(*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*)
(* Properties of the llair model *)
open HolKernel boolLib bossLib Parse;
open arithmeticTheory integerTheory integer_wordTheory wordsTheory listTheory;
open pred_setTheory finite_mapTheory;
open settingsTheory miscTheory llairTheory;
new_theory "llair_prop";
numLib.prefer_num ();
Theorem signed2unsigned_fits:
0 < n ∧ ifits i n ⇒ ifits (&signed2unsigned i n) (n + 1)
Proof
rw [signed2unsigned_def, ifits_def]
>- (
`?j. i = -&j` by intLib.COOPER_TAC >>
rw [] >> fs [] >>
rfs [EXP_SUB] >>
`j ≤ 2 ** n` by intLib.COOPER_TAC >>
rw [INT_SUB, GSYM int_sub])
>- (
`?j. i = &j` by intLib.COOPER_TAC >>
rw [] >> fs [] >>
rw [INT_SUB, GSYM int_sub] >>
rfs [EXP_SUB] >>
intLib.COOPER_TAC)
QED
Theorem i2n_n2i:
∀n size. 0 < size ⇒ (nfits n size ⇔ (i2n (n2i n size) = n))
Proof
rw [nfits_def, n2i_def, i2n_def, signed2unsigned_def] >> rw []
>- intLib.COOPER_TAC
>- (
`2 ** size ≤ n` by intLib.COOPER_TAC >> simp [INT_SUB] >>
Cases_on `n = 0` >> fs [] >>
`n - 2 ** size < n` suffices_by intLib.COOPER_TAC >>
irule SUB_LESS >> simp [])
>- (
`2 ** (size - 1) < 2 ** size` suffices_by intLib.COOPER_TAC >>
fs [])
QED
Theorem n2i_i2n:
∀i size. 0 < size ⇒ (ifits i size ⇔ (n2i (i2n (IntV i size)) size) = IntV i size)
Proof
rw [ifits_def, n2i_def, i2n_def, signed2unsigned_def] >> rw [] >> fs []
>- (
eq_tac >> rw []
>- (
simp [intLib.COOPER_PROVE ``∀(x:int) y z. x - y = z ⇔ x = y + z``] >>
`2 ** (size - 1) < 2 ** size` suffices_by intLib.COOPER_TAC >>
fs [INT_OF_NUM])
>- (
fs [intLib.COOPER_PROVE ``∀(x:int) y z. x - y = z ⇔ x = y + z``] >>
fs [INT_OF_NUM] >>
`∃j. i = -j` by intLib.COOPER_TAC >> rw [] >> fs [] >>
qpat_x_assum `_ ≤ Num _` mp_tac >>
fs [GSYM INT_OF_NUM] >>
ASM_REWRITE_TAC [GSYM INT_LE] >> rw [] >>
`2 ** size = 2 * 2 ** (size - 1)` by rw [GSYM EXP, ADD1] >> fs [] >>
intLib.COOPER_TAC)
>- intLib.COOPER_TAC)
>- (
eq_tac >> rw []
>- intLib.COOPER_TAC
>- intLib.COOPER_TAC >>
`0 ≤ i` by intLib.COOPER_TAC >>
fs [GSYM INT_OF_NUM] >>
`&(2 ** size) = 0` by intLib.COOPER_TAC >>
fs [])
>- (
eq_tac >> rw []
>- (
`2 ** size = 2 * 2 ** (size - 1)` by rw [GSYM EXP, ADD1] >> fs [] >>
intLib.COOPER_TAC)
>- intLib.COOPER_TAC
>- intLib.COOPER_TAC)
>- intLib.COOPER_TAC
QED
Theorem w2n_signed2unsigned:
∀w. w2n (w : 'a word) = signed2unsigned (w2i w) (dimindex (:'a))
Proof
rw [signed2unsigned_def] >> Cases_on `w` >> fs []
>- (
`INT_MIN (:α) ≤ n`
by (
fs [w2i_def] >> rw [] >>
BasicProvers.EVERY_CASE_TAC >> fs [word_msb_n2w_numeric] >>
rfs []) >>
rw [w2i_n2w_neg, dimword_def, int_arithTheory.INT_NUM_SUB])
>- (
`n < INT_MIN (:'a)`
by (
fs [w2i_def] >> rw [] >>
BasicProvers.EVERY_CASE_TAC >> fs [word_msb_n2w_numeric] >>
rfs []) >>
rw [w2i_n2w_pos])
QED
Theorem w2n_i2n:
∀w. w2n (w : 'a word) = i2n (IntV (w2i w) (dimindex (:'a)))
Proof
rw [i2n_def] >> metis_tac [w2n_signed2unsigned]
QED
Theorem w2i_n2w:
∀n. n < dimword (:'a) ⇒ IntV (w2i (n2w n : 'a word)) (dimindex (:'a)) = n2i n (dimindex (:'a))
Proof
rw [n2i_def]
>- (
qspec_then `n` mp_tac w2i_n2w_neg >>
fs [dimword_def, INT_MIN_def] >> rw [GSYM INT_SUB])
>- (irule w2i_n2w_pos >> rw [INT_MIN_def])
QED
Theorem eval_exp_ignores_lem:
∀s1 e v. eval_exp s1 e v ⇒ ∀s2. s1.locals = s2.locals ∧ s1.glob_addrs = s2.glob_addrs ⇒ eval_exp s2 e v
Proof
ho_match_mp_tac eval_exp_ind >>
rw [] >> simp [Once eval_exp_cases] >>
TRY (qexists_tac `vals` >> rw [] >> fs [LIST_REL_EL_EQN] >> NO_TAC) >>
TRY (fs [LIST_REL_EL_EQN] >> NO_TAC) >>
metis_tac []
QED
Theorem eval_exp_ignores:
∀s1 e v s2. s1.locals = s2.locals ∧ s1.glob_addrs = s2.glob_addrs ⇒ (eval_exp s1 e v ⇔ eval_exp s2 e v)
Proof
metis_tac [eval_exp_ignores_lem]
QED
Definition exp_uses_def:
(exp_uses (Var x T) = {}) ∧
(exp_uses (Var x F) = {x}) ∧
(exp_uses Nondet = {}) ∧
(exp_uses (Label _) = {}) ∧
(exp_uses (Splat e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Memory e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Concat es) = bigunion (set (map exp_uses es))) ∧
(exp_uses (Integer _ _) = {}) ∧
(exp_uses (Eq e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Lt e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Ult e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Sub _ e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Record es) = bigunion (set (map exp_uses es))) ∧
(exp_uses (Select e1 e2) = exp_uses e1 ∪ exp_uses e2) ∧
(exp_uses (Update e1 e2 e3) = exp_uses e1 ∪ exp_uses e2 ∪ exp_uses e3) ∧
(exp_uses (Unsigned _ e _) = exp_uses e) ∧
(exp_uses (Signed _ e _) = exp_uses e)
Termination
WF_REL_TAC `measure exp_size` >> rw [] >>
Induct_on `es` >> rw [exp_size_def] >> res_tac >> rw []
End
Theorem eval_exp_ignores_unused_lem:
∀s1 e v.
eval_exp s1 e v ⇒
∀s2. DRESTRICT s1.locals (exp_uses e) = DRESTRICT s2.locals (exp_uses e) ∧
s1.glob_addrs = s2.glob_addrs ⇒
eval_exp s2 e v
Proof
ho_match_mp_tac eval_exp_ind >>
rw [exp_uses_def] >> simp [Once eval_exp_cases]
>- (
fs [DRESTRICT_EQ_DRESTRICT, EXTENSION, FDOM_DRESTRICT] >>
imp_res_tac FLOOKUP_SUBMAP >>
fs [FLOOKUP_DRESTRICT]) >>
fs [drestrict_union_eq]
>- metis_tac []
>- metis_tac []
>- (
rpt (pop_assum mp_tac) >>
qid_spec_tac `vals` >>
Induct_on `es` >> rw [] >> Cases_on `vals` >> rw [PULL_EXISTS] >> fs [] >>
rw [] >> fs [drestrict_union_eq] >>
rename [`v1++flat vs`] >>
first_x_assum (qspec_then `vs` mp_tac) >> rw [] >>
qexists_tac `v1 :: vals'` >> rw [])
>- metis_tac []
>- metis_tac []
>- metis_tac []
>- metis_tac []
>- (
rpt (pop_assum mp_tac) >>
qid_spec_tac `vals` >>
Induct_on `es` >> rw [] >> fs [drestrict_union_eq])
>- metis_tac []
>- metis_tac []
>- metis_tac []
>- metis_tac []
QED
Theorem eval_exp_ignores_unused:
∀s1 e v s2.
DRESTRICT s1.locals (exp_uses e) = DRESTRICT s2.locals (exp_uses e) ∧
s1.glob_addrs = s2.glob_addrs
⇒
(eval_exp s1 e v ⇔ eval_exp s2 e v)
Proof
metis_tac [eval_exp_ignores_unused_lem]
QED
Triviality num_mod_to_int_mod:
y ≠ 0 ⇒ x MOD y = Num (&x % &y)
Proof
fs [INT_MOD]
QED
Triviality int_of_num2:
0 ≤ x ⇒ &Num x = x
Proof
metis_tac [INT_OF_NUM]
QED
Theorem int_sub_mod:
∀i j. j ≠ 0 ⇒ (i - j) % j = i % j
Proof
rw [int_mod] >>
`-j % j = 0 ∧ -j / j = -1`
by (
ONCE_REWRITE_TAC [INT_NEG_MINUS1] >> rw [] >>
rw [INT_MUL_DIV]) >>
rw [INT_ADD_DIV, int_sub, INT_RDISTRIB] >>
rw [] >>
intLib.COOPER_TAC
QED
Theorem mod_halfway:
∀i b. 0 < b ⇒ ((i + b) % (2 * b) - b < 0 ⇔ 0 ≤ i % (2 * b) - b)
Proof
rw [] >> `b ≠ 0` by intLib.COOPER_TAC >>
rw [Once (GSYM INT_MOD_PLUS)] >>
`b < 2 * b` by intLib.COOPER_TAC >>
rw [INT_LESS_MOD] >>
`0 ≤ i % (2 * b) ∧ i % (2 * b) < 2 * b`
by (
`~(2 * b < 0) ∧ 2 * b ≠ 0` by intLib.COOPER_TAC >>
drule INT_MOD_BOUNDS >>
rw []) >>
`0 ≤ i % (2 * b) + b` by intLib.COOPER_TAC >>
Cases_on `i % (2 * b) + b < 2 * b` >> rw [INT_LESS_MOD]
>- intLib.COOPER_TAC >>
simp [Once (GSYM int_sub_mod)] >>
rw [intLib.COOPER_PROVE ``∀x (b:int). x + b - (2 * b) = x - b``] >>
`i % (2 * b) − b < 2 * b` by intLib.COOPER_TAC >>
`0 ≤ i % (2 * b) − b` by intLib.COOPER_TAC >>
rw [INT_LESS_MOD] >>
intLib.COOPER_TAC
QED
Theorem unsigned_truncate:
∀m n i.
0 < m ∧ m ≤ n ∧ -i ≤ 2 ** n
⇒
signed2unsigned (truncate_2comp i m) m = signed2unsigned i n MOD (2 ** m)
Proof
rw [signed2unsigned_def, truncate_2comp_def] >>
qabbrev_tac `b = &(2 ** (m - 1))` >>
`&((2:num) ** m) = 2 * b`
by (rw [Abbr `b`] >> Cases_on `m` >> fs [ADD1, EXP_ADD]) >>
`0 < b` by rw [Abbr `b`] >>
`0 < 2 * b ∧ 0 ≠ 2 * b ∧ b < 2 * b` by (rw [Abbr `b`] >> intLib.COOPER_TAC) >>
asm_simp_tac std_ss [num_mod_to_int_mod] >>
fs [mod_halfway] >>
`∃x. &(2 ** n) = 2 * b * 2 ** x`
by (
rw [Abbr `b`, GSYM EXP_ADD] >>
`2 = 2 ** 1` by rw [] >>
`∀x. 2 * 2 ** (m + x - 1) = 2 ** (1 + (m + x - 1))` by metis_tac [EXP_ADD] >>
rw [] >>
qexists_tac `n - m` >> rw []) >>
irule (METIS_PROVE [] ``x = y ⇒ f x = f y``) >>
fs [GSYM int_le] >>
rw [int_of_num2] >>
rw [intLib.COOPER_PROVE ``∀(x:int) b. 2 * b + (x - b) = b + x``] >>
`0 ≤ i % (2 * b) ∧ i % (2 * b) < 2 * b`
by (
`~(2 * b < 0) ∧ 2 * b ≠ 0` by intLib.COOPER_TAC >>
drule INT_MOD_BOUNDS >>
rw [])
>- (
`0 ≤ 2 * b * &(2 ** x) + i` by intLib.COOPER_TAC >>
rw [int_of_num2] >>
`2 * b ≠ 0` by intLib.COOPER_TAC >>
drule INT_MOD_ADD_MULTIPLES >>
rw [Once INT_MUL_COMM] >>
rw [Once (GSYM INT_MOD_PLUS)] >>
rw [INT_LESS_MOD] >>
simp [Once (GSYM int_sub_mod)] >>
rw [intLib.COOPER_PROVE ``∀x (b:int). x + b - (2 * b) = x - b``] >>
`i % (2 * b) − b < 2 * b` by intLib.COOPER_TAC >>
rw [INT_LESS_MOD])
>- (
rw [Once (GSYM INT_MOD_PLUS)] >>
rw [INT_LESS_MOD] >>
simp [Once (GSYM int_sub_mod)] >>
rw [intLib.COOPER_PROVE ``∀x (b:int). x + b - (2 * b) = x - b``] >>
`i % (2 * b) − b < 2 * b` by intLib.COOPER_TAC >>
rw [INT_LESS_MOD])
>- (
`0 ≤ 2 * b * &(2 ** x) + i` by intLib.COOPER_TAC >>
rw [int_of_num2] >>
`2 * b ≠ 0` by intLib.COOPER_TAC >>
drule INT_MOD_ADD_MULTIPLES >>
rw [Once INT_MUL_COMM] >>
rw [Once (GSYM INT_MOD_PLUS)] >>
rw [INT_LESS_MOD] >>
`i % (2 * b) + b < 2 * b` by intLib.COOPER_TAC >>
rw [INT_LESS_MOD] >>
intLib.COOPER_TAC)
>- (
rw [Once (GSYM INT_MOD_PLUS)] >>
rw [INT_LESS_MOD] >>
`i % (2 * b) + b < 2 * b` by intLib.COOPER_TAC >>
rw [INT_LESS_MOD] >>
intLib.COOPER_TAC)
QED
(* Relate the semantics of Convert to something more closely following the
* implementation *)
Definition Zextract_def:
Zextract (:'a) z off len = &w2n ((len+off-1 -- off) (i2w z : 'a word))
End
Definition Zsigned_extract_def:
Zsigned_extract (:'a) z off len = w2i ((len+off-1 --- off) (i2w z : 'a word))
End
(*
* Some tests of extract and signed_extract in both HOL and OCaml to check that
* we are defining the same thing *)
(*
EVAL ``
let bp1 = 0b11001100w : word8 in
let bp2 = 0b01011011w : word8 in
let i1 = &(w2n bp1) in
let i2 = w2i bp1 in
let i3 = &(w2n bp2) in
Zextract (:128) i1 0 8 = i1 ∧
Zextract (:128) i2 0 8 = i1 ∧
Zextract (:128) i3 0 8 = i3 ∧
Zsigned_extract (:128) i1 0 8 = i2 ∧
Zsigned_extract (:128) i2 0 8 = i2 ∧
Zsigned_extract (:128) i3 0 8 = i3 ∧
Zextract (:128) i1 2 4 = 3 ∧
Zextract (:128) i2 2 4 = 3 ∧
Zextract (:128) i1 2 5 = 19 ∧
Zextract (:128) i2 2 5 = 19 ∧
Zextract (:128) i3 1 2 = 1 ∧
Zextract (:128) i3 1 3 = 5 ∧
Zsigned_extract (:128) i1 2 4 = 3 ∧
Zsigned_extract (:128) i2 2 4 = 3 ∧
Zsigned_extract (:128) i1 2 5 = -13 ∧
Zsigned_extract (:128) i2 2 5 = -13 ∧
Zsigned_extract (:128) i3 1 2 = 1 ∧
Zsigned_extract (:128) i3 1 3 = -3``
let i1 = Z.of_int 0b11001100 in
let i2 = Z.of_int (-52) in
let i3 = Z.of_int 0b01011011 in
Z.extract i1 0 8 = i1 &&
Z.extract i2 0 8 = i1 &&
Z.extract i3 0 8 = i3 &&
Z.signed_extract i1 0 8 = i2 &&
Z.signed_extract i2 0 8 = i2 &&
Z.signed_extract i3 0 8 = i3 &&
Z.extract i1 2 4 = Z.of_int 3 &&
Z.extract i2 2 4 = Z.of_int 3 &&
Z.extract i1 2 5 = Z.of_int 19 &&
Z.extract i2 2 5 = Z.of_int 19 &&
Z.extract i3 1 2 = Z.of_int 1 &&
Z.extract i3 1 3 = Z.of_int 5 &&
Z.signed_extract i1 2 4 = Z.of_int 3 &&
Z.signed_extract i2 2 4 = Z.of_int 3 &&
Z.signed_extract i1 2 5 = Z.of_int (-13) &&
Z.signed_extract i2 2 5 = Z.of_int (-13) &&
Z.signed_extract i3 1 2 = Z.of_int 1 &&
Z.signed_extract i3 1 3 = Z.of_int (-3);;
*)
Theorem Zextract0:
dimindex (:'b) ≤ dimindex (:'a)
⇒
Zextract (:'a) i 0 (dimindex (:'b)) = &w2n (i2w i : 'b word)
Proof
rw [Zextract_def] >>
`w2n ((dimindex (:β) − 1 -- 0) (i2w i : 'a word)) =
w2n (w2w (i2w i : 'a word) : 'b word)`
by (
rw [w2n_w2w] >>
`dimindex (:'b) = dimindex (:'a)` by decide_tac >>
fs [WORD_ALL_BITS]) >>
rw [w2w_i2w]
QED
Theorem Zsigned_extract0:
dimindex (:'b) ≤ dimindex (:'a)
⇒
Zsigned_extract (:'a) i 0 (dimindex (:'b)) = w2i (i2w i : 'b word)
Proof
rw [Zsigned_extract_def] >>
rw [word_sign_extend_bits, word_sign_extend_def, ADD1] >>
`0 < dimindex (:'b) ⇒ dimindex (:'b) - 1 + 1 = dimindex (:'b)` by decide_tac >>
`min (dimindex (:β)) (dimindex (:α)) = dimindex (:β)` by fs [MIN_DEF] >>
rw [] >>
`w2n ((dimindex (:β) − 1 -- 0) (i2w i : 'a word)) =
w2n (w2w (i2w i : 'a word) : 'b word)`
by (
rw [w2n_w2w] >>
`dimindex (:'b) = dimindex (:'a)` by decide_tac >>
fs [WORD_ALL_BITS]) >>
rw [GSYM sw2sw_def, w2w_i2w] >>
rw [w21_sw2sw_extend]
QED
Theorem signed_extract_truncate_2comp:
dimindex (:'b) ≤ dimindex (:'a)
⇒
Zsigned_extract (:'a) i 0 (dimindex (:'b)) = truncate_2comp i (dimindex (:'b))
Proof
rw [] >>
drule Zsigned_extract0 >> rw [] >>
metis_tac [truncate_2comp_i2w_w2i]
QED
Theorem unsigned_extract_truncate_2comp:
dimindex (:'b) ≤ dimindex (:'a)
⇒
Zextract (:'a) i 0 (dimindex (:'b)) = &signed2unsigned (truncate_2comp i (dimindex (:'b))) (dimindex (:'b))
Proof
rw [] >> drule Zextract0 >> rw [w2n_i2w] >>
`∃n. -i ≤ 2 ** n ∧ dimindex (:'b) ≤ n`
by (
Cases_on `i < 0` >> rw []
>- (
`∃j. i = -&j` by intLib.COOPER_TAC >>
rw [] >>
`1 < 2` by decide_tac >>
drule EXP_ALWAYS_BIG_ENOUGH >>
disch_then (qspec_then `j` mp_tac) >>
rw [] >>
qexists_tac `MAX m (dimindex (:'b))` >>
rw [MAX_DEF] >>
drule bitTheory.TWOEXP_MONO >>
intLib.COOPER_TAC)
>- (
`∃j. i = &j` by intLib.COOPER_TAC >>
rw [] >>
metis_tac [])) >>
`0 < dimword (:'b) ∧ 0 < dimindex (:'b)` by rw [DIMINDEX_GT_0, ZERO_LT_dimword] >>
`0 ≠ dimindex (:'b) ∧ 0 ≠ dimword (:'b)` by decide_tac >>
drule unsigned_truncate >>
ntac 2 (disch_then drule) >>
rw [GSYM dimword_def] >>
rw [signed2unsigned_def]
>- (
asm_simp_tac std_ss [GSYM INT_MOD] >>
`0 ≤ &(2 ** n) + i`
by (fs [INT_EXP] >> intLib.COOPER_TAC) >>
asm_simp_tac std_ss [int_of_num2] >>
`∃j. i = -&j` by intLib.COOPER_TAC >>
rw [] >>
`∃x. &(2 ** n) = dimword (:'b) * 2 ** x`
by (
rw [GSYM EXP_ADD, dimword_def] >>
qexists_tac `n - dimindex (:'b)` >> rw []) >>
rw [] >>
`&dimword (:β) ≠ 0` by intLib.COOPER_TAC >>
drule INT_MOD_ADD_MULTIPLES >>
simp_tac std_ss [Once INT_MUL_COMM, GSYM INT_MUL])
>- (
`∃j. i = &j` by intLib.COOPER_TAC >>
rw [])
QED
Definition simp_signed_def:
simp_signed (:'a) bits arg to_t =
case arg of
| Integer data _ => Integer (Zsigned_extract (:'a) data 0 bits) to_t
| _ => Signed bits arg to_t
End
Definition simp_unsigned_def:
simp_unsigned (:'a) bits arg to_t =
case arg of
| Integer data _ => Integer (Zextract (:'a) data 0 bits) to_t
| _ => Signed bits arg to_t
End
Theorem signed_implementation_fits:
∀const i to_t from_t.
dimindex (:'b) ≤ sizeof_bits to_t ∧
dimindex (:'b) ≤ dimindex (:'a)
⇒
∃i2.
simp_signed (:'a) (dimindex (:'b)) (Integer i from_t) to_t =
Integer i2 to_t ∧ ifits i2 (sizeof_bits to_t)
Proof
rw [simp_signed_def] >>
drule Zsigned_extract0 >> rw [] >>
`ifits (w2i (i2w i : 'b word)) (dimindex (:'b))` by metis_tac [ifits_w2i] >>
metis_tac [ifits_mono]
QED
Theorem unsigned_implementation_fits:
∀const i to_t from_t.
dimindex (:'b) < sizeof_bits to_t ∧
dimindex (:'b) ≤ dimindex (:'a)
⇒
∃i2.
simp_unsigned (:'a) (dimindex (:'b)) (Integer i from_t) to_t =
Integer i2 to_t ∧ ifits i2 (sizeof_bits to_t)
Proof
rw [simp_unsigned_def] >>
drule Zextract0 >> rw [] >> rw [w2n_i2w] >>
fs [ifits_def, dimword_def] >> rw [] >>
qspecl_then [`i`, `&(2 ** dimindex (:β))`] mp_tac INT_MOD_BOUNDS >>
rw []
>- (
`0 <= (2:num) ** (sizeof_bits to_t − 1)` by intLib.COOPER_TAC >>
intLib.COOPER_TAC)
>- (
`2 ** dimindex (:'b) ≤ 2 ** (sizeof_bits to_t - 1)` suffices_by intLib.COOPER_TAC >>
rw [])
QED
Theorem signed_implementation:
∀to_t i from_t h m n.
dimindex (:'b) ≤ sizeof_bits to_t ∧
dimindex (:'b) ≤ dimindex (:'a) ∧
from_t = IntegerT m ∧
to_t = IntegerT n ∧
0 < m ∧
ifits i m
⇒
eval_exp h (Signed (dimindex (:'b)) (Integer i from_t) to_t) =
eval_exp h (simp_signed (:'a) (dimindex (:'b)) (Integer i from_t) to_t)
Proof
rw [EXTENSION, IN_DEF] >> simp [simp_signed_def] >>
ONCE_REWRITE_TAC [eval_exp_cases] >>
fs [] >>
ONCE_REWRITE_TAC [eval_exp_cases] >> rw [] >>
`0 < m` by decide_tac >>
`truncate_2comp i m = i` by metis_tac [fits_ident] >>
rw [] >> fs [sizeof_bits_def] >>
irule (METIS_PROVE [] ``y = z ⇒ (x = y ⇔ x = z)``) >> rw [] >>
rw [signed_extract_truncate_2comp] >>
`0 < dimindex (:'b)` by metis_tac [DIMINDEX_GT_0] >>
`0 < n` by decide_tac >>
`ifits (truncate_2comp i (dimindex (:β))) n` suffices_by metis_tac [fits_ident] >>
metis_tac [truncate_2comp_fits, ifits_mono]
QED
Theorem unsigned_implementation:
∀to_t i from_t h m n.
dimindex (:'b) < sizeof_bits to_t ∧
dimindex (:'b) ≤ dimindex (:'a) ∧
from_t = IntegerT m ∧
to_t = IntegerT n ∧
0 < m ∧
ifits i m
⇒
eval_exp h (Unsigned (dimindex (:'b)) (Integer i from_t) to_t) =
eval_exp h (simp_unsigned (:'a) (dimindex (:'b)) (Integer i from_t) to_t)
Proof
rw [EXTENSION, IN_DEF] >> simp [simp_unsigned_def] >>
ONCE_REWRITE_TAC [eval_exp_cases] >>
fs [] >>
ONCE_REWRITE_TAC [eval_exp_cases] >> rw [] >>
`0 < m` by decide_tac >>
`truncate_2comp i m = i` by metis_tac [fits_ident] >>
rw [] >> fs [sizeof_bits_def] >>
irule (METIS_PROVE [] ``y = z ⇒ (x = y ⇔ x = z)``) >> rw [] >>
rw [unsigned_extract_truncate_2comp] >>
`0 < dimindex (:'b)` by metis_tac [DIMINDEX_GT_0] >>
`0 < n` by decide_tac >>
`ifits (&signed2unsigned (truncate_2comp i (dimindex (:β))) (dimindex (:'b))) n` suffices_by metis_tac [fits_ident] >>
irule ifits_mono >>
qexists_tac `dimindex (:'b) + 1` >> rw [] >>
metis_tac [truncate_2comp_fits, signed2unsigned_fits]
QED
export_theory ();