Context Navigation

← Previous Change
Next Change →

AssemblyProof.ma

Timestamp:

Jun 16, 2011, 4:50:23 PM (10 years ago)

Author:

sacerdot

Message:

1) Major refactoring: proofs moved where they should be.
2) New build_map that never fails.

File:

: 1 edited

src/ASM/AssemblyProof.ma (modified) (29 diffs)

Legend:

: Unmodified
: Added
: Removed

src/ASM/AssemblyProof.ma

-                      r982
+                      r985
 include "ASM/Assembly.ma".
 include "ASM/Interpret.ma".
 definition bit_elim_prop: ∀P: bool → Prop. Prop ≝
 …
 qed.
-lemma eq_b_eq:
-  ∀b, c.
-    eq_b b c = true → b = c.
-  #b #c
-  cases b
-  cases c
-  normalize //
-qed.
-lemma BitVector_O: ∀v:BitVector 0. v ≃ VEmpty bool.
- #v generalize in match (refl … 0) cases v in ⊢ (??%? → ?%%??) //
- #n #hd #tl #abs @⊥ //
-qed.
-lemma BitVector_Sn: ∀n.∀v:BitVector (S n).
- ∃hd.∃tl.v ≃ VCons bool n hd tl.
- #n #v generalize in match (refl … (S n)) cases v in ⊢ (??%? → ??(λ_.??(λ_.?%%??)))
- [ #abs @⊥ //
- | #m #hd #tl #EQ <(injective_S … EQ) %[@hd] %[@tl] // ]
-qed.
-lemma eq_bv_eq:
-  ∀n, v, q.
-    eq_bv n v q = true → v = q.
-  #n #v #q generalize in match v
-  elim q
-  [ #v #h @BitVector_O
-  | #n #hd #tl #ih #v' #h
-    cases (BitVector_Sn ? v')
-    #hd' * #tl' #jmeq >jmeq in h;
-    #new_h
-    change in new_h with ((andb ? ?) = ?);
-    cases(conjunction_true … new_h)
-    #eq_heads #eq_tails
-    whd in eq_heads:(??(??(%))?);
-    cases(eq_b_eq … eq_heads)
-    whd in eq_tails:(??(?????(%))?);
-    change in eq_tails with (eq_bv ??? = ?);
-    <(ih tl') //
+  ]
-qed.
 lemma bool_eq_internal_eq:
   ∀b, c.
 …
     | normalize //
+    ]
+  ]
-qed.
-lemma eq_bv_refl:
-  ∀n,v. eq_bv n v v = true.
-  #n #v
-  elim v
-  [ //
-  | #n #hd #tl #ih
-    normalize
-    cases hd
-    [ normalize
-      @ ih
-    | normalize
-      @ ih
+    ]
+  ]
-qed.
-lemma eq_eq_bv:
-  ∀n, v, q.
-    v = q → eq_bv n v q = true.
-  #n #v
-  elim v
-  [ #q #h <h normalize %
-  | #n #hd #tl #ih #q #h >h //
+  ]
 qed.
 …
 qed.
 *)
-(*
-lemma test:
-  let i ≝ SJMP (RELATIVE (bitvector_of_nat 8 255)) in
-      (let assembled ≝ assembly1 i in
-      let code_memory ≝ load_code_memory assembled in
-      let fetched ≝ fetch code_memory ? in
-      let 〈instr_pc, ticks〉 ≝ fetched in
-        eq_instruction (\fst instr_pc)) i = true.
- [2: @ zero
- | normalize
- ]*)
-lemma BitVectorTrie_O:
- ∀A:Type[0].∀v:BitVectorTrie A 0.(∃w. v ≃ Leaf A w) ∨ v ≃ Stub A 0.
- #A #v generalize in match (refl … O) cases v in ⊢ (??%? → (?(??(λ_.?%%??)))(?%%??))
-  [ #w #_ %1 %[@w] %
-  | #n #l #r #abs @⊥ //
-  | #n #EQ %2 >EQ %]
-qed.
-lemma BitVectorTrie_Sn:
- ∀A:Type[0].∀n.∀v:BitVectorTrie A (S n).(∃l,r. v ≃ Node A n l r) ∨ v ≃ Stub A (S n).
- #A #n #v generalize in match (refl … (S n)) cases v in ⊢ (??%? → (?(??(λ_.??(λ_.?%%??))))%)
-  [ #m #abs @⊥ //
-  | #m #l #r #EQ %1 <(injective_S … EQ) %[@l] %[@r] //
-  | #m #EQ %2 // ]
-qed.
-lemma lookup_prepare_trie_for_insertion_hit:
- ∀A:Type[0].∀a,v:A.∀n.∀b:BitVector n.
-  lookup … b (prepare_trie_for_insertion … b v) a = v.
- #A #a #v #n #b elim b // #m #hd #tl #IH cases hd normalize //
-qed.
-lemma lookup_insert_hit:
- ∀A:Type[0].∀a,v:A.∀n.∀b:BitVector n.∀t:BitVectorTrie A n.
-  lookup … b (insert … b v t) a = v.
- #A #a #v #n #b elim b -b -n //
- #n #hd #tl #IH #t cases(BitVectorTrie_Sn … t)
-  [ * #l * #r #JMEQ >JMEQ cases hd normalize //
-  | #JMEQ >JMEQ cases hd normalize @lookup_prepare_trie_for_insertion_hit ]
-qed.
-coercion bool_to_Prop: ∀b:bool. Prop ≝ bool_to_Prop on _b:bool to Type[0].
-lemma lookup_prepare_trie_for_insertion_miss:
- ∀A:Type[0].∀a,v:A.∀n.∀c,b:BitVector n.
-  (notb (eq_bv ? b c)) → lookup … b (prepare_trie_for_insertion … c v) a = a.
- #A #a #v #n #c elim c
-  [ #b >(BitVector_O … b) normalize #abs @⊥ //
-  | #m #hd #tl #IH #b cases(BitVector_Sn … b) #hd' * #tl' #JMEQ >JMEQ
-    cases hd cases hd' normalize
-    [2,3: #_ cases tl' //
-    |*: change with (bool_to_Prop (notb (eq_bv ???)) → ?) /2/ ]]
-qed.
-lemma lookup_insert_miss:
- ∀A:Type[0].∀a,v:A.∀n.∀c,b:BitVector n.∀t:BitVectorTrie A n.
-  (notb (eq_bv ? b c)) → lookup … b (insert … c v t) a = lookup … b t a.
- #A #a #v #n #c elim c -c -n
-  [ #b #t #DIFF @⊥ whd in DIFF; >(BitVector_O … b) in DIFF //
-  | #n #hd #tl #IH #b cases(BitVector_Sn … b) #hd' * #tl' #JMEQ >JMEQ
-    #t cases(BitVectorTrie_Sn … t)
-    [ * #l * #r #JMEQ >JMEQ cases hd cases hd' #H normalize in H;
-     [1,4: change in H with (bool_to_Prop (notb (eq_bv ???))) ] normalize // @IH //
-    | #JMEQ >JMEQ cases hd cases hd' #H normalize in H;
-     [1,4: change in H with (bool_to_Prop (notb (eq_bv ???))) ] normalize
-     [3,4: cases tl' // | *: @lookup_prepare_trie_for_insertion_miss //]]]
-qed.
 definition load_code_memory_aux ≝
 …
   (∀vl,vm. v = vl@@vm → P 〈vl,vm〉) → P (split A l m v).
 axiom half_add_SO:
+example half_add_SO:
  ∀pc.
  \snd (half_add 16 (bitvector_of_nat … pc) (bitvector_of_nat … 1)) = bitvector_of_nat … (S pc).
+ cases daemon.
+qed.
 (*
 …
 qed.
 *)
 (*
 …
 qed.
-axiom eq_bv_to_eq: ∀n.∀v1,v2: BitVector n. eq_bv … v1 v2 = true → v1=v2.
 axiom eq_instruction_to_eq: ∀i1,i2. eq_instruction i1 i2 = true → i1 = i2.
 …
     cases (fetch code_memory (bitvector_of_nat … pc)) #newi_pc #ticks whd in ⊢ (% → %)
     cases newi_pc #newi #newpc whd in ⊢ (% → %) #K cases (conjunction_true … K) -K; #K1
+    cases (conjunction_true … K1) -K1; #K1 #K2 #K3 % try % //
+    [ @eqb_true_to_eq <(eq_instruction_to_eq … K1) // | >(eq_bv_to_eq … K3) @IH @H2 ]
+qed.
+(* This establishes the correspondence between pseudo program counters and
+   program counters. It is at the heart of the proof. *)
+(*CSC: code taken from build_maps *)
+definition sigma00: pseudo_assembly_program → list ? → option (nat × (nat × (BitVectorTrie Word 16))) ≝
+ λinstr_list.λl:list labelled_instruction.
+  foldl ??
+   (λt,i.
+       match t with
+       [ None ⇒ None ?
+       | Some ppc_pc_map ⇒
+         let 〈ppc,pc_map〉 ≝ ppc_pc_map in
+         let 〈program_counter, sigma_map〉 ≝ pc_map in
+         let 〈label, i〉 ≝ i in
+          match construct_costs instr_list ppc program_counter (λx. zero ?) (λx. zero ?) (Stub …) i with
+           [ None ⇒ None ?
+           | Some pc_ignore ⇒
+              let 〈pc,ignore〉 ≝ pc_ignore in
+              Some … 〈S ppc,〈pc, insert ? ? (bitvector_of_nat ? ppc) (bitvector_of_nat ? pc) sigma_map〉〉 ]
+       ]) (Some ? 〈0, 〈0, (Stub ? ?)〉〉) l.
+definition sigma0: pseudo_assembly_program → option (nat × (nat × (BitVectorTrie Word 16)))
+ ≝ λprog.sigma00 prog (\snd prog).
+definition tech_pc_sigma00: pseudo_assembly_program → list labelled_instruction → option (nat × nat) ≝
+ λprogram,instr_list.
+  match sigma00 program instr_list with
+   [ None ⇒ None …
+   | Some result ⇒
+      let 〈ppc,pc_sigma_map〉 ≝ result in
+      let 〈pc,map〉 ≝ pc_sigma_map in
+       Some … 〈ppc,pc〉 ].
+definition sigma_safe: pseudo_assembly_program → option (Word → Word) ≝
+ λinstr_list.
+  match sigma0 instr_list with
+  [ None ⇒ None ?
+  | Some result ⇒
+    let 〈ppc,pc_sigma_map〉 ≝ result in
+    let 〈pc, sigma_map〉 ≝ pc_sigma_map in
+      if gtb pc (2^16) then
+        None ?
+      else
+        Some ? (λx.lookup ?? x sigma_map (zero …)) ].
+(* stuff about policy *)
+lemma policy_ok: ∀p. sigma_safe p ≠ None ….
+ #instr_list whd in match (sigma_safe ?) whd in match (sigma0 ?)
+definition sigma: pseudo_assembly_program → Word → Word ≝
+ λp.
+  match sigma_safe p return λr:option (Word → Word). r ≠ None … → Word → Word with
+   [ None ⇒ λabs. ⊥
+   | Some r ⇒ λ_.r] (policy_ok p).
+ cases abs //
+qed.
+lemma length_append:
+ ∀A.∀l1,l2:list A.
+  |l1 @ l2| = |l1| + |l2|.
+ #A #l1 elim l1
+  [ //
+  | #hd #tl #IH #l2 normalize <IH //]
+qed.
+let rec does_not_occur (id:Identifier) (l:list labelled_instruction) on l: bool ≝
+ match l with
+  [ nil ⇒ true
+  | cons hd tl ⇒ notb (instruction_matches_identifier id hd) ∧ does_not_occur id tl].
+lemma does_not_occur_None:
+ ∀id,i,list_instr.
+  does_not_occur id (list_instr@[〈None …,i〉]) =
+  does_not_occur id list_instr.
+ #id #i #list_instr elim list_instr
+  [ % | #hd #tl #IH whd in ⊢ (??%%) >IH %]
+qed.
+lemma does_not_occur_Some:
+ ∀id,id',i,list_instr.
+  eq_bv ? id' id = false →
+   does_not_occur id (list_instr@[〈Some ? id',i〉]) =
+    does_not_occur id list_instr.
+ #id #id' #i #list_instr elim list_instr
+  [ #H normalize in H ⊢ %; >H %
+  | * #x #i' #tl #IH #H whd in ⊢ (??%%) >(IH H) %]
+qed.
+lemma does_not_occur_absurd:
+ ∀id,i,list_instr.
+  does_not_occur id (list_instr@[〈Some ? id,i〉]) = false.
+ #id #i #list_instr elim list_instr
+  [ normalize change with (if (if eq_bv ??? then ? else ?) then ? else ? = ?)
+    >eq_bv_refl %
+  | * #x #i' #tl #IH whd in ⊢ (??%%) >IH cases (notb ?) %]
+qed.
+let rec occurs_exactly_once (id:Identifier) (l:list labelled_instruction) on l : bool ≝
+ match l with
+  [ nil ⇒ false
+  | cons hd tl ⇒
+     if instruction_matches_identifier id hd then
+      does_not_occur id tl
+     else
+      occurs_exactly_once id tl ].
+lemma occurs_exactly_once_None:
+ ∀id,i,list_instr.
+  occurs_exactly_once id (list_instr@[〈None …,i〉]) =
+  occurs_exactly_once id list_instr.
+ #id #i #list_instr elim list_instr
+  [ % | #hd #tl #IH whd in ⊢ (??%%) >IH >does_not_occur_None %]
+qed.
+lemma occurs_exactly_once_Some:
+ ∀id,id',i,prefix.
+  occurs_exactly_once id (prefix@[〈Some ? id',i〉]) → eq_bv ? id' id ∨ occurs_exactly_once id prefix.
+ #id #id' #i #prefix elim prefix
+  [ whd in ⊢ (?% → ?) whd in ⊢ (?(match % with [_ ⇒ ? | _ ⇒ ?]) → ?)
+    change with (? → eq_v ?? eq_b id' id ∨ ?) cases (eq_v ?????) normalize nodelta; /2/
+  | *; #he #i' #tl #IH whd in ⊢ (?% → ?) whd in ⊢ (?(match % with [_ ⇒ ? | _ ⇒ ?]) → ?)
+    cases he; normalize nodelta
+     [ #H @ (IH H)
+     | #x whd in ⊢ (? → ?(??%)) whd in match (instruction_matches_identifier ??)
+       change in match (eq_v ???x id) with (eq_bv ? x id) cases (eq_bv ???) normalize nodelta;
+       [generalize in match (refl … (eq_bv 16 id' id)) cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta;
+        /2/ #H >does_not_occur_Some //
+       | #H @IH @H]]]
+qed.
+lemma index_of_internal_None: ∀i,id,instr_list,n.
+ occurs_exactly_once id (instr_list@[〈None …,i〉]) →
+  index_of_internal ? (instruction_matches_identifier id) instr_list n =
+   index_of_internal ? (instruction_matches_identifier id) (instr_list@[〈None …,i〉]) n.
+ #i #id #instr_list elim instr_list
+  [ #n #abs whd in abs; cases abs
+  | #hd #tl #IH #n whd in ⊢ (% → ??%%); whd in ⊢ (match % with [_ ⇒ ? | _ ⇒ ?] → ?)
+    cases (instruction_matches_identifier id hd) whd in ⊢ (match % with [_ ⇒ ? | _ ⇒ ?] → ??%%)
+    [ #H %
+    | #H @IH whd in H; cases (occurs_exactly_once ??) in H ⊢ %
+      [ #_ % | #abs cases abs ]]]
+qed.
+lemma index_of_internal_Some_miss: ∀i,id,id'.
+ eq_bv ? id' id = false →
+ ∀instr_list,n.
+ occurs_exactly_once id (instr_list@[〈Some ? id',i〉]) →
+  index_of_internal ? (instruction_matches_identifier id) instr_list n =
+   index_of_internal ? (instruction_matches_identifier id) (instr_list@[〈Some ? id',i〉]) n.
+ #i #id #id' #EQ #instr_list #n #H generalize in match (occurs_exactly_once_Some … H) in ⊢ ?; >EQ
+ change with (occurs_exactly_once ?? → ?) generalize in match n; -n H; elim instr_list
+  [ #n #abs cases abs
+  | #hd #tl #IH #n whd in ⊢ (?% → ??%%) cases (instruction_matches_identifier id hd) normalize nodelta;
+    [ // | #K @IH //]]
+qed.
+lemma index_of_internal_Some_hit: ∀i,id.
+ ∀instr_list,n.
+  occurs_exactly_once id (instr_list@[〈Some ? id,i〉]) →
+   index_of_internal ? (instruction_matches_identifier id) (instr_list@[〈Some ? id,i〉]) n
+  = |instr_list| + n.
+ #i #id #instr_list elim instr_list
+  [ #n #_ whd in ⊢ (??%%) change with (if eq_bv … id id then ? else ? = ?) >eq_bv_refl %
+  | #hd #tl #IH #n whd in ⊢ (?% → ??%%) cases (instruction_matches_identifier id hd) normalize nodelta;
+    [ >does_not_occur_absurd #abs cases abs | #H applyS (IH (S n)) //]]
+qed.
+lemma address_of_word_labels_code_mem_None: ∀i,id,instr_list.
+ occurs_exactly_once id (instr_list@[〈None …,i〉]) →
+  address_of_word_labels_code_mem instr_list id =
+  address_of_word_labels_code_mem (instr_list@[〈None …,i〉]) id.
+ #i #id #instr_list #H whd in ⊢ (??%%) whd in ⊢ (??(??%?)(??%?))
+ >(index_of_internal_None … H) %
+qed.
+lemma address_of_word_labels_code_mem_Some_miss: ∀i,id,id',instr_list.
+ eq_bv ? id' id = false →
+  occurs_exactly_once id (instr_list@[〈Some ? id',i〉]) →
+   address_of_word_labels_code_mem instr_list id =
+   address_of_word_labels_code_mem (instr_list@[〈Some … id',i〉]) id.
+ #i #id #id' #instr_list #EQ #H whd in ⊢ (??%%) whd in ⊢ (??(??%?)(??%?))
+ >(index_of_internal_Some_miss … H) //
+qed.
+lemma address_of_word_labels_code_mem_Some_hit: ∀i,id,instr_list.
+  occurs_exactly_once id (instr_list@[〈Some ? id,i〉]) →
+   address_of_word_labels_code_mem (instr_list@[〈Some … id,i〉]) id
+   = bitvector_of_nat … (|instr_list|).
+ #i #id #instr_list #H whd in ⊢ (??%%) whd in ⊢ (??(??%?)?)
+ >(index_of_internal_Some_hit … H) //
+qed.
+axiom tech_pc_sigma00_append_Some:
+ ∀program,prefix,costs,label,i,pc',code,ppc,pc.
+  tech_pc_sigma00 program prefix = Some … 〈ppc,pc〉 →
+   construct_costs program … ppc pc (λx.zero 16) (λx. zero 16) costs i = Some … 〈pc',code〉 →
+    tech_pc_sigma00 program (prefix@[〈label,i〉]) = Some … 〈S ppc,pc'〉.
+axiom tech_pc_sigma00_append_None:
+ ∀program,prefix,i,ppc,pc,costs.
+  tech_pc_sigma00 program prefix = Some … 〈ppc,pc〉 →
+   construct_costs program … ppc pc (λx.zero 16) (λx. zero 16) costs i = None …
+    → False.
+lemma eq_false_to_notb: ∀b. b = false → ¬ b.
+ *; //
+qed.
+lemma eq_bv_sym: ∀n,v1,v2. eq_bv n v1 v2 = eq_bv n v2 v1.
+ #n #v1 #v2 @(eq_bv_elim … v1 v2) [// | #H >eq_bv_false /2/]
+qed.
+example sigma_0: ∀p. sigma p (bitvector_of_nat ? 0) = bitvector_of_nat ? 0.
+ cases daemon.
+qed.
+axiom construct_costs_sigma:
+ ∀p,ppc,pc,pc',costs,costs',i.
+  bitvector_of_nat ? pc = sigma p (bitvector_of_nat ? ppc) →
+   Some … 〈pc',costs'〉 = construct_costs p ppc pc (λx.zero 16) (λx.zero 16) costs i →
+    bitvector_of_nat ? pc' = sigma p (bitvector_of_nat 16 (S ppc)).
+definition build_maps' ≝
+  λpseudo_program.
+  let result ≝
+   foldl_strong
+    (option Identifier × pseudo_instruction)
+    (λpre. Σres:((BitVectorTrie Word 16) × (nat × (nat × (BitVectorTrie Word 16)))).
+      let 〈labels,ppc_pc_costs〉 ≝ res in
+      let 〈ppc',pc_costs〉 ≝ ppc_pc_costs in
+      let 〈pc',costs〉 ≝ pc_costs in
+       bitvector_of_nat ? pc' = sigma pseudo_program (bitvector_of_nat ? ppc') ∧
+       ppc' = length … pre ∧
+       tech_pc_sigma00 pseudo_program pre = Some ? 〈ppc',pc'〉 ∧
+       ∀id. occurs_exactly_once id pre →
+        lookup ?? id labels (zero …) = sigma pseudo_program (address_of_word_labels_code_mem pre id))
+    (\snd pseudo_program)
+    (λprefix,i,tl,prf,t.
+      let 〈labels, ppc_pc_costs〉 ≝ t in
+      let 〈ppc, pc_costs〉 ≝ ppc_pc_costs in
+      let 〈pc,costs〉 ≝ pc_costs in
+       let 〈label, i'〉 ≝ i in
+       let labels ≝
+         match label with
+         [ None ⇒ labels
+         | Some label ⇒
+           let program_counter_bv ≝ bitvector_of_nat ? pc in
+             insert ? ? label program_counter_bv labels
+         ]
+       in
+         match construct_costs pseudo_program ppc pc (λx. zero ?) (λx. zero ?) costs i' with
+         [ None ⇒
+            let dummy ≝ 〈labels,ppc_pc_costs〉 in
+             dummy
+         | Some construct ⇒ 〈labels, 〈S ppc,construct〉〉
+         ]
+    ) 〈(Stub ? ?), 〈0, 〈0, Stub ? ?〉〉〉
+  in
+   let 〈labels, ppc_pc_costs〉 ≝ result in
+   let 〈ppc,pc_costs〉 ≝ ppc_pc_costs in
+   let 〈pc, costs〉 ≝ pc_costs in
+    〈labels, costs〉.
+ [3: whd % [% [%]] // [>sigma_0//] #id normalize in ⊢ (% → ?) #abs @⊥ //
+ | whd generalize in match (sig2 … t) >p >p1 >p2 >p3 * * * #IHn1 #IH0 #IH1 #IH2
+   cases construct in p4 #PC #CODE #JMEQ % [% [%]]
+   [ @(construct_costs_sigma … IHn1) [4: <JMEQ % |*: skip]
+   | >length_append <IH0 normalize; -IHn1; (*CSC: otherwise it diverges!*) //
+   | @(tech_pc_sigma00_append_Some … IH1 (jmeq_to_eq … JMEQ))
+   | #id normalize nodelta; -labels1; cases label; normalize nodelta
+     [ #K <address_of_word_labels_code_mem_None [2:@K] @IH2 -IHn1; (*CSC: otherwise it diverges!*) //
+     | #l #H generalize in match (occurs_exactly_once_Some ???? H) in ⊢ ?;
+       generalize in match (refl … (eq_bv ? l id)); cases (eq_bv … l id) in ⊢ (???% → %)
+        [ #EQ #_ <(eq_bv_to_eq … EQ) >lookup_insert_hit >address_of_word_labels_code_mem_Some_hit
+          <IH0 [@IHn1 | <(eq_bv_to_eq … EQ) in H #H @H]
+        | #EQ change with (occurs_exactly_once ?? → ?) #K >lookup_insert_miss [2: -IHn1; /2/]
+          <(address_of_word_labels_code_mem_Some_miss … EQ … H) @IH2 -IHn1; //]]]
+ | (* dummy case *) @⊥ generalize in match (sig2 … t) >p >p1 >p2 >p3 * *; #IH0 #IH1 #IH2
+   @(tech_pc_sigma00_append_None … IH1 (jmeq_to_eq ??? p4)) ]
+qed.
+lemma build_maps_ok:
+ ∀p:pseudo_assembly_program.
+  let 〈labels,costs〉 ≝ build_maps' p in
+   ∀pc.
+    (nat_of_bitvector … pc) < length … (\snd p) →
+     lookup ?? pc labels (zero …) = sigma p (\snd (fetch_pseudo_instruction (\snd p) pc)).
+ #p cases p #preamble #instr_list
+  elim instr_list
+   [ whd #pc #abs normalize in abs; cases (not_le_Sn_O ?) [#H cases (H abs) ]
+   | #hd #tl #IH
+    whd in ⊢ (match % with [ _ ⇒ ?])
+   ]
+qed.
+*)
+    cases (conjunction_true … K1) -K1; #K1 #K2 #K3 % try %
+    [ @K1 | @eqb_true_to_eq <(eq_instruction_to_eq … K1) @K2 | >(eq_bv_eq … K3) @IH @H2 ]
+qed.
 (*
 …
 lemma app_assoc: ∀A,l1,l2,l3. app A (app A l1 l2) l3 = app A l1 (l2@l3).
  #A * #l1 normalize //
-qed.
-let rec foldli (A: Type[0]) (B: Propify (list A) → Type[0])
- (f: ∀prefix. B prefix → ∀x.B (app … prefix [x]))
- (prefix: Propify (list A)) (b: B prefix) (l: list A) on l :
- B (app … prefix l) ≝
-  match l with
-  [ nil ⇒ ? (* b *)
-  | cons hd tl ⇒ ? (*foldli A B f (prefix@[hd]) (f prefix b hd) tl*)
-  ].
- [ applyS b
- | <(app_assoc ?? [hd]) @(foldli A B f (app … prefix [hd]) (f prefix b hd) tl) ]
-qed.
-(*
-let rec foldli (A: Type[0]) (B: list A → Type[0]) (f: ∀prefix. B prefix → ∀x. B (prefix@[x]))
- (prefix: list A) (b: B prefix) (l: list A) on l : B (prefix@l) ≝
-  match l with
-  [ nil ⇒ ? (* b *)
-  | cons hd tl ⇒
-     ? (*foldli A B f (prefix@[hd]) (f prefix b hd) tl*)
-  ].
- [ applyS b
- | applyS (foldli A B f (prefix@[hd]) (f prefix b hd) tl) ]
 qed.
 *)
-definition foldll:
- ∀A:Type[0].∀B: Propify (list A) → Type[0].
-  (∀prefix. B prefix → ∀x. B (app … prefix [x])) →
-   B (mk_Propify … []) → ∀l: list A. B (mk_Propify … l)
- ≝ λA,B,f. foldli A B f (mk_Propify … [ ]).
-axiom is_pprefix: ∀A:Type[0]. Propify (list A) → list A → Prop.
-axiom pprefix_of_append:
- ∀A:Type[0].∀l,l1,l2.
-  is_pprefix A l l1 → is_pprefix A l (l1@l2).
-axiom pprefix_reflexive: ∀A,l. is_pprefix A (mk_Propify … l) l.
-axiom nil_pprefix: ∀A,l. is_pprefix A (mk_Propify … [ ]) l.
-axiom foldll':
- ∀A:Type[0].∀l: list A.
-  ∀B: ∀prefix:Propify (list A). is_pprefix ? prefix l → Type[0].
-  (∀prefix,proof. B prefix proof → ∀x,proof'. B (app … prefix [x]) proof') →
-   B (mk_Propify … [ ]) (nil_pprefix …) → B (mk_Propify … l) (pprefix_reflexive … l).
- #A #l #B
- generalize in match (foldll A (λprefix. is_pprefix ? prefix l)) #HH
-  #H #acc
- @foldll
+  [
+  |
+  ]
- ≝ λA,B,f. foldli A B f (mk_Propify … [ ]).
-(*
-record subset (A:Type[0]) (P: A → Prop): Type[0] ≝
- { subset_wit:> A;
-   subset_proof: P subset_wit
- }.
-*)
-definition build_maps' ≝
-  λpseudo_program.
-  let 〈preamble,instr_list〉 ≝ pseudo_program in
-  let result ≝
-   foldll
-    (option Identifier × pseudo_instruction)
-    (λprefix.
-      Σt:((BitVectorTrie Word 16) × (nat × (BitVectorTrie Word 16))).
-       match prefix return λ_.Prop with [mk_Propify prefix ⇒ tech_pc_sigma0 〈preamble,prefix〉 ≠ None ?])
-    (λprefix,t,i.
-      let 〈labels, pc_costs〉 ≝ t in
-      let 〈program_counter, costs〉 ≝ pc_costs in
-       let 〈label, i'〉 ≝ i in
-       let labels ≝
-         match label with
-         [ None ⇒ labels
-         | Some label ⇒
-           let program_counter_bv ≝ bitvector_of_nat ? program_counter in
-             insert ? ? label program_counter_bv labels
+         ]
-       in
-         match construct_costs pseudo_program program_counter (λx. zero ?) (λx. zero ?) costs i' with
-         [ None ⇒
-            let dummy ≝ 〈labels,pc_costs〉 in
-              dummy
-         | Some construct ⇒ 〈labels, construct〉
+         ]
-    ) 〈(Stub ? ?), 〈0, (Stub ? ?)〉〉 instr_list
-  in
-   let 〈labels, pc_costs〉 ≝ result in
-   let 〈pc, costs〉 ≝ pc_costs in
-    〈labels, costs〉.
+ [
- | @⊥
- | normalize % //
+ ]
-qed.
-definition build_maps' ≝
-  λpseudo_program.
-  let 〈preamble,instr_list〉 ≝ pseudo_program in
-  let result ≝
-   foldl
-    (Σt:((BitVectorTrie Word 16) × (nat × (BitVectorTrie Word 16))).
-          ∃instr_list_prefix. is_prefix ? instr_list_prefix instr_list ∧
-           tech_pc_sigma0 〈preamble,instr_list_prefix〉 = Some ? (\fst (\snd t)))
-    (Σi:option Identifier × pseudo_instruction. ∀instr_list_prefix.
-          let instr_list_prefix' ≝ instr_list_prefix @ [i] in
-           is_prefix ? instr_list_prefix' instr_list →
-           tech_pc_sigma0 〈preamble,instr_list_prefix'〉 ≠ None ?)
-    (λt: Σt:((BitVectorTrie Word 16) × (nat × (BitVectorTrie Word 16))).
-          ∃instr_list_prefix. is_prefix ? instr_list_prefix instr_list ∧
-           tech_pc_sigma0 〈preamble,instr_list_prefix〉 = Some ? (\fst (\snd t)).
-     λi: Σi:option Identifier × pseudo_instruction. ∀instr_list_prefix.
-          let instr_list_prefix' ≝ instr_list_prefix @ [i] in
-           is_prefix ? instr_list_prefix' instr_list →
-           tech_pc_sigma0 〈preamble,instr_list_prefix'〉 ≠ None ? .
-      let 〈labels, pc_costs〉 ≝ t in
-      let 〈program_counter, costs〉 ≝ pc_costs in
-       let 〈label, i'〉 ≝ i in
-       let labels ≝
-         match label with
-         [ None ⇒ labels
-         | Some label ⇒
-           let program_counter_bv ≝ bitvector_of_nat ? program_counter in
-             insert ? ? label program_counter_bv labels
+         ]
-       in
-         match construct_costs pseudo_program program_counter (λx. zero ?) (λx. zero ?) costs i' with
-         [ None ⇒
-            let dummy ≝ 〈labels,pc_costs〉 in
-              dummy
-         | Some construct ⇒ 〈labels, construct〉
+         ]
-    ) 〈(Stub ? ?), 〈0, (Stub ? ?)〉〉 ?(*instr_list*)
-  in
-   let 〈labels, pc_costs〉 ≝ result in
-   let 〈pc, costs〉 ≝ pc_costs in
-    〈labels, costs〉.
- [4: @(list_elim_rev ?
-       (λinstr_list. list (
-        (Σi:option Identifier × pseudo_instruction. ∀instr_list_prefix.
-          let instr_list_prefix' ≝ instr_list_prefix @ [i] in
-           is_prefix ? instr_list_prefix' instr_list →
-           tech_pc_sigma0 〈preamble,instr_list_prefix'〉 ≠ None ?)))
-       ?? instr_list) (* CSC: BAD ORDER FOR CODE EXTRACTION *)
-      [ @[ ]
-      | #l' #a #limage %2
-        [ %[@a] #PREFIX #PREFIX_OK
-        | (* CSC: EVEN WORST CODE FOR EXTRACTION: WE SHOULD STRENGTHEN
-             THE INDUCTION HYPOTHESIS INSTEAD *)
-          elim limage
-           [ %1
-           | #HD #TL #IH @(?::IH) cases HD #ELEM #K1 %[@ELEM] #K2 #K3
-             @K1 @(prefix_of_append ???? K3)
+           ]
+        ]
-  cases t in c2 ⊢ % #t' * #LIST_PREFIX * #H1t' #H2t' #HJMt'
-     % [@ (LIST_PREFIX @ [i])] %
-      [ cases (sig2 … i LIST_PREFIX) #K1 #K2 @K1
-      | (* DOABLE IN PRINCIPLE *)
+      ]
- | (* assert false case *)
- |3: % [@ ([ ])] % [2: % | (* DOABLE *)]
+ |
-*)
 axiom assembly_ok:
  ∀program,assembled,costs,labels.
   Some … 〈labels,costs〉 = build_maps program →
+ ∀program,assembled.
+  let 〈labels,costs〉 ≝ build_maps program in
   Some … 〈assembled,costs〉 = assembly program →
   let code_memory ≝ load_code_memory assembled in
 …
       Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi.
+axiom pair_elim':
+  ∀A,B,C: Type[0].
+  ∀T: A → B → C.
+  ∀p.
+  ∀P: A×B → C → Prop.
+    (∀lft, rgt. p = 〈lft,rgt〉 → P 〈lft,rgt〉 (T lft rgt)) →
+      P p (let 〈lft, rgt〉 ≝ p in T lft rgt).
+axiom pair_elim'':
+  ∀A,B,C,C': Type[0].
+  ∀T: A → B → C.
+  ∀T': A → B → C'.
+  ∀p.
+  ∀P: A×B → C → C' → Prop.
+    (∀lft, rgt. p = 〈lft,rgt〉 → P 〈lft,rgt〉 (T lft rgt) (T' lft rgt)) →
+      P p (let 〈lft, rgt〉 ≝ p in T lft rgt) (let 〈lft, rgt〉 ≝ p in T' lft rgt).
+axiom split_elim':
+  ∀A: Type[0].
+  ∀B: Type[1].
+  ∀l, m, v.
+  ∀T: Vector A l → Vector A m → B.
+  ∀P: B → Prop.
+    (∀lft, rgt. v = lft @@ rgt → P (T lft rgt)) →
+      P (let 〈lft, rgt〉 ≝ split A l m v in T lft rgt).
+axiom split_elim'':
+  ∀A: Type[0].
+  ∀B,B': Type[1].
+  ∀l, m, v.
+  ∀T: Vector A l → Vector A m → B.
+  ∀T': Vector A l → Vector A m → B'.
+  ∀P: B → B' → Prop.
+    (∀lft, rgt. v = lft @@ rgt → P (T lft rgt) (T' lft rgt)) →
+      P (let 〈lft, rgt〉 ≝ split A l m v in T lft rgt)
+        (let 〈lft, rgt〉 ≝ split A l m v in T' lft rgt).
 lemma fetch_assembly_pseudo2:
  ∀program,assembled,costs,labels.
   Some … 〈labels,costs〉 = build_maps program →
+ ∀program,assembled.
+  let 〈labels,costs〉 ≝ build_maps program in
   Some … 〈assembled,costs〉 = assembly program →
    ∀ppc.
 …
       Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi ∧
        fetch_many code_memory (sigma program newppc) (sigma program ppc) instructions.
  #program #assembled #costs #labels #BUILD_MAPS #ASSEMBLY #ppc
+ #program #assembled @pair_elim' #labels #costs #BUILD_MAPS #ASSEMBLY #ppc
  generalize in match (assembly_ok_to_expand_pseudo_instruction_ok program assembled costs ASSEMBLY ppc)
  letin code_memory ≝ (load_code_memory assembled)
 …
  letin lookup_labels ≝ (λx. sigma program (address_of_word_labels_code_mem (\snd program) x))
  letin lookup_datalabels ≝ (λx. lookup ? ? x data_labels (zero ?))
+ whd in ⊢ (% → %)
+ generalize in match (assembly_ok … BUILD_MAPS ASSEMBLY ppc)
+ whd in ⊢ (% → %) generalize in match (assembly_ok program assembled) >BUILD_MAPS #XX generalize in match (XX ASSEMBLY ppc) -XX;
  cases (fetch_pseudo_instruction (\snd program) ppc) #pi #newppc
  generalize in match (fetch_assembly_pseudo program ppc
 …
 qed.
-axiom pair_elim':
-  ∀A,B,C: Type[0].
-  ∀T: A → B → C.
-  ∀p.
-  ∀P: A×B → C → Prop.
-    (∀lft, rgt. p = 〈lft,rgt〉 → P 〈lft,rgt〉 (T lft rgt)) →
-      P p (let 〈lft, rgt〉 ≝ p in T lft rgt).
-axiom pair_elim'':
-  ∀A,B,C,C': Type[0].
-  ∀T: A → B → C.
-  ∀T': A → B → C'.
-  ∀p.
-  ∀P: A×B → C → C' → Prop.
-    (∀lft, rgt. p = 〈lft,rgt〉 → P 〈lft,rgt〉 (T lft rgt) (T' lft rgt)) →
-      P p (let 〈lft, rgt〉 ≝ p in T lft rgt) (let 〈lft, rgt〉 ≝ p in T' lft rgt).
-axiom split_elim':
-  ∀A: Type[0].
-  ∀B: Type[1].
-  ∀l, m, v.
-  ∀T: Vector A l → Vector A m → B.
-  ∀P: B → Prop.
-    (∀lft, rgt. v = lft @@ rgt → P (T lft rgt)) →
-      P (let 〈lft, rgt〉 ≝ split A l m v in T lft rgt).
-axiom split_elim'':
-  ∀A: Type[0].
-  ∀B,B': Type[1].
-  ∀l, m, v.
-  ∀T: Vector A l → Vector A m → B.
-  ∀T': Vector A l → Vector A m → B'.
-  ∀P: B → B' → Prop.
-    (∀lft, rgt. v = lft @@ rgt → P (T lft rgt) (T' lft rgt)) →
-      P (let 〈lft, rgt〉 ≝ split A l m v in T lft rgt)
-        (let 〈lft, rgt〉 ≝ split A l m v in T' lft rgt).
 axiom split_append:
   ∀A: Type[0].
 …
     ((get_index_v A ? v 0 prf) ::: rest) = v.
 axiom sub_minus_one_seven_eight:
+example sub_minus_one_seven_eight:
   ∀v: BitVector 7.
   false ::: (\fst (sub_7_with_carry v (bitvector_of_nat ? 1) false)) =
   \fst (sub_8_with_carry (false ::: v) (bitvector_of_nat ? 1) false).
+ cases daemon.
+qed.
 lemma pair_destruct_1:
 …
  generalize in match (assembly (code_memory … ps)) in ⊢ (??%? → %) #ASS whd in ⊢ (???% → ?)
  cases (build_maps (code_memory … ps))
+  [ cases (code_memory … ps) #preamble #instr_list whd in ⊢ (???% → ?) #EQ >EQ #H #MAP
+    #abs @⊥ normalize in abs; destruct (abs) ]
+ * #labels #costs change in ⊢ (? → ? → ??%? → ?) with (next_internal_pseudo_address_map0 ? ? ? ?)
+ #labels #costs change in ⊢ (? → ? → ??%? → ?) with (next_internal_pseudo_address_map0 ? ? ? ?)
  generalize in match (refl … (code_memory … ps)) cases (code_memory … ps) in ⊢ (???% → %) #preamble #instr_list #EQ0 normalize nodelta;
  generalize in ⊢ (???(match % with [_ ⇒ ? | _ ⇒ ?]) → ?) *; normalize nodelta;
   [ #EQ >EQ #_ #_ #abs @⊥ normalize in abs; destruct (abs) ]
  * #final_ppc * #final_pc #assembled #EQ >EQ -EQ ASS; normalize nodelta;
  #H generalize in match (H ??? (refl …) (refl …)) -H; #H;
+ #H generalize in match (H ? (refl …)) -H; #H;
  #MAP
  #H1 generalize in match (option_destruct_Some ??? H1) -H1; #H1 <H1 -H1;
 …
     generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP <MAP -MAP M';
     normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
     #H2 >(eq_bv_to_eq … H2) >EQ %
+    #H2 >(eq_bv_eq … H2) >EQ %
 (*  |6: (* Mov *) #arg1 #arg2
        #H1 #H2 #EQ %[@1]
 …
        [1,2,3,4,5,6,7,8: cases (add_8_with_carry ???) |*: cases (sub_8_with_carry ???)]
        #result #flags
        #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) % *)
+       #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) % *)
   |5: (* Call *) #label #MAP
       generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP <MAP -MAP;
 …
            whd in ⊢ (???% → ??%?);
            generalize in match (refl … (half_add 8 (get_8051_sfr ? ps SFR_SP) (bitvector_of_nat ? 1))) cases (half_add ???) in ⊢ (??%? → %) #carry #new_sp #EQ1 normalize nodelta;
            >(eq_bv_to_eq … H2c)
+           >(eq_bv_eq … H2c)
            change with
             ((?=let 〈ppc_bu,ppc_bl〉 ≝ split bool 8 8 newppc in ?) →
 …
            >get_8051_sfr_set_8051_sfr >get_8051_sfr_set_8051_sfr
            generalize in match (refl … (half_add ? new_sp (bitvector_of_nat ? 1))) cases (half_add ???) in ⊢ (??%? → %) #carry' #new_sp' #EQ2 normalize nodelta;
            #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
+           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c)
            @split_eq_status;
             [ >code_memory_write_at_stack_pointer whd in ⊢ (??%?)
 …
               >clock_write_at_stack_pointer whd in ⊢ (???%)
               >clock_write_at_stack_pointer %]
        | (* medium *)  #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
+       (*| (* medium *)  #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
          @pair_elim' #fst_5_addr #rest_addr #EQ1
          @pair_elim' #fst_5_pc #rest_pc #EQ2
 …
          @pair_elim' * #instr #newppc' #ticks #EQn
           * * #H2a #H2b whd in ⊢ (% → ?) #H2c >H2b >(eq_instruction_to_eq … H2a) whd in ⊢ (??%?)
           generalize in match EQ; -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
+          generalize in match EQ; -EQ; normalize nodelta; >(eq_bv_eq … H2c)
           @pair_elim' #carry #new_sp change with (half_add ? (get_8051_sfr ? ps ?) ? = ? → ?) #EQ4
           @split_elim' #pc_bu #pc_bl >program_counter_set_8051_sfr XXX change with (newppc = ?) #EQ5
 …
           >get_8051_sfr_set_8051_sfr
           whd in EQ:(???%) ⊢ ? >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) whd in ⊢ (??%?)
+          whd in EQ:(???%) ⊢ ? >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) whd in ⊢ (??%?)
            change with ((let 〈pc_bu,pc_bl〉 ≝ split bool 8 8 (sigma 〈preamble,instr_list〉 newppc) in ?)=?)
            generalize in match (refl … (split bool 8 8 (sigma 〈preamble,instr_list〉 newppc)))
 …
               (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
             | whd in ⊢ (??%%) whd in ⊢ (??(?%?)?) whd in ⊢ (??(?(match ?(?%)? with [_ ⇒ ?])?)?)
               @(bitvector_3_elim_prop … (\fst (split bool 3 8 rest_addr))) %]] *)
+              @(bitvector_3_elim_prop … (\fst (split bool 3 8 rest_addr))) %]] *)]
   |4: (* Jmp *) #label #MAP
       generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP >MAP -MAP;
 …
            >H2b >(eq_instruction_to_eq … H2a)
            generalize in match EQ; -EQ;
            #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
+           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c)
            cases ps in EQ0 ⊢ %; #A1 #A2 #A3 #A4 #A5 #A6 #A7 #A8 #A9 #A10 #XXXX >XXXX %
        |1: (* short *) #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
 …
            generalize in match EQ; -EQ;
            whd in ⊢ (???% → ?);
            #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
+           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c)
            change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma ??) ? in ?) = ?)
            generalize in match (refl … (half_add 16 (sigma 〈preamble,instr_list〉 newppc) (sign_extension lower)))
 …
            generalize in match EQ; -EQ;
            whd in ⊢ (???% → ?);
            #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) whd in ⊢ (??%?)
+           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) whd in ⊢ (??%?)
            change with ((let 〈pc_bu,pc_bl〉 ≝ split bool 8 8 (sigma 〈preamble,instr_list〉 newppc) in ?)=?)
            generalize in match (refl … (split bool 8 8 (sigma 〈preamble,instr_list〉 newppc)))
 …
              (set_low_internal_ram ? ps (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps)))
              false (DIRECT ARG2))
            ? in ?) = ?)
+           ? in ?) = ?) //
        [1,2: cut (addressing_mode_ok M ps (DIRECT ARG2) = true) [2:
         [1,2:whd in MAP:(??(match % with [ _ ⇒ ? | _ ⇒ ?])?)]
        [1,2,3,4,5,6,7,8: cases (add_8_with_carry ???) |*: cases (sub_8_with_carry ???)]
        #result #flags
        #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) %
     | (* INC *) #arg1 #H1 #H2 #EQ %[@1]
+       #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) %
+    (*| (* INC *) #arg1 #H1 #H2 #EQ %[@1]
        normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
        change in ⊢ (? → ??%?) with (execute_1_0 ??)
 …
        | cases (half_add ???) #carry #bl normalize nodelta;
          cases (full_add ????) #carry' #bu normalize nodelta ]
         #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) -newppc';
+        #EQ >EQ -EQ; normalize nodelta; >(eq_bv_eq … H2c) -newppc';
         [5: %
         |1: <(set_arg_8_set_code_memory 0 [[direct]] ? ? ? (set_clock pseudo_assembly_program
 …
             [ normalize nodelta (* HERE *) whd in ⊢ (??%%) %
+            |
+            ]
+            ] *)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 985 for src/ASM/AssemblyProof.ma

Legend:

src/ASM/AssemblyProof.ma

Download in other formats: