### Initial Generator Setup Source: https://compcert.org/doc/html/compcert.cfrontend.SimplExpr.html Initializes the generator with a fresh identifier and an empty trail. Requires a function 'first_unused_ident' to provide the starting identifier. ```Coq Parameter first_unused_ident: unit -> ident. Definition initial_generator (x: unit) : generator := mkgenerator (first_unused_ident x) nil. ``` -------------------------------- ### C Strategy: For Loop (Start 1) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proves the transition semantics for the initialization part of a for loop. ```Coq assert (a1 <> Sskip). red; intros; subst a1; inv H0. eapply forever_N_plus. apply plus_one. right. constructor. auto. eapply COS; eauto. traceEq. ``` -------------------------------- ### C Strategy: For Loop (Start 2) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proves the transition semantics for the initialization and sequence part of a for loop. ```Coq destruct (exec_stmt_to_steps _ _ _ _ _ _ H0 f (Kseq (Sfor Sskip a2 a3 s0) k)) as [S1 [A1 B1]]; auto. inv B1. eapply forever_N_plus. eapply plus_left. right; constructor. auto. eapply star_trans. eexact A1. apply star_one. right; constructor. reflexivity. reflexivity. eapply COS; eauto. traceEq. ``` -------------------------------- ### Proof for 'get i (set i x m) = x' Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves the 'gss' lemma, demonstrating that setting a value for a key and then immediately getting it returns the set value. ```Coq Theorem gss: forall (A: Type) (i: positive) (x: A) (m: t A), get i (set i x m) = x. Proof. intros. unfold get. unfold set. simpl. rewrite PTree.gss. auto. Qed. ``` -------------------------------- ### Proof for 'get i (init x) = x' Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves the 'gi' lemma, showing that retrieving an element from an initialized map returns the initial value. ```Coq Theorem gi: forall (A: Type) (i: positive) (x: A), get i (init x) = x. Proof. intros. reflexivity. Qed. ``` -------------------------------- ### Get N Bytes from Map Source: https://compcert.org/doc/html/compcert.common.Memory.html Retrieves N consecutive memory values starting from a given position in a ZMap. ```Coq Fixpoint getN (n: nat) (p: Z) (c: ZMap.t memval) {struct n}: list memval := match n with | O => nil | S n' => ZMap.get p c :: getN n' (p + 1) c end. ``` -------------------------------- ### Initial Function Inlining Setup Source: https://compcert.org/doc/html/compcert.backend.Inlining.html Sets up the context and initiates the recursive expansion for inlining a function. It determines maximum program counter and register counts, reserves nodes and registers, initializes the context, and then calls expand_cfg. ```Coq Definition expand_function (fenv: funenv) (f: function): mon context := let npc := max_pc_function f in let nreg := max_reg_function f in do dpc <- reserve_nodes npc; do dreg <- reserve_regs nreg; let ctx := initcontext dpc dreg nreg f.(fn_stacksize) in do x <- expand_cfg fenv ctx f; ret ctx. ``` -------------------------------- ### Prove Get Property for Right Combine (gcombine_r) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A lemma proving the `get` property for `combine_r`, similar to `gcombine_l`. It shows how `get` on `combine_r m` relates to applying `f` with `None` to `get i m`. ```Coq Lemma gcombine_r: forall m i, get i (combine_r m) = f None (get i m). Proof. intros; unfold combine_r; rewrite gmap_filter1. destruct (get i m); auto. Qed. ``` -------------------------------- ### Initial State Introduction Proof Source: https://compcert.org/doc/html/compcert.backend.CleanupLabelsproof.html Applies the initial state introduction with a specific function transformation and uses auto-tactic for proof completion. ```Coq eapply initial_state_intro with (f := transf_fundef f). eapply (Genv.init_mem_transf TRANSL); eauto. rewrite (match_program_main TRANSL), symbols_preserved; eauto. apply function_ptr_translated; auto. rewrite sig_function_translated. auto. constructor; auto. constructor. Qed. ``` -------------------------------- ### Proof for 'get i (map f m) = f(get i m)' Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves the 'gmap' lemma, showing that applying the 'map' function to a map and then getting an element is equivalent to getting the element from the original map and then applying the function. ```Coq Theorem gmap: forall (A B: Type) (f: A -> B) (i: positive) (m: t A), get i (map f m) = f(get i m). Proof. intros. unfold map. unfold get. simpl. rewrite PTree.gmap1. unfold option_map. destruct (PTree.get i (snd m)); auto. Qed. ``` -------------------------------- ### Empty Environment Initialization Source: https://compcert.org/doc/html/compcert.cfrontend.Csharpminor.html Initializes empty local and temporary environments. ```Coq Definition empty_env : env := PTree.empty (block * Z). Definition empty_temp_env : temp_env := PTree.empty val. ``` -------------------------------- ### Prove Get Property for map1 (gmap1) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A theorem proving the `get` property for the `map1` function. It shows that `get` on a `map1`-transformed tree is equivalent to applying the function `f` to the result of `get` on the original tree. ```Coq Theorem gmap1: forall {A B} (f: A -> B) (i: elt) (m: t A), get i (map1 f m) = option_map f (get i m). Proof. intros. destruct m as [|m]; simpl. auto. revert i; induction m; destruct i; simpl; auto. Qed. ``` -------------------------------- ### C Frontend Strategy: Binop Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proof step for the 'binop' strategy in the C frontend. ```Coq destruct (andb_prop _ _ S) as [S1 S2]; clear S. StepR IHa1 (fun x => C(Ebinop op x a2 ty)) a1. StepR IHa2 (fun x => C(Ebinop op (Eval v (typeof a1)) x ty)) a2. exploit safe_inv. eexact SAFE1. eauto. simpl. intros [v' EQ]. ``` -------------------------------- ### Prove Get Property for Mapped Tree (gmap) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A theorem proving the `get` property for the `map` function on a `tree`. It shows how `get` on a mapped tree relates to `get` on the original tree and the mapping function `f`. ```Coq Theorem gmap: forall {A B} (f: positive -> A -> B) (i: positive) (m: t A), get i (map f m) = option_map (f i) (get i m). Proof. intros; destruct m as [|m]; simpl. auto. rewrite gmap'. repeat f_equal. exact (prev_involutive i). Qed. ``` -------------------------------- ### Proof Step: Handling Initial Data Types Source: https://compcert.org/doc/html/compcert.common.Globalenvs.html Proof steps for `store_init_data_list_charact` that handle specific initial data types like integers, floats, and addresses. ```Coq split; auto. eapply (A Mint8unsigned (Vint i)); eauto. split; auto. eapply (A Mint16unsigned (Vint i)); eauto. split; auto. eapply (A Mint32 (Vint i)); eauto. split; auto. eapply (A Mint64 (Vlong i)); eauto. split; auto. eapply (A Mfloat32 (Vsingle f)); eauto. split; auto. eapply (A Mfloat64 (Vfloat f)); eauto. split; auto. ``` -------------------------------- ### Prove Get Property for Left Combine (gcombine_l) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A lemma proving the `get` property for `combine_l`, which is a specialized version of `map_filter1` used in the `combine` operation. It shows how `get` on `combine_l m` relates to applying `f` with `None` to `get i m`. ```Coq Lemma gcombine_l: forall m i, get i (combine_l m) = f (get i m) None. Proof. intros; unfold combine_l; rewrite gmap_filter1. destruct (get i m); auto. Qed. ``` -------------------------------- ### Prove Get Property for Combine (gcombine) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A theorem proving the `get` property for the `combine` function. It demonstrates that `get` on the combined tree `combine m1 m2` is equivalent to applying the combining function `f` to the results of `get` on the individual trees `m1` and `m2`. ```Coq Theorem gcombine: forall (m1: t A) (m2: t B) (i: positive), get i (combine m1 m2) = f (get i m1) (get i m2). Proof. change combine with combine_nonopt. induction m1 using tree_ind; induction m2 using tree_ind; intros. - auto. ``` -------------------------------- ### C Strategy: Do-While Loop (Full) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proves the transition semantics for a complete do-while loop. ```Coq destruct (exec_stmt_to_steps _ _ _ _ _ _ H0 f (Kdowhile1 a s0 k)) as [S1 [A1 B1]]; auto. eapply forever_N_plus. eapply plus_left. right; constructor. eapply star_trans. eexact A1. eapply star_left. right. inv H1; inv B1; apply step_skip_or_continue_dowhile; auto. eapply star_right. eapply eval_expression_to_steps; eauto. right; apply step_dowhile_true; auto. reflexivity. reflexivity. reflexivity. reflexivity. eapply COS; eauto. traceEq. ``` -------------------------------- ### Proof for 'get j (set i (get i m) m) = get j m' Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves the 'gsident' lemma, showing that setting a key to its current value does not change the map's state. ```Coq Theorem gsident: forall (A: Type) (i j: positive) (m: t A), get j (set i (get i m) m) = get j m. Proof. intros. destruct (peq i j). rewrite e. rewrite gss. auto. rewrite gso; auto. Qed. ``` -------------------------------- ### Proof for 'get i (set j x m) = if peq i j then x else get i m' Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves the 'gsspec' lemma, providing a general specification for 'get' after a 'set' operation, covering both cases where the keys are equal or not. ```Coq Theorem gsspec: forall (A: Type) (i j: positive) (x: A) (m: t A), get i (set j x m) = if peq i j then x else get i m. Proof. intros. destruct (peq i j). rewrite e. apply gss. auto. apply gso. auto. Qed. ``` -------------------------------- ### Initialize the workset with public definitions and main entry point Source: https://compcert.org/doc/html/compcert.backend.Unusedglob.html Constructs the initial workset by adding all public definitions and the program's main entry point. This sets up the starting point for the graph traversal to find all reachable global identifiers. ```Coq Definition initial_workset (p: program): workset := add_workset p.(prog_main) (List.fold_left (fun w id => add_workset id w) p.(prog_public) {| w_seen := IS.empty; w_todo := nil |}). ``` -------------------------------- ### Initialize Function Parameters and Local Variables Source: https://compcert.org/doc/html/compcert.backend.Cminor.html Initializes the local environment by binding function parameters to arguments and local variables to Vundef. Handles cases where parameters or variables might be missing. ```Coq Fixpoint set_params (vl: list val) (il: list ident) {struct il} : env := match il, vl with | i1 :: il, v1 :: vl => PTree.set i1 v1 (set_params vl il) | i1 :: il, nil => PTree.set i1 Vundef (set_params nil il) | _, _ => PTree.empty val end. Fixpoint set_locals (il: list ident) (e: env) {struct il} : env := match il with | nil => e | i1 :: il => PTree.set i1 Vundef (set_locals il e) end. Definition set_optvar (optid: option ident) (v: val) (e: env) : env := match optid with | None => e | Some id => PTree.set id v e end. ``` -------------------------------- ### Install OCaml, Coq, and Menhir using OPAM Source: https://compcert.org/man/manual002.html Use OPAM to create an OCaml switch, set up the environment, and install specific versions of Coq and Menhir. Ensure OPAM is installed and initialized first. ```bash opam switch create 4.14.2 # Use OCaml version 4.14.2 (for example) eval $(opam env) opam install coq=8.20.1 # Use Coq version 8.20.1 (for example) opam install menhir ``` -------------------------------- ### Theorem: Remove and Get Consistency Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves that getting an element immediately after removing it results in None. ```Coq Theorem grs: forall (A: Type) (i: elt) (m: t A), get i (remove i m) = None. Proof. intros. apply PTree.grs. Qed. ``` -------------------------------- ### Lemma Store_init_data_list_match Source: https://compcert.org/doc/html/compcert.common.Globalenvs.html Proves that if `store_init_data_list` succeeds on program `p`'s global environment, it also succeeds with the same result on program `tp`'s global environment, provided they match. ```Coq Lemma store_init_data_list_match: forall idl m b ofs m', store_init_data_list (globalenv p) m b ofs idl = Some m' -> store_init_data_list (globalenv tp) m b ofs idl = Some m'. ``` -------------------------------- ### Execution Step: Start Block Source: https://compcert.org/doc/html/compcert.backend.LTL.html Defines the transition rule for starting the execution of a basic block. ```Coq step: state -> trace -> state -> Prop := | exec_start_block: forall s f sp pc rs m bb, (fn_code f)!pc = Some bb -> step (State s f sp pc rs m) E0 (Block s f sp bb rs m) ``` -------------------------------- ### Proof of exec_straight_steps_goto Source: https://compcert.org/doc/html/compcert.powerpc.Asmgenproof.html The proof script for `exec_straight_steps_goto`, handling goto instructions by leveraging label finding and instruction execution lemmas. ```Coq Proof. intros. inversion H3. subst. monadInv H10. exploit H6; eauto. intros (jmp & k' & rs2 & A & B & C & D). generalize (functions_transl _ _ _ H8 H9); intro FN. generalize (transf_function_no_overflow _ _ H9); intro NOOV. exploit exec_straight_steps_2; eauto. intros [ofs' [PC2 CT2]]. exploit find_label_goto_label; eauto. intros [tc' [rs3 [GOTO [AT' OTH]]]]. exists (State rs3 m2'); split. eapply plus_right'. eapply exec_straight_steps_1; eauto. econstructor; eauto. eapply find_instr_tail. eauto. rewrite C. eexact GOTO. traceEq. econstructor; eauto. apply agree_exten with rs2; auto with asmgen. congruence. intros. rewrite OTH by congruence. rewrite D. auto. Qed. ``` -------------------------------- ### Theorem: Set and Get Consistency Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves that getting an element immediately after setting it returns the set value. ```Coq Theorem gss: forall (A: Type) (i: elt) (x: A) (m: t A), get i (set i x m) = Some x. Proof. intros. apply PTree.gss. Qed. ``` -------------------------------- ### C Strategy: For Loop (Full) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proves the transition semantics for a complete for loop. ```Coq destruct (exec_stmt_to_steps _ _ _ _ _ _ H2 f (Kfor3 a2 a3 s0 k)) as [S1 [A1 B1]]; auto. destruct (exec_stmt_to_steps _ _ _ _ _ _ H4 f (Kfor4 a2 a3 s0 k)) as [S2 [A2 B2]]; auto. inv B2. eapply forever_N_plus. eapply plus_left. right; apply step_for. eapply star_trans. eapply eval_expression_to_steps; eauto. eapply star_left. right; apply step_for_true; auto. eapply star_trans. eexact A1. eapply star_left. inv H3; inv B1; right; apply step_skip_or_continue_for3; auto. eapply star_right. eexact A2. right; constructor. reflexivity. reflexivity. reflexivity. reflexivity. reflexivity. reflexivity. eapply COS; eauto. traceEq. ``` -------------------------------- ### Theorem: Empty Map Get Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves that getting an element from an empty map always results in None. ```Coq Theorem gempty: forall (A: Type) (i: elt), get i (empty A) = None. Proof. intros. apply PTree.gempty. Qed. ``` -------------------------------- ### C Frontend Strategy: Unop Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proof step for the 'unop' strategy in the C frontend. ```Coq StepR IHa (fun x => C(Eunop op x ty)) a. exploit safe_inv. eexact SAFE0. eauto. simpl. intros [v' EQ]. ``` -------------------------------- ### Prove Get Property for Filter (gfilter1) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A theorem proving the `get` property for the `filter1` function. It demonstrates that `get` on a filtered tree returns `Some x` only if the original element `x` exists and satisfies the predicate, otherwise it returns `None`. ```Coq Theorem gfilter1: forall {A} (pred: A -> bool) (i: elt) (m: t A), get i (filter1 pred m) = match get i m with None => None | Some x => if pred x then Some x else None end. Proof. intros. apply gmap_filter1. Qed. ``` -------------------------------- ### Retyping Statements Proof Steps Source: https://compcert.org/doc/html/compcert.cfrontend.Ctyping.html These are proof steps for the `retype_stmt_sound` lemma, covering various statement constructors like `sdo`, `sifthenelse`, `swhile`, `sdowhile`, `sfor`, `sreturn`, and `sswitch`. ```Coq Proof. - destruct s; simpl; intros s' RT; try (monadInv RT). + constructor. + eapply sdo_sound; eauto using retype_expr_sound. + constructor; eauto. + eapply sifthenelse_sound; eauto using retype_expr_sound. + eapply swhile_sound; eauto using retype_expr_sound. + eapply sdowhile_sound; eauto using retype_expr_sound. + eapply sfor_sound; eauto using retype_expr_sound. + constructor. + constructor. + destruct o; monadInv RT. eapply sreturn_sound; eauto using retype_expr_sound. constructor. + eapply sswitch_sound; eauto using retype_expr_sound. + constructor; eauto. + constructor. - destruct sl; simpl; intros sl' RT; monadInv RT. + constructor. + constructor; eauto. Qed. ``` -------------------------------- ### Theorem: General Remove and Get Specification Source: https://compcert.org/doc/html/compcert.lib.Maps.html Provides a general specification for get after remove, handling cases where the key is the same or different. ```Coq Theorem grspec: forall (A: Type) (i j: elt) (m: t A), get i (remove j m) = if elt_eq i j then None else get i m. Proof. intros. destruct (elt_eq i j). subst j; apply grs. apply gro; auto. Qed. ``` -------------------------------- ### Prove Program Main Entry Point Equality Source: https://compcert.org/doc/html/compcert.common.Linking.html Proves that if two programs match genericaly, their main entry points are identical. This lemma simplifies reasoning about program equivalence. ```Coq Lemma match_program_gen_main: forall ctx p1 p2, match_program_gen ctx p1 p2 -> p2.(prog_main) = p1.(prog_main). Proof. intros. apply H. Qed. ``` -------------------------------- ### Theorem: General Set and Get Specification Source: https://compcert.org/doc/html/compcert.lib.Maps.html Provides a general specification for get after set, handling cases where the key is the same or different. ```Coq Theorem gsspec: forall (A: Type) (i j: elt) (x: A) (m: t A), get i (set j x m) = if elt_eq i j then Some x else get i m. Proof. intros. destruct (elt_eq i j). subst j; apply gss. apply gso; auto. Qed. ``` -------------------------------- ### Proof Steps for Genv Functions Source: https://compcert.org/doc/html/compcert.cfrontend.SimplLocalsproof.html These lines represent proof steps within a Coq-like proof assistant, applying generic environment functions and using auto-completion tactics. ```Coq eapply Genv.find_funct_ptr_not_fresh; eauto. eapply Genv.find_var_info_not_fresh; eauto. extlia. extlia. eapply Genv.initmem_inject; eauto. constructor. Qed. ``` -------------------------------- ### Prove Empty Environment Matching Source: https://compcert.org/doc/html/compcert.cfrontend.Cshmgenproof.html Lemma proving that the empty environments in Clight and Csharpminor match. ```Coq Lemma match_env_empty: match_env Clight.empty_env Csharpminor.empty_env. ``` -------------------------------- ### Theorem: Get identity for set Source: https://compcert.org/doc/html/compcert.lib.Maps.html Shows that if getting a value from a map succeeds, setting that value at the same key does not change the map. ```Coq Theorem gsident: forall {A} (i: positive) (m: t A) (v: A), get i m = Some v -> set i v m = m. Proof. intros; apply extensionality; intros j. rewrite gsspec. destruct (peq j i); congruence. Qed. ``` -------------------------------- ### Calculate Start Offset for Bitfield Source: https://compcert.org/doc/html/compcert.cfrontend.Ctypes.html Calculates the starting bit offset within a byte for a given bitfield, considering its type and position. ```Coq Definition layout_start (p: Z) (bf: bitfield) := p * 8 + match bf with Full => 0 | Bits sz sg pos w => pos end. ``` -------------------------------- ### Lemma exec_straight_steps_goto Source: https://compcert.org/doc/html/compcert.powerpc.Asmgenproof.html Proves the simulation step for `exec_straight` when the instruction is a goto, ensuring correct state transitions and label finding. ```Coq Lemma exec_straight_steps_goto: forall s fb f rs1 i c ep tf tc m1' m2 m2' sp ms2 lbl c', match_stack ge s -> Mem.extends m2 m2' -> Genv.find_funct_ptr ge fb = Some (Internal f) -> Mach.find_label lbl f.(Mach.fn_code) = Some c' -> transl_code_at_pc ge (rs1 PC) fb f (i :: c) ep tf tc -> it1_is_parent ep i = false -> (is_leaf_function f = true -> rs1#LR = parent_ra s) -> (forall k c (TR: transl_instr f i ep k = OK c), exists jmp, exists k', exists rs2, exec_straight tge tf c rs1 m1' (jmp :: k') rs2 m2' /\ agree ms2 sp rs2 /\ exec_instr tge tf jmp rs2 m2' = goto_label tf lbl rs2 m2' /\ rs2#LR = rs1#LR) -> exists st', plus step tge (State rs1 m1') E0 st' /\ match_states (Mach.State s fb sp c' ms2 m2) st'. ``` -------------------------------- ### Lemma mconj_intro: Introduction rule for mconj Source: https://compcert.org/doc/html/compcert.common.Separation.html Proves that if memory satisfies P ** R and Q ** R, it satisfies mconj P Q ** R. ```Coq Lemma mconj_intro: forall P Q R m, m |= P ** R -> m |= Q ** R -> m |= mconj P Q ** R. Proof. intros. destruct H as (A & B & C). destruct H0 as (D & E & F). split; [|split]. - simpl; auto. - auto. - red; simpl; intros. destruct H; [eelim C | eelim F]; eauto. Qed. ``` -------------------------------- ### C Strategy: While Loop (Full) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proves the transition semantics for a complete while loop. ```Coq destruct (exec_stmt_to_steps _ _ _ _ _ _ H2 f (Kwhile2 a s0 k)) as [S1 [A1 B1]]; auto. eapply forever_N_plus. eapply plus_left. right; constructor. eapply star_trans. eapply eval_expression_to_steps; eauto. eapply star_left. right; apply step_while_true; auto. eapply star_trans. eexact A1. inv H3; inv B1; apply star_one; right; apply step_skip_or_continue_while; auto. reflexivity. reflexivity. reflexivity. reflexivity. eapply COS; eauto. traceEq. ``` -------------------------------- ### Branch Tunneling Loop Example 1 Source: https://compcert.org/doc/html/compcert.backend.Tunneling.html An example of a program loop consisting only of a self-branch, which can cause termination issues for naive branch tunneling implementations. ```text L1: branch L1; ``` -------------------------------- ### Extended Inline Assembly Example Source: https://compcert.org/man/manual006.html This example demonstrates the basic structure of extended inline assembly, including output operands, clobbered registers, and assembly template. ```c asm volatile ( "movl %%eax, %Q0\n\t" "movl %%edx, %R0\n\t" : "=r" (res) : : "eax", "edx"); return res; } ``` -------------------------------- ### Lemma analyze_entrypoint Proof Source: https://compcert.org/doc/html/compcert.backend.ValueAnalysis.html This lemma proves properties of the dataflow solution at the entrypoint of a function. It ensures that the analyzed state at the entrypoint is consistent with the initial state. ```Coq Lemma analyze_entrypoint: forall rm f vl m bc, (forall v, In v vl -> vmatch bc v (Ifptr Nonstack)) -> Val.has_argtype_list vl f.(fn_sig).(sig_args) -> mmatch bc m mfunction_entry -> exists ae am, (analyze rm f)!!(fn_entrypoint f) = VA.State ae am / ematch bc (init_regs vl (fn_params f)) ae / mmatch bc m am. Proof. intros. unfold analyze. set (lu := Liveness.last_uses f). set (entry := VA.State (einit_regs f.(fn_params) f.(fn_sig).(sig_args)) mfunction_entry). destruct (DS.fixpoint (fn_code f) successors_instr (transfer' f lu rm) (fn_entrypoint f) entry) as [res|] eqn:FIX. - assert (A: VA.ge res!!(fn_entrypoint f) entry) by (eapply DS.fixpoint_entry; eauto). destruct (res!!(fn_entrypoint f)) as [ | ae am ]; simpl in A. contradiction. destruct A as [A1 A2]. exists ae, am. split. auto. split. eapply ematch_ge; eauto. apply ematch_init; auto. auto. - exists AE.top, mtop. split. apply PMap.gi. split. apply ematch_ge with (einit_regs (fn_params f) f.(fn_sig).(sig_args)). apply ematch_init; auto. apply AE.ge_top. eapply mmatch_top'; eauto. Qed. ``` -------------------------------- ### Build Initial Composite Environment Source: https://compcert.org/doc/html/compcert.cfrontend.Ctypes.html Initializes an empty composite environment and adds all composite definitions to it. This is the starting point for managing composite types in a program. ```Coq Definition build_composite_env (defs: list composite_definition) := add_composite_definitions (PTree.empty _) defs. ``` -------------------------------- ### Prove Disjointness from Interval Separation Source: https://compcert.org/doc/html/compcert.lib.Intv.html Proves that if the end of interval i is less than or equal to the start of interval j, or the end of j is less than or equal to the start of i, then i and j are disjoint. ```Coq Lemma disjoint_range: forall i j, snd i <= fst j \/ snd j <= fst i -> disjoint i j. ``` -------------------------------- ### Lemma: Symbol Environment Equivalent Source: https://compcert.org/doc/html/compcert.cfrontend.SimplLocalsproof.html Proves that the symbol environments (senv) of the original and transformed programs are equivalent. This ensures consistent symbol resolution. ```Coq Lemma senv_preserved: Senv.equiv ge tge. Proof (Genv.senv_match (proj1 TRANSF)). ``` -------------------------------- ### Prove Get Property for Mapped Tree (gmap') Source: https://compcert.org/doc/html/compcert.lib.Maps.html A lemma proving the behavior of `get'` on a tree mapped with `map'`. It relates the retrieved element to the original element and the combined position. ```Coq Lemma gmap': forall {A B} (f: positive -> A -> B) (i j : positive) (m: tree' A), get' i (map' f m j) = option_map (f (prev (prev_append i j))) (get' i m). Proof. induction i; intros; destruct m; simpl; auto. Qed. ``` -------------------------------- ### Add Start Debug Range Annotation Source: https://compcert.org/doc/html/compcert.backend.Debugvar.html Defines `add_start_range` to prepend a debug annotation (EF_debug 3) to a code sequence, marking the start of a live range for a local variable. ```Coq Definition add_start_range (vi: ident * debuginfo) (c: code) : code := let (v, i) := vi in Lbuiltin (EF_debug 3%positive v nil) (proj1_sig i :: nil) BR_none :: c. ``` -------------------------------- ### Proof for Return Instruction (Standard) Source: https://compcert.org/doc/html/compcert.backend.Renumberproof.html Proof steps for the standard 'return' instruction. ```Coq econstructor; split. eapply exec_Ireturn; eauto. constructor; auto. ``` -------------------------------- ### Proof for Value Simplification (val) Source: https://compcert.org/doc/html/compcert.cfrontend.SimplExprproof.html This snippet demonstrates the proof steps for simplifying an expression when it results in a value. It uses tactics like `exploit`, `eauto`, `intros`, `subst`, `simpl`, `econstructor`, `split`, `left`, `eapply`, `star_trans`, `step_makeif`, `congruence`, `push_seq`, `reflexivity`, `rewrite`, `match_exprstates`, `apply S`, `tr_paren_val`, and `tr_expr_monotone`. ```Coq exploit tr_top_leftcontext; eauto. clear TR. intros [dst' [sl1 [sl2 [a' [tmp' [P [Q [R S]]]]]]]]. inv P. inv H2. + (* for val *) exploit tr_simple_rvalue; eauto. intros [SL [TY EV]]. subst sl0; simpl Kseqlist. econstructor; split. left. eapply plus_left. constructor. eapply star_trans. apply step_makeif with (b := false) (v1 := v); auto. congruence. apply push_seq. reflexivity. reflexivity. rewrite <- Kseqlist_app. eapply match_exprstates; eauto. apply S. apply tr_paren_val with (a1 := a2); auto. apply tr_expr_monotone with tmp2; eauto. auto. auto. ``` -------------------------------- ### Proof for 'get i (set j x m) = get i m' when i <> j Source: https://compcert.org/doc/html/compcert.lib.Maps.html Proves the 'gso' lemma, showing that setting a value for a different key does not affect the retrieval of the original key's value. ```Coq Theorem gso: forall (A: Type) (i j: positive) (x: A) (m: t A), i <> j -> get i (set j x m) = get i m. Proof. intros. unfold get. unfold set. simpl. rewrite PTree.gso; auto. Qed. ``` -------------------------------- ### Lemma: Seen Main Initial Workset Source: https://compcert.org/doc/html/compcert.backend.Unusedglobproof.html Proves that the main entry point of a program is always present in the initial workset. ```Coq Lemma seen_main_initial_workset: forall p, IS.In p.(prog_main) (initial_workset p). Proof. intros. apply seen_add_workset. Qed. ``` -------------------------------- ### Branch Tunneling Loop Example 2 Source: https://compcert.org/doc/html/compcert.backend.Tunneling.html An example of a program loop consisting of two branches between different labels, which can also cause termination issues for naive branch tunneling implementations. ```text L1: branch L2; L2: branch L1; ``` -------------------------------- ### Prove Interval Separation from Disjointness Source: https://compcert.org/doc/html/compcert.lib.Intv.html Proves that if two intervals i and j are disjoint, then either i is empty, j is empty, or the end of i is less than or equal to the start of j, or the end of j is less than or equal to the start of i. ```Coq Lemma range_disjoint: forall i j, disjoint i j -> empty i \/ empty j \/ snd i <= fst j \/ snd j <= fst i. ``` -------------------------------- ### Proof for loadimm64_correct with loadimm-add Source: https://compcert.org/doc/html/compcert.powerpc.Asmgenproof1.html This snippet shows a proof step for `loadimm64_correct` in a loadimm-add context. It utilizes `exec_straight_trans` and `exec_straight_one` for proving execution correctness. ```Coq edestruct (loadimm64_correct GPR0 n) as (rs2 & A & B & C). econstructor; split. eapply exec_straight_trans. eexact A. apply exec_straight_one. simpl; reflexivity. auto. split. rewrite B, C by eauto with asmgen. Simpl. intros. Simpl. ``` -------------------------------- ### Coq Lemma wf_initial Proof Source: https://compcert.org/doc/html/compcert.backend.Mach.html Proves the `wf_initial` lemma, showing that the initial state of a program is well-formed. This lemma is crucial for establishing the overall correctness of the state transitions. ```Coq Lemma wf_initial: forall p S, initial_state p S -> wf_state (Genv.globalenv p) S. Proof. intros. inv H. fold ge. constructor. constructor. Qed. ``` -------------------------------- ### Prove Get Property for Map Filter (gmap_filter1) Source: https://compcert.org/doc/html/compcert.lib.Maps.html A theorem proving the `get` property for the `map_filter1` function. It shows that retrieving an element from a mapped-filtered tree results in applying the function `f` to the original element, or `None` if the original was `None` or `f` returned `None`. ```Coq Lemma gmap_filter1: forall {A B} (f: A -> option B) (m: tree A) (i: positive), get i (map_filter1 f m) = match get i m with None => None | Some a => f a end. Proof. change @map_filter1 with @map_filter1_nonopt. unfold map_filter1_nonopt. intros until f. induction m using tree_ind; intros. - auto. - rewrite unroll_tree_rec by auto. rewrite ! gNode; destruct i; auto. Qed. ``` -------------------------------- ### Load 64-bit Immediate (32-bit Signed) Source: https://compcert.org/doc/html/compcert.powerpc.Asmgen.html Generates PowerPC instructions to load a 64-bit integer into a register, optimized for cases where the value fits within a 32-bit signed representation. Uses `paddi64` or `paddis64` and `pori64`. ```Coq Definition loadimm64_32s (r: ireg) (n: int64) (k: code) := let lo_u := low64_u n in let lo_s := low64_s n in let hi_s := low64_s (Int64.shr n (Int64.repr 16)) in if Int64.eq n lo_s then Paddi64 r GPR0 n :: k else Paddis64 r GPR0 hi_s :: Pori64 r r lo_u :: k. ``` -------------------------------- ### Aligned Attribute for Pointers and Typedefs Source: https://compcert.org/man/manual006.html Illustrates the usage of the aligned attribute. The first example aligns the pointer 'p' to 16 bytes. The second example defines a 16-aligned char type 'char16' and then declares 'q' as a pointer to it, showing different alignment behaviors for pointers versus pointed-to types. ```c __attribute((aligned(16))) char * p; typedef __attribute((aligned(16))) char char16; char16 * q; ``` -------------------------------- ### Get Builtin Function Signature Source: https://compcert.org/doc/html/compcert.common.Builtins.html Defines how to retrieve the signature for a given `builtin_function`. ```Coq Definition builtin_function_sig (b: builtin_function) : signature := match b with | BI_standard b => standard_builtin_sig b | BI_platform b => platform_builtin_sig b end. ``` -------------------------------- ### Proof of exec_straight_steps Source: https://compcert.org/doc/html/compcert.powerpc.Asmgenproof.html The proof script for the `exec_straight_steps` lemma, using inversion and exploiting previous results to establish the simulation step. ```Coq Proof. intros. inversion H2. subst. monadInv H8. exploit H4; eauto. intros (rs2 & A & B & C & D). exists (State rs2 m2'); split. eapply exec_straight_exec; eauto. econstructor; eauto. eapply exec_straight_at; eauto. rewrite D; auto. Qed. ``` -------------------------------- ### Size and Alignment Source: https://compcert.org/doc/html/compcert.cfrontend.Cshmgen.html Functions to get the size and alignment of a type, with checks for completeness. ```APIDOC ## Size and Alignment ### Description Functions to get the size and alignment of a type, with checks for completeness. ### Functions - **sizeof**: Returns the size of a type if it is complete, otherwise returns an error. - Parameters: - `ce` (composite_env): The composite environment. - `t` (type): The type to get the size of. - **alignof**: Returns the alignment of a type if it is complete, otherwise returns an error. - Parameters: - `ce` (composite_env): The composite environment. - `t` (type): The type to get the alignment of. ``` -------------------------------- ### exec_stmt for Sfor (start) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Initiates the execution of a for loop by evaluating the initialization statement. ```Coq exec_Sfor_start: forall e m s a1 a2 a3 out m1 m2 t1 t2, exec_stmt e m a1 t1 m1 Out_normal -> exec_stmt e m1 (Sfor Sskip a2 a3 s) t2 m2 out -> exec_stmt e m (Sfor a1 a2 a3 s) (t1 ** t2) m2 out ``` -------------------------------- ### Initialize with Byte Source: https://compcert.org/doc/html/compcert.cfrontend.Initializers.html Creates an initialization data item for a single byte. ```Coq Definition Init_byte (b: byte) := Init_int8 (int_of_byte b). ``` -------------------------------- ### Get Builtin Function Semantics Source: https://compcert.org/doc/html/compcert.common.Builtins.html Defines the semantics for a given `builtin_function`, returning its operational behavior. ```Coq Definition builtin_function_sem (b: builtin_function) : builtin_sem (sig_res (builtin_function_sig b)) := match b with | BI_standard b => standard_builtin_sem b | BI_platform b => platform_builtin_sem b end. ``` -------------------------------- ### Proof for store_init_data_aligned Source: https://compcert.org/doc/html/compcert.common.Globalenvs.html The proof details for ensuring alignment when storing initial data. ```Coq Proof. intros. assert (DFL: forall chunk v, Mem.store chunk m b p v = Some m' -> align_chunk chunk = init_data_alignment i -> (init_data_alignment i | p)). { intros. apply Mem.store_valid_access_3 in H0. destruct H0. congruence. } destruct i; simpl in H; eauto. simpl. apply Z.divide_1_l. destruct (find_symbol ge i); try discriminate. eapply DFL. eassumption. unfold Mptr, init_data_alignment; destruct Archi.ptr64; auto. Qed. ``` -------------------------------- ### C Frontend Strategy: AddrOf Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proof step for the 'addrof' strategy in the C frontend. ```Coq StepL IHa (fun x => C(Eaddrof x ty)) a. exploit safe_inv. eexact SAFE0. eauto. simpl. intros EQ; subst bf. exists (Vptr b ofs); econstructor; eauto. ``` -------------------------------- ### Lemma: start_state_good Proof Source: https://compcert.org/doc/html/compcert.backend.Kildall.html Proves that the initial state generated by 'start_state' satisfies the 'good_state' invariant. This is a base case for the overall correctness proof. ```Coq Lemma start_state_good: forall enode eval, good_state (start_state enode eval). Proof. intros. unfold start_state; constructor; simpl; intros. - subst n. rewrite NS.add_spec; auto. - rewrite PTree.gsspec in H. rewrite PTree.gempty in H. destruct (peq n enode). auto. discriminate. Qed. ``` -------------------------------- ### Calculate First Bit Position Source: https://compcert.org/doc/html/compcert.cfrontend.Cop.html Calculates the starting bit position for a bitfield, accounting for endianness. ```Coq Definition first_bit (sz: intsize) (pos width: Z) : Z := if Archi.big_endian then bitsize_carrier sz - pos - width else pos. ``` -------------------------------- ### Translate Function Body Source: https://compcert.org/doc/html/compcert.cfrontend.SimplExpr.html Initiates the translation of a function's body, starting with an initial generator. ```OCaml Definition transl_function (f: Csyntax.function) : res function := match transl_stmt f.(Csyntax.fn_body) (initial_generator tt) with ``` -------------------------------- ### Prove Compatibility with Link Order Source: https://compcert.org/doc/html/compcert.backend.Inliningspec.html Demonstrates that if a compilation unit is compatible with a program and respects link order, then the program itself is compatible with the function environment. This is crucial for handling dependencies and module linking. ```Coq Lemma fenv_compat_linkorder: forall cunit prog fenv, linkorder cunit prog -> fenv_compat cunit fenv -> fenv_compat prog fenv. ``` -------------------------------- ### Theorem init_mem_match Source: https://compcert.org/doc/html/compcert.common.Globalenvs.html Proves that if the initial memory for program p matches, then the initial memory for program tp also matches. ```coq Theorem init_mem_match: forall m, init_mem p = Some m -> init_mem tp = Some m. Proof. unfold init_mem; intros. eapply alloc_globals_match; eauto. apply progmatch. Qed. ``` -------------------------------- ### Get Value from Location Mapping Source: https://compcert.org/doc/html/compcert.backend.Locations.html Retrieves the value associated with a specific location 'l' from a mapping 'm'. ```Coq Definition get (l: loc) (m: t) : val := m l. ``` -------------------------------- ### Unpack CompCert Archive Source: https://compcert.org/man/manual002.html Extract the CompCert archive from a terminal. Navigate into the extracted directory to proceed with the installation. ```bash tar xzf CompCert-version-number.tgz cd CompCert-version-number ``` -------------------------------- ### Proof of Store_init_data_list_match Source: https://compcert.org/doc/html/compcert.common.Globalenvs.html The proof for `store_init_data_list_match` uses induction on the list of initial data. It relies on `find_symbol_match` and the inductive hypothesis to show the property holds for the entire list. ```Coq Proof. induction idl; simpl; intros. - auto. - destruct (store_init_data (globalenv p) m b ofs a) as [m1|] eqn:S; try discriminate. assert (X: store_init_data (globalenv tp) m b ofs a = Some m1). { destruct a; auto. simpl; rewrite find_symbol_match; auto. } rewrite X. auto. Qed. ``` -------------------------------- ### Set N Bytes in Map Source: https://compcert.org/doc/html/compcert.common.Memory.html Writes N memory values into a ZMap starting from a given position. ```Coq Fixpoint setN (vl: list memval) (p: Z) (c: ZMap.t memval) {struct vl}: ZMap.t memval := match vl with | nil => c | v :: vl' => setN vl' (p + 1) (ZMap.set p v c) end. ``` -------------------------------- ### C Strategy: For Loop (Next) Source: https://compcert.org/doc/html/compcert.cfrontend.Cstrategy.html Proves the transition semantics for the update part of a for loop. ```Coq destruct (exec_stmt_to_steps _ _ _ _ _ _ H2 f (Kfor3 a2 a3 s0 k)) as [S1 [A1 B1]]; auto. eapply forever_N_plus. eapply plus_left. right; apply step_for. eapply star_trans. eapply eval_expression_to_steps; eauto. eapply star_left. right; apply step_for_true; auto. eapply star_trans. eexact A1. inv H3; inv B1; apply star_one; right; apply step_skip_or_continue_for3; auto. reflexivity. reflexivity. reflexivity. reflexivity. eapply COS; eauto. traceEq. ``` -------------------------------- ### Initialize Type Environment Source: https://compcert.org/doc/html/compcert.common.Unityping.html Initializes an empty type environment with no type mappings and no equality constraints. ```Coq Definition initial : typenv := {| te_typ := PTree.empty _; te_equ := nil |}. ```