Correctness proof for PPC generation: auxiliary results.
Require Import Coqlib.
Require Import Errors.
Require Import Maps.
Require Import AST.
Require Import Zbits.
Require Import Integers.
Require Import Floats.
Require Import Values.
Require Import Memory.
Require Import Globalenvs.
Require Import Op.
Require Import Locations.
Require Import Mach.
Require Import Asm.
Require Import Asmgen.
Require Import Conventions.
Require Import Asmgenproof0.
Local Transparent Archi.ptr64.
Properties of low half/high half decomposition
Lemma low_high_u:
forall n,
Int.or (
Int.shl (
high_u n) (
Int.repr 16)) (
low_u n) =
n.
Proof.
Lemma low_high_u_xor:
forall n,
Int.xor (
Int.shl (
high_u n) (
Int.repr 16)) (
low_u n) =
n.
Proof.
Lemma low_high_s:
forall n,
Int.add (
Int.shl (
high_s n) (
Int.repr 16)) (
low_s n) =
n.
Proof.
Lemma add_zero_symbol_address:
forall (
ge:
genv)
id ofs,
Val.add Vzero (
Genv.symbol_address ge id ofs) =
Genv.symbol_address ge id ofs.
Proof.
Lemma low_high_half_zero:
forall (
ge:
genv)
id ofs,
Val.add (
Val.add Vzero (
high_half ge id ofs)) (
low_half ge id ofs) =
Genv.symbol_address ge id ofs.
Proof.
Useful properties of registers
important_preg extends data_preg by tracking the LR register as well.
It is used to state that a code sequence modifies no data registers
and does not modify LR either.
Definition important_preg (
r:
preg) :
bool :=
match r with
|
IR GPR0 =>
false
|
PC =>
false |
CTR =>
false
|
CR0_0 =>
false |
CR0_1 =>
false |
CR0_2 =>
false |
CR0_3 =>
false
|
CARRY =>
false
|
_ =>
true
end.
Lemma important_diff:
forall r r',
important_preg r =
true ->
important_preg r' =
false ->
r <>
r'.
Proof.
congruence.
Qed.
Global Hint Resolve important_diff:
asmgen.
Lemma important_data_preg_1:
forall r,
data_preg r =
true ->
important_preg r =
true.
Proof.
destruct r; simpl; auto; discriminate.
Qed.
Lemma important_data_preg_2:
forall r,
important_preg r =
false ->
data_preg r =
false.
Proof.
Global Hint Resolve important_data_preg_1 important_data_preg_2:
asmgen.
Lemma nextinstr_inv2:
forall r rs,
important_preg r =
true -> (
nextinstr rs)#
r =
rs#
r.
Proof.
intros.
apply nextinstr_inv.
red;
intro;
subst;
discriminate.
Qed.
Useful properties of the GPR0 registers.
Lemma gpr_or_zero_not_zero:
forall rs r,
r <>
GPR0 ->
gpr_or_zero rs r =
rs#
r.
Proof.
Lemma gpr_or_zero_zero:
forall rs,
gpr_or_zero rs GPR0 =
Vzero.
Proof.
intros. reflexivity.
Qed.
Global Hint Resolve gpr_or_zero_not_zero gpr_or_zero_zero:
asmgen.
Lemma gpr_or_zero_l_not_zero:
forall rs r,
r <>
GPR0 ->
gpr_or_zero_l rs r =
rs#
r.
Proof.
Lemma gpr_or_zero_l_zero:
forall rs,
gpr_or_zero_l rs GPR0 =
Vlong Int64.zero.
Proof.
intros. reflexivity.
Qed.
Global Hint Resolve gpr_or_zero_l_not_zero gpr_or_zero_l_zero:
asmgen.
Lemma ireg_of_not_GPR0:
forall m r,
ireg_of m =
OK r ->
IR r <>
IR GPR0.
Proof.
intros.
erewrite <-
ireg_of_eq;
eauto with asmgen.
Qed.
Global Hint Resolve ireg_of_not_GPR0:
asmgen.
Lemma ireg_of_not_GPR0':
forall m r,
ireg_of m =
OK r ->
r <>
GPR0.
Proof.
Global Hint Resolve ireg_of_not_GPR0':
asmgen.
Useful properties of the LR register
Lemma preg_of_not_LR:
forall r,
LR <>
preg_of r.
Proof.
Lemma preg_notin_LR:
forall rl,
preg_notin LR rl.
Proof.
Global Hint Resolve preg_of_not_LR preg_notin_LR:
asmgen.
Useful simplification tactic
Ltac Simplif :=
((
rewrite nextinstr_inv by eauto with asmgen)
|| (
rewrite nextinstr_inv2 by eauto with asmgen)
|| (
rewrite Pregmap.gss)
|| (
rewrite nextinstr_pc)
|| (
rewrite Pregmap.gso by eauto with asmgen));
auto with asmgen.
Ltac Simpl :=
repeat Simplif.
Useful properties of pointer addition
Lemma loadv_offset_ptr:
forall chunk m a delta v,
Mem.loadv chunk m (
Val.offset_ptr a delta) =
Some v ->
Mem.loadv chunk m (
Val.add a (
Vint (
Ptrofs.to_int delta))) =
Some v.
Proof.
intros.
destruct a;
try discriminate H.
simpl.
rewrite Ptrofs.of_int_to_int by auto.
assumption.
Qed.
Lemma storev_offset_ptr:
forall chunk m a delta v m',
Mem.storev chunk m (
Val.offset_ptr a delta)
v =
Some m' ->
Mem.storev chunk m (
Val.add a (
Vint (
Ptrofs.to_int delta)))
v =
Some m'.
Proof.
intros.
destruct a;
try discriminate H.
simpl.
rewrite Ptrofs.of_int_to_int by auto.
assumption.
Qed.
Correctness of PowerPC constructor functions
Section CONSTRUCTORS.
Variable ge:
genv.
Variable fn:
function.
Properties of comparisons.
Lemma compare_float_spec:
forall rs v1 v2,
let rs1 :=
nextinstr (
compare_float rs v1 v2)
in
rs1#
CR0_0 =
Val.cmpf Clt v1 v2
/\
rs1#
CR0_1 =
Val.cmpf Cgt v1 v2
/\
rs1#
CR0_2 =
Val.cmpf Ceq v1 v2
/\
forall r',
r' <>
CR0_0 ->
r' <>
CR0_1 ->
r' <>
CR0_2 ->
r' <>
CR0_3 ->
r' <>
PC ->
rs1#
r' =
rs#
r'.
Proof.
intros.
unfold rs1.
split.
reflexivity.
split.
reflexivity.
split.
reflexivity.
intros.
unfold compare_float.
Simpl.
Qed.
Lemma compare_sint_spec:
forall rs v1 v2,
let rs1 :=
nextinstr (
compare_sint rs v1 v2)
in
rs1#
CR0_0 =
Val.cmp Clt v1 v2
/\
rs1#
CR0_1 =
Val.cmp Cgt v1 v2
/\
rs1#
CR0_2 =
Val.cmp Ceq v1 v2
/\
forall r',
r' <>
CR0_0 ->
r' <>
CR0_1 ->
r' <>
CR0_2 ->
r' <>
CR0_3 ->
r' <>
PC ->
rs1#
r' =
rs#
r'.
Proof.
intros.
unfold rs1.
split.
reflexivity.
split.
reflexivity.
split.
reflexivity.
intros.
unfold compare_sint.
Simpl.
Qed.
Lemma compare_uint_spec:
forall rs m v1 v2,
let rs1 :=
nextinstr (
compare_uint rs m v1 v2)
in
rs1#
CR0_0 =
Val.cmpu (
Mem.valid_pointer m)
Clt v1 v2
/\
rs1#
CR0_1 =
Val.cmpu (
Mem.valid_pointer m)
Cgt v1 v2
/\
rs1#
CR0_2 =
Val.cmpu (
Mem.valid_pointer m)
Ceq v1 v2
/\
forall r',
r' <>
CR0_0 ->
r' <>
CR0_1 ->
r' <>
CR0_2 ->
r' <>
CR0_3 ->
r' <>
PC ->
rs1#
r' =
rs#
r'.
Proof.
intros.
unfold rs1.
split.
reflexivity.
split.
reflexivity.
split.
reflexivity.
intros.
unfold compare_uint.
Simpl.
Qed.
Lemma compare_slong_spec:
forall rs v1 v2,
let rs1 :=
nextinstr (
compare_slong rs v1 v2)
in
rs1#
CR0_0 =
Val.of_optbool (
Val.cmpl_bool Clt v1 v2)
/\
rs1#
CR0_1 =
Val.of_optbool (
Val.cmpl_bool Cgt v1 v2)
/\
rs1#
CR0_2 =
Val.of_optbool (
Val.cmpl_bool Ceq v1 v2)
/\
forall r',
r' <>
CR0_0 ->
r' <>
CR0_1 ->
r' <>
CR0_2 ->
r' <>
CR0_3 ->
r' <>
PC ->
rs1#
r' =
rs#
r'.
Proof.
intros.
unfold rs1.
split.
reflexivity.
split.
reflexivity.
split.
reflexivity.
intros.
unfold compare_slong.
Simpl.
Qed.
Lemma compare_ulong_spec:
forall rs m v1 v2,
let rs1 :=
nextinstr (
compare_ulong rs m v1 v2)
in
rs1#
CR0_0 =
Val.of_optbool (
Val.cmplu_bool (
Mem.valid_pointer m)
Clt v1 v2)
/\
rs1#
CR0_1 =
Val.of_optbool (
Val.cmplu_bool (
Mem.valid_pointer m)
Cgt v1 v2)
/\
rs1#
CR0_2 =
Val.of_optbool (
Val.cmplu_bool (
Mem.valid_pointer m)
Ceq v1 v2)
/\
forall r',
r' <>
CR0_0 ->
r' <>
CR0_1 ->
r' <>
CR0_2 ->
r' <>
CR0_3 ->
r' <>
PC ->
rs1#
r' =
rs#
r'.
Proof.
intros.
unfold rs1.
split.
reflexivity.
split.
reflexivity.
split.
reflexivity.
intros.
unfold compare_ulong.
Simpl.
Qed.
Loading a constant.
Lemma loadimm_correct:
forall r n k rs m,
exists rs',
exec_straight ge fn (
loadimm r n k)
rs m k rs'
m
/\
rs'#
r =
Vint n
/\
forall r':
preg,
r' <>
r ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Add integer immediate.
Lemma addimm_correct:
forall r1 r2 n k rs m,
r1 <>
GPR0 ->
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
addimm r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.add rs#
r2 (
Vint n)
/\
forall r':
preg,
r' <>
r1 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
And integer immediate.
Lemma andimm_base_correct:
forall r1 r2 n k (
rs :
regset)
m,
r2 <>
GPR0 ->
let v :=
Val.and rs#
r2 (
Vint n)
in
exists rs',
exec_straight ge fn (
andimm_base r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
v
/\
rs'#
CR0_2 =
Val.cmp Ceq v Vzero
/\
forall r',
important_preg r' =
true ->
r' <>
r1 ->
rs'#
r' =
rs#
r'.
Proof.
Lemma andimm_correct:
forall r1 r2 n k (
rs :
regset)
m,
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
andimm r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.and rs#
r2 (
Vint n)
/\
forall r',
important_preg r' =
true ->
r' <>
r1 ->
rs'#
r' =
rs#
r'.
Proof.
Or integer immediate.
Lemma orimm_correct:
forall r1 (
r2:
ireg)
n k (
rs :
regset)
m,
let v :=
Val.or rs#
r2 (
Vint n)
in
exists rs',
exec_straight ge fn (
orimm r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
v
/\
forall r':
preg,
r' <>
r1 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Xor integer immediate.
Lemma xorimm_correct:
forall r1 (
r2:
ireg)
n k (
rs :
regset)
m,
let v :=
Val.xor rs#
r2 (
Vint n)
in
exists rs',
exec_straight ge fn (
xorimm r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
v
/\
forall r':
preg,
r' <>
r1 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Rotate and mask.
Lemma rolm_correct:
forall r1 r2 amount mask k (
rs :
regset)
m,
r1 <>
GPR0 ->
exists rs',
exec_straight ge fn (
rolm r1 r2 amount mask k)
rs m k rs'
m
/\
rs'#
r1 =
Val.rolm rs#
r2 amount mask
/\
forall r',
important_preg r' =
true ->
r' <>
r1 ->
rs'#
r' =
rs#
r'.
Proof.
Load int64 constant.
Lemma loadimm64_32s_correct:
forall r n k rs m,
exists rs',
exec_straight ge fn (
loadimm64_32s r n k)
rs m k rs'
m
/\
rs'#
r =
Vlong (
Int64.sign_ext 32
n)
/\
forall r':
preg,
r' <>
r ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Lemma loadimm64_correct:
forall r n k rs m,
exists rs',
exec_straight ge fn (
loadimm64 r n k)
rs m k rs'
m
/\
rs'#
r =
Vlong n
/\
forall r':
preg,
r' <>
r ->
r' <>
GPR12 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Alternate load int64 immediate
Lemma loadimm64_notemp_correct:
forall r n k rs m,
exists rs',
exec_straight ge fn (
loadimm64_notemp r n k)
rs m k rs'
m
/\
rs'#
r =
Vlong n
/\
forall r':
preg,
r' <>
r ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Add int64 immediate.
Lemma addimm64_correct:
forall r1 r2 n k rs m,
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
addimm64 r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.addl rs#
r2 (
Vlong n)
/\
forall r':
preg,
r' <>
r1 ->
r' <>
GPR0 ->
r' <>
GPR12 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Or int64 immediate.
Lemma orimm64_correct:
forall r1 r2 n k rs m,
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
orimm64 r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.orl rs#
r2 (
Vlong n)
/\
forall r':
preg,
r' <>
r1 ->
r' <>
GPR0 ->
r' <>
GPR12 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
Xor int64 immediate.
Lemma xorimm64_correct:
forall r1 r2 n k rs m,
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
xorimm64 r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.xorl rs#
r2 (
Vlong n)
/\
forall r':
preg,
r' <>
r1 ->
r' <>
GPR0 ->
r' <>
GPR12 ->
r' <>
PC ->
rs'#
r' =
rs#
r'.
Proof.
And int64 immediate.
Lemma andimm64_base_correct:
forall r1 r2 n k rs m,
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
andimm64_base r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.andl rs#
r2 (
Vlong n)
/\
forall r':
preg,
r' <>
r1 ->
r' <>
GPR12 ->
important_preg r' =
true ->
rs'#
r' =
rs#
r'.
Proof.
Lemma andimm64_correct:
forall r1 r2 n k rs m,
r2 <>
GPR0 ->
exists rs',
exec_straight ge fn (
andimm64 r1 r2 n k)
rs m k rs'
m
/\
rs'#
r1 =
Val.andl rs#
r2 (
Vlong n)
/\
forall r':
preg,
r' <>
r1 ->
r' <>
GPR12 ->
important_preg r' =
true ->
rs'#
r' =
rs#
r'.
Proof.
Rotate-and-mask for int64
Lemma rolm64_correct:
forall r1 r2 amount mask k rs m,
r1 <>
GPR0 ->
exists rs',
exec_straight ge fn (
rolm64 r1 r2 amount mask k)
rs m k rs'
m
/\
rs'#
r1 =
Val.rolml rs#
r2 amount mask
/\
forall r':
preg,
r' <>
r1 ->
r' <>
GPR12 ->
important_preg r' =
true ->
rs'#
r' =
rs#
r'.
Proof.
Indexed memory loads.
Lemma accessind_load_correct:
forall (
A:
Type) (
inj:
A ->
preg)
(
instr1:
A ->
constant ->
ireg ->
instruction)
(
instr2:
A ->
ireg ->
ireg ->
instruction)
(
unaligned:
bool)
(
base:
ireg)
ofs rx chunk v (
rs:
regset)
m k,
(
forall rs m r1 cst r2,
exec_instr ge fn (
instr1 r1 cst r2)
rs m =
load1 ge chunk (
inj r1)
cst r2 rs m) ->
(
forall rs m r1 r2 r3,
exec_instr ge fn (
instr2 r1 r2 r3)
rs m =
load2 chunk (
inj r1)
r2 r3 rs m) ->
Mem.loadv chunk m (
Val.offset_ptr rs#
base ofs) =
Some v ->
base <>
GPR0 ->
inj rx <>
PC ->
exists rs',
exec_straight ge fn (
accessind instr1 instr2 unaligned base ofs rx k)
rs m k rs'
m
/\
rs'#(
inj rx) =
v
/\
forall r,
r <>
PC ->
r <>
inj rx ->
r <>
GPR0 ->
rs'#
r =
rs#
r.
Proof.
Lemma loadind_correct:
forall (
base:
ireg)
ofs ty dst k (
rs:
regset)
m v c,
loadind base ofs ty dst k =
OK c ->
Mem.loadv (
chunk_of_type ty)
m (
Val.offset_ptr rs#
base ofs) =
Some v ->
base <>
GPR0 ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
rs'#(
preg_of dst) =
v
/\
forall r,
r <>
PC ->
r <>
preg_of dst ->
r <>
GPR0 ->
rs'#
r =
rs#
r.
Proof.
Indexed memory stores.
Lemma accessind_store_correct:
forall (
A:
Type) (
inj:
A ->
preg)
(
instr1:
A ->
constant ->
ireg ->
instruction)
(
instr2:
A ->
ireg ->
ireg ->
instruction)
(
unaligned:
bool)
(
base:
ireg)
ofs rx chunk (
rs:
regset)
m m'
k,
(
forall rs m r1 cst r2,
exec_instr ge fn (
instr1 r1 cst r2)
rs m =
store1 ge chunk (
inj r1)
cst r2 rs m) ->
(
forall rs m r1 r2 r3,
exec_instr ge fn (
instr2 r1 r2 r3)
rs m =
store2 chunk (
inj r1)
r2 r3 rs m) ->
Mem.storev chunk m (
Val.offset_ptr rs#
base ofs) (
rs (
inj rx)) =
Some m' ->
base <>
GPR0 ->
inj rx <>
PC ->
inj rx <>
GPR0 ->
exists rs',
exec_straight ge fn (
accessind instr1 instr2 unaligned base ofs rx k)
rs m k rs'
m'
/\
forall r,
r <>
PC ->
r <>
GPR0 ->
rs'#
r =
rs#
r.
Proof.
Lemma storeind_correct:
forall (
base:
ireg)
ofs ty src k (
rs:
regset)
m m'
c,
storeind src base ofs ty k =
OK c ->
Mem.storev (
chunk_of_type ty)
m (
Val.offset_ptr rs#
base ofs) (
rs#(
preg_of src)) =
Some m' ->
base <>
GPR0 ->
exists rs',
exec_straight ge fn c rs m k rs'
m'
/\
forall r,
r <>
PC ->
r <>
GPR0 ->
rs'#
r =
rs#
r.
Proof.
Float comparisons.
Lemma floatcomp_correct:
forall cmp (
r1 r2:
freg)
k rs m,
exists rs',
exec_straight ge fn (
floatcomp cmp r1 r2 k)
rs m k rs'
m
/\
rs'#(
reg_of_crbit (
fst (
crbit_for_fcmp cmp))) =
(
if snd (
crbit_for_fcmp cmp)
then Val.cmpf cmp rs#
r1 rs#
r2
else Val.notbool (
Val.cmpf cmp rs#
r1 rs#
r2))
/\
forall r',
r' <>
PC ->
r' <>
CR0_0 ->
r' <>
CR0_1 ->
r' <>
CR0_2 ->
r' <>
CR0_3 ->
rs'#
r' =
rs#
r'.
Proof.
Translation of conditions.
Ltac ArgsInv :=
repeat (
match goal with
| [
H:
Error _ =
OK _ |-
_ ] =>
discriminate
| [
H:
match ?
args with nil =>
_ |
_ ::
_ =>
_ end =
OK _ |-
_ ] =>
destruct args
| [
H:
bind _ _ =
OK _ |-
_ ] =>
monadInv H
| [
H:
match _ with left _ =>
_ |
right _ =>
assertion_failed end =
OK _ |-
_ ] =>
monadInv H;
ArgsInv
| [
H:
match _ with true =>
_ |
false =>
assertion_failed end =
OK _ |-
_ ] =>
monadInv H;
ArgsInv
end);
subst;
repeat (
match goal with
| [
H:
ireg_of _ =
OK _ |-
_ ] =>
simpl in *;
rewrite (
ireg_of_eq _ _ H)
in *
| [
H:
freg_of _ =
OK _ |-
_ ] =>
simpl in *;
rewrite (
freg_of_eq _ _ H)
in *
end).
Lemma transl_cond_correct_1:
forall cond args k rs m c,
transl_cond cond args k =
OK c ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
rs'#(
reg_of_crbit (
fst (
crbit_for_cond cond))) =
(
if snd (
crbit_for_cond cond)
then Val.of_optbool (
eval_condition cond (
map rs (
map preg_of args))
m)
else Val.notbool (
Val.of_optbool (
eval_condition cond (
map rs (
map preg_of args))
m)))
/\
forall r,
important_preg r =
true ->
rs'#
r =
rs#
r.
Proof.
Lemma transl_cond_correct_2:
forall cond args k rs m b c,
transl_cond cond args k =
OK c ->
eval_condition cond (
map rs (
map preg_of args))
m =
Some b ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
rs'#(
reg_of_crbit (
fst (
crbit_for_cond cond))) =
(
if snd (
crbit_for_cond cond)
then Val.of_bool b
else Val.notbool (
Val.of_bool b))
/\
forall r,
important_preg r =
true ->
rs'#
r =
rs#
r.
Proof.
Lemma transl_cond_correct_3:
forall cond args k ms sp rs m b m'
c,
transl_cond cond args k =
OK c ->
agree ms sp rs ->
eval_condition cond (
map ms args)
m =
Some b ->
Mem.extends m m' ->
exists rs',
exec_straight ge fn c rs m'
k rs'
m'
/\
rs'#(
reg_of_crbit (
fst (
crbit_for_cond cond))) =
(
if snd (
crbit_for_cond cond)
then Val.of_bool b
else Val.notbool (
Val.of_bool b))
/\
agree (
Mach.undef_regs (
destroyed_by_cond cond)
ms)
sp rs'.
Proof.
Translation of condition operators
Remark add_carry_eq0:
forall i,
Vint (
Int.add (
Int.add (
Int.sub Int.zero i)
i)
(
Int.add_carry Int.zero (
Int.xor i Int.mone)
Int.one)) =
Val.of_bool (
Int.eq i Int.zero).
Proof.
Remark add_carry_ne0:
forall i,
Vint (
Int.add (
Int.add i (
Int.xor (
Int.add i Int.mone)
Int.mone))
(
Int.add_carry i Int.mone Int.zero)) =
Val.of_bool (
negb (
Int.eq i Int.zero)).
Proof.
Lemma transl_cond_op_correct:
forall cond args r k rs m c,
transl_cond_op cond args r k =
OK c ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
rs'#(
preg_of r) =
Val.of_optbool (
eval_condition cond (
map rs (
map preg_of args))
m)
/\
forall r',
important_preg r' =
true ->
preg_notin r' (
destroyed_by_cond cond) ->
r' <>
preg_of r ->
rs'#
r' =
rs#
r'.
Proof.
Lemma transl_select_op_correct:
forall cond args ty r1 r2 rd k rs m c,
transl_select_op cond args r1 r2 rd k =
OK c ->
important_preg rd =
true ->
important_preg r1 =
true ->
important_preg r2 =
true ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
Val.lessdef (
Val.select (
eval_condition cond (
map rs (
map preg_of args))
m)
rs#
r1 rs#
r2 ty)
rs'#
rd
/\
forall r,
important_preg r =
true ->
r <>
rd ->
rs'#
r =
rs#
r.
Proof.
Lemma transl_fselect_op_correct:
forall cond args ty r1 r2 rd k rs m c,
transl_fselect_op cond args r1 r2 rd k =
OK c ->
important_preg rd =
true ->
important_preg r1 =
true ->
important_preg r2 =
true ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
Val.lessdef (
Val.select (
eval_condition cond (
map rs (
map preg_of args))
m)
rs#
r1 rs#
r2 ty)
rs'#
rd
/\
forall r,
important_preg r =
true ->
r <>
rd ->
rs'#
r =
rs#
r.
Proof.
Translation of arithmetic operations.
Ltac TranslOpSimpl :=
econstructor;
split;
[
apply exec_straight_one; [
simpl;
eauto |
reflexivity]
|
split; [
apply Val.lessdef_same;
Simpl;
fail |
intros;
Simpl;
fail ] ].
Lemma transl_op_correct_aux:
forall op args res k (
rs:
regset)
m v c,
transl_op op args res k =
OK c ->
eval_operation ge (
rs#
GPR1)
op (
map rs (
map preg_of args))
m =
Some v ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
Val.lessdef v rs'#(
preg_of res)
/\
forall r,
important_preg r =
true ->
r <>
preg_of res ->
preg_notin r (
destroyed_by_op op) ->
rs'
r =
rs r.
Proof.
Lemma transl_op_correct:
forall op args res k ms sp rs m v m'
c,
transl_op op args res k =
OK c ->
agree ms sp rs ->
eval_operation ge sp op (
map ms args)
m =
Some v ->
Mem.extends m m' ->
exists rs',
exec_straight ge fn c rs m'
k rs'
m'
/\
agree (
Regmap.set res v (
Mach.undef_regs (
destroyed_by_op op)
ms))
sp rs'
/\
forall r,
important_preg r =
true ->
r <>
preg_of res ->
preg_notin r (
destroyed_by_op op) ->
rs'
r =
rs r.
Proof.
Translation of memory accesses
Lemma transl_memory_access_correct:
forall (
P:
regset ->
Prop)
mk1 mk2 unaligned addr args temp k c (
rs:
regset)
a m m',
transl_memory_access mk1 mk2 unaligned addr args temp k =
OK c ->
eval_addressing ge (
rs#
GPR1)
addr (
map rs (
map preg_of args)) =
Some a ->
temp <>
GPR0 ->
(
forall cst (
r1:
ireg) (
rs1:
regset)
k,
Val.lessdef a (
Val.add (
gpr_or_zero rs1 r1) (
const_low ge cst)) ->
(
forall r,
r <>
PC ->
r <>
temp ->
r <>
GPR0 ->
rs1 r =
rs r) ->
exists rs',
exec_straight ge fn (
mk1 cst r1 ::
k)
rs1 m k rs'
m' /\
P rs') ->
(
forall (
r1 r2:
ireg) (
rs1:
regset)
k,
Val.lessdef a (
Val.add (
gpr_or_zero rs1 r1)
rs1#
r2) ->
(
forall r,
r <>
PC ->
r <>
temp ->
r <>
GPR0 ->
rs1 r =
rs r) ->
exists rs',
exec_straight ge fn (
mk2 r1 r2 ::
k)
rs1 m k rs'
m' /\
P rs') ->
exists rs',
exec_straight ge fn c rs m k rs'
m' /\
P rs'.
Proof.
intros until m';
intros TR ADDR TEMP MK1 MK2.
unfold transl_memory_access in TR;
destruct addr;
ArgsInv;
simpl in ADDR;
inv ADDR.
-
unfold aindexed.
destruct (
unaligned ||
Int.eq (
Int.mods i (
Int.repr 4))
Int.zero); [
destruct (
Int.eq (
high_s i)
Int.zero) |].
+
apply MK1.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
auto.
+
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add (
rs x) (
Vint (
Int.shl (
high_s i) (
Int.repr 16)))))).
exploit (
MK1 (
Cint (
low_s i))
temp rs1 k).
simpl.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
unfold rs1;
Simpl.
rewrite Val.add_assoc.
Transparent Val.add.
simpl.
rewrite low_high_s.
auto.
intros;
unfold rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs'.
split.
apply exec_straight_step with rs1 m.
simpl.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
auto.
auto.
auto.
+
exploit (
loadimm_correct GPR0 i (
mk2 x GPR0 ::
k)
rs).
intros (
rs' &
A &
B &
C).
exploit (
MK2 x GPR0 rs').
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
rewrite B.
rewrite C;
eauto with asmgen.
auto.
intros.
destruct H as [
rs'' [
A1 B1]].
exists rs''.
split.
eapply exec_straight_trans.
exact A.
exact A1.
auto.
-
apply MK2.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
auto.
-
unfold aglobal in *.
destruct (
symbol_is_small_data i i0)
eqn:
SISD; [ |
destruct (
symbol_is_rel_data i i0) ];
inv TR.
+
case (
unaligned ||
symbol_ofs_word_aligned i i0).
apply MK1.
unfold const_low.
rewrite small_data_area_addressing by auto.
rewrite add_zero_symbol_address.
auto.
auto.
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add (
gpr_or_zero rs GPR0) (
const_low ge (
Csymbol_sda i i0))))).
exploit (
MK1 (
Cint Int.zero)
temp rs1).
rewrite gpr_or_zero_not_zero;
auto.
unfold const_low.
unfold rs1.
Simpl.
rewrite gpr_or_zero_zero.
unfold const_low.
rewrite small_data_area_addressing by auto.
rewrite add_zero_symbol_address.
rewrite Val.add_commut.
rewrite add_zero_symbol_address.
auto.
intros.
unfold rs1.
Simpl.
intros.
destruct H as [
rs2 [
A B]].
exists rs2.
split.
eapply exec_straight_step.
reflexivity.
reflexivity.
eexact A.
apply B.
+
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add Vzero (
high_half ge i i0)))).
set (
rs2 :=
nextinstr (
rs1#
temp <- (
Genv.symbol_address ge i i0))).
exploit (
MK1 (
Cint Int.zero)
temp rs2).
simpl.
rewrite gpr_or_zero_not_zero by eauto with asmgen.
unfold rs2.
Simpl.
rewrite Val.add_commut.
rewrite add_zero_symbol_address.
auto.
intros;
unfold rs2,
rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs';
split.
apply exec_straight_step with rs1 m;
auto.
apply exec_straight_step with rs2 m;
auto.
simpl.
unfold rs2.
rewrite gpr_or_zero_not_zero by eauto with asmgen.
f_equal.
f_equal.
f_equal.
unfold rs1;
Simpl.
apply low_high_half_zero.
eexact EX'.
auto.
+
destruct (
unaligned ||
symbol_ofs_word_aligned i i0).
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add Vzero (
high_half ge i i0)))).
exploit (
MK1 (
Csymbol_low i i0)
temp rs1).
simpl.
rewrite gpr_or_zero_not_zero by eauto with asmgen.
unfold rs1.
Simpl.
rewrite low_high_half_zero.
auto.
intros;
unfold rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs';
split.
apply exec_straight_step with rs1 m;
auto.
eexact EX'.
auto.
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add Vzero (
high_half ge i i0)))).
set (
rs2 :=
nextinstr (
rs1#
temp <- (
Genv.symbol_address ge i i0))).
exploit (
MK1 (
Cint Int.zero)
temp rs2).
simpl.
rewrite gpr_or_zero_not_zero by eauto with asmgen.
unfold rs2.
Simpl.
rewrite Val.add_commut.
rewrite add_zero_symbol_address.
auto.
intros;
unfold rs2,
rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs';
split.
apply exec_straight_step with rs1 m;
auto.
apply exec_straight_step with rs2 m;
auto.
simpl.
unfold rs2.
rewrite gpr_or_zero_not_zero;
auto.
f_equal.
f_equal.
f_equal.
unfold rs1;
Simpl.
apply low_high_half_zero.
eexact EX'.
auto.
-
unfold abased in *.
destruct (
symbol_is_small_data i i0)
eqn:
SISD; [ |
destruct (
symbol_is_rel_data i i0) ].
+
set (
rs1 :=
nextinstr (
rs#
GPR0 <- (
Genv.symbol_address ge i i0))).
exploit (
MK2 x GPR0 rs1 k).
simpl.
rewrite gpr_or_zero_not_zero by eauto with asmgen.
unfold rs1;
Simpl.
rewrite Val.add_commut.
auto.
intros.
unfold rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs';
split.
apply exec_straight_step with rs1 m.
unfold exec_instr.
rewrite gpr_or_zero_zero.
f_equal.
unfold rs1.
f_equal.
f_equal.
unfold const_low.
rewrite small_data_area_addressing;
auto.
apply add_zero_symbol_address.
reflexivity.
assumption.
assumption.
+
set (
rs1 :=
nextinstr (
rs#
GPR0 <- (
rs#
x))).
set (
rs2 :=
nextinstr (
rs1#
temp <- (
Val.add Vzero (
high_half ge i i0)))).
set (
rs3 :=
nextinstr (
rs2#
temp <- (
Genv.symbol_address ge i i0))).
exploit (
MK2 temp GPR0 rs3).
rewrite gpr_or_zero_not_zero by eauto with asmgen.
f_equal.
unfold rs3;
Simpl.
unfold rs3,
rs2,
rs1;
Simpl.
intros.
unfold rs3,
rs2,
rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs'.
split.
eapply exec_straight_trans with (
rs2 :=
rs3) (
m2 :=
m).
apply exec_straight_three with rs1 m rs2 m;
auto.
simpl.
unfold rs3.
f_equal.
f_equal.
f_equal.
rewrite gpr_or_zero_not_zero by auto.
unfold rs2;
Simpl.
apply low_high_half_zero.
eexact EX'.
auto.
+
destruct (
unaligned ||
symbol_ofs_word_aligned i i0).
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add (
rs x) (
high_half ge i i0)))).
exploit (
MK1 (
Csymbol_low i i0)
temp rs1 k).
simpl.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
unfold rs1.
Simpl.
rewrite Val.add_assoc.
rewrite low_high_half.
rewrite Val.add_commut.
auto.
intros;
unfold rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs'.
split.
apply exec_straight_step with rs1 m.
unfold exec_instr.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
auto.
assumption.
assumption.
set (
rs1 :=
nextinstr (
rs#
GPR0 <- (
rs#
x))).
set (
rs2 :=
nextinstr (
rs1#
temp <- (
Val.add Vzero (
high_half ge i i0)))).
set (
rs3 :=
nextinstr (
rs2#
temp <- (
Genv.symbol_address ge i i0))).
exploit (
MK2 temp GPR0 rs3).
rewrite gpr_or_zero_not_zero by eauto with asmgen.
f_equal.
unfold rs3;
Simpl.
unfold rs3,
rs2,
rs1;
Simpl.
intros.
unfold rs3,
rs2,
rs1;
Simpl.
intros [
rs' [
EX'
AG']].
exists rs'.
split.
eapply exec_straight_trans with (
rs2 :=
rs3) (
m2 :=
m).
apply exec_straight_three with rs1 m rs2 m;
auto.
simpl.
unfold rs3.
f_equal.
f_equal.
f_equal.
rewrite gpr_or_zero_not_zero by auto.
unfold rs2;
Simpl.
apply low_high_half_zero.
eexact EX'.
auto.
-
unfold ainstack in *.
set (
ofs :=
Ptrofs.to_int i)
in *.
assert (
L:
Val.lessdef (
Val.offset_ptr (
rs GPR1)
i) (
Val.add (
rs GPR1) (
Vint ofs))).
{
destruct (
rs GPR1);
simpl;
auto.
unfold ofs;
rewrite Ptrofs.of_int_to_int;
auto. }
destruct (
unaligned ||
Int.eq (
Int.mods ofs (
Int.repr 4))
Int.zero); [
destruct (
Int.eq (
high_s ofs)
Int.zero)|];
inv TR.
+
apply MK1.
simpl.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
auto.
+
set (
rs1 :=
nextinstr (
rs#
temp <- (
Val.add rs#
GPR1 (
Vint (
Int.shl (
high_s ofs) (
Int.repr 16)))))).
exploit (
MK1 (
Cint (
low_s ofs))
temp rs1 k).
simpl.
rewrite gpr_or_zero_not_zero;
auto.
unfold rs1.
rewrite nextinstr_inv.
rewrite Pregmap.gss.
rewrite Val.add_assoc.
simpl.
rewrite low_high_s.
auto.
congruence.
intros.
unfold rs1.
rewrite nextinstr_inv;
auto.
apply Pregmap.gso;
auto.
intros [
rs' [
EX'
AG']].
exists rs'.
split.
apply exec_straight_step with rs1 m.
unfold exec_instr.
rewrite gpr_or_zero_not_zero;
eauto with asmgen.
auto.
assumption.
assumption.
+
exploit (
addimm_correct temp GPR1 ofs (
mk1 (
Cint Int.zero)
temp ::
k)
rs);
eauto with asmgen.
intros [
rs1 [
A [
B C]]].
exploit (
MK1 (
Cint Int.zero)
temp rs1 k).
rewrite gpr_or_zero_not_zero;
auto.
rewrite B.
simpl.
destruct (
rs GPR1);
auto.
simpl.
rewrite Ptrofs.add_zero.
unfold ofs.
rewrite Ptrofs.of_int_to_int.
auto.
auto.
intros.
rewrite C;
auto.
intros [
rs2 [
EX'
AG']].
exists rs2.
split;
auto.
eapply exec_straight_trans.
eexact A.
assumption.
Qed.
Translation of loads
Lemma transl_load_correct:
forall chunk addr args dst k c (
rs:
regset)
m a v,
transl_load chunk addr args dst k =
OK c ->
eval_addressing ge (
rs#
GPR1)
addr (
map rs (
map preg_of args)) =
Some a ->
Mem.loadv chunk m a =
Some v ->
exists rs',
exec_straight ge fn c rs m k rs'
m
/\
rs'#(
preg_of dst) =
v
/\
forall r,
r <>
PC ->
r <>
GPR12 ->
r <>
GPR0 ->
r <>
preg_of dst ->
rs'
r =
rs r.
Proof.
Translation of stores
Lemma transl_store_correct:
forall chunk addr args src k c (
rs:
regset)
m a m',
transl_store chunk addr args src k =
OK c ->
eval_addressing ge (
rs#
GPR1)
addr (
map rs (
map preg_of args)) =
Some a ->
Mem.storev chunk m a (
rs (
preg_of src)) =
Some m' ->
exists rs',
exec_straight ge fn c rs m k rs'
m'
/\
forall r,
r <>
PC ->
r <>
GPR0 ->
preg_notin r (
destroyed_by_store chunk addr) ->
rs'
r =
rs r.
Proof.
Translation of function epilogues
Lemma transl_epilogue_correct:
forall ge0 f m stk soff cs m'
ms rs k tm,
load_stack m (
Vptr stk soff)
Tptr f.(
fn_link_ofs) =
Some (
parent_sp cs) ->
load_stack m (
Vptr stk soff)
Tptr f.(
fn_retaddr_ofs) =
Some (
parent_ra cs) ->
Mem.free m stk 0
f.(
fn_stacksize) =
Some m' ->
agree ms (
Vptr stk soff)
rs ->
(
is_leaf_function f =
true ->
rs#
LR =
parent_ra cs) ->
Mem.extends m tm ->
match_stack ge0 cs ->
exists rs',
exists tm',
exec_straight ge fn (
transl_epilogue f k)
rs tm k rs'
tm'
/\
agree ms (
parent_sp cs)
rs'
/\
Mem.extends m'
tm'
/\
rs'#
LR =
parent_ra cs
/\
rs'#
SP =
parent_sp cs
/\ (
forall r,
r <>
PC ->
r <>
LR ->
r <>
SP ->
r <>
GPR0 ->
rs'#
r =
rs#
r).
Proof.
End CONSTRUCTORS.