Library compcert.common.Memtype


This file defines the interface for the memory model that is used in the dynamic semantics of all the languages used in the compiler. It defines a type mem of memory states, the following 4 basic operations over memory states, and their properties:
  • load: read a memory chunk at a given address;
  • store: store a memory chunk at a given address;
  • alloc: allocate a fresh memory block;
  • free: invalidate a memory block.

Require Import Coqlib.
Require Import AST.
Require Import Integers.
Require Import Floats.
Require Import Values.
Require Import Memdata.
Require Intv.

CompCertX:test-compcert-param-memory Needed by Allocproof.
Require Archi.

Memory states are accessed by addresses b, ofs: pairs of a block identifier b and a byte offset ofs within that block. Each address is associated to permissions, also known as access rights. The following permissions are expressible:
  • Freeable (exclusive access): all operations permitted
  • Writable: load, store and pointer comparison operations are permitted, but freeing is not.
  • Readable: only load and pointer comparison operations are permitted.
  • Nonempty: valid, but only pointer comparisons are permitted.
  • Empty: not yet allocated or previously freed; no operation permitted.
The first four cases are represented by the following type of permissions. Being empty is represented by the absence of any permission.

Inductive permission: Type :=
  | Freeable: permission
  | Writable: permission
  | Readable: permission
  | Nonempty: permission.

In the list, each permission implies the other permissions further down the list. We reflect this fact by the following order over permissions.

Inductive perm_order: permission -> permission -> Prop :=
  | perm_refl: forall p, perm_order p p
  | perm_F_any: forall p, perm_order Freeable p
  | perm_W_R: perm_order Writable Readable
  | perm_any_N: forall p, perm_order p Nonempty.

Hint Constructors perm_order: mem.

Lemma perm_order_trans:
  forall p1 p2 p3, perm_order p1 p2 -> perm_order p2 p3 -> perm_order p1 p3.
Proof.
  intros. inv H; inv H0; constructor.
Qed.

Each address has not one, but two permissions associated with it. The first is the current permission. It governs whether operations (load, store, free, etc) over this address succeed or not. The other is the maximal permission. It is always at least as strong as the current permission. Once a block is allocated, the maximal permission of an address within this block can only decrease, as a result of free or drop_perm operations, or of external calls. In contrast, the current permission of an address can be temporarily lowered by an external call, then raised again by another external call.

Inductive perm_kind: Type :=
  | Max: perm_kind
  | Cur: perm_kind.

Local Unset Elimination Schemes.
Local Unset Case Analysis Schemes.

CompCertX:test-compcert-param-memory Previously, CompCert defined the specification of the memory model as a Module Type MEM, which was never used anywhere in CompCert, preferring to use an actual implementation. This used to make the compiler not parameterizable over the implementation of the memory model. However, it turns out that most uses of CompCert's memory model do not depend on the actual implementation, but only depend on properly specified lemmas. The purpose of this branch is to highlight this fact. To this end, we take advantage of Coq 8.4's new type class feature and its inference mechanism, which offers first-order parametricity contrary to the native Coq module system.
To keep compatibility with CompCert's code, we introduce here the module Mem, which is

Module Mem.

CompCertX:test-compcert-param-memory We separate the memory operations (in the class MemoryModelOps below) from their specifications in MemoryModel. Indeed, memory operations are in Type and may be extracted and used by OCaml code -- and in fact, they are, because of the C interpreter -- contrary to the properties which are in Prop.

Class MemoryModelOps (mem: Type) := {

Operations on memory states

empty is the initial memory state.
 empty: mem;

alloc m lo hi allocates a fresh block of size hi - lo bytes. Valid offsets in this block are between lo included and hi excluded. These offsets are writable in the returned memory state. This block is not initialized: its contents are initially undefined. Returns a pair (, b) of the updated memory state and the identifier b of the newly-allocated block. Note that alloc never fails: we are modeling an infinite memory.
alloc: forall (m: mem) (lo hi: Z), mem * block;

free m b lo hi frees (deallocates) the range of offsets from lo included to hi excluded in block b. Returns the updated memory state, or None if the freed addresses are not writable.
free: forall (m: mem) (b: block) (lo hi: Z), option mem;

load chunk m b ofs reads a memory quantity chunk from addresses b, ofs to b, ofs + size_chunk chunk - 1 in memory state m. Returns the value read, or None if the accessed addresses are not readable.
load: forall (chunk: memory_chunk) (m: mem) (b: block) (ofs: Z), option val;

store chunk m b ofs v writes value v as memory quantity chunk from addresses b, ofs to b, ofs + size_chunk chunk - 1 in memory state m. Returns the updated memory state, or None if the accessed addresses are not writable.
store: forall (chunk: memory_chunk) (m: mem) (b: block) (ofs: Z) (v: val), option mem;

loadbytes m b ofs n reads and returns the byte-level representation of the values contained at offsets ofs to ofs + n - 1 within block b in memory state m. None is returned if the accessed addresses are not readable.
loadbytes: forall (m: mem) (b: block) (ofs n: Z), option (list memval);

storebytes m b ofs bytes stores the given list of bytes bytes starting at location (b, ofs). Returns updated memory state or None if the accessed locations are not writable.
storebytes: forall (m: mem) (b: block) (ofs: Z) (bytes: list memval), option mem;

drop_perm m b lo hi p sets the permissions of the byte range (b, lo) ... (b, hi - 1) to p. These bytes must have Freeable permissions in the initial memory state m. Returns updated memory state, or None if insufficient permissions.

drop_perm: forall (m: mem) (b: block) (lo hi: Z) (p: permission), option mem;

Permissions, block validity, access validity, and bounds

The next block of a memory state is the block identifier for the next allocation. It increases by one at each allocation. Block identifiers below nextblock are said to be valid, meaning that they have been allocated previously. Block identifiers above nextblock are fresh or invalid, i.e. not yet allocated. Note that a block identifier remains valid after a free operation over this block.

nextblock: mem -> block;

valid_block (m: mem) (b: block) := Plt b (nextblock m);

perm m b ofs k p holds if the address b, ofs in memory state m has permission p: one of freeable, writable, readable, and nonempty. If the address is empty, perm m b ofs p is false for all values of p. k is the kind of permission we are interested in: either the current permissions or the maximal permissions.
perm: forall (m: mem) (b: block) (ofs: Z) (k: perm_kind) (p: permission), Prop;

valid_pointer m b ofs returns true if the address b, ofs is nonempty in m and false if it is empty.

valid_pointer: forall (m: mem) (b: block) (ofs: Z), bool;

Relating two memory states.

Memory extensions

A store m2 extends a store m1 if m2 can be obtained from m1 by relaxing the permissions of m1 (for instance, allocating larger blocks) and replacing some of the Vundef values stored in m1 by more defined values stored in m2 at the same addresses.

 extends: mem -> mem -> Prop;

Memory injections

A memory injection f is a function from addresses to either None or Some of an address and an offset. It defines a correspondence between the blocks of two memory states m1 and m2:
  • if f b = None, the block b of m1 has no equivalent in m2;
  • if f b = Some(, ofs), the block b of m2 corresponds to a sub-block at offset ofs of the block in m2.
A memory injection f defines a relation val_inject between values that is the identity for integer and float values, and relocates pointer values as prescribed by f. (See module Values.)
Likewise, a memory injection f defines a relation between memory states that we now axiomatize.

 inject: meminj -> mem -> mem -> Prop;

Memory states that inject into themselves.

 inject_neutral: forall (thr: block) (m: mem), Prop;

Invariance properties between two memory states

CompCertX:test-compcert-param-memory Required by Princeton, specified into implementation
 unchanged_on (P: block -> Z -> Prop) (m_before m_after: mem) : Prop

}.

Definition flat_inj (thr: block) : meminj :=
  fun (b: block) => if plt b thr then Some(b, 0) else None.

Section WITHMEMOPS.

Context `{memory_model_ops: MemoryModelOps}.

loadv and storev are variants of load and store where the address being accessed is passed as a value (of the Vptr kind).

Definition loadv (chunk: memory_chunk) (m: mem) (addr: val) : option val :=
  match addr with
  | Vptr b ofs => load chunk m b (Int.unsigned ofs)
  | _ => None
  end.

Definition storev (chunk: memory_chunk) (m: mem) (addr v: val) : option mem :=
  match addr with
  | Vptr b ofs => store chunk m b (Int.unsigned ofs) v
  | _ => None
  end.

range_perm m b lo hi p holds iff the addresses b, lo to b, hi-1 all have permission p of kind k.
Definition range_perm (m: mem) (b: block) (lo hi: Z) (k: perm_kind) (p: permission) : Prop :=
  forall ofs, lo <= ofs < hi -> perm m b ofs k p.

An access to a memory quantity chunk at address b, ofs with permission p is valid in m if the accessed addresses all have current permission p and moreover the offset is properly aligned.
Definition valid_access (m: mem) (chunk: memory_chunk) (b: block) (ofs: Z) (p: permission): Prop :=
  range_perm m b ofs (ofs + size_chunk chunk) Cur p
  /\ (align_chunk chunk | ofs).

C allows pointers one past the last element of an array. These are not valid according to the previously defined valid_pointer. The property weak_valid_pointer m b ofs holds if address b, ofs is a valid pointer in m, or a pointer one past a valid block in m.

Definition weak_valid_pointer (m: mem) (b: block) (ofs: Z) :=
  valid_pointer m b ofs || valid_pointer m b (ofs - 1).

free_list frees all the given (block, lo, hi) triples.
Fixpoint free_list (m: mem) (l: list (block * Z * Z)) {struct l}: option mem :=
  match l with
  | nil => Some m
  | (b, lo, hi) :: =>
      match free m b lo hi with
      | None => None
      | Some => free_list
      end
  end.

Definition inj_offset_aligned (delta: Z) (size: Z) : Prop :=
  forall chunk, size_chunk chunk <= size -> (align_chunk chunk | delta).

Definition meminj_no_overlap (f: meminj) (m: mem) : Prop :=
  forall b1 b1´ delta1 b2 b2´ delta2 ofs1 ofs2,
  b1 <> b2 ->
  f b1 = Some (b1´, delta1) ->
  f b2 = Some (b2´, delta2) ->
  perm m b1 ofs1 Max Nonempty ->
  perm m b2 ofs2 Max Nonempty ->
  b1´ <> b2´ \/ ofs1 + delta1 <> ofs2 + delta2.

End WITHMEMOPS.

CompCertX:test-compcert-param-memory The specification of the memory model retains all axioms provided by the former MEM module type, but it turns out that some places in CompCert 2.x code now also use theorems that used to be defined only in the implementation. We add them here to the specification.

Class MemoryModel (mem: Type) `{memory_model_ops: MemoryModelOps mem}: Prop := {

 valid_not_valid_diff:
  forall m b , valid_block m b -> ~(valid_block m ) -> b <> ;

Logical implications between permissions

 perm_implies:
  forall m b ofs k p1 p2, perm m b ofs k p1 -> perm_order p1 p2 -> perm m b ofs k p2;

The current permission is always less than or equal to the maximal permission.

 perm_cur_max:
  forall m b ofs p, perm m b ofs Cur p -> perm m b ofs Max p;
 perm_cur:
  forall m b ofs k p, perm m b ofs Cur p -> perm m b ofs k p;
 perm_max:
  forall m b ofs k p, perm m b ofs k p -> perm m b ofs Max p;

Having a (nonempty) permission implies that the block is valid. In other words, invalid blocks, not yet allocated, are all empty.
 perm_valid_block:
  forall m b ofs k p, perm m b ofs k p -> valid_block m b;


CompCertX:test-compcert-param-memory Indeed, it is unused. It used to be used in some proof in Initializersproof, but that particular proof also relied on other implementation-specific features, so we rewrote it, and finally the rewritten version no longer uses perm_dec.

 range_perm_implies:
  forall m b lo hi k p1 p2,
  range_perm m b lo hi k p1 -> perm_order p1 p2 -> range_perm m b lo hi k p2;

CompCertX:test-compcert-param-memory Added from implementation, actually used in Events
 range_perm_cur:
  forall m b lo hi k p,
  range_perm m b lo hi Cur p -> range_perm m b lo hi k p;
 range_perm_max:
  forall m b lo hi k p,
  range_perm m b lo hi k p -> range_perm m b lo hi Max p;

 valid_access_implies:
  forall m chunk b ofs p1 p2,
  valid_access m chunk b ofs p1 -> perm_order p1 p2 ->
  valid_access m chunk b ofs p2;

 valid_access_valid_block:
  forall m chunk b ofs,
  valid_access m chunk b ofs Nonempty ->
  valid_block m b;

 valid_access_perm:
  forall m chunk b ofs k p,
  valid_access m chunk b ofs p ->
  perm m b ofs k p;

 valid_pointer_nonempty_perm:
  forall m b ofs,
  valid_pointer m b ofs = true <-> perm m b ofs Cur Nonempty;
 valid_pointer_valid_access:
  forall m b ofs,
  valid_pointer m b ofs = true <-> valid_access m Mint8unsigned b ofs Nonempty;

 weak_valid_pointer_spec:
  forall m b ofs,
  weak_valid_pointer m b ofs = true <->
    valid_pointer m b ofs = true \/ valid_pointer m b (ofs - 1) = true;
 valid_pointer_implies:
  forall m b ofs,
  valid_pointer m b ofs = true -> weak_valid_pointer m b ofs = true;

Properties of the memory operations

Properties of the initial memory state.


 nextblock_empty: nextblock empty = 1%positive;
 perm_empty: forall b ofs k p, ~perm empty b ofs k p;
 valid_access_empty:
  forall chunk b ofs p, ~valid_access empty chunk b ofs p;

Properties of load.

A load succeeds if and only if the access is valid for reading
 valid_access_load:
  forall m chunk b ofs,
  valid_access m chunk b ofs Readable ->
  exists v, load chunk m b ofs = Some v;
 load_valid_access:
  forall m chunk b ofs v,
  load chunk m b ofs = Some v ->
  valid_access m chunk b ofs Readable;

The value returned by load belongs to the type of the memory quantity accessed: Vundef, Vint or Vptr for an integer quantity, Vundef or Vfloat for a float quantity.
 load_type:
  forall m chunk b ofs v,
  load chunk m b ofs = Some v ->
  Val.has_type v (type_of_chunk chunk);

For a small integer or float type, the value returned by load is invariant under the corresponding cast.
 load_cast:
  forall m chunk b ofs v,
  load chunk m b ofs = Some v ->
  match chunk with
  | Mint8signed => v = Val.sign_ext 8 v
  | Mint8unsigned => v = Val.zero_ext 8 v
  | Mint16signed => v = Val.sign_ext 16 v
  | Mint16unsigned => v = Val.zero_ext 16 v
  | Mfloat32 => v = Val.singleoffloat v
  | _ => True
  end;

 load_int8_signed_unsigned:
  forall m b ofs,
  load Mint8signed m b ofs = option_map (Val.sign_ext 8) (load Mint8unsigned m b ofs);

 load_int16_signed_unsigned:
  forall m b ofs,
  load Mint16signed m b ofs = option_map (Val.sign_ext 16) (load Mint16unsigned m b ofs);

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in Allocproof
 loadv_int64_split:
  forall m a v,
  loadv Mint64 m a = Some v ->
  exists v1 v2,
     loadv Mint32 m a = Some (if Archi.big_endian then v1 else v2)
  /\ loadv Mint32 m (Val.add a (Vint (Int.repr 4))) = Some (if Archi.big_endian then v2 else v1)
  /\ v = Val.longofwords v1 v2;

Properties of loadbytes.

loadbytes succeeds if and only if we have read permissions on the accessed memory area.

 range_perm_loadbytes:
  forall m b ofs len,
  range_perm m b ofs (ofs + len) Cur Readable ->
  exists bytes, loadbytes m b ofs len = Some bytes;
 loadbytes_range_perm:
  forall m b ofs len bytes,
  loadbytes m b ofs len = Some bytes ->
  range_perm m b ofs (ofs + len) Cur Readable;

If loadbytes succeeds, the corresponding load succeeds and returns a value that is determined by the bytes read by loadbytes.
 loadbytes_load:
  forall chunk m b ofs bytes,
  loadbytes m b ofs (size_chunk chunk) = Some bytes ->
  (align_chunk chunk | ofs) ->
  load chunk m b ofs = Some(decode_val chunk bytes);

Conversely, if load returns a value, the corresponding loadbytes succeeds and returns a list of bytes which decodes into the result of load.
 load_loadbytes:
  forall chunk m b ofs v,
  load chunk m b ofs = Some v ->
  exists bytes, loadbytes m b ofs (size_chunk chunk) = Some bytes
             /\ v = decode_val chunk bytes;

loadbytes returns a list of length n (the number of bytes read).
 loadbytes_length:
  forall m b ofs n bytes,
  loadbytes m b ofs n = Some bytes ->
  length bytes = nat_of_Z n;

 loadbytes_empty:
  forall m b ofs n,
  n <= 0 -> loadbytes m b ofs n = Some nil;

Composing or decomposing loadbytes operations at adjacent addresses.
 loadbytes_concat:
  forall m b ofs n1 n2 bytes1 bytes2,
  loadbytes m b ofs n1 = Some bytes1 ->
  loadbytes m b (ofs + n1) n2 = Some bytes2 ->
  n1 >= 0 -> n2 >= 0 ->
  loadbytes m b ofs (n1 + n2) = Some(bytes1 ++ bytes2);
 loadbytes_split:
  forall m b ofs n1 n2 bytes,
  loadbytes m b ofs (n1 + n2) = Some bytes ->
  n1 >= 0 -> n2 >= 0 ->
  exists bytes1, exists bytes2,
     loadbytes m b ofs n1 = Some bytes1
  /\ loadbytes m b (ofs + n1) n2 = Some bytes2
  /\ bytes = bytes1 ++ bytes2;

Properties of store.

store preserves block validity, permissions, access validity, and bounds. Moreover, a store succeeds if and only if the corresponding access is valid for writing.

 nextblock_store:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  nextblock m2 = nextblock m1;
 store_valid_block_1:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall , valid_block m1 -> valid_block m2 ;
 store_valid_block_2:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall , valid_block m2 -> valid_block m1 ;

 perm_store_1:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall ofs´ k p, perm m1 ofs´ k p -> perm m2 ofs´ k p;
 perm_store_2:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall ofs´ k p, perm m2 ofs´ k p -> perm m1 ofs´ k p;

 store_valid_access_1:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall chunk´ ofs´ p,
  valid_access m1 chunk´ ofs´ p -> valid_access m2 chunk´ ofs´ p;
 store_valid_access_2:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall chunk´ ofs´ p,
  valid_access m2 chunk´ ofs´ p -> valid_access m1 chunk´ ofs´ p;
 store_valid_access_3:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  valid_access m1 chunk b ofs Writable;

CompCertX:test-compcert-param-memory This theorem is downgraded from Type to Prop.
 valid_access_store:
  forall m1 chunk b ofs v,
  valid_access m1 chunk b ofs Writable ->
  exists m2: mem, store chunk m1 b ofs v = Some m2;


Load-store properties.

 load_store_similar:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall chunk´,
  size_chunk chunk´ = size_chunk chunk ->
  align_chunk chunk´ <= align_chunk chunk ->
  exists , load chunk´ m2 b ofs = Some /\ decode_encode_val v chunk chunk´ ;

CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueDomain
 load_store_similar_2:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall chunk´,
    size_chunk chunk´ = size_chunk chunk ->
    align_chunk chunk´ <= align_chunk chunk ->
    type_of_chunk chunk´ = type_of_chunk chunk ->
    load chunk´ m2 b ofs = Some (Val.load_result chunk´ v);

 load_store_same:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  load chunk m2 b ofs = Some (Val.load_result chunk v);

 load_store_other:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall chunk´ ofs´,
   <> b
  \/ ofs´ + size_chunk chunk´ <= ofs
  \/ ofs + size_chunk chunk <= ofs´ ->
  load chunk´ m2 ofs´ = load chunk´ m1 ofs´;

Integrity of pointer values.

 load_store_pointer_overlap:
  forall chunk m1 b ofs v_b v_o m2 chunk´ ofs´ v,
  store chunk m1 b ofs (Vptr v_b v_o) = Some m2 ->
  load chunk´ m2 b ofs´ = Some v ->
  ofs´ <> ofs ->
  ofs´ + size_chunk chunk´ > ofs ->
  ofs + size_chunk chunk > ofs´ ->
  v = Vundef;
 load_store_pointer_mismatch:
  forall chunk m1 b ofs v_b v_o m2 chunk´ v,
  store chunk m1 b ofs (Vptr v_b v_o) = Some m2 ->
  load chunk´ m2 b ofs = Some v ->
  chunk <> Mint32 \/ chunk´ <> Mint32 ->
  v = Vundef;
 load_pointer_store:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall chunk´ ofs´ v_b v_o,
  load chunk´ m2 ofs´ = Some(Vptr v_b v_o) ->
  (chunk = Mint32 /\ v = Vptr v_b v_o /\ chunk´ = Mint32 /\ = b /\ ofs´ = ofs)
  \/ ( <> b \/ ofs´ + size_chunk chunk´ <= ofs \/ ofs + size_chunk chunk <= ofs´);

Load-store properties for loadbytes.

 loadbytes_store_same:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  loadbytes m2 b ofs (size_chunk chunk) = Some(encode_val chunk v);
 loadbytes_store_other:
  forall chunk m1 b ofs v m2, store chunk m1 b ofs v = Some m2 ->
  forall ofs´ n,
   <> b \/ n <= 0 \/ ofs´ + n <= ofs \/ ofs + size_chunk chunk <= ofs´ ->
  loadbytes m2 ofs´ n = loadbytes m1 ofs´ n;

store is insensitive to the signedness or the high bits of small integer quantities.

 store_signed_unsigned_8:
  forall m b ofs v,
  store Mint8signed m b ofs v = store Mint8unsigned m b ofs v;
 store_signed_unsigned_16:
  forall m b ofs v,
  store Mint16signed m b ofs v = store Mint16unsigned m b ofs v;
 store_int8_zero_ext:
  forall m b ofs n,
  store Mint8unsigned m b ofs (Vint (Int.zero_ext 8 n)) =
  store Mint8unsigned m b ofs (Vint n);
 store_int8_sign_ext:
  forall m b ofs n,
  store Mint8signed m b ofs (Vint (Int.sign_ext 8 n)) =
  store Mint8signed m b ofs (Vint n);
 store_int16_zero_ext:
  forall m b ofs n,
  store Mint16unsigned m b ofs (Vint (Int.zero_ext 16 n)) =
  store Mint16unsigned m b ofs (Vint n);
 store_int16_sign_ext:
  forall m b ofs n,
  store Mint16signed m b ofs (Vint (Int.sign_ext 16 n)) =
  store Mint16signed m b ofs (Vint n);
 store_float32_truncate:
  forall m b ofs n,
  store Mfloat32 m b ofs (Vfloat (Float.singleoffloat n)) =
  store Mfloat32 m b ofs (Vfloat n);

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in Allocproof
 storev_int64_split:
  forall m a v ,
  storev Mint64 m a v = Some ->
  exists m1,
     storev Mint32 m a (if Archi.big_endian then Val.hiword v else Val.loword v) = Some m1
  /\ storev Mint32 m1 (Val.add a (Vint (Int.repr 4))) (if Archi.big_endian then Val.loword v else Val.hiword v) = Some ;

Properties of storebytes.

storebytes preserves block validity, permissions, access validity, and bounds. Moreover, a storebytes succeeds if and only if we have write permissions on the addressed memory area.

 storebytes_range_perm:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  range_perm m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable;
 perm_storebytes_1:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall ofs´ k p, perm m1 ofs´ k p -> perm m2 ofs´ k p;
 perm_storebytes_2:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall ofs´ k p, perm m2 ofs´ k p -> perm m1 ofs´ k p;
 storebytes_valid_access_1:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall chunk´ ofs´ p,
  valid_access m1 chunk´ ofs´ p -> valid_access m2 chunk´ ofs´ p;
 storebytes_valid_access_2:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall chunk´ ofs´ p,
  valid_access m2 chunk´ ofs´ p -> valid_access m1 chunk´ ofs´ p;
 nextblock_storebytes:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  nextblock m2 = nextblock m1;
 storebytes_valid_block_1:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall , valid_block m1 -> valid_block m2 ;
 storebytes_valid_block_2:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall , valid_block m2 -> valid_block m1 ;

CompCertX:test-compcert-param-memory This theorem is downgraded from Type to Prop.
 range_perm_storebytes:
  forall m1 b ofs bytes,
  range_perm m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable ->
  exists m2 : mem, storebytes m1 b ofs bytes = Some m2;

Connections between store and storebytes.

 storebytes_store:
  forall m1 b ofs chunk v m2,
  storebytes m1 b ofs (encode_val chunk v) = Some m2 ->
  (align_chunk chunk | ofs) ->
  store chunk m1 b ofs v = Some m2;

 store_storebytes:
  forall m1 b ofs chunk v m2,
  store chunk m1 b ofs v = Some m2 ->
  storebytes m1 b ofs (encode_val chunk v) = Some m2;

Load-store properties.

 loadbytes_storebytes_same:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  loadbytes m2 b ofs (Z_of_nat (length bytes)) = Some bytes;
 loadbytes_storebytes_other:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall ofs´ len,
  len >= 0 ->
   <> b
  \/ ofs´ + len <= ofs
  \/ ofs + Z_of_nat (length bytes) <= ofs´ ->
  loadbytes m2 ofs´ len = loadbytes m1 ofs´ len;
 load_storebytes_other:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall chunk ofs´,
   <> b
  \/ ofs´ + size_chunk chunk <= ofs
  \/ ofs + Z_of_nat (length bytes) <= ofs´ ->
  load chunk m2 ofs´ = load chunk m1 ofs´;

CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueDomain
 loadbytes_storebytes_disjoint:
  forall m1 b ofs bytes m2, storebytes m1 b ofs bytes = Some m2 ->
  forall ofs´ len,
  len >= 0 ->
   <> b \/ Intv.disjoint (ofs´, ofs´ + len) (ofs, ofs + Z_of_nat (length bytes)) ->
  loadbytes m2 ofs´ len = loadbytes m1 ofs´ len;

Composing or decomposing storebytes operations at adjacent addresses.

 storebytes_concat:
  forall m b ofs bytes1 m1 bytes2 m2,
  storebytes m b ofs bytes1 = Some m1 ->
  storebytes m1 b (ofs + Z_of_nat(length bytes1)) bytes2 = Some m2 ->
  storebytes m b ofs (bytes1 ++ bytes2) = Some m2;
 storebytes_split:
  forall m b ofs bytes1 bytes2 m2,
  storebytes m b ofs (bytes1 ++ bytes2) = Some m2 ->
  exists m1,
     storebytes m b ofs bytes1 = Some m1
  /\ storebytes m1 b (ofs + Z_of_nat(length bytes1)) bytes2 = Some m2;

Properties of alloc.

The identifier of the freshly allocated block is the next block of the initial memory state.

 alloc_result:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  b = nextblock m1;

Effect of alloc on block validity.

 nextblock_alloc:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  nextblock m2 = Psucc (nextblock m1);

 valid_block_alloc:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall , valid_block m1 -> valid_block m2 ;
 fresh_block_alloc:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  ~(valid_block m1 b);
 valid_new_block:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  valid_block m2 b;
 valid_block_alloc_inv:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall , valid_block m2 -> = b \/ valid_block m1 ;

Effect of alloc on permissions.

 perm_alloc_1:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall ofs k p, perm m1 ofs k p -> perm m2 ofs k p;
 perm_alloc_2:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall ofs k, lo <= ofs < hi -> perm m2 b ofs k Freeable;
 perm_alloc_3:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall ofs k p, perm m2 b ofs k p -> lo <= ofs < hi;
 perm_alloc_4:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall ofs k p, perm m2 ofs k p -> <> b -> perm m1 ofs k p;
 perm_alloc_inv:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall ofs k p,
  perm m2 ofs k p ->
  if eq_block b then lo <= ofs < hi else perm m1 ofs k p;

Effect of alloc on access validity.

 valid_access_alloc_other:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs p,
  valid_access m1 chunk ofs p ->
  valid_access m2 chunk ofs p;
 valid_access_alloc_same:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs,
  lo <= ofs -> ofs + size_chunk chunk <= hi -> (align_chunk chunk | ofs) ->
  valid_access m2 chunk b ofs Freeable;
 valid_access_alloc_inv:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs p,
  valid_access m2 chunk ofs p ->
  if eq_block b
  then lo <= ofs /\ ofs + size_chunk chunk <= hi /\ (align_chunk chunk | ofs)
  else valid_access m1 chunk ofs p;

Load-alloc properties.

 load_alloc_unchanged:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs,
  valid_block m1 ->
  load chunk m2 ofs = load chunk m1 ofs;
 load_alloc_other:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs v,
  load chunk m1 ofs = Some v ->
  load chunk m2 ofs = Some v;
 load_alloc_same:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs v,
  load chunk m2 b ofs = Some v ->
  v = Vundef;
 load_alloc_same´:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall chunk ofs,
  lo <= ofs -> ofs + size_chunk chunk <= hi -> (align_chunk chunk | ofs) ->
  load chunk m2 b ofs = Some Vundef;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueDomain
 loadbytes_alloc_unchanged:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall ofs n,
  valid_block m1 ->
  loadbytes m2 ofs n = loadbytes m1 ofs n;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueAnalysis
 loadbytes_alloc_same:
  forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
  forall n ofs bytes byte,
  loadbytes m2 b ofs n = Some bytes ->
  In byte bytes -> byte = Undef;

Properties of free.

free succeeds if and only if the correspond range of addresses has Freeable current permission.

 free_range_perm:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  range_perm m1 bf lo hi Cur Freeable;

CompCertX:test-compcert-param-memory This theorem is downgraded from Type to Prop.
 range_perm_free:
  forall m1 b lo hi,
  range_perm m1 b lo hi Cur Freeable ->
  exists m2: mem, free m1 b lo hi = Some m2;

Block validity is preserved by free.

 nextblock_free:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  nextblock m2 = nextblock m1;
 valid_block_free_1:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall b, valid_block m1 b -> valid_block m2 b;
 valid_block_free_2:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall b, valid_block m2 b -> valid_block m1 b;

Effect of free on permissions.

 perm_free_1:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall b ofs k p,
  b <> bf \/ ofs < lo \/ hi <= ofs ->
  perm m1 b ofs k p ->
  perm m2 b ofs k p;
 perm_free_2:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall ofs k p, lo <= ofs < hi -> ~ perm m2 bf ofs k p;
 perm_free_3:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall b ofs k p,
  perm m2 b ofs k p -> perm m1 b ofs k p;

CompCertX:test-compcert-param-memory Added from implementation, actually used in SimplLocalsproof
 perm_free_list:
  forall l m b ofs k p,
  free_list m l = Some ->
  perm b ofs k p ->
  perm m b ofs k p /\
  (forall lo hi, In (b, lo, hi) l -> lo <= ofs < hi -> False);

Effect of free on access validity.

 valid_access_free_1:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall chunk b ofs p,
  valid_access m1 chunk b ofs p ->
  b <> bf \/ lo >= hi \/ ofs + size_chunk chunk <= lo \/ hi <= ofs ->
  valid_access m2 chunk b ofs p;
 valid_access_free_2:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall chunk ofs p,
  lo < hi -> ofs + size_chunk chunk > lo -> ofs < hi ->
  ~(valid_access m2 chunk bf ofs p);
 valid_access_free_inv_1:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall chunk b ofs p,
  valid_access m2 chunk b ofs p ->
  valid_access m1 chunk b ofs p;
 valid_access_free_inv_2:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall chunk ofs p,
  valid_access m2 chunk bf ofs p ->
  lo >= hi \/ ofs + size_chunk chunk <= lo \/ hi <= ofs;

Load-free properties

 load_free:
  forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
  forall chunk b ofs,
  b <> bf \/ lo >= hi \/ ofs + size_chunk chunk <= lo \/ hi <= ofs ->
  load chunk m2 b ofs = load chunk m1 b ofs;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueDomain
 loadbytes_free:
   forall m1 bf lo hi m2,
     free m1 bf lo hi = Some m2 ->
     forall b ofs n,
       b <> bf \/ lo >= hi \/ ofs + n <= lo \/ hi <= ofs ->
       loadbytes m2 b ofs n = loadbytes m1 b ofs n;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueDomain
 loadbytes_free_2:
   forall m1 bf lo hi m2,
     free m1 bf lo hi = Some m2 ->
     forall b ofs n bytes,
       loadbytes m2 b ofs n = Some bytes -> loadbytes m1 b ofs n = Some bytes;

Properties of drop_perm.

 nextblock_drop:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  nextblock = nextblock m;
 drop_perm_valid_block_1:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall , valid_block m -> valid_block ;
 drop_perm_valid_block_2:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall , valid_block -> valid_block m ;

 range_perm_drop_1:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  range_perm m b lo hi Cur Freeable;

CompCertX:test-compcert-param-memory This theorem is downgraded from Type to Prop.
 range_perm_drop_2:
  forall m b lo hi p,
  range_perm m b lo hi Cur Freeable -> exists , drop_perm m b lo hi p = Some ;

 perm_drop_1:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall ofs k, lo <= ofs < hi -> perm b ofs k p;
 perm_drop_2:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall ofs k , lo <= ofs < hi -> perm b ofs k -> perm_order p ;
 perm_drop_3:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall ofs k , <> b \/ ofs < lo \/ hi <= ofs -> perm m ofs k -> perm ofs k ;
 perm_drop_4:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall ofs k , perm ofs k -> perm m ofs k ;

 load_drop:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall chunk ofs,
   <> b \/ ofs + size_chunk chunk <= lo \/ hi <= ofs \/ perm_order p Readable ->
  load chunk ofs = load chunk m ofs;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in ValueAnalysis
 loadbytes_drop:
  forall m b lo hi p , drop_perm m b lo hi p = Some ->
  forall ofs n,
   <> b \/ ofs + n <= lo \/ hi <= ofs \/ perm_order p Readable ->
  loadbytes ofs n = loadbytes m ofs n;

 
CompCertX:test-compcert-protect-stack-arg Let's make this one public.
 mext_next:
   forall m1 m2,
     extends m1 m2 ->
     nextblock m1 = nextblock m2;

 extends_refl:
  forall m, extends m m;

 load_extends:
  forall chunk m1 m2 b ofs v1,
  extends m1 m2 ->
  load chunk m1 b ofs = Some v1 ->
  exists v2, load chunk m2 b ofs = Some v2 /\ Val.lessdef v1 v2;

 loadv_extends:
  forall chunk m1 m2 addr1 addr2 v1,
  extends m1 m2 ->
  loadv chunk m1 addr1 = Some v1 ->
  Val.lessdef addr1 addr2 ->
  exists v2, loadv chunk m2 addr2 = Some v2 /\ Val.lessdef v1 v2;

 loadbytes_extends:
  forall m1 m2 b ofs len bytes1,
  extends m1 m2 ->
  loadbytes m1 b ofs len = Some bytes1 ->
  exists bytes2, loadbytes m2 b ofs len = Some bytes2
              /\ list_forall2 memval_lessdef bytes1 bytes2;

 store_within_extends:
  forall chunk m1 m2 b ofs v1 m1´ v2,
  extends m1 m2 ->
  store chunk m1 b ofs v1 = Some m1´ ->
  Val.lessdef v1 v2 ->
  exists m2´,
     store chunk m2 b ofs v2 = Some m2´
  /\ extends m1´ m2´;

 store_outside_extends:
  forall chunk m1 m2 b ofs v m2´,
  extends m1 m2 ->
  store chunk m2 b ofs v = Some m2´ ->
  (forall ofs´, perm m1 b ofs´ Cur Readable -> ofs <= ofs´ < ofs + size_chunk chunk -> False) ->
  extends m1 m2´;

 storev_extends:
  forall chunk m1 m2 addr1 v1 m1´ addr2 v2,
  extends m1 m2 ->
  storev chunk m1 addr1 v1 = Some m1´ ->
  Val.lessdef addr1 addr2 ->
  Val.lessdef v1 v2 ->
  exists m2´,
     storev chunk m2 addr2 v2 = Some m2´
  /\ extends m1´ m2´;

 storebytes_within_extends:
  forall m1 m2 b ofs bytes1 m1´ bytes2,
  extends m1 m2 ->
  storebytes m1 b ofs bytes1 = Some m1´ ->
  list_forall2 memval_lessdef bytes1 bytes2 ->
  exists m2´,
     storebytes m2 b ofs bytes2 = Some m2´
  /\ extends m1´ m2´;

 storebytes_outside_extends:
  forall m1 m2 b ofs bytes2 m2´,
  extends m1 m2 ->
  storebytes m2 b ofs bytes2 = Some m2´ ->
  (forall ofs´, perm m1 b ofs´ Cur Readable -> ofs <= ofs´ < ofs + Z_of_nat (length bytes2) -> False) ->
  extends m1 m2´;

 alloc_extends:
  forall m1 m2 lo1 hi1 b m1´ lo2 hi2,
  extends m1 m2 ->
  alloc m1 lo1 hi1 = (m1´, b) ->
  lo2 <= lo1 -> hi1 <= hi2 ->
  exists m2´,
     alloc m2 lo2 hi2 = (m2´, b)
  /\ extends m1´ m2´;

 free_left_extends:
  forall m1 m2 b lo hi m1´,
  extends m1 m2 ->
  free m1 b lo hi = Some m1´ ->
  extends m1´ m2;

 free_right_extends:
  forall m1 m2 b lo hi m2´,
  extends m1 m2 ->
  free m2 b lo hi = Some m2´ ->
  (forall ofs k p, perm m1 b ofs k p -> lo <= ofs < hi -> False) ->
  extends m1 m2´;

 free_parallel_extends:
  forall m1 m2 b lo hi m1´,
  extends m1 m2 ->
  free m1 b lo hi = Some m1´ ->
  exists m2´,
     free m2 b lo hi = Some m2´
  /\ extends m1´ m2´;

 valid_block_extends:
  forall m1 m2 b,
  extends m1 m2 ->
  (valid_block m1 b <-> valid_block m2 b);
 perm_extends:
  forall m1 m2 b ofs k p,
  extends m1 m2 -> perm m1 b ofs k p -> perm m2 b ofs k p;
 valid_access_extends:
  forall m1 m2 chunk b ofs p,
  extends m1 m2 -> valid_access m1 chunk b ofs p -> valid_access m2 chunk b ofs p;
 valid_pointer_extends:
  forall m1 m2 b ofs,
  extends m1 m2 -> valid_pointer m1 b ofs = true -> valid_pointer m2 b ofs = true;
 weak_valid_pointer_extends:
  forall m1 m2 b ofs,
  extends m1 m2 ->
  weak_valid_pointer m1 b ofs = true -> weak_valid_pointer m2 b ofs = true;

CompCertX:test-compcert-param-memory Added from implementation, actually used in Inliningproof
 mi_freeblocks:
   forall f m1 m2,
   inject f m1 m2 ->
   forall b, ~(valid_block m1 b) -> f b = None;
 mi_mappedblocks:
   forall f m1 m2,
   inject f m1 m2 ->
   forall b delta, f b = Some(, delta) -> valid_block m2 ;
 mi_no_overlap:
   forall f m1 m2,
   inject f m1 m2 ->
   meminj_no_overlap f m1;

 valid_block_inject_1:
  forall f m1 m2 b1 b2 delta,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  valid_block m1 b1;

 valid_block_inject_2:
  forall f m1 m2 b1 b2 delta,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  valid_block m2 b2;

 perm_inject:
  forall f m1 m2 b1 b2 delta ofs k p,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  perm m1 b1 ofs k p -> perm m2 b2 (ofs + delta) k p;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in SimplLocalsproof
 range_perm_inject:
  forall f m1 m2 b1 b2 delta lo hi k p,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  range_perm m1 b1 lo hi k p -> range_perm m2 b2 (lo + delta) (hi + delta) k p;

 valid_access_inject:
  forall f m1 m2 chunk b1 ofs b2 delta p,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  valid_access m1 chunk b1 ofs p ->
  valid_access m2 chunk b2 (ofs + delta) p;

 valid_pointer_inject:
  forall f m1 m2 b1 ofs b2 delta,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  valid_pointer m1 b1 ofs = true ->
  valid_pointer m2 b2 (ofs + delta) = true;

 weak_valid_pointer_inject:
  forall f m1 m2 b1 ofs b2 delta,
  f b1 = Some(b2, delta) ->
  inject f m1 m2 ->
  weak_valid_pointer m1 b1 ofs = true ->
  weak_valid_pointer m2 b2 (ofs + delta) = true;

 address_inject:
  forall f m1 m2 b1 ofs1 b2 delta p,
  inject f m1 m2 ->
  perm m1 b1 (Int.unsigned ofs1) Cur p ->
  f b1 = Some (b2, delta) ->
  Int.unsigned (Int.add ofs1 (Int.repr delta)) = Int.unsigned ofs1 + delta;

 valid_pointer_inject_no_overflow:
  forall f m1 m2 b ofs delta,
  inject f m1 m2 ->
  valid_pointer m1 b (Int.unsigned ofs) = true ->
  f b = Some(, delta) ->
  0 <= Int.unsigned ofs + Int.unsigned (Int.repr delta) <= Int.max_unsigned;

 weak_valid_pointer_inject_no_overflow:
  forall f m1 m2 b ofs delta,
  inject f m1 m2 ->
  weak_valid_pointer m1 b (Int.unsigned ofs) = true ->
  f b = Some(, delta) ->
  0 <= Int.unsigned ofs + Int.unsigned (Int.repr delta) <= Int.max_unsigned;

 valid_pointer_inject_val:
  forall f m1 m2 b ofs ofs´,
  inject f m1 m2 ->
  valid_pointer m1 b (Int.unsigned ofs) = true ->
  val_inject f (Vptr b ofs) (Vptr ofs´) ->
  valid_pointer m2 (Int.unsigned ofs´) = true;

 weak_valid_pointer_inject_val:
  forall f m1 m2 b ofs ofs´,
  inject f m1 m2 ->
  weak_valid_pointer m1 b (Int.unsigned ofs) = true ->
  val_inject f (Vptr b ofs) (Vptr ofs´) ->
  weak_valid_pointer m2 (Int.unsigned ofs´) = true;

 inject_no_overlap:
  forall f m1 m2 b1 b2 b1´ b2´ delta1 delta2 ofs1 ofs2,
  inject f m1 m2 ->
  b1 <> b2 ->
  f b1 = Some (b1´, delta1) ->
  f b2 = Some (b2´, delta2) ->
  perm m1 b1 ofs1 Max Nonempty ->
  perm m1 b2 ofs2 Max Nonempty ->
  b1´ <> b2´ \/ ofs1 + delta1 <> ofs2 + delta2;

 different_pointers_inject:
  forall f m b1 ofs1 b2 ofs2 b1´ delta1 b2´ delta2,
  inject f m ->
  b1 <> b2 ->
  valid_pointer m b1 (Int.unsigned ofs1) = true ->
  valid_pointer m b2 (Int.unsigned ofs2) = true ->
  f b1 = Some (b1´, delta1) ->
  f b2 = Some (b2´, delta2) ->
  b1´ <> b2´ \/
  Int.unsigned (Int.add ofs1 (Int.repr delta1)) <>
  Int.unsigned (Int.add ofs2 (Int.repr delta2));

CompCertX:test-compcert-param-memory Added from implementation, actually used in Events
 disjoint_or_equal_inject:
  forall f m b1 b1´ delta1 b2 b2´ delta2 ofs1 ofs2 sz,
  inject f m ->
  f b1 = Some(b1´, delta1) ->
  f b2 = Some(b2´, delta2) ->
  range_perm m b1 ofs1 (ofs1 + sz) Max Nonempty ->
  range_perm m b2 ofs2 (ofs2 + sz) Max Nonempty ->
  sz > 0 ->
  b1 <> b2 \/ ofs1 = ofs2 \/ ofs1 + sz <= ofs2 \/ ofs2 + sz <= ofs1 ->
  b1´ <> b2´ \/ ofs1 + delta1 = ofs2 + delta2
             \/ ofs1 + delta1 + sz <= ofs2 + delta2
             \/ ofs2 + delta2 + sz <= ofs1 + delta1;
 aligned_area_inject:
  forall f m b ofs al sz delta,
  inject f m ->
  al = 1 \/ al = 2 \/ al = 4 \/ al = 8 -> sz > 0 ->
  (al | sz) ->
  range_perm m b ofs (ofs + sz) Cur Nonempty ->
  (al | ofs) ->
  f b = Some(, delta) ->
  (al | ofs + delta);

 load_inject:
  forall f m1 m2 chunk b1 ofs b2 delta v1,
  inject f m1 m2 ->
  load chunk m1 b1 ofs = Some v1 ->
  f b1 = Some (b2, delta) ->
  exists v2, load chunk m2 b2 (ofs + delta) = Some v2 /\ val_inject f v1 v2;

 loadv_inject:
  forall f m1 m2 chunk a1 a2 v1,
  inject f m1 m2 ->
  loadv chunk m1 a1 = Some v1 ->
  val_inject f a1 a2 ->
  exists v2, loadv chunk m2 a2 = Some v2 /\ val_inject f v1 v2;

 loadbytes_inject:
  forall f m1 m2 b1 ofs len b2 delta bytes1,
  inject f m1 m2 ->
  loadbytes m1 b1 ofs len = Some bytes1 ->
  f b1 = Some (b2, delta) ->
  exists bytes2, loadbytes m2 b2 (ofs + delta) len = Some bytes2
              /\ list_forall2 (memval_inject f) bytes1 bytes2;

 store_mapped_inject:
  forall f chunk m1 b1 ofs v1 n1 m2 b2 delta v2,
  inject f m1 m2 ->
  store chunk m1 b1 ofs v1 = Some n1 ->
  f b1 = Some (b2, delta) ->
  val_inject f v1 v2 ->
  exists n2,
    store chunk m2 b2 (ofs + delta) v2 = Some n2
    /\ inject f n1 n2;

 store_unmapped_inject:
  forall f chunk m1 b1 ofs v1 n1 m2,
  inject f m1 m2 ->
  store chunk m1 b1 ofs v1 = Some n1 ->
  f b1 = None ->
  inject f n1 m2;

 store_outside_inject:
  forall f m1 m2 chunk b ofs v m2´,
  inject f m1 m2 ->
  (forall delta ofs´,
    f = Some(b, delta) ->
    perm m1 ofs´ Cur Readable ->
    ofs <= ofs´ + delta < ofs + size_chunk chunk -> False) ->
  store chunk m2 b ofs v = Some m2´ ->
  inject f m1 m2´;

 storev_mapped_inject:
  forall f chunk m1 a1 v1 n1 m2 a2 v2,
  inject f m1 m2 ->
  storev chunk m1 a1 v1 = Some n1 ->
  val_inject f a1 a2 ->
  val_inject f v1 v2 ->
  exists n2,
    storev chunk m2 a2 v2 = Some n2 /\ inject f n1 n2;

 storebytes_mapped_inject:
  forall f m1 b1 ofs bytes1 n1 m2 b2 delta bytes2,
  inject f m1 m2 ->
  storebytes m1 b1 ofs bytes1 = Some n1 ->
  f b1 = Some (b2, delta) ->
  list_forall2 (memval_inject f) bytes1 bytes2 ->
  exists n2,
    storebytes m2 b2 (ofs + delta) bytes2 = Some n2
    /\ inject f n1 n2;

 storebytes_unmapped_inject:
  forall f m1 b1 ofs bytes1 n1 m2,
  inject f m1 m2 ->
  storebytes m1 b1 ofs bytes1 = Some n1 ->
  f b1 = None ->
  inject f n1 m2;

 storebytes_outside_inject:
  forall f m1 m2 b ofs bytes2 m2´,
  inject f m1 m2 ->
  (forall delta ofs´,
    f = Some(b, delta) ->
    perm m1 ofs´ Cur Readable ->
    ofs <= ofs´ + delta < ofs + Z_of_nat (length bytes2) -> False) ->
  storebytes m2 b ofs bytes2 = Some m2´ ->
  inject f m1 m2´;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in Events
 storebytes_empty_inject:
   forall f m1 b1 ofs1 m1´ m2 b2 ofs2 m2´,
     inject f m1 m2 ->
     storebytes m1 b1 ofs1 nil = Some m1´ ->
     storebytes m2 b2 ofs2 nil = Some m2´ ->
     inject f m1´ m2´;

 alloc_right_inject:
  forall f m1 m2 lo hi b2 m2´,
  inject f m1 m2 ->
  alloc m2 lo hi = (m2´, b2) ->
  inject f m1 m2´;

 alloc_left_unmapped_inject:
  forall f m1 m2 lo hi m1´ b1,
  inject f m1 m2 ->
  alloc m1 lo hi = (m1´, b1) ->
  exists ,
     inject m1´ m2
  /\ inject_incr f
  /\ b1 = None
  /\ (forall b, b <> b1 -> b = f b);

 alloc_left_mapped_inject:
  forall f m1 m2 lo hi m1´ b1 b2 delta,
  inject f m1 m2 ->
  alloc m1 lo hi = (m1´, b1) ->
  valid_block m2 b2 ->
  0 <= delta <= Int.max_unsigned ->
  (forall ofs k p, perm m2 b2 ofs k p -> delta = 0 \/ 0 <= ofs < Int.max_unsigned) ->
  (forall ofs k p, lo <= ofs < hi -> perm m2 b2 (ofs + delta) k p) ->
  inj_offset_aligned delta (hi-lo) ->
  (forall b delta´ ofs k p,
   f b = Some (b2, delta´) ->
   perm m1 b ofs k p ->
   lo + delta <= ofs + delta´ < hi + delta -> False) ->
  exists ,
     inject m1´ m2
  /\ inject_incr f
  /\ b1 = Some(b2, delta)
  /\ (forall b, b <> b1 -> b = f b);

 alloc_parallel_inject:
  forall f m1 m2 lo1 hi1 m1´ b1 lo2 hi2,
  inject f m1 m2 ->
  alloc m1 lo1 hi1 = (m1´, b1) ->
  lo2 <= lo1 -> hi1 <= hi2 ->
  exists , exists m2´, exists b2,
  alloc m2 lo2 hi2 = (m2´, b2)
  /\ inject m1´ m2´
  /\ inject_incr f
  /\ b1 = Some(b2, 0)
  /\ (forall b, b <> b1 -> b = f b);

 free_inject:
  forall f m1 l m1´ m2 b lo hi m2´,
  inject f m1 m2 ->
  free_list m1 l = Some m1´ ->
  free m2 b lo hi = Some m2´ ->
  (forall b1 delta ofs k p,
    f b1 = Some(b, delta) -> perm m1 b1 ofs k p -> lo <= ofs + delta < hi ->
    exists lo1, exists hi1, In (b1, lo1, hi1) l /\ lo1 <= ofs < hi1) ->
  inject f m1´ m2´;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in Inliningproof
 free_left_inject:
  forall f m1 m2 b lo hi m1´,
  inject f m1 m2 ->
  free m1 b lo hi = Some m1´ ->
  inject f m1´ m2;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in SimplLocalsproof
 free_list_left_inject:
  forall f m2 l m1 m1´,
  inject f m1 m2 ->
  free_list m1 l = Some m1´ ->
  inject f m1´ m2;

 
CompCertX:test-compcert-param-memory Added from implementation, actually used in Inliningproof
 free_right_inject:
  forall f m1 m2 b lo hi m2´,
  inject f m1 m2 ->
  free m2 b lo hi = Some m2´ ->
  (forall b1 delta ofs k p,
    f b1 = Some(b, delta) -> perm m1 b1 ofs k p ->
    lo <= ofs + delta < hi -> False) ->
  inject f m1 m2´;

 drop_outside_inject:
  forall f m1 m2 b lo hi p m2´,
  inject f m1 m2 ->
  drop_perm m2 b lo hi p = Some m2´ ->
  (forall delta ofs k p,
    f = Some(b, delta) ->
    perm m1 ofs k p -> lo <= ofs + delta < hi -> False) ->
  inject f m1 m2´;
 
 neutral_inject:
  forall m, inject_neutral (nextblock m) m ->
  inject (flat_inj (nextblock m)) m m;

 empty_inject_neutral:
  forall thr, inject_neutral thr empty;

 alloc_inject_neutral:
  forall thr m lo hi b ,
  alloc m lo hi = (, b) ->
  inject_neutral thr m ->
  Plt (nextblock m) thr ->
  inject_neutral thr ;

 store_inject_neutral:
  forall chunk m b ofs v thr,
  store chunk m b ofs v = Some ->
  inject_neutral thr m ->
  Plt b thr ->
  val_inject (flat_inj thr) v v ->
  inject_neutral thr ;

 drop_inject_neutral:
  forall m b lo hi p thr,
  drop_perm m b lo hi p = Some ->
  inject_neutral thr m ->
  Plt b thr ->
  inject_neutral thr ;

 unchanged_on_refl P:
  forall m, unchanged_on P m m;

 perm_unchanged_on P:
  forall m b ofs k p,
  unchanged_on P m -> P b ofs -> valid_block m b ->
  perm m b ofs k p -> perm b ofs k p;

 perm_unchanged_on_2 P:
  forall m b ofs k p,
  unchanged_on P m -> P b ofs -> valid_block m b ->
  perm b ofs k p -> perm m b ofs k p;

 loadbytes_unchanged_on_1 P:
  forall m b ofs n,
  unchanged_on P m ->
  valid_block m b ->
  (forall i, ofs <= i < ofs + n -> P b i) ->
  loadbytes b ofs n = loadbytes m b ofs n;

 loadbytes_unchanged_on P:
  forall m b ofs n bytes,
  unchanged_on P m ->
  (forall i, ofs <= i < ofs + n -> P b i) ->
  loadbytes m b ofs n = Some bytes ->
  loadbytes b ofs n = Some bytes;

 load_unchanged_on_1 P:
  forall m chunk b ofs,
  unchanged_on P m ->
  valid_block m b ->
  (forall i, ofs <= i < ofs + size_chunk chunk -> P b i) ->
  load chunk b ofs = load chunk m b ofs;

 load_unchanged_on P:
  forall m chunk b ofs v,
  unchanged_on P m ->
  (forall i, ofs <= i < ofs + size_chunk chunk -> P b i) ->
  load chunk m b ofs = Some v ->
  load chunk b ofs = Some v;

 store_unchanged_on P:
  forall chunk m b ofs v ,
  store chunk m b ofs v = Some ->
  (forall i, ofs <= i < ofs + size_chunk chunk -> ~ P b i) ->
  unchanged_on P m ;

 storebytes_unchanged_on P:
  forall m b ofs bytes ,
  storebytes m b ofs bytes = Some ->
  (forall i, ofs <= i < ofs + Z_of_nat (length bytes) -> ~ P b i) ->
  unchanged_on P m ;

 alloc_unchanged_on P:
  forall m lo hi b,
  alloc m lo hi = (, b) ->
  unchanged_on P m ;

 free_unchanged_on P:
  forall m b lo hi ,
  free m b lo hi = Some ->
  (forall i, lo <= i < hi -> ~ P b i) ->
  unchanged_on P m ;

 unchanged_on_empty (P: _ -> _ -> Prop):
  forall m1 m2,
    (forall b o, ~ P b o) ->
    unchanged_on P m1 m2;

 unchanged_on_trans:
  forall P m1 m2 m3,
    unchanged_on P m1 m2 ->
    unchanged_on P m2 m3 ->
    unchanged_on P m1 m3;

 unchanged_on_weak:
  forall (P Q: _ -> _ -> Prop) m1 m2,
    unchanged_on P m1 m2 ->
    (forall b o, Q b o -> valid_block m1 b -> P b o) ->
    unchanged_on Q m1 m2;

 unchanged_on_or:
  forall (P1 P2 P3: _ -> _ -> Prop) m_before m_after,
    unchanged_on P1 m_before m_after ->
    unchanged_on P2 m_before m_after ->
    (forall b o, P3 b o -> (P1 b o \/ P2 b o)) ->
    unchanged_on P3 m_before m_after;

 unchanged_on_exists:
  forall (I: Type) P (: _ -> _ -> Prop) m_before m_after,
    (forall i: I, unchanged_on (P i) m_before m_after) ->
    (forall b o, b o -> exists i, P i b o) ->
    unchanged_on m_before m_after

}.

End Mem.