(* * Copyright (c) Facebook, Inc. and its affiliates. * * This source code is licensed under the MIT license found in the * LICENSE file in the root directory of this source tree. *) (* A mini-LLVM model, focussing on the semantics of the parts of the IR that * are relevant for the LLVM -> LLAIR translation, especially exceptions. *) open HolKernel boolLib bossLib Parse; open llistTheory pathTheory; open settingsTheory memory_modelTheory; new_theory "llvm"; numLib.prefer_num (); (* ----- Abstract syntax ----- *) (* Only support 1, 8, 32, and 64 bit words for now *) Datatype: size = W1 | W8 | W32 | W64 End Datatype: ty = | FunT ty (ty list) | IntT size | PtrT ty | ArrT num ty | StrT (ty list) End Datatype: label = Lab string End Datatype: reg = Reg string End Datatype: glob_var = Glob_var string End Datatype: fun_name = Fn string End Datatype: const = | IntC size int | StrC ((ty # const) list) | ArrC ((ty # const) list) | GepC ty const (ty # const) ((ty # const) list) | GlobalC glob_var | UndefC End Datatype: arg = Constant const | Variable reg End Type targ = ``:ty # arg`` Datatype: cond = Eq | Ult | Slt End Datatype: phi = Phi reg ty ((label option, arg) alist) End Datatype: cast_op = Trunc | Zext | Sext | Ptrtoint | Inttoptr End (* * The Exit instruction below models a system/libc call to exit the program. The * semantics needs some way to tell the difference between normally terminated * programs and stuck states, and this lets it do that. From a C++ perspective, * a program could call this directly, in which case it's good to model, or it * might simply return from main and then the code in libc that called main will * call exit. However, adding special handling for main in the semantics will * cruft things up a bit, and it's not very satisfying, because it's not really * an LLVM concept. *) Datatype: instr = (* Terminators *) | Ret targ | Br arg label label | Invoke reg ty arg (targ list) label label | Unreachable | Exit arg (* Non-terminators *) | Sub reg bool bool ty arg arg | Extractvalue reg targ (const list) | Insertvalue reg targ targ (const list) | Alloca reg ty targ | Load reg ty targ | Store targ targ | Gep reg ty targ (targ list) | Cast reg cast_op targ ty | Icmp reg cond ty arg arg | Call reg ty fun_name (targ list) (* C++ runtime functions *) | Cxa_allocate_exn reg arg | Cxa_throw arg arg arg | Cxa_begin_catch reg arg | Cxa_end_catch | Cxa_get_exception_ptr reg arg End Datatype: clause = Catch targ End Datatype: landingpad = Landingpad ty bool (clause list) End Datatype: blockHeader = | Entry | Head (phi list) (landingpad option) End Datatype: block = <| h : blockHeader; body : instr list |> End Datatype: def = <| r : ty; params : (ty # reg) list; (* None -> entry block, and Some name -> non-entry block *) blocks : (label option, block) alist |> End Type prog = ``:(fun_name, def) alist`` Definition terminator_def: (terminator (Ret _) ⇔ T) ∧ (terminator (Br _ _ _) ⇔ T) ∧ (terminator (Invoke _ _ _ _ _ _) ⇔ T) ∧ (terminator Unreachable ⇔ T) ∧ (terminator (Exit _) ⇔ T) ∧ (terminator (Cxa_throw _ _ _) ⇔ T) ∧ (terminator _ ⇔ F) End (* ----- Semantic states ----- *) Definition pointer_size_def: pointer_size = 8 End Datatype: flat_v = | W1V word1 | W8V word8 | W32V word32 | W64V word64 (* LLVM guarantees that 64 bits is enough to hold a pointer *) | PtrV word64 | UndefV End Type v = ``:flat_v reg_v`` Datatype: pv = <| poison : bool; value : v |> End (* Instruction pointer into a block. Phi_ip indicates to do the phi instruction, * coming from the given label. Offset points to a normal (non-phi) instruction. * *) Datatype: bip = | Phi_ip (label option) | Offset num End Datatype: pc = <| f : fun_name; b : label option; i : bip |> End Datatype: frame = <| ret : pc; saved_locals : reg |-> pv; result_var : reg; stack_allocs : addr list |> End Datatype: state = <| ip : pc; (* Keep the size of the global with its memory address *) globals : glob_var |-> (num # word64); locals : reg |-> pv; stack : frame list; heap : bool heap; status : trace_type |> End (* ----- Things about types ----- *) (* Given a number n that fits into pointer_size number of bytes, create the * pointer value. Since the pointer is represented as a 64-bit word, * pointer_size must be 8 or less, which LLVM guarantees *) Definition mk_ptr_def: mk_ptr n = if n < 256 ** pointer_size then Some (FlatV (PtrV (n2w n))) else None End (* How many bytes a value of the given type occupies *) Definition sizeof_def: (sizeof (IntT W1) = 1) ∧ (sizeof (IntT W8) = 1) ∧ (sizeof (IntT W32) = 4) ∧ (sizeof (IntT W64) = 8) ∧ (sizeof (PtrT _) = pointer_size) ∧ (sizeof (ArrT n t) = n * sizeof t) ∧ (sizeof (StrT ts) = sum (map sizeof ts)) Termination WF_REL_TAC `measure ty_size` >> simp [] >> Induct >> rw [definition "ty_size_def"] >> simp [] >> first_x_assum drule >> decide_tac End Definition first_class_type_def: (first_class_type (IntT _) ⇔ T) ∧ (first_class_type (PtrT _) ⇔ T) ∧ (first_class_type (ArrT _ t) ⇔ first_class_type t) ∧ (first_class_type (StrT ts) ⇔ every first_class_type ts) ∧ (first_class_type _ ⇔ F) Termination WF_REL_TAC `measure ty_size` >> rw [] >> Induct_on `ts` >> rw [definition "ty_size_def"] >> res_tac >> decide_tac End (* Are the indices all in bounds? *) Definition indices_ok_def: (indices_ok _ [] ⇔ T) ∧ (indices_ok (ArrT n t) (i::indices) ⇔ i < n ∧ indices_ok t indices) ∧ (indices_ok (StrT ts) (i::indices) ⇔ i < length ts ∧ indices_ok (el i ts) indices) ∧ (indices_ok _ _ ⇔ F) End (* Which values have which types *) Inductive value_type: (∀w1. value_type (IntT W1) (FlatV (W1V w1))) ∧ (∀w8. value_type (IntT W8) (FlatV (W8V w8))) ∧ (∀w32. value_type (IntT W32) (FlatV (W32V w32))) ∧ (∀w64. value_type (IntT W64) (FlatV (W64V w64))) ∧ (∀t ptr. value_type (PtrT t) (FlatV (PtrV ptr))) ∧ (∀t vs n. every (value_type t) vs ∧ length vs = n ∧ first_class_type t ⇒ value_type (ArrT n t) (AggV vs)) ∧ (∀ts vs. list_rel value_type ts vs ⇒ value_type (StrT ts) (AggV vs)) End (* Get the component of a type referred by the indices *) Definition extract_type_def: (extract_type t [] = Some t) ∧ (extract_type (ArrT n t) (i::idx) = if i < n then extract_type t idx else None) ∧ (extract_type (StrT ts) (i::idx) = if i < length ts then extract_type (el i ts) idx else None) ∧ (extract_type _ _ = None) End (* Calculate the offset given by a list of indices *) Definition get_offset_def: (get_offset _ [] = Some 0) ∧ (get_offset (ArrT _ t) (i::is) = case get_offset t is of | None => None | Some off => Some (i * sizeof t + off)) ∧ (get_offset (StrT ts) (i::is) = if i < length ts then case get_offset (el i ts) is of | None => None | Some off => Some (sum (map sizeof (take i ts)) + off) else None) ∧ (get_offset _ _ = Some 0) End (* ----- Semantic transitions ----- *) (* Put a 64-bit word into a smaller value, truncating if necessary *) Definition w64_cast_def: (w64_cast w (IntT W1) = Some (FlatV (W1V (w2w w)))) ∧ (w64_cast w (IntT W8) = Some (FlatV (W8V (w2w w)))) ∧ (w64_cast w (IntT W32) = Some (FlatV (W32V (w2w w)))) ∧ (w64_cast w (IntT W64) = Some (FlatV (W64V w))) ∧ (w64_cast _ _ = None) End Definition bool_to_v_def: bool_to_v b = if b then FlatV (W1V 1w) else FlatV (W1V 0w) End (* Convert a word value into an integer, interpreting the word in 2's complement *) Definition signed_v_to_int_def: (signed_v_to_int (FlatV (W1V w)) = Some (w2i w)) ∧ (signed_v_to_int (FlatV (W8V w)) = Some (w2i w)) ∧ (signed_v_to_int (FlatV (W32V w)) = Some (w2i w)) ∧ (signed_v_to_int (FlatV (W64V w)) = Some (w2i w)) ∧ (signed_v_to_int _ = None) End (* Convert a non-negative word value (interpreted as 2's complement) into a natural number *) Definition signed_v_to_num_def: signed_v_to_num v = option_join (option_map (\i. if i < 0 then None else Some (Num i)) (signed_v_to_int v)) End (* Convert a word value into a natural number, interpreting the word as unsigned *) Definition unsigned_v_to_num_def: (unsigned_v_to_num (FlatV (W1V w)) = Some (w2n w)) ∧ (unsigned_v_to_num (FlatV (W8V w)) = Some (w2n w)) ∧ (unsigned_v_to_num (FlatV (W32V w)) = Some (w2n w)) ∧ (unsigned_v_to_num (FlatV (W64V w)) = Some (w2n w)) ∧ (unsigned_v_to_num _ = None) End Inductive eval_const: (∀g i. eval_const g (IntC W1 i) (FlatV (W1V (i2w i)))) ∧ (∀g i. eval_const g (IntC W8 i) (FlatV (W8V (i2w i)))) ∧ (∀g i. eval_const g (IntC W32 i) (FlatV (W32V (i2w i)))) ∧ (∀g i. eval_const g (IntC W64 i) (FlatV (W64V (i2w i)))) ∧ (∀g tconsts rs. list_rel (eval_const g) (map snd tconsts) rs ⇒ eval_const g (StrC tconsts) (AggV rs)) ∧ (∀g tconsts rs. list_rel (eval_const g) (map snd tconsts) rs ⇒ eval_const g (ArrC tconsts) (AggV rs)) ∧ (∀g ty ptr t idx indices ptr' n ns off vs v. eval_const g ptr (FlatV (PtrV ptr')) ∧ eval_const g idx v ∧ signed_v_to_num v = Some n ∧ list_rel (λ(t, ci) v. eval_const g ci v) indices vs ∧ map signed_v_to_num vs = map Some ns ∧ get_offset ty ns = Some off ⇒ eval_const g (GepC ty ptr (t, idx) indices) (FlatV (PtrV (n2w ((w2n ptr') + (sizeof ty) * n + off))))) ∧ (∀g var s w. flookup g var = Some (s, w) ⇒ eval_const g (GlobalC var) (FlatV (PtrV w))) End Inductive eval: (∀s x v. flookup s.locals x = Some v ⇒ eval s (Variable x) v) ∧ (∀s c v. eval_const s.globals c v ⇒ eval s (Constant c) <| poison := F; value := v |>) End (* BEGIN Functions to interface to the generic memory model *) Definition type_to_shape_def: (type_to_shape (IntT s) = Flat (sizeof (IntT s)) (IntT s)) ∧ (type_to_shape (PtrT t) = Flat (sizeof (PtrT t)) (PtrT t)) ∧ (type_to_shape (ArrT n t) = Array (type_to_shape t) n) ∧ (type_to_shape (StrT ts) = Tuple (map type_to_shape ts)) Termination WF_REL_TAC `measure ty_size` >> rw [] >> Induct_on `ts` >> rw [definition "ty_size_def"] >> res_tac >> simp [] End Definition convert_value_def: (convert_value (IntT W1) n = W1V (if n = 0 then 0w else 1w)) ∧ (convert_value (IntT W8) n = W8V (n2w n)) ∧ (convert_value (IntT W32) n = W32V (n2w n)) ∧ (convert_value (IntT W64) n = W64V (n2w n)) ∧ (convert_value (PtrT _) n = PtrV (n2w n)) End Definition bytes_to_llvm_value_def: bytes_to_llvm_value t bs = (bytes_to_value (λn t w. convert_value t w) (type_to_shape t) bs) End Definition unconvert_value_def: (unconvert_value (W1V w) = (1, w2n w)) ∧ (unconvert_value (W8V w) = (1, w2n w)) ∧ (unconvert_value (W32V w) = (4, w2n w)) ∧ (unconvert_value (W64V w) = (8, w2n w)) ∧ (unconvert_value (PtrV w) = (pointer_size, w2n w)) End Definition llvm_value_to_bytes_def: llvm_value_to_bytes v = value_to_bytes unconvert_value v End (* END Functions to interface to the generic memory model *) Definition do_sub_def: do_sub (nuw:bool) (nsw:bool) (v1:pv) (v2:pv) t = let diff = case (v1.value, v2.value, t) of | (FlatV (W1V w1), FlatV (W1V w2), IntT W1) => Some ((FlatV o W1V ## I) (add_with_carry (w1, ¬w2, T))) | (FlatV (W8V w1), FlatV (W8V w2), IntT W8) => Some ((FlatV o W8V ## I) (add_with_carry (w1, ¬w2, T))) | (FlatV (W32V w1), FlatV (W32V w2), IntT W32) => Some ((FlatV o W32V ## I) (add_with_carry (w1, ¬w2, T))) | (FlatV (W64V w1), FlatV (W64V w2), IntT W64) => Some ((FlatV o W64V ## I) (add_with_carry (w1, ¬w2, T))) | _ => None in option_map (\(diff, u_overflow, s_overflow). let p = ((nuw ∧ u_overflow) ∨ (nsw ∧ s_overflow) ∨ v1.poison ∨ v2.poison) in <| poison := p; value := diff |>) diff End Definition get_comp_def: (get_comp Eq = $=) ∧ (get_comp Slt = $<) ∧ (get_comp Ult = $<+) End Definition do_cast_def: (do_cast Trunc v t = option_join (option_map (λw. w64_cast (n2w w) t) (unsigned_v_to_num v))) ∧ (do_cast Zext v t = option_join (option_map (λw. w64_cast (n2w w) t) (unsigned_v_to_num v))) ∧ (do_cast Sext v t = option_join (option_map (λi. w64_cast (i2w i) t) (signed_v_to_int v))) ∧ (do_cast Ptrtoint v t = case v of | FlatV (PtrV w) => w64_cast w t | _ => None) ∧ (do_cast Inttoptr v t = option_join (option_map mk_ptr (unsigned_v_to_num v))) End (* EVAL ``do_cast Trunc (FlatV (W32V 4294967295w)) (IntT W8) = Some (FlatV (W8V 255w))`` EVAL ``do_cast Trunc (FlatV (W32V 511w)) (IntT W8) = Some (FlatV (W8V 255w))`` EVAL ``do_cast Trunc (FlatV (W32V 255w)) (IntT W8) = Some (FlatV (W8V 255w))`` EVAL ``do_cast Trunc (FlatV (W32V 4294967166w)) (IntT W8) = Some (FlatV (W8V 126w))`` EVAL ``do_cast Trunc (FlatV (W32V 257w)) (IntT W8) = Some (FlatV (W8V 1w))`` EVAL ``do_cast Zext (FlatV (W8V 127w)) (IntT W32) = Some (FlatV (W32V 127w))`` EVAL ``do_cast Zext (FlatV (W8V 129w)) (IntT W32) = Some (FlatV (W32V 129w))`` EVAL ``do_cast Sext (FlatV (W8V 127w)) (IntT W32) = Some (FlatV (W32V 127w))`` EVAL ``do_cast Sext (FlatV (W8V 129w)) (IntT W32) = Some (FlatV (W32V (n2w (2 ** 32 - 1 - 255 + 129))))`` *) Definition do_icmp_def: do_icmp c v1 v2 = option_map (\b. <| poison := (v1.poison ∨ v2.poison); value := bool_to_v b |>) (case (v1.value, v2.value) of | (FlatV (W1V w1), FlatV (W1V w2)) => Some ((get_comp c) w1 w2) | (FlatV (W8V w1), FlatV (W8V w2)) => Some ((get_comp c) w1 w2) | (FlatV (W32V w1), FlatV (W32V w2)) => Some ((get_comp c) w1 w2) | (FlatV (W64V w1), FlatV (W64V w2)) => Some ((get_comp c) w1 w2) | (FlatV (PtrV w1), FlatV (PtrV w2)) => Some ((get_comp c) w1 w2) | _ => None) End Inductive do_phi: (∀from_l s id lands entries e v. alookup entries from_l = Some e ∧ eval s e v ⇒ do_phi from_l s (Phi id lands entries) (id, v)) End Definition extract_value_def: (extract_value v [] = Some v) ∧ (extract_value (AggV vs) (i::indices) = if i < length vs then extract_value (el i vs) indices else None) ∧ (extract_value _ _ = None) End Definition insert_value_def: (insert_value _ v [] = Some v) ∧ (insert_value (AggV vs) v (i::indices) = if i < length vs then case insert_value (el i vs) v indices of | None => None | Some v => Some (AggV (list_update v i vs)) else None) ∧ (insert_value _ _ _ = None) End Definition update_result_def: update_result x v s = s with locals := s.locals |+ (x, v) End Definition inc_bip_def: (inc_bip (Phi_ip _) = Offset 0) ∧ (inc_bip (Offset i) = Offset (i + 1)) End Definition inc_pc_def: inc_pc s = s with ip := (s.ip with i := inc_bip s.ip.i) End Inductive get_obs: (∀s w bytes x n. flookup s.globals x = Some (n, w) ⇒ get_obs s w bytes (W x bytes)) ∧ (∀s w bytes. (∀n. (n, w) ∉ FRANGE s.globals) ⇒ get_obs s w bytes Tau) End (* NB, the semantics tracks the poison values, but not much thought has been put * into getting it exactly right, so we don't have much confidence that it is * exactly right. We also are currently ignoring the undefined value. *) Inductive step_instr: (∀prog s t a fr v st new_h. s.stack = fr::st ∧ deallocate fr.stack_allocs s.heap = new_h ∧ eval s a v ⇒ step_instr prog s (Ret (t, a)) Tau (update_result fr.result_var v <| ip := fr.ret; globals := s.globals; locals := fr.saved_locals; stack := st; heap := new_h; status := s.status |>)) ∧ (∀prog s a l1 l2 tf l p. eval s a <| poison := p; value := FlatV (W1V tf) |> ∧ l = Some (if tf = 0w then l2 else l1) ⇒ step_instr prog s (Br a l1 l2) Tau (s with ip := <| f := s.ip.f; b := l; i := Phi_ip s.ip.b |>)) ∧ (* TODO *) (∀prog s r t a args l1 l2. step_instr prog s (Invoke r t a args l1 l2) Tau s) ∧ (∀prog s a exit_code v1. eval s a v1 ∧ signed_v_to_int v1.value = Some exit_code ⇒ step_instr prog s (Exit a) (Exit exit_code) (s with status := Complete exit_code)) ∧ (∀prog s r nuw nsw t a1 a2 v3 v1 v2. eval s a1 v1 ∧ eval s a2 v2 ∧ do_sub nuw nsw v1 v2 t = Some v3 ⇒ step_instr prog s (Sub r nuw nsw t a1 a2) Tau (inc_pc (update_result r v3 s))) ∧ (∀prog s r t a const_indices v vs ns result. eval s a v ∧ list_rel (eval_const s.globals) const_indices vs ∧ (* The manual implies (but does not explicitly state) that the indices are * interpreted as signed numbers *) map signed_v_to_num vs = map Some ns ∧ extract_value v.value ns = Some result ⇒ step_instr prog s (Extractvalue r (t, a) const_indices) Tau (inc_pc (update_result r <| poison := v.poison; value := result |> s))) ∧ (∀prog s r t1 a1 t2 a2 const_indices result v1 v2 ns vs. eval s a1 v1 ∧ eval s a2 v2 ∧ list_rel (eval_const s.globals) const_indices vs ∧ (* The manual implies (but does not explicitly state) that the indices are * interpreted as signed numbers *) map signed_v_to_num vs = map Some ns ∧ insert_value v1.value v2.value ns = Some result ⇒ step_instr prog s (Insertvalue r (t1, a1) (t2, a2) const_indices) Tau (inc_pc (update_result r <| poison := (v1.poison ∨ v2.poison); value := result |> s))) ∧ (∀prog s r t t1 a1 ptr new_h v n n2. eval s a1 v ∧ (* TODO Question is the number to allocate interpreted as a signed or * unsigned quantity. E.g., if we allocate i8 0xFF does that do 255 or -1? *) signed_v_to_num v.value = Some n ∧ allocate s.heap (n * sizeof t) v.poison (n2, new_h) ∧ mk_ptr n2 = Some ptr ⇒ step_instr prog s (Alloca r t (t1, a1)) Tau (inc_pc (update_result r <| poison := v.poison; value := ptr |> (s with heap := new_h)))) ∧ (∀prog s r t t1 a1 pbytes w interval freeable p1. eval s a1 <| poison := p1; value := FlatV (PtrV w) |> ∧ interval = Interval freeable (w2n w) (w2n w + sizeof t) ∧ is_allocated interval s.heap ∧ pbytes = get_bytes s.heap interval ∧ first_class_type t ⇒ step_instr prog s (Load r t (t1, a1)) Tau (inc_pc (update_result r <| poison := (T ∈ set (map fst pbytes)); value := fst (bytes_to_llvm_value t (map snd pbytes)) |> s))) ∧ (∀prog s t1 a1 t2 a2 obs p2 bytes w v1 freeable interval. eval s a2 <| poison := p2; value := FlatV (PtrV w) |> ∧ eval s a1 v1 ∧ interval = Interval freeable (w2n w) (w2n w + sizeof t1) ∧ is_allocated interval s.heap ∧ bytes = llvm_value_to_bytes v1.value ∧ length bytes = sizeof t1 ∧ get_obs s w bytes obs ⇒ step_instr prog s (Store (t1, a1) (t2, a2)) obs (inc_pc (s with heap := set_bytes p2 bytes (w2n w) s.heap))) ∧ (∀prog s r t t1 a1 tindices v1 i1 indices v w1 i is off ptr. list_rel (eval s o snd) tindices (i1::indices) ∧ eval s a1 v ∧ v.value = FlatV (PtrV w1) ∧ (* The manual states that the indices are interpreted as signed numbers *) signed_v_to_num i1.value = Some i ∧ map (λx. signed_v_to_num x.value) indices = map Some is ∧ get_offset t1 is = Some off ∧ mk_ptr (w2n w1 + sizeof t1 * i + off) = Some ptr ⇒ step_instr prog s (Gep r t ((PtrT t1), a1) tindices) Tau (inc_pc (update_result r <| poison := (v1.poison ∨ i1.poison ∨ exists (λv. v.poison) indices); value := ptr |> s))) ∧ (∀prog s cop r t1 a1 t v1 v2. eval s a1 v1 ∧ do_cast cop v1.value t = Some v2 ⇒ step_instr prog s (Cast r cop (t1, a1) t) Tau (inc_pc (update_result r <| poison := v1.poison; value := v2 |> s))) ∧ (∀prog s r c t a1 a2 v3 v1 v2. eval s a1 v1 ∧ eval s a2 v2 ∧ do_icmp c v1 v2 = Some v3 ⇒ step_instr prog s (Icmp r c t a1 a2) Tau (inc_pc (update_result r v3 s))) ∧ (∀prog s r t fname targs d vs. alookup prog fname = Some d ∧ list_rel (eval s o snd) targs vs ⇒ step_instr prog s (Call r t fname targs) Tau (* Jump to the entry block of the function which has no phis *) <| ip := <| f := fname; b := None; i := Offset 0 |>; locals := alist_to_fmap (zip (map snd d.params, vs)); globals := s.globals; stack := <| ret := s.ip with i := inc_bip s.ip.i; saved_locals := s.locals; result_var := r; stack_allocs := [] |> :: s.stack; heap := s.heap; status := s.status |>)(* ∧ (* TODO *) (step_instr prog s (Cxa_allocate_exn r a) Tau s) ∧ (* TODO *) (step_instr prog s (Cxa_throw a1 a2 a3) Tau s) ∧ (* TODO *) (step_instr prog s (Cxa_begin_catch r a) Tau s) ∧ (* TODO *) (step_instr prog s (Cxa_end_catch) Tau s) ∧ (* TODO *) (step_instr prog s (Cxa_get_exception_ptr r a) Tau s) *) End Inductive get_instr: (∀prog ip idx b d. alookup prog ip.f = Some d ∧ alookup d.blocks ip.b = Some b ∧ ip.i = Offset idx ∧ idx < length b.body ⇒ get_instr prog ip (Inl (el idx b.body))) ∧ (∀prog ip from_l phis d b landing. alookup prog ip.f = Some d ∧ alookup d.blocks ip.b = Some b ∧ ip.i = Phi_ip from_l ∧ b.h = Head phis landing ⇒ get_instr prog ip (Inr (from_l, phis))) End Inductive step: (∀p s l s' i. get_instr p s.ip (Inl i) ∧ step_instr p s i l s' ⇒ step p s l s') ∧ (* Do the phi assignments in parallel. The manual says "For the purposes of the * SSA form, the use of each incoming value is deemed to occur on the edge from * the corresponding predecessor block to the current block (but after any * definition of an 'invoke' instruction's return value on the same edge)". * So treat these two as equivalent * %r1 = phi [0, %l] * %r2 = phi [%r1, %l] * and * %r2 = phi [%r1, %l] * %r1 = phi [0, %l] *) (∀p s updates from_l phis. get_instr p s.ip (Inr (from_l, phis)) ∧ list_rel (do_phi from_l s) phis updates ⇒ step p s Tau (inc_pc (s with locals := s.locals |++ updates))) End Inductive sem_step: (∀p s1 l s2. step p s1 l s2 ∧ s1.status = Partial ⇒ sem_step p s1 l s2) ∧ (∀p s1. (¬∃l s2. step p s1 l s2) ∧ s1.status = Partial ⇒ sem_step p s1 Error (s1 with status := Stuck)) End (* The semantics of a program will be the finite traces of stores to global * variables. * *) Definition sem_def: sem p s1 = { ((last path).status, filter ($≠ Tau) l) | (path, l) | toList (labels path) = Some l ∧ finite path ∧ okpath (sem_step p) path ∧ first path = s1 } End (* ----- Invariants on state ----- *) (* All global variables are allocated in non-freeable memory *) Definition globals_ok_def: globals_ok s ⇔ ∀g n w. flookup s.globals g = Some (n, w) ⇒ is_allocated (Interval F (w2n w) (w2n w + n)) s.heap End (* Instruction pointer points to an instruction *) Definition ip_ok_def: ip_ok p ip ⇔ ∃dec block. alookup p ip.f = Some dec ∧ alookup dec.blocks ip.b = Some block ∧ ((∃idx. ip.i = Offset idx ∧ idx < length block.body) ∨ (∃from_l. ip.i = Phi_ip from_l ∧ block.h ≠ Entry ∧ alookup dec.blocks from_l ≠ None)) End Definition instr_to_labs_def: (instr_to_labs (Br _ l1 l2) = [l1; l2]) ∧ (instr_to_labs _ = []) End Definition phi_contains_label_def: phi_contains_label l (Phi _ _ ls) ⇔ alookup ls l ≠ None End Definition prog_ok_def: prog_ok p ⇔ ((* All blocks end with terminators and terminators only appear at the end. * All labels mentioned in branches actually exist, and target non-entry * blocks, whose phi nodes have entries for the label of the block that the * branch is from. *) ∀fname dec bname block. alookup p fname = Some dec ∧ alookup dec.blocks bname = Some block ⇒ block.body ≠ [] ∧ terminator (last block.body) ∧ every (λi. ¬terminator i) (front block.body) ∧ every (λlab. ∃b phis land. alookup dec.blocks (Some lab) = Some b ∧ b.h = Head phis land ∧ every (phi_contains_label bname) phis) (instr_to_labs (last block.body))) ∧ ((* All functions have an entry block *) ∀fname dec. alookup p fname = Some dec ⇒ ∃block. alookup dec.blocks None = Some block ∧ block.h = Entry) ∧ ((* All non-entry blocks have a proper header, and entry blocks don't *) ∀fname dec. alookup p fname = Some dec ⇒ (every (\b. fst b = None ⇔ (snd b).h = Entry) dec.blocks)) ∧ (* There is a main function *) ∃dec. alookup p (Fn "main") = Some dec End (* All call frames have a good return address, and the stack allocations of the * frame are all in freeable memory *) Definition frame_ok_def: frame_ok p s f ⇔ ip_ok p f.ret ∧ every (λn. ∃start stop. n = A start ∧ Interval T start stop ∈ s.heap.allocations) f.stack_allocs End (* The frames are all of, and no two stack allocations have the same address *) Definition stack_ok_def: stack_ok p s ⇔ every (frame_ok p s) s.stack ∧ all_distinct (flat (map (λf. f.stack_allocs) s.stack)) End Definition state_invariant_def: state_invariant p s ⇔ ip_ok p s.ip ∧ heap_ok s.heap ∧ globals_ok s ∧ stack_ok p s End (* ----- Initial state ----- *) (* The initial state contains allocations for the initialised global variables *) Definition is_init_state_def: is_init_state s (global_init : glob_var |-> ty # v) ⇔ s.ip.f = Fn "main" ∧ s.ip.b = None ∧ s.ip.i = Offset 0 ∧ s.locals = fempty ∧ s.stack = [] ∧ s.status = Partial ∧ globals_ok s ∧ heap_ok s.heap ∧ fdom s.globals = fdom global_init ∧ s.heap.valid_addresses = { A n | n < 256 ** pointer_size } ∧ (* The initial allocations for globals are not freeable *) s.heap.allocations ⊆ { Interval F start stop | T } ∧ (* The heap starts with the initial values of the globals written to their * addresses *) ∀g w t v n. flookup s.globals g = Some (n, w) ∧ flookup global_init g = Some (t,v) ⇒ ∃bytes. get_bytes s.heap (Interval F (w2n w) (w2n w + sizeof t)) = map (λb. (F,b)) bytes ∧ bytes_to_llvm_value t bytes = (v, []) End export_theory();