e0 one_not_zero); 25 nqed.26 27 nlemma bool_of: ∀v,ty,b. bool_of_val v ty (of_bool b) →7 #v #ty #r 8 cases v; [  #i  #f  #r1  #r #b #of ] 9 cases ty; [ 2,11,20,29,38: #sz #sg  3,12,21,30,39: #sz  4,13,22,31,40: #r #ty  5,14,23,32,41: #r #ty #n  6,15,24,33,42: #args #rty  7,8,16,17,25,26,34,35,43,44: #id #fs  9,18,27,36,45: #r #id ] 10 #H whd in H:(??%?); destruct; 11 [ lapply (eq_spec i zero); elim (eq i zero); 12 [ #e >e @bool_of_val_false //; 13  #ne @bool_of_val_true /2/; 14 ] 15  elim (eq_dec f Fzero); 16 [ #e >e >(Feq_zero_true …) @bool_of_val_false //; 17  #ne >(Feq_zero_false …) //; @bool_of_val_true /2/; 18 ] 19  @bool_of_val_false // 20  @bool_of_val_true // 21 ] qed. 22 23 lemma bool_val_distinct: Vtrue ≠ Vfalse. 24 % #H whd in H:(??%%); destruct; @(absurd ? e0 one_not_zero) 25 qed. 26 27 lemma bool_of: ∀v,ty,b. bool_of_val v ty (of_bool b) → 28 28 if b then is_true v ty else is_false v ty. 29 #v ty b; ncases b; #H; ninversion H; #v' ty' H' ev et ev;//;30 napply False_ind; napply (absurd ? → ?);63 nlapply (try_cast_null_sound m i (Tint sz1 si1) t v');64 ncases (try_cast_null m i (Tint sz1 si1) t);65 ##[ ##1,3,5: #v''; #H' e; napply H'; napply e;66 ## ##*: #_; nwhd in ⊢ (??%? → ?); #H; ndestruct (H);67 ##]68 ##]69 ## ##*: ##[ #sp ty''; nletin t ≝ (Tpointer sp ty'')70 ## #sp ty'' n; nletin t ≝ (Tarray sp ty'' n)71 ## #args rty; nletin t ≝ (Tfunction args rty) ##]72 nwhd in ⊢ (??%? → ?);73 nlapply (try_cast_null_sound m i t ty' v');74 ncases (try_cast_null m i t ty');75 ##[ ##1,3,5: #v''; #H' e; napply H'; napply e;76 ## ##*: #_; nwhd in ⊢ (??%? → ?); #H; ndestruct (H);77 ##]78 ##]79 ## #f; ncases ty; ##[ ##3: #x; ## ##2,4,6,7,8,9: #x y; ## ##5: #x y z; ##]80 ##[ ncases ty'; ##[ #e; ## ##3: #a e; ## ##2,4,6,7,8,9: #a b e; ## #a b c e; ##]81 nwhd in e:(??%?); ndestruct; //;82 ## ##*: #e; nwhd in e:(??%?); ndestruct83 ##]84 ## #r; ncases ty; ##[ ##3: #x; ## ##2,4,6,7,8,9: #x y; ## ##5: #x y z; ##]85 nwhd in ⊢ (??%? → ?); #H; ndestruct; ncases (eq_region_dec r ?) in H;86 nwhd in ⊢ (? ev ?) 31 [ 2: @sym_neq ] @bool_val_distinct 32 qed. 33 34 lemma try_cast_null_sound: ∀m,i,ty,ty',v'. try_cast_null m i ty ty' = OK ? v' → cast m (Vint i) ty ty' v'. 35 #m #i #ty #ty' #v' 36 whd in ⊢ (??%? → ?); 37 lapply (eq_spec i zero); cases (eq i zero); 38 [ #e >e 39 cases ty; [  #sz #sg  #fs  #sp #ty  #sp #ty #n  #args #rty  #id #fs  #id #fs  #r #id ] 40 whd in ⊢ (??%? → ?); #H destruct; 41 cases ty' in H ⊢ %; [  #sz #sg  #fs  #sp #ty  #sp #ty #n  #args #rty  #id #fs  #id #fs  #r #id ] 42 whd in ⊢ (??%? → ?); #H destruct (H); @cast_ip_z //; 43  #_ whd in ⊢ (??%? → ?); #H destruct 44 ] 45 qed. 46 47 definition exec_cast_sound : ∀m:mem. ∀v:val. ∀ty:type. ∀ty':type. ∀v':val. exec_cast m v ty ty' = OK ? v' → cast m v ty ty' v'. 48 #m #v #ty #ty' #v' 49 cases v; 50 [ #H whd in H:(??%?); destruct; 51  #i cases ty; 52 [ #H whd in H:(??%?); destruct; 53  3: #a #H whd in H:(??%?); destruct; 54  7,8,9: #a #b #H whd in H:(??%?); destruct; 55  #sz1 #si1 cases ty'; 56 [ #H whd in H:(??%?); destruct; 57  3: #a #H whd in H:(??%?); destruct; // 58  2,7,8,9: #a #b #H whd in H:(??%?); destruct; // 59  4,5,6: [ #sp #ty'' letin t ≝ (Tpointer sp ty'') 60  #sp #ty'' #n letin t ≝ (Tarray sp ty'' n) 61  #args #rty letin t ≝ (Tfunction args rty) ] 62 whd in ⊢ (??%? → ?); #e 90 elim (bind_inversion ????? e); #s *; #es #e' 91 elim (bind_inversion ????? e'); #u *; #eu #e'' 92 elim (bind_inversion ????? e''); #s' *; #es' #e''' 93 cut (type_region ty s); 94 [ cases ty in es:(??%?) ⊢ %; [ #e  3: #a #e  2,4,6,7,8,9: #a #b #e  #a #b #c #e ] 95 whd in e:(??%?); destruct; //; 96  #Hty 97 cut (type_region ty' s'); 98 [ cases ty' in es' ⊢ %; [ #e  3: #a #e  2,4,6,7,8,9: #a #b #e  #a #b #c #e ] 99 whd in e:(??%?); destruct; //; 100  #Hty' 101 cut (s = sp). elim (eq_region_dec sp s) in eu; //; normalize; #_ #e destruct. 102 #e <e 103 whd in match (is_pointer_compat ??) in e'''; 104 cases (pointer_compat_dec (block_space m b) s') in e'''; #Hcompat #e''' 105 whd in e''':(??%?); destruct (e'''); /2/ 106 ] 107 ] 108 ] qed. 109 110 let rec expr_lvalue_ind 111 111 (P:expr → Prop) 112 112 (Q:expr_descr → type → Prop) … … 172 172  Efield e' i ⇒ match e' return λe1.Q (Efield e1 i) ty with [ Expr e'' ty'' ⇒ fl ty e'' ty'' i (lvalue_expr_ind P Q ci cf lv vr dr ao uo bo ca cd ab ob sz fl co xx e'' ty'') ] 173 173  _ ⇒ xx ? (λx.eval_expr ge en m e (\fst x) (\snd x)) (exec_expr ge en m e)). 179 #ge en m e; napply (expr_lvalue_ind ? (λe',ty.P_res ? (λr.eval_lvalue ge en m (Expr e' ty) (\fst (\fst (\fst r))) (\snd (\fst (\fst r))) (\snd (\fst r)) (\snd r)) (exec_lvalue' ge en m e' ty)) … e); 180 ##[ ##1,2: #ty c; nwhd; //; 179 #ge #en #m #e @(expr_lvalue_ind ? (λe',ty.P_res ? (λr.eval_lvalue ge en m (Expr e' ty) (\fst (\fst (\fst r))) (\snd (\fst (\fst r))) (\snd (\fst r)) (\snd r)) (exec_lvalue' ge en m e' ty)) … e) 180 (* XXX // fails [ 1,2: #ty #c whd // *) 181 [ #ty #c whd % 182  #ty #c whd %2 181 183 (* expressions that are lvalues *) 182 ## #e' ty; ncases e'; //; ##[ #i He' ## #e He' ## #e i He' ##] nwhd in He' ⊢ %; 183 napply bind2_OK; #x; ncases x; #y; ncases y; #sp loc ofs tr H; 184 napply opt_bind_OK; #vl evl; nwhd in evl:(??%?); napply (eval_Elvalue … evl); 185 nrewrite > H in He'; #He'; napply He'; 186 ## #v ty; 187 nwhd in ⊢ (???%); 188 nlapply (refl ? He2); napply (bool_of ??? Hb); 220 ## nrewrite > Hv in He3; #He3; nwhd in He3 Hv:(??%?) ⊢%; 221 napply (eval_Econdition_false … He1 ? He3); napply (bool_of ??? Hdelta); 246 ## #id fs He'; napply bind2_OK; #x; ncases x; #sp l ofs H; 247 nrewrite > H in He'; #He'; 248 napply (eval_Efield_union … He' (refl ??)); 249 ##] 250 ## #ty l e' He'; napply bind2_OK; #v tr1 H; nrewrite > H in He'; #He'; 251 napply (eval_Ecost … He'); 184  #e' #ty cases e'; //; [ #i #He'  #e #He'  #e #i #He' ] whd in He' ⊢ %; 185 @bind2_OK #x cases x; #y cases y; #sp #loc #ofs #tr #H 186 @opt_bind_OK #vl #evl whd in evl:(??%?); @(eval_Elvalue … evl) 187 >H in He' #He' @He' 188  #v #ty 189 whd in ⊢ (???%); 190 lapply (refl ? He2) @(bool_of ??? Hb) 223  >Hv in He3 #He3 whd in He3 Hv:(??%?) ⊢%; 224 @(eval_Econdition_false … He1 ? He3) @(bool_of ??? Hdelta) 249  #id #fs #He' @bind2_OK #x cases x; #sp #l #ofs #H 250 >H in He' #He' 251 @(eval_Efield_union … He' (refl ??)) 252 ] 253  #ty #l #e' #He' @bind2_OK #v #tr1 #H >H in He' #He' 254 @(eval_Ecost … He') 252 255 (* exec_lvalue fails on nonlvalues. *) 253 ## #e' ty; ncases e';254 ##[ ##1,2,5,12: #a H ## ##3,4: #a; * ## ##13,14: #a b; * ## ##6,8,10,11: #a b H ## ##7,9: #a b c H ##]255 napply I;256 ##] nqed.257 258 nlemma addrof_eval_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty.256  #e' #ty cases e'; 257 [ 1,2,5,12: #a #H  3,4: #a *  13,14: #a #b *  6,8,10,11: #a #b #H  7,9: #a #b #c #H ] 258 @I 259 ] qed. 260 261 lemma addrof_eval_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty. 259 262 eval_expr ge en m (Expr (Eaddrof e) ty) (Vptr sp loc off) tr → 260 263 eval_lvalue ge en m e sp loc off tr. 261 #ge en m e sp loc off tr ty H; ninversion H;262 ##[ ##1,2,5: #a b H; napply False_ind; ndestruct (H);263 ## #a b c d e f g H1 i H2; nrewrite < H2 in H1; #H1; napply False_ind; 264 napply (eval_lvalue_inv_ind … H1);265 ##[ #a b c d bad; ndestruct (bad);266 ## #a b c d e f bad; ndestruct (bad);267 ## #a b c d e f g bad; ndestruct (bad);268 ## #a b c d e f g h i j k l m n bad; napply False_ind; ndestruct (bad);269 ## #a b c d e f g h i j k l bad; ndestruct (bad);270 ##]271 ## #e' ty' sp' loc' ofs' tr' H e1 e2 e3; ndestruct (e1 e2 e3); napply H; 272 ## #a b c d e f g h i bad; ndestruct (bad);273 ## #a b c d e f g h i j k l k l bad; ndestruct (bad);274 ## #a b c d e f g h i j k l m bad; ndestruct (bad);275 ## #a b c d e f g h i j k l m bad; ndestruct (bad);276 ## #a b c d e f g h bad; ndestruct (bad);277 ## #a b c d e f g h i j k l m n bad; ndestruct (bad);278 ## #a b c d e f g h bad; ndestruct (bad);279 ## #a b c d e f g h i j k l m n bad; ndestruct (bad);280 ## #a b c d e f g h i bad; ndestruct (bad);281 ## #a b c d e f g bad; ndestruct (bad);282 ##] nqed.283 284 nlemma addrof_exec_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty.264 #ge #en #m #e #sp #loc #off #tr #ty #H inversion H; 265 [ 1,2,5: #a #b #H @False_ind destruct (H); 266  #a #b #c #d #e #f #g #H1 #i #H2 <H2 in H1 #H1 @False_ind 267 @(eval_lvalue_inv_ind … H1) 268 [ #a #b #c #d #bad destruct (bad); 269  #a #b #c #d #e #f #bad destruct (bad); 270  #a #b #c #d #e #f #g #bad destruct (bad); 271  #a #b #c #d #e #f #g #h #i #j #k #l #m #n #bad @False_ind destruct (bad); 272  #a #b #c #d #e #f #g #h #i #j #k #l #bad destruct (bad); 273 ] 274  #e' #ty' #sp' #loc' #ofs' #tr' #H #e1 #e2 #e3 destruct (e1 e2 e3); @H 275  #a #b #c #d #e #f #g #h #i #bad destruct (bad); 276  #a #b #c #d #e #f #g #h #i #j #k #l #k #l #bad destruct (bad); 277  #a #b #c #d #e #f #g #h #i #j #k #l #m #bad destruct (bad); 278  #a #b #c #d #e #f #g #h #i #j #k #l #m #bad destruct (bad); 279  #a #b #c #d #e #f #g #h #bad destruct (bad); 280  #a #b #c #d #e #f #g #h #i #j #k #l #m #n #bad destruct (bad); 281  #a #b #c #d #e #f #g #h #bad destruct (bad); 282  #a #b #c #d #e #f #g #h #i #j #k #l #m #n #bad destruct (bad); 283  #a #b #c #d #e #f #g #h #i #bad destruct (bad); 284  #a #b #c #d #e #f #g #bad destruct (bad); 285 ] qed. 286 287 lemma addrof_exec_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty. 285 288 exec_lvalue ge en m e = OK ? 〈〈〈sp,loc〉,off〉,tr〉 → 286 289 exec_expr ge en m (Expr (Eaddrof e) ty) = OK ? 〈Vptr sp loc off, tr〉. 287 #ge en m e sp loc off tr ty H; nwhd in ⊢ (??%?);288 nrewrite > H;//;289 nqed.290 291 ntheorem exec_lvalue_sound: ∀ge,en,m,e.290 #ge #en #m #e #sp #loc #off #tr #ty #H whd in ⊢ (??%?); 291 >H //; 292 qed. 293 294 theorem exec_lvalue_sound: ∀ge,en,m,e. 292 295 P_res ? (exec_lvalue ge en m e)); 297 cases (exec_lvalue ge en m e) in ⊢ (???% → %); 298 [ #x cases x; #y cases y; #z cases z; #sp #loc #off #tr #H whd; 299 @(addrof_eval_lvalue … Tvoid) 300 lapply (addrof_exec_lvalue … Tvoid H); #H' 301 lapply (exec_expr_sound ge en m (Expr (Eaddrof e) Tvoid)); 302 >H' #H'' @H'' 303  #_ whd; @I 304 ] qed. 302 305 303 306 (* Plain equality versions of the above *) 304 307 305 ndefinition exec_expr_sound' ≝ λge,en,m,e,v.308 definition exec_expr_sound' ≝ λge,en,m,e,v. 306 309 λH:exec_expr ge en m e = OK ? v. 307 310 P_res_to_P ???? (exec_expr_sound ge en m e) H. 308 311 309 ndefinition exec_lvalue_sound' ≝ λge,en,m,e,sp,loc,off,tr.312 definition exec_lvalue_sound' ≝ λge,en,m,e,sp,loc,off,tr. 310 313 λH:exec_lvalue ge en m e = OK ? 〈〈〈sp,loc〉,off〉,tr〉. 311 314 P_res_to_P ???? (exec_lvalue_sound ge en m e) H. 312 315 313 nlemma exec_exprlist_sound: ∀ge,e,m,l. P_res ? (λvltr:list val×trace. eval_exprlist ge e m l (\fst vltr) (\snd vltr)) (exec_exprlist ge e m l). 317 #ge #e #m #l elim l; 318 whd; (* XXX //; *) 319 [ % 320  #e1 #es #IH 321 @bind2_OK #v #tr1 #Hv 322 @bind2_OK #vs #tr2 #Hvs 323 whd; @eval_Econs 324 [ @(P_res_to_P … (exec_expr_sound ge e m e1) Hv) 325  @(P_res_to_P … IH Hvs) 326 ] 327 ] qed. 328 329 lemma exec_alloc_variables_sound : ∀l,en,m,en',m'. 330 exec_alloc_variables en m l = 〈en',m'〉 → 331 alloc_variables en m l en' m'. 332 #l elim l 333 [ #en #m #en' #m' #EXEC whd in EXEC:(??%?); destruct % 334  * #id #ty #t #IH #en #m #en' #m' 335 lapply (refl ? (alloc m O (sizeof ty) Any)) #ALLOC #EXEC 336 whd in EXEC:(??%?) ALLOC:(???%) 337 @(alloc_variables_cons … ALLOC) 338 @IH @EXEC 339 qed. 340 341 lemma exec_bind_parameters_sound : ∀ps,vs,en,m. 342 P_res ? (λr. step ge st (\fst r) (\snd r)) (exec_step ge st). 326 #ge st; ncases st; 327 ##[ #f s k e m; ncases s; 328 ##[ ncases k; 329 ##[ nwhd in ⊢ (?????%); 330 nlapply (refl ? (fn_return f)); ncases (fn_return f) in ⊢ (???% → %); 354 //; #H; nwhd; 355 napply step_skip_call; //; 356 ##] 357 ## #ex1 ex2; 358 napply res_bindIO2_OK; #x; ncases x; #y; ncases y; #pcl loc ofs tr1 Hlval; 359 napply res_bindIO2_OK; #v2 tr2 Hv2; 360 napply opt_bindIO_OK; #m' em'; 361 nwhd; napply (step_assign … (exec_lvalue_sound' … Hlval) (exec_expr_sound' … Hv2) em'); 362 ## #lex fex args; 363 napply res_bindIO2_OK; #vf tr1 Hvf0; nlapply (exec_expr_sound' … Hvf0); #Hvf; 364 napply res_bindIO2_OK; #vargs tr2 Hvargs0; nlapply (P_res_to_P ???? (fn_return f)); ncases (fn_return f) in ⊢ (???% → %); //; #H; 427 napply step_return_0; napply H; 428 ## #ex; ncases (type_eq_dec (fn_return f) Tvoid); //; nwhd in ⊢ (% → ?????%); #Hnotvoid; 429 napply res_bindIO2_OK; #v tr Hv; 430 nwhd; napply (step_return_1 … Hnotvoid (exec_expr_sound' … Hv)); 431 ##] 432 ## #ex ls; napply res_bindIO2_OK; #v; ncases v; //; #n tr Hv; 433 napply step_switch; napply (exec_expr_sound' … Hv); 434 ## #l s'; nwhd; //; 435 ## #l; nwhd in ⊢ (?????%); nlapply (refl ? (\fst gs) ∧ initial_state p (\snd gs)) (make_initial_state p). 460 #p; ncases p; #fns main vars; 461 nwhd in ⊢ (???%); 462 napply bind_OK; #ge Ege; 463 napply bind_OK; #m Em; 464 napply opt_bind_OK; #x; ncases x; #sp b esb; 465 napply opt_bind_OK; #u ecode; 466 napply opt_bind_OK; #f ef; 467 ncases sp in esb ecode; #esb ecode; nwhd in ecode:(??%%); ##[ ##1,2,3,4,5: ndestruct (ecode); ##] 468 nwhd; @; //; napply (initial_state_intro … Ege Em esb ef); 469 nqed. 470 471 ntheorem exec_steps_sound: ∀ge,n,st. 373 #ge #st cases st; 374 [ #f #s #k #e #m cases s; 375 [ cases k; 376 [ whd in ⊢ (?????%); 377 lapply (refl ? (fn_return f)); cases (fn_return f) in ⊢ (???% → %); 401 //; #H whd; 402 @step_skip_call //; 403 ] 404  #ex1 #ex2 405 @res_bindIO2_OK #x cases x; #y cases y; #pcl #loc #ofs #tr1 #Hlval 406 @res_bindIO2_OK #v2 #tr2 #Hv2 407 @opt_bindIO_OK #m' #em' 408 whd; @(step_assign … (exec_lvalue_sound' … Hlval) (exec_expr_sound' … Hv2) em') 409  #lex #fex #args 410 @res_bindIO2_OK #vf #tr1 #Hvf0 lapply (exec_expr_sound' … Hvf0); #Hvf 411 @res_bindIO2_OK #vargs #tr2 #Hvargs0 lapply (P_res_to_P ???? (fn_return f)); cases (fn_return f) in ⊢ (???% → %); //; #H 474 @step_return_0 @H 475  #ex cases (type_eq_dec (fn_return f) Tvoid); //; whd in ⊢ (% → ?????%); #Hnotvoid 476 @res_bindIO2_OK #v #tr #Hv 477 whd; @(step_return_1 … Hnotvoid (exec_expr_sound' … Hv)) 478 ] 479  #ex #ls @res_bindIO2_OK #v cases v; //; #n #tr #Hv 480 @step_switch @(exec_expr_sound' … Hv) 481  #l #s' whd; @step_label (* XXX //; *) 482  #l whd in ⊢ (?????%); lapply (refl ? (find_label l (fn_body f) (call_cont k))); 483 cases (find_label l (fn_body f) (call_cont k)) in ⊢ (???% → %); //; 484 #sk cases sk; #s' #k' #H 485 @(step_goto … H) 486  #l #s' whd; (* XXX //; *) @step_cost 487 ] 488  #f0 #vargs #k #m whd in ⊢ (?????%); cases f0; 489 [ #fn whd in ⊢ (?????%) 490 lapply (refl ? (\fst gs) ∧ initial_state p (\snd gs)) (make_initial_state p). 511 #p cases p; #fns #main #vars 512 whd in ⊢ (???%); 513 @bind_OK #ge #Ege 514 @bind_OK #m #Em 515 @opt_bind_OK #x cases x; #sp #b #esb 516 @opt_bind_OK #u #ecode 517 @opt_bind_OK #f #ef 518 cases sp in esb ecode; #esb #ecode whd in ecode:(??%%); [ 1,2,3,4,5: destruct (ecode); ] 519 whd; % [ whd in ⊢ (???(??%)) //  @(initial_state_intro … Ege Em esb ef) ] 520 qed. 521 522 theorem exec_steps_sound: ∀ge,n,st. 472 523 P_io ??? (λts:trace×state. star (mk_transrel ?? step) ge st (\fst ts) (\snd ts)) 473 524 (exec_steps n ge st). 474 #ge n; nelim n;475 ##[ #st; nwhd in ⊢ (?????%); nelim (is_final_state st); #H; nwhd; //; 476 ## #n' IH st; nwhd in ⊢ (?????%); nelim (is_final_state st); #H; 477 ##[ nwhd; //;478 ## napply (P_bindIO2_OK ????????? 