+  [Instruction (i:(preinstruction Identifier))⇒
+   jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+   (|prefix|) i
+  |Comment (_:String)⇒None jump_length
+  |Cost (_:costlabel)⇒None jump_length
+  |Jmp (j:Identifier)⇒
+   Some jump_length
+   (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+  |Call (c:Identifier)⇒
+   Some jump_length
+   (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+  |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+ inc_pc : ℕ
+ inc_sigma : (BitVectorTrie (ℕ×jump_length) 16)
+ Hips : (inc_pc_sigma=〈inc_pc,inc_sigma〉)
+ old_pc : ℕ
+ old_length : jump_length
+ Holdeq :
+  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) (\snd  old_sigma)
+   〈O,short_jump〉
+   =〈old_pc,old_length〉)
+ Hpolicy :
+  (not_jump_default prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) inc_sigma
+                〈O,short_jump〉)
+    =O
+   ∧inc_pc
+    =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                 〈O,short_jump〉)
+   ∧jump_increase prefix old_sigma 〈inc_pc,inc_sigma〉
+   ∧sigma_compact_unsafe prefix labels 〈inc_pc,inc_sigma〉
+   ∧(sigma_jump_equal prefix old_sigma 〈inc_pc,inc_sigma〉→inc_added=O)
+   ∧(inc_added=O→sigma_pc_equal prefix old_sigma 〈inc_pc,inc_sigma〉)
+   ∧out_of_program_none prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                〈O,short_jump〉)
+    =old_pc+inc_added
+   ∧sigma_safe prefix labels inc_added old_sigma 〈inc_pc,inc_sigma〉)*)
+ ∀added : ℕ.
+ ∀policy : ppc_pc_map.(*
+ new_length : jump_length
+ isize : ℕ
+ Heq1 :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_:String)⇒None jump_length
+   |Cost (_:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).(jump_length×ℕ)
+    with
+   [None⇒〈short_jump,instruction_size_jmplen short_jump instr〉
+   |Some (pl:jump_length)⇒
+    〈max_length old_length pl,
+    instruction_size_jmplen (max_length old_length pl) instr〉]
+   =〈new_length,isize〉)
+ prefix_ok1 : (S (|prefix|)< 2 \sup 16 )
+ prefix_ok : (|prefix|< 2 \sup 16 )
+ Heq2a :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_0:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_0:String)⇒None jump_length
+   |Cost (_0:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_0:[[dptr]])   (_00:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).ℕ
+    with
+   [None⇒inc_added
+   |Some (x0:jump_length)⇒
+    inc_added+(isize-instruction_size_jmplen old_length instr)]
+   =added)
+ Heq2b :
+  (〈inc_pc+isize,
+   insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+   〈inc_pc+isize,
+   \snd  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+               (\snd  old_sigma) 〈O,short_jump〉)〉
+   (insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+    〈inc_pc,new_length〉 inc_sigma)〉
+   =policy)
+*)
+ added=O→sigma_pc_equal (prefix@[〈label,instr〉]) old_sigma policy.
+cases daemon(*
     (* USE[pass]: added = 0 → policy_pc_equal *)
     (* lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))
+     lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))
     <(proj2 ?? (pair_destruct ?????? Heq2))
     <(proj1 ?? (pair_destruct ?????? Heq2))
 …
+        ]
+      ]
+    ] *)
+  | (* out_of_program_none *) cases daemon
+    (* #i #Hi2 >append_length <commutative_plus @conj
+    ]*)
+qed.
+lemma jump_expansion_step7:
+(*
+ program :
+  (Σl:list labelled_instruction.S (|l|)< 2 \sup 16 ∧is_well_labelled_p l)
+ labels :
+  (Σlm:label_map
+   .(∀l:identifier ASMTag
+     .occurs_exactly_once ASMTag pseudo_instruction l program
+      →bitvector_of_nat 16 (lookup_def ASMTag ℕ lm l O)
+       =address_of_word_labels_code_mem program l))
+ old_sigma :
+  (Σpolicy:ppc_pc_map
+   .not_jump_default program policy
+    ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                 〈O,short_jump〉)
+     =O
+    ∧\fst  policy
+     =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|program|))
+                  (\snd  policy) 〈O,short_jump〉)
+    ∧sigma_compact_unsafe program labels policy
+    ∧\fst  policy≤ 2 \sup 16 )*)
+ ∀prefix : list (option Identifier×pseudo_instruction).(*
+ x : (option Identifier×pseudo_instruction)
+ tl : (list (option Identifier×pseudo_instruction))
+ prf : (program=prefix@[x]@tl)
+ acc :
+  (Σx0:ℕ×ppc_pc_map
+   .(let 〈added,policy〉 ≝x0 in
+     not_jump_default prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                  〈O,short_jump〉)
+      =O
+     ∧\fst  policy
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  policy) 〈O,short_jump〉)
+     ∧jump_increase prefix old_sigma policy
+     ∧sigma_compact_unsafe prefix labels policy
+     ∧(sigma_jump_equal prefix old_sigma policy→added=O)
+     ∧(added=O→sigma_pc_equal prefix old_sigma policy)
+     ∧out_of_program_none prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                  (\snd  policy) 〈O,short_jump〉)
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  old_sigma) 〈O,short_jump〉)
+       +added
+     ∧sigma_safe prefix labels added old_sigma policy))
+ inc_added : ℕ
+ inc_pc_sigma : ppc_pc_map
+ p : (acc≃〈inc_added,inc_pc_sigma〉)*)
+ ∀label : option Identifier.
+ ∀instr : pseudo_instruction.(*
+ p1 : (x≃〈label,instr〉)
+ add_instr ≝
+  match instr
+   in pseudo_instruction
+   return λ_:pseudo_instruction.(option jump_length)
+   with
+  [Instruction (i:(preinstruction Identifier))⇒
+   jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+   (|prefix|) i
+  |Comment (_:String)⇒None jump_length
+  |Cost (_:costlabel)⇒None jump_length
+  |Jmp (j:Identifier)⇒
+   Some jump_length
+   (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+  |Call (c:Identifier)⇒
+   Some jump_length
+   (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+  |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+ inc_pc : ℕ
+ inc_sigma : (BitVectorTrie (ℕ×jump_length) 16)
+ Hips : (inc_pc_sigma=〈inc_pc,inc_sigma〉)
+ old_pc : ℕ
+ old_length : jump_length
+ Holdeq :
+  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) (\snd  old_sigma)
+   〈O,short_jump〉
+   =〈old_pc,old_length〉)
+ Hpolicy :
+  (not_jump_default prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) inc_sigma
+                〈O,short_jump〉)
+    =O
+   ∧inc_pc
+    =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                 〈O,short_jump〉)
+   ∧jump_increase prefix old_sigma 〈inc_pc,inc_sigma〉
+   ∧sigma_compact_unsafe prefix labels 〈inc_pc,inc_sigma〉
+   ∧(sigma_jump_equal prefix old_sigma 〈inc_pc,inc_sigma〉→inc_added=O)
+   ∧(inc_added=O→sigma_pc_equal prefix old_sigma 〈inc_pc,inc_sigma〉)
+   ∧out_of_program_none prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                〈O,short_jump〉)
+    =old_pc+inc_added
+   ∧sigma_safe prefix labels inc_added old_sigma 〈inc_pc,inc_sigma〉)
+ added : ℕ*)
+ ∀policy : ppc_pc_map.(*
+ new_length : jump_length
+ isize : ℕ
+ Heq1 :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_:String)⇒None jump_length
+   |Cost (_:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).(jump_length×ℕ)
+    with
+   [None⇒〈short_jump,instruction_size_jmplen short_jump instr〉
+   |Some (pl:jump_length)⇒
+    〈max_length old_length pl,
+    instruction_size_jmplen (max_length old_length pl) instr〉]
+   =〈new_length,isize〉)
+ prefix_ok1 : (S (|prefix|)< 2 \sup 16 )
+ prefix_ok : (|prefix|< 2 \sup 16 )
+ Heq2a :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_0:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_0:String)⇒None jump_length
+   |Cost (_0:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_0:[[dptr]])   (_00:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).ℕ
+    with
+   [None⇒inc_added
+   |Some (x0:jump_length)⇒
+    inc_added+(isize-instruction_size_jmplen old_length instr)]
+   =added)
+ Heq2b :
+  (〈inc_pc+isize,
+   insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+   〈inc_pc+isize,
+   \snd  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+               (\snd  old_sigma) 〈O,short_jump〉)〉
+   (insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+    〈inc_pc,new_length〉 inc_sigma)〉
+   =policy)
+*)
+ out_of_program_none (prefix@[〈label,instr〉]) policy.
+cases daemon (*
+    #i #Hi2 >append_length <commutative_plus @conj
     [ (* → *) #Hi normalize in Hi;
       cases instr in Heq2; normalize nodelta
 …
+        ]
+      ]
+    ] *)
+  | (* lookup p = lookup old_sigma + added *) cases daemon
+    (* <(proj2 ?? (pair_destruct ?????? Heq2)) >append_length <plus_n_Sm <plus_n_O
+    ]*)
+qed.
+lemma jump_expansion_step8:
+(*
+ program :
+  (Σl:list labelled_instruction.S (|l|)< 2 \sup 16 ∧is_well_labelled_p l)
+ labels :
+  (Σlm:label_map
+   .(∀l:identifier ASMTag
+     .occurs_exactly_once ASMTag pseudo_instruction l program
+      →bitvector_of_nat 16 (lookup_def ASMTag ℕ lm l O)
+       =address_of_word_labels_code_mem program l))*)
+ ∀old_sigma : ppc_pc_map.(*
+  (Σpolicy:ppc_pc_map
+   .not_jump_default program policy
+    ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                 〈O,short_jump〉)
+     =O
+    ∧\fst  policy
+     =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|program|))
+                  (\snd  policy) 〈O,short_jump〉)
+    ∧sigma_compact_unsafe program labels policy
+    ∧\fst  policy≤ 2 \sup 16 )*)
+ ∀prefix : list (option Identifier×pseudo_instruction).(*
+ x : (option Identifier×pseudo_instruction)
+ tl : (list (option Identifier×pseudo_instruction))
+ prf : (program=prefix@[x]@tl)
+ acc :
+  (Σx0:ℕ×ppc_pc_map
+   .(let 〈added,policy〉 ≝x0 in
+     not_jump_default prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                  〈O,short_jump〉)
+      =O
+     ∧\fst  policy
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  policy) 〈O,short_jump〉)
+     ∧jump_increase prefix old_sigma policy
+     ∧sigma_compact_unsafe prefix labels policy
+     ∧(sigma_jump_equal prefix old_sigma policy→added=O)
+     ∧(added=O→sigma_pc_equal prefix old_sigma policy)
+     ∧out_of_program_none prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                  (\snd  policy) 〈O,short_jump〉)
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  old_sigma) 〈O,short_jump〉)
+       +added
+     ∧sigma_safe prefix labels added old_sigma policy))
+ inc_added : ℕ
+ inc_pc_sigma : ppc_pc_map
+ p : (acc≃〈inc_added,inc_pc_sigma〉)*)
+ ∀label : option Identifier.
+ ∀instr : pseudo_instruction.(*
+ p1 : (x≃〈label,instr〉)
+ add_instr ≝
+  match instr
+   in pseudo_instruction
+   return λ_:pseudo_instruction.(option jump_length)
+   with
+  [Instruction (i:(preinstruction Identifier))⇒
+   jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+   (|prefix|) i
+  |Comment (_:String)⇒None jump_length
+  |Cost (_:costlabel)⇒None jump_length
+  |Jmp (j:Identifier)⇒
+   Some jump_length
+   (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+  |Call (c:Identifier)⇒
+   Some jump_length
+   (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+  |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+ inc_pc : ℕ
+ inc_sigma : (BitVectorTrie (ℕ×jump_length) 16)
+ Hips : (inc_pc_sigma=〈inc_pc,inc_sigma〉)
+ old_pc : ℕ
+ old_length : jump_length
+ Holdeq :
+  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) (\snd  old_sigma)
+   〈O,short_jump〉
+   =〈old_pc,old_length〉)
+ Hpolicy :
+  (not_jump_default prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) inc_sigma
+                〈O,short_jump〉)
+    =O
+   ∧inc_pc
+    =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                 〈O,short_jump〉)
+   ∧jump_increase prefix old_sigma 〈inc_pc,inc_sigma〉
+   ∧sigma_compact_unsafe prefix labels 〈inc_pc,inc_sigma〉
+   ∧(sigma_jump_equal prefix old_sigma 〈inc_pc,inc_sigma〉→inc_added=O)
+   ∧(inc_added=O→sigma_pc_equal prefix old_sigma 〈inc_pc,inc_sigma〉)
+   ∧out_of_program_none prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                〈O,short_jump〉)
+    =old_pc+inc_added
+   ∧sigma_safe prefix labels inc_added old_sigma 〈inc_pc,inc_sigma〉)*)
+ ∀added : ℕ.
+ ∀policy : ppc_pc_map.(*
+ new_length : jump_length
+ isize : ℕ
+ Heq1 :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_:String)⇒None jump_length
+   |Cost (_:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).(jump_length×ℕ)
+    with
+   [None⇒〈short_jump,instruction_size_jmplen short_jump instr〉
+   |Some (pl:jump_length)⇒
+    〈max_length old_length pl,
+    instruction_size_jmplen (max_length old_length pl) instr〉]
+   =〈new_length,isize〉)
+ prefix_ok1 : (S (|prefix|)< 2 \sup 16 )
+ prefix_ok : (|prefix|< 2 \sup 16 )
+ Heq2a :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_0:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_0:String)⇒None jump_length
+   |Cost (_0:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_0:[[dptr]])   (_00:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).ℕ
+    with
+   [None⇒inc_added
+   |Some (x0:jump_length)⇒
+    inc_added+(isize-instruction_size_jmplen old_length instr)]
+   =added)
+ Heq2b :
+  (〈inc_pc+isize,
+   insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+   〈inc_pc+isize,
+   \snd  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+               (\snd  old_sigma) 〈O,short_jump〉)〉
+   (insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+    〈inc_pc,new_length〉 inc_sigma)〉
+   =policy)
+*)
+   \fst  (lookup (ℕ×jump_length) 16
+              (bitvector_of_nat 16 (|(prefix@[〈label,instr〉])|)) (\snd  policy)
+              〈O,short_jump〉)
+  =\fst  (lookup (ℕ×jump_length) 16
+               (bitvector_of_nat 16 (|(prefix@[〈label,instr〉])|)) (\snd  old_sigma)
+               〈O,short_jump〉)
+   +added.
+cases daemon(*
+    <(proj2 ?? (pair_destruct ?????? Heq2)) >append_length <plus_n_Sm <plus_n_O
     >lookup_insert_hit
     <(proj1 ?? (pair_destruct ?????? Heq2)) cases instr in p1 Heq1;
 …
+        ]
+      ]
+    ] *)
+  | (* sigma_safe *) cases daemon (*#i >append_length >commutative_plus #Hi normalize in Hi;
+    ]*)
+qed.
+lemma jump_expansion_step9:
+(*
+ program :
+  (Σl:list labelled_instruction.S (|l|)< 2 \sup 16 ∧is_well_labelled_p l)*)
+ ∀labels : label_map.(*
+  (Σlm:label_map
+   .(∀l:identifier ASMTag
+     .occurs_exactly_once ASMTag pseudo_instruction l program
+      →bitvector_of_nat 16 (lookup_def ASMTag ℕ lm l O)
+       =address_of_word_labels_code_mem program l))*)
+ ∀old_sigma : ppc_pc_map.(*
+  (Σpolicy:ppc_pc_map
+   .not_jump_default program policy
+    ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                 〈O,short_jump〉)
+     =O
+    ∧\fst  policy
+     =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|program|))
+                  (\snd  policy) 〈O,short_jump〉)
+    ∧sigma_compact_unsafe program labels policy
+    ∧\fst  policy≤ 2 \sup 16 )*)
+ ∀prefix : list (option Identifier×pseudo_instruction).(*
+ x : (option Identifier×pseudo_instruction)
+ tl : (list (option Identifier×pseudo_instruction))
+ prf : (program=prefix@[x]@tl)
+ acc :
+  (Σx0:ℕ×ppc_pc_map
+   .(let 〈added,policy〉 ≝x0 in
+     not_jump_default prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                  〈O,short_jump〉)
+      =O
+     ∧\fst  policy
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  policy) 〈O,short_jump〉)
+     ∧jump_increase prefix old_sigma policy
+     ∧sigma_compact_unsafe prefix labels policy
+     ∧(sigma_jump_equal prefix old_sigma policy→added=O)
+     ∧(added=O→sigma_pc_equal prefix old_sigma policy)
+     ∧out_of_program_none prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                  (\snd  policy) 〈O,short_jump〉)
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  old_sigma) 〈O,short_jump〉)
+       +added
+     ∧sigma_safe prefix labels added old_sigma policy))
+ inc_added : ℕ
+ inc_pc_sigma : ppc_pc_map
+ p : (acc≃〈inc_added,inc_pc_sigma〉)*)
+ ∀label : option Identifier.
+ ∀instr : pseudo_instruction.(*
+ p1 : (x≃〈label,instr〉)
+ add_instr ≝
+  match instr
+   in pseudo_instruction
+   return λ_:pseudo_instruction.(option jump_length)
+   with
+  [Instruction (i:(preinstruction Identifier))⇒
+   jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+   (|prefix|) i
+  |Comment (_:String)⇒None jump_length
+  |Cost (_:costlabel)⇒None jump_length
+  |Jmp (j:Identifier)⇒
+   Some jump_length
+   (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+  |Call (c:Identifier)⇒
+   Some jump_length
+   (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+  |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+ inc_pc : ℕ
+ inc_sigma : (BitVectorTrie (ℕ×jump_length) 16)
+ Hips : (inc_pc_sigma=〈inc_pc,inc_sigma〉)
+ old_pc : ℕ
+ old_length : jump_length
+ Holdeq :
+  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) (\snd  old_sigma)
+   〈O,short_jump〉
+   =〈old_pc,old_length〉)
+ Hpolicy :
+  (not_jump_default prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) inc_sigma
+                〈O,short_jump〉)
+    =O
+   ∧inc_pc
+    =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                 〈O,short_jump〉)
+   ∧jump_increase prefix old_sigma 〈inc_pc,inc_sigma〉
+   ∧sigma_compact_unsafe prefix labels 〈inc_pc,inc_sigma〉
+   ∧(sigma_jump_equal prefix old_sigma 〈inc_pc,inc_sigma〉→inc_added=O)
+   ∧(inc_added=O→sigma_pc_equal prefix old_sigma 〈inc_pc,inc_sigma〉)
+   ∧out_of_program_none prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                〈O,short_jump〉)
+    =old_pc+inc_added
+   ∧sigma_safe prefix labels inc_added old_sigma 〈inc_pc,inc_sigma〉)*)
+ ∀added : ℕ.
+ ∀policy : ppc_pc_map.(*
+ new_length : jump_length
+ isize : ℕ
+ Heq1 :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_:String)⇒None jump_length
+   |Cost (_:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).(jump_length×ℕ)
+    with
+   [None⇒〈short_jump,instruction_size_jmplen short_jump instr〉
+   |Some (pl:jump_length)⇒
+    〈max_length old_length pl,
+    instruction_size_jmplen (max_length old_length pl) instr〉]
+   =〈new_length,isize〉)
+ prefix_ok1 : (S (|prefix|)< 2 \sup 16 )
+ prefix_ok : (|prefix|< 2 \sup 16 )
+ Heq2a :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_0:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_0:String)⇒None jump_length
+   |Cost (_0:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_0:[[dptr]])   (_00:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).ℕ
+    with
+   [None⇒inc_added
+   |Some (x0:jump_length)⇒
+    inc_added+(isize-instruction_size_jmplen old_length instr)]
+   =added)
+ Heq2b :
+  (〈inc_pc+isize,
+   insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+   〈inc_pc+isize,
+   \snd  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+               (\snd  old_sigma) 〈O,short_jump〉)〉
+   (insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+    〈inc_pc,new_length〉 inc_sigma)〉
+   =policy)
+*)
+ sigma_safe (prefix@[〈label,instr〉]) labels added old_sigma policy.
+cases daemon(*
+    #i >append_length >commutative_plus #Hi normalize in Hi;
     elim (le_to_or_lt_eq … (le_S_S_to_le … Hi)) -Hi #Hi
     [ >nth_append_first [2: @Hi]
 …
                   #Hind #dest #Hj lapply (Hind dest Hj) -Hind -Hj lapply (proj1 ?? (pair_destruct ?????? Heq2)) cases instr
                   [2,3,6: [3: #x] #y normalize nodelta #EQ <EQ cases j normalize nodelta
+                    [1,4,7: *)
+  ]
+                    [1,4,7:
+*)
+qed.
+(* One step in the search for a jump expansion fixpoint. *)
+definition jump_expansion_step: ∀program:(Σl:list labelled_instruction.
+  S (|l|) < 2^16 ∧ is_well_labelled_p l).
+  ∀labels:(Σlm:label_map.∀l.
+    occurs_exactly_once ?? l program →
+    bitvector_of_nat ? (lookup_def … lm l 0) =
+    address_of_word_labels_code_mem program l).
+  ∀old_policy:(Σpolicy:ppc_pc_map.
+    (* out_of_program_none program policy *)
+    And (And (And (And (not_jump_default program policy)
+    (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd policy) 〈0,short_jump〉) = 0))
+    (\fst policy = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd policy) 〈0,short_jump〉)))
+    (sigma_compact_unsafe program labels policy))
+    (\fst policy ≤ 2^16)).
+  (Σx:bool × (option ppc_pc_map).
+    let 〈no_ch,y〉 ≝ x in
+    match y with
+    [ None ⇒ nec_plus_ultra program old_policy
+    | Some p ⇒ And (And (And (And (And (And (And
+       (not_jump_default program p)
+       (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd p) 〈0,short_jump〉) = 0))
+       (\fst p = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd p) 〈0,short_jump〉)))
+       (jump_increase program old_policy p))
+       (sigma_compact_unsafe program labels p))
+       (sigma_jump_equal program old_policy p → no_ch = true))
+       (no_ch = true → sigma_pc_equal program old_policy p))
+       (\fst p ≤ 2^16)
+    ])
+    ≝
+  λprogram.λlabels.λold_sigma.
+  let 〈final_added, final_policy〉 ≝
+    pi1 ?? (foldl_strong (option Identifier × pseudo_instruction)
+    (λprefix.Σx:ℕ × ppc_pc_map.
+      let 〈added,policy〉 ≝ x in
+      And (And (And (And (And (And (And (And (And (not_jump_default prefix policy)
+      (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd policy) 〈0,short_jump〉) = 0))
+      (\fst policy = \fst (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd policy) 〈0,short_jump〉)))
+      (jump_increase prefix old_sigma policy))
+      (sigma_compact_unsafe prefix labels policy))
+      (sigma_jump_equal prefix old_sigma policy → added = 0))
+      (added = 0 → sigma_pc_equal prefix old_sigma policy))
+      (out_of_program_none prefix policy))
+      (\fst (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd policy) 〈0,short_jump〉) =
+       \fst (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd old_sigma) 〈0,short_jump〉) + added))
+      (sigma_safe prefix labels added old_sigma policy))
+    program
+    (λprefix.λx.λtl.λprf.λacc.
+      let 〈inc_added, inc_pc_sigma〉 ≝ (pi1 ?? acc) in
+      let 〈label,instr〉 ≝ x in
+      (* Now, we must add the current ppc and its pc translation.
+       * Three possibilities:
+       *   - Instruction is not a jump; i.e. constant size whatever the sigma we use;
+       *   - Instruction is a backward jump; we can use the sigma we're constructing,
+       *     since it will already know the translation of its destination;
+       *   - Instruction is a forward jump; we must use the old sigma (the new sigma
+       *     does not know the translation yet), but compensate for the jumps we
+       *     have lengthened.
+       *)
+      let add_instr ≝ match instr with
+      [ Jmp  j        ⇒ Some ? (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+      | Call c        ⇒ Some ? (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+      | Instruction i ⇒ jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added (|prefix|) i
+      | _             ⇒ None ?
+      ] in
+      let 〈inc_pc, inc_sigma〉 ≝ inc_pc_sigma in
+      let old_length ≝
+        \snd (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉) in
+      let old_size ≝ instruction_size_jmplen old_length instr in
+      let 〈new_length, isize〉 ≝ match add_instr with
+      [ None    ⇒ 〈short_jump, instruction_size_jmplen short_jump instr〉
+      | Some pl ⇒ 〈max_length old_length pl, instruction_size_jmplen (max_length old_length pl) instr〉
+      ] in
+      let new_added ≝ match add_instr with
+      [ None   ⇒ inc_added
+      | Some x ⇒ plus inc_added (minus isize old_size)
+      ] in
+      let old_Slength ≝
+        \snd (bvt_lookup … (bitvector_of_nat ? (S (|prefix|))) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉) in
+      let updated_sigma ≝
+        (* we add the new PC to the next position and the new jump length to this one *)
+        bvt_insert … (bitvector_of_nat ? (S (|prefix|))) 〈inc_pc + isize, old_Slength〉
+        (bvt_insert … (bitvector_of_nat ? (|prefix|)) 〈inc_pc, new_length〉 inc_sigma) in
+      〈new_added, 〈plus inc_pc isize, updated_sigma〉〉
+    ) 〈0, 〈0,
+      bvt_insert …
+        (bitvector_of_nat ? 0)
+        〈0, \snd (bvt_lookup … (bitvector_of_nat ? 0) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉)〉
+        (Stub ??)〉〉
+    ) in
+    if gtb (\fst final_policy) 2^16 then
+      〈eqb final_added 0, None ?〉
+    else
+      〈eqb final_added 0, Some ? final_policy〉.
+[ normalize nodelta @nmk #Habs lapply p -p cases (foldl_strong ? (λ_.Σx.?) ???)
+  #x #H #Heq >Heq in H; normalize nodelta -Heq -x #Hind
+  (* USE: inc_pc = fst of policy (from fold) *)
+  >(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))))) in p1;
+  (* USE: fst policy < 2^16, inc_pc = fst of policy (old_sigma) *)
+  lapply (proj2 ?? (pi2 ?? old_sigma)) >(proj2 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma))))
+  #Hsig #Hge
+  (* USE: added = 0 → policy_pc_equal (from fold) *)
+  lapply ((proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))) ? (|program|) (le_n (|program|)))
+  [ (* USE: policy_jump_equal → added = 0 (from fold) *)
+    @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind))))) #i #Hi
+    inversion (is_jump (\snd (nth i ? program 〈None ?, Comment []〉)))
+    [ #Hj
+      (* USE: policy_increase (from fold) *)
+      lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))) i (le_S_to_le … Hi))
+      lapply (Habs i Hi ?) [ >Hj %]
+      cases (bvt_lookup … (bitvector_of_nat ? i) (\snd old_sigma) 〈0,short_jump〉)
+      #opc #oj
+      cases (bvt_lookup … (bitvector_of_nat ? i) (\snd final_policy) 〈0,short_jump〉)
+      #pc #j normalize nodelta #Heq >Heq cases j
+      [1,2: #abs cases abs #abs2 try (cases abs2) @refl
+      |3: #_ @refl
+      ]
+    | #Hnj
+      (* USE: not_jump_default (from fold and old_sigma) *)
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))))) i Hi ?)
+      [2: >Hnj %]
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) i Hi ?) try %
+      >Hnj %
+    ]
+  | #abs >abs in Hsig; #Hsig
+    @(absurd ? Hsig) @lt_to_not_le @ltb_true_to_lt @Hge
+  ]
+| normalize nodelta lapply p -p cases (foldl_strong ? (λ_.Σx.?)???) in ⊢ (% → ?); #x #H #H2
+  >H2 in H; normalize nodelta -H2 -x #H @conj
+  [ @conj [ @conj
+  [ (* USE[pass]: not_jump_default, 0 ↦ 0, inc_pc = fst policy,
+     * jump_increase, sigma_compact_unsafe (from fold) *)
+    @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? H)))))
+  | #H2 (* USE[pass]: sigma_jump_equal → added = 0 (from fold) *)
+    @eq_to_eqb_true @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? H))))) @H2
+  ]
+  | (* USE[pass]: added = 0 → sigma_pc_equal (from fold) *)
+     #H2 @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? H)))) @eqb_true_to_eq @H2
+  ]
+  | @not_lt_to_le @ltb_false_to_not_lt @p1
+  ]
+|4: lapply (pi2 ?? acc) >p lapply (refl ? (inc_pc_sigma)) cases inc_pc_sigma in ⊢ (???% → %);
+  #inc_pc #inc_sigma #Hips
+  inversion (bvt_lookup … (bitvector_of_nat ? (|prefix|)) (\snd (pi1 ?? old_sigma)) 〈0,short_jump〉)
+  #old_pc #old_length #Holdeq #Hpolicy normalize nodelta in Hpolicy; @pair_elim
+  #added #policy normalize nodelta @pair_elim #new_length #isize normalize nodelta
+  #Heq1 #Heq2
+ cut (S (|prefix|) < 2^16)
+ [ @(transitive_lt … (proj1 … (pi2 ?? program))) @le_S_S >prf >append_length
+   <plus_n_Sm @le_S_S @le_plus_n_r ] #prefix_ok1
+ cut (|prefix| < 2^16) [ @(transitive_lt … prefix_ok1) %] #prefix_ok
+ cases (pair_destruct ?????? Heq2) -Heq2 #Heq2a #Heq2b
+  % [ % [ % [ % [ % [ % [ % [ % [ % ]]]]]]]]
+  (* NOTE: to save memory and speed up work, there's cases daemon here. They can be
+   * commented out for full proofs, but this needs a lot of memory and time *)
+  [ (* not_jump_default *)
+    @(jump_expansion_step1 … Heq1 Heq2b) try assumption
+    @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+  | (* 0 ↦ 0 *)
+    @(jump_expansion_step2 … Heq2b) try assumption
+    [ @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ??  (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+    | @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))) ]
+  | (* inc_pc = fst of policy *)
+    <Heq2b >append_length >(commutative_plus (|prefix|)) >lookup_insert_hit @refl
+  | (* jump_increase *)
+    @(jump_expansion_step3 … (pi1 ?? old_sigma) … prf … p1 ??? old_length Holdeq
+      … Heq1 prefix_ok1 prefix_ok Heq2b)
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))
+    cases (pi2 … old_sigma) * * * #H #_ #_ #_ #_ @H
+  | (* sigma_compact_unsafe *)
+    @(jump_expansion_step4 … Heq1 … Heq2b) try assumption
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ??  (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))
+    @(proj2 ?? (proj1 ?? (proj1 ?? Hpolicy)))
+  | (* policy_jump_equal → added = 0 *)
+    @(jump_expansion_step5 … Holdeq … Heq1 … Heq2b) try assumption
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))
+    @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))
+  | (* added = 0 → policy_pc_equal *) cases daemon (*
+    @(jump_expansion_step6 … Heq1 … Heq2b) try assumption
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))
+    @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))
+    *)
+  | (* out_of_program_none *) cases daemon(*
+    @jump_expansion_step7 try assumption
+    @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))))
+    *)
+  | (* lookup p = lookup old_sigma + added *) cases daemon(*
+    @jump_expansion_step8 try assumption
+    try @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))
+    @(proj2 ?? (proj1 ?? Hpolicy)) *)
+  | (* sigma_safe *) cases daemon (*
+    @jump_expansion_step9 try assumption
+    @(proj2 ?? Hpolicy) *)
+  ]
 | normalize nodelta % [ % [ % [ % [ % [ % [ % [ % [ % ]]]]]]]]
   [ #i cases i

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2240 for src/ASM

Legend:

src/ASM/PolicyStep.ma

Download in other formats: