Library ddifc-coq
Notation "[ ]" := nil (at level 1).
Notation "[ a ; .. ; b ]" := (a :: .. (b :: []) ..) (at level 1).
Proposition app_assoc {A} : forall l1 l2 l3 : list A, (l1 ++ l2) ++ l3 = l1 ++ l2 ++ l3.
Proposition in_app_iff {A} : forall (l1 l2 : list A) x, In x (l1++l2) <-> In x l1 \/ In x l2.
Proposition app_nil_r {A} : forall l : list A, l ++ [] = l.
Proposition list_finite {A} : forall (l : list A) x, l <> x :: l.
Proposition list_finite' {A} : forall l l' : list A, l' <> [] -> l <> l' ++ l.
Proposition app_cancel_l {A} : forall l l1 l2 : list A, l ++ l1 = l ++ l2 -> l1 = l2.
Proposition app_cancel_r_help {A} : forall (l1 l2 : list A) x, l1 ++ [x] = l2 ++ [x] -> l1 = l2.
Proposition app_cancel_r {A} : forall l l1 l2 : list A, l1 ++ l = l2 ++ l -> l1 = l2.
Definition var := nat.
Definition lvar1 := nat.
Definition lvar2 := nat.
Definition addr := nat.
Definition fname := nat.
Definition nat_of_Z (v : Z) (pf : v >= 0) : nat.
Defined.
Proposition Zneg_dec : forall v : Z, {v >= 0} + {v < 0}.
Record poset {A : Set} : Type :=
{leq : A -> A -> bool;
leq_refl : forall x : A, leq x x = true;
leq_antisym : forall x y : A, leq x y = true -> leq y x = true -> x = y;
leq_trans : forall x y z : A, leq x y = true -> leq y z = true -> leq x z = true}.
Record join_semi {A : Set} : Type :=
{po : poset (A:=A);
lub : A -> A -> A;
lub_l : forall x y : A, leq po x (lub x y) = true;
lub_r : forall x y : A, leq po y (lub x y) = true;
lub_least : forall x y z : A, leq po x z = true -> leq po y z = true -> leq po (lub x y) z = true}.
Record join_semi' {A : Set} (js : join_semi (A:=A)) : Type :=
{lub_idem : forall x : A, lub js x x = x;
lub_comm : forall x y : A, lub js x y = lub js y x;
lub_assoc : forall x y z : A, lub js (lub js x y) z = lub js x (lub js y z);
lub_leq : forall x y z : A, leq (po js) (lub js x y) z = true <-> leq (po js) x z = true /\ leq (po js) y z = true}.
Definition join_semi_extend {A : Set} (js : join_semi (A:=A)) : join_semi' (A:=A) js.
Qed.
Record bounded_join_semi {A : Set} : Type :=
{js : join_semi (A:=A);
bot : A;
leq_bot : forall x : A, leq (po js) bot x = true}.
Record bounded_join_semi' {A : Set} (bjs : bounded_join_semi (A:=A)) : Type :=
{bot_unit : forall x : A, lub (js bjs) x (bot bjs) = x}.
Definition bounded_join_semi_extend {A : Set} (bjs : bounded_join_semi (A:=A)) : bounded_join_semi' (A:=A) bjs.
Qed.
Coercion po : join_semi >-> poset.
Coercion js : bounded_join_semi >-> join_semi.
Parameter lbl : Set.
Parameter lbl_lattice : bounded_join_semi (A:=lbl).
Definition lbl_lattice' := join_semi_extend lbl_lattice.
Definition lbl_lattice'' := bounded_join_semi_extend lbl_lattice.
Definition bottom := bot lbl_lattice.
Definition llub := lub lbl_lattice.
Definition lleq := leq lbl_lattice.
Inductive glbl := Lo | Hi.
Definition grp (L l : lbl) := if lleq l L then Lo else Hi.
Definition glbl_poset : poset (A:=glbl).
Defined.
Definition glbl_join_semi : join_semi (A:=glbl).
Defined.
Definition glbl_lattice : bounded_join_semi (A:=glbl).
Defined.
Definition glbl_lattice' := join_semi_extend glbl_lattice.
Definition glbl_lattice'' := bounded_join_semi_extend glbl_lattice.
Definition gleq := leq glbl_lattice.
Definition glub := lub glbl_lattice.
Notation "x <<= y" := (gleq x y = true) (at level 70) : glbl_scope.
Notation "x \_/ y" := (glub x y) (at level 50) : glbl_scope.
Notation "x <<= y" := (lleq x y = true) (at level 70) : lbl_scope.
Notation "x \_/ y" := (llub x y) (at level 50) : lbl_scope.
Proposition glub_homo : forall l l1 l2, grp l (llub l1 l2) = glub (grp l l1) (grp l l2).
Proposition glub_leq : forall l l1 l2, glub (grp l l1) (grp l l2) = Lo <-> grp l l1 = Lo /\ grp l l2 = Lo.
Proposition glub_lo : forall l1 l2, glub l1 l2 = Lo <-> l1 = Lo /\ l2 = Lo.
Inductive binop := Plus | Minus | Mult | Div | Mod.
Inductive bbinop := And | Or | Impl.
Inductive exp :=
| Var : var -> exp
| LVar : lvar1 -> exp
| Num : Z -> exp
| BinOp : binop -> exp -> exp -> exp.
Fixpoint expvars (e : exp) (x : var) : bool :=
match e with
| Var y => if eq_nat_dec y x then true else false
| BinOp _ e1 e2 => if expvars e1 x then true else expvars e2 x
| _ => false
end.
Fixpoint no_lvars_exp (e : exp) :=
match e with
| LVar _ => False
| BinOp _ e1 e2 => no_lvars_exp e1 /\ no_lvars_exp e2
| _ => True
end.
Proposition exp_eq_dec : forall e1 e2 : exp, {e1 = e2} + {e1 <> e2}.
Inductive bexp :=
| FF : bexp
| TT : bexp
| Eq : exp -> exp -> bexp
| Not : bexp -> bexp
| BBinOp : bbinop -> bexp -> bexp -> bexp.
Fixpoint bexpvars (b : bexp) (x : var) : bool :=
match b with
| Eq e1 e2 => if expvars e1 x then true else expvars e2 x
| Not b => bexpvars b x
| BBinOp _ b1 b2 => if bexpvars b1 x then true else bexpvars b2 x
| _ => false
end.
Fixpoint no_lvars_bexp (b : bexp) :=
match b with
| Eq e1 e2 => no_lvars_exp e1 /\ no_lvars_exp e2
| Not b => no_lvars_bexp b
| BBinOp _ b1 b2 => no_lvars_bexp b1 /\ no_lvars_bexp b2
| _ => True
end.
Inductive cmd :=
| Skip : cmd
| Output : exp -> cmd
| Assign : var -> exp -> cmd
| Read : var -> exp -> cmd
| Write : exp -> exp -> cmd
| Seq : cmd -> cmd -> cmd
| If : bexp -> cmd -> cmd -> cmd
| While : bexp -> cmd -> cmd.
Fixpoint mods (C : cmd) : list var :=
match C with
| Assign x _ => [x]
| Read x _ => [x]
| Seq C1 C2 => mods C1 ++ mods C2
| If _ C1 C2 => mods C1 ++ mods C2
| While _ C => mods C
| _ => []
end.
Fixpoint modifies (K : list cmd) : list var :=
match K with
| [] => []
| C::K => mods C ++ modifies K
end.
Fixpoint no_lvars_cmd (C : cmd) :=
match C with
| Skip => True
| Output e => no_lvars_exp e
| Assign _ e => no_lvars_exp e
| Read _ e => no_lvars_exp e
| Write e1 e2 => no_lvars_exp e1 /\ no_lvars_exp e2
| Seq C1 C2 => no_lvars_cmd C1 /\ no_lvars_cmd C2
| If b C1 C2 => no_lvars_bexp b /\ no_lvars_cmd C1 /\ no_lvars_cmd C2
| While b C => no_lvars_bexp b /\ no_lvars_cmd C
end.
Fixpoint no_lvars (K : list cmd) :=
match K with
| [] => True
| C::K => no_lvars_cmd C /\ no_lvars K
end.
Definition val := prod Z glbl.
Definition lmap := prod (lvar1 -> Z) (lvar2 -> glbl).
Definition store := var -> option val.
Definition heap := addr -> option val.
Inductive state := St : lmap -> store -> heap -> state.
Definition getLmap (st : state) := let (i,_,_) := st in i.
Coercion getLmap : state >-> lmap.
Definition getStore (st : state) := let (_,s,_) := st in s.
Coercion getStore : state >-> store.
Definition getHeap (st : state) := let (_,_,h) := st in h.
Coercion getHeap : state >-> heap.
Proposition val_eq_dec : forall v1 v2 : val, {v1 = v2} + {v1 <> v2}.
Proposition opt_eq_dec {A} : (forall a1 a2 : A, {a1 = a2} + {a1 <> a2}) -> forall o1 o2 : option A, {o1 = o2} + {o1 <> o2}.
Definition upd {A} (x : nat -> option A) y z : nat -> option A := fun w => if eq_nat_dec w y then Some z else x w.
Record SepAlg : Type := mkSepAlg {
sepstate : Set;
unit : sepstate -> Prop;
dot : sepstate -> sepstate -> sepstate -> Prop;
dot_func : forall x y z1 z2, dot x y z1 -> dot x y z2 -> z1 = z2;
dot_comm : forall x y z, dot x y z -> dot y x z;
dot_assoc : forall x y z a b, dot x y a -> dot a z b -> exists c, dot y z c /\ dot x c b;
dot_unit : forall x, exists u, unit u /\ dot u x x;
dot_unit_min : forall u x y, unit u -> dot u x y -> x = y}.
Definition mycombine {A} (s1 s2 : nat -> option A) (n : nat) : option A :=
match s1 n, s2 n with
| Some a, _ => Some a
| None, Some a => Some a
| None, None => None
end.
Definition mydot {A} (s1 s2 s : nat -> option A) : Prop := forall n,
match s n with
| None => s1 n = None /\ s2 n = None
| Some a => (s1 n = Some a /\ s2 n = None) \/ (s1 n = None /\ s2 n = Some a)
end.
Definition mysep : SepAlg.
Defined.
Proposition mydot_upd {A} : forall (x y z : nat -> option A) n v,
mydot x y z -> y n = None -> mydot (upd x n v) y (upd z n v).
Definition option_map2 {A B C} (op : A -> B -> C) x y : option C :=
match x, y with
| Some x, Some y => Some (op x y)
| _, _ => None
end.
Definition opden (bop : binop) : Z -> Z -> Z :=
match bop with
| Plus => Zplus
| Minus => Zminus
| Mult => Zmult
| Div => Zdiv
| Mod => Zmod
end.
Fixpoint eden (e : exp) (i : lmap) (s : store) : option val :=
match e with
| Var x => s x
| LVar X => Some (fst i X, Lo)
| Num c => Some (c,Lo)
| BinOp bop e1 e2 => option_map2 (fun v1 v2 => (opden bop (fst v1) (fst v2), snd v1 \_/ snd v2)) (eden e1 i s) (eden e2 i s)
end.
Fixpoint edenZ (e : exp) (i : lmap) (s : store) : option Z :=
match e with
| Var x => option_map (fun v => fst v) (s x)
| LVar X => Some (fst i X)
| Num c => Some c
| BinOp bop e1 e2 => option_map2 (fun v1 v2 => opden bop v1 v2) (edenZ e1 i s) (edenZ e2 i s)
end.
Proposition edenZ_some : forall e i s v, edenZ e i s = Some v <-> exists l, eden e i s = Some (v,l).
Proposition edenZ_none : forall e i s, edenZ e i s = None <-> eden e i s = None.
Definition bopden (bop : bbinop) : bool -> bool -> bool :=
match bop with
| And => andb
| Or => orb
| Impl => fun v1 v2 => if v1 then v2 else true
end.
Fixpoint bden (b : bexp) (i : lmap) (s : store) : option (bool * glbl) :=
match b with
| FF => Some (false,Lo)
| TT => Some (true,Lo)
| Eq e1 e2 => option_map2 (fun v1 v2 => (if Z_eq_dec (fst v1) (fst v2) then true else false, snd v1 \_/ snd v2)) (eden e1 i s) (eden e2 i s)
| Not b => option_map (fun v => (negb (fst v), snd v)) (bden b i s)
| BBinOp bop b1 b2 => option_map2 (fun v1 v2 => (bopden bop (fst v1) (fst v2), snd v1 \_/ snd v2)) (bden b1 i s) (bden b2 i s)
end.
Fixpoint bdenZ (b : bexp) (i : lmap) (s : store) : option bool :=
match b with
| FF => Some false
| TT => Some true
| Eq e1 e2 => option_map2 (fun v1 v2 => if Z_eq_dec v1 v2 then true else false) (edenZ e1 i s) (edenZ e2 i s)
| Not b => option_map (fun v => negb v) (bdenZ b i s)
| BBinOp bop b1 b2 => option_map2 (fun v1 v2 => bopden bop v1 v2) (bdenZ b1 i s) (bdenZ b2 i s)
end.
Proposition bdenZ_some : forall b i s v, bdenZ b i s = Some v <-> exists l, bden b i s = Some (v,l).
Proposition bdenZ_none : forall b i s, bdenZ b i s = None <-> bden b i s = None.
Proposition eden_local : forall e i1 s1 h1 i2 s2 h2 i3 s3 h3 v,
dot mysep (St i1 s1 h1) (St i2 s2 h2) (St i3 s3 h3) -> eden e i1 s1 = Some v -> eden e i3 s3 = Some v.
Proposition bden_local : forall b i1 s1 h1 i2 s2 h2 i3 s3 h3 v,
dot mysep (St i1 s1 h1) (St i2 s2 h2) (St i3 s3 h3) -> bden b i1 s1 = Some v -> bden b i3 s3 = Some v.
Proposition eden_no_lvars : forall e i i' s, no_lvars_exp e -> eden e i s = eden e i' s.
Proposition bden_no_lvars : forall b i i' s, no_lvars_bexp b -> bden b i s = bden b i' s.
Definition context := glbl.
Inductive config := Cf : state -> cmd -> list cmd -> config.
Definition getStoreFromConfig (cf : config) := match cf with Cf (St _ s _) _ _ => s end.
Coercion getStoreFromConfig : config >-> store.
Definition taint_vars (K : list cmd) (s : store) : store :=
fun x => if In_dec eq_nat_dec x (modifies K) then
match s x with Some (v,_) => Some (v,Hi) | None => Some (0,Hi) end
else s x.
Definition taint_vars_cf (cf : config) : config :=
match cf with Cf (St i s h) C K => Cf (St i (taint_vars (C::K) s) h) C K end.
Inductive hstep : config -> config -> Prop :=
| HStep_skip : forall st C K, hstep (Cf st Skip (C::K)) (Cf st C K)
| HStep_assign : forall i s h K x e v l,
eden e i s = Some (v,l) ->
hstep (Cf (St i s h) (Assign x e) K) (Cf (St i (upd s x (v, Hi)) h) Skip K)
| HStep_read : forall i s h K x e v1 l1 v2 l2 (pf : v1 >= 0),
eden e i s = Some (v1,l1) -> h (nat_of_Z v1 pf) = Some (v2,l2) ->
hstep (Cf (St i s h) (Read x e) K) (Cf (St i (upd s x (v2, Hi)) h) Skip K)
| HStep_write : forall i s h K e1 e2 v1 l1 v2 l2 (pf : v1 >= 0),
eden e1 i s = Some (v1,l1) -> eden e2 i s = Some (v2,l2) -> h (nat_of_Z v1 pf) <> None ->
hstep (Cf (St i s h) (Write e1 e2) K) (Cf (St i s (upd h (nat_of_Z v1 pf) (v2, Hi))) Skip K)
| HStep_seq : forall st C1 C2 K, hstep (Cf st (Seq C1 C2) K) (Cf st C1 (C2::K))
| HStep_if_true : forall i s h C1 C2 K b l,
bden b i s = Some (true,l) -> hstep (Cf (St i s h) (If b C1 C2) K) (Cf (St i s h) C1 K)
| HStep_if_false : forall i s h C1 C2 K b l,
bden b i s = Some (false,l) -> hstep (Cf (St i s h) (If b C1 C2) K) (Cf (St i s h) C2 K)
| HStep_while_true : forall i s h C K b l,
bden b i s = Some (true,l) -> hstep (Cf (St i s h) (While b C) K) (Cf (St i s h) C (While b C :: K))
| HStep_while_false : forall i s h C K b l,
bden b i s = Some (false,l) -> hstep (Cf (St i s h) (While b C) K) (Cf (St i s h) Skip K).
Inductive hstepn : nat -> config -> config -> Prop :=
| HStep_zero : forall cf, hstepn 0 cf cf
| HStep_succ : forall n cf cf' cf'', hstep cf cf' -> hstepn n cf' cf'' -> hstepn (S n) cf cf''.
Definition halt_config cf := match cf with Cf _ Skip [] => true | _ => false end.
Inductive can_hstep : config -> Prop := Can_hstep : forall cf cf', hstep cf cf' -> can_hstep cf.
Definition hsafe cf := forall n cf', hstepn n cf cf' -> halt_config cf' = false -> can_hstep cf'.
Inductive lstep : config -> config -> list Z -> Prop :=
| LStep_skip : forall st C K, lstep (Cf st Skip (C::K)) (Cf st C K) []
| LStep_output : forall i s h K e v,
eden e i s = Some (v,Lo) ->
lstep (Cf (St i s h) (Output e) K) (Cf (St i s h) Skip K) [v]
| LStep_assign : forall i s h K x e v l,
eden e i s = Some (v,l) ->
lstep (Cf (St i s h) (Assign x e) K) (Cf (St i (upd s x (v, l)) h) Skip K) []
| LStep_read : forall i s h K x e v1 l1 v2 l2 (pf : v1 >= 0),
eden e i s = Some (v1,l1) -> h (nat_of_Z v1 pf) = Some (v2,l2) ->
lstep (Cf (St i s h) (Read x e) K) (Cf (St i (upd s x (v2, l1 \_/ l2)) h) Skip K) []
| LStep_write : forall i s h K e1 e2 v1 l1 v2 l2 (pf : v1 >= 0),
eden e1 i s = Some (v1,l1) -> eden e2 i s = Some (v2,l2) -> h (nat_of_Z v1 pf) <> None ->
lstep (Cf (St i s h) (Write e1 e2) K) (Cf (St i s (upd h (nat_of_Z v1 pf) (v2, l1 \_/ l2))) Skip K) []
| LStep_seq : forall st C1 C2 K, lstep (Cf st (Seq C1 C2) K) (Cf st C1 (C2::K)) []
| LStep_if_true : forall i s h C1 C2 K b,
bden b i s = Some (true,Lo) -> lstep (Cf (St i s h) (If b C1 C2) K) (Cf (St i s h) C1 K) []
| LStep_if_false : forall i s h C1 C2 K b,
bden b i s = Some (false,Lo) -> lstep (Cf (St i s h) (If b C1 C2) K) (Cf (St i s h) C2 K) []
| LStep_while_true : forall i s h C K b,
bden b i s = Some (true,Lo) -> lstep (Cf (St i s h) (While b C) K) (Cf (St i s h) C (While b C :: K)) []
| LStep_while_false : forall i s h C K b,
bden b i s = Some (false,Lo) -> lstep (Cf (St i s h) (While b C) K) (Cf (St i s h) Skip K) []
| LStep_if_hi : forall i s h st' C1 C2 K b v n,
bden b i s = Some (v,Hi) -> hsafe (taint_vars_cf (Cf (St i s h) (If b C1 C2) [])) ->
hstepn n (taint_vars_cf (Cf (St i s h) (If b C1 C2) [])) (Cf st' Skip []) ->
lstep (Cf (St i s h) (If b C1 C2) K) (Cf st' Skip K) []
| LStep_if_hi_dvg : forall i s h C1 C2 K b v,
bden b i s = Some (v,Hi) -> hsafe (taint_vars_cf (Cf (St i s h) (If b C1 C2) [])) ->
(forall n st', ~ hstepn n (taint_vars_cf (Cf (St i s h) (If b C1 C2) [])) (Cf st' Skip [])) ->
lstep (Cf (St i s h) (If b C1 C2) K) (Cf (St i s h) (If b C1 C2) K) []
| LStep_while_hi : forall i s h st' C K b v n,
bden b i s = Some (v,Hi) -> hsafe (taint_vars_cf (Cf (St i s h) (While b C) [])) ->
hstepn n (taint_vars_cf (Cf (St i s h) (While b C) [])) (Cf st' Skip []) ->
lstep (Cf (St i s h) (While b C) K) (Cf st' Skip K) []
| LStep_while_hi_dvg : forall i s h C K b v,
bden b i s = Some (v,Hi) -> hsafe (taint_vars_cf (Cf (St i s h) (While b C) [])) ->
(forall n st', ~ hstepn n (taint_vars_cf (Cf (St i s h) (While b C) [])) (Cf st' Skip [])) ->
lstep (Cf (St i s h) (While b C) K) (Cf (St i s h) (While b C) K) [].
Inductive lstepn : nat -> config -> config -> list Z -> Prop :=
| LStep_zero : forall cf, lstepn 0 cf cf []
| LStep_succ : forall n cf cf' cf'' o o', lstep cf cf' o -> lstepn n cf' cf'' o' -> lstepn (S n) cf cf'' (o++o').
Inductive can_lstep : config -> Prop := Can_lstep : forall cf cf' o, lstep cf cf' o -> can_lstep cf.
Definition lsafe cf := forall n cf' o, lstepn n cf cf' o -> halt_config cf' = false -> can_lstep cf'.
Definition side_condition C (st1 st2 : state) :=
match C, st1, st2 with
| Read _ e, St i1 s1 h1, St i2 s2 h2 =>
match (eden e i1 s1), (eden e i2 s2) with
| Some (v1,_), Some (v2,_) =>
match Zneg_dec v1, Zneg_dec v2 with
| left pf1, left pf2 =>
match h1 (nat_of_Z v1 pf1), h2 (nat_of_Z v2 pf2) with
| Some (_,l1), Some (_,l2) => l1 = l2
| _, _ => False
end
| _, _ => False
end
| _, _ => False
end
| _, _, _ => True
end.
Proposition dvg_ex_mid : forall cf,
(forall n st, ~ hstepn n cf (Cf st Skip [])) \/ exists n, exists st, hstepn n cf (Cf st Skip []).
Lemma hstep_trans : forall n1 n2 cf1 cf2 cf3, hstepn n1 cf1 cf2 -> hstepn n2 cf2 cf3 -> hstepn (n1+n2) cf1 cf3.
Lemma lstep_trans : forall n1 n2 cf1 cf2 cf3 o1 o2, lstepn n1 cf1 cf2 o1 -> lstepn n2 cf2 cf3 o2 -> lstepn (n1+n2) cf1 cf3 (o1++o2).
Lemma hstep_extend : forall st C K st' C' K' K0,
hstep (Cf st C K) (Cf st' C' K') -> hstep (Cf st C (K++K0)) (Cf st' C' (K'++K0)).
Lemma hstepn_extend : forall n st C K st' C' K' K0,
hstepn n (Cf st C K) (Cf st' C' K') -> hstepn n (Cf st C (K++K0)) (Cf st' C' (K'++K0)).
Lemma lstep_extend : forall st C K st' C' K' K0 o,
lstep (Cf st C K) (Cf st' C' K') o -> lstep (Cf st C (K++K0)) (Cf st' C' (K'++K0)) o.
Lemma lstepn_extend : forall n st C K st' C' K' K0 o,
lstepn n (Cf st C K) (Cf st' C' K') o -> lstepn n (Cf st C (K++K0)) (Cf st' C' (K'++K0)) o.
Lemma hstep_trans_inv : forall n st st' C C' K0 K K',
hstepn n (Cf st C (K0++K)) (Cf st' C' K') ->
(exists K'', hstepn n (Cf st C K0) (Cf st' C' K'') /\ K' = K''++K) \/
exists st'', exists n1, exists n2,
hstepn n1 (Cf st C K0) (Cf st'' Skip []) /\ hstepn n2 (Cf st'' Skip K) (Cf st' C' K') /\
n = n1 + n2.
Lemma lstep_trans_inv : forall n st st' C C' K0 K K' o,
lstepn n (Cf st C (K0++K)) (Cf st' C' K') o ->
(exists K'', lstepn n (Cf st C K0) (Cf st' C' K'') o /\ K' = K''++K) \/
exists st'', exists n1, exists n2, exists o1, exists o2,
lstepn n1 (Cf st C K0) (Cf st'' Skip []) o1 /\ lstepn n2 (Cf st'' Skip K) (Cf st' C' K') o2 /\
n = n1 + n2 /\ o = o1 ++ o2.
Lemma hstep_trans_inv' : forall a b cf cf',
hstepn (a+b) cf cf' -> exists cf'', hstepn a cf cf'' /\ hstepn b cf'' cf'.
Lemma lstep_trans_inv' : forall a b cf cf' o,
lstepn (a+b) cf cf' o -> exists cf'', exists o1, exists o2,
lstepn a cf cf'' o1 /\ lstepn b cf'' cf' o2 /\ o = o1 ++ o2.
Lemma hstep_det : forall cf cf1 cf2, hstep cf cf1 -> hstep cf cf2 -> cf1 = cf2.
Lemma hstepn_det : forall n cf cf1 cf2, hstepn n cf cf1 -> hstepn n cf cf2 -> cf1 = cf2.
Lemma hstepn_det_term : forall n1 n2 cf st1 st2, hstepn n1 cf (Cf st1 Skip []) -> hstepn n2 cf (Cf st2 Skip []) -> n1 = n2.
Lemma lstep_det : forall cf cf1 cf2 o1 o2, lstep cf cf1 o1 -> lstep cf cf2 o2 -> cf1 = cf2 /\ o1 = o2.
Lemma lstepn_det : forall n cf cf1 cf2 o1 o2, lstepn n cf cf1 o1 -> lstepn n cf cf2 o2 -> cf1 = cf2 /\ o1 = o2.
Lemma lstepn_det_term : forall n1 n2 cf st1 st2 o1 o2, lstepn n1 cf (Cf st1 Skip []) o1 -> lstepn n2 cf (Cf st2 Skip []) o2 -> n1 = n2.
Definition diverge cf := forall n, exists cf', exists o, lstepn n cf cf' o.
Corollary diverge_halt : forall n cf st o, diverge cf -> lstepn n cf (Cf st Skip []) o -> False.
Proposition diverge_same_cf : forall cf o, lstep cf cf o -> diverge cf.
Lemma diverge_seq1 : forall C1 C2 K st, diverge (Cf st C1 []) -> diverge (Cf st (Seq C1 C2) K).
Lemma diverge_seq2 : forall C1 C2 K st st' n o,
lstepn n (Cf st C1 []) (Cf st' Skip []) o -> diverge (Cf st' C2 K) -> diverge (Cf st (Seq C1 C2) K).
Lemma hstep_ff : forall C K C' K' i s h1 h2 h3 i' s' h1',
mydot h1 h2 h3 -> hstep (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K') ->
exists h3', mydot h1' h2 h3' /\ hstep (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K').
Lemma hstepn_ff : forall n C K C' K' i s h1 h2 h3 i' s' h1',
mydot h1 h2 h3 -> hstepn n (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K') ->
exists h3', mydot h1' h2 h3' /\ hstepn n (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K').
Lemma hstep_bf : forall C K C' K' i s h1 h2 h3 i' s' h3',
mydot h1 h2 h3 -> hstep (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K') -> hsafe (Cf (St i s h1) C K) ->
exists h1', mydot h1' h2 h3' /\ hstep (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K').
Lemma hstepn_bf : forall n C K C' K' i s h1 h2 h3 i' s' h3',
mydot h1 h2 h3 -> hstepn n (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K') -> hsafe (Cf (St i s h1) C K) ->
exists h1', mydot h1' h2 h3' /\ hstepn n (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K').
Lemma lstep_ff : forall C K C' K' i s h1 h2 h3 i' s' h1' o,
mydot h1 h2 h3 -> lstep (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K') o ->
exists h3', mydot h1' h2 h3' /\ lstep (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K') o.
Lemma lstepn_ff : forall n C K C' K' i s h1 h2 h3 i' s' h1' o,
mydot h1 h2 h3 -> lstepn n (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K') o ->
exists h3', mydot h1' h2 h3' /\ lstepn n (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K') o.
Corollary lstepn_nonincreasing : forall n i s h i' s' h' C K C' K' o a,
lstepn n (Cf (St i s h) C K) (Cf (St i' s' h') C' K') o -> h a = None -> h' a = None.
Lemma lstep_bf : forall C K C' K' i s h1 h2 h3 i' s' h3' o,
mydot h1 h2 h3 -> lstep (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K') o -> lsafe (Cf (St i s h1) C K) ->
exists h1', mydot h1' h2 h3' /\ lstep (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K') o.
Lemma lstepn_bf : forall n C K C' K' i s h1 h2 h3 i' s' h3' o,
mydot h1 h2 h3 -> lstepn n (Cf (St i s h3) C K) (Cf (St i' s' h3') C' K') o -> lsafe (Cf (St i s h1) C K) ->
exists h1', mydot h1' h2 h3' /\ lstepn n (Cf (St i s h1) C K) (Cf (St i' s' h1') C' K') o.
Lemma hstep_modifies_monotonic : forall st st' C C' K K' x,
hstep (Cf st C K) (Cf st' C' K') -> In x (modifies (C'::K')) -> In x (modifies (C::K)).
Lemma hstepn_modifies_monotonic : forall n st st' C C' K K' x,
hstepn n (Cf st C K) (Cf st' C' K') -> In x (modifies (C'::K')) -> In x (modifies (C::K)).
Lemma lstep_modifies_monotonic : forall st st' C C' K K' x o,
lstep (Cf st C K) (Cf st' C' K') o -> In x (modifies (C'::K')) -> In x (modifies (C::K)).
Lemma lstepn_modifies_monotonic : forall n st st' C C' K K' x o,
lstepn n (Cf st C K) (Cf st' C' K') o -> In x (modifies (C'::K')) -> In x (modifies (C::K)).
Lemma hstep_modifies_const : forall st st' C C' K K' x,
hstep (Cf st C K) (Cf st' C' K') -> ~ In x (modifies (C::K)) -> (st:store) x = (st':store) x.
Lemma hstepn_modifies_const : forall n st st' C C' K K' x,
hstepn n (Cf st C K) (Cf st' C' K') -> ~ In x (modifies (C::K)) -> (st:store) x = (st':store) x.
Lemma lstep_modifies_const : forall st st' C C' K K' x o,
lstep (Cf st C K) (Cf st' C' K') o -> ~ In x (modifies (C::K)) -> (st:store) x = (st':store) x.
Lemma lstepn_modifies_const : forall n st st' C C' K K' x o,
lstepn n (Cf st C K) (Cf st' C' K') o -> ~ In x (modifies (C::K)) -> (st:store) x = (st':store) x.
Lemma hstep_taints_s : forall i s h i' s' h' C K C' K' x,
hstep (Cf (St i s h) C K) (Cf (St i' s' h') C' K') ->
s x <> s' x -> exists v, s' x = Some (v,Hi).
Lemma hstepn_taints_s : forall n i s h i' s' h' C K C' K' x,
hstepn n (Cf (St i s h) C K) (Cf (St i' s' h') C' K') ->
s x <> s' x -> exists v, s' x = Some (v,Hi).
Lemma hstep_taints_h : forall i s h i' s' h' C K C' K' a,
hstep (Cf (St i s h) C K) (Cf (St i' s' h') C' K') ->
h a <> h' a -> exists v, h' a = Some (v,Hi).
Lemma hstepn_taints_h : forall n i s h i' s' h' C K C' K' a,
hstepn n (Cf (St i s h) C K) (Cf (St i' s' h') C' K') ->
h a <> h' a -> exists v, h' a = Some (v,Hi).
Proposition hstep_i_const : forall i s h i' s' h' C C' K K',
hstep (Cf (St i s h) C K) (Cf (St i' s' h') C' K') -> i' = i.
Proposition hstepn_i_const : forall n i s h i' s' h' C C' K K',
hstepn n (Cf (St i s h) C K) (Cf (St i' s' h') C' K') -> i' = i.
Proposition lstep_i_const : forall i s h i' s' h' C C' K K' o,
lstep (Cf (St i s h) C K) (Cf (St i' s' h') C' K') o -> i' = i.
Proposition lstepn_i_const : forall n i s h i' s' h' C C' K K' o,
lstepn n (Cf (St i s h) C K) (Cf (St i' s' h') C' K') o -> i' = i.
Definition obs_eq_s (s1 s2 : store) : Prop := forall x,
match s1 x, s2 x with
| None, None => True
| Some (v1,l1), Some (v2,l2) => l1 = l2 /\ (l1 = Lo -> v1 = v2)
| _, _ => False
end.
Definition obs_eq_h (h1 h2 : heap) : Prop := forall n,
match h1 n, h2 n with
| Some (v1,l1), Some (v2,l2) => l1 = Lo -> l2 = Lo -> v1 = v2
| _, _ => True
end.
Definition obs_eq (st1 st2 : state) : Prop := (st1:lmap) = (st2:lmap) /\ obs_eq_s st1 st2 /\ obs_eq_h st1 st2.
Proposition obs_eq_s_refl : forall s, obs_eq_s s s.
Proposition obs_eq_h_refl : forall h, obs_eq_h h h.
Proposition obs_eq_refl : forall st, obs_eq st st.
Proposition obs_eq_s_sym : forall s1 s2, obs_eq_s s1 s2 -> obs_eq_s s2 s1.
Proposition obs_eq_h_sym : forall h1 h2, obs_eq_h h1 h2 -> obs_eq_h h2 h1.
Proposition obs_eq_sym : forall st1 st2, obs_eq st1 st2 -> obs_eq st2 st1.
Lemma obs_eq_exp : forall e i1 s1 h1 i2 s2 h2, obs_eq (St i1 s1 h1) (St i2 s2 h2) ->
match eden e i1 s1, eden e i2 s2 with
| None, None => True
| Some (v1,l1), Some (v2,l2) => l1 = l2 /\ (l1 = Lo -> v1 = v2)
| _, _ => False
end.
Lemma obs_eq_bexp : forall b i1 s1 h1 i2 s2 h2, obs_eq (St i1 s1 h1) (St i2 s2 h2) ->
match bden b i1 s1, bden b i2 s2 with
| None, None => True
| Some (v1,l1), Some (v2,l2) => l1 = l2 /\ (l1 = Lo -> v1 = v2)
| _, _ => False
end.
Inductive lexp :=
| Lbl : glbl -> lexp
| Lblvar : nat -> lexp
| Lub : lexp -> lexp -> lexp.
Definition toLexp (l : glbl) : lexp := Lbl l.
Coercion toLexp : glbl >-> lexp.
Fixpoint lden (L : lexp) (i : lmap) : glbl :=
match L with
| Lbl l => l
| Lblvar X => snd i X
| Lub L1 L2 => glub (lden L1 i) (lden L2 i)
end.
Proposition lden_lblvars : forall L i1 i2 i, lden L (i1,i) = lden L (i2,i).
Inductive assert :=
| TrueA : assert
| FalseA : assert
| Emp : assert
| Allocated : exp -> assert
| Mapsto : exp -> exp -> lexp -> assert
| BoolExp : bexp -> assert
| EqLbl : lexp -> lexp -> assert
| LblEq : var -> lexp -> assert
| LblLeq : var -> lexp -> assert
| LblLeq' : lexp -> var -> assert
| LblExp : exp -> lexp -> assert
| LblBexp : bexp -> lexp -> assert
| Conj : assert -> assert -> assert
| Disj : assert -> assert -> assert
| Star : assert -> assert -> assert.
Fixpoint vars (P : assert) (x : var) : bool :=
match P with
| TrueA => false
| FalseA => false
| Emp => false
| Allocated e => expvars e x
| Mapsto e e' L => orb (expvars e x) (expvars e' x)
| BoolExp b => bexpvars b x
| EqLbl L1 L2 => false
| LblEq y L => if eq_nat_dec y x then true else false
| LblLeq y L => if eq_nat_dec y x then true else false
| LblLeq' L y => if eq_nat_dec y x then true else false
| LblExp e L => expvars e x
| LblBexp b L => bexpvars b x
| Conj P Q => orb (vars P x) (vars Q x)
| Disj P Q => orb (vars P x) (vars Q x)
| Star P Q => orb (vars P x) (vars Q x)
end.
Notation " P `AND` Q " := (Conj P Q) (at level 91, left associativity).
Notation " P `OR` Q " := (Disj P Q) (at level 91, left associativity).
Notation " P ** Q " := (Star P Q) (at level 91, left associativity).
Fixpoint ereplace e x ex : exp :=
match e with
| Var y => if eq_nat_dec y x then ex else Var y
| BinOp bop e1 e2 => BinOp bop (ereplace e1 x ex) (ereplace e2 x ex)
| _ => e
end.
Proposition ereplace_deletes : forall e x ex, expvars ex x = false -> expvars (ereplace e x ex) x = false.
Proposition eden_ereplace : forall e x ex i s, eden (Var x) i s = eden ex i s -> eden (ereplace e x ex) i s = eden e i s.
Proposition edenZ_ereplace : forall e x ex i s, edenZ (Var x) i s = edenZ ex i s -> edenZ (ereplace e x ex) i s = edenZ e i s.
Fixpoint aden (P : assert) (st : state) : Prop :=
match st with St i s h =>
match P with
| TrueA => True
| FalseA => False
| Emp => h = fun _ => None
| Allocated e => exists v : Z, exists pf : (v>=0)%Z, edenZ e i s = Some v /\
exists v', exists l', h = fun n => if eq_nat_dec n (nat_of_Z v pf) then Some (v',l') else None
| Mapsto e e' L => exists v : Z, exists pf : (v>=0)%Z, edenZ e i s = Some v /\ exists v', edenZ e' i s = Some v' /\
h = fun n => if eq_nat_dec n (nat_of_Z v pf) then Some (v', lden L i) else None
| BoolExp b => bdenZ b i s = Some true
| EqLbl L1 L2 => lden L1 i = lden L2 i
| LblEq x L => exists v, s x = Some (v, lden L i)
| LblLeq x L => exists v, exists l, s x = Some (v,l) /\ gleq l (lden L i) = true
| LblLeq' L x => exists v, exists l, s x = Some (v,l) /\ gleq (lden L i) l = true
| LblExp e L => exists v, eden e i s = Some (v, lden L i)
| LblBexp b L => exists v, bden b i s = Some (v, lden L i)
| Conj P Q => aden P st /\ aden Q st
| Disj P Q => aden P st \/ aden Q st
| Star P Q => exists h1, exists h2, mydot h1 h2 h /\ aden P (St i s h1) /\ aden Q (St i s h2)
end
end.
Definition aden2 (P : assert) (st1 st2 : state) : Prop := aden P st1 /\ aden P st2 /\ obs_eq st1 st2.
Definition implies (P Q : assert) := forall st, aden P st -> aden Q st.
Fixpoint haslbl (P : assert) (x : var) : bool :=
match P with
| LblEq y L => if eq_nat_dec y x then true else false
| LblLeq y L => if eq_nat_dec y x then true else false
| LblLeq' L y => if eq_nat_dec y x then true else false
| LblExp e L => expvars e x
| LblBexp b L => bexpvars b x
| Conj P Q => orb (haslbl P x) (haslbl Q x)
| Disj P Q => orb (haslbl P x) (haslbl Q x)
| Star P Q => orb (haslbl P x) (haslbl Q x)
| _ => false
end.
Proposition eden_upd : forall e x i s v l, expvars e x = false -> eden e i (upd s x (v,l)) = eden e i s.
Proposition edenZ_upd : forall e x i s v l, expvars e x = false -> edenZ e i (upd s x (v,l)) = edenZ e i s.
Proposition bden_upd : forall b x i s v l, bexpvars b x = false -> bden b i (upd s x (v,l)) = bden b i s.
Proposition bdenZ_upd : forall b x i s v l, bexpvars b x = false -> bdenZ b i (upd s x (v,l)) = bdenZ b i s.
Proposition aden_upd : forall P x i s h v l, vars P x = false -> aden P (St i s h) -> aden P (St i (upd s x (v,l)) h).
Proposition eden_vars_same : forall e i s s',
(forall x, expvars e x = true -> s x = s' x) -> eden e i s = eden e i s'.
Proposition edenZ_vars_same : forall e i s s',
(forall x, expvars e x = true -> s x = s' x) -> edenZ e i s = edenZ e i s'.
Proposition bden_vars_same : forall b i s s',
(forall x, bexpvars b x = true -> s x = s' x) -> bden b i s = bden b i s'.
Proposition bdenZ_vars_same : forall b i s s',
(forall x, bexpvars b x = true -> s x = s' x) -> bdenZ b i s = bdenZ b i s'.
Proposition aden_vars_same : forall P i s s' h,
(forall x, vars P x = true -> s x = s' x) -> aden P (St i s h) -> aden P (St i s' h).
Proposition expvars_none : forall e i s x v l, eden e i s = Some (v,l) -> s x = None -> expvars e x = false.
Proposition bexpvars_none : forall b i s x v l, bden b i s = Some (v,l) -> s x = None -> bexpvars b x = false.
Proposition aden_upd_none : forall P x i s h v l, s x = None -> aden P (St i s h) -> aden P (St i (upd s x (v,l)) h).
Proposition eden_taint_vars : forall e i s K v l, eden e i s = Some (v,l) ->
exists l', eden e i (taint_vars K s) = Some (v,l') /\ l <<= l'.
Proposition bden_taint_vars : forall b i s K v l, bden b i s = Some (v,l) ->
exists l', bden b i (taint_vars K s) = Some (v,l') /\ l <<= l'.
Proposition edenZ_ignores_lbl : forall e i s x v l l',
s x = Some (v,l) -> edenZ e i (upd s x (v,l')) = edenZ e i s.
Proposition bdenZ_ignores_lbl : forall b i s x v l l',
s x = Some (v,l) -> bdenZ b i (upd s x (v,l')) = bdenZ b i s.
Proposition aden_haslbl : forall P x i s h v l l', haslbl P x = false -> s x = Some (v,l) ->
aden P (St i s h) -> aden P (St i (upd s x (v,l')) h).
Definition taint_vars_assert (P : assert) (xs : list var) (l1 l2 : glbl) : assert :=
if gleq l1 l2 then P else P `AND` fold_right (fun x P => P `AND` LblLeq' (glub l1 l2) x) TrueA xs.
Proposition aden_fold : forall (f : var -> assert) xs st,
(forall x, In x xs -> aden (f x) st) -> aden (fold_right (fun x P => P `AND` f x) TrueA xs) st.
Proposition aden_fold_inv : forall (f : var -> assert) xs st,
aden (fold_right (fun x P => P `AND` f x) TrueA xs) st -> forall x, In x xs -> aden (f x) st.
Fixpoint no_lbls (P : assert) (xs : list var) :=
match xs with
| [] => true
| x::xs => andb (negb (haslbl P x)) (no_lbls P xs)
end.
Definition same_values (s1 s2 : store) (xs : list var) := forall x,
if In_dec eq_nat_dec x xs then
match s1 x, s2 x with
| Some (v1,_), Some (v2,_) => v1 = v2
| Some _, None => False
| _, _ => True
end
else s1 x = s2 x.
Proposition no_lbls_same_values : forall P xs i s1 s2 h,
no_lbls P xs = true -> same_values s1 s2 xs -> aden P (St i s1 h) -> aden P (St i s2 h).
Proposition taint_vars_same_values : forall K s, same_values s (taint_vars K s) (modifies K).
Proposition no_lbls_taint_vars : forall P K i s h,
no_lbls P (modifies K) = true -> aden P (St i s h) -> aden P (St i (taint_vars K s) h).
Proposition taint_vars_assert_inv : forall P K l l' i s h, gleq l l' = false ->
aden (taint_vars_assert P (modifies K) l l') (St i s h) -> s = taint_vars K s.
Proposition taint_vars_idempotent : forall K s, taint_vars K (taint_vars K s) = taint_vars K s.
Inductive judge : nat -> context -> assert -> cmd -> assert -> Prop :=
| Judge_skip : forall pc, judge 0 pc Emp Skip Emp
| Judge_output : forall e, judge 0 Lo (LblExp e Lo `AND` Emp) (Output e) (LblExp e Lo `AND` Emp)
| Judge_assign : forall x e e' pc L, expvars e' x = false ->
judge 0 pc (BoolExp (Eq e e') `AND` LblExp e L `AND` Emp) (Assign x e)
(BoolExp (Eq (Var x) e') `AND` LblEq x (Lub L pc) `AND` Emp)
| Judge_read : forall x e e1 e2 pc L1 L2, expvars e1 x = false -> expvars e2 x = false ->
judge 0 pc (BoolExp (Eq (Var x) e1) `AND` LblExp e L1 `AND` Mapsto e e2 L2) (Read x e)
(BoolExp (Eq (Var x) e2) `AND` LblEq x (Lub (Lub L1 L2) pc) `AND` Mapsto (ereplace e x e1) e2 L2)
| Judge_write : forall e1 e2 pc L1 L2,
judge 0 pc (LblExp e1 L1 `AND` LblExp e2 L2 `AND` Allocated e1) (Write e1 e2)
(Mapsto e1 e2 (Lub (Lub L1 L2) pc))
| Judge_seq : forall N1 N2 P Q R C1 C2 pc, judge N1 pc P C1 Q -> judge N2 pc Q C2 R -> judge (S (N1+N2)) pc P (Seq C1 C2) R
| Judge_if : forall N1 N2 P Q b C1 C2 pc (lt lf : glbl),
implies P (BoolExp b `OR` BoolExp (Not b)) ->
implies (BoolExp b `AND` P) (LblBexp b lt) -> implies (BoolExp (Not b) `AND` P) (LblBexp b lf) ->
(gleq (glub lt lf) pc = false -> no_lbls P (modifies [If b C1 C2]) = true) ->
judge N1 (glub lt pc) (BoolExp b `AND` taint_vars_assert P (modifies [If b C1 C2]) lt pc) C1 Q ->
judge N2 (glub lf pc) (BoolExp (Not b) `AND` taint_vars_assert P (modifies [If b C1 C2]) lf pc) C2 Q ->
judge (S (N1+N2)) pc P (If b C1 C2) Q
| Judge_while : forall N P b C pc (l : glbl),
implies P (LblBexp b l) -> (gleq l pc = false -> no_lbls P (modifies [While b C]) = true) ->
judge N (glub l pc) (BoolExp b `AND` taint_vars_assert P (modifies [While b C]) l pc) C
(taint_vars_assert P (modifies [While b C]) l pc) ->
judge (S N) pc P (While b C) (BoolExp (Not b) `AND` taint_vars_assert P (modifies [While b C]) l pc)
| Judge_conseq : forall N P P' Q Q' C pc, implies P' P -> implies Q Q' -> judge N pc P C Q -> judge (S N) pc P' C Q'
| Judge_conj : forall N1 N2 P1 P2 Q1 Q2 C pc, judge N1 pc P1 C Q1 -> judge N2 pc P2 C Q2 ->
judge (S (N1+N2)) pc (P1 `AND` P2) C (Q1 `AND` Q2)
| Judge_frame : forall N P Q R C pc, judge N pc P C Q -> (forall x, In x (modifies [C]) -> vars R x = false) ->
judge (S N) pc (P ** R) C (Q ** R).
Inductive sound : context -> assert -> cmd -> assert -> Prop :=
| Jden_hi : forall P C Q,
(forall st, aden P st -> hsafe (Cf st C [])) ->
(forall n st st', aden P st -> hstepn n (Cf st C []) (Cf st' Skip []) -> aden Q st') ->
sound Hi P C Q
| Jden_lo : forall P C Q,
(forall st, aden P st -> lsafe (Cf st C [])) ->
(forall n st st' o, aden P st -> lstepn n (Cf st C []) (Cf st' Skip []) o -> aden Q st') ->
(forall n st1 st2 st1' st2' C' K' o1 o2, aden2 P st1 st2 ->
lstepn n (Cf st1 C []) (Cf st1' C' K') o1 -> lstepn n (Cf st2 C []) (Cf st2' C' K') o2 ->
diverge (Cf st1 C []) \/ diverge (Cf st2 C []) \/ side_condition C' st1' st2') ->
(forall n1 n2 st1 st2 st1' st2' o1 o2, aden2 P st1 st2 -> side_condition C st1 st2 ->
lstepn n1 (Cf st1 C []) (Cf st1' Skip []) o1 -> lstepn n2 (Cf st2 C []) (Cf st2' Skip []) o2 ->
obs_eq st1' st2' /\ o1 = o2) ->
(forall n st1 st2 st1' C' K' o1, aden2 P st1 st2 ->
lstepn n (Cf st1 C []) (Cf st1' C' K') o1 ->
diverge (Cf st1 C []) \/ diverge (Cf st2 C []) \/
exists st2', exists o2, lstepn n (Cf st2 C []) (Cf st2' C' K') o2) ->
(forall n1 n2 i1 s1 h1 i1' s1' h1' i2 s2 h2 i2' s2' h2' o1 o2 a,
aden2 P (St i1 s1 h1) (St i2 s2 h2) ->
lstepn n1 (Cf (St i1 s1 h1) C []) (Cf (St i1' s1' h1') Skip []) o1 ->
lstepn n2 (Cf (St i2 s2 h2) C []) (Cf (St i2' s2' h2') Skip []) o2 ->
h1 a <> h1' a -> (exists v, h1' a = Some (v,Lo)) -> h2 a <> None) ->
sound Lo P C Q.
Lemma soundness_skip : forall ct, sound ct Emp Skip Emp.
Lemma soundness_output : forall e, sound Lo (LblExp e Lo `AND` Emp) (Output e) (LblExp e Lo `AND` Emp).
Lemma soundness_assign : forall e e' x L ct, expvars e' x = false ->
sound ct (BoolExp (Eq e e') `AND` LblExp e L `AND` Emp) (Assign x e)
(BoolExp (Eq (Var x) e') `AND` LblEq x (Lub L ct) `AND` Emp).
Lemma soundness_read : forall ct e e1 e2 x L1 L2, expvars e1 x = false -> expvars e2 x = false ->
sound ct (BoolExp (Eq (Var x) e1) `AND` LblExp e L1 `AND` Mapsto e e2 L2)
(Read x e) (BoolExp (Eq (Var x) e2) `AND` LblEq x (Lub (Lub L1 L2) ct)
`AND` Mapsto (ereplace e x e1) e2 L2).
Lemma soundness_write : forall e1 e2 ct L1 L2,
sound ct (LblExp e1 L1 `AND` LblExp e2 L2 `AND` Allocated e1) (Write e1 e2)
(Mapsto e1 e2 (Lub (Lub L1 L2) ct)).
Lemma soundness_seq : forall N1 N2 P Q R C1 C2 ct,
(forall y : nat, y < S (N1 + N2) ->
forall (ct : context) (P : assert) (C : cmd) (Q : assert),
judge y ct P C Q -> sound ct P C Q) ->
judge N1 ct P C1 Q -> judge N2 ct Q C2 R -> sound ct P (Seq C1 C2) R.
Lemma soundness_if : forall N1 N2 P Q b C1 C2 ct (lt lf : glbl),
(forall y : nat, y < S (N1 + N2) ->
forall (ct : context) (P : assert) (C : cmd) (Q : assert),
judge y ct P C Q -> sound ct P C Q) ->
implies P (BoolExp b `OR` BoolExp (Not b)) ->
implies (BoolExp b `AND` P) (LblBexp b lt) -> implies (BoolExp (Not b) `AND` P) (LblBexp b lf) ->
(gleq (glub lt lf) ct = false -> no_lbls P (modifies [If b C1 C2]) = true) ->
judge N1 (glub lt ct) (BoolExp b `AND` taint_vars_assert P (modifies [If b C1 C2]) lt ct) C1 Q ->
judge N2 (glub lf ct) (BoolExp (Not b) `AND` taint_vars_assert P (modifies [If b C1 C2]) lf ct) C2 Q ->
sound ct P (If b C1 C2) Q.
Lemma soundness_while : forall N P b C ct (l : glbl),
(forall y : nat,
y < S N ->
forall (ct : context) (P : assert) (C : cmd) (Q : assert),
judge y ct P C Q -> sound ct P C Q) ->
implies P (LblBexp b l) -> (gleq l ct = false -> no_lbls P (modifies [While b C]) = true) ->
judge N (glub l ct) (BoolExp b `AND` taint_vars_assert P (modifies [While b C]) l ct) C
(taint_vars_assert P (modifies [While b C]) l ct) ->
sound ct P (While b C) (BoolExp (Not b) `AND` taint_vars_assert P (modifies [While b C]) l ct).
Lemma soundness_conseq : forall N P P' Q Q' C ct,
(forall y : nat,
y < S N ->
forall (ct : context) (P : assert) (C : cmd) (Q : assert),
judge y ct P C Q -> sound ct P C Q) ->
implies P' P -> implies Q Q' -> judge N ct P C Q -> sound ct P' C Q'.
Lemma soundness_conj : forall N1 N2 P1 P2 Q1 Q2 C ct,
(forall y : nat,
y < S (N1 + N2) ->
forall (ct : context) (P : assert) (C : cmd) (Q : assert),
judge y ct P C Q -> sound ct P C Q) ->
judge N1 ct P1 C Q1 -> judge N2 ct P2 C Q2 -> sound ct (P1 `AND` P2) C (Q1 `AND` Q2).
Proposition aden2_star_inv : forall P Q i1 s1 h1 i2 s2 h2,
aden2 (P**Q) (St i1 s1 h1) (St i2 s2 h2) ->
exists ha, exists hb, exists hc, exists hd,
mydot ha hb h1 /\ mydot hc hd h2 /\ aden2 P (St i1 s1 ha) (St i2 s2 hc).
Proposition mydot_comm {A} : forall h1 h2 h3, mydot(A:=A) h1 h2 h3 -> mydot h2 h1 h3.
Proposition obs_eq_mydot_inv : forall ha hb hc hd h1 h2,
mydot ha hb h1 -> mydot hc hd h2 -> obs_eq_h h1 h2 -> obs_eq_h ha hc.
Lemma soundness_frame : forall N P Q R C ct,
(forall y : nat,
y < S N ->
forall (ct : context) (P : assert) (C : cmd) (Q : assert),
judge y ct P C Q -> sound ct P C Q) ->
judge N ct P C Q -> (forall x, In x (modifies [C]) -> vars R x = false) -> sound ct (P ** R) C (Q ** R).
Theorem soundness : forall N ct P C Q, judge N ct P C Q -> sound ct P C Q.
Definition store' := var -> option Z.
Definition heap' := addr -> option Z.
Inductive state' := St' : store' -> heap' -> state'.
Inductive config' := Cf' : state' -> cmd -> list cmd -> config'.
Definition erase (f : nat -> option val) : nat -> option Z := fun x => option_map (fun v => fst v) (f x).
Definition erase_fill (f : nat -> option val) : nat -> option Z :=
fun x => match f x with Some v => Some (fst v) | None => Some 0%Z end.
Definition erase_st (st : state) : state' := St' (erase_fill (st:store)) (erase (st:heap)).
Proposition erase_upd : forall f x v l, erase (upd f x (v,l)) = upd (erase f) x v.
Proposition erase_fill_upd : forall f x v l, erase_fill (upd f x (v,l)) = upd (erase_fill f) x v.
Fixpoint eden' (e : exp) (s : store') : option Z :=
match e with
| Var x => s x
| LVar _ => None
| Num n => Some n
| BinOp op e1 e2 => option_map2 (fun v1 v2 => opden op v1 v2) (eden' e1 s) (eden' e2 s)
end.
Fixpoint bden' (b : bexp) (s : store') : option bool :=
match b with
| FF => Some false
| TT => Some true
| Eq e1 e2 => option_map2 (fun v1 v2 => if Z_eq_dec v1 v2 then true else false) (eden' e1 s) (eden' e2 s)
| Not b => option_map (fun v => negb v) (bden' b s)
| BBinOp bop b1 b2 => option_map2 (fun v1 v2 => bopden bop v1 v2) (bden' b1 s) (bden' b2 s)
end.
Proposition eden_erase : forall e i s, no_lvars_exp e -> edenZ e i s <> None -> eden' e (erase_fill s) = edenZ e i s.
Proposition bden_erase : forall b i s, no_lvars_bexp b -> bdenZ b i s <> None -> bden' b (erase_fill s) = bdenZ b i s.
Proposition erase_taint_vars : forall K s, erase_fill (taint_vars K s) = erase_fill s.
Inductive step : config' -> config' -> list Z -> Prop :=
| Step_skip : forall st C K, step (Cf' st Skip (C::K)) (Cf' st C K) []
| Step_output : forall s h K e v, eden' e s = Some v ->
step (Cf' (St' s h) (Output e) K) (Cf' (St' s h) Skip K) [v]
| Step_assign : forall s h K x e v, eden' e s = Some v ->
step (Cf' (St' s h) (Assign x e) K) (Cf' (St' (upd s x v) h) Skip K) []
| Step_read : forall s h K x e v1 v2 (pf : v1 >= 0), eden' e s = Some v1 -> h (nat_of_Z v1 pf) = Some v2 ->
step (Cf' (St' s h) (Read x e) K) (Cf' (St' (upd s x v2) h) Skip K) []
| Step_write : forall s h K e1 e2 v1 v2 (pf : v1 >= 0), eden' e1 s = Some v1 ->
eden' e2 s = Some v2 -> h (nat_of_Z v1 pf) <> None ->
step (Cf' (St' s h) (Write e1 e2) K) (Cf' (St' s (upd h (nat_of_Z v1 pf) v2)) Skip K) []
| Step_seq : forall st C1 C2 K, step (Cf' st (Seq C1 C2) K) (Cf' st C1 (C2::K)) []
| Step_if_true : forall s h C1 C2 K b, bden' b s = Some true ->
step (Cf' (St' s h) (If b C1 C2) K) (Cf' (St' s h) C1 K) []
| Step_if_false : forall s h C1 C2 K b, bden' b s = Some false ->
step (Cf' (St' s h) (If b C1 C2) K) (Cf' (St' s h) C2 K) []
| Step_while_true : forall s h C K b, bden' b s = Some true ->
step (Cf' (St' s h) (While b C) K) (Cf' (St' s h) C (While b C :: K)) []
| Step_while_false : forall s h C K b, bden' b s = Some false ->
step (Cf' (St' s h) (While b C) K) (Cf' (St' s h) Skip K) [].
Inductive stepn : nat -> config' -> config' -> list Z -> Prop :=
| Step_zero : forall cf, stepn 0 cf cf []
| Step_succ : forall n cf cf' cf'' o o', step cf cf' o -> stepn n cf' cf'' o' -> stepn (S n) cf cf'' (o++o').
Lemma step_trans : forall n1 n2 cf1 cf2 cf3 o1 o2, stepn n1 cf1 cf2 o1 -> stepn n2 cf2 cf3 o2 -> stepn (n1+n2) cf1 cf3 (o1++o2).
Lemma step_extend : forall st C K st' C' K' K0 o,
step (Cf' st C K) (Cf' st' C' K') o -> step (Cf' st C (K++K0)) (Cf' st' C' (K'++K0)) o.
Lemma stepn_extend : forall n st C K st' C' K' K0 o,
stepn n (Cf' st C K) (Cf' st' C' K') o -> stepn n (Cf' st C (K++K0)) (Cf' st' C' (K'++K0)) o.
Lemma step_trans_inv : forall n st st' C C' K0 K K' o,
stepn n (Cf' st C (K0++K)) (Cf' st' C' K') o ->
(exists K'', stepn n (Cf' st C K0) (Cf' st' C' K'') o /\ K' = K''++K) \/
exists st'', exists n1, exists n2, exists o1, exists o2,
stepn n1 (Cf' st C K0) (Cf' st'' Skip []) o1 /\ stepn n2 (Cf' st'' Skip K) (Cf' st' C' K') o2 /\
n = n1 + n2 /\ o = o1 ++ o2.
Lemma step_trans_inv' : forall a b cf cf' o, stepn (a + b) cf cf' o ->
exists cf'', exists o1, exists o2, stepn a cf cf'' o1 /\ stepn b cf'' cf' o2 /\ o = o1 ++ o2.
Lemma step_det : forall cf cf1 cf2 o1 o2, step cf cf1 o1 -> step cf cf2 o2 -> cf1 = cf2 /\ o1 = o2.
Lemma stepn_det : forall n cf cf1 cf2 o1 o2, stepn n cf cf1 o1 -> stepn n cf cf2 o2 -> cf1 = cf2 /\ o1 = o2.
Lemma step_output_inv : forall n st st' C C' K K' v,
stepn n (Cf' st C K) (Cf' st' C' K') [v] ->
exists n1, exists n2, exists st'', exists e, exists K'',
stepn n1 (Cf' st C K) (Cf' st'' (Output e) K'') [] /\
stepn n2 (Cf' st'' (Output e) K'') (Cf' st' C' K') [v] /\ n = n1 + n2.
Lemma step_output_inv' : forall n st st' C C' K K' o1 o2,
stepn n (Cf' st C K) (Cf' st' C' K') (o1++o2) ->
exists n1, exists n2, exists st'', exists C'', exists K'',
stepn n1 (Cf' st C K) (Cf' st'' C'' K'') o1 /\
stepn n2 (Cf' st'' C'' K'') (Cf' st' C' K') o2 /\ n = n1 + n2.
Proposition hstep_no_lvars_monotonic : forall st st' C C' K K',
hstep (Cf st C K) (Cf st' C' K') -> no_lvars (C::K) -> no_lvars (C'::K').
Proposition hstepn_no_lvars_monotonic : forall n st st' C C' K K',
hstepn n (Cf st C K) (Cf st' C' K') -> no_lvars (C::K) -> no_lvars (C'::K').
Proposition lstep_no_lvars_monotonic : forall st st' C C' K K' o,
lstep (Cf st C K) (Cf st' C' K') o -> no_lvars (C::K) -> no_lvars (C'::K').
Proposition lstepn_no_lvars_monotonic : forall n st st' C C' K K' o,
lstepn n (Cf st C K) (Cf st' C' K') o -> no_lvars (C::K) -> no_lvars (C'::K').
Lemma hstep_erase : forall st st' C C' K K', no_lvars (C::K) -> hstep (Cf st C K) (Cf st' C' K') ->
exists n, stepn n (Cf' (erase_st st) C K) (Cf' (erase_st st') C' K') [].
Lemma hstepn_erase : forall n st st' C C' K K', no_lvars (C::K) -> hstepn n (Cf st C K) (Cf st' C' K') ->
exists n', stepn n' (Cf' (erase_st st) C K) (Cf' (erase_st st') C' K') [].
Lemma lstep_erase : forall st st' C C' K K' o, no_lvars (C::K) -> lstep (Cf st C K) (Cf st' C' K') o ->
exists n, stepn n (Cf' (erase_st st) C K) (Cf' (erase_st st') C' K') o.
Lemma lstepn_erase : forall n st st' C C' K K' o, no_lvars (C::K) -> lstepn n (Cf st C K) (Cf st' C' K') o ->
exists n', stepn n' (Cf' (erase_st st) C K) (Cf' (erase_st st') C' K') o.
Theorem step_erase : forall n st st' C o, no_lvars_cmd C -> lstepn n (Cf st C []) (Cf st' Skip []) o ->
exists n', stepn n' (Cf' (erase_st st) C []) (Cf' (erase_st st') Skip []) o.
Lemma hstep_instrument : forall st est C C' K K' o, no_lvars (C::K) ->
step (Cf' (erase_st st) C K) (Cf' est C' K') o -> hsafe (Cf st C K) ->
exists n, exists st', hstepn n (Cf st C K) (Cf st' C' K') /\ est = erase_st st'.
Lemma hstepn_instrument : forall n st est C C' K K' o, no_lvars (C::K) ->
stepn n (Cf' (erase_st st) C K) (Cf' est C' K') o -> hsafe (Cf st C K) ->
exists n', exists st', hstepn n' (Cf st C K) (Cf st' C' K') /\ est = erase_st st'.
Lemma lstepn_instrument : forall n st est C K K' e, no_lvars (C::K) ->
stepn (S n) (Cf' (erase_st st) C K) (Cf' est (Output e) K') [] -> lsafe (Cf st C K) ->
exists n1, exists n2, exists st', exists C'', exists K'',
stepn n1 (Cf' (erase_st st) C K) (Cf' (erase_st st') C'' K'') [] /\
stepn n2 (Cf' (erase_st st') C'' K'') (Cf' est (Output e) K') [] /\
lstep (Cf st C K) (Cf st' C'' K'') [] /\ S n = n1 + n2.
Fixpoint size (C : cmd) :=
match C with
| Seq C1 C2 => S (size C1 + size C2)
| If _ C1 C2 => S (size C1 + size C2)
| While _ C => S (size C)
| _ => 0
end.
Lemma step_instrument_term : forall n st est C K, no_lvars (C::K) ->
stepn n (Cf' (erase_st st) C K) (Cf' est Skip []) [] -> lsafe (Cf st C K) ->
exists n', exists st', lstepn n' (Cf st C K) (Cf st' Skip []) [].
Theorem step_instrument : forall n st est C K o, no_lvars (C::K) ->
stepn n (Cf' (erase_st st) C K) (Cf' est Skip []) o -> lsafe (Cf st C K) ->
exists n', exists st', lstepn n' (Cf st C K) (Cf st' Skip []) o.
Theorem noninterference : forall N P C Q st1 st2 st1' st2' n1 n2 o1 o2,
no_lvars_cmd C -> judge N Lo P C Q -> aden2 P st1 st2 ->
stepn n1 (Cf' (erase_st st1) C []) (Cf' st1' Skip []) o1 ->
stepn n2 (Cf' (erase_st st2) C []) (Cf' st2' Skip []) o2 -> o1 = o2.
Print Assumptions noninterference.
This page has been generated by coqdoc