-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathRSC_DC_MD_Sigs.v
339 lines (284 loc) · 12.6 KB
/
RSC_DC_MD_Sigs.v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
Require Import Common.Definitions.
Require Import Common.Linking.
Require Import Common.Blame.
Require Import Common.CompCertExtensions.
Require Import CompCert.Smallstep.
Require Import CompCert.Behaviors.
Set Implicit Arguments.
Unset Strict Implicit.
Unset Printing Implicit Defensive.
(* The repetition verbatim of theorem statements as axioms is
particularly annoying; we will want to eliminate this duplication.
[CH: Agreed, but easy to fix with some extra definitions.]
Naming conventions can also be harmonized.
The current proof is generic while still relying on our Common and
CompCert's infrastructure. [CH: I find this just fine for now.] *)
(* CH: It seemed a bit strange that Program.interface is used
concretely, instead of being just another parameter below.
Same for linkable. It seems related to using everything in
Common though, and so it's just fine for now. *)
Module Type Source_Sig.
Parameter program : Type.
Parameter prog_interface : program -> Program.interface.
Parameter well_formed_program : program -> Prop.
Parameter closed_program : program -> Prop.
Parameter linkable_mains : program -> program -> Prop.
Local Axiom linkable_mains_sym : forall prog1 prog2,
linkable_mains prog1 prog2 ->
linkable_mains prog2 prog1.
Local Axiom linkable_disjoint_mains: forall prog1 prog2,
well_formed_program prog1 ->
well_formed_program prog2 ->
linkable (prog_interface prog1) (prog_interface prog2) ->
linkable_mains prog1 prog2.
Parameter program_link : program -> program -> program.
Local Axiom linking_well_formedness : forall p1 p2,
well_formed_program p1 ->
well_formed_program p2 ->
linkable (prog_interface p1) (prog_interface p2) ->
well_formed_program (program_link p1 p2).
Local Axiom interface_preserves_closedness_l : forall p1 p2 p1',
closed_program (program_link p1 p2) ->
prog_interface p1 = prog_interface p1' ->
well_formed_program p1 ->
well_formed_program p1' ->
closed_program (program_link p1' p2).
Module CS.
Parameter sem : program -> semantics.
End CS.
(* Notes:
- the trace (i.e. behavior) `t` in the diagram from the paper
corresponds to `Goes_wrong t'` in the notation below
- in the paper we use the following notations:
+ t ≺ m = exists m' <= m. t = Goes_wrong m'
t ≺P m = exists m' <= m. t = Goes_wrong m' /\ undef_in t (prog_interface P)
+ this means that t' plays below the role of m' above
*)
Local Axiom blame_program : forall p Cs t' P' m,
well_formed_program p ->
well_formed_program Cs ->
linkable (prog_interface p) (prog_interface Cs) ->
closed_program (program_link p Cs) ->
program_behaves (CS.sem (program_link p Cs)) (Goes_wrong t') ->
well_formed_program P' ->
prog_interface P' = prog_interface p ->
closed_program (program_link P' Cs) ->
does_prefix (CS.sem (program_link P' Cs)) m ->
not_wrong_finpref m ->
trace_finpref_prefix t' m ->
(prefix m (Goes_wrong t') \/ undef_in t' (prog_interface p)).
End Source_Sig.
(* CH: The number of different well-formedness conditions seems a bit
out of control here. *)
Module Type Intermediate_Sig.
Parameter program : Type.
Parameter prog_interface : program -> Program.interface.
Parameter well_formed_program : program -> Prop.
Parameter closed_program : program -> Prop.
Parameter linkable_mains : program -> program -> Prop.
Parameter matching_mains : program -> program -> Prop.
Parameter program_link : program -> program -> program.
Local Axiom linkable_mains_sym : forall p1 p2,
linkable_mains p1 p2 -> linkable_mains p2 p1.
Local Axiom program_linkC : forall p1 p2,
well_formed_program p1 ->
well_formed_program p2 ->
linkable (prog_interface p1) (prog_interface p2) ->
program_link p1 p2 = program_link p2 p1.
Local Axiom linking_well_formedness : forall p1 p2,
well_formed_program p1 ->
well_formed_program p2 ->
linkable (prog_interface p1) (prog_interface p2) ->
well_formed_program (program_link p1 p2).
Local Axiom interface_preserves_closedness_r : forall p1 p2 p2',
well_formed_program p1 ->
well_formed_program p2' ->
prog_interface p2 = prog_interface p2' ->
linkable (prog_interface p1) (prog_interface p2) ->
closed_program (program_link p1 p2) ->
linkable_mains p1 p2 ->
matching_mains p2 p2' ->
closed_program (program_link p1 p2').
Module CS.
Parameter sem : program -> semantics.
End CS.
(* Local Axiom decomposition_with_refinement : *)
(* forall p c, *)
(* well_formed_program p -> *)
(* well_formed_program c -> *)
(* linkable (prog_interface p) (prog_interface c) -> *)
(* linkable_mains p c -> *)
(* forall beh1, *)
(* program_behaves (CS.sem (program_link p c)) beh1 -> *)
(* exists beh2, *)
(* program_behaves (PS.sem p (prog_interface c)) beh2 /\ *)
(* behavior_improves beh1 beh2. *)
(* Local Axiom decomposition_prefix : *)
(* forall p c m, *)
(* well_formed_program p -> *)
(* well_formed_program c -> *)
(* linkable (prog_interface p) (prog_interface c) -> *)
(* linkable_mains p c -> *)
(* not_wrong_finpref m -> (* needed here, and will have it in main proof *) *)
(* does_prefix (CS.sem (program_link p c)) m -> *)
(* does_prefix (PS.sem p (prog_interface c)) m. *)
(* Local Axiom composition_prefix : *)
(* forall p c m, *)
(* well_formed_program p -> *)
(* well_formed_program c -> *)
(* linkable_mains p c -> *)
(* closed_program (program_link p c) -> *)
(* mergeable_interfaces (prog_interface p) (prog_interface c) -> *)
(* does_prefix (PS.sem p (prog_interface c)) m -> *)
(* does_prefix (PS.sem c (prog_interface p)) m -> *)
(* does_prefix (CS.sem (program_link p c)) m. *)
Local Axiom compose_mergeable_interfaces :
forall p c,
linkable (prog_interface p) (prog_interface c) ->
closed_program (program_link p c) ->
mergeable_interfaces (prog_interface p) (prog_interface c).
Local Axiom recombination_prefix :
forall p c p' c',
well_formed_program p ->
well_formed_program c ->
well_formed_program p' ->
well_formed_program c' ->
mergeable_interfaces (prog_interface p) (prog_interface c) ->
prog_interface p = prog_interface p' ->
prog_interface c = prog_interface c' ->
closed_program (program_link p c) ->
closed_program (program_link p' c') ->
forall m,
does_prefix (CS.sem (program_link p c)) m ->
does_prefix (CS.sem (program_link p' c')) m ->
does_prefix (CS.sem (program_link p c')) m.
End Intermediate_Sig.
Module Type S2I_Sig (Source : Source_Sig) (Intermediate : Intermediate_Sig).
Parameter matching_mains : Source.program -> Intermediate.program -> Prop.
Local Axiom matching_mains_equiv : forall p1 p2 p3,
matching_mains p1 p2 ->
matching_mains p1 p3 ->
Intermediate.matching_mains p2 p3.
End S2I_Sig.
Module Type Linker_Sig
(Source : Source_Sig)
(Intermediate : Intermediate_Sig)
(S2I : S2I_Sig Source Intermediate).
Local Axiom definability_with_linking :
forall p c b m,
Intermediate.well_formed_program p ->
Intermediate.well_formed_program c ->
linkable (Intermediate.prog_interface p) (Intermediate.prog_interface c) ->
Intermediate.closed_program (Intermediate.program_link p c) ->
program_behaves (Intermediate.CS.sem (Intermediate.program_link p c)) b ->
prefix m b ->
not_wrong_finpref m ->
exists p' c',
Source.prog_interface p' = Intermediate.prog_interface p /\
Source.prog_interface c' = Intermediate.prog_interface c /\
S2I.matching_mains p' p /\
S2I.matching_mains c' c /\
Source.well_formed_program p' /\
Source.well_formed_program c' /\
Source.closed_program (Source.program_link p' c') /\
does_prefix (Source.CS.sem (Source.program_link p' c')) m.
(* TODO: split definability_with_linking into a more standard
definability + a "unlinking" lemma *)
(* Local Axiom definability : *)
(* forall p m, *)
(* Intermediate.well_formed_program p -> *)
(* Intermediate.closed_program p -> *)
(* does_prefix (Intermediate.CS.sem p) m -> *)
(* not_wrong_finpref m -> *)
(* exists p', *)
(* Source.prog_interface p' = Intermediate.prog_interface p /\ *)
(* S2I.matching_mains p' p /\ *)
(* Source.well_formed_program p' /\ *)
(* Source.closed_program p' /\ *)
(* does_prefix (Source.CS.sem p') m. *)
(* Local Axiom unlinking : forall p i1 i2, *)
(* Source.prog_interface p = unionm i1 i2 -> *)
(* Source.well_formed_program p -> *)
(* linkable i1 i2 -> *)
(* exists p1 p2, Source.program_link p1 p2 = p /\ *)
(* Source.prog_interface p1 = i1 /\ *)
(* Source.prog_interface p2 = i2. *)
End Linker_Sig.
Module Type Compiler_Sig
(Source : Source_Sig)
(Intermediate : Intermediate_Sig)
(S2I : S2I_Sig Source Intermediate).
Parameter compile_program : Source.program -> option Intermediate.program.
Local Axiom well_formed_compilable :
forall p,
Source.well_formed_program p ->
exists pc,
compile_program p = Some pc.
Local Axiom compilation_preserves_well_formedness : forall p p_compiled,
Source.well_formed_program p ->
compile_program p = Some p_compiled ->
Intermediate.well_formed_program p_compiled.
Local Axiom compilation_preserves_interface : forall p p_compiled,
compile_program p = Some p_compiled ->
Intermediate.prog_interface p_compiled = Source.prog_interface p.
Local Axiom compilation_preserves_linkability : forall p p_compiled c c_compiled,
Source.well_formed_program p ->
Source.well_formed_program c ->
linkable (Source.prog_interface p) (Source.prog_interface c) ->
compile_program p = Some p_compiled ->
compile_program c = Some c_compiled ->
linkable (Intermediate.prog_interface p_compiled) (Intermediate.prog_interface c_compiled).
Local Axiom compilation_preserves_linkable_mains : forall p1 p1' p2 p2',
Source.well_formed_program p1 ->
Source.well_formed_program p2 ->
Source.linkable_mains p1 p2 ->
compile_program p1 = Some p1' ->
compile_program p2 = Some p2' ->
Intermediate.linkable_mains p1' p2'.
Local Axiom compilation_has_matching_mains : forall p p_compiled,
Source.well_formed_program p ->
compile_program p = Some p_compiled ->
S2I.matching_mains p p_compiled.
(* CH: To match the paper this should be weakened even more to work with prefixes *)
(* Local Axiom separate_compilation_weaker : *)
(* forall p c pc_comp p_comp c_comp, *)
(* Source.well_formed_program p -> *)
(* Source.well_formed_program c -> *)
(* linkable (Source.prog_interface p) (Source.prog_interface c) -> *)
(* compile_program p = Some p_comp -> *)
(* compile_program c = Some c_comp -> *)
(* compile_program (Source.program_link p c) = Some pc_comp -> *)
(* forall b : program_behavior, *)
(* program_behaves (Intermediate.CS.sem pc_comp) b <-> *)
(* program_behaves (Intermediate.CS.sem (Intermediate.program_link p_comp c_comp)) b. *)
(* Local Axiom S_simulates_I: *)
(* forall p, *)
(* Source.closed_program p -> *)
(* Source.well_formed_program p -> *)
(* forall tp, *)
(* compile_program p = Some tp -> *)
(* backward_simulation (Source.CS.sem p) (Intermediate.CS.sem tp). *)
Local Axiom forward_simulation_same_safe_prefix:
forall p p_compiled c c_compiled m,
linkable (Source.prog_interface p) (Source.prog_interface c) ->
Source.closed_program (Source.program_link p c) ->
Source.well_formed_program p ->
Source.well_formed_program c ->
does_prefix (Source.CS.sem (Source.program_link p c)) m ->
not_wrong_finpref m ->
compile_program p = Some p_compiled ->
compile_program c = Some c_compiled ->
does_prefix (Intermediate.CS.sem (Intermediate.program_link p_compiled c_compiled)) m.
Local Axiom backward_simulation_behavior_improves_prefix :
forall p p_compiled c c_compiled m,
linkable (Source.prog_interface p) (Source.prog_interface c) ->
Source.closed_program (Source.program_link p c) ->
Source.well_formed_program p ->
Source.well_formed_program c ->
compile_program p = Some p_compiled ->
compile_program c = Some c_compiled ->
does_prefix (Intermediate.CS.sem (Intermediate.program_link p_compiled c_compiled)) m ->
exists b,
program_behaves (Source.CS.sem (Source.program_link p c)) b /\
(prefix m b \/ behavior_improves_finpref b m).
End Compiler_Sig.