Merge of branch new-semantics: revised and strengthened top-level statements of semantic preservation.

git-svn-id: https://yquem.inria.fr/compcert/svn/compcert/trunk@1683 fca1b0fc-160b-0410-b1d3-a4f43f01ea2e

1 files changed, 155 insertions, 102 deletions

diff --git a/common/Determinism.v b/common/Determinism.v
index 00d8855..16e8890 100644
--- a/common/Determinism.v
+++ b/common/Determinism.v
@@ -20,6 +20,7 @@ Require Import Values.
 Require Import Events.
 Require Import Globalenvs.
 Require Import Smallstep.
+Require Import Behaviors.
 
 (** This file uses classical logic (the axiom of excluded middle), as
   well as the following extensionality property over infinite
@@ -80,7 +81,9 @@ Inductive possible_event: world -> event -> world -> Prop :=
       possible_event w1 (Event_vload chunk id ofs evres) w2
   | possible_event_vstore: forall w1 chunk id ofs evarg w2,
       nextworld_vstore w1 chunk id ofs evarg = Some w2 ->
-      possible_event w1 (Event_vstore chunk id ofs evarg) w2.
+      possible_event w1 (Event_vstore chunk id ofs evarg) w2
+  | possible_event_annot: forall w1 id args,
+      possible_event w1 (Event_annot id args) w1.
 
 Inductive possible_trace: world -> trace -> world -> Prop :=
   | possible_trace_nil: forall w,
@@ -110,6 +113,20 @@ Proof.
   exists w1; split. econstructor; eauto. auto.
 Qed.
 
+Lemma match_possible_traces:
+  forall (F V: Type) (ge: Genv.t F V) t1 t2 w0 w1 w2,
+  match_traces ge t1 t2 -> possible_trace w0 t1 w1 -> possible_trace w0 t2 w2 ->
+  t1 = t2 /\ w1 = w2.
+Proof.
+  intros. inv H; inv H1; inv H0.
+  auto.
+  inv H7; inv H6. inv H9; inv H10. split; congruence.
+  inv H7; inv H6. inv H9; inv H10. split; congruence.
+  inv H4; inv H3. inv H6; inv H7. split; congruence. 
+  inv H4; inv H3. inv H7; inv H6. auto.
+Qed.
+
+(*
 Lemma possible_event_final_world:
   forall w ev w1 w2,
   possible_event w ev w1 -> possible_event w ev w2 -> w1 = w2.
@@ -126,6 +143,7 @@ Proof.
   inv H1. assert (w2 = w5) by (eapply possible_event_final_world; eauto). 
   subst; eauto.
 Qed.
+*)
 
 CoInductive possible_traceinf: world -> traceinf -> Prop :=
   | possible_traceinf_cons: forall w1 ev w2 T,
@@ -200,46 +218,38 @@ Proof.
   inv H3. simpl. auto. econstructor; eauto. econstructor; eauto. unfold E0; congruence.
 Qed.
 
-(** * Properties of deterministic semantics *)
-
-Section DETERM_SEM.
+(** * Definition and properties of deterministic semantics *)
 
-(** We assume given a semantics that is deterministic, in the following sense. *)
-
-Variable genv: Type.
-Variable state: Type.
-Variable step: genv -> state -> trace -> state -> Prop.
-Variable initial_state: state -> Prop.
-Variable final_state: state -> int -> Prop.
+Record sem_deterministic (L: semantics) := mk_deterministic {
+  det_step: forall s0 t1 s1 t2 s2,
+    L (genv L) s0 t1 s1 -> L (genv L) s0 t2 s2 -> s1 = s2 /\ t1 = t2;
+  det_initial_state: forall s1 s2,
+    initial_state L s1 -> initial_state L s2 -> s1 = s2;
+  det_final_state: forall s r1 r2,
+    final_state L s r1 -> final_state L s r2 -> r1 = r2;
+  det_final_nostep: forall s r,
+    final_state L s r -> nostep L (genv L) s
+}.
 
-Hypothesis step_deterministic:
-  forall ge s0 t1 s1 t2 s2,
-  step ge s0 t1 s1 -> step ge s0 t2 s2 ->
-  s1 = s2 /\ t1 = t2.
-
-Hypothesis initial_state_determ:
-  forall s1 s2, initial_state s1 -> initial_state s2 -> s1 = s2.
-
-Hypothesis final_state_determ:
-  forall st r1 r2, final_state st r1 -> final_state st r2 -> r1 = r2.
+Section DETERM_SEM.
 
-Hypothesis final_state_nostep:
-  forall ge st r, final_state st r -> nostep step ge st.
+Variable L: semantics.
+Hypothesis DET: sem_deterministic L.
 
 Ltac use_step_deterministic :=
   match goal with
-  | [ S1: step _ _ ?t1 _, S2: step _ _ ?t2 _ |- _ ] =>
-    destruct (step_deterministic _ _ _ _ _ _ S1 S2) as [EQ1 EQ2]; subst
+  | [ S1: step L (genv L) _ ?t1 _, S2: step L (genv L) _ ?t2 _ |- _ ] =>
+    destruct (det_step L DET _ _ _ _ _ S1 S2) as [EQ1 EQ2]; subst
   end.
 
 (** Determinism for finite transition sequences. *)
 
 Lemma star_step_diamond:
-  forall ge s0 t1 s1, star step ge s0 t1 s1 -> 
-  forall t2 s2, star step ge s0 t2 s2 -> 
+  forall s0 t1 s1, star L (genv L) s0 t1 s1 -> 
+  forall t2 s2, star L (genv L) s0 t2 s2 -> 
   exists t,
-     (star step ge s1 t s2 /\ t2 = t1 ** t)
-  \/ (star step ge s2 t s1 /\ t1 = t2 ** t).
+     (star L (genv L) s1 t s2 /\ t2 = t1 ** t)
+  \/ (star L (genv L) s2 t s1 /\ t1 = t2 ** t).
 Proof.
   induction 1; intros. 
   exists t2; auto. 
@@ -252,24 +262,24 @@ Qed.
 
 Ltac use_star_step_diamond :=
   match goal with
-  | [ S1: star step _ _ ?t1 _, S2: star step _ _ ?t2 _ |- _ ] =>
+  | [ S1: star (step L) (genv L) _ ?t1 _, S2: star (step L) (genv L) _ ?t2 _ |- _ ] =>
     let t := fresh "t" in let P := fresh "P" in let EQ := fresh "EQ" in
-    destruct (star_step_diamond _ _ _ _ S1 _ _ S2)
+    destruct (star_step_diamond _ _ _ S1 _ _ S2)
     as [t [ [P EQ] | [P EQ] ]]; subst
  end.
 
 Ltac use_nostep :=
   match goal with
-  | [ S: step _ ?s _ _, NO: nostep step _ ?s |- _ ] => elim (NO _ _ S)
+  | [ S: step L (genv L) ?s _ _, NO: nostep (step L) (genv L) ?s |- _ ] => elim (NO _ _ S)
   end.
 
 Lemma star_step_triangle:
-  forall ge s0 t1 s1 t2 s2,
-  star step ge s0 t1 s1 -> 
-  star step ge s0 t2 s2 -> 
-  nostep step ge s2 ->
+  forall s0 t1 s1 t2 s2,
+  star L (genv L) s0 t1 s1 -> 
+  star L (genv L) s0 t2 s2 -> 
+  nostep L (genv L) s2 ->
   exists t,
-  star step ge s1 t s2 /\ t2 = t1 ** t.
+  star L (genv L) s1 t s2 /\ t2 = t1 ** t.
 Proof.
   intros. use_star_step_diamond.
   exists t; auto.
@@ -279,17 +289,17 @@ Qed.
 
 Ltac use_star_step_triangle :=
   match goal with
-  | [ S1: star step _ _ ?t1 _, S2: star step _ _ ?t2 ?s2,
-      NO: nostep step _ ?s2 |- _ ] =>
+  | [ S1: star (step L) (genv L) _ ?t1 _, S2: star (step L) (genv L) _ ?t2 ?s2,
+      NO: nostep (step L) (genv L) ?s2 |- _ ] =>
     let t := fresh "t" in let P := fresh "P" in let EQ := fresh "EQ" in
-    destruct (star_step_triangle _ _ _ _ _ _ S1 S2 NO)
+    destruct (star_step_triangle _ _ _ _ _ S1 S2 NO)
     as [t [P EQ]]; subst
   end.
 
 Lemma steps_deterministic:
-  forall ge s0 t1 s1 t2 s2,
-  star step ge s0 t1 s1 -> star step ge s0 t2 s2 -> 
-  nostep step ge s1 -> nostep step ge s2 ->
+  forall s0 t1 s1 t2 s2,
+  star L (genv L) s0 t1 s1 -> star L (genv L) s0 t2 s2 -> 
+  nostep L (genv L) s1 -> nostep L (genv L) s2 ->
   t1 = t2 /\ s1 = s2.
 Proof.
   intros. use_star_step_triangle. inv P.
@@ -297,23 +307,23 @@ Proof.
 Qed.
 
 Lemma terminates_not_goes_wrong:
-  forall ge s t1 s1 r t2 s2,
-  star step ge s t1 s1 -> final_state s1 r ->
-  star step ge s t2 s2 -> nostep step ge s2 ->
-  (forall r, ~final_state s2 r) -> False.
+  forall s t1 s1 r t2 s2,
+  star L (genv L) s t1 s1 -> final_state L s1 r ->
+  star L (genv L) s t2 s2 -> nostep L (genv L) s2 ->
+  (forall r, ~final_state L s2 r) -> False.
 Proof.
   intros.
   assert (t1 = t2 /\ s1 = s2). 
-    eapply steps_deterministic; eauto. 
+    eapply steps_deterministic; eauto. eapply det_final_nostep; eauto. 
   destruct H4; subst. elim (H3 _ H0).
 Qed.
 
 (** Determinism for infinite transition sequences. *)
 
 Lemma star_final_not_forever_silent:
-  forall ge s t s', star step ge s t s' ->
-  nostep step ge s' ->
-  forever_silent step ge s -> False.
+  forall s t s', star L (genv L) s t s' ->
+  nostep L (genv L) s' ->
+  forever_silent L (genv L) s -> False.
 Proof.
   induction 1; intros. 
   inv H0. use_nostep. 
@@ -321,9 +331,9 @@ Proof.
 Qed.
 
 Lemma star2_final_not_forever_silent:
-  forall ge s t1 s1 t2 s2,
-  star step ge s t1 s1 -> nostep step ge s1 ->
-  star step ge s t2 s2 -> forever_silent step ge s2 ->
+  forall s t1 s1 t2 s2,
+  star L (genv L) s t1 s1 -> nostep L (genv L) s1 ->
+  star L (genv L) s t2 s2 -> forever_silent L (genv L) s2 ->
   False.
 Proof.
   intros. use_star_step_triangle.
@@ -331,8 +341,8 @@ Proof.
 Qed.
 
 Lemma star_final_not_forever_reactive:
-  forall ge s t s', star step ge s t s' -> 
-  forall T, nostep step ge s' -> forever_reactive step ge s T -> False.
+  forall s t s', star L (genv L) s t s' -> 
+  forall T, nostep L (genv L) s' -> forever_reactive L (genv L) s T -> False.
 Proof.
   induction 1; intros.
   inv H0. inv H1. congruence. use_nostep. 
@@ -343,9 +353,9 @@ Proof.
 Qed.
 
 Lemma star_forever_silent_inv:
-  forall ge s t s', star step ge s t s' ->
-  forever_silent step ge s -> 
-  t = E0 /\ forever_silent step ge s'.
+  forall s t s', star L (genv L) s t s' ->
+  forever_silent L (genv L) s -> 
+  t = E0 /\ forever_silent L (genv L) s'.
 Proof.
   induction 1; intros.
   auto.
@@ -353,24 +363,24 @@ Proof.
 Qed.
 
 Lemma forever_silent_reactive_exclusive:
-  forall ge s T,
-  forever_silent step ge s -> forever_reactive step ge s T -> False.
+  forall s T,
+  forever_silent L (genv L) s -> forever_reactive L (genv L) s T -> False.
 Proof.
   intros. inv H0. exploit star_forever_silent_inv; eauto. 
   intros [A B]. contradiction.
 Qed.
 
 Lemma forever_reactive_inv2:
-  forall ge s t1 s1, star step ge s t1 s1 ->
+  forall s t1 s1, star L (genv L) s t1 s1 ->
   forall t2 s2 T1 T2,
-  star step ge s t2 s2 ->
+  star L (genv L) s t2 s2 ->
   t1 <> E0 -> t2 <> E0 ->
-  forever_reactive step ge s1 T1 ->
-  forever_reactive step ge s2 T2 ->
+  forever_reactive L (genv L) s1 T1 ->
+  forever_reactive L (genv L) s2 T2 ->
   exists s', exists t, exists T1', exists T2',
   t <> E0 /\
-  forever_reactive step ge s' T1' /\
-  forever_reactive step ge s' T2' /\
+  forever_reactive L (genv L) s' T1' /\
+  forever_reactive L (genv L) s' T2' /\
   t1 *** T1 = t *** T1' /\
   t2 *** T2 = t *** T2'.
 Proof.
@@ -390,32 +400,32 @@ Proof.
 Qed.
 
 Lemma forever_reactive_determ':
-  forall ge s T1 T2,
-  forever_reactive step ge s T1 ->
-  forever_reactive step ge s T2 ->
+  forall s T1 T2,
+  forever_reactive L (genv L) s T1 ->
+  forever_reactive L (genv L) s T2 ->
   traceinf_sim' T1 T2.
 Proof.
   cofix COINDHYP; intros.
   inv H. inv H0.
-  destruct (forever_reactive_inv2 _ _ _ _ H t s2 T0 T)
+  destruct (forever_reactive_inv2 _ _ _ H t s2 T0 T)
   as [s' [t' [T1' [T2' [A [B [C [D E]]]]]]]]; auto.
   rewrite D; rewrite E. constructor. auto. 
   eapply COINDHYP; eauto. 
 Qed.
 
 Lemma forever_reactive_determ:
-  forall ge s T1 T2,
-  forever_reactive step ge s T1 ->
-  forever_reactive step ge s T2 ->
+  forall s T1 T2,
+  forever_reactive L (genv L) s T1 ->
+  forever_reactive L (genv L) s T2 ->
   traceinf_sim T1 T2.
 Proof.
   intros. apply traceinf_sim'_sim. eapply forever_reactive_determ'; eauto.
 Qed.
 
 Lemma star_forever_reactive_inv:
-  forall ge s t s', star step ge s t s' ->
-  forall T, forever_reactive step ge s T ->
-  exists T', forever_reactive step ge s' T' /\ T = t *** T'.
+  forall s t s', star L (genv L) s t s' ->
+  forall T, forever_reactive L (genv L) s T ->
+  exists T', forever_reactive L (genv L) s' T' /\ T = t *** T'.
 Proof.
   induction 1; intros. 
   exists T; auto.
@@ -426,9 +436,9 @@ Proof.
 Qed.
 
 Lemma forever_silent_reactive_exclusive2:
-  forall ge s t s' T,
-  star step ge s t s' -> forever_silent step ge s' ->
-  forever_reactive step ge s T ->
+  forall s t s' T,
+  star L (genv L) s t s' -> forever_silent L (genv L) s' ->
+  forever_reactive L (genv L) s T ->
   False.
 Proof.
   intros. exploit star_forever_reactive_inv; eauto. 
@@ -438,26 +448,16 @@ Qed.
 
 (** Determinism for program executions *)
 
-Ltac use_init_state :=
-  match goal with
-  | [ H1: (initial_state _), H2: (initial_state _) |- _ ] =>
-        generalize (initial_state_determ _ _ H1 H2); intro; subst; clear H2
-  | [ H1: (initial_state _), H2: (forall s, ~initial_state s) |- _ ] =>
-        elim (H2 _ H1)
-  | _ => idtac
-  end.
-
-Theorem program_behaves_deterministic:
-  forall ge beh1 beh2,
-  program_behaves step initial_state final_state ge beh1 ->
-  program_behaves step initial_state final_state ge beh2 ->
-  beh1 = beh2.
+Lemma state_behaves_deterministic:
+  forall s beh1 beh2,
+  state_behaves L s beh1 -> state_behaves L s beh2 -> beh1 = beh2.
 Proof.
+  generalize (det_final_nostep L DET); intro dfns.
   intros until beh2; intros BEH1 BEH2.
-  inv BEH1; inv BEH2; use_init_state.
+  inv BEH1; inv BEH2.
 (* terminates, terminates *)
   assert (t = t0 /\ s' = s'0). eapply steps_deterministic; eauto.
-  destruct H2. f_equal; auto. subst. eauto. 
+  destruct H3. f_equal; auto. subst. eapply det_final_state; eauto. 
 (* terminates, diverges *)
   byContradiction. eapply star2_final_not_forever_silent with (s1 := s') (s2 := s'0); eauto.
 (* terminates, reacts *)
@@ -493,9 +493,23 @@ Proof.
   byContradiction. eapply star_final_not_forever_reactive; eauto.
 (* goes wrong, goes wrong *)
   assert (t = t0 /\ s' = s'0). eapply steps_deterministic; eauto.
-  destruct H3. congruence.
-(* goes initially wrong, goes initially wrong *)
-  reflexivity.
+  destruct H5. congruence.
+Qed.
+
+Theorem program_behaves_deterministic:
+  forall beh1 beh2,
+  program_behaves L beh1 -> program_behaves L beh2 ->
+  beh1 = beh2.
+Proof.
+  intros until beh2; intros BEH1 BEH2. inv BEH1; inv BEH2.
+(* both initial states defined *)
+  assert (s = s0) by (eapply det_initial_state; eauto). subst s0. 
+  eapply state_behaves_deterministic; eauto.
+(* one initial state defined, the other undefined *)
+  elim (H1 _ H).
+  elim (H _ H0).
+(* both initial states undefined *)
+  auto.
 Qed.
 
 End DETERM_SEM.
@@ -508,6 +522,48 @@ End DETERM_SEM.
 
 Section WORLD_SEM.
 
+Variable L: semantics.
+Variable initial_world: world.
+
+Notation "s #1" := (fst s) (at level 9, format "s '#1'") : pair_scope.
+Notation "s #2" := (snd s) (at level 9, format "s '#2'") : pair_scope.
+Local Open Scope pair_scope.
+
+Definition world_sem : semantics := @mk_semantics
+  (state L * world)%type
+  (funtype L)
+  (vartype L)
+  (fun ge s t s' => L ge s#1 t s'#1 /\ possible_trace s#2 t s'#2)
+  (fun s => initial_state L s#1 /\ s#2 = initial_world)
+  (fun s r => final_state L s#1 r)
+  (genv L).
+
+(** If the original semantics is determinate, the world-aware semantics is deterministic. *)
+
+Hypothesis D: sem_determinate L.
+
+Theorem world_sem_deterministic: sem_deterministic world_sem.
+Proof.
+  constructor; simpl; intros.
+(* steps *)
+  destruct H; destruct H0.
+  exploit (sd_match D). eexact H. eexact H0. intros MT.
+  exploit match_possible_traces; eauto. intros [EQ1 EQ2]. subst t2.
+  exploit (sd_determ D). eexact H. eexact H0. intros EQ3. 
+  split; auto. rewrite (surjective_pairing s1). rewrite (surjective_pairing s2). congruence.
+(* initial states *)
+  destruct H; destruct H0.
+  rewrite (surjective_pairing s1). rewrite (surjective_pairing s2). decEq. 
+  eapply (sd_initial_determ D); eauto. 
+  congruence.
+(* final states *)
+  eapply (sd_final_determ D); eauto.
+(* final no step *)
+  red; simpl; intros. red; intros [A B]. exploit (sd_final_nostep D); eauto. 
+Qed.
+
+
+
 Variable genv: Type.
 Variable state: Type.
 Variable step: genv -> state -> trace -> state -> Prop.
@@ -517,9 +573,6 @@ Variable initial_world: world.
 
 Definition wstate : Type := (state * world)%type.
 
-Notation "s #1" := (fst s) (at level 9, format "s '#1'") : pair_scope.
-Notation "s #2" := (snd s) (at level 9, format "s '#2'") : pair_scope.
-Local Open Scope pair_scope.
 
 Definition wstep (ge: genv) (S: wstate) (t: trace) (S': wstate) :=
   step ge S#1 t S'#1 /\ possible_trace S#2 t S'#2.