1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
|
(* *********************************************************************)
(* *)
(* The Compcert verified compiler *)
(* *)
(* Xavier Leroy, INRIA Paris-Rocquencourt *)
(* *)
(* Copyright Institut National de Recherche en Informatique et en *)
(* Automatique. All rights reserved. This file is distributed *)
(* under the terms of the GNU General Public License as published by *)
(* the Free Software Foundation, either version 2 of the License, or *)
(* (at your option) any later version. This file is also distributed *)
(* under the terms of the INRIA Non-Commercial License Agreement. *)
(* *)
(* *********************************************************************)
(** Representation of observable events and execution traces. *)
Require Import Coqlib.
Require Import AST.
Require Import Integers.
Require Import Floats.
Require Import Values.
(** The observable behaviour of programs is stated in terms of
input/output events, which can also be thought of as system calls
to the operating system. An event is generated each time an
external function (see module AST) is invoked. The event records
the name of the external function, the arguments to the function
invocation provided by the program, and the return value provided by
the outside world (e.g. the operating system). Arguments and values
are either integers or floating-point numbers. We currently do not
allow pointers to be exchanged between the program and the outside
world. *)
Inductive eventval: Type :=
| EVint: int -> eventval
| EVfloat: float -> eventval.
Record event : Type := mkevent {
ev_name: ident;
ev_args: list eventval;
ev_res: eventval
}.
(** The dynamic semantics for programs collect traces of events.
Traces are of two kinds: finite (type [trace]) or infinite (type [traceinf]). *)
Definition trace := list event.
Definition E0 : trace := nil.
Definition Eextcall
(name: ident) (args: list eventval) (res: eventval) : trace :=
mkevent name args res :: nil.
Definition Eapp (t1 t2: trace) : trace := t1 ++ t2.
CoInductive traceinf : Type :=
| Econsinf: event -> traceinf -> traceinf.
Fixpoint Eappinf (t: trace) (T: traceinf) {struct t} : traceinf :=
match t with
| nil => T
| ev :: t' => Econsinf ev (Eappinf t' T)
end.
(** Concatenation of traces is written [**] in the finite case
or [***] in the infinite case. *)
Infix "**" := Eapp (at level 60, right associativity).
Infix "***" := Eappinf (at level 60, right associativity).
Lemma E0_left: forall t, E0 ** t = t.
Proof. auto. Qed.
Lemma E0_right: forall t, t ** E0 = t.
Proof. intros. unfold E0, Eapp. rewrite <- app_nil_end. auto. Qed.
Lemma Eapp_assoc: forall t1 t2 t3, (t1 ** t2) ** t3 = t1 ** (t2 ** t3).
Proof. intros. unfold Eapp, trace. apply app_ass. Qed.
Lemma Eapp_E0_inv: forall t1 t2, t1 ** t2 = E0 -> t1 = E0 /\ t2 = E0.
Proof (@app_eq_nil event).
Lemma E0_left_inf: forall T, E0 *** T = T.
Proof. auto. Qed.
Lemma Eappinf_assoc: forall t1 t2 T, (t1 ** t2) *** T = t1 *** (t2 *** T).
Proof.
induction t1; intros; simpl. auto. decEq; auto.
Qed.
Hint Rewrite E0_left E0_right Eapp_assoc
E0_left_inf Eappinf_assoc: trace_rewrite.
Opaque trace E0 Eextcall Eapp Eappinf.
(** The following [traceEq] tactic proves equalities between traces
or infinite traces. *)
Ltac substTraceHyp :=
match goal with
| [ H: (@eq trace ?x ?y) |- _ ] =>
subst x || clear H
end.
Ltac decomposeTraceEq :=
match goal with
| [ |- (_ ** _) = (_ ** _) ] =>
apply (f_equal2 Eapp); auto; decomposeTraceEq
| _ =>
auto
end.
Ltac traceEq :=
repeat substTraceHyp; autorewrite with trace_rewrite; decomposeTraceEq.
(** The predicate [event_match ef vargs t vres] expresses that
the event [t] is generated when invoking external function [ef]
with arguments [vargs], and obtaining [vres] as a return value
from the operating system. *)
Inductive eventval_match: eventval -> typ -> val -> Prop :=
| ev_match_int:
forall i, eventval_match (EVint i) Tint (Vint i)
| ev_match_float:
forall f, eventval_match (EVfloat f) Tfloat (Vfloat f).
Inductive eventval_list_match: list eventval -> list typ -> list val -> Prop :=
| evl_match_nil:
eventval_list_match nil nil nil
| evl_match_cons:
forall ev1 evl ty1 tyl v1 vl,
eventval_match ev1 ty1 v1 ->
eventval_list_match evl tyl vl ->
eventval_list_match (ev1::evl) (ty1::tyl) (v1::vl).
Inductive event_match:
external_function -> list val -> trace -> val -> Prop :=
event_match_intro:
forall ef vargs vres eargs eres,
eventval_list_match eargs (sig_args ef.(ef_sig)) vargs ->
eventval_match eres (proj_sig_res ef.(ef_sig)) vres ->
event_match ef vargs (Eextcall ef.(ef_id) eargs eres) vres.
(** The following section shows that [event_match] is stable under
relocation of pointer values, as performed by memory injections
(see module [Mem]). *)
Require Import Mem.
Section EVENT_MATCH_INJECT.
Variable f: meminj.
Remark eventval_match_inject:
forall ev ty v1, eventval_match ev ty v1 ->
forall v2, val_inject f v1 v2 ->
eventval_match ev ty v2.
Proof.
induction 1; intros; inversion H; constructor.
Qed.
Remark eventval_list_match_inject:
forall evl tyl vl1, eventval_list_match evl tyl vl1 ->
forall vl2, val_list_inject f vl1 vl2 ->
eventval_list_match evl tyl vl2.
Proof.
induction 1; intros.
inversion H; constructor.
inversion H1; constructor.
eapply eventval_match_inject; eauto.
eauto.
Qed.
Lemma event_match_inject:
forall ef args1 t res args2,
event_match ef args1 t res ->
val_list_inject f args1 args2 ->
event_match ef args2 t res /\ val_inject f res res.
Proof.
intros. inversion H; subst.
split. constructor. eapply eventval_list_match_inject; eauto. auto.
inversion H2; constructor.
Qed.
End EVENT_MATCH_INJECT.
(** The following section shows that [event_match] is stable under
replacement of [Vundef] values by more defined values. *)
Section EVENT_MATCH_LESSDEF.
Remark eventval_match_lessdef:
forall ev ty v1, eventval_match ev ty v1 ->
forall v2, Val.lessdef v1 v2 ->
eventval_match ev ty v2.
Proof.
induction 1; intros; inv H; constructor.
Qed.
Remark eventval_list_match_moredef:
forall evl tyl vl1, eventval_list_match evl tyl vl1 ->
forall vl2, Val.lessdef_list vl1 vl2 ->
eventval_list_match evl tyl vl2.
Proof.
induction 1; intros.
inversion H; constructor.
inversion H1; constructor.
eapply eventval_match_lessdef; eauto.
eauto.
Qed.
Lemma event_match_lessdef:
forall ef args1 t res1 args2,
event_match ef args1 t res1 ->
Val.lessdef_list args1 args2 ->
exists res2, event_match ef args2 t res2 /\ Val.lessdef res1 res2.
Proof.
intros. inversion H; subst. exists res1; split.
constructor. eapply eventval_list_match_moredef; eauto. auto.
auto.
Qed.
End EVENT_MATCH_LESSDEF.
(** Bisimilarity between infinite traces. *)
CoInductive traceinf_sim: traceinf -> traceinf -> Prop :=
| traceinf_sim_cons: forall e T1 T2,
traceinf_sim T1 T2 ->
traceinf_sim (Econsinf e T1) (Econsinf e T2).
Lemma traceinf_sim_refl:
forall T, traceinf_sim T T.
Proof.
cofix COINDHYP; intros.
destruct T. constructor. apply COINDHYP.
Qed.
Lemma traceinf_sim_sym:
forall T1 T2, traceinf_sim T1 T2 -> traceinf_sim T2 T1.
Proof.
cofix COINDHYP; intros. inv H; constructor; auto.
Qed.
Lemma traceinf_sim_trans:
forall T1 T2 T3,
traceinf_sim T1 T2 -> traceinf_sim T2 T3 -> traceinf_sim T1 T3.
Proof.
cofix COINDHYP;intros. inv H; inv H0; constructor; eauto.
Qed.
(** The "is prefix of" relation between a finite and an infinite trace. *)
Inductive traceinf_prefix: trace -> traceinf -> Prop :=
| traceinf_prefix_nil: forall T,
traceinf_prefix nil T
| traceinf_prefix_cons: forall e t1 T2,
traceinf_prefix t1 T2 ->
traceinf_prefix (e :: t1) (Econsinf e T2).
Lemma traceinf_prefix_app:
forall t1 T2 t,
traceinf_prefix t1 T2 ->
traceinf_prefix (t ** t1) (t *** T2).
Proof.
induction t; simpl; intros. auto.
change ((a :: t) ** t1) with (a :: (t ** t1)).
change ((a :: t) *** T2) with (Econsinf a (t *** T2)).
constructor. auto.
Qed.
(** An alternate presentation of infinite traces as
infinite concatenations of nonempty finite traces. *)
CoInductive traceinf': Type :=
| Econsinf': forall (t: trace) (T: traceinf'), t <> E0 -> traceinf'.
Program Definition split_traceinf' (t: trace) (T: traceinf') (NE: t <> E0): event * traceinf' :=
match t with
| nil => _
| e :: nil => (e, T)
| e :: t' => (e, Econsinf' t' T _)
end.
Next Obligation.
elimtype False. elim NE. auto.
Qed.
Next Obligation.
red; intro. elim (H e). rewrite H0. auto.
Qed.
CoFixpoint traceinf_of_traceinf' (T': traceinf') : traceinf :=
match T' with
| Econsinf' t T'' NOTEMPTY =>
let (e, tl) := split_traceinf' t T'' NOTEMPTY in
Econsinf e (traceinf_of_traceinf' tl)
end.
Remark unroll_traceinf':
forall T, T = match T with Econsinf' t T' NE => Econsinf' t T' NE end.
Proof.
intros. destruct T; auto.
Qed.
Remark unroll_traceinf:
forall T, T = match T with Econsinf t T' => Econsinf t T' end.
Proof.
intros. destruct T; auto.
Qed.
Lemma traceinf_traceinf'_app:
forall t T NE,
traceinf_of_traceinf' (Econsinf' t T NE) = t *** traceinf_of_traceinf' T.
Proof.
induction t.
intros. elim NE. auto.
intros. simpl.
rewrite (unroll_traceinf (traceinf_of_traceinf' (Econsinf' (a :: t) T NE))).
simpl. destruct t. auto.
Transparent Eappinf.
simpl. f_equal. apply IHt.
Qed.
|
