|  |  | (*
 | 
						
						
						
							|  |  |  * Copyright (c) Facebook, Inc. and its affiliates.
 | 
						
						
						
							|  |  |  *
 | 
						
						
						
							|  |  |  * This source code is licensed under the MIT license found in the
 | 
						
						
						
							|  |  |  * LICENSE file in the root directory of this source tree.
 | 
						
						
						
							|  |  |  *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* Properties of the mini-LLVM model *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | open HolKernel boolLib bossLib Parse;
 | 
						
						
						
							|  |  | open pairTheory listTheory rich_listTheory arithmeticTheory wordsTheory;
 | 
						
						
						
							|  |  | open pred_setTheory finite_mapTheory relationTheory llistTheory pathTheory;
 | 
						
						
						
							|  |  | open optionTheory;
 | 
						
						
						
							|  |  | open logrootTheory numposrepTheory;
 | 
						
						
						
							|  |  | open settingsTheory miscTheory memory_modelTheory llvmTheory;
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | new_theory "llvm_prop";
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | numLib.prefer_num();
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* ----- Theorems about converting between values and byte lists ----- *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem value_type_is_fc:
 | 
						
						
						
							|  |  |   ∀t v. value_type t v ⇒ first_class_type t
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac value_type_ind >> rw [first_class_type_def] >>
 | 
						
						
						
							|  |  |   fs [LIST_REL_EL_EQN, EVERY_EL]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem sizeof_type_to_shape:
 | 
						
						
						
							|  |  |   ∀t. first_class_type t ⇒ sizeof (type_to_shape t) = sizeof t
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct type_to_shape_ind >>
 | 
						
						
						
							|  |  |   rw [type_to_shape_def, memory_modelTheory.sizeof_def, llvmTheory.sizeof_def,
 | 
						
						
						
							|  |  |       first_class_type_def, EVERY_MEM] >>
 | 
						
						
						
							|  |  |     qid_spec_tac `vs` >> Induct_on `ts` >> rw [] >> fs []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem value_type_to_shape:
 | 
						
						
						
							|  |  |   ∀t v.
 | 
						
						
						
							|  |  |     value_type t v ⇒
 | 
						
						
						
							|  |  |     ∀s.
 | 
						
						
						
							|  |  |     value_shape (\n t x. n = fst (unconvert_value x) ∧ value_type t (FlatV x)) (type_to_shape t) v
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac value_type_ind >>
 | 
						
						
						
							|  |  |   rw [memory_modelTheory.sizeof_def, llvmTheory.sizeof_def, type_to_shape_def,
 | 
						
						
						
							|  |  |       unconvert_value_def, value_shape_def] >>
 | 
						
						
						
							|  |  |   fs [value_shapes_list_rel, LIST_REL_CONJ, ETA_THM, EVERY2_MAP] >>
 | 
						
						
						
							|  |  |   metis_tac [value_type_rules]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem llvm_v2b_size:
 | 
						
						
						
							|  |  |   ∀t v. value_type t v ⇒ length (llvm_value_to_bytes v) = sizeof t
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [llvm_value_to_bytes_def] >>
 | 
						
						
						
							|  |  |   drule value_type_to_shape >> rw [] >>
 | 
						
						
						
							|  |  |   drule value_type_is_fc >> rw [] >>
 | 
						
						
						
							|  |  |   drule sizeof_type_to_shape >>
 | 
						
						
						
							|  |  |   disch_then (mp_tac o GSYM) >> rw [] >>
 | 
						
						
						
							|  |  |   irule v2b_size >> rw [] >>
 | 
						
						
						
							|  |  |   qmatch_assum_abbrev_tac `value_shape f _ _` >>
 | 
						
						
						
							|  |  |   qexists_tac `f` >> rw [] >>
 | 
						
						
						
							|  |  |   unabbrev_all_tac >> fs []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem b2llvm_v_size:
 | 
						
						
						
							|  |  |   ∀t bs. first_class_type t ∧ sizeof t ≤ length bs ⇒
 | 
						
						
						
							|  |  |     ∃v. bytes_to_llvm_value t bs = (v, drop (sizeof t) bs)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [bytes_to_llvm_value_def] >>
 | 
						
						
						
							|  |  |   drule sizeof_type_to_shape >> disch_then (mp_tac o GSYM) >> rw [] >>
 | 
						
						
						
							|  |  |   fs [PAIR_MAP] >>
 | 
						
						
						
							|  |  |   metis_tac [SND, b2v_size]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem b2llvm_v_smaller:
 | 
						
						
						
							|  |  |    ∀t bs. first_class_type t ∧ sizeof t ≤ length bs ⇒
 | 
						
						
						
							|  |  |     length (snd (bytes_to_llvm_value t bs)) = length bs - sizeof t
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [bytes_to_llvm_value_def] >>
 | 
						
						
						
							|  |  |   metis_tac [b2v_smaller, sizeof_type_to_shape]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem b2llvm_v_append:
 | 
						
						
						
							|  |  |   ∀t bs bs'. first_class_type t ∧ sizeof t ≤ length bs ⇒
 | 
						
						
						
							|  |  |     bytes_to_llvm_value t (bs ++ bs') = (I ## (λx. x ++ bs')) (bytes_to_llvm_value t bs)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [bytes_to_llvm_value_def] >>
 | 
						
						
						
							|  |  |   drule sizeof_type_to_shape >> disch_then (mp_tac o GSYM) >> rw [] >> fs [] >>
 | 
						
						
						
							|  |  |   rw [PAIR_MAP, b2v_append]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem b2v_llvm_v2b:
 | 
						
						
						
							|  |  |   ∀v t bs. value_type t v ⇒ bytes_to_llvm_value t (llvm_value_to_bytes v ++ bs) = (v, bs)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [bytes_to_llvm_value_def, llvm_value_to_bytes_def] >>
 | 
						
						
						
							|  |  |   drule value_type_to_shape >> rw [] >>
 | 
						
						
						
							|  |  |   qmatch_assum_abbrev_tac `value_shape f _ _` >>
 | 
						
						
						
							|  |  |   irule b2v_v2b >>
 | 
						
						
						
							|  |  |   qexists_tac `f` >> rw [] >>
 | 
						
						
						
							|  |  |   unabbrev_all_tac >> fs [] >>
 | 
						
						
						
							|  |  |   fs [unconvert_value_def, convert_value_def, value_type_cases, pointer_size_def] >>
 | 
						
						
						
							|  |  |   wordsLib.WORD_DECIDE_TAC
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* ----- Theorems about insert/extract value and get_offset ----- *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem can_extract:
 | 
						
						
						
							|  |  |   ∀v indices t.
 | 
						
						
						
							|  |  |     indices_ok t indices ∧ value_type t v ⇒ extract_value v indices ≠ None
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct extract_value_ind >> rw [extract_value_def]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> rw [value_type_cases] >> fs [indices_ok_def] >>
 | 
						
						
						
							|  |  |     metis_tac [LIST_REL_LENGTH])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> rw [value_type_cases] >> fs [indices_ok_def] >>
 | 
						
						
						
							|  |  |     metis_tac [EVERY_EL, LIST_REL_EL_EQN]) >>
 | 
						
						
						
							|  |  |   Cases_on `t` >> fs [indices_ok_def] >> simp [value_type_cases]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem can_insert:
 | 
						
						
						
							|  |  |   ∀v v2 indices t.
 | 
						
						
						
							|  |  |     indices_ok t indices ∧ value_type t v ⇒ insert_value v v2 indices ≠ None
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct insert_value_ind >> rw [insert_value_def]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> rw [value_type_cases] >> fs [indices_ok_def] >>
 | 
						
						
						
							|  |  |     metis_tac [LIST_REL_LENGTH])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> rw [value_type_cases] >> fs [indices_ok_def] >>
 | 
						
						
						
							|  |  |     CASE_TAC >> fs [] >> rfs [] >>
 | 
						
						
						
							|  |  |     metis_tac [EVERY_EL, LIST_REL_EL_EQN]) >>
 | 
						
						
						
							|  |  |   Cases_on `t` >> fs [indices_ok_def] >> simp [value_type_cases]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem extract_insertvalue:
 | 
						
						
						
							|  |  |   ∀v1 v2 indices v3.
 | 
						
						
						
							|  |  |     insert_value v1 v2 indices = Some v3
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     extract_value v3 indices = Some v2
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct insert_value_ind >> rw [insert_value_def, extract_value_def] >>
 | 
						
						
						
							|  |  |   pop_assum mp_tac >> CASE_TAC >> fs [] >> rfs [] >>
 | 
						
						
						
							|  |  |   rw [] >> simp [extract_value_def, EL_LUPDATE]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem extract_insertvalue_other:
 | 
						
						
						
							|  |  |   ∀v1 v2 indices1 indices2 v3.
 | 
						
						
						
							|  |  |     insert_value v1 v2 indices1 = Some v3 ∧
 | 
						
						
						
							|  |  |     ¬(indices1 ≼ indices2) ∧ ¬(indices2 ≼ indices1)
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     extract_value v3 indices2 = extract_value v1 indices2
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct insert_value_ind >> rw [insert_value_def, extract_value_def] >>
 | 
						
						
						
							|  |  |   qpat_x_assum `_ = SOME _` mp_tac >> CASE_TAC >> rw [] >> rfs [] >>
 | 
						
						
						
							|  |  |   qpat_x_assum `¬case _ of [] => F | h::t => P h t` mp_tac >>
 | 
						
						
						
							|  |  |   CASE_TAC >> fs [] >> rename1 `idx::is` >>
 | 
						
						
						
							|  |  |   fs [extract_value_def] >> rw [EL_LUPDATE]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem insert_extractvalue:
 | 
						
						
						
							|  |  |   ∀v1 indices v2.
 | 
						
						
						
							|  |  |     extract_value v1 indices = Some v2
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     insert_value v1 v2 indices = Some v1
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct extract_value_ind >> rw [insert_value_def, extract_value_def] >> fs [] >>
 | 
						
						
						
							|  |  |   rw [LUPDATE_SAME]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Definition indices_in_range_def:
 | 
						
						
						
							|  |  |   (indices_in_range t [] ⇔ T) ∧
 | 
						
						
						
							|  |  |   (indices_in_range (ArrT n t) (i::is) ⇔
 | 
						
						
						
							|  |  |     i < n ∧ indices_in_range t is) ∧
 | 
						
						
						
							|  |  |   (indices_in_range (StrT ts) (i::is) ⇔
 | 
						
						
						
							|  |  |     i < length ts ∧ indices_in_range (el i ts) is) ∧
 | 
						
						
						
							|  |  |   (indices_in_range _ _ ⇔ F)
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* The strict inequality does not hold because of 0 length arrays *)
 | 
						
						
						
							|  |  | Theorem offset_size_leq:
 | 
						
						
						
							|  |  |   ∀t indices n.
 | 
						
						
						
							|  |  |     indices_in_range t indices ∧ get_offset t indices = Some n
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     n ≤ sizeof t
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct get_offset_ind >> rw [get_offset_def, llvmTheory.sizeof_def, indices_in_range_def] >>
 | 
						
						
						
							|  |  |   BasicProvers.EVERY_CASE_TAC >> fs [] >> rw [] >> rfs []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `x + i * sizeof t ≤ (i + 1) * sizeof t` by decide_tac >>
 | 
						
						
						
							|  |  |     `i + 1 ≤ v1` by decide_tac >>
 | 
						
						
						
							|  |  |     metis_tac [LESS_MONO_MULT, LESS_EQ_TRANS]) >>
 | 
						
						
						
							|  |  |   rw [MAP_TAKE, ETA_THM] >>
 | 
						
						
						
							|  |  |   `take (Suc i) (map sizeof ts) = take i (map sizeof ts) ++ [sizeof (el i ts)]`
 | 
						
						
						
							|  |  |   by rw [GSYM SNOC_EL_TAKE, EL_MAP] >>
 | 
						
						
						
							|  |  |   `take (Suc i) (map sizeof ts) ≼ (map sizeof ts)` by rw [take_is_prefix] >>
 | 
						
						
						
							|  |  |   drule sum_prefix >> rw [SUM_APPEND]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem extract_type_fc:
 | 
						
						
						
							|  |  |   ∀t is t'. extract_type t is = Some t' ∧ first_class_type t ⇒ first_class_type t'
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct extract_type_ind >> rw [extract_type_def, first_class_type_def] >>
 | 
						
						
						
							|  |  |   rw [] >> fs [] >> fs [EVERY_EL]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem extract_offset_size:
 | 
						
						
						
							|  |  |   ∀t indices n t'.
 | 
						
						
						
							|  |  |     extract_type t indices = Some t' ∧
 | 
						
						
						
							|  |  |     get_offset t indices = Some n
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     sizeof t' ≤ sizeof t - n
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct get_offset_ind >> rw [get_offset_def, extract_type_def] >>
 | 
						
						
						
							|  |  |   BasicProvers.EVERY_CASE_TAC >> fs [llvmTheory.sizeof_def] >> rfs [] >> rw [ETA_THM]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `sizeof t ≤ (v1  − i) * sizeof t` suffices_by decide_tac  >>
 | 
						
						
						
							|  |  |     `1 ≤ v1 - i` by decide_tac >>
 | 
						
						
						
							|  |  |     rw []) >>
 | 
						
						
						
							|  |  |   rw [MAP_TAKE] >>
 | 
						
						
						
							|  |  |   `sizeof (el i ts) ≤ sum (map sizeof ts) − (sum (take i (map sizeof ts)))`
 | 
						
						
						
							|  |  |   suffices_by decide_tac >>
 | 
						
						
						
							|  |  |   qpat_x_assum `_ < _` mp_tac >> rpt (pop_assum kall_tac) >> qid_spec_tac `i` >>
 | 
						
						
						
							|  |  |   Induct_on `ts` >> rw [TAKE_def, EL_CONS, PRE_SUB1]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem llvm_value_to_bytes_agg:
 | 
						
						
						
							|  |  |   ∀vs. llvm_value_to_bytes (AggV vs) = flat (map llvm_value_to_bytes vs)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   Induct >> rw [] >> fs [llvm_value_to_bytes_def, value_to_bytes_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem read_from_offset_extract:
 | 
						
						
						
							|  |  |   ∀t indices n v t'.
 | 
						
						
						
							|  |  |     indices_in_range t indices ∧
 | 
						
						
						
							|  |  |     get_offset t indices = Some n ∧
 | 
						
						
						
							|  |  |     value_type t v ∧
 | 
						
						
						
							|  |  |     extract_type t indices = Some t'
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     extract_value v indices = Some (fst (bytes_to_llvm_value t' (drop n (llvm_value_to_bytes v))))
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   recInduct get_offset_ind >>
 | 
						
						
						
							|  |  |   rw [extract_value_def, get_offset_def, extract_type_def, indices_in_range_def] >>
 | 
						
						
						
							|  |  |   simp [DROP_0]
 | 
						
						
						
							|  |  |   >- metis_tac [APPEND_NIL, FST, b2v_llvm_v2b] >>
 | 
						
						
						
							|  |  |   qpat_x_assum `value_type _ _` mp_tac >>
 | 
						
						
						
							|  |  |   simp [Once value_type_cases] >> rw [] >> simp [extract_value_def] >>
 | 
						
						
						
							|  |  |   qpat_x_assum `_ = Some n` mp_tac >> CASE_TAC >> rw [] >> rfs [] >>
 | 
						
						
						
							|  |  |   simp [llvm_value_to_bytes_agg]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `value_type t (el i vs)` by metis_tac [EVERY_EL] >>
 | 
						
						
						
							|  |  |     first_x_assum drule >>
 | 
						
						
						
							|  |  |     rw [] >> simp [GSYM DROP_DROP_T, ETA_THM] >>
 | 
						
						
						
							|  |  |     `i * sizeof t = length (flat (take i (map llvm_value_to_bytes vs)))`
 | 
						
						
						
							|  |  |     by (
 | 
						
						
						
							|  |  |       simp [LENGTH_FLAT, MAP_TAKE, MAP_MAP_o, combinTheory.o_DEF] >>
 | 
						
						
						
							|  |  |       `map (λx. length (llvm_value_to_bytes x)) vs = replicate (length vs) (sizeof t)`
 | 
						
						
						
							|  |  |       by (
 | 
						
						
						
							|  |  |         qpat_x_assum `every _ _` mp_tac >> rpt (pop_assum kall_tac) >>
 | 
						
						
						
							|  |  |         Induct_on `vs` >> rw [llvm_v2b_size]) >>
 | 
						
						
						
							|  |  |       rw [take_replicate, MIN_DEF]) >>
 | 
						
						
						
							|  |  |     rw [GSYM flat_drop, GSYM MAP_DROP] >>
 | 
						
						
						
							|  |  |     drule DROP_CONS_EL >> simp [DROP_APPEND] >> disch_then kall_tac >>
 | 
						
						
						
							|  |  |     `first_class_type t'` by metis_tac [value_type_is_fc, extract_type_fc] >>
 | 
						
						
						
							|  |  |     `sizeof t' ≤ length (drop x (llvm_value_to_bytes (el i vs)))`
 | 
						
						
						
							|  |  |     by (simp [LENGTH_DROP] >> drule llvm_v2b_size >> rw [] >> metis_tac [extract_offset_size]) >>
 | 
						
						
						
							|  |  |     simp [b2llvm_v_append])
 | 
						
						
						
							|  |  |   >- metis_tac [LIST_REL_LENGTH]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `value_type (el i ts) (el i vs)` by metis_tac [LIST_REL_EL_EQN] >>
 | 
						
						
						
							|  |  |     first_x_assum drule >>
 | 
						
						
						
							|  |  |     rw [] >> simp [GSYM DROP_DROP_T, ETA_THM] >>
 | 
						
						
						
							|  |  |     `sum (map sizeof (take i ts)) = length (flat (take i (map llvm_value_to_bytes vs)))`
 | 
						
						
						
							|  |  |     by (
 | 
						
						
						
							|  |  |       simp [LENGTH_FLAT, MAP_TAKE, MAP_MAP_o, combinTheory.o_DEF] >>
 | 
						
						
						
							|  |  |       `map sizeof ts = map (\x. length (llvm_value_to_bytes x)) vs`
 | 
						
						
						
							|  |  |       by (
 | 
						
						
						
							|  |  |         qpat_x_assum `list_rel _ _ _` mp_tac >> rpt (pop_assum kall_tac) >>
 | 
						
						
						
							|  |  |         qid_spec_tac `ts` >>
 | 
						
						
						
							|  |  |         Induct_on `vs` >> rw [] >> rw [llvm_v2b_size]) >>
 | 
						
						
						
							|  |  |       rw []) >>
 | 
						
						
						
							|  |  |     rw [GSYM flat_drop, GSYM MAP_DROP] >>
 | 
						
						
						
							|  |  |     `i < length vs` by metis_tac [LIST_REL_LENGTH] >>
 | 
						
						
						
							|  |  |     drule DROP_CONS_EL >> simp [DROP_APPEND] >> disch_then kall_tac >>
 | 
						
						
						
							|  |  |     `first_class_type t'` by metis_tac [value_type_is_fc, extract_type_fc] >>
 | 
						
						
						
							|  |  |     `sizeof t' ≤ length (drop x (llvm_value_to_bytes (el i vs)))`
 | 
						
						
						
							|  |  |     by (simp [LENGTH_DROP] >> drule llvm_v2b_size >> rw [] >> metis_tac [extract_offset_size]) >>
 | 
						
						
						
							|  |  |     simp [b2llvm_v_append])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* ----- Theorems about the step function ----- *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem w64_cast_some:
 | 
						
						
						
							|  |  |   ∀w t.
 | 
						
						
						
							|  |  |     (w64_cast w t = Some v)
 | 
						
						
						
							|  |  |     ⇔
 | 
						
						
						
							|  |  |     v = FlatV (W1V (w2w w)) ∧ t = IntT W1 ∨
 | 
						
						
						
							|  |  |     v = FlatV (W8V (w2w w)) ∧ t = IntT W8 ∨
 | 
						
						
						
							|  |  |     v = FlatV (W32V (w2w w)) ∧ t = IntT W32 ∨
 | 
						
						
						
							|  |  |     v = FlatV (W64V (w2w w)) ∧ t = IntT W64
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   Cases_on `t` >> rw [w64_cast_def] >> Cases_on `s` >> rw [w64_cast_def] >>
 | 
						
						
						
							|  |  |   metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem unsigned_v_to_num_some:
 | 
						
						
						
							|  |  |   ∀v n.
 | 
						
						
						
							|  |  |     (unsigned_v_to_num v = Some n)
 | 
						
						
						
							|  |  |     ⇔
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W1V w) ∧ n = w2n w) ∨
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W8V w) ∧ n = w2n w) ∨
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W32V w) ∧ n = w2n w) ∨
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W64V w) ∧ n = w2n w)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   Cases_on `v` >> rw [unsigned_v_to_num_def] >>
 | 
						
						
						
							|  |  |   Cases_on `a` >> rw [unsigned_v_to_num_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem signed_v_to_int_some:
 | 
						
						
						
							|  |  |   ∀v n.
 | 
						
						
						
							|  |  |     (signed_v_to_int v = Some n)
 | 
						
						
						
							|  |  |     ⇔
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W1V w) ∧ n = w2i w) ∨
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W8V w) ∧ n = w2i w) ∨
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W32V w) ∧ n = w2i w) ∨
 | 
						
						
						
							|  |  |     (∃w. v = FlatV (W64V w) ∧ n = w2i w)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   Cases_on `v` >> rw [signed_v_to_int_def] >>
 | 
						
						
						
							|  |  |   Cases_on `a` >> rw [signed_v_to_int_def] >>
 | 
						
						
						
							|  |  |   metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem signed_v_to_num_some:
 | 
						
						
						
							|  |  |   ∀v n.
 | 
						
						
						
							|  |  |     (signed_v_to_num v = Some n)
 | 
						
						
						
							|  |  |     ⇔
 | 
						
						
						
							|  |  |     ∃m. 0 ≤ m ∧ n = Num m ∧
 | 
						
						
						
							|  |  |       ((∃w. v = FlatV (W1V w) ∧ m = w2i w) ∨
 | 
						
						
						
							|  |  |        (∃w. v = FlatV (W8V w) ∧ m = w2i w) ∨
 | 
						
						
						
							|  |  |        (∃w. v = FlatV (W32V w) ∧ m = w2i w) ∨
 | 
						
						
						
							|  |  |        (∃w. v = FlatV (W64V w) ∧ m = w2i w))
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [signed_v_to_num_def, OPTION_JOIN_EQ_SOME, signed_v_to_int_some] >>
 | 
						
						
						
							|  |  |   metis_tac [intLib.COOPER_PROVE ``!x:int. 0 ≤ x ⇔ ¬(x < 0)``]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem mk_ptr_some:
 | 
						
						
						
							|  |  |   ∀n p. mk_ptr n = Some p ⇔ n < 256 ** pointer_size ∧ p = FlatV (PtrV (n2w n))
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [mk_ptr_def] >> metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* How many bytes a value of the given type occupies *)
 | 
						
						
						
							|  |  | Definition sizeof_bits_def:
 | 
						
						
						
							|  |  |   (sizeof_bits (IntT W1) = 1) ∧
 | 
						
						
						
							|  |  |   (sizeof_bits (IntT W8) = 8) ∧
 | 
						
						
						
							|  |  |   (sizeof_bits (IntT W32) = 32) ∧
 | 
						
						
						
							|  |  |   (sizeof_bits (IntT W64) = 64) ∧
 | 
						
						
						
							|  |  |   (sizeof_bits (PtrT _) = pointer_size) ∧
 | 
						
						
						
							|  |  |   (sizeof_bits (ArrT n t) = n * sizeof_bits t) ∧
 | 
						
						
						
							|  |  |   (sizeof_bits (StrT ts) = sum (map sizeof_bits ts))
 | 
						
						
						
							|  |  | Termination
 | 
						
						
						
							|  |  |   WF_REL_TAC `measure ty_size` >> simp [] >>
 | 
						
						
						
							|  |  |   Induct >> rw [ty_size_def] >> simp [] >>
 | 
						
						
						
							|  |  |   first_x_assum drule >> decide_tac
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem do_cast_zext:
 | 
						
						
						
							|  |  |   (∃t'. sizeof_bits t' < sizeof_bits t ∧ value_type t' v) ∧ do_cast Zext v t = Some v'
 | 
						
						
						
							|  |  |   ⇒
 | 
						
						
						
							|  |  |   unsigned_v_to_num v = unsigned_v_to_num v'
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [do_cast_def, OPTION_JOIN_EQ_SOME, w64_cast_some] >>
 | 
						
						
						
							|  |  |   fs [unsigned_v_to_num_def, unsigned_v_to_num_some, sizeof_bits_def, value_type_cases] >>
 | 
						
						
						
							|  |  |   rw [w2n_11, w2w_n2w]  >>
 | 
						
						
						
							|  |  |   fs [sizeof_bits_def]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `w2n w' < dimword (:1)` by metis_tac [w2n_lt] >>
 | 
						
						
						
							|  |  |     fs [dimword_1])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `w2n w' < dimword (:1)` by metis_tac [w2n_lt] >>
 | 
						
						
						
							|  |  |     fs [dimword_1])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `w2n w' < dimword (:8)` by metis_tac [w2n_lt] >>
 | 
						
						
						
							|  |  |     fs [dimword_1])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `w2n w' < dimword (:1)` by metis_tac [w2n_lt] >>
 | 
						
						
						
							|  |  |     fs [dimword_1])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `w2n w' < dimword (:8)` by metis_tac [w2n_lt] >>
 | 
						
						
						
							|  |  |     fs [dimword_1])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `w2n w' < dimword (:32)` by metis_tac [w2n_lt] >>
 | 
						
						
						
							|  |  |     fs [dimword_1])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | val trunc_thms =
 | 
						
						
						
							|  |  |   LIST_CONJ (map (fn x => SIMP_RULE (srw_ss()) [] (INST_TYPE [``:'a`` |-> x] (GSYM truncate_2comp_i2w_w2i)))
 | 
						
						
						
							|  |  |                  [``:1``, ``:8``, ``:32``, ``:64``]);
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | val ifits_thms =
 | 
						
						
						
							|  |  |   LIST_CONJ (map (fn x => SIMP_RULE (srw_ss()) [] (INST_TYPE [``:'a`` |-> x] (ifits_w2i )))
 | 
						
						
						
							|  |  |                  [``:1``, ``:8``, ``:32``, ``:64``]);
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem do_cast_sext:
 | 
						
						
						
							|  |  |   (∃t'. sizeof_bits t' < sizeof_bits t ∧ value_type t' v) ∧ do_cast Sext v t = Some v'
 | 
						
						
						
							|  |  |   ⇒
 | 
						
						
						
							|  |  |   signed_v_to_int v = signed_v_to_int v'
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [do_cast_def, OPTION_JOIN_EQ_SOME, w64_cast_some] >>
 | 
						
						
						
							|  |  |   fs [signed_v_to_int_def, signed_v_to_num_some, sizeof_bits_def, value_type_cases] >>
 | 
						
						
						
							|  |  |   rw [] >>
 | 
						
						
						
							|  |  |   fs [sizeof_bits_def, signed_v_to_int_def] >> rw [integer_wordTheory.w2w_i2w] >>
 | 
						
						
						
							|  |  |   rw [trunc_thms, GSYM fits_ident] >>
 | 
						
						
						
							|  |  |   rw [ifits_thms] >>
 | 
						
						
						
							|  |  |   metis_tac [ifits_thms, ifits_mono, DECIDE ``1 ≤ 8 ∧ 1 ≤ 32 ∧ 8 ≤ 32 ∧ 1 ≤ 64 ∧ 8 ≤ 64 ∧ 32 ≤ 64``]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem get_instr_func:
 | 
						
						
						
							|  |  |   ∀p ip i1 i2. get_instr p ip i1 ∧ get_instr p ip i2 ⇒ i1 = i2
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [get_instr_cases] >> fs [] >> rw [] >> fs [] >> rw [] >> fs []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem inc_pc_invariant:
 | 
						
						
						
							|  |  |   ∀p s i. prog_ok p ∧ get_instr p s.ip (Inl i) ∧ ¬terminator i ∧ state_invariant p s ⇒ state_invariant p (inc_pc s)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [state_invariant_def, inc_pc_def, allocations_ok_def, globals_ok_def,
 | 
						
						
						
							|  |  |       stack_ok_def, frame_ok_def, heap_ok_def, EVERY_EL, ip_ok_def, inc_bip_def,
 | 
						
						
						
							|  |  |       METIS_PROVE [] ``x ∨ y ⇔ ~x ⇒ y``]
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qexists_tac `dec` >> qexists_tac `block'` >> rw [] >>
 | 
						
						
						
							|  |  |     fs [prog_ok_def, get_instr_cases] >> res_tac >> rw [] >>
 | 
						
						
						
							|  |  |     Cases_on `s.ip.i` >> fs [] >> rw [] >> fs [inc_bip_def] >>
 | 
						
						
						
							|  |  |     `idx ≠ length block'.body - 1` suffices_by decide_tac >>
 | 
						
						
						
							|  |  |     CCONTR_TAC >> fs [] >> rfs [LAST_EL, PRE_SUB1]) >>
 | 
						
						
						
							|  |  |   metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem get_instr_update:
 | 
						
						
						
							|  |  |   ∀p s i r v. get_instr p (update_result r v s).ip i <=> get_instr p s.ip i
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [get_instr_cases, update_result_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem update_invariant:
 | 
						
						
						
							|  |  |   ∀r v s. state_invariant p (update_result r v s) ⇔ state_invariant p s
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [update_result_def, state_invariant_def, ip_ok_def, allocations_ok_def,
 | 
						
						
						
							|  |  |       globals_ok_def, stack_ok_def, heap_ok_def, EVERY_EL, frame_ok_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem allocate_invariant:
 | 
						
						
						
							|  |  |   ∀p s1 v1 t v2 h2.
 | 
						
						
						
							|  |  |     state_invariant p s1 ∧ allocate s1.heap v1 t (v2,h2) ⇒ state_invariant p (s1 with heap := h2)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [state_invariant_def, ip_ok_def, globals_ok_def, stack_ok_def,
 | 
						
						
						
							|  |  |       METIS_PROVE [] ``x ∨ y ⇔ ~x ⇒ y``]
 | 
						
						
						
							|  |  |   >- metis_tac [allocate_heap_ok]
 | 
						
						
						
							|  |  |   >- (fs [is_allocated_def] >> metis_tac [allocate_unchanged, SUBSET_DEF])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     fs [EVERY_EL, frame_ok_def, allocate_unchanged] >> rw [] >>
 | 
						
						
						
							|  |  |     metis_tac [allocate_unchanged, SUBSET_DEF])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem set_bytes_invariant:
 | 
						
						
						
							|  |  |   ∀s poison bytes n prog b.
 | 
						
						
						
							|  |  |     state_invariant prog s ∧ is_allocated (Interval b n (n + length bytes)) s.heap
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     state_invariant prog (s with heap := set_bytes poison bytes n s.heap)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [state_invariant_def]
 | 
						
						
						
							|  |  |   >- metis_tac [set_bytes_heap_ok]
 | 
						
						
						
							|  |  |   >- (fs [globals_ok_def, is_allocated_def, set_bytes_unchanged] >> metis_tac [])
 | 
						
						
						
							|  |  |   >- (fs [stack_ok_def, EVERY_EL, frame_ok_def, set_bytes_unchanged])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Triviality not_none_eq:
 | 
						
						
						
							|  |  |   !x. x ≠ None ⇔ ∃y. x = Some y
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   Cases >> rw []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem step_instr_invariant:
 | 
						
						
						
							|  |  |   ∀p s1 i l s2.
 | 
						
						
						
							|  |  |     step_instr p s1 i l s2 ⇒ prog_ok p ∧ get_instr p s1.ip (Inl i) ∧ state_invariant p s1
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     state_invariant p s2
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac step_instr_ind >> rw []
 | 
						
						
						
							|  |  |   >- ( (* Ret *)
 | 
						
						
						
							|  |  |     rw [update_invariant] >> fs [state_invariant_def] >> rw []
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       fs [stack_ok_def] >> rfs [EVERY_EL, frame_ok_def] >>
 | 
						
						
						
							|  |  |       first_x_assum (qspec_then `0` mp_tac) >> simp [])
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       fs [heap_ok_def, deallocate_def, allocations_ok_def] >> rw []
 | 
						
						
						
							|  |  |       >- metis_tac []
 | 
						
						
						
							|  |  |       >- metis_tac [] >>
 | 
						
						
						
							|  |  |       fs [deallocate_def, heap_ok_def] >> rw [flookup_fdiff] >>
 | 
						
						
						
							|  |  |       eq_tac >> rw []
 | 
						
						
						
							|  |  |       >- metis_tac [NOT_IS_SOME_EQ_NONE]
 | 
						
						
						
							|  |  |       >- metis_tac [NOT_IS_SOME_EQ_NONE] >>
 | 
						
						
						
							|  |  |       fs [allocations_ok_def, stack_ok_def, EXTENSION] >> metis_tac [])
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       fs [globals_ok_def, deallocate_def] >> rw [] >>
 | 
						
						
						
							|  |  |       first_x_assum drule >> rw [] >> fs [is_allocated_def] >>
 | 
						
						
						
							|  |  |       qexists_tac `b2` >> rw [] >> CCONTR_TAC >> fs [interval_freeable_def])
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       fs [stack_ok_def, EVERY_MEM, frame_ok_def, deallocate_def] >> rfs [] >>
 | 
						
						
						
							|  |  |       rw []
 | 
						
						
						
							|  |  |       >- (
 | 
						
						
						
							|  |  |         res_tac >> rw [] >> qexists_tac `stop` >> rw [] >>
 | 
						
						
						
							|  |  |         fs [ALL_DISTINCT_APPEND, MEM_FLAT, MEM_MAP] >>
 | 
						
						
						
							|  |  |         metis_tac [])
 | 
						
						
						
							|  |  |       >- (
 | 
						
						
						
							|  |  |         fs [ALL_DISTINCT_APPEND])))
 | 
						
						
						
							|  |  |   >- ( (* Br *)
 | 
						
						
						
							|  |  |     fs [state_invariant_def] >> rw []
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       rw [ip_ok_def] >> fs [prog_ok_def] >>
 | 
						
						
						
							|  |  |       qpat_x_assum `alookup _ (Fn "main") = _` kall_tac >>
 | 
						
						
						
							|  |  |       fs [get_instr_cases] >>
 | 
						
						
						
							|  |  |       last_x_assum drule >> disch_then drule >> fs [] >> rw [] >>
 | 
						
						
						
							|  |  |       `terminator (el idx b.body)` by metis_tac [terminator_def] >>
 | 
						
						
						
							|  |  |       `last b.body = el idx b.body`
 | 
						
						
						
							|  |  |       by (
 | 
						
						
						
							|  |  |         Cases_on `idx = PRE (length b.body)` >> fs [EL_PRE_LENGTH] >>
 | 
						
						
						
							|  |  |         `Suc idx < length b.body` by decide_tac >>
 | 
						
						
						
							|  |  |         drule mem_el_front >> rw [] >> fs [EVERY_MEM] >>
 | 
						
						
						
							|  |  |         metis_tac []) >>
 | 
						
						
						
							|  |  |       qpat_x_assum `Br _ _ _ = _` (assume_tac o GSYM) >> fs [] >>
 | 
						
						
						
							|  |  |       fs [instr_to_labs_def, not_none_eq] >>
 | 
						
						
						
							|  |  |       metis_tac [])
 | 
						
						
						
							|  |  |     >- (fs [globals_ok_def] >> metis_tac [])
 | 
						
						
						
							|  |  |     >- (fs [stack_ok_def, frame_ok_def, EVERY_MEM] >> metis_tac []))
 | 
						
						
						
							|  |  |   >- ( (* Br *)
 | 
						
						
						
							|  |  |     fs [state_invariant_def] >> rw []
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       rw [ip_ok_def] >> fs [prog_ok_def] >>
 | 
						
						
						
							|  |  |       qpat_x_assum `alookup _ (Fn "main") = _` kall_tac >>
 | 
						
						
						
							|  |  |       fs [get_instr_cases] >>
 | 
						
						
						
							|  |  |       last_x_assum drule >> disch_then drule >> fs [] >> rw [] >>
 | 
						
						
						
							|  |  |       `terminator (el idx b.body)` by metis_tac [terminator_def] >>
 | 
						
						
						
							|  |  |       `last b.body = el idx b.body`
 | 
						
						
						
							|  |  |       by (
 | 
						
						
						
							|  |  |         Cases_on `idx = PRE (length b.body)` >> fs [EL_PRE_LENGTH] >>
 | 
						
						
						
							|  |  |         `Suc idx < length b.body` by decide_tac >>
 | 
						
						
						
							|  |  |         drule mem_el_front >> rw [] >> fs [EVERY_MEM] >>
 | 
						
						
						
							|  |  |         metis_tac []) >>
 | 
						
						
						
							|  |  |       qpat_x_assum `Br _ _ _ = _` (assume_tac o GSYM) >> fs [] >>
 | 
						
						
						
							|  |  |       fs [instr_to_labs_def, not_none_eq] >>
 | 
						
						
						
							|  |  |       metis_tac [])
 | 
						
						
						
							|  |  |     >- (fs [globals_ok_def] >> metis_tac [])
 | 
						
						
						
							|  |  |     >- (fs [stack_ok_def, frame_ok_def, EVERY_MEM] >> metis_tac []))
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     fs [state_invariant_def, globals_ok_def, stack_ok_def, frame_ok_def,
 | 
						
						
						
							|  |  |         EVERY_MEM] >>
 | 
						
						
						
							|  |  |     metis_tac [])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant]>>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant] >>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant] >>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- ( (* Allocation *)
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant]
 | 
						
						
						
							|  |  |     >- metis_tac [allocate_invariant]
 | 
						
						
						
							|  |  |     >- (fs [get_instr_cases, allocate_cases] >> metis_tac [terminator_def]))
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant] >>
 | 
						
						
						
							|  |  |     fs [get_instr_cases] >>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- ( (* Store *)
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant]
 | 
						
						
						
							|  |  |     >- (irule set_bytes_invariant >> rw [] >> metis_tac [])
 | 
						
						
						
							|  |  |     >- (fs [get_instr_cases] >> metis_tac [terminator_def]))
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant] >>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant] >>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     irule inc_pc_invariant >> rw [get_instr_update, update_invariant] >>
 | 
						
						
						
							|  |  |     metis_tac [terminator_def])
 | 
						
						
						
							|  |  |   >- ( (* Call *)
 | 
						
						
						
							|  |  |     rw [state_invariant_def]
 | 
						
						
						
							|  |  |     >- (fs [prog_ok_def, ip_ok_def] >> metis_tac [NOT_NIL_EQ_LENGTH_NOT_0])
 | 
						
						
						
							|  |  |     >- (fs [state_invariant_def, heap_ok_def] >> metis_tac [])
 | 
						
						
						
							|  |  |     >- (fs [state_invariant_def, globals_ok_def] >> metis_tac [])
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       fs [state_invariant_def, stack_ok_def] >> rw []
 | 
						
						
						
							|  |  |       >- (
 | 
						
						
						
							|  |  |         rw [frame_ok_def] >> fs [ip_ok_def, prog_ok_def, inc_bip_def] >>
 | 
						
						
						
							|  |  |         last_x_assum drule >> disch_then drule >> rw [] >>
 | 
						
						
						
							|  |  |         CCONTR_TAC >> fs [] >> rfs [LAST_EL] >>
 | 
						
						
						
							|  |  |         Cases_on `length block'.body = idx + 1` >> fs [PRE_SUB1] >>
 | 
						
						
						
							|  |  |         fs [get_instr_cases] >>
 | 
						
						
						
							|  |  |         metis_tac [terminator_def])
 | 
						
						
						
							|  |  |       >- (fs [EVERY_MEM, frame_ok_def] >> metis_tac [])))
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem step_invariant:
 | 
						
						
						
							|  |  |   ∀p s1 l s2.
 | 
						
						
						
							|  |  |     prog_ok p ∧ step p s1 l s2 ∧ state_invariant p s1
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     state_invariant p s2
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [step_cases]
 | 
						
						
						
							|  |  |   >- metis_tac [step_instr_invariant] >>
 | 
						
						
						
							|  |  |   fs [get_instr_cases, inc_pc_def, inc_bip_def, state_invariant_def] >>
 | 
						
						
						
							|  |  |   rw []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     fs [ip_ok_def, prog_ok_def] >>
 | 
						
						
						
							|  |  |     metis_tac [NOT_NIL_EQ_LENGTH_NOT_0])
 | 
						
						
						
							|  |  |   >- (fs [globals_ok_def] >> metis_tac [])
 | 
						
						
						
							|  |  |   >- (fs [stack_ok_def, frame_ok_def, EVERY_MEM] >> metis_tac [])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Definition is_call_def:
 | 
						
						
						
							|  |  |   (is_call (Call _ _ _ _) ⇔ T) ∧
 | 
						
						
						
							|  |  |   (is_call _ ⇔ F)
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem step_same_block:
 | 
						
						
						
							|  |  |   ∀p s1 l s2.
 | 
						
						
						
							|  |  |     get_instr p s1.ip i ∧ step p s1 l s2 ∧
 | 
						
						
						
							|  |  |     (∀i'. i = Inl i' ⇒ ¬terminator i' ∧ ¬is_call i') ⇒
 | 
						
						
						
							|  |  |     s1.ip.f = s2.ip.f ∧
 | 
						
						
						
							|  |  |     s1.ip.b = s2.ip.b ∧
 | 
						
						
						
							|  |  |     s2.ip.i = inc_bip s1.ip.i
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   simp [step_cases] >>
 | 
						
						
						
							|  |  |   rpt gen_tac >> disch_tac >> fs [inc_pc_def] >>
 | 
						
						
						
							|  |  |   `i = Inl i'` by metis_tac [get_instr_func] >>
 | 
						
						
						
							|  |  |   fs [step_instr_cases] >> rfs [] >>
 | 
						
						
						
							|  |  |   fs [terminator_def, is_call_def, inc_pc_def, update_result_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* ----- Initial state is ok ----- *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem init_invariant:
 | 
						
						
						
							|  |  |   ∀p s init. prog_ok p ∧ is_init_state s init ⇒ state_invariant p s
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [is_init_state_def, state_invariant_def]
 | 
						
						
						
							|  |  |   >- (rw [ip_ok_def] >> fs [prog_ok_def] >> metis_tac [NOT_NIL_EQ_LENGTH_NOT_0])
 | 
						
						
						
							|  |  |   >- rw [stack_ok_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* ----- A bigger-step semantics ----- *)
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Inductive last_step:
 | 
						
						
						
							|  |  |   (∀p s1 l s2 i.
 | 
						
						
						
							|  |  |     step p s1 l s2 ∧ get_instr p s1.ip i ∧
 | 
						
						
						
							|  |  |     ((∃x. i = Inr x) ∨ (∃i'. i = Inl i' ∧ (terminator i' ∨ is_call i')))
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     last_step p s1 l s2) ∧
 | 
						
						
						
							|  |  |   (∀p s1.
 | 
						
						
						
							|  |  |    (¬∃l s2. step p s1 l s2)
 | 
						
						
						
							|  |  |    ⇒
 | 
						
						
						
							|  |  |    last_step p s1 Error (s1 with status := Stuck))
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | (* Run all of the instructions up-to-and-including the next Call or terminator.
 | 
						
						
						
							|  |  |  * Stop after the phis too.
 | 
						
						
						
							|  |  |  * *)
 | 
						
						
						
							|  |  | Inductive multi_step:
 | 
						
						
						
							|  |  |   (∀p s1 s2 l.
 | 
						
						
						
							|  |  |    last_step p s1 l s2 ∧
 | 
						
						
						
							|  |  |    s1.status = Partial
 | 
						
						
						
							|  |  |    ⇒
 | 
						
						
						
							|  |  |    multi_step p s1 [l] s2) ∧
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  |   (∀p s1 s2 s3 i l ls.
 | 
						
						
						
							|  |  |    step p s1 l s2 ∧
 | 
						
						
						
							|  |  |    s1.status = Partial ∧
 | 
						
						
						
							|  |  |    get_instr p s1.ip (Inl i) ∧
 | 
						
						
						
							|  |  |    ¬(terminator i ∨ is_call i) ∧
 | 
						
						
						
							|  |  |    multi_step p s2 ls s3
 | 
						
						
						
							|  |  |    ⇒
 | 
						
						
						
							|  |  |    multi_step p s1 (l::ls) s3)
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Definition multi_step_sem_def:
 | 
						
						
						
							|  |  |   multi_step_sem p s1 =
 | 
						
						
						
							|  |  |     { l1 | ∃path l2. l1 ∈ observation_prefixes ((last path).status, flat l2) ∧
 | 
						
						
						
							|  |  |            toList (labels path) = Some l2 ∧
 | 
						
						
						
							|  |  |            finite path ∧ okpath (multi_step p) path ∧ first path = s1 }
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem multi_step_to_step_path:
 | 
						
						
						
							|  |  |   ∀p s1 l s2.
 | 
						
						
						
							|  |  |     multi_step p s1 l s2 ⇒
 | 
						
						
						
							|  |  |       ∃path.
 | 
						
						
						
							|  |  |         finite path ∧ okpath (sem_step p) path ∧ first path = s1 ∧ last path = s2 ∧
 | 
						
						
						
							|  |  |         toList (labels path) = Some l
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac multi_step_ind >> conj_tac
 | 
						
						
						
							|  |  |   >- (rw [] >> qexists_tac `pcons s1 l (stopped_at s2)` >> fs [sem_step_cases, toList_THM, last_step_cases]) >>
 | 
						
						
						
							|  |  |   rw [] >>
 | 
						
						
						
							|  |  |   qexists_tac `pcons s1 l path` >> rw [toList_THM] >>
 | 
						
						
						
							|  |  |   `LFINITE (labels path)` by metis_tac [finite_labels] >>
 | 
						
						
						
							|  |  |   simp [sem_step_cases]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem expand_multi_step_path:
 | 
						
						
						
							|  |  |   ∀path. okpath (multi_step prog) path ∧ finite path ⇒
 | 
						
						
						
							|  |  |     !l. toList (labels path) = Some l ⇒
 | 
						
						
						
							|  |  |     ∃path'.
 | 
						
						
						
							|  |  |       toList (labels path') = Some (flat l) ∧ finite path' ∧
 | 
						
						
						
							|  |  |       okpath (sem_step prog) path' ∧ first path' = first path ∧ last path' = last path
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac finite_okpath_ind >> rw []
 | 
						
						
						
							|  |  |   >- (qexists_tac `stopped_at x` >> fs [toList_THM] >> rw []) >>
 | 
						
						
						
							|  |  |   fs [toList_THM] >> rw [] >>
 | 
						
						
						
							|  |  |   first_x_assum drule >> rw [] >>
 | 
						
						
						
							|  |  |   drule multi_step_to_step_path >> rw [] >>
 | 
						
						
						
							|  |  |   qexists_tac `plink path'' path'` >> rw [] >>
 | 
						
						
						
							|  |  |   simp [toList_THM, labels_plink] >>
 | 
						
						
						
							|  |  |   `LFINITE (LAPPEND (labels path'') (labels path'))` by metis_tac [LFINITE_APPEND, finite_labels] >>
 | 
						
						
						
							|  |  |   drule LFINITE_toList >> rw [] >> drule toList_LAPPEND_APPEND >> rw []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem contract_step_path:
 | 
						
						
						
							|  |  |   ∀path. okpath (sem_step prog) path ∧ finite path ⇒
 | 
						
						
						
							|  |  |     ∀l1 l s.
 | 
						
						
						
							|  |  |       last_step prog (last path) l s ∧
 | 
						
						
						
							|  |  |       (last path).status = Partial ∧
 | 
						
						
						
							|  |  |       toList (labels path) = Some l1
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     ∃path' l2.
 | 
						
						
						
							|  |  |       toList (labels path') = Some l2 ∧
 | 
						
						
						
							|  |  |       flat l2 = l1 ++ [l] ∧
 | 
						
						
						
							|  |  |       finite path' ∧
 | 
						
						
						
							|  |  |       okpath (multi_step prog) path' ∧ first path' = first path ∧ last path' = s
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac finite_okpath_ind >> rw []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qexists_tac `pcons x [l] (stopped_at s)` >> fs [] >> simp [toList_THM] >>
 | 
						
						
						
							|  |  |     simp [Once multi_step_cases] >>
 | 
						
						
						
							|  |  |     fs [toList_THM]) >>
 | 
						
						
						
							|  |  |   fs [toList_THM] >>
 | 
						
						
						
							|  |  |   first_x_assum drule >> disch_then drule >> rw [] >>
 | 
						
						
						
							|  |  |   Cases_on `last_step prog x r (first path)`
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qexists_tac `pcons x [r] path'` >> simp [] >>
 | 
						
						
						
							|  |  |     fs [sem_step_cases] >>
 | 
						
						
						
							|  |  |     simp [Once multi_step_cases, toList_THM] >>
 | 
						
						
						
							|  |  |     simp [last_step_cases])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qpat_x_assum `okpath (multi_step _) _` mp_tac >>
 | 
						
						
						
							|  |  |     simp [Once okpath_cases] >> rw [] >> fs [toList_THM] >> rw [] >> fs [] >>
 | 
						
						
						
							|  |  |     qexists_tac `pcons x (r::r') p` >> fs [toList_THM] >> rw [Once multi_step_cases] >>
 | 
						
						
						
							|  |  |     disj2_tac >> qexists_tac `first path` >> rw [] >> fs [sem_step_cases]
 | 
						
						
						
							|  |  |     >- (fs [last_step_cases, step_cases, get_instr_cases] >> metis_tac []) >>
 | 
						
						
						
							|  |  |     qpat_x_assum `okpath (sem_step _) _` mp_tac >>
 | 
						
						
						
							|  |  |     simp [Once okpath_cases, sem_step_cases] >> CCONTR_TAC >> fs [] >> rw [] >>
 | 
						
						
						
							|  |  |     fs [first_def, last_thm] >> rw [] >> fs [])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Definition get_next_step_def:
 | 
						
						
						
							|  |  |   get_next_step p s1 =
 | 
						
						
						
							|  |  |     some (s2, l). sem_step p s1 l s2 ∧ ¬last_step p s1 l s2
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Triviality finite_plink_trivial:
 | 
						
						
						
							|  |  |   ∀path. finite path ⇒ path = plink path (stopped_at (last path))
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac finite_path_ind >> rw []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Definition instrs_left_def:
 | 
						
						
						
							|  |  |   instrs_left prog s =
 | 
						
						
						
							|  |  |     case alookup prog s.ip.f of
 | 
						
						
						
							|  |  |     | None => 0
 | 
						
						
						
							|  |  |     | Some d =>
 | 
						
						
						
							|  |  |       case alookup d.blocks s.ip.b of
 | 
						
						
						
							|  |  |       | None => 0
 | 
						
						
						
							|  |  |       | Some b =>
 | 
						
						
						
							|  |  |         case s.ip.i of
 | 
						
						
						
							|  |  |         | Phi_ip _ => length b.body + 1
 | 
						
						
						
							|  |  |         | Offset idx => length b.body - idx
 | 
						
						
						
							|  |  | End
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem sem_step_stuck:
 | 
						
						
						
							|  |  |   ∀p s1. (∀l s2. ¬sem_step p s1 l s2) ⇔ s1.status ≠ Partial
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [sem_step_cases] >> metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem sem_step_then_stuck:
 | 
						
						
						
							|  |  |   ∀p s1 l1 s2.
 | 
						
						
						
							|  |  |     sem_step p s1 l1 s2 ∧ (∀l2 s3. ¬sem_step p s2 l2 s3)
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     (l1 = Error ∧ s2 = s1 with status := Stuck ∧ ∀l2 s3. ¬step p s1 l2 s3) ∨
 | 
						
						
						
							|  |  |     (∃i e. l1 = Exit i ∧ s2 = s1 with status := Complete i ∧
 | 
						
						
						
							|  |  |       get_instr p s1.ip (Inl (Exit e)))
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [sem_step_stuck] >>
 | 
						
						
						
							|  |  |   fs [sem_step_cases] >>
 | 
						
						
						
							|  |  |   disj2_tac >> fs [step_cases] >> rfs [inc_pc_def] >>
 | 
						
						
						
							|  |  |   fs [step_instr_cases] >> rfs [update_result_def, inc_pc_def] >>
 | 
						
						
						
							|  |  |   metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem sem_step_not_last:
 | 
						
						
						
							|  |  |   ∀p s1 l1 s2.
 | 
						
						
						
							|  |  |     sem_step p s1 l1 s2 ∧ ¬last_step p s1 l1 s2 ⇒
 | 
						
						
						
							|  |  |     ∃l2 s3. sem_step p s2 l2 s3
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [] >> CCONTR_TAC >> fs [] >> drule sem_step_then_stuck >>
 | 
						
						
						
							|  |  |   simp [] >>
 | 
						
						
						
							|  |  |   CCONTR_TAC >> fs [] >> rw []
 | 
						
						
						
							|  |  |   >- fs [last_step_cases] >>
 | 
						
						
						
							|  |  |   fs [last_step_cases, sem_step_cases] >> rw [] >>
 | 
						
						
						
							|  |  |   first_x_assum (qspec_then `Inl (Exit e)` mp_tac) >>
 | 
						
						
						
							|  |  |   rw [terminator_def]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Triviality some_lemma:
 | 
						
						
						
							|  |  |   ∀P a b. (some (x, y). P x y) = Some (a, b) ⇒ P a b
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [some_def] >>
 | 
						
						
						
							|  |  |   qmatch_assum_abbrev_tac `(@x. Q x) = _` >>
 | 
						
						
						
							|  |  |   `Q (@x. Q x)` suffices_by (rw [Abbr `Q`]) >>
 | 
						
						
						
							|  |  |   `∃x. Q x` suffices_by rw [SELECT_THM] >>
 | 
						
						
						
							|  |  |   unabbrev_all_tac >> rw [] >>
 | 
						
						
						
							|  |  |   pairarg_tac >> fs [] >> rw [EXISTS_PROD] >>
 | 
						
						
						
							|  |  |   metis_tac []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem extend_step_path:
 | 
						
						
						
							|  |  |   ∀path.
 | 
						
						
						
							|  |  |     okpath (sem_step p) path ∧ finite path
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     (∀s. path = stopped_at s ⇒ ∃s' l. sem_step p s l s') ⇒
 | 
						
						
						
							|  |  |     ∃path' l s n.
 | 
						
						
						
							|  |  |       finite path' ∧ okpath (sem_step p) path' ∧ (last path').status = Partial ∧
 | 
						
						
						
							|  |  |       last_step p (last path') l s ∧
 | 
						
						
						
							|  |  |       length path = Some (Suc n) ∧ n ∈ PL (pconcat path' l (stopped_at s)) ∧
 | 
						
						
						
							|  |  |       path = take n (pconcat path' l (stopped_at s))
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [] >>
 | 
						
						
						
							|  |  |   Cases_on `get_next_step p (last path) = None ∧ ∀s. path ≠ stopped_at s`
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     fs [get_next_step_def, some_def, FORALL_PROD, METIS_PROVE [] ``~x ∨ y ⇔ (x ⇒ y)``] >>
 | 
						
						
						
							|  |  |     Cases_on `∃l2 s2. sem_step p (last path) l2 s2` >> fs []
 | 
						
						
						
							|  |  |     >- ( (* Can take a last step from the end of the path *)
 | 
						
						
						
							|  |  |       first_x_assum drule >> rw [] >>
 | 
						
						
						
							|  |  |       qexists_tac `path` >> qexists_tac `l2` >> qexists_tac `s2` >> rw [] >>
 | 
						
						
						
							|  |  |       fs [finite_length] >>
 | 
						
						
						
							|  |  |       qexists_tac `n - 1` >>
 | 
						
						
						
							|  |  |       `n ≠ 0` by metis_tac [length_never_zero] >>
 | 
						
						
						
							|  |  |       rw [PL_def] >>
 | 
						
						
						
							|  |  |       `length (pconcat path l2 (stopped_at s2)) = Some (n + 1)`
 | 
						
						
						
							|  |  |       by metis_tac [length_pconcat, alt_length_thm] >>
 | 
						
						
						
							|  |  |       rw [take_pconcat]
 | 
						
						
						
							|  |  |       >- fs [sem_step_cases]
 | 
						
						
						
							|  |  |       >- metis_tac [take_all] >>
 | 
						
						
						
							|  |  |       fs [PL_def] >> rfs [])
 | 
						
						
						
							|  |  |     >- ( (* The path is stuck, so we need to extract the last step from it *)
 | 
						
						
						
							|  |  |       drule finite_path_end_cases >>
 | 
						
						
						
							|  |  |       rw [] >> fs [] >> rfs [] >>
 | 
						
						
						
							|  |  |       qexists_tac `p'` >> rw [] >>
 | 
						
						
						
							|  |  |       qexists_tac `l` >> qexists_tac `s` >> rw [] >>
 | 
						
						
						
							|  |  |       fs [finite_length] >>
 | 
						
						
						
							|  |  |       qexists_tac `n` >> rw [] >>
 | 
						
						
						
							|  |  |       `length (plink p' (pcons (last p') l (stopped_at s))) = Some (n + Suc 1 - 1)`
 | 
						
						
						
							|  |  |       by metis_tac [length_plink, alt_length_thm, OPTION_MAP_DEF] >>
 | 
						
						
						
							|  |  |       rw []
 | 
						
						
						
							|  |  |       >- fs [sem_step_cases]
 | 
						
						
						
							|  |  |       >- metis_tac [sem_step_not_last]
 | 
						
						
						
							|  |  |       >- (
 | 
						
						
						
							|  |  |         rw [PL_def] >> fs [finite_length] >>
 | 
						
						
						
							|  |  |         `length (pconcat p' l (stopped_at s)) = Some (n + 1)`
 | 
						
						
						
							|  |  |         by metis_tac [length_pconcat, alt_length_thm] >>
 | 
						
						
						
							|  |  |         fs [])
 | 
						
						
						
							|  |  |       >- (
 | 
						
						
						
							|  |  |         rw [take_pconcat]
 | 
						
						
						
							|  |  |         >- (fs [PL_def, finite_length] >> rfs []) >>
 | 
						
						
						
							|  |  |         metis_tac [finite_length, pconcat_to_plink_finite]))) >>
 | 
						
						
						
							|  |  |   qexists_tac `plink path (unfold I (get_next_step p) (last path))` >> rw [] >>
 | 
						
						
						
							|  |  |   qmatch_goalsub_abbrev_tac `finite path1` >>
 | 
						
						
						
							|  |  |   `∃m. length path = Some (Suc m)`
 | 
						
						
						
							|  |  |   by (fs [finite_length] >> Cases_on `n` >> fs [length_never_zero]) >>
 | 
						
						
						
							|  |  |   simp [GSYM PULL_EXISTS] >>
 | 
						
						
						
							|  |  |   conj_asm1_tac
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     simp [Abbr `path1`] >> irule unfold_finite >>
 | 
						
						
						
							|  |  |     WF_REL_TAC `measure (instrs_left p)` >>
 | 
						
						
						
							|  |  |     rpt gen_tac >>
 | 
						
						
						
							|  |  |     rw [instrs_left_def, get_next_step_def] >>
 | 
						
						
						
							|  |  |     qabbrev_tac `P = (\s3 l. sem_step p s2 l s3 ∧ ¬last_step p s2 l s3)` >>
 | 
						
						
						
							|  |  |     `P s3 l` by (irule some_lemma >> simp [Abbr `P`]) >>
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> simp [Abbr `P`] >> strip_tac >>
 | 
						
						
						
							|  |  |     drule sem_step_not_last >> simp [] >> strip_tac >>
 | 
						
						
						
							|  |  |     qpat_x_assum `sem_step p s2 l s3` mp_tac >> rw [Once sem_step_cases]
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       `∃i. get_instr p s2.ip i` by metis_tac [get_instr_cases, step_cases] >>
 | 
						
						
						
							|  |  |       `∃x. i = Inl x` by (fs [last_step_cases] >> metis_tac [sumTheory.sum_CASES]) >>
 | 
						
						
						
							|  |  |       drule step_same_block >> disch_then drule >> simp [] >>
 | 
						
						
						
							|  |  |       impl_tac
 | 
						
						
						
							|  |  |       >- (fs [last_step_cases] >> metis_tac []) >>
 | 
						
						
						
							|  |  |       fs [step_cases, get_instr_cases, inc_bip_def] >> rw [] >> fs [] >>
 | 
						
						
						
							|  |  |       rw [inc_bip_def] >> fs [])
 | 
						
						
						
							|  |  |     >- fs [last_step_cases]) >>
 | 
						
						
						
							|  |  |  `last path = first path1`
 | 
						
						
						
							|  |  |   by (
 | 
						
						
						
							|  |  |     unabbrev_all_tac >> simp [Once unfold_thm] >>
 | 
						
						
						
							|  |  |     CASE_TAC >> rw [] >> split_pair_case_tac >> rw []) >>
 | 
						
						
						
							|  |  |   simp [last_plink] >>
 | 
						
						
						
							|  |  |   conj_asm1_tac
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     unabbrev_all_tac >>
 | 
						
						
						
							|  |  |     irule okpath_unfold >> rw [] >>
 | 
						
						
						
							|  |  |     qexists_tac `\x.T` >> rw [get_next_step_def] >>
 | 
						
						
						
							|  |  |     qabbrev_tac `P = (\s2 l. sem_step p s l s2 ∧ ¬last_step p s l s2)` >>
 | 
						
						
						
							|  |  |     `P s' l` by (irule some_lemma >> simp [Abbr `P`]) >>
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> simp [Abbr `P`]) >>
 | 
						
						
						
							|  |  |   `∃n. length path1 = Some n` by fs [finite_length] >>
 | 
						
						
						
							|  |  |   `n ≠ 0` by metis_tac [length_never_zero] >>
 | 
						
						
						
							|  |  |   `length (plink path path1) = Some (Suc m + n - 1)` by metis_tac [length_plink] >>
 | 
						
						
						
							|  |  |   simp [take_pconcat, PL_def, finite_pconcat, length_plink] >>
 | 
						
						
						
							|  |  |   `!l s. length (pconcat (plink path path1) l (stopped_at s)) = Some ((Suc m + n − 1) + 1)`
 | 
						
						
						
							|  |  |   by metis_tac [length_pconcat, alt_length_thm] >>
 | 
						
						
						
							|  |  |   simp [GSYM PULL_EXISTS] >>
 | 
						
						
						
							|  |  |   unabbrev_all_tac >> drule unfold_last >>
 | 
						
						
						
							|  |  |   qmatch_goalsub_abbrev_tac `last_step _ (last path1) _ _` >>
 | 
						
						
						
							|  |  |   simp [Once get_next_step_def, some_def, FORALL_PROD] >>
 | 
						
						
						
							|  |  |   strip_tac >>
 | 
						
						
						
							|  |  |   simp [CONJ_ASSOC, Once CONJ_SYM] >>
 | 
						
						
						
							|  |  |   simp [GSYM CONJ_ASSOC] >>
 | 
						
						
						
							|  |  |   conj_tac
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     rw [take_plink]
 | 
						
						
						
							|  |  |     >- (imp_res_tac take_all >> fs []) >>
 | 
						
						
						
							|  |  |     metis_tac [finite_plink_trivial]) >>
 | 
						
						
						
							|  |  |   pop_assum mp_tac >>
 | 
						
						
						
							|  |  |   Cases_on `1 ∈ PL path1` >> simp []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     simp [get_next_step_def] >> strip_tac >>
 | 
						
						
						
							|  |  |     qabbrev_tac `P = (\s2 l. sem_step p x l s2 ∧ ¬last_step p x l s2)` >>
 | 
						
						
						
							|  |  |     `P (last path1) l` by (irule some_lemma >> simp [Abbr `P`]) >>
 | 
						
						
						
							|  |  |     pop_assum mp_tac >> simp [Abbr `P`] >>
 | 
						
						
						
							|  |  |     strip_tac >>
 | 
						
						
						
							|  |  |     drule sem_step_not_last >> rw []
 | 
						
						
						
							|  |  |     >- fs [sem_step_cases] >>
 | 
						
						
						
							|  |  |     metis_tac [])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     `n = 1` by (rfs [PL_def, finite_length] >> decide_tac) >>
 | 
						
						
						
							|  |  |     qspec_then `path1` strip_assume_tac path_cases
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       unabbrev_all_tac >> simp [] >>
 | 
						
						
						
							|  |  |       fs [] >> fs [Once unfold_thm] >>
 | 
						
						
						
							|  |  |       Cases_on `get_next_step p (last path)` >> simp [] >> fs [] >> rw [] >>
 | 
						
						
						
							|  |  |       fs [get_next_step_def, some_def, FORALL_PROD] >>
 | 
						
						
						
							|  |  |       TRY split_pair_case_tac >> fs [sem_step_cases] >>
 | 
						
						
						
							|  |  |       metis_tac [])
 | 
						
						
						
							|  |  |     >- fs [alt_length_thm, length_never_zero])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem find_path_prefix:
 | 
						
						
						
							|  |  |   ∀path.
 | 
						
						
						
							|  |  |      okpath (sem_step p) path ∧ finite path
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     !obs l1. toList (labels path) = Some l1 ∧
 | 
						
						
						
							|  |  |     obs ∈ observation_prefixes ((last path).status, l1)
 | 
						
						
						
							|  |  |     ⇒
 | 
						
						
						
							|  |  |     ∃n l2. n ∈ PL path ∧ toList (labels (take n path)) = Some l2 ∧
 | 
						
						
						
							|  |  |       obs = ((last (take n path)).status, filter ($≠ Tau) l2)
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   ho_match_mp_tac finite_okpath_ind >> rw [toList_THM]
 | 
						
						
						
							|  |  |   >- fs [observation_prefixes_cases, IN_DEF] >>
 | 
						
						
						
							|  |  |   `∃s ls. obs = (s, ls)` by metis_tac [pairTheory.pair_CASES] >>
 | 
						
						
						
							|  |  |   fs [] >>
 | 
						
						
						
							|  |  |   `∃l. length path = Some l ∧ l ≠ 0` by metis_tac [finite_length, length_never_zero] >>
 | 
						
						
						
							|  |  |   `take (l-1) path = path` by metis_tac [take_all] >>
 | 
						
						
						
							|  |  |   Cases_on `s` >> fs []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qexists_tac `l` >> rw [toList_THM] >>
 | 
						
						
						
							|  |  |     Cases_on `l` >> fs [toList_THM] >>
 | 
						
						
						
							|  |  |     fs [observation_prefixes_cases, IN_DEF, PL_def])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qexists_tac `l` >> rw [toList_THM] >>
 | 
						
						
						
							|  |  |     Cases_on `l` >> fs [toList_THM] >>
 | 
						
						
						
							|  |  |     fs [observation_prefixes_cases, IN_DEF, PL_def]) >>
 | 
						
						
						
							|  |  |   qpat_x_assum `(Partial, _) ∈ _` mp_tac >>
 | 
						
						
						
							|  |  |   simp [observation_prefixes_cases, Once IN_DEF] >> rw [] >>
 | 
						
						
						
							|  |  |   rename1 `short_l ≼ first_l::long_l` >>
 | 
						
						
						
							|  |  |   Cases_on `short_l` >> fs []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     qexists_tac `0` >> rw [toList_THM] >>
 | 
						
						
						
							|  |  |     fs [sem_step_cases]) >>
 | 
						
						
						
							|  |  |   rename1 `short_l ≼ long_l` >>
 | 
						
						
						
							|  |  |   rfs [] >>
 | 
						
						
						
							|  |  |   `(Partial, filter ($≠ Tau) short_l) ∈ observation_prefixes ((last path).status,long_l)`
 | 
						
						
						
							|  |  |   by (simp [observation_prefixes_cases, IN_DEF] >> metis_tac []) >>
 | 
						
						
						
							|  |  |   first_x_assum drule >> strip_tac >>
 | 
						
						
						
							|  |  |   qexists_tac `Suc n` >> simp [toList_THM] >> rw [] >> rfs [last_take]
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Triviality is_prefix_lem:
 | 
						
						
						
							|  |  |   ∀l1 l2 l3. l1 ≼ l2 ⇒ l1 ≼ l2 ++ l3
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   Induct >> rw [] >> fs [] >>
 | 
						
						
						
							|  |  |   Cases_on `l2` >> fs []
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | Theorem big_sem_equiv:
 | 
						
						
						
							|  |  |   ∀p s1. multi_step_sem p s1 = sem p s1
 | 
						
						
						
							|  |  | Proof
 | 
						
						
						
							|  |  |   rw [multi_step_sem_def, sem_def, EXTENSION] >> eq_tac >> rw []
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     drule expand_multi_step_path >> rw [] >>
 | 
						
						
						
							|  |  |     rename [`toList (labels m_path) = Some m_l`, `toList (labels s_path) = Some (flat m_l)`] >>
 | 
						
						
						
							|  |  |     `∃n short_l.
 | 
						
						
						
							|  |  |       n ∈ PL s_path ∧
 | 
						
						
						
							|  |  |       toList (labels (take n s_path)) = Some short_l ∧
 | 
						
						
						
							|  |  |       x = ((last (take n s_path)).status, filter ($≠ Tau) short_l)`
 | 
						
						
						
							|  |  |     by metis_tac [find_path_prefix] >>
 | 
						
						
						
							|  |  |     qexists_tac `take n s_path` >> rw [])
 | 
						
						
						
							|  |  |   >- (
 | 
						
						
						
							|  |  |     Cases_on `¬∀s. path = stopped_at s ⇒ ∃s' l. sem_step p s l s'`
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       fs [] >> rw [] >> fs [toList_THM] >> rw [] >>
 | 
						
						
						
							|  |  |       qexists_tac `stopped_at s` >> rw [toList_THM] >>
 | 
						
						
						
							|  |  |       rw [observation_prefixes_cases, IN_DEF] >>
 | 
						
						
						
							|  |  |       metis_tac [trace_type_nchotomy]) >>
 | 
						
						
						
							|  |  |     drule extend_step_path >> disch_then drule >>
 | 
						
						
						
							|  |  |     impl_tac >> rw []
 | 
						
						
						
							|  |  |     >- metis_tac [] >>
 | 
						
						
						
							|  |  |     rename1 `last_step _ (last s_ext_path) last_l last_s` >>
 | 
						
						
						
							|  |  |     `∃s_ext_l. toList (labels s_ext_path) = Some s_ext_l` by metis_tac [LFINITE_toList, finite_labels] >>
 | 
						
						
						
							|  |  |     qabbrev_tac `orig_path = take n (pconcat s_ext_path last_l (stopped_at last_s))` >>
 | 
						
						
						
							|  |  |     drule contract_step_path >> simp [] >> disch_then drule >> rw [] >>
 | 
						
						
						
							|  |  |     rename [`toList (labels m_path) = Some m_l`,
 | 
						
						
						
							|  |  |             `toList (labels s_ext_path) = Some s_ext_l`,
 | 
						
						
						
							|  |  |             `first m_path = first s_ext_path`,
 | 
						
						
						
							|  |  |             `okpath (multi_step _) m_path`] >>
 | 
						
						
						
							|  |  |     qexists_tac `m_path` >> rw [] >>
 | 
						
						
						
							|  |  |     TRY (rw [Abbr `orig_path`] >> NO_TAC) >>
 | 
						
						
						
							|  |  |     rfs [last_take, take_pconcat] >>
 | 
						
						
						
							|  |  |     Cases_on `length s_ext_path = Some n`
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       rfs [PL_def] >> fs [] >>
 | 
						
						
						
							|  |  |       rw [observation_prefixes_cases, IN_DEF] >> rw [] >>
 | 
						
						
						
							|  |  |       unabbrev_all_tac >> rw [last_pconcat] >> fs [] >>
 | 
						
						
						
							|  |  |       drule toList_LAPPEND_APPEND >> rw [toList_THM] >>
 | 
						
						
						
							|  |  |       Cases_on `(last m_path).status` >> simp [] >>
 | 
						
						
						
							|  |  |       qexists_tac `s_ext_l ++ [last_l]` >> rw []) >>
 | 
						
						
						
							|  |  |     fs [PL_def, finite_pconcat] >> rfs [] >>
 | 
						
						
						
							|  |  |     `∃m. length s_ext_path = Some m` by metis_tac [finite_length] >>
 | 
						
						
						
							|  |  |     `length s_ext_path = Some m` by metis_tac [finite_length] >>
 | 
						
						
						
							|  |  |     `length (pconcat s_ext_path last_l (stopped_at (last m_path))) = Some (m + 1)`
 | 
						
						
						
							|  |  |     by metis_tac [length_pconcat, alt_length_thm] >>
 | 
						
						
						
							|  |  |     fs [] >>
 | 
						
						
						
							|  |  |     `n < m` by decide_tac >> fs [] >> rw [] >>
 | 
						
						
						
							|  |  |     `n ∈ PL s_ext_path` by rw [PL_def] >>
 | 
						
						
						
							|  |  |     Cases_on `(last orig_path).status = Partial`
 | 
						
						
						
							|  |  |     >- (
 | 
						
						
						
							|  |  |       rw [observation_prefixes_cases, IN_DEF] >> rw [] >>
 | 
						
						
						
							|  |  |       unabbrev_all_tac >> fs [] >>
 | 
						
						
						
							|  |  |       `LTAKE n (labels s_ext_path) = Some l` by metis_tac [LTAKE_labels] >>
 | 
						
						
						
							|  |  |       fs [toList_some] >> rfs [] >>
 | 
						
						
						
							|  |  |       Cases_on `m` >> fs [length_labels] >>
 | 
						
						
						
							|  |  |       qexists_tac `l` >> rw [] >> rfs []
 | 
						
						
						
							|  |  |       >- (
 | 
						
						
						
							|  |  |         irule is_prefix_lem >>
 | 
						
						
						
							|  |  |         `n ≤ length s_ext_l` by decide_tac >>
 | 
						
						
						
							|  |  |         fs [ltake_fromList2] >>
 | 
						
						
						
							|  |  |         rw [take_is_prefix])
 | 
						
						
						
							|  |  |       >- (drule LTAKE_LENGTH >> rw [])) >>
 | 
						
						
						
							|  |  |     unabbrev_all_tac >> rfs [last_take] >>
 | 
						
						
						
							|  |  |     fs [okpath_pointwise] >>
 | 
						
						
						
							|  |  |     Cases_on `Suc n ∈ PL s_ext_path` >> rw []
 | 
						
						
						
							|  |  |     >- (last_x_assum (qspec_then `n` mp_tac) >> rw [sem_step_cases]) >>
 | 
						
						
						
							|  |  |     `n = m - 1` by (fs [PL_def] >> rfs []) >>
 | 
						
						
						
							|  |  |     rw [] >>
 | 
						
						
						
							|  |  |     `el (m - 1) s_ext_path = last s_ext_path` by metis_tac [take_all, pathTheory.last_take] >>
 | 
						
						
						
							|  |  |     fs [last_step_cases])
 | 
						
						
						
							|  |  | QED
 | 
						
						
						
							|  |  | 
 | 
						
						
						
							|  |  | export_theory ();
 |