aboutsummaryrefslogtreecommitdiffstats
path: root/common
diff options
context:
space:
mode:
authorBernhard Schommer <bernhardschommer@gmail.com>2015-10-20 13:32:18 +0200
committerBernhard Schommer <bernhardschommer@gmail.com>2015-10-20 13:32:18 +0200
commit4d542bc7eafadb16b845cf05d1eb4988eb55ed0f (patch)
tree1961b41815fc6e392cc0bd2beeb0fb504bc160ce /common
parent7a6bb90048db7a254e959b1e3c308bac5fe6c418 (diff)
downloadcompcert-kvx-4d542bc7eafadb16b845cf05d1eb4988eb55ed0f.tar.gz
compcert-kvx-4d542bc7eafadb16b845cf05d1eb4988eb55ed0f.zip
Updated PR by removing whitespaces. Bug 17450.
Diffstat (limited to 'common')
-rw-r--r--common/AST.v74
-rw-r--r--common/Behaviors.v228
-rw-r--r--common/Determinism.v92
-rw-r--r--common/Errors.v18
-rw-r--r--common/Events.v284
-rw-r--r--common/Globalenvs.v564
-rw-r--r--common/Memdata.v234
-rw-r--r--common/Memory.v984
-rw-r--r--common/Memtype.v18
-rw-r--r--common/PrintAST.ml8
-rw-r--r--common/Sections.ml6
-rw-r--r--common/Smallstep.v350
-rw-r--r--common/Subtyping.v202
-rw-r--r--common/Switch.v52
-rw-r--r--common/Switchaux.ml2
-rw-r--r--common/Unityping.v84
-rw-r--r--common/Values.v146
17 files changed, 1673 insertions, 1673 deletions
diff --git a/common/AST.v b/common/AST.v
index c62b0091..16673c47 100644
--- a/common/AST.v
+++ b/common/AST.v
@@ -121,7 +121,7 @@ Definition proj_sig_res (s: signature) : typ :=
Definition signature_eq: forall (s1 s2: signature), {s1=s2} + {s1<>s2}.
Proof.
generalize opt_typ_eq, list_typ_eq; intros; decide equality.
- generalize bool_dec; intros. decide equality.
+ generalize bool_dec; intros. decide equality.
Defined.
Global Opaque signature_eq.
@@ -255,14 +255,14 @@ Lemma transform_program_function:
exists f, In (i, Gfun f) p.(prog_defs) /\ transf f = tf.
Proof.
simpl. unfold transform_program. intros.
- exploit list_in_map_inv; eauto.
- intros [[i' gd] [EQ IN]]. simpl in EQ. destruct gd; inv EQ.
+ exploit list_in_map_inv; eauto.
+ intros [[i' gd] [EQ IN]]. simpl in EQ. destruct gd; inv EQ.
exists f; auto.
Qed.
End TRANSF_PROGRAM.
-(** General iterator over program that applies a given code transfomration
+(** General iterator over program that applies a given code transfomration
function to all function descriptions with their identifers and leaves
teh other parts of the program unchanged. *)
@@ -289,18 +289,18 @@ Lemma tranforma_program_function_ident:
exists f, In (i, Gfun f) p.(prog_defs) /\ transf i f = tf.
Proof.
simpl. unfold transform_program_ident. intros.
- exploit list_in_map_inv; eauto.
- intros [[i' gd] [EQ IN]]. simpl in EQ. destruct gd; inv EQ.
+ exploit list_in_map_inv; eauto.
+ intros [[i' gd] [EQ IN]]. simpl in EQ. destruct gd; inv EQ.
exists f; auto.
Qed.
End TRANSF_PROGRAM_IDENT.
-(** The following is a more general presentation of [transform_program] where
+(** The following is a more general presentation of [transform_program] where
global variable information can be transformed, in addition to function
definitions. Moreover, the transformation functions can fail and
return an error message. Also the transformation functions are defined
- for the case the identifier of the function is passed as additional
+ for the case the identifier of the function is passed as additional
argument *)
Local Open Scope error_monad_scope.
@@ -338,7 +338,7 @@ Fixpoint transf_globdefs (l: list (ident * globdef A V)) : res (list (ident * gl
end
end.
-Fixpoint transf_globdefs_ident (l: list (ident * globdef A V)) : res (list (ident * globdef B W)) :=
+Fixpoint transf_globdefs_ident (l: list (ident * globdef A V)) : res (list (ident * globdef B W)) :=
match l with
| nil => OK nil
| (id, Gfun f) :: l' =>
@@ -369,12 +369,12 @@ Lemma transform_partial_program2_function:
In (i, Gfun tf) tp.(prog_defs) ->
exists f, In (i, Gfun f) p.(prog_defs) /\ transf_fun f = OK tf.
Proof.
- intros. monadInv H. simpl in H0.
+ intros. monadInv H. simpl in H0.
revert x EQ H0. induction (prog_defs p); simpl; intros.
inv EQ. contradiction.
destruct a as [id [f|v]].
destruct (transf_fun f) as [tf1|msg] eqn:?; monadInv EQ.
- simpl in H0; destruct H0. inv H. exists f; auto.
+ simpl in H0; destruct H0. inv H. exists f; auto.
exploit IHl; eauto. intros [f' [P Q]]; exists f'; auto.
destruct (transf_globvar v) as [tv1|msg] eqn:?; monadInv EQ.
simpl in H0; destruct H0. inv H.
@@ -387,12 +387,12 @@ Lemma transform_partial_ident_program2_function:
In (i, Gfun tf) tp.(prog_defs) ->
exists f, In (i, Gfun f) p.(prog_defs) /\ transf_fun_ident i f = OK tf.
Proof.
- intros. monadInv H. simpl in H0.
+ intros. monadInv H. simpl in H0.
revert x EQ H0. induction (prog_defs p); simpl; intros.
inv EQ. contradiction.
destruct a as [id [f|v]].
destruct (transf_fun_ident id f) as [tf1|msg] eqn:?; monadInv EQ.
- simpl in H0; destruct H0. inv H. exists f; auto.
+ simpl in H0; destruct H0. inv H. exists f; auto.
exploit IHl; eauto. intros [f' [P Q]]; exists f'; auto.
destruct (transf_globvar_ident id v) as [tv1|msg] eqn:?; monadInv EQ.
simpl in H0; destruct H0. inv H.
@@ -407,7 +407,7 @@ Lemma transform_partial_program2_variable:
In (i, Gvar(mkglobvar v tv.(gvar_init) tv.(gvar_readonly) tv.(gvar_volatile))) p.(prog_defs)
/\ transf_var v = OK tv.(gvar_info).
Proof.
- intros. monadInv H. simpl in H0.
+ intros. monadInv H. simpl in H0.
revert x EQ H0. induction (prog_defs p); simpl; intros.
inv EQ. contradiction.
destruct a as [id [f|v]].
@@ -429,7 +429,7 @@ Lemma transform_partial_ident_program2_variable:
In (i, Gvar(mkglobvar v tv.(gvar_init) tv.(gvar_readonly) tv.(gvar_volatile))) p.(prog_defs)
/\ transf_var_ident i v = OK tv.(gvar_info).
Proof.
- intros. monadInv H. simpl in H0.
+ intros. monadInv H. simpl in H0.
revert x EQ H0. induction (prog_defs p); simpl; intros.
inv EQ. contradiction.
destruct a as [id [f|v]].
@@ -451,11 +451,11 @@ Lemma transform_partial_program2_succeeds:
| Gvar gv => exists tv, transf_var gv.(gvar_info) = OK tv
end.
Proof.
- intros. monadInv H.
+ intros. monadInv H.
revert x EQ H0. induction (prog_defs p); simpl; intros.
contradiction.
destruct a as [id1 g1]. destruct g1.
- destruct (transf_fun f) eqn:TF; try discriminate. monadInv EQ.
+ destruct (transf_fun f) eqn:TF; try discriminate. monadInv EQ.
destruct H0. inv H. econstructor; eauto. eapply IHl; eauto.
destruct (transf_globvar v) eqn:TV; try discriminate. monadInv EQ.
destruct H0. inv H. monadInv TV. econstructor; eauto. eapply IHl; eauto.
@@ -470,11 +470,11 @@ Lemma transform_partial_ident_program2_succeeds:
| Gvar gv => exists tv, transf_var_ident i gv.(gvar_info) = OK tv
end.
Proof.
- intros. monadInv H.
+ intros. monadInv H.
revert x EQ H0. induction (prog_defs p); simpl; intros.
contradiction.
destruct a as [id1 g1]. destruct g1.
- destruct (transf_fun_ident id1 f) eqn:TF; try discriminate. monadInv EQ.
+ destruct (transf_fun_ident id1 f) eqn:TF; try discriminate. monadInv EQ.
destruct H0. inv H. econstructor; eauto. eapply IHl; eauto.
destruct (transf_globvar_ident id1 v) eqn:TV; try discriminate. monadInv EQ.
destruct H0. inv H. monadInv TV. econstructor; eauto. eapply IHl; eauto.
@@ -621,7 +621,7 @@ Lemma transform_partial_program_function:
In (i, Gfun tf) tp.(prog_defs) ->
exists f, In (i, Gfun f) p.(prog_defs) /\ transf_partial f = OK tf.
Proof.
- apply transform_partial_program2_function.
+ apply transform_partial_program2_function.
Qed.
Lemma transform_partial_ident_program_function:
@@ -630,7 +630,7 @@ Lemma transform_partial_ident_program_function:
In (i, Gfun tf) tp.(prog_defs) ->
exists f, In (i, Gfun f) p.(prog_defs) /\ transf_partial_ident i f = OK tf.
Proof.
- apply transform_partial_ident_program2_function.
+ apply transform_partial_ident_program2_function.
Qed.
Lemma transform_partial_program_succeeds:
@@ -639,8 +639,8 @@ Lemma transform_partial_program_succeeds:
In (i, Gfun fd) p.(prog_defs) ->
exists tfd, transf_partial fd = OK tfd.
Proof.
- unfold transform_partial_program; intros.
- exploit transform_partial_program2_succeeds; eauto.
+ unfold transform_partial_program; intros.
+ exploit transform_partial_program2_succeeds; eauto.
Qed.
Lemma transform_partial_ident_program_succeeds:
@@ -649,8 +649,8 @@ Lemma transform_partial_ident_program_succeeds:
In (i, Gfun fd) p.(prog_defs) ->
exists tfd, transf_partial_ident i fd = OK tfd.
Proof.
- unfold transform_partial_ident_program; intros.
- exploit transform_partial_ident_program2_succeeds; eauto.
+ unfold transform_partial_ident_program; intros.
+ exploit transform_partial_ident_program2_succeeds; eauto.
Qed.
End TRANSF_PARTIAL_PROGRAM.
@@ -663,7 +663,7 @@ Proof.
unfold transform_partial_program, transform_partial_program2, transform_program; intros.
replace (transf_globdefs (fun f => OK (transf f)) (fun v => OK v) p.(prog_defs))
with (OK (map (transform_program_globdef transf) p.(prog_defs))).
- auto.
+ auto.
induction (prog_defs p); simpl.
auto.
destruct a as [id [f|v]]; rewrite <- IHl.
@@ -679,7 +679,7 @@ Proof.
unfold transform_partial_ident_program, transform_partial_ident_program2, transform_program; intros.
replace (transf_globdefs_ident (fun id f => OK (transf id f)) (fun _ v => OK v) p.(prog_defs))
with (OK (map (transform_program_globdef_ident transf) p.(prog_defs))).
- auto.
+ auto.
induction (prog_defs p); simpl.
auto.
destruct a as [id [f|v]]; rewrite <- IHl.
@@ -687,11 +687,11 @@ Proof.
destruct v; auto.
Qed.
-(** The following is a relational presentation of
+(** The following is a relational presentation of
[transform_partial_augment_preogram]. Given relations between function
definitions and between variable information, it defines a relation
between programs stating that the two programs have appropriately related
- shapes (global names are preserved and possibly augmented, etc)
+ shapes (global names are preserved and possibly augmented, etc)
and that identically-named function definitions
and variable information are related. *)
@@ -723,24 +723,24 @@ Lemma transform_partial_augment_program_match:
forall (A B V W: Type)
(transf_fun: A -> res B)
(transf_var: V -> res W)
- (p: program A V)
+ (p: program A V)
(new_globs : list (ident * globdef B W))
(new_main : ident)
(tp: program B W),
transform_partial_augment_program transf_fun transf_var new_globs new_main p = OK tp ->
- match_program
+ match_program
(fun fd tfd => transf_fun fd = OK tfd)
(fun info tinfo => transf_var info = OK tinfo)
new_globs new_main
p tp.
Proof.
- unfold transform_partial_augment_program; intros. monadInv H.
+ unfold transform_partial_augment_program; intros. monadInv H.
red; simpl. split; auto. exists x; split; auto.
revert x EQ. generalize (prog_defs p). induction l; simpl; intros.
monadInv EQ. constructor.
- destruct a as [id [f|v]].
+ destruct a as [id [f|v]].
(* function *)
- destruct (transf_fun f) as [tf|?] eqn:?; monadInv EQ.
+ destruct (transf_fun f) as [tf|?] eqn:?; monadInv EQ.
constructor; auto. constructor; auto.
(* variable *)
unfold transf_globvar in EQ.
@@ -890,7 +890,7 @@ End TRANSF_PARTIAL_FUNDEF.
(** * Arguments and results to builtin functions *)
-Set Contextual Implicit.
+Set Contextual Implicit.
Inductive builtin_arg (A: Type) : Type :=
| BA (x: A)
@@ -948,7 +948,7 @@ Fixpoint map_builtin_arg (A B: Type) (f: A -> B) (a: builtin_arg A) : builtin_ar
| BA_addrstack ofs => BA_addrstack ofs
| BA_loadglobal chunk id ofs => BA_loadglobal chunk id ofs
| BA_addrglobal id ofs => BA_addrglobal id ofs
- | BA_splitlong hi lo =>
+ | BA_splitlong hi lo =>
BA_splitlong (map_builtin_arg f hi) (map_builtin_arg f lo)
end.
@@ -956,7 +956,7 @@ Fixpoint map_builtin_res (A B: Type) (f: A -> B) (a: builtin_res A) : builtin_re
match a with
| BR x => BR (f x)
| BR_none => BR_none
- | BR_splitlong hi lo =>
+ | BR_splitlong hi lo =>
BR_splitlong (map_builtin_res f hi) (map_builtin_res f lo)
end.
diff --git a/common/Behaviors.v b/common/Behaviors.v
index 0a7ed171..1a6b8bd6 100644
--- a/common/Behaviors.v
+++ b/common/Behaviors.v
@@ -68,7 +68,7 @@ Lemma behavior_app_assoc:
forall t1 t2 beh,
behavior_app (t1 ** t2) beh = behavior_app t1 (behavior_app t2 beh).
Proof.
- intros. destruct beh; simpl; f_equal; traceEq.
+ intros. destruct beh; simpl; f_equal; traceEq.
Qed.
Lemma behavior_app_E0:
@@ -90,14 +90,14 @@ Proof.
Qed.
Lemma behavior_improves_trans:
- forall beh1 beh2 beh3,
+ forall beh1 beh2 beh3,
behavior_improves beh1 beh2 -> behavior_improves beh2 beh3 ->
behavior_improves beh1 beh3.
Proof.
- intros. red. destruct H; destruct H0; subst; auto.
+ intros. red. destruct H; destruct H0; subst; auto.
destruct H as [t1 [EQ1 [beh2' EQ1']]].
destruct H0 as [t2 [EQ2 [beh3' EQ2']]].
- subst. destruct beh2'; simpl in EQ2; try discriminate. inv EQ2.
+ subst. destruct beh2'; simpl in EQ2; try discriminate. inv EQ2.
right. exists t1; split; auto. exists (behavior_app t beh3'). apply behavior_app_assoc.
Qed.
@@ -112,7 +112,7 @@ Lemma behavior_improves_app:
behavior_improves beh1 beh2 ->
behavior_improves (behavior_app t beh1) (behavior_app t beh2).
Proof.
- intros. red; destruct H. left; congruence.
+ intros. red; destruct H. left; congruence.
destruct H as [t' [A [beh' B]]]. subst.
right; exists (t ** t'); split; auto. exists beh'. rewrite behavior_app_assoc; auto.
Qed.
@@ -152,7 +152,7 @@ Lemma state_behaves_app:
forall s1 t s2 beh,
Star L s1 t s2 -> state_behaves s2 beh -> state_behaves s1 (behavior_app t beh).
Proof.
- intros. inv H0; simpl; econstructor; eauto; try (eapply star_trans; eauto).
+ intros. inv H0; simpl; econstructor; eauto; try (eapply star_trans; eauto).
eapply star_forever_reactive; eauto.
Qed.
@@ -177,7 +177,7 @@ Lemma reacts':
forall s1 t1, Star L s0 t1 s1 ->
{ s2 : state L & { t2 : trace | Star L s1 t2 s2 /\ t2 <> E0 } }.
Proof.
- intros.
+ intros.
destruct (constructive_indefinite_description _ (reacts H)) as [s2 A].
destruct (constructive_indefinite_description _ A) as [t2 [B C]].
exists s2; exists t2; auto.
@@ -186,7 +186,7 @@ Qed.
CoFixpoint build_traceinf' (s1: state L) (t1: trace) (ST: Star L s0 t1 s1) : traceinf' :=
match reacts' ST with
| existT s2 (exist t2 (conj A B)) =>
- Econsinf' t2
+ Econsinf' t2
(build_traceinf' (star_trans ST A (refl_equal _)))
B
end.
@@ -196,10 +196,10 @@ Lemma reacts_forever_reactive_rec:
Forever_reactive L s1 (traceinf_of_traceinf' (build_traceinf' ST)).
Proof.
cofix COINDHYP; intros.
- rewrite (unroll_traceinf' (build_traceinf' ST)). simpl.
- destruct (reacts' ST) as [s2 [t2 [A B]]].
- rewrite traceinf_traceinf'_app.
- econstructor. eexact A. auto. apply COINDHYP.
+ rewrite (unroll_traceinf' (build_traceinf' ST)). simpl.
+ destruct (reacts' ST) as [s2 [t2 [A B]]].
+ rewrite traceinf_traceinf'_app.
+ econstructor. eexact A. auto. apply COINDHYP.
Qed.
Lemma reacts_forever_reactive:
@@ -216,9 +216,9 @@ Lemma diverges_forever_silent:
(forall s1 t1, Star L s0 t1 s1 -> exists s2, Step L s1 E0 s2) ->
Forever_silent L s0.
Proof.
- cofix COINDHYP; intros.
- destruct (H s0 E0) as [s1 ST]. constructor.
- econstructor. eexact ST. apply COINDHYP.
+ cofix COINDHYP; intros.
+ destruct (H s0 E0) as [s1 ST]. constructor.
+ econstructor. eexact ST. apply COINDHYP.
intros. eapply H. eapply star_left; eauto.
Qed.
@@ -233,20 +233,20 @@ Proof.
exists s3, Step L s2 E0 s3))).
(* 1.1 Silent divergence *)
destruct H0 as [s1 [t1 [A B]]].
- exists (Diverges t1); econstructor; eauto.
+ exists (Diverges t1); econstructor; eauto.
apply diverges_forever_silent; auto.
(* 1.2 Reactive divergence *)
destruct (@reacts_forever_reactive s0) as [T FR].
intros.
generalize (not_ex_all_not _ _ H0 s1). intro A; clear H0.
generalize (not_ex_all_not _ _ A t1). intro B; clear A.
- destruct (not_and_or _ _ B). contradiction.
- destruct (not_all_ex_not _ _ H0) as [s2 C]; clear H0.
+ destruct (not_and_or _ _ B). contradiction.
+ destruct (not_all_ex_not _ _ H0) as [s2 C]; clear H0.
destruct (not_all_ex_not _ _ C) as [t2 D]; clear C.
destruct (imply_to_and _ _ D) as [E F]; clear D.
- destruct (H s2 (t1 ** t2)) as [s3 [t3 G]]. eapply star_trans; eauto.
+ destruct (H s2 (t1 ** t2)) as [s3 [t3 G]]. eapply star_trans; eauto.
exists s3; exists (t2 ** t3); split.
- eapply star_right; eauto.
+ eapply star_right; eauto.
red; intros. destruct (app_eq_nil t2 t3 H0). subst. elim F. exists s3; auto.
exists (Reacts T); econstructor; eauto.
(* 2 Termination (normal or by going wrong) *)
@@ -257,9 +257,9 @@ Proof.
(* 2.1 Normal termination *)
exists (Terminates t1 r); econstructor; eauto.
(* 2.2 Going wrong *)
- exists (Goes_wrong t1); econstructor; eauto. red. intros.
- generalize (not_ex_all_not _ _ D s'); intros.
- generalize (not_ex_all_not _ _ H t); intros.
+ exists (Goes_wrong t1); econstructor; eauto. red. intros.
+ generalize (not_ex_all_not _ _ D s'); intros.
+ generalize (not_ex_all_not _ _ H t); intros.
auto.
Qed.
@@ -269,10 +269,10 @@ Proof.
destruct (classic (exists s, initial_state L s)) as [[s0 INIT] | NOTINIT].
(* 1. Initial state is defined. *)
destruct (state_behaves_exists s0) as [beh SB].
- exists beh; econstructor; eauto.
+ exists beh; econstructor; eauto.
(* 2. Initial state is undefined *)
- exists (Goes_wrong E0). apply program_goes_initially_wrong.
- intros. eapply not_ex_all_not; eauto.
+ exists (Goes_wrong E0). apply program_goes_initially_wrong.
+ intros. eapply not_ex_all_not; eauto.
Qed.
End PROGRAM_BEHAVIORS.
@@ -290,7 +290,7 @@ Lemma forward_simulation_state_behaves:
S i s1 s2 -> state_behaves L1 s1 beh1 ->
exists beh2, state_behaves L2 s2 beh2 /\ behavior_improves beh1 beh2.
Proof.
- intros. inv H0.
+ intros. inv H0.
(* termination *)
exploit simulation_star; eauto. intros [i' [s2' [A B]]].
exists (Terminates t r); split.
@@ -308,10 +308,10 @@ Proof.
(* going wrong *)
exploit simulation_star; eauto. intros [i' [s2' [A B]]].
destruct (state_behaves_exists L2 s2') as [beh' SB].
- exists (behavior_app t beh'); split.
- eapply state_behaves_app; eauto.
+ exists (behavior_app t beh'); split.
+ eapply state_behaves_app; eauto.
replace (Goes_wrong t) with (behavior_app t (Goes_wrong E0)).
- apply behavior_improves_app. apply behavior_improves_bot.
+ apply behavior_improves_app. apply behavior_improves_bot.
simpl. decEq. traceEq.
Qed.
@@ -326,11 +326,11 @@ Proof.
exists beh2; split; auto. econstructor; eauto.
(* initial state undefined *)
destruct (classic (exists s', initial_state L2 s')).
- destruct H as [s' INIT].
+ destruct H as [s' INIT].
destruct (state_behaves_exists L2 s') as [beh' SB].
exists beh'; split. econstructor; eauto. apply behavior_improves_bot.
exists (Goes_wrong E0); split.
- apply program_goes_initially_wrong.
+ apply program_goes_initially_wrong.
intros; red; intros. elim H; exists s; auto.
apply behavior_improves_refl.
Qed.
@@ -340,8 +340,8 @@ Corollary forward_simulation_same_safe_behavior:
program_behaves L1 beh -> not_wrong beh ->
program_behaves L2 beh.
Proof.
- intros. exploit forward_simulation_behavior_improves; eauto.
- intros [beh' [A B]]. destruct B.
+ intros. exploit forward_simulation_behavior_improves; eauto.
+ intros [beh' [A B]]. destruct B.
congruence.
destruct H1 as [t [C D]]. subst. contradiction.
Qed.
@@ -364,7 +364,7 @@ Definition safe_along_behavior (s: state L1) (b: program_behavior) : Prop :=
Remark safe_along_safe:
forall s b, safe_along_behavior s b -> safe L1 s.
Proof.
- intros; red; intros. eapply H; eauto. symmetry; apply behavior_app_E0.
+ intros; red; intros. eapply H; eauto. symmetry; apply behavior_app_E0.
Qed.
Remark star_safe_along:
@@ -381,21 +381,21 @@ Remark not_safe_along_behavior:
forall s b,
~ safe_along_behavior s b ->
exists t, exists s',
- behavior_prefix t b
+ behavior_prefix t b
/\ Star L1 s t s'
/\ Nostep L1 s'
/\ (forall r, ~(final_state L1 s' r)).
Proof.
- intros.
+ intros.
destruct (not_all_ex_not _ _ H) as [t1 A]; clear H.
destruct (not_all_ex_not _ _ A) as [s' B]; clear A.
destruct (not_all_ex_not _ _ B) as [b2 C]; clear B.
destruct (imply_to_and _ _ C) as [D E]; clear C.
destruct (imply_to_and _ _ E) as [F G]; clear E.
destruct (not_or_and _ _ G) as [P Q]; clear G.
- exists t1; exists s'.
- split. exists b2; auto.
- split. auto.
+ exists t1; exists s'.
+ split. exists b2; auto.
+ split. auto.
split. red; intros; red; intros. elim Q. exists t; exists s'0; auto.
intros; red; intros. elim P. exists r; auto.
Qed.
@@ -407,7 +407,7 @@ Lemma backward_simulation_star:
Proof.
induction 1; intros.
exists i; exists s1; split; auto. apply star_refl.
- exploit (bsim_simulation S); eauto. eapply safe_along_safe; eauto.
+ exploit (bsim_simulation S); eauto. eapply safe_along_safe; eauto.
intros [i' [s1' [A B]]].
assert (Star L1 s0 t1 s1'). intuition. apply plus_star; auto.
exploit IHstar; eauto. eapply star_safe_along; eauto.
@@ -439,9 +439,9 @@ Lemma backward_simulation_forever_reactive:
Forever_reactive L2 s2 T -> S i s1 s2 -> safe_along_behavior s1 (Reacts T) ->
Forever_reactive L1 s1 T.
Proof.
- cofix COINDHYP; intros. inv H.
+ cofix COINDHYP; intros. inv H.
destruct (backward_simulation_star H2 _ (Reacts T0) H0) as [i' [s1' [A B]]]; eauto.
- econstructor; eauto. eapply COINDHYP; eauto. eapply star_safe_along; eauto.
+ econstructor; eauto. eapply COINDHYP; eauto. eapply star_safe_along; eauto.
Qed.
Lemma backward_simulation_state_behaves:
@@ -452,43 +452,43 @@ Proof.
intros. destruct (classic (safe_along_behavior s1 beh2)).
(* 1. Safe along *)
exists beh2; split; [idtac|apply behavior_improves_refl].
- inv H0.
+ inv H0.
(* termination *)
assert (Terminates t r = behavior_app t (Terminates E0 r)).
simpl. rewrite E0_right; auto.
- rewrite H0 in H1.
+ rewrite H0 in H1.
exploit backward_simulation_star; eauto.
intros [i' [s1' [A B]]].
exploit (bsim_match_final_states S); eauto.
- eapply safe_along_safe. eapply star_safe_along; eauto.
+ eapply safe_along_safe. eapply star_safe_along; eauto.
intros [s1'' [C D]].
econstructor. eapply star_trans; eauto. traceEq. auto.
(* silent divergence *)
assert (Diverges t = behavior_app t (Diverges E0)).
simpl. rewrite E0_right; auto.
- rewrite H0 in H1.
+ rewrite H0 in H1.
exploit backward_simulation_star; eauto.
intros [i' [s1' [A B]]].
- econstructor. eauto. eapply backward_simulation_forever_silent; eauto.
- eapply safe_along_safe. eapply star_safe_along; eauto.
+ econstructor. eauto. eapply backward_simulation_forever_silent; eauto.
+ eapply safe_along_safe. eapply star_safe_along; eauto.
(* reactive divergence *)
- econstructor. eapply backward_simulation_forever_reactive; eauto.
+ econstructor. eapply backward_simulation_forever_reactive; eauto.
(* goes wrong *)
assert (Goes_wrong t = behavior_app t (Goes_wrong E0)).
simpl. rewrite E0_right; auto.
- rewrite H0 in H1.
+ rewrite H0 in H1.
exploit backward_simulation_star; eauto.
intros [i' [s1' [A B]]].
- exploit (bsim_progress S); eauto. eapply safe_along_safe. eapply star_safe_along; eauto.
- intros [[r FIN] | [t' [s2' STEP2]]].
+ exploit (bsim_progress S); eauto. eapply safe_along_safe. eapply star_safe_along; eauto.
+ intros [[r FIN] | [t' [s2' STEP2]]].
elim (H4 _ FIN).
elim (H3 _ _ STEP2).
(* 2. Not safe along *)
- exploit not_safe_along_behavior; eauto.
+ exploit not_safe_along_behavior; eauto.
intros [t [s1' [PREF [STEPS [NOSTEP NOFIN]]]]].
exists (Goes_wrong t); split.
- econstructor; eauto.
+ econstructor; eauto.
right. exists t; auto.
Qed.
@@ -505,14 +505,14 @@ Proof.
exists beh1; split; auto. econstructor; eauto.
(* L1 has no initial state *)
exists (Goes_wrong E0); split.
- apply program_goes_initially_wrong.
+ apply program_goes_initially_wrong.
intros; red; intros. elim NOINIT; exists s0; auto.
apply behavior_improves_bot.
(* L2 has no initial state *)
exists (Goes_wrong E0); split.
- apply program_goes_initially_wrong.
+ apply program_goes_initially_wrong.
intros; red; intros.
- exploit (bsim_initial_states_exist S); eauto. intros [s2 INIT2].
+ exploit (bsim_initial_states_exist S); eauto. intros [s2 INIT2].
elim (H0 s2); auto.
apply behavior_improves_refl.
Qed.
@@ -521,8 +521,8 @@ Corollary backward_simulation_same_safe_behavior:
(forall beh, program_behaves L1 beh -> not_wrong beh) ->
(forall beh, program_behaves L2 beh -> program_behaves L1 beh).
Proof.
- intros. exploit backward_simulation_behavior_improves; eauto.
- intros [beh' [A B]]. destruct B.
+ intros. exploit backward_simulation_behavior_improves; eauto.
+ intros [beh' [A B]]. destruct B.
congruence.
destruct H1 as [t [C D]]. subst. elim (H (Goes_wrong t)). auto.
Qed.
@@ -549,7 +549,7 @@ Lemma step_atomic_plus:
Proof.
intros. destruct t.
apply plus_one. simpl; apply atomic_step_silent; auto.
- exploit Lwb; eauto. simpl; intros.
+ exploit Lwb; eauto. simpl; intros.
eapply plus_left. eapply atomic_step_start; eauto. eapply atomic_finish; eauto. auto.
Qed.
@@ -559,14 +559,14 @@ Proof.
induction 1. apply star_refl. eapply star_trans with (s2 := (E0,s2)).
apply plus_star. eapply step_atomic_plus; eauto. eauto. auto.
Qed.
-
+
Lemma atomic_forward_simulation: forward_simulation L (atomic L).
Proof.
set (ms := fun (s: state L) (ts: state (atomic L)) => ts = (E0,s)).
apply forward_simulation_plus with ms; intros.
auto.
- exists (E0,s1); split. simpl; auto. red; auto.
- red in H. subst s2. simpl; auto.
+ exists (E0,s1); split. simpl; auto. red; auto.
+ red in H. subst s2. simpl; auto.
red in H0. subst s2. exists (E0,s1'); split.
apply step_atomic_plus; auto. red; auto.
Qed.
@@ -575,27 +575,27 @@ Lemma atomic_star_star_gen:
forall ts1 t ts2, Star (atomic L) ts1 t ts2 ->
exists t', Star L (snd ts1) t' (snd ts2) /\ fst ts1 ** t' = t ** fst ts2.
Proof.
- induction 1.
+ induction 1.
exists E0; split. apply star_refl. traceEq.
destruct IHstar as [t' [A B]].
simpl in H; inv H; simpl in *.
exists t'; split. eapply star_left; eauto. auto.
- exists (ev :: t0 ** t'); split. eapply star_left; eauto. rewrite B; auto.
+ exists (ev :: t0 ** t'); split. eapply star_left; eauto. rewrite B; auto.
exists t'; split. auto. rewrite B; auto.
Qed.
Lemma atomic_star_star:
forall s1 t s2, Star (atomic L) (E0,s1) t (E0,s2) -> Star L s1 t s2.
Proof.
- intros. exploit atomic_star_star_gen; eauto. intros [t' [A B]].
- simpl in *. replace t with t'. auto. subst; traceEq.
+ intros. exploit atomic_star_star_gen; eauto. intros [t' [A B]].
+ simpl in *. replace t with t'. auto. subst; traceEq.
Qed.
Lemma atomic_forever_silent_forever_silent:
forall s, Forever_silent (atomic L) s -> Forever_silent L (snd s).
Proof.
- cofix COINDHYP; intros. inv H. inv H0.
- apply forever_silent_intro with (snd (E0, s')). auto. apply COINDHYP; auto.
+ cofix COINDHYP; intros. inv H. inv H0.
+ apply forever_silent_intro with (snd (E0, s')). auto. apply COINDHYP; auto.
Qed.
Remark star_atomic_output_trace:
@@ -608,7 +608,7 @@ Proof.
apply IHstar. auto.
apply IHstar. exploit Lwb; eauto.
destruct H2. apply IHstar. auto.
- intros. change t' with (fst (t',s')). eapply H; eauto. simpl; auto.
+ intros. change t' with (fst (t',s')). eapply H; eauto. simpl; auto.
Qed.
Lemma atomic_forever_reactive_forever_reactive:
@@ -617,15 +617,15 @@ Proof.
assert (forall t s T, Forever_reactive (atomic L) (t,s) T ->
exists T', Forever_reactive (atomic L) (E0,s) T' /\ T = t *** T').
induction t; intros. exists T; auto.
- inv H. inv H0. congruence. simpl in H; inv H.
+ inv H. inv H0. congruence. simpl in H; inv H.
destruct (IHt s (t2***T0)) as [T' [A B]]. eapply star_forever_reactive; eauto.
- exists T'; split; auto. simpl. congruence.
+ exists T'; split; auto. simpl. congruence.
- cofix COINDHYP; intros. inv H0. destruct s2 as [t2 s2].
- destruct (H _ _ _ H3) as [T' [A B]].
+ cofix COINDHYP; intros. inv H0. destruct s2 as [t2 s2].
+ destruct (H _ _ _ H3) as [T' [A B]].
assert (Star (atomic L) (E0, s) (t**t2) (E0, s2)).
- eapply star_trans. eauto. apply atomic_finish. eapply star_atomic_output_trace; eauto. auto.
- replace (t *** T0) with ((t ** t2) *** T'). apply forever_reactive_intro with s2.
+ eapply star_trans. eauto. apply atomic_finish. eapply star_atomic_output_trace; eauto. auto.
+ replace (t *** T0) with ((t ** t2) *** T'). apply forever_reactive_intro with s2.
apply atomic_star_star; auto. destruct t; simpl in *; unfold E0 in *; congruence.
apply COINDHYP. auto.
subst T0; traceEq.
@@ -636,44 +636,44 @@ Theorem atomic_behaviors:
Proof.
intros; split; intros.
(* L -> atomic L *)
- exploit forward_simulation_behavior_improves. eapply atomic_forward_simulation. eauto.
+ exploit forward_simulation_behavior_improves. eapply atomic_forward_simulation. eauto.
intros [beh2 [A B]]. red in B. destruct B as [EQ | [t [C D]]].
congruence.
subst beh. inv H. inv H1.
- apply program_runs with (E0,s). simpl; auto.
- apply state_goes_wrong with (E0,s'). apply star_atomic_star; auto.
- red; intros; red; intros. inv H. eelim H3; eauto. eelim H3; eauto.
- intros; red; intros. simpl in H. destruct H. eelim H4; eauto.
- apply program_goes_initially_wrong.
- intros; red; intros. simpl in H; destruct H. eelim H1; eauto.
+ apply program_runs with (E0,s). simpl; auto.
+ apply state_goes_wrong with (E0,s'). apply star_atomic_star; auto.
+ red; intros; red; intros. inv H. eelim H3; eauto. eelim H3; eauto.
+ intros; red; intros. simpl in H. destruct H. eelim H4; eauto.
+ apply program_goes_initially_wrong.
+ intros; red; intros. simpl in H; destruct H. eelim H1; eauto.
(* atomic L -> L *)
inv H.
(* initial state defined *)
- destruct s as [t s]. simpl in H0. destruct H0; subst t.
- apply program_runs with s; auto.
+ destruct s as [t s]. simpl in H0. destruct H0; subst t.
+ apply program_runs with s; auto.
inv H1.
(* termination *)
- destruct s' as [t' s']. simpl in H2; destruct H2; subst t'.
- econstructor. eapply atomic_star_star; eauto. auto.
+ destruct s' as [t' s']. simpl in H2; destruct H2; subst t'.
+ econstructor. eapply atomic_star_star; eauto. auto.
(* silent divergence *)
destruct s' as [t' s'].
- assert (t' = E0). inv H2. inv H1; auto. subst t'.
- econstructor. eapply atomic_star_star; eauto.
+ assert (t' = E0). inv H2. inv H1; auto. subst t'.
+ econstructor. eapply atomic_star_star; eauto.
change s' with (snd (E0,s')). apply atomic_forever_silent_forever_silent. auto.
(* reactive divergence *)
- econstructor. apply atomic_forever_reactive_forever_reactive. auto.
+ econstructor. apply atomic_forever_reactive_forever_reactive. auto.
(* going wrong *)
destruct s' as [t' s'].
assert (t' = E0).
destruct t'; auto. eelim H2. simpl. apply atomic_step_continue.
eapply star_atomic_output_trace; eauto.
- subst t'. econstructor. apply atomic_star_star; eauto.
+ subst t'. econstructor. apply atomic_star_star; eauto.
red; intros; red; intros. destruct t0.
- elim (H2 E0 (E0,s'0)). constructor; auto.
+ elim (H2 E0 (E0,s'0)). constructor; auto.
elim (H2 (e::nil) (t0,s'0)). constructor; auto.
- intros; red; intros. elim (H3 r). simpl; auto.
+ intros; red; intros. elim (H3 r). simpl; auto.
(* initial state undefined *)
- apply program_goes_initially_wrong.
+ apply program_goes_initially_wrong.
intros; red; intros. elim (H0 (E0,s)); simpl; auto.
Qed.
@@ -722,7 +722,7 @@ Proof.
Qed.
Let treactive (S: tstate) : Prop :=
- forall S1,
+ forall S1,
tsteps S S1 ->
exists S2, exists S3, exists t, tsteps S1 S2 /\ tstep t S2 S3 /\ t <> E0.
@@ -734,16 +734,16 @@ Lemma treactive_or_tsilent:
Proof.
intros. destruct (classic (exists S', tsteps S S' /\ tsilent S')).
auto.
- left. red; intros.
+ left. red; intros.
generalize (not_ex_all_not _ _ H S1). intros.
- destruct (not_and_or _ _ H1). contradiction.
- unfold tsilent in H2.
+ destruct (not_and_or _ _ H1). contradiction.
+ unfold tsilent in H2.
generalize (not_all_ex_not _ _ H2). intros [S2 A].
generalize (not_all_ex_not _ _ A). intros [t B].
generalize (not_all_ex_not _ _ B). intros [S3 C].
generalize (imply_to_and _ _ C). intros [D F].
generalize (imply_to_and _ _ F). intros [G J].
- exists S2; exists S3; exists t. auto.
+ exists S2; exists S3; exists t. auto.
Qed.
Lemma tsteps_star:
@@ -765,14 +765,14 @@ Lemma tsilent_forever_silent:
Proof.
cofix COINDHYP; intro S. case S. intros until f. simpl. case f. intros.
assert (tstep t (ST s1 (t *** T0) (forever_intro s1 t s0 f0))
- (ST s2 T0 f0)).
+ (ST s2 T0 f0)).
constructor.
- assert (t = E0).
+ assert (t = E0).
red in H. eapply H; eauto. apply tsteps_refl.
apply forever_silent_intro with (state_of_tstate (ST s2 T0 f0)).
- rewrite <- H1. assumption.
- apply COINDHYP.
- red; intros. eapply H. eapply tsteps_left; eauto. eauto.
+ rewrite <- H1. assumption.
+ apply COINDHYP.
+ red; intros. eapply H. eapply tsteps_left; eauto. eauto.
Qed.
Lemma treactive_forever_reactive:
@@ -780,14 +780,14 @@ Lemma treactive_forever_reactive:
treactive S -> forever_reactive step ge (state_of_tstate S) (traceinf_of_tstate S).
Proof.
cofix COINDHYP; intros.
- destruct (H S) as [S1 [S2 [t [A [B C]]]]]. apply tsteps_refl.
+ destruct (H S) as [S1 [S2 [t [A [B C]]]]]. apply tsteps_refl.
destruct (tsteps_star _ _ A) as [t' [P Q]].
- inv B. simpl in *. rewrite Q. rewrite <- Eappinf_assoc.
- apply forever_reactive_intro with s2.
- eapply star_right; eauto.
+ inv B. simpl in *. rewrite Q. rewrite <- Eappinf_assoc.
+ apply forever_reactive_intro with s2.
+ eapply star_right; eauto.
red; intros. destruct (Eapp_E0_inv _ _ H0). contradiction.
change (forever_reactive step ge (state_of_tstate (ST s2 T F)) (traceinf_of_tstate (ST s2 T F))).
- apply COINDHYP.
+ apply COINDHYP.
red; intros. apply H.
eapply tsteps_trans. eauto.
eapply tsteps_left. constructor. eauto.
@@ -800,15 +800,15 @@ Theorem forever_silent_or_reactive:
exists t, exists s', exists T',
star step ge s t s' /\ forever_silent step ge s' /\ T = t *** T'.
Proof.
- intros.
+ intros.
destruct (treactive_or_tsilent (ST s T H)).
- left.
+ left.
change (forever_reactive step ge (state_of_tstate (ST s T H)) (traceinf_of_tstate (ST s T H))).
apply treactive_forever_reactive. auto.
destruct H0 as [S' [A B]].
exploit tsteps_star; eauto. intros [t [C D]]. simpl in *.
right. exists t; exists (state_of_tstate S'); exists (traceinf_of_tstate S').
- split. auto.
+ split. auto.
split. apply tsilent_forever_silent. auto.
auto.
Qed.
@@ -829,7 +829,7 @@ Lemma behavior_bigstep_terminates:
forall t r,
bigstep_terminates B t r -> program_behaves L (Terminates t r).
Proof.
- intros. exploit (bigstep_terminates_sound sound); eauto.
+ intros. exploit (bigstep_terminates_sound sound); eauto.
intros [s1 [s2 [P [Q R]]]].
econstructor; eauto. econstructor; eauto.
Qed.
diff --git a/common/Determinism.v b/common/Determinism.v
index 2445398c..e68c363f 100644
--- a/common/Determinism.v
+++ b/common/Determinism.v
@@ -101,7 +101,7 @@ Lemma possible_trace_app_inv:
Proof.
induction t1; simpl; intros.
exists w0; split. constructor. auto.
- inv H. exploit IHt1; eauto. intros [w1 [A B]].
+ inv H. exploit IHt1; eauto. intros [w1 [A B]].
exists w1; split. econstructor; eauto. auto.
Qed.
@@ -114,7 +114,7 @@ Proof.
auto.
inv H7; inv H6. inv H9; inv H10. split; congruence.
inv H7; inv H6. inv H9; inv H10. split; congruence.
- inv H4; inv H3. inv H6; inv H7. split; congruence.
+ inv H4; inv H3. inv H6; inv H7. split; congruence.
inv H4; inv H3. inv H7; inv H6. auto.
Qed.
@@ -141,7 +141,7 @@ Lemma possible_traceinf_app_inv:
Proof.
induction t1; simpl; intros.
exists w0; split. constructor. auto.
- inv H. exploit IHt1; eauto. intros [w1 [A B]].
+ inv H. exploit IHt1; eauto. intros [w1 [A B]].
exists w1; split. econstructor; eauto. auto.
Qed.
@@ -164,7 +164,7 @@ Ltac possibleTraceInv :=
intros w [P1 P2];
possibleTraceInv
| [H: exists w, possible_trace _ _ w |- _] =>
- let P := fresh "P" in let w := fresh "w" in
+ let P := fresh "P" in let w := fresh "w" in
destruct H as [w P]; possibleTraceInv
| _ => idtac
end.
@@ -218,19 +218,19 @@ Ltac use_step_deterministic :=
(** Determinism for finite transition sequences. *)
Lemma star_step_diamond:
- forall s0 t1 s1, Star L s0 t1 s1 ->
- forall t2 s2, Star L s0 t2 s2 ->
+ forall s0 t1 s1, Star L s0 t1 s1 ->
+ forall t2 s2, Star L s0 t2 s2 ->
exists t,
(Star L s1 t s2 /\ t2 = t1 ** t)
\/ (Star L s2 t s1 /\ t1 = t2 ** t).
Proof.
- induction 1; intros.
- exists t2; auto.
- inv H2. exists (t1 ** t2); right.
+ induction 1; intros.
+ exists t2; auto.
+ inv H2. exists (t1 ** t2); right.
split. econstructor; eauto. auto.
- use_step_deterministic.
+ use_step_deterministic.
exploit IHstar. eexact H4. intros [t A]. exists t.
- destruct A. left; intuition. traceEq. right; intuition. traceEq.
+ destruct A. left; intuition. traceEq. right; intuition. traceEq.
Qed.
Ltac use_star_step_diamond :=
@@ -248,8 +248,8 @@ Ltac use_nostep :=
Lemma star_step_triangle:
forall s0 t1 s1 t2 s2,
- Star L s0 t1 s1 ->
- Star L s0 t2 s2 ->
+ Star L s0 t1 s1 ->
+ Star L s0 t2 s2 ->
Nostep L s2 ->
exists t,
Star L s1 t s2 /\ t2 = t1 ** t.
@@ -270,7 +270,7 @@ Ltac use_star_step_triangle :=
Lemma steps_deterministic:
forall s0 t1 s1 t2 s2,
- Star L s0 t1 s1 -> Star L s0 t2 s2 ->
+ Star L s0 t1 s1 -> Star L s0 t2 s2 ->
Nostep L s1 -> Nostep L s2 ->
t1 = t2 /\ s1 = s2.
Proof.
@@ -285,8 +285,8 @@ Lemma terminates_not_goes_wrong:
(forall r, ~final_state L s2 r) -> False.
Proof.
intros.
- assert (t1 = t2 /\ s1 = s2).
- eapply steps_deterministic; eauto. eapply det_final_nostep; eauto.
+ assert (t1 = t2 /\ s1 = s2).
+ eapply steps_deterministic; eauto. eapply det_final_nostep; eauto.
destruct H4; subst. elim (H3 _ H0).
Qed.
@@ -297,8 +297,8 @@ Lemma star_final_not_forever_silent:
Nostep L s' ->
Forever_silent L s -> False.
Proof.
- induction 1; intros.
- inv H0. use_nostep.
+ induction 1; intros.
+ inv H0. use_nostep.
inv H3. use_step_deterministic. eauto.
Qed.
@@ -313,32 +313,32 @@ Proof.
Qed.
Lemma star_final_not_forever_reactive:
- forall s t s', Star L s t s' ->
+ forall s t s', Star L s t s' ->
forall T, Nostep L s' -> Forever_reactive L s T -> False.
Proof.
induction 1; intros.
- inv H0. inv H1. congruence. use_nostep.
+ inv H0. inv H1. congruence. use_nostep.
inv H3. inv H4. congruence.
use_step_deterministic.
- eapply IHstar with (T := t4 *** T0). eauto.
- eapply star_forever_reactive; eauto.
+ eapply IHstar with (T := t4 *** T0). eauto.
+ eapply star_forever_reactive; eauto.
Qed.
Lemma star_forever_silent_inv:
forall s t s', Star L s t s' ->
- Forever_silent L s ->
+ Forever_silent L s ->
t = E0 /\ Forever_silent L s'.
Proof.
induction 1; intros.
auto.
- subst. inv H2. use_step_deterministic. eauto.
+ subst. inv H2. use_step_deterministic. eauto.
Qed.
Lemma forever_silent_reactive_exclusive:
forall s T,
Forever_silent L s -> Forever_reactive L s T -> False.
Proof.
- intros. inv H0. exploit star_forever_silent_inv; eauto.
+ intros. inv H0. exploit star_forever_silent_inv; eauto.
intros [A B]. contradiction.
Qed.
@@ -358,17 +358,17 @@ Lemma forever_reactive_inv2:
Proof.
induction 1; intros.
congruence.
- inv H2. congruence. use_step_deterministic.
+ inv H2. congruence. use_step_deterministic.
destruct t3.
(* inductive case *)
- simpl in *. eapply IHstar; eauto.
+ simpl in *. eapply IHstar; eauto.
(* base case *)
exists s5; exists (e :: t3);
exists (t2 *** T1); exists (t4 *** T2).
split. unfold E0; congruence.
- split. eapply star_forever_reactive; eauto.
- split. eapply star_forever_reactive; eauto.
- split; traceEq.
+ split. eapply star_forever_reactive; eauto.
+ split. eapply star_forever_reactive; eauto.
+ split; traceEq.
Qed.
Lemma forever_reactive_determ':
@@ -381,8 +381,8 @@ Proof.
inv H. inv H0.
destruct (forever_reactive_inv2 _ _ _ H t s2 T0 T)
as [s' [t' [T1' [T2' [A [B [C [D E]]]]]]]]; auto.
- rewrite D; rewrite E. constructor. auto.
- eapply COINDHYP; eauto.
+ rewrite D; rewrite E. constructor. auto.
+ eapply COINDHYP; eauto.
Qed.
Lemma forever_reactive_determ:
@@ -399,12 +399,12 @@ Lemma star_forever_reactive_inv:
forall T, Forever_reactive L s T ->
exists T', Forever_reactive L s' T' /\ T = t *** T'.
Proof.
- induction 1; intros.
+ induction 1; intros.
exists T; auto.
inv H2. inv H3. congruence.
- use_step_deterministic.
+ use_step_deterministic.
exploit IHstar. eapply star_forever_reactive. 2: eauto. eauto.
- intros [T' [A B]]. exists T'; intuition. traceEq. congruence.
+ intros [T' [A B]]. exists T'; intuition. traceEq. congruence.
Qed.
Lemma forever_silent_reactive_exclusive2:
@@ -413,7 +413,7 @@ Lemma forever_silent_reactive_exclusive2:
Forever_reactive L s T ->
False.
Proof.
- intros. exploit star_forever_reactive_inv; eauto.
+ intros. exploit star_forever_reactive_inv; eauto.
intros [T' [A B]]. subst T.
eapply forever_silent_reactive_exclusive; eauto.
Qed.
@@ -438,7 +438,7 @@ Proof.
inv BEH1; inv BEH2; red.
(* terminates, terminates *)
assert (t = t0 /\ s' = s'0). eapply steps_deterministic; eauto.
- destruct H3. split; auto. subst. eapply det_final_state; eauto.
+ destruct H3. split; auto. subst. eapply det_final_state; eauto.
(* terminates, diverges *)
eapply star2_final_not_forever_silent with (s1 := s') (s2 := s'0); eauto.
(* terminates, reacts *)
@@ -449,9 +449,9 @@ Proof.
eapply star2_final_not_forever_silent with (s2 := s') (s1 := s'0); eauto.
(* diverges, diverges *)
use_star_step_diamond.
- exploit star_forever_silent_inv. eexact P. eauto.
+ exploit star_forever_silent_inv. eexact P. eauto.
intros [A B]. subst; traceEq.
- exploit star_forever_silent_inv. eexact P. eauto.
+ exploit star_forever_silent_inv. eexact P. eauto.
intros [A B]. subst; traceEq.
(* diverges, reacts *)
eapply forever_silent_reactive_exclusive2; eauto.
@@ -459,10 +459,10 @@ Proof.
eapply star2_final_not_forever_silent with (s1 := s'0) (s2 := s'); eauto.
(* reacts, terminates *)
eapply star_final_not_forever_reactive; eauto.
-(* reacts, diverges *)
+(* reacts, diverges *)
eapply forever_silent_reactive_exclusive2; eauto.
(* reacts, reacts *)
- eapply forever_reactive_determ; eauto.
+ eapply forever_reactive_determ; eauto.
(* reacts, goes wrong *)
eapply star_final_not_forever_reactive; eauto.
(* goes wrong, terminate *)
@@ -473,7 +473,7 @@ Proof.
eapply star_final_not_forever_reactive; eauto.
(* goes wrong, goes wrong *)
assert (t = t0 /\ s' = s'0). eapply steps_deterministic; eauto.
- tauto.
+ tauto.
Qed.
Theorem program_behaves_deterministic:
@@ -483,7 +483,7 @@ Theorem program_behaves_deterministic:
Proof.
intros until beh2; intros BEH1 BEH2. inv BEH1; inv BEH2.
(* both initial states defined *)
- assert (s = s0) by (eapply det_initial_state; eauto). subst s0.
+ assert (s = s0) by (eapply det_initial_state; eauto). subst s0.
eapply state_behaves_deterministic; eauto.
(* one initial state defined, the other undefined *)
elim (H1 _ H).
@@ -533,13 +533,13 @@ Proof.
rewrite (surjective_pairing s1). rewrite (surjective_pairing s2). intuition congruence.
(* initial states *)
destruct H; destruct H0.
- rewrite (surjective_pairing s1). rewrite (surjective_pairing s2). decEq.
- eapply (sd_initial_determ D); eauto.
+ rewrite (surjective_pairing s1). rewrite (surjective_pairing s2). decEq.
+ eapply (sd_initial_determ D); eauto.
congruence.
(* final states *)
eapply (sd_final_determ D); eauto.
(* final no step *)
- red; simpl; intros. red; intros [A B]. exploit (sd_final_nostep D); eauto.
+ red; simpl; intros. red; intros [A B]. exploit (sd_final_nostep D); eauto.
Qed.
End WORLD_SEM.
diff --git a/common/Errors.v b/common/Errors.v
index 78e11999..338d777d 100644
--- a/common/Errors.v
+++ b/common/Errors.v
@@ -122,7 +122,7 @@ Proof.
destruct (bind_inversion _ _ H) as [hd' [P Q]].
destruct (bind_inversion _ _ Q) as [tl' [R S]].
inversion_clear S.
- constructor. auto. auto.
+ constructor. auto. auto.
Qed.
(** * Reasoning over monadic computations *)
@@ -174,20 +174,20 @@ Ltac monadInv1 H :=
Ltac monadInv H :=
monadInv1 H ||
match type of H with
- | (?F _ _ _ _ _ _ _ _ = OK _) =>
+ | (?F _ _ _ _ _ _ _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ _ _ _ _ _ _ = OK _) =>
+ | (?F _ _ _ _ _ _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ _ _ _ _ _ = OK _) =>
+ | (?F _ _ _ _ _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ _ _ _ _ = OK _) =>
+ | (?F _ _ _ _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ _ _ _ = OK _) =>
+ | (?F _ _ _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ _ _ = OK _) =>
+ | (?F _ _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ _ = OK _) =>
+ | (?F _ _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
- | (?F _ = OK _) =>
+ | (?F _ = OK _) =>
((progress simpl in H) || unfold F in H); monadInv1 H
end.
diff --git a/common/Events.v b/common/Events.v
index dc38b344..7029a984 100644
--- a/common/Events.v
+++ b/common/Events.v
@@ -31,7 +31,7 @@ Require Import Globalenvs.
input/output events, which represent the actions of the program
that the external world can observe. CompCert leaves much flexibility as to
the exact content of events: the only requirement is that they
- do not expose memory states nor pointer values
+ do not expose memory states nor pointer values
(other than pointers to global variables), because these
are not preserved literally during compilation. For concreteness,
we use the following type for events. Each event represents either:
@@ -40,10 +40,10 @@ Require Import Globalenvs.
name of the system call, its parameters, and its result.
- A volatile load from a global memory location, recording the chunk
- and address being read and the value just read.
+ and address being read and the value just read.
- A volatile store to a global memory location, recording the chunk
- and address being written and the value stored there.
+ and address being written and the value stored there.
- An annotation, recording the text of the annotation and the values
of the arguments.
@@ -102,7 +102,7 @@ Proof. intros. unfold Eapp, trace. apply app_ass. Qed.
Lemma Eapp_E0_inv: forall t1 t2, t1 ** t2 = E0 -> t1 = E0 /\ t2 = E0.
Proof (@app_eq_nil event).
-
+
Lemma E0_left_inf: forall T, E0 *** T = T.
Proof. auto. Qed.
@@ -133,7 +133,7 @@ Ltac decomposeTraceEq :=
auto
end.
-Ltac traceEq :=
+Ltac traceEq :=
repeat substTraceHyp; autorewrite with trace_rewrite; decomposeTraceEq.
(** Bisimilarity between infinite traces. *)
@@ -149,7 +149,7 @@ Proof.
cofix COINDHYP; intros.
destruct T. constructor. apply COINDHYP.
Qed.
-
+
Lemma traceinf_sim_sym:
forall T1 T2, traceinf_sim T1 T2 -> traceinf_sim T2 T1.
Proof.
@@ -157,7 +157,7 @@ Proof.
Qed.
Lemma traceinf_sim_trans:
- forall T1 T2 T3,
+ forall T1 T2 T3,
traceinf_sim T1 T2 -> traceinf_sim T2 T3 -> traceinf_sim T1 T3.
Proof.
cofix COINDHYP;intros. inv H; inv H0; constructor; eauto.
@@ -170,11 +170,11 @@ CoInductive traceinf_sim': traceinf -> traceinf -> Prop :=
Lemma traceinf_sim'_sim:
forall T1 T2, traceinf_sim' T1 T2 -> traceinf_sim T1 T2.
Proof.
- cofix COINDHYP; intros. inv H.
+ cofix COINDHYP; intros. inv H.
destruct t. elim H0; auto.
Transparent Eappinf.
Transparent E0.
- simpl.
+ simpl.
destruct t. simpl. constructor. apply COINDHYP; auto.
constructor. apply COINDHYP.
constructor. unfold E0; congruence. auto.
@@ -193,10 +193,10 @@ Program Definition split_traceinf' (t: trace) (T: traceinf') (NE: t <> E0): even
| e :: t' => (e, Econsinf' t' T _)
end.
Next Obligation.
- elimtype False. elim NE. auto.
+ elimtype False. elim NE. auto.
Qed.
Next Obligation.
- red; intro. elim (H e). rewrite H0. auto.
+ red; intro. elim (H e). rewrite H0. auto.
Qed.
CoFixpoint traceinf_of_traceinf' (T': traceinf') : traceinf :=
@@ -224,11 +224,11 @@ Lemma traceinf_traceinf'_app:
Proof.
induction t.
intros. elim NE. auto.
- intros. simpl.
+ intros. simpl.
rewrite (unroll_traceinf (traceinf_of_traceinf' (Econsinf' (a :: t) T NE))).
simpl. destruct t. auto.
Transparent Eappinf.
- simpl. f_equal. apply IHt.
+ simpl. f_equal. apply IHt.
Qed.
(** Prefixes of traces. *)
@@ -244,7 +244,7 @@ Lemma trace_prefix_app:
trace_prefix t1 t2 ->
trace_prefix (t ** t1) (t ** t2).
Proof.
- intros. destruct H as [t3 EQ]. exists t3. traceEq.
+ intros. destruct H as [t3 EQ]. exists t3. traceEq.
Qed.
Lemma traceinf_prefix_app:
@@ -295,7 +295,7 @@ Lemma eventval_match_type:
forall ev ty v,
eventval_match ev ty v -> Val.has_type v ty.
Proof.
- intros. inv H; simpl; auto.
+ intros. inv H; simpl; auto.
Qed.
Lemma eventval_list_match_length:
@@ -331,7 +331,7 @@ Lemma eventval_match_determ_2:
forall ev1 ev2 ty v, eventval_match ev1 ty v -> eventval_match ev2 ty v -> ev1 = ev2.
Proof.
intros. inv H; inv H0; auto.
- decEq. eapply Senv.find_symbol_injective; eauto.
+ decEq. eapply Senv.find_symbol_injective; eauto.
Qed.
Lemma eventval_list_match_determ_2:
@@ -370,13 +370,13 @@ Lemma eventval_match_receptive:
Proof.
intros. inv H; destruct ev2; simpl in H2; try discriminate.
- exists (Vint i0); constructor.
-- simpl in H1; exploit Senv.public_symbol_exists; eauto. intros [b FS].
+- simpl in H1; exploit Senv.public_symbol_exists; eauto. intros [b FS].
exists (Vptr b i1); constructor; auto.
- exists (Vlong i0); constructor.
- exists (Vfloat f0); constructor.
- exists (Vsingle f0); constructor; auto.
- exists (Vint i); constructor.
-- simpl in H1. exploit Senv.public_symbol_exists. eexact H1. intros [b' FS].
+- simpl in H1. exploit Senv.public_symbol_exists. eexact H1. intros [b' FS].
exists (Vptr b' i0); constructor; auto.
Qed.
@@ -390,7 +390,7 @@ Lemma eventval_match_same_type:
forall ev1 ty v1 ev2 v2,
eventval_match ev1 ty v1 -> eventval_match ev2 ty v2 -> eventval_type ev1 = eventval_type ev2.
Proof.
- destruct 1; intros EV; inv EV; auto.
+ destruct 1; intros EV; inv EV; auto.
Qed.
End EVENTVAL.
@@ -407,7 +407,7 @@ Hypothesis public_preserved:
Lemma eventval_valid_preserved:
forall ev, eventval_valid ge1 ev -> eventval_valid ge2 ev.
Proof.
- intros. destruct ev; simpl in *; auto. rewrite <- H; auto.
+ intros. destruct ev; simpl in *; auto. rewrite <- H; auto.
Qed.
Hypothesis symbols_preserved:
@@ -418,8 +418,8 @@ Lemma eventval_match_preserved:
eventval_match ge1 ev ty v -> eventval_match ge2 ev ty v.
Proof.
induction 1; constructor; auto.
- rewrite public_preserved; auto.
- rewrite symbols_preserved; auto.
+ rewrite public_preserved; auto.
+ rewrite symbols_preserved; auto.
Qed.
Lemma eventval_list_match_preserved:
@@ -463,12 +463,12 @@ Qed.
Lemma eventval_match_inject_2:
forall ev ty v1,
- eventval_match ge1 ev ty v1 ->
+ eventval_match ge1 ev ty v1 ->
exists v2, eventval_match ge2 ev ty v2 /\ Val.inject f v1 v2.
Proof.
intros. inv H; try (econstructor; split; eauto; constructor; fail).
destruct symb_inj as (A & B & C & D). exploit C; eauto. intros [b2 [EQ FS]].
- exists (Vptr b2 ofs); split. econstructor; eauto.
+ exists (Vptr b2 ofs); split. econstructor; eauto.
econstructor; eauto. rewrite Int.add_zero; auto.
Qed.
@@ -536,7 +536,7 @@ Definition output_event (ev: event) : Prop :=
| Event_vstore _ _ _ _ => True
| Event_annot _ _ => True
end.
-
+
Fixpoint output_trace (t: trace) : Prop :=
match t with
| nil => True
@@ -584,7 +584,7 @@ Inductive volatile_store (ge: Senv.t):
- the trace generated by the call (can be empty).
*)
-Definition extcall_sem : Type :=
+Definition extcall_sem : Type :=
Senv.t -> list val -> mem -> trace -> val -> mem -> Prop.
(** We now specify the expected properties of this predicate. *)
@@ -736,20 +736,20 @@ Lemma volatile_load_inject:
Mem.inject f m m' ->
exists v', volatile_load ge2 chunk m' b' ofs' t v' /\ Val.inject f v v'.
Proof.
- intros until m'; intros SI VL VI MI. generalize SI; intros (A & B & C & D).
+ intros until m'; intros SI VL VI MI. generalize SI; intros (A & B & C & D).
inv VL.
- (* volatile load *)
- inv VI. exploit B; eauto. intros [U V]. subst delta.
+ inv VI. exploit B; eauto. intros [U V]. subst delta.
exploit eventval_match_inject_2; eauto. intros (v2 & X & Y).
rewrite Int.add_zero. exists (Val.load_result chunk v2); split.
constructor; auto.
erewrite D; eauto.
apply Val.load_result_inject. auto.
- (* normal load *)
- exploit Mem.loadv_inject; eauto. simpl; eauto. simpl; intros (v2 & X & Y).
- exists v2; split; auto.
+ exploit Mem.loadv_inject; eauto. simpl; eauto. simpl; intros (v2 & X & Y).
+ exists v2; split; auto.
constructor; auto.
- inv VI. erewrite D; eauto.
+ inv VI. erewrite D; eauto.
Qed.
Lemma volatile_load_receptive:
@@ -765,15 +765,15 @@ Qed.
Lemma volatile_load_ok:
forall chunk,
- extcall_properties (volatile_load_sem chunk)
+ extcall_properties (volatile_load_sem chunk)
(mksignature (Tint :: nil) (Some (type_of_chunk chunk)) cc_default).
Proof.
intros; constructor; intros.
(* well typed *)
-- unfold proj_sig_res; simpl. inv H. inv H0. apply Val.load_result_type.
- eapply Mem.load_type; eauto.
+- unfold proj_sig_res; simpl. inv H. inv H0. apply Val.load_result_type.
+ eapply Mem.load_type; eauto.
(* symbols *)
-- inv H2. constructor. eapply volatile_load_preserved; eauto.
+- inv H2. constructor. eapply volatile_load_preserved; eauto.
(* valid blocks *)
- inv H; auto.
(* max perms *)
@@ -781,12 +781,12 @@ Proof.
(* readonly *)
- inv H. apply Mem.unchanged_on_refl.
(* mem extends *)
-- inv H. inv H1. inv H6. inv H4.
+- inv H. inv H1. inv H6. inv H4.
exploit volatile_load_extends; eauto. intros [v' [A B]].
exists v'; exists m1'; intuition. constructor; auto.
(* mem injects *)
-- inv H0. inv H2. inv H7. inversion H5; subst.
- exploit volatile_load_inject; eauto. intros [v' [A B]].
+- inv H0. inv H2. inv H7. inversion H5; subst.
+ exploit volatile_load_inject; eauto. intros [v' [A B]].
exists f; exists v'; exists m1'; intuition. constructor; auto.
red; intros. congruence.
(* trace length *)
@@ -797,11 +797,11 @@ Proof.
(* determ *)
- inv H; inv H0. inv H1; inv H7; try congruence.
assert (id = id0) by (eapply Senv.find_symbol_injective; eauto). subst id0.
- split. constructor.
+ split. constructor.
eapply eventval_match_valid; eauto.
eapply eventval_match_valid; eauto.
eapply eventval_match_same_type; eauto.
- intros EQ; inv EQ.
+ intros EQ; inv EQ.
assert (v = v0) by (eapply eventval_match_determ_1; eauto). subst v0.
auto.
split. constructor. intuition congruence.
@@ -837,10 +837,10 @@ Lemma volatile_store_readonly:
Proof.
intros. inv H.
apply Mem.unchanged_on_refl.
- eapply Mem.store_unchanged_on; eauto.
- exploit Mem.store_valid_access_3; eauto. intros [P Q].
- intros. unfold loc_not_writable. red; intros. elim H2.
- apply Mem.perm_cur_max. apply P. auto.
+ eapply Mem.store_unchanged_on; eauto.
+ exploit Mem.store_valid_access_3; eauto. intros [P Q].
+ intros. unfold loc_not_writable. red; intros. elim H2.
+ apply Mem.perm_cur_max. apply P. auto.
Qed.
Lemma volatile_store_extends:
@@ -848,19 +848,19 @@ Lemma volatile_store_extends:
volatile_store ge chunk m1 b ofs v t m2 ->
Mem.extends m1 m1' ->
Val.lessdef v v' ->
- exists m2',
+ exists m2',
volatile_store ge chunk m1' b ofs v' t m2'
/\ Mem.extends m2 m2'
/\ Mem.unchanged_on (loc_out_of_bounds m1) m1' m2'.
Proof.
intros. inv H.
- econstructor; split. econstructor; eauto.
- eapply eventval_match_lessdef; eauto. apply Val.load_result_lessdef; auto.
+ eapply eventval_match_lessdef; eauto. apply Val.load_result_lessdef; auto.
auto with mem.
- exploit Mem.store_within_extends; eauto. intros [m2' [A B]].
exists m2'; intuition.
+ econstructor; eauto.
-+ eapply Mem.store_unchanged_on; eauto.
++ eapply Mem.store_unchanged_on; eauto.
unfold loc_out_of_bounds; intros.
assert (Mem.perm m1 b i Max Nonempty).
{ apply Mem.perm_cur_max. apply Mem.perm_implies with Writable; auto with mem.
@@ -881,13 +881,13 @@ Lemma volatile_store_inject:
/\ Mem.unchanged_on (loc_unmapped f) m1 m2
/\ Mem.unchanged_on (loc_out_of_reach f m1) m1' m2'.
Proof.
- intros until v'; intros SI VS AI VI MI.
- generalize SI; intros (P & Q & R & S).
+ intros until v'; intros SI VS AI VI MI.
+ generalize SI; intros (P & Q & R & S).
inv VS.
- (* volatile store *)
- inv AI. exploit Q; eauto. intros [A B]. subst delta.
+ inv AI. exploit Q; eauto. intros [A B]. subst delta.
rewrite Int.add_zero. exists m1'; split.
- constructor; auto. erewrite S; eauto.
+ constructor; auto. erewrite S; eauto.
eapply eventval_match_inject; eauto. apply Val.load_result_inject. auto.
intuition auto with mem.
- (* normal store *)
@@ -895,17 +895,17 @@ Proof.
assert (Mem.storev chunk m1 (Vptr b ofs) v = Some m2). simpl; auto.
exploit Mem.storev_mapped_inject; eauto. intros [m2' [A B]].
exists m2'; intuition auto.
-+ constructor; auto. erewrite S; eauto.
++ constructor; auto. erewrite S; eauto.
+ eapply Mem.store_unchanged_on; eauto.
unfold loc_unmapped; intros. inv AI; congruence.
-+ eapply Mem.store_unchanged_on; eauto.
- unfold loc_out_of_reach; intros. red; intros. simpl in A.
++ eapply Mem.store_unchanged_on; eauto.
+ unfold loc_out_of_reach; intros. red; intros. simpl in A.
assert (EQ: Int.unsigned (Int.add ofs (Int.repr delta)) = Int.unsigned ofs + delta)
by (eapply Mem.address_inject; eauto with mem).
rewrite EQ in *.
- eelim H3; eauto.
- exploit Mem.store_valid_access_3. eexact H0. intros [X Y].
- apply Mem.perm_cur_max. apply Mem.perm_implies with Writable; auto with mem.
+ eelim H3; eauto.
+ exploit Mem.store_valid_access_3. eexact H0. intros [X Y].
+ apply Mem.perm_cur_max. apply Mem.perm_implies with Writable; auto with mem.
apply X. omega.
Qed.
@@ -913,29 +913,29 @@ Lemma volatile_store_receptive:
forall ge chunk m b ofs v t1 m1 t2,
volatile_store ge chunk m b ofs v t1 m1 -> match_traces ge t1 t2 -> t1 = t2.
Proof.
- intros. inv H; inv H0; auto.
+ intros. inv H; inv H0; auto.
Qed.
Lemma volatile_store_ok:
forall chunk,
- extcall_properties (volatile_store_sem chunk)
+ extcall_properties (volatile_store_sem chunk)
(mksignature (Tint :: type_of_chunk chunk :: nil) None cc_default).
Proof.
intros; constructor; intros.
(* well typed *)
- unfold proj_sig_res; simpl. inv H; constructor.
(* symbols preserved *)
-- inv H2. constructor. eapply volatile_store_preserved; eauto.
+- inv H2. constructor. eapply volatile_store_preserved; eauto.
(* valid block *)
- inv H. inv H1. auto. eauto with mem.
(* perms *)
-- inv H. inv H2. auto. eauto with mem.
+- inv H. inv H2. auto. eauto with mem.
(* readonly *)
- inv H. eapply volatile_store_readonly; eauto.
(* mem extends*)
- inv H. inv H1. inv H6. inv H7. inv H4.
- exploit volatile_store_extends; eauto. intros [m2' [A [B C]]].
- exists Vundef; exists m2'; intuition. constructor; auto.
+ exploit volatile_store_extends; eauto. intros [m2' [A [B C]]].
+ exists Vundef; exists m2'; intuition. constructor; auto.
(* mem inject *)
- inv H0. inv H2. inv H7. inv H8. inversion H5; subst.
exploit volatile_store_inject; eauto. intros [m2' [A [B [C D]]]].
@@ -963,7 +963,7 @@ Inductive extcall_malloc_sem (ge: Senv.t):
extcall_malloc_sem ge (Vint n :: nil) m E0 (Vptr b Int.zero) m''.
Lemma extcall_malloc_ok:
- extcall_properties extcall_malloc_sem
+ extcall_properties extcall_malloc_sem
(mksignature (Tint :: nil) (Some Tint) cc_default).
Proof.
assert (UNCHANGED:
@@ -978,7 +978,7 @@ Proof.
erewrite Mem.store_mem_contents; eauto. rewrite Maps.PMap.gso by auto.
Local Transparent Mem.alloc. unfold Mem.alloc in H. injection H; intros A B.
rewrite <- B; simpl. rewrite A. rewrite Maps.PMap.gso by auto. auto.
- }
+ }
constructor; intros.
(* well typed *)
@@ -989,34 +989,34 @@ Proof.
- inv H. eauto with mem.
(* perms *)
- inv H. exploit Mem.perm_alloc_inv. eauto. eapply Mem.perm_store_2; eauto.
- rewrite dec_eq_false. auto.
+ rewrite dec_eq_false. auto.
apply Mem.valid_not_valid_diff with m1; eauto with mem.
(* readonly *)
-- inv H. eapply UNCHANGED; eauto.
+- inv H. eapply UNCHANGED; eauto.
(* mem extends *)
-- inv H. inv H1. inv H5. inv H7.
+- inv H. inv H1. inv H5. inv H7.
exploit Mem.alloc_extends; eauto. apply Zle_refl. apply Zle_refl.
intros [m3' [A B]].
- exploit Mem.store_within_extends. eexact B. eauto.
- instantiate (1 := Vint n). auto.
+ exploit Mem.store_within_extends. eexact B. eauto.
+ instantiate (1 := Vint n). auto.
intros [m2' [C D]].
exists (Vptr b Int.zero); exists m2'; intuition.
econstructor; eauto.
eapply UNCHANGED; eauto.
(* mem injects *)
- inv H0. inv H2. inv H6. inv H8.
- exploit Mem.alloc_parallel_inject; eauto. apply Zle_refl. apply Zle_refl.
+ exploit Mem.alloc_parallel_inject; eauto. apply Zle_refl. apply Zle_refl.
intros [f' [m3' [b' [ALLOC [A [B [C D]]]]]]].
- exploit Mem.store_mapped_inject. eexact A. eauto. eauto.
- instantiate (1 := Vint n). auto.
+ exploit Mem.store_mapped_inject. eexact A. eauto. eauto.
+ instantiate (1 := Vint n). auto.
intros [m2' [E G]].
exists f'; exists (Vptr b' Int.zero); exists m2'; intuition.
econstructor; eauto.
econstructor. eauto. auto.
eapply UNCHANGED; eauto.
eapply UNCHANGED; eauto.
- red; intros. destruct (eq_block b1 b).
- subst b1. rewrite C in H2. inv H2. eauto with mem.
+ red; intros. destruct (eq_block b1 b).
+ subst b1. rewrite C in H2. inv H2. eauto with mem.
rewrite D in H2 by auto. congruence.
(* trace length *)
- inv H; simpl; omega.
@@ -1024,7 +1024,7 @@ Proof.
- assert (t1 = t2). inv H; inv H0; auto. subst t2.
exists vres1; exists m1; auto.
(* determ *)
-- inv H; inv H0. split. constructor. intuition congruence.
+- inv H; inv H0. split. constructor. intuition congruence.
Qed.
(** ** Semantics of dynamic memory deallocation (free) *)
@@ -1038,7 +1038,7 @@ Inductive extcall_free_sem (ge: Senv.t):
extcall_free_sem ge (Vptr b lo :: nil) m E0 Vundef m'.
Lemma extcall_free_ok:
- extcall_properties extcall_free_sem
+ extcall_properties extcall_free_sem
(mksignature (Tint :: nil) None cc_default).
Proof.
constructor; intros.
@@ -1049,22 +1049,22 @@ Proof.
(* valid block *)
- inv H. eauto with mem.
(* perms *)
-- inv H. eapply Mem.perm_free_3; eauto.
+- inv H. eapply Mem.perm_free_3; eauto.
(* readonly *)
-- inv H. eapply Mem.free_unchanged_on; eauto.
- intros. red; intros. elim H3.
- apply Mem.perm_cur_max. apply Mem.perm_implies with Freeable; auto with mem.
- eapply Mem.free_range_perm; eauto.
+- inv H. eapply Mem.free_unchanged_on; eauto.
+ intros. red; intros. elim H3.
+ apply Mem.perm_cur_max. apply Mem.perm_implies with Freeable; auto with mem.
+ eapply Mem.free_range_perm; eauto.
(* mem extends *)
-- inv H. inv H1. inv H8. inv H6.
- exploit Mem.load_extends; eauto. intros [vsz [A B]]. inv B.
+- inv H. inv H1. inv H8. inv H6.
+ exploit Mem.load_extends; eauto. intros [vsz [A B]]. inv B.
exploit Mem.free_parallel_extends; eauto. intros [m2' [C D]].
exists Vundef; exists m2'; intuition.
econstructor; eauto.
- eapply Mem.free_unchanged_on; eauto.
- unfold loc_out_of_bounds; intros.
+ eapply Mem.free_unchanged_on; eauto.
+ unfold loc_out_of_bounds; intros.
assert (Mem.perm m1 b i Max Nonempty).
- { apply Mem.perm_cur_max. apply Mem.perm_implies with Freeable; auto with mem.
+ { apply Mem.perm_cur_max. apply Mem.perm_implies with Freeable; auto with mem.
eapply Mem.free_range_perm. eexact H4. eauto. }
tauto.
(* mem inject *)
@@ -1072,24 +1072,24 @@ Proof.
exploit Mem.load_inject; eauto. intros [vsz [A B]]. inv B.
assert (Mem.range_perm m1 b (Int.unsigned lo - 4) (Int.unsigned lo + Int.unsigned sz) Cur Freeable).
eapply Mem.free_range_perm; eauto.
- exploit Mem.address_inject; eauto.
+ exploit Mem.address_inject; eauto.
apply Mem.perm_implies with Freeable; auto with mem.
- apply H0. instantiate (1 := lo). omega.
+ apply H0. instantiate (1 := lo). omega.
intro EQ.
exploit Mem.free_parallel_inject; eauto. intros (m2' & C & D).
exists f, Vundef, m2'; split.
- apply extcall_free_sem_intro with (sz := sz) (m' := m2').
- rewrite EQ. rewrite <- A. f_equal. omega.
+ apply extcall_free_sem_intro with (sz := sz) (m' := m2').
+ rewrite EQ. rewrite <- A. f_equal. omega.
auto.
rewrite ! EQ. rewrite <- C. f_equal; omega.
- split. auto.
+ split. auto.
split. auto.
split. eapply Mem.free_unchanged_on; eauto. unfold loc_unmapped. intros; congruence.
- split. eapply Mem.free_unchanged_on; eauto. unfold loc_out_of_reach.
+ split. eapply Mem.free_unchanged_on; eauto. unfold loc_out_of_reach.
intros. red; intros. eelim H7; eauto.
- apply Mem.perm_cur_max. apply Mem.perm_implies with Freeable; auto with mem.
+ apply Mem.perm_cur_max. apply Mem.perm_implies with Freeable; auto with mem.
apply H0. omega.
- split. auto.
+ split. auto.
red; intros. congruence.
(* trace length *)
- inv H; simpl; omega.
@@ -1122,19 +1122,19 @@ Lemma extcall_memcpy_ok:
Proof.
intros. constructor.
- (* return type *)
- intros. inv H. constructor.
+ intros. inv H. constructor.
- (* change of globalenv *)
intros. inv H2. econstructor; eauto.
- (* valid blocks *)
- intros. inv H. eauto with mem.
+ intros. inv H. eauto with mem.
- (* perms *)
- intros. inv H. eapply Mem.perm_storebytes_2; eauto.
+ intros. inv H. eapply Mem.perm_storebytes_2; eauto.
- (* readonly *)
- intros. inv H. eapply Mem.storebytes_unchanged_on; eauto.
- intros; red; intros. elim H8.
- apply Mem.perm_cur_max. eapply Mem.storebytes_range_perm; eauto.
+ intros. inv H. eapply Mem.storebytes_unchanged_on; eauto.
+ intros; red; intros. elim H8.
+ apply Mem.perm_cur_max. eapply Mem.storebytes_range_perm; eauto.
- (* extensions *)
- intros. inv H.
+ intros. inv H.
inv H1. inv H13. inv H14. inv H10. inv H11.
exploit Mem.loadbytes_length; eauto. intros LEN.
exploit Mem.loadbytes_extends; eauto. intros [bytes2 [A B]].
@@ -1143,28 +1143,28 @@ Proof.
split. econstructor; eauto.
split. constructor.
split. auto.
- eapply Mem.storebytes_unchanged_on; eauto. unfold loc_out_of_bounds; intros.
+ eapply Mem.storebytes_unchanged_on; eauto. unfold loc_out_of_bounds; intros.
assert (Mem.perm m1 bdst i Max Nonempty).
apply Mem.perm_cur_max. apply Mem.perm_implies with Writable; auto with mem.
- eapply Mem.storebytes_range_perm; eauto.
- erewrite list_forall2_length; eauto.
+ eapply Mem.storebytes_range_perm; eauto.
+ erewrite list_forall2_length; eauto.
tauto.
- (* injections *)
intros. inv H0. inv H2. inv H14. inv H15. inv H11. inv H12.
destruct (zeq sz 0).
+ (* special case sz = 0 *)
- assert (bytes = nil).
+ assert (bytes = nil).
{ exploit (Mem.loadbytes_empty m1 bsrc (Int.unsigned osrc) sz). omega. congruence. }
subst.
destruct (Mem.range_perm_storebytes m1' b0 (Int.unsigned (Int.add odst (Int.repr delta0))) nil)
as [m2' SB].
simpl. red; intros; omegaContradiction.
- exists f, Vundef, m2'.
- split. econstructor; eauto.
+ exists f, Vundef, m2'.
+ split. econstructor; eauto.
intros; omegaContradiction.
intros; omegaContradiction.
- right; omega.
- apply Mem.loadbytes_empty. omega.
+ right; omega.
+ apply Mem.loadbytes_empty. omega.
split. auto.
split. eapply Mem.storebytes_empty_inject; eauto.
split. eapply Mem.storebytes_unchanged_on; eauto. unfold loc_unmapped; intros.
@@ -1190,7 +1190,7 @@ Proof.
exploit Mem.loadbytes_inject; eauto. intros [bytes2 [A B]].
exploit Mem.storebytes_mapped_inject; eauto. intros [m2' [C D]].
exists f; exists Vundef; exists m2'.
- split. econstructor; try rewrite EQ1; try rewrite EQ2; eauto.
+ split. econstructor; try rewrite EQ1; try rewrite EQ2; eauto.
intros; eapply Mem.aligned_area_inject with (m := m1); eauto.
intros; eapply Mem.aligned_area_inject with (m := m1); eauto.
eapply Mem.disjoint_or_equal_inject with (m := m1); eauto.
@@ -1201,17 +1201,17 @@ Proof.
split. eapply Mem.storebytes_unchanged_on; eauto. unfold loc_unmapped; intros.
congruence.
split. eapply Mem.storebytes_unchanged_on; eauto. unfold loc_out_of_reach; intros. red; intros.
- eelim H2; eauto.
+ eelim H2; eauto.
apply Mem.perm_cur_max. apply Mem.perm_implies with Writable; auto with mem.
- eapply Mem.storebytes_range_perm; eauto.
- erewrite list_forall2_length; eauto.
+ eapply Mem.storebytes_range_perm; eauto.
+ erewrite list_forall2_length; eauto.
omega.
split. apply inject_incr_refl.
red; intros; congruence.
- (* trace length *)
intros; inv H. simpl; omega.
- (* receptive *)
- intros.
+ intros.
assert (t1 = t2). inv H; inv H0; auto. subst t2.
exists vres1; exists m1; auto.
- (* determ *)
@@ -1235,7 +1235,7 @@ Proof.
(* well typed *)
- inv H. simpl. auto.
(* symbols *)
-- inv H2. econstructor; eauto.
+- inv H2. econstructor; eauto.
eapply eventval_list_match_preserved; eauto.
(* valid blocks *)
- inv H; auto.
@@ -1257,7 +1257,7 @@ Proof.
(* trace length *)
- inv H; simpl; omega.
(* receptive *)
-- assert (t1 = t2). inv H; inv H0; auto.
+- assert (t1 = t2). inv H; inv H0; auto.
exists vres1; exists m1; congruence.
(* determ *)
- inv H; inv H0.
@@ -1280,7 +1280,7 @@ Proof.
(* well typed *)
- inv H. unfold proj_sig_res; simpl. eapply eventval_match_type; eauto.
(* symbols *)
-- inv H2. econstructor; eauto.
+- inv H2. econstructor; eauto.
eapply eventval_match_preserved; eauto.
(* valid blocks *)
- inv H; auto.
@@ -1289,7 +1289,7 @@ Proof.
(* readonly *)
- inv H. apply Mem.unchanged_on_refl.
(* mem extends *)
-- inv H. inv H1. inv H6.
+- inv H. inv H1. inv H6.
exists v2; exists m1'; intuition.
econstructor; eauto.
eapply eventval_match_lessdef; eauto.
@@ -1324,7 +1324,7 @@ Proof.
(* well typed *)
- inv H. simpl. auto.
(* symbols *)
-- inv H2. econstructor; eauto.
+- inv H2. econstructor; eauto.
(* valid blocks *)
- inv H; auto.
(* perms *)
@@ -1386,7 +1386,7 @@ Definition external_call (ef: external_function): extcall_sem :=
| EF_builtin name sg => external_functions_sem name sg
| EF_vload chunk => volatile_load_sem chunk
| EF_vstore chunk => volatile_store_sem chunk
- | EF_malloc => extcall_malloc_sem
+ | EF_malloc => extcall_malloc_sem
| EF_free => extcall_free_sem
| EF_memcpy sz al => extcall_memcpy_sem sz al
| EF_annot txt targs => extcall_annot_sem txt targs
@@ -1396,7 +1396,7 @@ Definition external_call (ef: external_function): extcall_sem :=
end.
Theorem external_call_spec:
- forall ef,
+ forall ef,
extcall_properties (external_call ef) (ef_sig ef).
Proof.
intros. unfold external_call, ef_sig; destruct ef.
@@ -1473,7 +1473,7 @@ Lemma external_call_mem_inject:
/\ inject_incr f f'
/\ inject_separated f f' m1 m1'.
Proof.
- intros. destruct H as (A & B & C). eapply external_call_mem_inject_gen with (ge1 := ge); eauto.
+ intros. destruct H as (A & B & C). eapply external_call_mem_inject_gen with (ge1 := ge); eauto.
repeat split; intros.
+ simpl in H3. exploit A; eauto. intros EQ; rewrite EQ in H; inv H. auto.
+ simpl in H3. exploit A; eauto. intros EQ; rewrite EQ in H; inv H. auto.
@@ -1548,29 +1548,29 @@ Inductive external_call'
Lemma decode_longs_lessdef:
forall tyl vl1 vl2, Val.lessdef_list vl1 vl2 -> Val.lessdef_list (decode_longs tyl vl1) (decode_longs tyl vl2).
Proof.
- induction tyl; simpl; intros.
+ induction tyl; simpl; intros.
auto.
- destruct a; inv H; auto. inv H1; auto. constructor; auto. apply Val.longofwords_lessdef; auto.
+ destruct a; inv H; auto. inv H1; auto. constructor; auto. apply Val.longofwords_lessdef; auto.
Qed.
Lemma decode_longs_inject:
forall f tyl vl1 vl2, Val.inject_list f vl1 vl2 -> Val.inject_list f (decode_longs tyl vl1) (decode_longs tyl vl2).
Proof.
- induction tyl; simpl; intros.
+ induction tyl; simpl; intros.
auto.
destruct a; inv H; auto. inv H1; auto. constructor; auto. apply Val.longofwords_inject; auto. Qed.
Lemma encode_long_lessdef:
forall oty v1 v2, Val.lessdef v1 v2 -> Val.lessdef_list (encode_long oty v1) (encode_long oty v2).
Proof.
- intros. destruct oty as [[]|]; simpl; auto.
+ intros. destruct oty as [[]|]; simpl; auto.
constructor. apply Val.hiword_lessdef; auto. constructor. apply Val.loword_lessdef; auto. auto.
Qed.
Lemma encode_long_inject:
forall f oty v1 v2, Val.inject f v1 v2 -> Val.inject_list f (encode_long oty v1) (encode_long oty v2).
Proof.
- intros. destruct oty as [[]|]; simpl; auto.
+ intros. destruct oty as [[]|]; simpl; auto.
constructor. apply Val.hiword_inject; auto. constructor. apply Val.loword_inject; auto. auto.
Qed.
@@ -1589,8 +1589,8 @@ Lemma external_call_well_typed':
external_call' ef ge vargs m1 t vres m2 ->
Val.has_type_list vres (proj_sig_res' (ef_sig ef)).
Proof.
- intros. inv H. apply encode_long_has_type.
- eapply external_call_well_typed; eauto.
+ intros. inv H. apply encode_long_has_type.
+ eapply external_call_well_typed; eauto.
Qed.
Lemma external_call_symbols_preserved':
@@ -1631,9 +1631,9 @@ Lemma external_call_mem_extends':
/\ Mem.extends m2 m2'
/\ Mem.unchanged_on (loc_out_of_bounds m1) m1' m2'.
Proof.
- intros. inv H.
+ intros. inv H.
exploit external_call_mem_extends; eauto.
- eapply decode_longs_lessdef; eauto.
+ eapply decode_longs_lessdef; eauto.
intros (v' & m2' & A & B & C & D).
exists (encode_long (sig_res (ef_sig ef)) v'); exists m2'; intuition.
econstructor; eauto.
@@ -1655,7 +1655,7 @@ Lemma external_call_mem_inject':
/\ inject_incr f f'
/\ inject_separated f f' m1 m1'.
Proof.
- intros. inv H0.
+ intros. inv H0.
exploit external_call_mem_inject; eauto.
eapply decode_longs_inject; eauto.
intros (f' & v' & m2' & A & B & C & D & E & P & Q).
@@ -1670,8 +1670,8 @@ Lemma external_call_determ':
external_call' ef ge vargs m t2 vres2 m2 ->
match_traces ge t1 t2 /\ (t1 = t2 -> vres1 = vres2 /\ m1 = m2).
Proof.
- intros. inv H; inv H0. exploit external_call_determ. eexact H1. eexact H.
- intros [A B]. split. auto. intros. destruct B as [C D]; auto. subst. auto.
+ intros. inv H; inv H0. exploit external_call_determ. eexact H1. eexact H.
+ intros [A B]. split. auto. intros. destruct B as [C D]; auto. subst. auto.
Qed.
Lemma external_call_match_traces':
@@ -1689,7 +1689,7 @@ Lemma external_call_deterministic':
external_call' ef ge vargs m t vres2 m2 ->
vres1 = vres2 /\ m1 = m2.
Proof.
- intros. inv H; inv H0.
+ intros. inv H; inv H0.
exploit external_call_deterministic. eexact H1. eexact H. intros [A B].
split; congruence.
Qed.
@@ -1768,13 +1768,13 @@ Lemma eval_builtin_arg_preserved:
Proof.
assert (EQ: forall id ofs, Senv.symbol_address ge2 id ofs = Senv.symbol_address ge1 id ofs).
{ unfold Senv.symbol_address; simpl; intros. rewrite symbols_preserved; auto. }
- induction 1; eauto with barg. rewrite <- EQ in H; eauto with barg. rewrite <- EQ; eauto with barg.
-Qed.
+ induction 1; eauto with barg. rewrite <- EQ in H; eauto with barg. rewrite <- EQ; eauto with barg.
+Qed.
Lemma eval_builtin_args_preserved:
forall al vl, eval_builtin_args ge1 e sp m al vl -> eval_builtin_args ge2 e sp m al vl.
Proof.
- induction 1; constructor; auto; eapply eval_builtin_arg_preserved; eauto.
+ induction 1; constructor; auto; eapply eval_builtin_arg_preserved; eauto.
Qed.
End EVAL_BUILTIN_ARG_PRESERVED.
@@ -1802,13 +1802,13 @@ Proof.
- econstructor; eauto with barg.
- econstructor; eauto with barg.
- econstructor; eauto with barg.
-- exploit Mem.loadv_extends; eauto. intros (v' & P & Q). exists v'; eauto with barg.
+- exploit Mem.loadv_extends; eauto. intros (v' & P & Q). exists v'; eauto with barg.
- econstructor; eauto with barg.
- exploit Mem.loadv_extends; eauto. intros (v' & P & Q). exists v'; eauto with barg.
- econstructor; eauto with barg.
- destruct IHeval_builtin_arg1 as (vhi' & P & Q).
destruct IHeval_builtin_arg2 as (vlo' & R & S).
- econstructor; split; eauto with barg. apply Val.longofwords_lessdef; auto.
+ econstructor; split; eauto with barg. apply Val.longofwords_lessdef; auto.
Qed.
Lemma eval_builtin_args_lessdef:
@@ -1817,7 +1817,7 @@ Lemma eval_builtin_args_lessdef:
Proof.
induction 1.
- econstructor; split. constructor. auto.
-- exploit eval_builtin_arg_lessdef; eauto. intros (v1' & P & Q).
+- exploit eval_builtin_arg_lessdef; eauto. intros (v1' & P & Q).
destruct IHlist_forall2 as (vl' & U & V).
exists (v1'::vl'); split; constructor; auto.
Qed.
diff --git a/common/Globalenvs.v b/common/Globalenvs.v
index 30f03654..5f78ea6b 100644
--- a/common/Globalenvs.v
+++ b/common/Globalenvs.v
@@ -14,11 +14,11 @@
(* *)
(* *********************************************************************)
-(** Global environments are a component of the dynamic semantics of
+(** Global environments are a component of the dynamic semantics of
all languages involved in the compiler. A global environment
maps symbol names (names of functions and of global variables)
to the corresponding memory addresses. It also maps memory addresses
- of functions to the corresponding function descriptions.
+ of functions to the corresponding function descriptions.
Global environments, along with the initial memory state at the beginning
of program execution, are built from the program of interest, as follows:
@@ -110,7 +110,7 @@ Theorem shift_symbol_address:
forall ge id ofs n,
symbol_address ge id (Int.add ofs n) = Val.add (symbol_address ge id ofs) (Vint n).
Proof.
- intros. unfold symbol_address. destruct (find_symbol ge id); auto.
+ intros. unfold symbol_address. destruct (find_symbol ge id); auto.
Qed.
End Senv.
@@ -137,7 +137,7 @@ Record t: Type := mkgenv {
genv_vars_range: forall b v, PTree.get b genv_vars = Some v -> Plt b genv_next;
genv_funs_vars: forall b1 b2 f v,
PTree.get b1 genv_funs = Some f -> PTree.get b2 genv_vars = Some v -> b1 <> b2;
- genv_vars_inj: forall id1 id2 b,
+ genv_vars_inj: forall id1 id2 b,
PTree.get id1 genv_symb = Some b -> PTree.get id2 genv_symb = Some b -> id1 = id2
}.
@@ -225,18 +225,18 @@ Next Obligation.
apply Plt_trans_succ; eauto.
Qed.
Next Obligation.
- destruct ge; simpl in *.
- destruct g.
- rewrite PTree.gsspec in H.
+ destruct ge; simpl in *.
+ destruct g.
+ rewrite PTree.gsspec in H.
destruct (peq b genv_next0). inv H. apply Plt_succ.
apply Plt_trans_succ; eauto.
apply Plt_trans_succ; eauto.
Qed.
Next Obligation.
- destruct ge; simpl in *.
+ destruct ge; simpl in *.
destruct g.
apply Plt_trans_succ; eauto.
- rewrite PTree.gsspec in H.
+ rewrite PTree.gsspec in H.
destruct (peq b genv_next0). inv H. apply Plt_succ.
apply Plt_trans_succ; eauto.
Qed.
@@ -253,8 +253,8 @@ Next Obligation.
eauto.
Qed.
Next Obligation.
- destruct ge; simpl in *.
- rewrite PTree.gsspec in H. rewrite PTree.gsspec in H0.
+ destruct ge; simpl in *.
+ rewrite PTree.gsspec in H. rewrite PTree.gsspec in H0.
destruct (peq id1 i); destruct (peq id2 i).
congruence.
inv H. eelim Plt_strict. eapply genv_symb_range0; eauto.
@@ -304,9 +304,9 @@ Lemma add_globals_preserves:
(forall ge id g, P ge -> In (id, g) gl -> P (add_global ge (id, g))) ->
P ge -> P (add_globals ge gl).
Proof.
- induction gl; simpl; intros.
+ induction gl; simpl; intros.
auto.
- destruct a. apply IHgl; auto.
+ destruct a. apply IHgl; auto.
Qed.
Lemma add_globals_ensures:
@@ -317,8 +317,8 @@ Lemma add_globals_ensures:
Proof.
induction gl; simpl; intros.
contradiction.
- destruct H1. subst a. apply add_globals_preserves; auto.
- apply IHgl; auto.
+ destruct H1. subst a. apply add_globals_preserves; auto.
+ apply IHgl; auto.
Qed.
Lemma add_globals_unique_preserves:
@@ -326,9 +326,9 @@ Lemma add_globals_unique_preserves:
(forall ge id1 g, P ge -> In (id1, g) gl -> id1 <> id -> P (add_global ge (id1, g))) ->
~In id (map fst gl) -> P ge -> P (add_globals ge gl).
Proof.
- induction gl; simpl; intros.
+ induction gl; simpl; intros.
auto.
- destruct a. apply IHgl; auto.
+ destruct a. apply IHgl; auto.
Qed.
Lemma add_globals_unique_ensures:
@@ -347,10 +347,10 @@ Remark in_norepet_unique:
Proof.
induction gl as [|[id1 g1] gl]; simpl; intros.
contradiction.
- inv H0. destruct H.
- inv H. exists nil, gl. auto.
- exploit IHgl; eauto. intros (gl1 & gl2 & X & Y).
- exists ((id1, g1) :: gl1), gl2; split; auto. rewrite X; auto.
+ inv H0. destruct H.
+ inv H. exists nil, gl. auto.
+ exploit IHgl; eauto. intros (gl1 & gl2 & X & Y).
+ exists ((id1, g1) :: gl1), gl2; split; auto. rewrite X; auto.
Qed.
Lemma add_globals_norepet_ensures:
@@ -359,8 +359,8 @@ Lemma add_globals_norepet_ensures:
(forall ge, P (add_global ge (id, g))) ->
In (id, g) gl -> list_norepet (map fst gl) -> P (add_globals ge gl).
Proof.
- intros. exploit in_norepet_unique; eauto. intros (gl1 & gl2 & X & Y).
- subst gl. apply add_globals_unique_ensures; auto. intros. eapply H; eauto.
+ intros. exploit in_norepet_unique; eauto. intros (gl1 & gl2 & X & Y).
+ subst gl. apply add_globals_unique_ensures; auto. intros. eapply H; eauto.
apply in_or_app; simpl; auto.
Qed.
@@ -371,7 +371,7 @@ End GLOBALENV_PRINCIPLES.
Theorem public_symbol_exists:
forall ge id, public_symbol ge id = true -> exists b, find_symbol ge id = Some b.
Proof.
- unfold public_symbol; intros. destruct (find_symbol ge id) as [b|].
+ unfold public_symbol; intros. destruct (find_symbol ge id) as [b|].
exists b; auto.
discriminate.
Qed.
@@ -380,15 +380,15 @@ Theorem shift_symbol_address:
forall ge id ofs n,
symbol_address ge id (Int.add ofs n) = Val.add (symbol_address ge id ofs) (Vint n).
Proof.
- intros. unfold symbol_address. destruct (find_symbol ge id); auto.
+ intros. unfold symbol_address. destruct (find_symbol ge id); auto.
Qed.
Theorem find_funct_inv:
forall ge v f,
find_funct ge v = Some f -> exists b, v = Vptr b Int.zero.
Proof.
- intros until f; unfold find_funct.
- destruct v; try congruence.
+ intros until f; unfold find_funct.
+ destruct v; try congruence.
destruct (Int.eq_dec i Int.zero); try congruence.
intros. exists b; congruence.
Qed.
@@ -428,7 +428,7 @@ Proof.
rewrite PTree.gso; auto.
destruct g1 as [f1 | v1]. rewrite PTree.gso. auto.
apply Plt_ne. eapply genv_funs_range; eauto.
- auto.
+ auto.
(* ensures *)
intros. unfold find_symbol, find_funct_ptr in *; simpl.
exists (genv_next ge); split. apply PTree.gss. apply PTree.gss.
@@ -442,8 +442,8 @@ Corollary find_funct_ptr_exists:
find_symbol (globalenv p) id = Some b
/\ find_funct_ptr (globalenv p) b = Some f.
Proof.
- intros. exploit in_norepet_unique; eauto. intros (gl1 & gl2 & X & Y).
- eapply find_funct_ptr_exists_2; eauto.
+ intros. exploit in_norepet_unique; eauto. intros (gl1 & gl2 & X & Y).
+ eapply find_funct_ptr_exists_2; eauto.
Qed.
Theorem find_var_exists_2:
@@ -462,7 +462,7 @@ Proof.
apply Plt_ne. eapply genv_vars_range; eauto.
(* ensures *)
intros. unfold find_symbol, find_var_info in *; simpl.
- exists (genv_next ge); split. apply PTree.gss. apply PTree.gss.
+ exists (genv_next ge); split. apply PTree.gss. apply PTree.gss.
Qed.
Corollary find_var_exists:
@@ -473,8 +473,8 @@ Corollary find_var_exists:
find_symbol (globalenv p) id = Some b
/\ find_var_info (globalenv p) b = Some v.
Proof.
- intros. exploit in_norepet_unique; eauto. intros (gl1 & gl2 & X & Y).
- eapply find_var_exists_2; eauto.
+ intros. exploit in_norepet_unique; eauto. intros (gl1 & gl2 & X & Y).
+ eapply find_var_exists_2; eauto.
Qed.
Lemma find_symbol_inversion : forall p x b,
@@ -483,7 +483,7 @@ Lemma find_symbol_inversion : forall p x b,
Proof.
intros until b; unfold globalenv. eapply add_globals_preserves.
(* preserves *)
- unfold find_symbol; simpl; intros. rewrite PTree.gsspec in H1.
+ unfold find_symbol; simpl; intros. rewrite PTree.gsspec in H1.
destruct (peq x id). subst x. change id with (fst (id, g)). apply List.in_map; auto.
auto.
(* base *)
@@ -495,9 +495,9 @@ Theorem find_funct_ptr_inversion:
find_funct_ptr (globalenv p) b = Some f ->
exists id, In (id, Gfun f) (prog_defs p).
Proof.
- intros until f. unfold globalenv. apply add_globals_preserves.
+ intros until f. unfold globalenv. apply add_globals_preserves.
(* preserves *)
- unfold find_funct_ptr; simpl; intros. destruct g; auto.
+ unfold find_funct_ptr; simpl; intros. destruct g; auto.
rewrite PTree.gsspec in H1. destruct (peq b (genv_next ge)).
inv H1. exists id; auto.
auto.
@@ -510,7 +510,7 @@ Theorem find_funct_inversion:
find_funct (globalenv p) v = Some f ->
exists id, In (id, Gfun f) (prog_defs p).
Proof.
- intros. exploit find_funct_inv; eauto. intros [b EQ]. subst v.
+ intros. exploit find_funct_inv; eauto. intros [b EQ]. subst v.
rewrite find_funct_find_funct_ptr in H.
eapply find_funct_ptr_inversion; eauto.
Qed.
@@ -539,9 +539,9 @@ Theorem find_funct_ptr_symbol_inversion:
find_funct_ptr (globalenv p) b = Some f ->
In (id, Gfun f) p.(prog_defs).
Proof.
- intros until f. unfold globalenv, find_symbol, find_funct_ptr. apply add_globals_preserves.
+ intros until f. unfold globalenv, find_symbol, find_funct_ptr. apply add_globals_preserves.
(* preserves *)
- intros. simpl in *. rewrite PTree.gsspec in H1. destruct (peq id id0).
+ intros. simpl in *. rewrite PTree.gsspec in H1. destruct (peq id id0).
inv H1. destruct g as [f1|v1]. rewrite PTree.gss in H2. inv H2. auto.
eelim Plt_strict. eapply genv_funs_range; eauto.
destruct g as [f1|v1]. rewrite PTree.gso in H2. auto.
@@ -559,7 +559,7 @@ Theorem global_addresses_distinct:
find_symbol ge id2 = Some b2 ->
b1 <> b2.
Proof.
- intros. red; intros; subst. elim H. destruct ge. eauto.
+ intros. red; intros; subst. elim H. destruct ge. eauto.
Qed.
Theorem invert_find_symbol:
@@ -568,9 +568,9 @@ Theorem invert_find_symbol:
Proof.
intros until b; unfold find_symbol, invert_symbol.
apply PTree_Properties.fold_rec.
- intros. rewrite H in H0; auto.
+ intros. rewrite H in H0; auto.
congruence.
- intros. destruct (eq_block b v). inv H2. apply PTree.gss.
+ intros. destruct (eq_block b v). inv H2. apply PTree.gss.
rewrite PTree.gsspec. destruct (peq id k).
subst. assert (m!k = Some b) by auto. congruence.
auto.
@@ -588,9 +588,9 @@ Proof.
rewrite PTree.gempty; congruence.
intros. destruct (eq_block b v). exists k; auto.
rewrite PTree.gsspec in H2. destruct (peq id k).
- inv H2. congruence. auto.
+ inv H2. congruence. auto.
- intros; exploit H; eauto. intros [id' A].
+ intros; exploit H; eauto. intros [id' A].
assert (id = id'). eapply genv_vars_inj; eauto. apply invert_find_symbol; auto.
congruence.
Qed.
@@ -604,14 +604,14 @@ Remark genv_next_add_globals:
Proof.
induction gl; simpl; intros.
auto.
- rewrite IHgl. auto.
+ rewrite IHgl. auto.
Qed.
Remark genv_public_add_globals:
forall gl ge,
genv_public (add_globals ge gl) = genv_public ge.
Proof.
- induction gl; simpl; intros.
+ induction gl; simpl; intros.
auto.
rewrite IHgl; auto.
Qed.
@@ -619,7 +619,7 @@ Qed.
Theorem globalenv_public:
forall p, genv_public (globalenv p) = prog_public p.
Proof.
- unfold globalenv; intros. rewrite genv_public_add_globals. auto.
+ unfold globalenv; intros. rewrite genv_public_add_globals. auto.
Qed.
Theorem block_is_volatile_below:
@@ -765,11 +765,11 @@ Remark store_init_data_list_nextblock:
Proof.
induction idl; simpl; intros until m'.
intros. congruence.
- caseEq (store_init_data m b p a); try congruence. intros.
- transitivity (Mem.nextblock m0). eauto.
+ caseEq (store_init_data m b p a); try congruence. intros.
+ transitivity (Mem.nextblock m0). eauto.
destruct a; simpl in H; try (eapply Mem.nextblock_store; eauto; fail).
congruence.
- destruct (find_symbol ge i); try congruence. eapply Mem.nextblock_store; eauto.
+ destruct (find_symbol ge i); try congruence. eapply Mem.nextblock_store; eauto.
Qed.
Remark alloc_global_nextblock:
@@ -778,10 +778,10 @@ Remark alloc_global_nextblock:
Mem.nextblock m' = Psucc(Mem.nextblock m).
Proof.
unfold alloc_global. intros.
- destruct g as [id [f|v]].
+ destruct g as [id [f|v]].
(* function *)
destruct (Mem.alloc m 0 1) as [m1 b] eqn:?.
- erewrite Mem.nextblock_drop; eauto. erewrite Mem.nextblock_alloc; eauto.
+ erewrite Mem.nextblock_drop; eauto. erewrite Mem.nextblock_alloc; eauto.
(* variable *)
set (init := gvar_init v) in *.
set (sz := init_data_list_size init) in *.
@@ -824,13 +824,13 @@ Remark store_init_data_list_perm:
(Mem.perm m b' q k prm <-> Mem.perm m' b' q k prm).
Proof.
induction idl; simpl; intros until m'.
- intros. inv H. tauto.
+ intros. inv H. tauto.
caseEq (store_init_data m b p a); try congruence. intros.
rewrite <- (IHidl _ _ _ _ H0).
assert (forall chunk v,
Mem.store chunk m b p v = Some m0 ->
(Mem.perm m b' q k prm <-> Mem.perm m0 b' q k prm)).
- intros; split; eauto with mem.
+ intros; split; eauto with mem.
destruct a; simpl in H; eauto.
inv H; tauto.
destruct (find_symbol ge i). eauto. discriminate.
@@ -842,13 +842,13 @@ Remark alloc_global_perm:
Mem.valid_block m b' ->
(Mem.perm m b' q k prm <-> Mem.perm m' b' q k prm).
Proof.
- intros. destruct idg as [id [f|v]]; simpl in H.
+ intros. destruct idg as [id [f|v]]; simpl in H.
(* function *)
- destruct (Mem.alloc m 0 1) as [m1 b] eqn:?.
+ destruct (Mem.alloc m 0 1) as [m1 b] eqn:?.
assert (b' <> b). apply Mem.valid_not_valid_diff with m; eauto with mem.
split; intros.
- eapply Mem.perm_drop_3; eauto. eapply Mem.perm_alloc_1; eauto.
- eapply Mem.perm_alloc_4; eauto. eapply Mem.perm_drop_4; eauto.
+ eapply Mem.perm_drop_3; eauto. eapply Mem.perm_alloc_1; eauto.
+ eapply Mem.perm_alloc_4; eauto. eapply Mem.perm_drop_4; eauto.
(* variable *)
set (init := gvar_init v) in *.
set (sz := init_data_list_size init) in *.
@@ -860,11 +860,11 @@ Proof.
eapply Mem.perm_drop_3; eauto.
erewrite <- store_init_data_list_perm; [idtac|eauto].
erewrite <- store_zeros_perm; [idtac|eauto].
- eapply Mem.perm_alloc_1; eauto.
+ eapply Mem.perm_alloc_1; eauto.
eapply Mem.perm_alloc_4; eauto.
erewrite store_zeros_perm; [idtac|eauto].
- erewrite store_init_data_list_perm; [idtac|eauto].
- eapply Mem.perm_drop_4; eauto.
+ erewrite store_init_data_list_perm; [idtac|eauto].
+ eapply Mem.perm_drop_4; eauto.
Qed.
Remark alloc_globals_perm:
@@ -876,7 +876,7 @@ Proof.
induction gl.
simpl; intros. inv H. tauto.
simpl; intros. destruct (alloc_global m a) as [m1|] eqn:?; try discriminate.
- erewrite alloc_global_perm; eauto. eapply IHgl; eauto.
+ erewrite alloc_global_perm; eauto. eapply IHgl; eauto.
unfold Mem.valid_block in *. erewrite alloc_global_nextblock; eauto.
apply Plt_trans_succ; auto.
Qed.
@@ -892,9 +892,9 @@ Remark store_zeros_load_outside:
Proof.
intros until n. functional induction (store_zeros m b p n); intros.
inv H; auto.
- transitivity (Mem.load chunk m' b' p').
- apply IHo. auto. intuition omega.
- eapply Mem.load_store_other; eauto. simpl. intuition omega.
+ transitivity (Mem.load chunk m' b' p').
+ apply IHo. auto. intuition omega.
+ eapply Mem.load_store_other; eauto. simpl. intuition omega.
discriminate.
Qed.
@@ -907,15 +907,15 @@ Remark store_zeros_loadbytes_outside:
Proof.
intros until n. functional induction (store_zeros m b p n); intros.
inv H; auto.
- transitivity (Mem.loadbytes m' b' p' n').
+ transitivity (Mem.loadbytes m' b' p' n').
apply IHo. auto. intuition omega.
- eapply Mem.loadbytes_store_other; eauto. simpl. intuition omega.
+ eapply Mem.loadbytes_store_other; eauto. simpl. intuition omega.
discriminate.
Qed.
Definition read_as_zero (m: mem) (b: block) (ofs len: Z) : Prop :=
forall chunk p,
- ofs <= p -> p + size_chunk chunk <= ofs + len ->
+ ofs <= p -> p + size_chunk chunk <= ofs + len ->
(align_chunk chunk | p) ->
Mem.load chunk m b p =
Some (match chunk with
@@ -938,18 +938,18 @@ Proof.
rewrite inj_S in H1. omegaContradiction.
- destruct (zeq p' p).
+ subst p'. destruct n'. simpl. apply Mem.loadbytes_empty. omega.
- rewrite inj_S in H1. rewrite inj_S.
+ rewrite inj_S in H1. rewrite inj_S.
replace (Z.succ (Z.of_nat n')) with (1 + Z.of_nat n') by omega.
change (list_repeat (S n') (Byte Byte.zero))
with ((Byte Byte.zero :: nil) ++ list_repeat n' (Byte Byte.zero)).
- apply Mem.loadbytes_concat.
+ apply Mem.loadbytes_concat.
erewrite store_zeros_loadbytes_outside; eauto.
change (Byte Byte.zero :: nil) with (encode_val Mint8unsigned Vzero).
change 1 with (size_chunk Mint8unsigned).
- eapply Mem.loadbytes_store_same; eauto.
+ eapply Mem.loadbytes_store_same; eauto.
right; omega.
- eapply IHo; eauto. omega. omega. omega. omega.
- + eapply IHo; eauto. omega. omega.
+ eapply IHo; eauto. omega. omega. omega. omega.
+ + eapply IHo; eauto. omega. omega.
- discriminate.
Qed.
@@ -960,9 +960,9 @@ Lemma store_zeros_read_as_zero:
Proof.
intros; red; intros.
transitivity (Some(decode_val chunk (list_repeat (size_chunk_nat chunk) (Byte Byte.zero)))).
- apply Mem.loadbytes_load; auto. rewrite size_chunk_conv.
- eapply store_zeros_loadbytes; eauto. rewrite <- size_chunk_conv; auto.
- f_equal. destruct chunk; reflexivity.
+ apply Mem.loadbytes_load; auto. rewrite size_chunk_conv.
+ eapply store_zeros_loadbytes; eauto. rewrite <- size_chunk_conv; auto.
+ f_equal. destruct chunk; reflexivity.
Qed.
Remark store_init_data_outside:
@@ -974,8 +974,8 @@ Remark store_init_data_outside:
Proof.
intros. destruct i; simpl in *;
try (eapply Mem.load_store_other; eauto; fail).
- inv H; auto.
- destruct (find_symbol ge i); try congruence.
+ inv H; auto.
+ destruct (find_symbol ge i); try congruence.
eapply Mem.load_store_other; eauto; intuition.
Qed.
@@ -991,7 +991,7 @@ Proof.
intros. destruct (store_init_data m b p a) as [m1|] eqn:?; try congruence.
transitivity (Mem.load chunk m1 b' q).
eapply IHil; eauto. generalize (init_data_size_pos a). intuition omega.
- eapply store_init_data_outside; eauto. tauto.
+ eapply store_init_data_outside; eauto. tauto.
Qed.
Fixpoint load_store_init_data (m: mem) (b: block) (p: Z) (il: list init_data) {struct il} : Prop :=
@@ -1041,17 +1041,17 @@ Proof.
Mem.load chunk m' b p = Some(Val.load_result chunk v)).
{
intros. transitivity (Mem.load chunk m1 b p).
- eapply store_init_data_list_outside; eauto. right. omega.
- eapply Mem.load_store_same; eauto.
+ eapply store_init_data_list_outside; eauto. right. omega.
+ eapply Mem.load_store_same; eauto.
}
induction il; simpl.
auto.
intros. destruct (store_init_data m b p a) as [m1|] eqn:?; try congruence.
exploit IHil; eauto.
- red; intros. transitivity (Mem.load chunk m b p0).
- eapply store_init_data_outside. eauto. auto.
- apply H0. generalize (init_data_size_pos a); omega. omega. auto.
- intro D.
+ red; intros. transitivity (Mem.load chunk m b p0).
+ eapply store_init_data_outside. eauto. auto.
+ apply H0. generalize (init_data_size_pos a); omega. omega. auto.
+ intro D.
destruct a; simpl in Heqo; intuition.
eapply (A Mint8unsigned (Vint i)); eauto.
eapply (A Mint16unsigned (Vint i)); eauto.
@@ -1059,11 +1059,11 @@ Proof.
eapply (A Mint64 (Vlong i)); eauto.
eapply (A Mfloat32 (Vsingle f)); eauto.
eapply (A Mfloat64 (Vfloat f)); eauto.
- inv Heqo. red; intros. transitivity (Mem.load chunk m1 b p0).
- eapply store_init_data_list_outside; eauto. right. simpl. xomega.
+ inv Heqo. red; intros. transitivity (Mem.load chunk m1 b p0).
+ eapply store_init_data_list_outside; eauto. right. simpl. xomega.
apply H0; auto. simpl. generalize (init_data_list_size_pos il); xomega.
- destruct (find_symbol ge i); try congruence. exists b0; split; auto.
- eapply (A Mint32 (Vptr b0 i0)); eauto.
+ destruct (find_symbol ge i); try congruence. exists b0; split; auto.
+ eapply (A Mint32 (Vptr b0 i0)); eauto.
Qed.
Remark load_alloc_global:
@@ -1074,10 +1074,10 @@ Remark load_alloc_global:
Proof.
intros. destruct g as [f|v]; simpl in H.
(* function *)
- destruct (Mem.alloc m 0 1) as [m1 b'] eqn:?.
+ destruct (Mem.alloc m 0 1) as [m1 b'] eqn:?.
assert (b <> b'). apply Mem.valid_not_valid_diff with m; eauto with mem.
- transitivity (Mem.load chunk m1 b p).
- eapply Mem.load_drop; eauto.
+ transitivity (Mem.load chunk m1 b p).
+ eapply Mem.load_drop; eauto.
eapply Mem.load_alloc_unchanged; eauto.
(* variable *)
set (init := gvar_init v) in *.
@@ -1086,10 +1086,10 @@ Proof.
destruct (store_zeros m1 b' 0 sz) as [m2|] eqn:?; try discriminate.
destruct (store_init_data_list m2 b' 0 init) as [m3|] eqn:?; try discriminate.
assert (b <> b'). apply Mem.valid_not_valid_diff with m; eauto with mem.
- transitivity (Mem.load chunk m3 b p).
+ transitivity (Mem.load chunk m3 b p).
eapply Mem.load_drop; eauto.
transitivity (Mem.load chunk m2 b p).
- eapply store_init_data_list_outside; eauto.
+ eapply store_init_data_list_outside; eauto.
transitivity (Mem.load chunk m1 b p).
eapply store_zeros_load_outside; eauto.
eapply Mem.load_alloc_unchanged; eauto.
@@ -1104,11 +1104,11 @@ Proof.
induction gl; simpl; intros.
congruence.
destruct (alloc_global m a) as [m''|] eqn:?; try discriminate.
- transitivity (Mem.load chunk m'' b p).
- apply IHgl; auto. unfold Mem.valid_block in *.
- erewrite alloc_global_nextblock; eauto.
+ transitivity (Mem.load chunk m'' b p).
+ apply IHgl; auto. unfold Mem.valid_block in *.
+ erewrite alloc_global_nextblock; eauto.
apply Plt_trans with (Mem.nextblock m); auto. apply Plt_succ.
- destruct a as [id g]. eapply load_alloc_global; eauto.
+ destruct a as [id g]. eapply load_alloc_global; eauto.
Qed.
Remark load_store_init_data_invariant:
@@ -1119,7 +1119,7 @@ Remark load_store_init_data_invariant:
Proof.
induction il; intro p; simpl.
auto.
- repeat rewrite H. destruct a; intuition. red; intros; rewrite H; auto.
+ repeat rewrite H. destruct a; intuition. red; intros; rewrite H; auto.
Qed.
Definition variables_initialized (g: t) (m: mem) :=
@@ -1146,19 +1146,19 @@ Lemma alloc_global_initialized:
/\ functions_initialized (add_global ge (id, g)) m'
/\ genv_next (add_global ge (id, g)) = Mem.nextblock m'.
Proof.
- intros.
+ intros.
exploit alloc_global_nextblock; eauto. intros NB. split.
(* variables-initialized *)
destruct g as [f|v].
(* function *)
- red; intros. unfold find_var_info in H3. simpl in H3.
+ red; intros. unfold find_var_info in H3. simpl in H3.
exploit H1; eauto. intros [A [B C]].
- assert (D: Mem.valid_block m b).
+ assert (D: Mem.valid_block m b).
red. exploit genv_vars_range; eauto. rewrite H; auto.
- split. red; intros. erewrite <- alloc_global_perm; eauto.
- split. intros. eapply B. erewrite alloc_global_perm; eauto.
- intros. apply load_store_init_data_invariant with m; auto.
- intros. eapply load_alloc_global; eauto.
+ split. red; intros. erewrite <- alloc_global_perm; eauto.
+ split. intros. eapply B. erewrite alloc_global_perm; eauto.
+ intros. apply load_store_init_data_invariant with m; auto.
+ intros. eapply load_alloc_global; eauto.
(* variable *)
red; intros. unfold find_var_info in H3. simpl in H3. rewrite PTree.gsspec in H3.
destruct (peq b (genv_next ge0)).
@@ -1169,29 +1169,29 @@ Proof.
destruct (Mem.alloc m 0 sz) as [m1 b'] eqn:?.
destruct (store_zeros m1 b' 0 sz) as [m2|] eqn:?; try discriminate.
destruct (store_init_data_list m2 b' 0 init) as [m3|] eqn:?; try discriminate.
- exploit Mem.alloc_result; eauto. intro RES.
+ exploit Mem.alloc_result; eauto. intro RES.
replace (genv_next ge0) with b' by congruence.
split. red; intros. eapply Mem.perm_drop_1; eauto.
split. intros.
assert (0 <= ofs < sz).
eapply Mem.perm_alloc_3; eauto.
erewrite store_zeros_perm; [idtac|eauto].
- erewrite store_init_data_list_perm; [idtac|eauto].
+ erewrite store_init_data_list_perm; [idtac|eauto].
eapply Mem.perm_drop_4; eauto.
split. auto. eapply Mem.perm_drop_2; eauto.
- intros. apply load_store_init_data_invariant with m3.
- intros. eapply Mem.load_drop; eauto.
- right; right; right. unfold perm_globvar. rewrite H3.
+ intros. apply load_store_init_data_invariant with m3.
+ intros. eapply Mem.load_drop; eauto.
+ right; right; right. unfold perm_globvar. rewrite H3.
destruct (gvar_readonly gv); auto with mem.
eapply store_init_data_list_charact; eauto.
- eapply store_zeros_read_as_zero; eauto.
+ eapply store_zeros_read_as_zero; eauto.
(* older var *)
exploit H1; eauto. intros [A [B C]].
- assert (D: Mem.valid_block m b).
- red. exploit genv_vars_range; eauto. rewrite H; auto.
- split. red; intros. erewrite <- alloc_global_perm; eauto.
- split. intros. eapply B. erewrite alloc_global_perm; eauto.
- intros. apply load_store_init_data_invariant with m; auto.
+ assert (D: Mem.valid_block m b).
+ red. exploit genv_vars_range; eauto. rewrite H; auto.
+ split. red; intros. erewrite <- alloc_global_perm; eauto.
+ split. intros. eapply B. erewrite alloc_global_perm; eauto.
+ intros. apply load_store_init_data_invariant with m; auto.
intros. eapply load_alloc_global; eauto.
(* functions-initialized *)
split. destruct g as [f|v].
@@ -1199,11 +1199,11 @@ Proof.
red; intros. unfold find_funct_ptr in H3. simpl in H3. rewrite PTree.gsspec in H3.
destruct (peq b (genv_next ge0)).
(* same *)
- inv H3. simpl in H0.
- destruct (Mem.alloc m 0 1) as [m1 b'] eqn:?.
- exploit Mem.alloc_result; eauto. intro RES.
+ inv H3. simpl in H0.
+ destruct (Mem.alloc m 0 1) as [m1 b'] eqn:?.
+ exploit Mem.alloc_result; eauto. intro RES.
replace (genv_next ge0) with b' by congruence.
- split. eapply Mem.perm_drop_1; eauto. omega.
+ split. eapply Mem.perm_drop_1; eauto. omega.
intros.
assert (0 <= ofs < 1).
eapply Mem.perm_alloc_3; eauto.
@@ -1211,16 +1211,16 @@ Proof.
split. omega. eapply Mem.perm_drop_2; eauto.
(* older function *)
exploit H2; eauto. intros [A B].
- assert (D: Mem.valid_block m b).
+ assert (D: Mem.valid_block m b).
red. exploit genv_funs_range; eauto. rewrite H; auto.
- split. erewrite <- alloc_global_perm; eauto.
+ split. erewrite <- alloc_global_perm; eauto.
intros. eapply B. erewrite alloc_global_perm; eauto.
(* variables *)
- red; intros. unfold find_funct_ptr in H3. simpl in H3.
+ red; intros. unfold find_funct_ptr in H3. simpl in H3.
exploit H2; eauto. intros [A B].
- assert (D: Mem.valid_block m b).
+ assert (D: Mem.valid_block m b).
red. exploit genv_funs_range; eauto. rewrite H; auto.
- split. erewrite <- alloc_global_perm; eauto.
+ split. erewrite <- alloc_global_perm; eauto.
intros. eapply B. erewrite alloc_global_perm; eauto.
(* nextblock *)
rewrite NB. simpl. rewrite H. auto.
@@ -1238,7 +1238,7 @@ Proof.
inv H0; auto.
destruct a as [id g]. destruct (alloc_global m (id, g)) as [m1|] eqn:?; try discriminate.
exploit alloc_global_initialized; eauto. intros [P [Q R]].
- eapply IHgl; eauto.
+ eapply IHgl; eauto.
Qed.
End INITMEM.
@@ -1247,12 +1247,12 @@ Definition init_mem (p: program F V) :=
alloc_globals (globalenv p) Mem.empty p.(prog_defs).
Lemma init_mem_genv_next: forall p m,
- init_mem p = Some m ->
+ init_mem p = Some m ->
genv_next (globalenv p) = Mem.nextblock m.
Proof.
unfold init_mem; intros.
exploit alloc_globals_nextblock; eauto. rewrite Mem.nextblock_empty. intro.
- generalize (genv_next_add_globals (prog_defs p) (empty_genv (prog_public p))).
+ generalize (genv_next_add_globals (prog_defs p) (empty_genv (prog_public p))).
fold (globalenv p). simpl genv_next. intros. congruence.
Qed.
@@ -1261,7 +1261,7 @@ Theorem find_symbol_not_fresh:
init_mem p = Some m ->
find_symbol (globalenv p) id = Some b -> Mem.valid_block m b.
Proof.
- intros. red. erewrite <- init_mem_genv_next; eauto.
+ intros. red. erewrite <- init_mem_genv_next; eauto.
eapply genv_symb_range; eauto.
Qed.
@@ -1270,7 +1270,7 @@ Theorem find_funct_ptr_not_fresh:
init_mem p = Some m ->
find_funct_ptr (globalenv p) b = Some f -> Mem.valid_block m b.
Proof.
- intros. red. erewrite <- init_mem_genv_next; eauto.
+ intros. red. erewrite <- init_mem_genv_next; eauto.
eapply genv_funs_range; eauto.
Qed.
@@ -1279,7 +1279,7 @@ Theorem find_var_info_not_fresh:
init_mem p = Some m ->
find_var_info (globalenv p) b = Some gv -> Mem.valid_block m b.
Proof.
- intros. red. erewrite <- init_mem_genv_next; eauto.
+ intros. red. erewrite <- init_mem_genv_next; eauto.
eapply genv_vars_range; eauto.
Qed.
@@ -1293,7 +1293,7 @@ Theorem init_mem_characterization:
/\ (gv.(gvar_volatile) = false -> load_store_init_data (globalenv p) m b 0 gv.(gvar_init)).
Proof.
intros. eapply alloc_globals_initialized; eauto.
- rewrite Mem.nextblock_empty. auto.
+ rewrite Mem.nextblock_empty. auto.
red; intros. unfold find_var_info in H1. simpl in H1. rewrite PTree.gempty in H1. congruence.
red; intros. unfold find_funct_ptr in H1. simpl in H1. rewrite PTree.gempty in H1. congruence.
Qed.
@@ -1328,7 +1328,7 @@ Lemma store_zeros_neutral:
Proof.
intros until n. functional induction (store_zeros m b p n); intros.
inv H1; auto.
- apply IHo; auto. eapply Mem.store_inject_neutral; eauto. constructor.
+ apply IHo; auto. eapply Mem.store_inject_neutral; eauto. constructor.
inv H1.
Qed.
@@ -1343,9 +1343,9 @@ Proof.
destruct id; simpl in H1; try (eapply Mem.store_inject_neutral; eauto; fail).
congruence.
destruct (find_symbol ge i) as [b'|] eqn:E; try discriminate.
- eapply Mem.store_inject_neutral; eauto.
- econstructor. unfold Mem.flat_inj. apply pred_dec_true; auto. eauto.
- rewrite Int.add_zero. auto.
+ eapply Mem.store_inject_neutral; eauto.
+ econstructor. unfold Mem.flat_inj. apply pred_dec_true; auto. eauto.
+ rewrite Int.add_zero. auto.
Qed.
Lemma store_init_data_list_neutral:
@@ -1358,7 +1358,7 @@ Proof.
induction idl; simpl; intros.
congruence.
destruct (store_init_data ge m b p a) as [m1|] eqn:E; try discriminate.
- eapply IHidl. eapply store_init_data_neutral; eauto. auto. eauto.
+ eapply IHidl. eapply store_init_data_neutral; eauto. auto. eauto.
Qed.
Lemma alloc_global_neutral:
@@ -1372,7 +1372,7 @@ Proof.
(* function *)
destruct (Mem.alloc m 0 1) as [m1 b] eqn:?.
assert (Plt b thr). rewrite (Mem.alloc_result _ _ _ _ _ Heqp). auto.
- eapply Mem.drop_inject_neutral; eauto.
+ eapply Mem.drop_inject_neutral; eauto.
eapply Mem.alloc_inject_neutral; eauto.
(* variable *)
set (init := gvar_init v) in *.
@@ -1381,9 +1381,9 @@ Proof.
destruct (store_zeros m1 b 0 sz) as [m2|] eqn:?; try discriminate.
destruct (store_init_data_list ge m2 b 0 init) as [m3|] eqn:?; try discriminate.
assert (Plt b thr). rewrite (Mem.alloc_result _ _ _ _ _ Heqp). auto.
- eapply Mem.drop_inject_neutral; eauto.
+ eapply Mem.drop_inject_neutral; eauto.
eapply store_init_data_list_neutral with (m := m2) (b := b); eauto.
- eapply store_zeros_neutral with (m := m1); eauto.
+ eapply store_zeros_neutral with (m := m1); eauto.
eapply Mem.alloc_inject_neutral; eauto.
Qed.
@@ -1403,7 +1403,7 @@ Lemma alloc_globals_neutral:
Proof.
induction gl; intros.
simpl in *. congruence.
- exploit alloc_globals_nextblock; eauto. intros EQ.
+ exploit alloc_globals_nextblock; eauto. intros EQ.
simpl in *. destruct (alloc_global ge m a) as [m1|] eqn:E; try discriminate.
exploit alloc_global_neutral; eauto.
assert (Ple (Psucc (Mem.nextblock m)) (Mem.nextblock m')).
@@ -1419,14 +1419,14 @@ Theorem initmem_inject:
Mem.inject (Mem.flat_inj (Mem.nextblock m)) m m.
Proof.
unfold init_mem; intros.
- apply Mem.neutral_inject.
- eapply alloc_globals_neutral; eauto.
+ apply Mem.neutral_inject.
+ eapply alloc_globals_neutral; eauto.
intros. exploit find_symbol_not_fresh; eauto.
apply Mem.empty_inject_neutral.
apply Ple_refl.
Qed.
-Section INITMEM_AUGMENT_INJ.
+Section INITMEM_AUGMENT_INJ.
Variable ge: t.
Variable thr: block.
@@ -1440,58 +1440,58 @@ Lemma store_zeros_augment:
Proof.
intros until n. functional induction (store_zeros m2 b p n); intros.
inv H1; auto.
- apply IHo; auto. exploit Mem.store_outside_inject; eauto. simpl.
- intros. exfalso. unfold Mem.flat_inj in H2. destruct (plt b' thr).
+ apply IHo; auto. exploit Mem.store_outside_inject; eauto. simpl.
+ intros. exfalso. unfold Mem.flat_inj in H2. destruct (plt b' thr).
inv H2. unfold Plt, Ple in *. zify; omega.
discriminate.
discriminate.
Qed.
-Lemma store_init_data_augment:
- forall m1 m2 b p id m2',
- Mem.inject (Mem.flat_inj thr) m1 m2 ->
- Ple thr b ->
+Lemma store_init_data_augment:
+ forall m1 m2 b p id m2',
+ Mem.inject (Mem.flat_inj thr) m1 m2 ->
+ Ple thr b ->
store_init_data ge m2 b p id = Some m2' ->
Mem.inject (Mem.flat_inj thr) m1 m2'.
-Proof.
- intros until m2'. intros INJ BND ST.
- assert (P: forall chunk ofs v m2',
- Mem.store chunk m2 b ofs v = Some m2' ->
- Mem.inject (Mem.flat_inj thr) m1 m2').
- intros. eapply Mem.store_outside_inject; eauto.
+Proof.
+ intros until m2'. intros INJ BND ST.
+ assert (P: forall chunk ofs v m2',
+ Mem.store chunk m2 b ofs v = Some m2' ->
+ Mem.inject (Mem.flat_inj thr) m1 m2').
+ intros. eapply Mem.store_outside_inject; eauto.
intros. unfold Mem.flat_inj in H0.
destruct (plt b' thr); inv H0. unfold Plt, Ple in *. zify; omega.
destruct id; simpl in ST; try (eapply P; eauto; fail).
congruence.
- revert ST. caseEq (find_symbol ge i); try congruence. intros; eapply P; eauto.
+ revert ST. caseEq (find_symbol ge i); try congruence. intros; eapply P; eauto.
Qed.
Lemma store_init_data_list_augment:
- forall b idl m1 m2 p m2',
- Mem.inject (Mem.flat_inj thr) m1 m2 ->
- Ple thr b ->
+ forall b idl m1 m2 p m2',
+ Mem.inject (Mem.flat_inj thr) m1 m2 ->
+ Ple thr b ->
store_init_data_list ge m2 b p idl = Some m2' ->
Mem.inject (Mem.flat_inj thr) m1 m2'.
-Proof.
+Proof.
induction idl; simpl.
intros; congruence.
intros until m2'; intros INJ FB.
- caseEq (store_init_data ge m2 b p a); try congruence. intros.
- eapply IHidl. eapply store_init_data_augment; eauto. auto. eauto.
+ caseEq (store_init_data ge m2 b p a); try congruence. intros.
+ eapply IHidl. eapply store_init_data_augment; eauto. auto. eauto.
Qed.
Lemma alloc_global_augment:
forall idg m1 m2 m2',
alloc_global ge m2 idg = Some m2' ->
- Mem.inject (Mem.flat_inj thr) m1 m2 ->
- Ple thr (Mem.nextblock m2) ->
+ Mem.inject (Mem.flat_inj thr) m1 m2 ->
+ Ple thr (Mem.nextblock m2) ->
Mem.inject (Mem.flat_inj thr) m1 m2'.
Proof.
intros. destruct idg as [id [f|v]]; simpl in H.
(* function *)
destruct (Mem.alloc m2 0 1) as [m3 b] eqn:?.
assert (Ple thr b). rewrite (Mem.alloc_result _ _ _ _ _ Heqp). auto.
- eapply Mem.drop_outside_inject. 2: eauto.
+ eapply Mem.drop_outside_inject. 2: eauto.
eapply Mem.alloc_right_inject; eauto.
intros. unfold Mem.flat_inj in H3. destruct (plt b' thr); inv H3.
unfold Plt, Ple in *. zify; omega.
@@ -1502,7 +1502,7 @@ Proof.
destruct (store_zeros m3 b 0 sz) as [m4|] eqn:?; try discriminate.
destruct (store_init_data_list ge m4 b 0 init) as [m5|] eqn:?; try discriminate.
assert (Ple thr b). rewrite (Mem.alloc_result _ _ _ _ _ Heqp). auto.
- eapply Mem.drop_outside_inject. 2: eauto.
+ eapply Mem.drop_outside_inject. 2: eauto.
eapply store_init_data_list_augment. 3: eauto. 2: eauto.
eapply store_zeros_augment. 3: eauto. 2: eauto.
eapply Mem.alloc_right_inject; eauto.
@@ -1520,13 +1520,13 @@ Proof.
induction gl; simpl.
intros. congruence.
intros until m2'. caseEq (alloc_global ge m2 a); try congruence. intros.
- eapply IHgl with (m2 := m); eauto.
- eapply alloc_global_augment; eauto.
- rewrite (alloc_global_nextblock _ _ _ H).
+ eapply IHgl with (m2 := m); eauto.
+ eapply alloc_global_augment; eauto.
+ rewrite (alloc_global_nextblock _ _ _ H).
apply Ple_trans with (Mem.nextblock m2); auto. apply Ple_succ.
Qed.
-End INITMEM_AUGMENT_INJ.
+End INITMEM_AUGMENT_INJ.
End GENV.
@@ -1545,7 +1545,7 @@ Inductive match_globvar: globvar V -> globvar W -> Prop :=
match_varinfo info1 info2 ->
match_globvar (mkglobvar info1 init ro vo) (mkglobvar info2 init ro vo).
-Record match_genvs (new_globs : list (ident * globdef B W))
+Record match_genvs (new_globs : list (ident * globdef B W))
(ge1: t A V) (ge2: t B W): Prop := {
mge_next:
genv_next ge2 = advance_next new_globs (genv_next ge1);
@@ -1557,9 +1557,9 @@ Record match_genvs (new_globs : list (ident * globdef B W))
exists tf, PTree.get b (genv_funs ge2) = Some tf /\ match_fun f tf;
mge_rev_funs:
forall b tf, PTree.get b (genv_funs ge2) = Some tf ->
- if plt b (genv_next ge1) then
+ if plt b (genv_next ge1) then
exists f, PTree.get b (genv_funs ge1) = Some f /\ match_fun f tf
- else
+ else
In (Gfun tf) (map snd new_globs);
mge_vars:
forall b v, PTree.get b (genv_vars ge1) = Some v ->
@@ -1583,43 +1583,43 @@ Proof.
(* two functions *)
constructor; simpl.
congruence.
- intros. rewrite mge_next0.
+ intros. rewrite mge_next0.
repeat rewrite PTree.gsspec. destruct (peq id0 id); auto.
- rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
- destruct (peq b (genv_next ge1)).
+ rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
+ destruct (peq b (genv_next ge1)).
exists f2; split; congruence.
eauto.
- rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
- destruct (peq b (genv_next ge1)).
+ rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
+ destruct (peq b (genv_next ge1)).
subst b. rewrite pred_dec_true. exists f1; split; congruence. apply Plt_succ.
- pose proof (mge_rev_funs0 b tf H0).
+ pose proof (mge_rev_funs0 b tf H0).
destruct (plt b (genv_next ge1)). rewrite pred_dec_true. auto. apply Plt_trans_succ; auto.
contradiction.
eauto.
intros.
- pose proof (mge_rev_vars0 b tv H0).
+ pose proof (mge_rev_vars0 b tv H0).
destruct (plt b (genv_next ge1)). rewrite pred_dec_true. auto.
apply Plt_trans with (genv_next ge1); auto. apply Plt_succ.
contradiction.
(* two variables *)
constructor; simpl.
congruence.
- intros. rewrite mge_next0.
+ intros. rewrite mge_next0.
repeat rewrite PTree.gsspec. destruct (peq id0 id); auto.
eauto.
intros.
- pose proof (mge_rev_funs0 b tf H0).
+ pose proof (mge_rev_funs0 b tf H0).
destruct (plt b (genv_next ge1)). rewrite pred_dec_true. auto. apply Plt_trans_succ; auto.
contradiction.
- rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
+ rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
destruct (peq b (genv_next ge1)).
- econstructor; split. eauto. inv H0. constructor; auto.
+ econstructor; split. eauto. inv H0. constructor; auto.
eauto.
- rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
- destruct (peq b (genv_next ge1)).
+ rewrite mge_next0. intros. rewrite PTree.gsspec in H0. rewrite PTree.gsspec.
+ destruct (peq b (genv_next ge1)).
subst b. rewrite pred_dec_true.
econstructor; split. eauto. inv H0. constructor; auto. apply Plt_succ.
- pose proof (mge_rev_vars0 b tv H0).
+ pose proof (mge_rev_vars0 b tv H0).
destruct (plt b (genv_next ge1)). rewrite pred_dec_true. auto. apply Plt_trans_succ; auto.
contradiction.
Qed.
@@ -1629,56 +1629,56 @@ Lemma add_globals_match:
forall ge1 ge2, match_genvs nil ge1 ge2 ->
match_genvs nil (add_globals ge1 gl1) (add_globals ge2 gl2).
Proof.
- induction 1; intros; simpl.
+ induction 1; intros; simpl.
auto.
apply IHlist_forall2. apply add_global_match; auto.
Qed.
-Lemma add_global_augment_match:
+Lemma add_global_augment_match:
forall new_globs ge1 ge2 idg,
match_genvs new_globs ge1 ge2 ->
match_genvs (new_globs ++ (idg :: nil)) ge1 (add_global ge2 idg).
Proof.
- intros. destruct H.
+ intros. destruct H.
assert (LE: Ple (genv_next ge1) (genv_next ge2)).
{ rewrite mge_next0; apply advance_next_le. }
constructor; simpl.
rewrite mge_next0. unfold advance_next. rewrite fold_left_app. simpl. auto.
- intros. rewrite map_app in H. rewrite in_app in H. simpl in H.
- destruct (peq id idg#1). subst. intuition. rewrite PTree.gso.
- apply mge_symb0. intuition. auto.
+ intros. rewrite map_app in H. rewrite in_app in H. simpl in H.
+ destruct (peq id idg#1). subst. intuition. rewrite PTree.gso.
+ apply mge_symb0. intuition. auto.
intros. destruct idg as [id1 [f1|v1]]; simpl; eauto.
rewrite PTree.gso. eauto.
exploit genv_funs_range; eauto. intros.
unfold Plt, Ple in *; zify; omega.
intros. rewrite map_app. destruct idg as [id1 [f1|v1]]; simpl in H.
- rewrite PTree.gsspec in H. destruct (peq b (genv_next ge2)).
+ rewrite PTree.gsspec in H. destruct (peq b (genv_next ge2)).
rewrite pred_dec_false. rewrite in_app. simpl; right; left. congruence.
subst b. unfold Plt, Ple in *; zify; omega.
- exploit mge_rev_funs0; eauto. destruct (plt b (genv_next ge1)); auto.
+ exploit mge_rev_funs0; eauto. destruct (plt b (genv_next ge1)); auto.
rewrite in_app. tauto.
- exploit mge_rev_funs0; eauto. destruct (plt b (genv_next ge1)); auto.
+ exploit mge_rev_funs0; eauto. destruct (plt b (genv_next ge1)); auto.
rewrite in_app. tauto.
intros. destruct idg as [id1 [f1|v1]]; simpl; eauto.
- rewrite PTree.gso. eauto. exploit genv_vars_range; eauto.
+ rewrite PTree.gso. eauto. exploit genv_vars_range; eauto.
unfold Plt, Ple in *; zify; omega.
intros. rewrite map_app. destruct idg as [id1 [f1|v1]]; simpl in H.
- exploit mge_rev_vars0; eauto. destruct (plt b (genv_next ge1)); auto.
+ exploit mge_rev_vars0; eauto. destruct (plt b (genv_next ge1)); auto.
rewrite in_app. tauto.
- rewrite PTree.gsspec in H. destruct (peq b (genv_next ge2)).
+ rewrite PTree.gsspec in H. destruct (peq b (genv_next ge2)).
rewrite pred_dec_false. rewrite in_app. simpl; right; left. congruence.
subst b. unfold Plt, Ple in *; zify; omega.
- exploit mge_rev_vars0; eauto. destruct (plt b (genv_next ge1)); auto.
+ exploit mge_rev_vars0; eauto. destruct (plt b (genv_next ge1)); auto.
rewrite in_app. tauto.
Qed.
-Lemma add_globals_augment_match:
+Lemma add_globals_augment_match:
forall gl new_globs ge1 ge2,
match_genvs new_globs ge1 ge2 ->
match_genvs (new_globs ++ gl) ge1 (add_globals ge2 gl).
Proof.
- induction gl; simpl.
- intros. rewrite app_nil_r. auto.
+ induction gl; simpl.
+ intros. rewrite app_nil_r. auto.
intros. change (a :: gl) with ((a :: nil) ++ gl). rewrite <- app_ass.
apply IHgl. apply add_global_augment_match. auto.
Qed.
@@ -1688,15 +1688,15 @@ Variable new_main : ident.
Variable p: program A V.
Variable p': program B W.
-Hypothesis progmatch:
+Hypothesis progmatch:
match_program match_fun match_varinfo new_globs new_main p p'.
Lemma globalenvs_match:
match_genvs new_globs (globalenv p) (globalenv p').
Proof.
unfold globalenv. destruct progmatch as [[tglob [P Q]] R].
- rewrite Q. rewrite add_globals_app.
- change new_globs with (nil ++ new_globs) at 1.
+ rewrite Q. rewrite add_globals_app.
+ change new_globs with (nil ++ new_globs) at 1.
apply add_globals_augment_match.
apply add_globals_match; auto.
constructor; simpl; auto; intros; rewrite PTree.gempty in H; congruence.
@@ -1712,9 +1712,9 @@ Proof (mge_funs globalenvs_match).
Theorem find_funct_ptr_rev_match:
forall (b : block) (tf : B),
find_funct_ptr (globalenv p') b = Some tf ->
- if plt b (genv_next (globalenv p)) then
+ if plt b (genv_next (globalenv p)) then
exists f, find_funct_ptr (globalenv p) b = Some f /\ match_fun f tf
- else
+ else
In (Gfun tf) (map snd new_globs).
Proof (mge_rev_funs globalenvs_match).
@@ -1723,8 +1723,8 @@ Theorem find_funct_match:
find_funct (globalenv p) v = Some f ->
exists tf : B, find_funct (globalenv p') v = Some tf /\ match_fun f tf.
Proof.
- intros. exploit find_funct_inv; eauto. intros [b EQ]. subst v.
- rewrite find_funct_find_funct_ptr in H.
+ intros. exploit find_funct_inv; eauto. intros [b EQ]. subst v.
+ rewrite find_funct_find_funct_ptr in H.
rewrite find_funct_find_funct_ptr.
apply find_funct_ptr_match. auto.
Qed.
@@ -1732,13 +1732,13 @@ Qed.
Theorem find_funct_rev_match:
forall (v : val) (tf : B),
find_funct (globalenv p') v = Some tf ->
- (exists f, find_funct (globalenv p) v = Some f /\ match_fun f tf)
+ (exists f, find_funct (globalenv p) v = Some f /\ match_fun f tf)
\/ (In (Gfun tf) (map snd new_globs)).
Proof.
- intros. exploit find_funct_inv; eauto. intros [b EQ]. subst v.
- rewrite find_funct_find_funct_ptr in H.
+ intros. exploit find_funct_inv; eauto. intros [b EQ]. subst v.
+ rewrite find_funct_find_funct_ptr in H.
rewrite find_funct_find_funct_ptr.
- apply find_funct_ptr_rev_match in H.
+ apply find_funct_ptr_rev_match in H.
destruct (plt b (genv_next (globalenv p))); auto.
Qed.
@@ -1752,7 +1752,7 @@ Proof (mge_vars globalenvs_match).
Theorem find_var_info_rev_match:
forall (b : block) (tv : globvar W),
find_var_info (globalenv p') b = Some tv ->
- if plt b (genv_next (globalenv p)) then
+ if plt b (genv_next (globalenv p)) then
exists v, find_var_info (globalenv p) b = Some v /\ match_globvar v tv
else
In (Gvar tv) (map snd new_globs).
@@ -1763,7 +1763,7 @@ Theorem find_symbol_match:
~In s (map fst new_globs) ->
find_symbol (globalenv p') s = find_symbol (globalenv p) s.
Proof.
- intros. destruct globalenvs_match. unfold find_symbol. auto.
+ intros. destruct globalenvs_match. unfold find_symbol. auto.
Qed.
Theorem public_symbol_match:
@@ -1771,11 +1771,11 @@ Theorem public_symbol_match:
~In s (map fst new_globs) ->
public_symbol (globalenv p') s = public_symbol (globalenv p) s.
Proof.
- intros. unfold public_symbol. rewrite find_symbol_match by auto.
+ intros. unfold public_symbol. rewrite find_symbol_match by auto.
destruct (find_symbol (globalenv p) s); auto.
- rewrite ! globalenv_public.
- destruct progmatch as (P & Q & R). rewrite R. auto.
-Qed.
+ rewrite ! globalenv_public.
+ destruct progmatch as (P & Q & R). rewrite R. auto.
+Qed.
Hypothesis new_ids_fresh:
forall s, In s (prog_defs_names p) -> In s (map fst new_globs) -> False.
@@ -1787,47 +1787,47 @@ Lemma store_init_data_list_match:
store_init_data_list (globalenv p) m b ofs idl = Some m' ->
store_init_data_list (globalenv p') m b ofs idl = Some m'.
Proof.
- induction idl; simpl; intros.
+ induction idl; simpl; intros.
auto.
assert (forall m', store_init_data (globalenv p) m b ofs a = Some m' ->
store_init_data (globalenv p') m b ofs a = Some m').
destruct a; simpl; auto. rewrite find_symbol_match. auto.
simpl in H. destruct (find_symbol (globalenv p) i) as [b'|] eqn:?; try discriminate.
- red; intros. exploit find_symbol_inversion; eauto.
- case_eq (store_init_data (globalenv p) m b ofs a); intros.
- rewrite H1 in H.
- pose proof (H0 _ H1). rewrite H2. auto.
- rewrite H1 in H. inversion H.
+ red; intros. exploit find_symbol_inversion; eauto.
+ case_eq (store_init_data (globalenv p) m b ofs a); intros.
+ rewrite H1 in H.
+ pose proof (H0 _ H1). rewrite H2. auto.
+ rewrite H1 in H. inversion H.
Qed.
Lemma alloc_globals_match:
forall gl1 gl2, list_forall2 (match_globdef match_fun match_varinfo) gl1 gl2 ->
forall m m',
- alloc_globals (globalenv p) m gl1 = Some m' ->
+ alloc_globals (globalenv p) m gl1 = Some m' ->
alloc_globals (globalenv p') m gl2 = Some m'.
Proof.
induction 1; simpl; intros.
auto.
destruct (alloc_global (globalenv p) m a1) as [m1|] eqn:?; try discriminate.
assert (alloc_global (globalenv p') m b1 = Some m1).
- inv H; simpl in *.
+ inv H; simpl in *.
auto.
set (sz := init_data_list_size init) in *.
destruct (Mem.alloc m 0 sz) as [m2 b] eqn:?.
destruct (store_zeros m2 b 0 sz) as [m3|] eqn:?; try discriminate.
destruct (store_init_data_list (globalenv p) m3 b 0 init) as [m4|] eqn:?; try discriminate.
- erewrite store_init_data_list_match; eauto.
+ erewrite store_init_data_list_match; eauto.
rewrite H2. eauto.
Qed.
Theorem init_mem_match:
- forall m, init_mem p = Some m ->
+ forall m, init_mem p = Some m ->
init_mem p' = alloc_globals (globalenv p') m new_globs.
Proof.
unfold init_mem; intros.
destruct progmatch as [[tglob [P Q]] R].
- rewrite Q. erewrite <- alloc_globals_app; eauto.
- eapply alloc_globals_match; eauto.
+ rewrite Q. erewrite <- alloc_globals_app; eauto.
+ eapply alloc_globals_match; eauto.
Qed.
Theorem find_new_funct_ptr_match:
@@ -1838,9 +1838,9 @@ Theorem find_new_funct_ptr_match:
Proof.
intros.
destruct progmatch as [[tglob [P Q]] R].
- exploit in_norepet_unique; eauto. intros (gl1 & gl2 & S & T).
- rewrite S in Q. rewrite <- app_ass in Q.
- eapply find_funct_ptr_exists_2; eauto.
+ exploit in_norepet_unique; eauto. intros (gl1 & gl2 & S & T).
+ rewrite S in Q. rewrite <- app_ass in Q.
+ eapply find_funct_ptr_exists_2; eauto.
Qed.
Theorem find_new_var_match:
@@ -1851,9 +1851,9 @@ Theorem find_new_var_match:
Proof.
intros.
destruct progmatch as [[tglob [P Q]] R].
- exploit in_norepet_unique; eauto. intros (gl1 & gl2 & S & T).
- rewrite S in Q. rewrite <- app_ass in Q.
- eapply find_var_exists_2; eauto.
+ exploit in_norepet_unique; eauto. intros (gl1 & gl2 & S & T).
+ rewrite S in Q. rewrite <- app_ass in Q.
+ eapply find_var_exists_2; eauto.
Qed.
End MATCH_PROGRAMS.
@@ -1889,8 +1889,8 @@ Theorem find_funct_ptr_transf_augment:
exists f',
find_funct_ptr (globalenv p') b = Some f' /\ transf_fun f = OK f'.
Proof.
- intros.
- exploit find_funct_ptr_match. eexact prog_match. eauto.
+ intros.
+ exploit find_funct_ptr_match. eexact prog_match. eauto.
intros [tf [X Y]]. exists tf; auto.
Qed.
@@ -1899,10 +1899,10 @@ Theorem find_funct_ptr_rev_transf_augment:
find_funct_ptr (globalenv p') b = Some tf ->
if plt b (genv_next (globalenv p)) then
(exists f, find_funct_ptr (globalenv p) b = Some f /\ transf_fun f = OK tf)
- else
+ else
In (Gfun tf) (map snd new_globs).
Proof.
- intros.
+ intros.
exploit find_funct_ptr_rev_match; eauto.
Qed.
@@ -1912,18 +1912,18 @@ Theorem find_funct_transf_augment:
exists f',
find_funct (globalenv p') v = Some f' /\ transf_fun f = OK f'.
Proof.
- intros.
- exploit find_funct_match. eexact prog_match. eauto. auto.
+ intros.
+ exploit find_funct_match. eexact prog_match. eauto. auto.
Qed.
-Theorem find_funct_rev_transf_augment:
+Theorem find_funct_rev_transf_augment:
forall (v: val) (tf: B),
find_funct (globalenv p') v = Some tf ->
(exists f, find_funct (globalenv p) v = Some f /\ transf_fun f = OK tf) \/
In (Gfun tf) (map snd new_globs).
Proof.
- intros.
- exploit find_funct_rev_match. eexact prog_match. eauto. auto.
+ intros.
+ exploit find_funct_rev_match. eexact prog_match. eauto. auto.
Qed.
Theorem find_var_info_transf_augment:
@@ -1932,8 +1932,8 @@ Theorem find_var_info_transf_augment:
exists v',
find_var_info (globalenv p') b = Some v' /\ transf_globvar transf_var v = OK v'.
Proof.
- intros.
- exploit find_var_info_match. eexact prog_match. eauto. intros [tv [X Y]].
+ intros.
+ exploit find_var_info_match. eexact prog_match. eauto. intros [tv [X Y]].
exists tv; split; auto. inv Y. unfold transf_globvar; simpl.
rewrite H0; simpl. auto.
Qed.
@@ -1946,23 +1946,23 @@ Theorem find_var_info_rev_transf_augment:
else
(In (Gvar v') (map snd new_globs)).
Proof.
- intros.
+ intros.
exploit find_var_info_rev_match. eexact prog_match. eauto.
destruct (plt b (genv_next (globalenv p))); auto.
- intros [v [X Y]]. exists v; split; auto. inv Y. unfold transf_globvar; simpl.
+ intros [v [X Y]]. exists v; split; auto. inv Y. unfold transf_globvar; simpl.
rewrite H0; simpl. auto.
Qed.
-Theorem find_symbol_transf_augment:
- forall (s: ident),
+Theorem find_symbol_transf_augment:
+ forall (s: ident),
~ In s (map fst new_globs) ->
find_symbol (globalenv p') s = find_symbol (globalenv p) s.
Proof.
intros. eapply find_symbol_match. eexact prog_match. auto.
Qed.
-Theorem public_symbol_transf_augment:
- forall (s: ident),
+Theorem public_symbol_transf_augment:
+ forall (s: ident),
~ In s (map fst new_globs) ->
public_symbol (globalenv p') s = public_symbol (globalenv p) s.
Proof.
@@ -1974,38 +1974,38 @@ Hypothesis new_ids_fresh:
Hypothesis new_ids_unique:
list_norepet (map fst new_globs).
-Theorem init_mem_transf_augment:
- forall m, init_mem p = Some m ->
+Theorem init_mem_transf_augment:
+ forall m, init_mem p = Some m ->
init_mem p' = alloc_globals (globalenv p') m new_globs.
Proof.
intros. eapply init_mem_match. eexact prog_match. auto. auto.
Qed.
-
+
Theorem init_mem_inject_transf_augment:
forall m, init_mem p = Some m ->
- forall m', init_mem p' = Some m' ->
+ forall m', init_mem p' = Some m' ->
Mem.inject (Mem.flat_inj (Mem.nextblock m)) m m'.
Proof.
- intros.
- pose proof (initmem_inject p H).
- erewrite init_mem_transf_augment in H0; eauto.
- eapply alloc_globals_augment; eauto. apply Ple_refl.
+ intros.
+ pose proof (initmem_inject p H).
+ erewrite init_mem_transf_augment in H0; eauto.
+ eapply alloc_globals_augment; eauto. apply Ple_refl.
Qed.
-Theorem find_new_funct_ptr_exists:
- forall id f, In (id, Gfun f) new_globs ->
+Theorem find_new_funct_ptr_exists:
+ forall id f, In (id, Gfun f) new_globs ->
exists b, find_symbol (globalenv p') id = Some b
/\ find_funct_ptr (globalenv p') b = Some f.
Proof.
- intros. eapply find_new_funct_ptr_match; eauto.
+ intros. eapply find_new_funct_ptr_match; eauto.
Qed.
Theorem find_new_var_exists:
- forall id gv, In (id, Gvar gv) new_globs ->
+ forall id gv, In (id, Gvar gv) new_globs ->
exists b, find_symbol (globalenv p') id = Some b
/\ find_var_info (globalenv p') b = Some gv.
Proof.
- intros. eapply find_new_var_match; eauto.
+ intros. eapply find_new_var_match; eauto.
Qed.
End TRANSF_PROGRAM_AUGMENT.
@@ -2041,7 +2041,7 @@ Theorem find_funct_ptr_rev_transf_partial2:
exists f, find_funct_ptr (globalenv p) b = Some f /\ transf_fun f = OK tf.
Proof.
pose proof (@find_funct_ptr_rev_transf_augment _ _ _ _ _ _ _ _ _ _ transf_augment_OK).
- intros. pose proof (H b tf H0).
+ intros. pose proof (H b tf H0).
destruct (plt b (genv_next (globalenv p))). auto. contradiction.
Qed.
@@ -2060,7 +2060,7 @@ Theorem find_funct_rev_transf_partial2:
exists f, find_funct (globalenv p) v = Some f /\ transf_fun f = OK tf.
Proof.
pose proof (@find_funct_rev_transf_augment _ _ _ _ _ _ _ _ _ _ transf_augment_OK).
- intros. pose proof (H v tf H0).
+ intros. pose proof (H v tf H0).
destruct H1. auto. contradiction.
Qed.
@@ -2080,7 +2080,7 @@ Theorem find_var_info_rev_transf_partial2:
find_var_info (globalenv p) b = Some v /\ transf_globvar transf_var v = OK v'.
Proof.
pose proof (@find_var_info_rev_transf_augment _ _ _ _ _ _ _ _ _ _ transf_augment_OK).
- intros. pose proof (H b v' H0).
+ intros. pose proof (H b v' H0).
destruct (plt b (genv_next (globalenv p))). auto. contradiction.
Qed.
@@ -2104,10 +2104,10 @@ Theorem block_is_volatile_transf_partial2:
forall (b: block),
block_is_volatile (globalenv p') b = block_is_volatile (globalenv p) b.
Proof.
- unfold block_is_volatile; intros.
+ unfold block_is_volatile; intros.
destruct (find_var_info (globalenv p) b) as [v|] eqn:FV.
exploit find_var_info_transf_partial2; eauto. intros (v' & P & Q).
- rewrite P. monadInv Q. auto.
+ rewrite P. monadInv Q. auto.
destruct (find_var_info (globalenv p') b) as [v'|] eqn:FV'.
exploit find_var_info_rev_transf_partial2; eauto. intros (v & P & Q). congruence.
auto.
@@ -2117,7 +2117,7 @@ Theorem init_mem_transf_partial2:
forall m, init_mem p = Some m -> init_mem p' = Some m.
Proof.
pose proof (@init_mem_transf_augment _ _ _ _ _ _ _ _ _ _ transf_augment_OK).
- intros. simpl in H. apply H; auto.
+ intros. simpl in H. apply H; auto.
Qed.
End TRANSF_PROGRAM_PARTIAL2.
@@ -2183,11 +2183,11 @@ Theorem find_var_info_transf_partial:
find_var_info (globalenv p') b = find_var_info (globalenv p) b.
Proof.
intros. case_eq (find_var_info (globalenv p) b); intros.
- exploit find_var_info_transf_partial2. eexact transf_OK. eauto.
- intros [v' [P Q]]. monadInv Q. rewrite P. inv EQ. destruct g; auto.
+ exploit find_var_info_transf_partial2. eexact transf_OK. eauto.
+ intros [v' [P Q]]. monadInv Q. rewrite P. inv EQ. destruct g; auto.
case_eq (find_var_info (globalenv p') b); intros.
exploit find_var_info_rev_transf_partial2. eexact transf_OK. eauto.
- intros [v' [P Q]]. monadInv Q. inv EQ. congruence.
+ intros [v' [P Q]]. monadInv Q. inv EQ. congruence.
auto.
Qed.
@@ -2216,7 +2216,7 @@ Let tp := transform_program transf p.
Remark transf_OK:
transform_partial_program (fun x => OK (transf x)) p = OK tp.
Proof.
- unfold tp. apply transform_program_partial_program.
+ unfold tp. apply transform_program_partial_program.
Qed.
Theorem find_funct_ptr_transf:
@@ -2224,7 +2224,7 @@ Theorem find_funct_ptr_transf:
find_funct_ptr (globalenv p) b = Some f ->
find_funct_ptr (globalenv tp) b = Some (transf f).
Proof.
- intros.
+ intros.
destruct (@find_funct_ptr_transf_partial _ _ _ _ _ _ transf_OK _ _ H)
as [f' [X Y]]. congruence.
Qed.
@@ -2243,7 +2243,7 @@ Theorem find_funct_transf:
find_funct (globalenv p) v = Some f ->
find_funct (globalenv tp) v = Some (transf f).
Proof.
- intros.
+ intros.
destruct (@find_funct_transf_partial _ _ _ _ _ _ transf_OK _ _ H)
as [f' [X Y]]. congruence.
Qed.
diff --git a/common/Memdata.v b/common/Memdata.v
index 9c64563b..4ef7836b 100644
--- a/common/Memdata.v
+++ b/common/Memdata.v
@@ -61,8 +61,8 @@ Qed.
Lemma size_chunk_nat_pos:
forall chunk, exists n, size_chunk_nat chunk = S n.
Proof.
- intros.
- generalize (size_chunk_pos chunk). rewrite size_chunk_conv.
+ intros.
+ generalize (size_chunk_pos chunk). rewrite size_chunk_conv.
destruct (size_chunk_nat chunk).
simpl; intros; omegaContradiction.
intros; exists n; auto.
@@ -71,14 +71,14 @@ Qed.
(** Memory reads and writes must respect alignment constraints:
the byte offset of the location being addressed should be an exact
multiple of the natural alignment for the chunk being addressed.
- This natural alignment is defined by the following
+ This natural alignment is defined by the following
[align_chunk] function. Some target architectures
(e.g. PowerPC and x86) have no alignment constraints, which we could
reflect by taking [align_chunk chunk = 1]. However, other architectures
have stronger alignment requirements. The following definition is
appropriate for PowerPC, ARM and x86. *)
-Definition align_chunk (chunk: memory_chunk) : Z :=
+Definition align_chunk (chunk: memory_chunk) : Z :=
match chunk with
| Mint8signed => 1
| Mint8unsigned => 1
@@ -101,7 +101,7 @@ Qed.
Lemma align_size_chunk_divides:
forall chunk, (align_chunk chunk | size_chunk chunk).
Proof.
- intros. destruct chunk; simpl; try apply Zdivide_refl; exists 2; auto.
+ intros. destruct chunk; simpl; try apply Zdivide_refl; exists 2; auto.
Qed.
Lemma align_le_divides:
@@ -206,40 +206,40 @@ Proof.
Opaque Byte.wordsize.
rewrite inj_S. simpl.
replace (Zsucc (Z_of_nat n) * 8) with (Z_of_nat n * 8 + 8) by omega.
- rewrite two_p_is_exp; try omega.
- rewrite Zmod_recombine. rewrite IHn. rewrite Zplus_comm.
- change (Byte.unsigned (Byte.repr x)) with (Byte.Z_mod_modulus x).
- rewrite Byte.Z_mod_modulus_eq. reflexivity.
+ rewrite two_p_is_exp; try omega.
+ rewrite Zmod_recombine. rewrite IHn. rewrite Zplus_comm.
+ change (Byte.unsigned (Byte.repr x)) with (Byte.Z_mod_modulus x).
+ rewrite Byte.Z_mod_modulus_eq. reflexivity.
apply two_p_gt_ZERO. omega. apply two_p_gt_ZERO. omega.
Qed.
Lemma rev_if_be_involutive:
forall l, rev_if_be (rev_if_be l) = l.
Proof.
- intros; unfold rev_if_be; destruct Archi.big_endian.
- apply List.rev_involutive.
+ intros; unfold rev_if_be; destruct Archi.big_endian.
+ apply List.rev_involutive.
auto.
Qed.
Lemma decode_encode_int:
forall n x, decode_int (encode_int n x) = x mod (two_p (Z_of_nat n * 8)).
Proof.
- unfold decode_int, encode_int; intros. rewrite rev_if_be_involutive.
+ unfold decode_int, encode_int; intros. rewrite rev_if_be_involutive.
apply int_of_bytes_of_int.
Qed.
Lemma decode_encode_int_1:
forall x, Int.repr (decode_int (encode_int 1 (Int.unsigned x))) = Int.zero_ext 8 x.
Proof.
- intros. rewrite decode_encode_int.
+ intros. rewrite decode_encode_int.
rewrite <- (Int.repr_unsigned (Int.zero_ext 8 x)).
- decEq. symmetry. apply Int.zero_ext_mod. compute. intuition congruence.
+ decEq. symmetry. apply Int.zero_ext_mod. compute. intuition congruence.
Qed.
Lemma decode_encode_int_2:
forall x, Int.repr (decode_int (encode_int 2 (Int.unsigned x))) = Int.zero_ext 16 x.
Proof.
- intros. rewrite decode_encode_int.
+ intros. rewrite decode_encode_int.
rewrite <- (Int.repr_unsigned (Int.zero_ext 16 x)).
decEq. symmetry. apply Int.zero_ext_mod. compute; intuition congruence.
Qed.
@@ -268,15 +268,15 @@ Proof.
induction n.
intros; simpl; auto.
intros until y.
- rewrite inj_S.
+ rewrite inj_S.
replace (Zsucc (Z_of_nat n) * 8) with (Z_of_nat n * 8 + 8) by omega.
- rewrite two_p_is_exp; try omega.
+ rewrite two_p_is_exp; try omega.
intro EQM.
- simpl; decEq.
- apply Byte.eqm_samerepr. red.
+ simpl; decEq.
+ apply Byte.eqm_samerepr. red.
eapply Int.eqmod_divides; eauto. apply Zdivide_factor_l.
apply IHn.
- destruct EQM as [k EQ]. exists k. rewrite EQ.
+ destruct EQM as [k EQ]. exists k. rewrite EQ.
rewrite <- Z_div_plus_full_l. decEq. change (two_p 8) with 256. ring. omega.
Qed.
@@ -312,7 +312,7 @@ Fixpoint proj_bytes (vl: list memval) : option (list byte) :=
Remark length_inj_bytes:
forall bl, length (inj_bytes bl) = length bl.
Proof.
- intros. apply List.map_length.
+ intros. apply List.map_length.
Qed.
Remark proj_inj_bytes:
@@ -324,7 +324,7 @@ Qed.
Lemma inj_proj_bytes:
forall cl bl, proj_bytes cl = Some bl -> cl = inj_bytes bl.
Proof.
- induction cl; simpl; intros.
+ induction cl; simpl; intros.
inv H; auto.
destruct a; try congruence. destruct (proj_bytes cl); inv H.
simpl. decEq. auto.
@@ -339,7 +339,7 @@ Fixpoint inj_value_rec (n: nat) (v: val) (q: quantity) {struct n}: list memval :
Definition inj_value (q: quantity) (v: val): list memval :=
inj_value_rec (size_quantity_nat q) v q.
-Fixpoint check_value (n: nat) (v: val) (q: quantity) (vl: list memval)
+Fixpoint check_value (n: nat) (v: val) (q: quantity) (vl: list memval)
{struct n} : bool :=
match n, vl with
| O, nil => true
@@ -395,7 +395,7 @@ Definition decode_val (chunk: memory_chunk) (vl: list memval) : val :=
Lemma encode_val_length:
forall chunk v, length(encode_val chunk v) = size_chunk_nat chunk.
Proof.
- intros. destruct v; simpl; destruct chunk;
+ intros. destruct v; simpl; destruct chunk;
solve [ reflexivity
| apply length_list_repeat
| rewrite length_inj_bytes; apply encode_int_length ].
@@ -404,15 +404,15 @@ Qed.
Lemma check_inj_value:
forall v q n, check_value n v q (inj_value_rec n v q) = true.
Proof.
- induction n; simpl. auto.
- unfold proj_sumbool. rewrite dec_eq_true. rewrite dec_eq_true.
+ induction n; simpl. auto.
+ unfold proj_sumbool. rewrite dec_eq_true. rewrite dec_eq_true.
rewrite <- beq_nat_refl. simpl; auto.
Qed.
Lemma proj_inj_value:
forall q v, proj_value q (inj_value q v) = v.
Proof.
- intros. unfold proj_value, inj_value. destruct (size_quantity_nat_pos q) as [n EQ].
+ intros. unfold proj_value, inj_value. destruct (size_quantity_nat_pos q) as [n EQ].
rewrite EQ at 1. simpl. rewrite check_inj_value. auto.
Qed.
@@ -422,14 +422,14 @@ Proof.
Local Transparent inj_value.
unfold inj_value; intros until q. generalize (size_quantity_nat q). induction n; simpl; intros.
contradiction.
- destruct H. exists n; auto. eauto.
+ destruct H. exists n; auto. eauto.
Qed.
Lemma proj_inj_value_mismatch:
forall q1 q2 v, q1 <> q2 -> proj_value q1 (inj_value q2 v) = Vundef.
Proof.
intros. unfold proj_value. destruct (inj_value q2 v) eqn:V. auto. destruct m; auto.
- destruct (in_inj_value (Fragment v0 q n) v q2) as [n' EQ].
+ destruct (in_inj_value (Fragment v0 q n) v q2) as [n' EQ].
rewrite V; auto with coqlib. inv EQ.
destruct (size_quantity_nat_pos q1) as [p EQ1]; rewrite EQ1; simpl.
unfold proj_sumbool. rewrite dec_eq_true. rewrite dec_eq_false by congruence. auto.
@@ -482,7 +482,7 @@ Qed.
Remark proj_bytes_inj_value:
forall q v, proj_bytes (inj_value q v) = None.
Proof.
- intros. destruct q; reflexivity.
+ intros. destruct q; reflexivity.
Qed.
Lemma decode_encode_val_general:
@@ -492,7 +492,7 @@ Proof.
Opaque inj_value.
intros.
destruct v; destruct chunk1 eqn:C1; simpl; try (apply decode_val_undef);
- destruct chunk2 eqn:C2; unfold decode_val; auto;
+ destruct chunk2 eqn:C2; unfold decode_val; auto;
try (rewrite proj_inj_bytes); try (rewrite proj_bytes_inj_value);
try (rewrite proj_inj_value); try (rewrite proj_inj_value_mismatch by congruence);
auto.
@@ -521,7 +521,7 @@ Lemma decode_encode_val_similar:
decode_encode_val v1 chunk1 chunk2 v2 ->
v2 = Val.load_result chunk2 v1.
Proof.
- intros until v2; intros TY SZ DE.
+ intros until v2; intros TY SZ DE.
destruct chunk1; destruct chunk2; simpl in TY; try discriminate; simpl in SZ; try omegaContradiction;
destruct v1; auto.
Qed.
@@ -530,8 +530,8 @@ Lemma decode_val_type:
forall chunk cl,
Val.has_type (decode_val chunk cl) (type_of_chunk chunk).
Proof.
- intros. unfold decode_val.
- destruct (proj_bytes cl).
+ intros. unfold decode_val.
+ destruct (proj_bytes cl).
destruct chunk; simpl; auto.
destruct chunk; exact I || apply Val.load_result_type.
Qed.
@@ -551,7 +551,7 @@ Qed.
Lemma encode_val_int8_zero_ext:
forall n, encode_val Mint8unsigned (Vint (Int.zero_ext 8 n)) = encode_val Mint8unsigned (Vint n).
Proof.
- intros; unfold encode_val. decEq. apply encode_int_8_mod. apply Int.eqmod_zero_ext.
+ intros; unfold encode_val. decEq. apply encode_int_8_mod. apply Int.eqmod_zero_ext.
compute; intuition congruence.
Qed.
@@ -586,7 +586,7 @@ Lemma decode_val_cast:
Proof.
unfold decode_val; intros; destruct chunk; auto; destruct (proj_bytes l); auto.
unfold Val.sign_ext. rewrite Int.sign_ext_idem; auto. omega.
- unfold Val.zero_ext. rewrite Int.zero_ext_idem; auto. omega.
+ unfold Val.zero_ext. rewrite Int.zero_ext_idem; auto. omega.
unfold Val.sign_ext. rewrite Int.sign_ext_idem; auto. omega.
unfold Val.zero_ext. rewrite Int.zero_ext_idem; auto. omega.
Qed.
@@ -616,41 +616,41 @@ Inductive shape_encoding (chunk: memory_chunk) (v: val): list memval -> Prop :=
Lemma encode_val_shape: forall chunk v, shape_encoding chunk v (encode_val chunk v).
Proof.
- intros.
- destruct (size_chunk_nat_pos chunk) as [sz EQ].
+ intros.
+ destruct (size_chunk_nat_pos chunk) as [sz EQ].
assert (A: forall mv q n,
(n < size_quantity_nat q)%nat ->
In mv (inj_value_rec n v q) ->
exists j, mv = Fragment v q j /\ S j <> size_quantity_nat q).
{
- induction n; simpl; intros. contradiction. destruct H0.
- exists n; split; auto. omega. apply IHn; auto. omega.
- }
+ induction n; simpl; intros. contradiction. destruct H0.
+ exists n; split; auto. omega. apply IHn; auto. omega.
+ }
assert (B: forall q,
- q = quantity_chunk chunk ->
+ q = quantity_chunk chunk ->
(chunk = Mint32 \/ chunk = Many32 \/ chunk = Many64) ->
shape_encoding chunk v (inj_value q v)).
{
Local Transparent inj_value.
- intros. unfold inj_value. destruct (size_quantity_nat_pos q) as [sz' EQ'].
+ intros. unfold inj_value. destruct (size_quantity_nat_pos q) as [sz' EQ'].
rewrite EQ'. simpl. constructor; auto.
- intros; eapply A; eauto. omega.
+ intros; eapply A; eauto. omega.
}
assert (C: forall bl,
match v with Vint _ => True | Vlong _ => True | Vfloat _ => True | Vsingle _ => True | _ => False end ->
length (inj_bytes bl) = size_chunk_nat chunk ->
shape_encoding chunk v (inj_bytes bl)).
{
- intros. destruct bl as [|b1 bl]. simpl in H0; congruence. simpl.
- constructor; auto. unfold inj_bytes; intros. exploit list_in_map_inv; eauto.
+ intros. destruct bl as [|b1 bl]. simpl in H0; congruence. simpl.
+ constructor; auto. unfold inj_bytes; intros. exploit list_in_map_inv; eauto.
intros (b & P & Q); exists b; auto.
}
assert (D: shape_encoding chunk v (list_repeat (size_chunk_nat chunk) Undef)).
{
- intros. rewrite EQ; simpl; constructor; auto.
- intros. eapply in_list_repeat; eauto.
+ intros. rewrite EQ; simpl; constructor; auto.
+ intros. eapply in_list_repeat; eauto.
}
- generalize (encode_val_length chunk v). intros LEN.
+ generalize (encode_val_length chunk v). intros LEN.
unfold encode_val; unfold encode_val in LEN; destruct v; destruct chunk; (apply B || apply C || apply D); auto; red; auto.
Qed.
@@ -671,14 +671,14 @@ Inductive shape_decoding (chunk: memory_chunk): list memval -> val -> Prop :=
Lemma decode_val_shape: forall chunk mv1 mvl,
shape_decoding chunk (mv1 :: mvl) (decode_val chunk (mv1 :: mvl)).
Proof.
- intros.
+ intros.
assert (A: forall mv mvs bs, proj_bytes mvs = Some bs -> In mv mvs ->
exists b, mv = Byte b).
{
- induction mvs; simpl; intros.
+ induction mvs; simpl; intros.
contradiction.
- destruct a; try discriminate. destruct H0. exists i; auto.
- destruct (proj_bytes mvs); try discriminate. eauto.
+ destruct a; try discriminate. destruct H0. exists i; auto.
+ destruct (proj_bytes mvs); try discriminate. eauto.
}
assert (B: forall v q mv n mvs,
check_value n v q mvs = true -> In mv mvs -> (n < size_quantity_nat q)%nat ->
@@ -686,13 +686,13 @@ Proof.
{
induction n; destruct mvs; simpl; intros; try discriminate.
contradiction.
- destruct m; try discriminate. InvBooleans. apply beq_nat_true in H4. subst.
- destruct H0. subst mv. exists n0; split; auto. omega.
- eapply IHn; eauto. omega.
+ destruct m; try discriminate. InvBooleans. apply beq_nat_true in H4. subst.
+ destruct H0. subst mv. exists n0; split; auto. omega.
+ eapply IHn; eauto. omega.
}
assert (U: forall mvs, shape_decoding chunk mvs (Val.load_result chunk Vundef)).
{
- intros. replace (Val.load_result chunk Vundef) with Vundef. constructor.
+ intros. replace (Val.load_result chunk Vundef) with Vundef. constructor.
destruct chunk; auto.
}
assert (C: forall q, size_quantity_nat q = size_chunk_nat chunk ->
@@ -700,21 +700,21 @@ Proof.
shape_decoding chunk (mv1 :: mvl) (Val.load_result chunk (proj_value q (mv1 :: mvl)))).
{
intros. unfold proj_value. destruct mv1; auto.
- destruct (size_quantity_nat_pos q) as [sz EQ]. rewrite EQ.
+ destruct (size_quantity_nat_pos q) as [sz EQ]. rewrite EQ.
simpl. unfold proj_sumbool. rewrite dec_eq_true.
- destruct (quantity_eq q q0); auto.
+ destruct (quantity_eq q q0); auto.
destruct (beq_nat sz n) eqn:EQN; auto.
- destruct (check_value sz v q mvl) eqn:CHECK; auto.
- simpl. apply beq_nat_true in EQN. subst n q0. constructor. auto.
+ destruct (check_value sz v q mvl) eqn:CHECK; auto.
+ simpl. apply beq_nat_true in EQN. subst n q0. constructor. auto.
destruct H0 as [E|[E|E]]; subst chunk; destruct q; auto || discriminate.
- congruence.
- intros. eapply B; eauto. omega.
+ congruence.
+ intros. eapply B; eauto. omega.
}
- unfold decode_val.
- destruct (proj_bytes (mv1 :: mvl)) as [bl|] eqn:PB.
- exploit (A mv1); eauto with coqlib. intros [b1 EQ1]; subst mv1.
+ unfold decode_val.
+ destruct (proj_bytes (mv1 :: mvl)) as [bl|] eqn:PB.
+ exploit (A mv1); eauto with coqlib. intros [b1 EQ1]; subst mv1.
destruct chunk; (apply shape_decoding_u || apply shape_decoding_b); eauto with coqlib.
- destruct chunk; (apply shape_decoding_u || apply C); auto.
+ destruct chunk; (apply shape_decoding_u || apply C); auto.
Qed.
(** * Compatibility with memory injections *)
@@ -734,7 +734,7 @@ Inductive memval_inject (f: meminj): memval -> memval -> Prop :=
Lemma memval_inject_incr:
forall f f' v1 v2, memval_inject f v1 v2 -> inject_incr f f' -> memval_inject f' v1 v2.
Proof.
- intros. inv H; econstructor. eapply val_inject_incr; eauto.
+ intros. inv H; econstructor. eapply val_inject_incr; eauto.
Qed.
(** [decode_val], applied to lists of memory values that are pairwise
@@ -749,8 +749,8 @@ Lemma proj_bytes_inject:
Proof.
induction 1; simpl. congruence.
inv H; try congruence.
- destruct (proj_bytes al); intros.
- inv H. rewrite (IHlist_forall2 l); auto.
+ destruct (proj_bytes al); intros.
+ inv H. rewrite (IHlist_forall2 l); auto.
congruence.
Qed.
@@ -762,11 +762,11 @@ Lemma check_value_inject:
Val.inject f v v' -> v <> Vundef ->
check_value n v' q vl' = true.
Proof.
- induction 1; intros; destruct n; simpl in *; auto.
+ induction 1; intros; destruct n; simpl in *; auto.
inv H; auto.
InvBooleans. assert (n = n0) by (apply beq_nat_true; auto). subst v1 q0 n0.
- replace v2 with v'.
- unfold proj_sumbool; rewrite ! dec_eq_true. rewrite <- beq_nat_refl. simpl; eauto.
+ replace v2 with v'.
+ unfold proj_sumbool; rewrite ! dec_eq_true. rewrite <- beq_nat_refl. simpl; eauto.
inv H2; try discriminate; inv H4; congruence.
discriminate.
Qed.
@@ -776,10 +776,10 @@ Lemma proj_value_inject:
list_forall2 (memval_inject f) vl1 vl2 ->
Val.inject f (proj_value q vl1) (proj_value q vl2).
Proof.
- intros. unfold proj_value.
+ intros. unfold proj_value.
inversion H; subst. auto. inversion H0; subst; auto.
destruct (check_value (size_quantity_nat q) v1 q (Fragment v1 q0 n :: al)) eqn:B; auto.
- destruct (Val.eq v1 Vundef). subst; auto.
+ destruct (Val.eq v1 Vundef). subst; auto.
erewrite check_value_inject by eauto. auto.
Qed.
@@ -790,7 +790,7 @@ Lemma proj_bytes_not_inject:
Proof.
induction 1; simpl; intros.
congruence.
- inv H; try congruence.
+ inv H; try congruence.
right. apply IHlist_forall2.
destruct (proj_bytes al); congruence.
destruct (proj_bytes bl); congruence.
@@ -801,18 +801,18 @@ Lemma check_value_undef:
forall n q v vl,
In Undef vl -> check_value n v q vl = false.
Proof.
- induction n; intros; simpl.
+ induction n; intros; simpl.
destruct vl. elim H. auto.
destruct vl. auto.
destruct m; auto. simpl in H; destruct H. congruence.
- rewrite IHn; auto. apply andb_false_r.
+ rewrite IHn; auto. apply andb_false_r.
Qed.
Lemma proj_value_undef:
forall q vl, In Undef vl -> proj_value q vl = Vundef.
Proof.
intros; unfold proj_value.
- destruct vl; auto. destruct m; auto.
+ destruct vl; auto. destruct m; auto.
rewrite check_value_undef. auto. auto.
Qed.
@@ -821,9 +821,9 @@ Theorem decode_val_inject:
list_forall2 (memval_inject f) vl1 vl2 ->
Val.inject f (decode_val chunk vl1) (decode_val chunk vl2).
Proof.
- intros. unfold decode_val.
+ intros. unfold decode_val.
destruct (proj_bytes vl1) as [bl1|] eqn:PB1.
- exploit proj_bytes_inject; eauto. intros PB2. rewrite PB2.
+ exploit proj_bytes_inject; eauto. intros PB2. rewrite PB2.
destruct chunk; constructor.
assert (A: forall q fn,
Val.inject f (Val.load_result chunk (proj_value q vl1))
@@ -852,8 +852,8 @@ Lemma repeat_Undef_inject_any:
forall f vl,
list_forall2 (memval_inject f) (list_repeat (length vl) Undef) vl.
Proof.
- induction vl; simpl; constructor; auto. constructor.
-Qed.
+ induction vl; simpl; constructor; auto. constructor.
+Qed.
Lemma repeat_Undef_inject_encode_val:
forall f chunk v,
@@ -867,7 +867,7 @@ Lemma repeat_Undef_inject_self:
list_forall2 (memval_inject f) (list_repeat n Undef) (list_repeat n Undef).
Proof.
induction n; simpl; constructor; auto. constructor.
-Qed.
+Qed.
Lemma inj_value_inject:
forall f v1 v2 q, Val.inject f v1 v2 -> list_forall2 (memval_inject f) (inj_value q v1) (inj_value q v2).
@@ -875,7 +875,7 @@ Proof.
intros.
Local Transparent inj_value.
unfold inj_value. generalize (size_quantity_nat q). induction n; simpl; constructor; auto.
- constructor; auto.
+ constructor; auto.
Qed.
Theorem encode_val_inject:
@@ -907,19 +907,19 @@ Proof.
intros. inv H.
inv H0. constructor.
inv H0. econstructor.
- eapply val_inject_compose; eauto.
+ eapply val_inject_compose; eauto.
constructor.
-Qed.
+Qed.
(** * Breaking 64-bit memory accesses into two 32-bit accesses *)
Lemma int_of_bytes_append:
- forall l2 l1,
+ forall l2 l1,
int_of_bytes (l1 ++ l2) = int_of_bytes l1 + int_of_bytes l2 * two_p (Z_of_nat (length l1) * 8).
Proof.
induction l1; simpl int_of_bytes; intros.
simpl. ring.
- simpl length. rewrite inj_S.
+ simpl length. rewrite inj_S.
replace (Z.succ (Z.of_nat (length l1)) * 8) with (Z_of_nat (length l1) * 8 + 8) by omega.
rewrite two_p_is_exp. change (two_p 8) with 256. rewrite IHl1. ring.
omega. omega.
@@ -928,23 +928,23 @@ Qed.
Lemma int_of_bytes_range:
forall l, 0 <= int_of_bytes l < two_p (Z_of_nat (length l) * 8).
Proof.
- induction l; intros.
+ induction l; intros.
simpl. omega.
- simpl length. rewrite inj_S.
+ simpl length. rewrite inj_S.
replace (Z.succ (Z.of_nat (length l)) * 8) with (Z.of_nat (length l) * 8 + 8) by omega.
- rewrite two_p_is_exp. change (two_p 8) with 256.
- simpl int_of_bytes. generalize (Byte.unsigned_range a).
- change Byte.modulus with 256. omega.
- omega. omega.
+ rewrite two_p_is_exp. change (two_p 8) with 256.
+ simpl int_of_bytes. generalize (Byte.unsigned_range a).
+ change Byte.modulus with 256. omega.
+ omega. omega.
Qed.
Lemma length_proj_bytes:
forall l b, proj_bytes l = Some b -> length b = length l.
Proof.
- induction l; simpl; intros.
+ induction l; simpl; intros.
inv H; auto.
- destruct a; try discriminate.
- destruct (proj_bytes l) eqn:E; inv H.
+ destruct a; try discriminate.
+ destruct (proj_bytes l) eqn:E; inv H.
simpl. f_equal. auto.
Qed.
@@ -958,8 +958,8 @@ Lemma proj_bytes_append:
Proof.
induction l1; simpl.
destruct (proj_bytes l2); auto.
- destruct a; auto. rewrite IHl1.
- destruct (proj_bytes l1); auto. destruct (proj_bytes l2); auto.
+ destruct a; auto. rewrite IHl1.
+ destruct (proj_bytes l1); auto. destruct (proj_bytes l2); auto.
Qed.
Lemma decode_val_int64:
@@ -971,26 +971,26 @@ Lemma decode_val_int64:
(decode_val Mint32 (if Archi.big_endian then l2 else l1))).
Proof.
intros. unfold decode_val.
- rewrite proj_bytes_append.
+ rewrite proj_bytes_append.
destruct (proj_bytes l1) as [b1|] eqn:B1; destruct (proj_bytes l2) as [b2|] eqn:B2; auto.
exploit length_proj_bytes. eexact B1. rewrite H; intro L1.
exploit length_proj_bytes. eexact B2. rewrite H0; intro L2.
assert (UR: forall l, length l = 4%nat -> Int.unsigned (Int.repr (int_of_bytes l)) = int_of_bytes l).
- intros. apply Int.unsigned_repr.
- generalize (int_of_bytes_range l). rewrite H1.
- change (two_p (Z.of_nat 4 * 8)) with (Int.max_unsigned + 1).
+ intros. apply Int.unsigned_repr.
+ generalize (int_of_bytes_range l). rewrite H1.
+ change (two_p (Z.of_nat 4 * 8)) with (Int.max_unsigned + 1).
omega.
apply Val.lessdef_same.
unfold decode_int, rev_if_be. destruct Archi.big_endian; rewrite B1; rewrite B2.
- + rewrite <- (rev_length b1) in L1.
+ + rewrite <- (rev_length b1) in L1.
rewrite <- (rev_length b2) in L2.
rewrite rev_app_distr.
set (b1' := rev b1) in *; set (b2' := rev b2) in *.
unfold Val.longofwords. f_equal. rewrite Int64.ofwords_add. f_equal.
- rewrite !UR by auto. rewrite int_of_bytes_append.
+ rewrite !UR by auto. rewrite int_of_bytes_append.
rewrite L2. change (Z.of_nat 4 * 8) with 32. ring.
+ unfold Val.longofwords. f_equal. rewrite Int64.ofwords_add. f_equal.
- rewrite !UR by auto. rewrite int_of_bytes_append.
+ rewrite !UR by auto. rewrite int_of_bytes_append.
rewrite L1. change (Z.of_nat 4 * 8) with 32. ring.
Qed.
@@ -1001,17 +1001,17 @@ Lemma bytes_of_int_append:
bytes_of_int n1 x1 ++ bytes_of_int n2 x2.
Proof.
induction n1; intros.
-- simpl in *. f_equal. omega.
+- simpl in *. f_equal. omega.
- assert (E: two_p (Z.of_nat (S n1) * 8) = two_p (Z.of_nat n1 * 8) * 256).
{
- rewrite inj_S. change 256 with (two_p 8). rewrite <- two_p_is_exp.
- f_equal. omega. omega. omega.
+ rewrite inj_S. change 256 with (two_p 8). rewrite <- two_p_is_exp.
+ f_equal. omega. omega. omega.
}
rewrite E in *. simpl. f_equal.
- apply Byte.eqm_samerepr. exists (x2 * two_p (Z.of_nat n1 * 8)).
+ apply Byte.eqm_samerepr. exists (x2 * two_p (Z.of_nat n1 * 8)).
change Byte.modulus with 256. ring.
rewrite Zmult_assoc. rewrite Z_div_plus. apply IHn1.
- apply Zdiv_interval_1. omega. apply two_p_gt_ZERO; omega. omega.
+ apply Zdiv_interval_1. omega. apply two_p_gt_ZERO; omega. omega.
assumption. omega.
Qed.
@@ -1023,8 +1023,8 @@ Proof.
intros. transitivity (bytes_of_int (4 + 4) (Int64.unsigned (Int64.ofwords (Int64.hiword i) (Int64.loword i)))).
f_equal. f_equal. rewrite Int64.ofwords_recompose. auto.
rewrite Int64.ofwords_add'.
- change 32 with (Z_of_nat 4 * 8).
- rewrite Zplus_comm. apply bytes_of_int_append. apply Int.unsigned_range.
+ change 32 with (Z_of_nat 4 * 8).
+ rewrite Zplus_comm. apply bytes_of_int_append. apply Int.unsigned_range.
Qed.
Lemma encode_val_int64:
@@ -1035,10 +1035,10 @@ Lemma encode_val_int64:
Proof.
intros. destruct v; destruct Archi.big_endian eqn:BI; try reflexivity;
unfold Val.loword, Val.hiword, encode_val.
- unfold inj_bytes. rewrite <- map_app. f_equal.
+ unfold inj_bytes. rewrite <- map_app. f_equal.
unfold encode_int, rev_if_be. rewrite BI. rewrite <- rev_app_distr. f_equal.
- apply bytes_of_int64.
- unfold inj_bytes. rewrite <- map_app. f_equal.
+ apply bytes_of_int64.
+ unfold inj_bytes. rewrite <- map_app. f_equal.
unfold encode_int, rev_if_be. rewrite BI.
apply bytes_of_int64.
Qed.
diff --git a/common/Memory.v b/common/Memory.v
index 3d781cac..93d0e432 100644
--- a/common/Memory.v
+++ b/common/Memory.v
@@ -47,13 +47,13 @@ Local Notation "a # b" := (PMap.get b a) (at level 1).
Module Mem <: MEM.
-Definition perm_order' (po: option permission) (p: permission) :=
+Definition perm_order' (po: option permission) (p: permission) :=
match po with
| Some p' => perm_order p' p
| None => False
end.
-Definition perm_order'' (po1 po2: option permission) :=
+Definition perm_order'' (po1 po2: option permission) :=
match po1, po2 with
| Some p1, Some p2 => perm_order p1 p2
| _, None => True
@@ -65,7 +65,7 @@ Record mem' : Type := mkmem {
mem_access: PMap.t (Z -> perm_kind -> option permission);
(**r [block -> offset -> kind -> option permission] *)
nextblock: block;
- access_max:
+ access_max:
forall b ofs, perm_order'' (mem_access#b ofs Max) (mem_access#b ofs Cur);
nextblock_noaccess:
forall b ofs k, ~(Plt b nextblock) -> mem_access#b ofs k = None;
@@ -118,12 +118,12 @@ Theorem perm_cur_max:
Proof.
assert (forall po1 po2 p,
perm_order' po2 p -> perm_order'' po1 po2 -> perm_order' po1 p).
- unfold perm_order', perm_order''. intros.
+ unfold perm_order', perm_order''. intros.
destruct po2; try contradiction.
- destruct po1; try contradiction.
+ destruct po1; try contradiction.
eapply perm_order_trans; eauto.
unfold perm; intros.
- generalize (access_max m b ofs). eauto.
+ generalize (access_max m b ofs). eauto.
Qed.
Theorem perm_cur:
@@ -143,11 +143,11 @@ Hint Local Resolve perm_cur perm_max: mem.
Theorem perm_valid_block:
forall m b ofs k p, perm m b ofs k p -> valid_block m b.
Proof.
- unfold perm; intros.
+ unfold perm; intros.
destruct (plt b m.(nextblock)).
auto.
assert (m.(mem_access)#b ofs k = None).
- eapply nextblock_noaccess; eauto.
+ eapply nextblock_noaccess; eauto.
rewrite H0 in H.
contradiction.
Qed.
@@ -204,14 +204,14 @@ Hint Local Resolve range_perm_implies range_perm_cur range_perm_max: mem.
Lemma range_perm_dec:
forall m b lo hi k p, {range_perm m b lo hi k p} + {~ range_perm m b lo hi k p}.
Proof.
- intros.
+ intros.
induction lo using (well_founded_induction_type (Zwf_up_well_founded hi)).
destruct (zlt lo hi).
destruct (perm_dec m b lo k p).
- destruct (H (lo + 1)). red. omega.
- left; red; intros. destruct (zeq lo ofs). congruence. apply r. omega.
+ destruct (H (lo + 1)). red. omega.
+ left; red; intros. destruct (zeq lo ofs). congruence. apply r. omega.
right; red; intros. elim n. red; intros; apply H0; omega.
- right; red; intros. elim n. apply H0. omega.
+ right; red; intros. elim n. apply H0. omega.
left; red; intros. omegaContradiction.
Defined.
@@ -282,7 +282,7 @@ Lemma valid_access_dec:
forall m chunk b ofs p,
{valid_access m chunk b ofs p} + {~ valid_access m chunk b ofs p}.
Proof.
- intros.
+ intros.
destruct (range_perm_dec m b ofs (ofs + size_chunk chunk) Cur p).
destruct (Zdivide_dec (align_chunk chunk) ofs (align_chunk_pos chunk)).
left; constructor; auto.
@@ -299,7 +299,7 @@ Theorem valid_pointer_nonempty_perm:
forall m b ofs,
valid_pointer m b ofs = true <-> perm m b ofs Cur Nonempty.
Proof.
- intros. unfold valid_pointer.
+ intros. unfold valid_pointer.
destruct (perm_dec m b ofs Cur Nonempty); simpl;
intuition congruence.
Qed.
@@ -308,10 +308,10 @@ Theorem valid_pointer_valid_access:
forall m b ofs,
valid_pointer m b ofs = true <-> valid_access m Mint8unsigned b ofs Nonempty.
Proof.
- intros. rewrite valid_pointer_nonempty_perm.
+ intros. rewrite valid_pointer_nonempty_perm.
split; intros.
split. simpl; red; intros. replace ofs0 with ofs by omega. auto.
- simpl. apply Zone_divide.
+ simpl. apply Zone_divide.
destruct H. apply H. simpl. omega.
Qed.
@@ -361,7 +361,7 @@ Qed.
infinite memory. *)
Program Definition alloc (m: mem) (lo hi: Z) :=
- (mkmem (PMap.set m.(nextblock)
+ (mkmem (PMap.set m.(nextblock)
(ZMap.init Undef)
m.(mem_contents))
(PMap.set m.(nextblock)
@@ -371,18 +371,18 @@ Program Definition alloc (m: mem) (lo hi: Z) :=
_ _ _,
m.(nextblock)).
Next Obligation.
- repeat rewrite PMap.gsspec. destruct (peq b (nextblock m)).
- subst b. destruct (zle lo ofs && zlt ofs hi); red; auto with mem.
- apply access_max.
+ repeat rewrite PMap.gsspec. destruct (peq b (nextblock m)).
+ subst b. destruct (zle lo ofs && zlt ofs hi); red; auto with mem.
+ apply access_max.
Qed.
Next Obligation.
- rewrite PMap.gsspec. destruct (peq b (nextblock m)).
- subst b. elim H. apply Plt_succ.
- apply nextblock_noaccess. red; intros; elim H.
+ rewrite PMap.gsspec. destruct (peq b (nextblock m)).
+ subst b. elim H. apply Plt_succ.
+ apply nextblock_noaccess. red; intros; elim H.
apply Plt_trans_succ; auto.
Qed.
Next Obligation.
- rewrite PMap.gsspec. destruct (peq b (nextblock m)). auto. apply contents_default.
+ rewrite PMap.gsspec. destruct (peq b (nextblock m)). auto. apply contents_default.
Qed.
(** Freeing a block between the given bounds.
@@ -392,13 +392,13 @@ Qed.
Program Definition unchecked_free (m: mem) (b: block) (lo hi: Z): mem :=
mkmem m.(mem_contents)
- (PMap.set b
+ (PMap.set b
(fun ofs k => if zle lo ofs && zlt ofs hi then None else m.(mem_access)#b ofs k)
m.(mem_access))
m.(nextblock) _ _ _.
Next Obligation.
repeat rewrite PMap.gsspec. destruct (peq b0 b).
- destruct (zle lo ofs && zlt ofs hi). red; auto. apply access_max.
+ destruct (zle lo ofs && zlt ofs hi). red; auto. apply access_max.
apply access_max.
Qed.
Next Obligation.
@@ -411,7 +411,7 @@ Next Obligation.
Qed.
Definition free (m: mem) (b: block) (lo hi: Z): option mem :=
- if range_perm_dec m b lo hi Cur Freeable
+ if range_perm_dec m b lo hi Cur Freeable
then Some(unchecked_free m b lo hi)
else None.
@@ -479,11 +479,11 @@ Remark setN_other:
ZMap.get q (setN vl p c) = ZMap.get q c.
Proof.
induction vl; intros; simpl.
- auto.
+ auto.
simpl length in H. rewrite inj_S in H.
transitivity (ZMap.get q (ZMap.set p a c)).
apply IHvl. intros. apply H. omega.
- apply ZMap.gso. apply not_eq_sym. apply H. omega.
+ apply ZMap.gso. apply not_eq_sym. apply H. omega.
Qed.
Remark setN_outside:
@@ -491,8 +491,8 @@ Remark setN_outside:
q < p \/ q >= p + Z_of_nat (length vl) ->
ZMap.get q (setN vl p c) = ZMap.get q c.
Proof.
- intros. apply setN_other.
- intros. omega.
+ intros. apply setN_other.
+ intros. omega.
Qed.
Remark getN_setN_same:
@@ -501,9 +501,9 @@ Remark getN_setN_same:
Proof.
induction vl; intros; simpl.
auto.
- decEq.
- rewrite setN_outside. apply ZMap.gss. omega.
- apply IHvl.
+ decEq.
+ rewrite setN_outside. apply ZMap.gss. omega.
+ apply IHvl.
Qed.
Remark getN_exten:
@@ -511,7 +511,7 @@ Remark getN_exten:
(forall i, p <= i < p + Z_of_nat n -> ZMap.get i c1 = ZMap.get i c2) ->
getN n p c1 = getN n p c2.
Proof.
- induction n; intros. auto. rewrite inj_S in H. simpl. decEq.
+ induction n; intros. auto. rewrite inj_S in H. simpl. decEq.
apply H. omega. apply IHn. intros. apply H. omega.
Qed.
@@ -521,7 +521,7 @@ Remark getN_setN_disjoint:
getN n p (setN vl q c) = getN n p c.
Proof.
intros. apply getN_exten. intros. apply setN_other.
- intros; red; intros; subst r. eelim H; eauto.
+ intros; red; intros; subst r. eelim H; eauto.
Qed.
Remark getN_setN_outside:
@@ -529,13 +529,13 @@ Remark getN_setN_outside:
p + Z_of_nat n <= q \/ q + Z_of_nat (length vl) <= p ->
getN n p (setN vl q c) = getN n p c.
Proof.
- intros. apply getN_setN_disjoint. apply Intv.disjoint_range. auto.
+ intros. apply getN_setN_disjoint. apply Intv.disjoint_range. auto.
Qed.
Remark setN_default:
forall vl q c, fst (setN vl q c) = fst c.
Proof.
- induction vl; simpl; intros. auto. rewrite IHvl. auto.
+ induction vl; simpl; intros. auto. rewrite IHvl. auto.
Qed.
(** [store chunk m b ofs v] perform a write in memory state [m].
@@ -545,7 +545,7 @@ Qed.
Program Definition store (chunk: memory_chunk) (m: mem) (b: block) (ofs: Z) (v: val): option mem :=
if valid_access_dec m chunk b ofs Writable then
- Some (mkmem (PMap.set b
+ Some (mkmem (PMap.set b
(setN (encode_val chunk v) ofs (m.(mem_contents)#b))
m.(mem_contents))
m.(mem_access)
@@ -555,9 +555,9 @@ Program Definition store (chunk: memory_chunk) (m: mem) (b: block) (ofs: Z) (v:
None.
Next Obligation. apply access_max. Qed.
Next Obligation. apply nextblock_noaccess; auto. Qed.
-Next Obligation.
+Next Obligation.
rewrite PMap.gsspec. destruct (peq b0 b).
- rewrite setN_default. apply contents_default.
+ rewrite setN_default. apply contents_default.
apply contents_default.
Qed.
@@ -585,9 +585,9 @@ Program Definition storebytes (m: mem) (b: block) (ofs: Z) (bytes: list memval)
None.
Next Obligation. apply access_max. Qed.
Next Obligation. apply nextblock_noaccess; auto. Qed.
-Next Obligation.
+Next Obligation.
rewrite PMap.gsspec. destruct (peq b0 b).
- rewrite setN_default. apply contents_default.
+ rewrite setN_default. apply contents_default.
apply contents_default.
Qed.
@@ -606,16 +606,16 @@ Program Definition drop_perm (m: mem) (b: block) (lo hi: Z) (p: permission): opt
else None.
Next Obligation.
repeat rewrite PMap.gsspec. destruct (peq b0 b). subst b0.
- destruct (zle lo ofs && zlt ofs hi). red; auto with mem. apply access_max.
+ destruct (zle lo ofs && zlt ofs hi). red; auto with mem. apply access_max.
apply access_max.
Qed.
Next Obligation.
- specialize (nextblock_noaccess m b0 ofs k H0). intros.
+ specialize (nextblock_noaccess m b0 ofs k H0). intros.
rewrite PMap.gsspec. destruct (peq b0 b). subst b0.
destruct (zle lo ofs). destruct (zlt ofs hi).
- assert (perm m b ofs k Freeable). apply perm_cur. apply H; auto.
+ assert (perm m b ofs k Freeable). apply perm_cur. apply H; auto.
unfold perm in H2. rewrite H1 in H2. contradiction.
- auto. auto. auto.
+ auto. auto. auto.
Qed.
Next Obligation.
apply contents_default.
@@ -629,13 +629,13 @@ Theorem nextblock_empty: nextblock empty = 1%positive.
Proof. reflexivity. Qed.
Theorem perm_empty: forall b ofs k p, ~perm empty b ofs k p.
-Proof.
- intros. unfold perm, empty; simpl. rewrite PMap.gi. simpl. tauto.
+Proof.
+ intros. unfold perm, empty; simpl. rewrite PMap.gi. simpl. tauto.
Qed.
Theorem valid_access_empty: forall chunk b ofs p, ~valid_access empty chunk b ofs p.
Proof.
- intros. red; intros. elim (perm_empty b ofs Cur p). apply H.
+ intros. red; intros. elim (perm_empty b ofs Cur p). apply H.
generalize (size_chunk_pos chunk); omega.
Qed.
@@ -646,7 +646,7 @@ Theorem valid_access_load:
valid_access m chunk b ofs Readable ->
exists v, load chunk m b ofs = Some v.
Proof.
- intros. econstructor. unfold load. rewrite pred_dec_true; eauto.
+ intros. econstructor. unfold load. rewrite pred_dec_true; eauto.
Qed.
Theorem load_valid_access:
@@ -654,9 +654,9 @@ Theorem load_valid_access:
load chunk m b ofs = Some v ->
valid_access m chunk b ofs Readable.
Proof.
- intros until v. unfold load.
+ intros until v. unfold load.
destruct (valid_access_dec m chunk b ofs Readable); intros.
- auto.
+ auto.
congruence.
Qed.
@@ -665,7 +665,7 @@ Lemma load_result:
load chunk m b ofs = Some v ->
v = decode_val chunk (getN (size_chunk_nat chunk) ofs (m.(mem_contents)#b)).
Proof.
- intros until v. unfold load.
+ intros until v. unfold load.
destruct (valid_access_dec m chunk b ofs Readable); intros.
congruence.
congruence.
@@ -678,8 +678,8 @@ Theorem load_type:
load chunk m b ofs = Some v ->
Val.has_type v (type_of_chunk chunk).
Proof.
- intros. exploit load_result; eauto; intros. rewrite H0.
- apply decode_val_type.
+ intros. exploit load_result; eauto; intros. rewrite H0.
+ apply decode_val_type.
Qed.
Theorem load_cast:
@@ -695,7 +695,7 @@ Theorem load_cast:
Proof.
intros. exploit load_result; eauto.
set (l := getN (size_chunk_nat chunk) ofs m.(mem_contents)#b).
- intros. subst v. apply decode_val_cast.
+ intros. subst v. apply decode_val_cast.
Qed.
Theorem load_int8_signed_unsigned:
@@ -706,7 +706,7 @@ Proof.
change (size_chunk_nat Mint8signed) with (size_chunk_nat Mint8unsigned).
set (cl := getN (size_chunk_nat Mint8unsigned) ofs m.(mem_contents)#b).
destruct (valid_access_dec m Mint8signed b ofs Readable).
- rewrite pred_dec_true; auto. unfold decode_val.
+ rewrite pred_dec_true; auto. unfold decode_val.
destruct (proj_bytes cl); auto.
simpl. decEq. decEq. rewrite Int.sign_ext_zero_ext. auto. compute; auto.
rewrite pred_dec_false; auto.
@@ -720,7 +720,7 @@ Proof.
change (size_chunk_nat Mint16signed) with (size_chunk_nat Mint16unsigned).
set (cl := getN (size_chunk_nat Mint16unsigned) ofs m.(mem_contents)#b).
destruct (valid_access_dec m Mint16signed b ofs Readable).
- rewrite pred_dec_true; auto. unfold decode_val.
+ rewrite pred_dec_true; auto. unfold decode_val.
destruct (proj_bytes cl); auto.
simpl. decEq. decEq. rewrite Int.sign_ext_zero_ext. auto. compute; auto.
rewrite pred_dec_false; auto.
@@ -733,7 +733,7 @@ Theorem range_perm_loadbytes:
range_perm m b ofs (ofs + len) Cur Readable ->
exists bytes, loadbytes m b ofs len = Some bytes.
Proof.
- intros. econstructor. unfold loadbytes. rewrite pred_dec_true; eauto.
+ intros. econstructor. unfold loadbytes. rewrite pred_dec_true; eauto.
Qed.
Theorem loadbytes_range_perm:
@@ -751,10 +751,10 @@ Theorem loadbytes_load:
(align_chunk chunk | ofs) ->
load chunk m b ofs = Some(decode_val chunk bytes).
Proof.
- unfold loadbytes, load; intros.
+ unfold loadbytes, load; intros.
destruct (range_perm_dec m b ofs (ofs + size_chunk chunk) Cur Readable);
try congruence.
- inv H. rewrite pred_dec_true. auto.
+ inv H. rewrite pred_dec_true. auto.
split; auto.
Qed.
@@ -765,9 +765,9 @@ Theorem load_loadbytes:
/\ v = decode_val chunk bytes.
Proof.
intros. exploit load_valid_access; eauto. intros [A B].
- exploit load_result; eauto. intros.
+ exploit load_result; eauto. intros.
exists (getN (size_chunk_nat chunk) ofs m.(mem_contents)#b); split.
- unfold loadbytes. rewrite pred_dec_true; auto.
+ unfold loadbytes. rewrite pred_dec_true; auto.
auto.
Qed.
@@ -794,7 +794,7 @@ Proof.
intros. unfold loadbytes. rewrite pred_dec_true. rewrite nat_of_Z_neg; auto.
red; intros. omegaContradiction.
Qed.
-
+
Lemma getN_concat:
forall c n1 n2 p,
getN (n1 + n2)%nat p c = getN n1 p c ++ getN n2 (p + Z_of_nat n1) c.
@@ -803,7 +803,7 @@ Proof.
simpl. decEq. omega.
rewrite inj_S. simpl. decEq.
replace (p + Zsucc (Z_of_nat n1)) with ((p + 1) + Z_of_nat n1) by omega.
- auto.
+ auto.
Qed.
Theorem loadbytes_concat:
@@ -819,7 +819,7 @@ Proof.
rewrite pred_dec_true. rewrite nat_of_Z_plus; auto.
rewrite getN_concat. rewrite nat_of_Z_eq; auto.
congruence.
- red; intros.
+ red; intros.
assert (ofs0 < ofs + n1 \/ ofs0 >= ofs + n1) by omega.
destruct H4. apply r; omega. apply r0; omega.
Qed.
@@ -829,15 +829,15 @@ Theorem loadbytes_split:
loadbytes m b ofs (n1 + n2) = Some bytes ->
n1 >= 0 -> n2 >= 0 ->
exists bytes1, exists bytes2,
- loadbytes m b ofs n1 = Some bytes1
+ loadbytes m b ofs n1 = Some bytes1
/\ loadbytes m b (ofs + n1) n2 = Some bytes2
/\ bytes = bytes1 ++ bytes2.
Proof.
- unfold loadbytes; intros.
+ unfold loadbytes; intros.
destruct (range_perm_dec m b ofs (ofs + (n1 + n2)) Cur Readable);
try congruence.
rewrite nat_of_Z_plus in H; auto. rewrite getN_concat in H.
- rewrite nat_of_Z_eq in H; auto.
+ rewrite nat_of_Z_eq in H; auto.
repeat rewrite pred_dec_true.
econstructor; econstructor.
split. reflexivity. split. reflexivity. congruence.
@@ -846,7 +846,7 @@ Proof.
Qed.
Theorem load_rep:
- forall ch m1 m2 b ofs v1 v2,
+ forall ch m1 m2 b ofs v1 v2,
(forall z, 0 <= z < size_chunk ch -> ZMap.get (ofs + z) m1.(mem_contents)#b = ZMap.get (ofs + z) m2.(mem_contents)#b) ->
load ch m1 b ofs = Some v1 ->
load ch m2 b ofs = Some v2 ->
@@ -879,11 +879,11 @@ Theorem load_int64_split:
/\ load Mint32 m b (ofs + 4) = Some (if Archi.big_endian then v2 else v1)
/\ Val.lessdef v (Val.longofwords v1 v2).
Proof.
- intros.
+ intros.
exploit load_valid_access; eauto. intros [A B]. simpl in *.
exploit load_loadbytes. eexact H. simpl. intros [bytes [LB EQ]].
- change 8 with (4 + 4) in LB.
- exploit loadbytes_split. eexact LB. omega. omega.
+ change 8 with (4 + 4) in LB.
+ exploit loadbytes_split. eexact LB. omega. omega.
intros (bytes1 & bytes2 & LB1 & LB2 & APP).
change 4 with (size_chunk Mint32) in LB1.
exploit loadbytes_load. eexact LB1.
@@ -898,8 +898,8 @@ Proof.
split. destruct Archi.big_endian; auto.
split. destruct Archi.big_endian; auto.
rewrite EQ. rewrite APP. apply decode_val_int64.
- erewrite loadbytes_length; eauto. reflexivity.
- erewrite loadbytes_length; eauto. reflexivity.
+ erewrite loadbytes_length; eauto. reflexivity.
+ erewrite loadbytes_length; eauto. reflexivity.
Qed.
Theorem loadv_int64_split:
@@ -916,12 +916,12 @@ Proof.
rewrite Int.add_unsigned. apply Int.unsigned_repr.
exploit load_valid_access. eexact H. intros [P Q]. simpl in Q.
exploit (Zdivide_interval (Int.unsigned i) Int.modulus 8).
- omega. apply Int.unsigned_range. auto. exists (two_p (32-3)); reflexivity.
+ omega. apply Int.unsigned_range. auto. exists (two_p (32-3)); reflexivity.
unfold Int.max_unsigned. omega.
exists v1; exists v2.
Opaque Int.repr.
split. auto.
- split. simpl. rewrite NV. auto.
+ split. simpl. rewrite NV. auto.
auto.
Qed.
@@ -933,7 +933,7 @@ Theorem valid_access_store:
{ m2: mem | store chunk m1 b ofs v = Some m2 }.
Proof.
intros.
- unfold store.
+ unfold store.
destruct (valid_access_dec m1 chunk b ofs Writable).
eauto.
contradiction.
@@ -956,7 +956,7 @@ Proof.
auto.
Qed.
-Lemma store_mem_contents:
+Lemma store_mem_contents:
mem_contents m2 = PMap.set b (setN (encode_val chunk v) ofs m1.(mem_contents)#b) m1.(mem_contents).
Proof.
unfold store in STORE. destruct (valid_access_dec m1 chunk b ofs Writable); inv STORE.
@@ -966,7 +966,7 @@ Qed.
Theorem perm_store_1:
forall b' ofs' k p, perm m1 b' ofs' k p -> perm m2 b' ofs' k p.
Proof.
- intros.
+ intros.
unfold perm in *. rewrite store_access; auto.
Qed.
@@ -1018,7 +1018,7 @@ Theorem store_valid_access_3:
valid_access m1 chunk b ofs Writable.
Proof.
unfold store in STORE. destruct (valid_access_dec m1 chunk b ofs Writable).
- auto.
+ auto.
congruence.
Qed.
@@ -1032,15 +1032,15 @@ Theorem load_store_similar:
Proof.
intros.
exploit (valid_access_load m2 chunk').
- eapply valid_access_compat. symmetry; eauto. auto. eauto with mem.
+ eapply valid_access_compat. symmetry; eauto. auto. eauto with mem.
intros [v' LOAD].
exists v'; split; auto.
- exploit load_result; eauto. intros B.
- rewrite B. rewrite store_mem_contents; simpl.
+ exploit load_result; eauto. intros B.
+ rewrite B. rewrite store_mem_contents; simpl.
rewrite PMap.gss.
replace (size_chunk_nat chunk') with (length (encode_val chunk v)).
- rewrite getN_setN_same. apply decode_encode_val_general.
- rewrite encode_val_length. repeat rewrite size_chunk_conv in H.
+ rewrite getN_setN_same. apply decode_encode_val_general.
+ rewrite encode_val_length. repeat rewrite size_chunk_conv in H.
apply inj_eq_rev; auto.
Qed.
@@ -1068,9 +1068,9 @@ Theorem load_store_other:
\/ ofs + size_chunk chunk <= ofs' ->
load chunk' m2 b' ofs' = load chunk' m1 b' ofs'.
Proof.
- intros. unfold load.
+ intros. unfold load.
destruct (valid_access_dec m1 chunk' b' ofs' Readable).
- rewrite pred_dec_true.
+ rewrite pred_dec_true.
decEq. decEq. rewrite store_mem_contents; simpl.
rewrite PMap.gsspec. destruct (peq b' b). subst b'.
apply getN_setN_outside. rewrite encode_val_length. repeat rewrite <- size_chunk_conv.
@@ -1078,7 +1078,7 @@ Proof.
auto.
eauto with mem.
rewrite pred_dec_false. auto.
- eauto with mem.
+ eauto with mem.
Qed.
Theorem loadbytes_store_same:
@@ -1086,12 +1086,12 @@ Theorem loadbytes_store_same:
Proof.
intros.
assert (valid_access m2 chunk b ofs Readable) by eauto with mem.
- unfold loadbytes. rewrite pred_dec_true. rewrite store_mem_contents; simpl.
+ unfold loadbytes. rewrite pred_dec_true. rewrite store_mem_contents; simpl.
rewrite PMap.gss.
replace (nat_of_Z (size_chunk chunk)) with (length (encode_val chunk v)).
rewrite getN_setN_same. auto.
rewrite encode_val_length. auto.
- apply H.
+ apply H.
Qed.
Theorem loadbytes_store_other:
@@ -1102,9 +1102,9 @@ Theorem loadbytes_store_other:
\/ ofs + size_chunk chunk <= ofs' ->
loadbytes m2 b' ofs' n = loadbytes m1 b' ofs' n.
Proof.
- intros. unfold loadbytes.
+ intros. unfold loadbytes.
destruct (range_perm_dec m1 b' ofs' (ofs' + n) Cur Readable).
- rewrite pred_dec_true.
+ rewrite pred_dec_true.
decEq. rewrite store_mem_contents; simpl.
rewrite PMap.gsspec. destruct (peq b' b). subst b'.
destruct H. congruence.
@@ -1112,7 +1112,7 @@ Proof.
rewrite (nat_of_Z_neg _ z). auto.
destruct H. omegaContradiction.
apply getN_setN_outside. rewrite encode_val_length. rewrite <- size_chunk_conv.
- rewrite nat_of_Z_eq. auto. omega.
+ rewrite nat_of_Z_eq. auto. omega.
auto.
red; intros. eauto with mem.
rewrite pred_dec_false. auto.
@@ -1126,8 +1126,8 @@ Lemma setN_in:
Proof.
induction vl; intros.
simpl in H. omegaContradiction.
- simpl length in H. rewrite inj_S in H. simpl.
- destruct (zeq p q). subst q. rewrite setN_outside. rewrite ZMap.gss.
+ simpl length in H. rewrite inj_S in H. simpl.
+ destruct (zeq p q). subst q. rewrite setN_outside. rewrite ZMap.gss.
auto with coqlib. omega.
right. apply IHvl. omega.
Qed.
@@ -1141,7 +1141,7 @@ Proof.
simpl in H; omegaContradiction.
rewrite inj_S in H. simpl. destruct (zeq p q).
subst q. auto.
- right. apply IHn. omega.
+ right. apply IHn. omega.
Qed.
End STORE.
@@ -1164,20 +1164,20 @@ Lemma load_store_overlap:
\/ (ofs' > ofs /\ In mv1' mvl)
\/ (ofs' < ofs /\ In mv1 mvl')).
Proof.
- intros.
+ intros.
exploit load_result; eauto. erewrite store_mem_contents by eauto; simpl.
- rewrite PMap.gss.
- set (c := (mem_contents m1)#b). intros V'.
- destruct (size_chunk_nat_pos chunk) as [sz SIZE].
+ rewrite PMap.gss.
+ set (c := (mem_contents m1)#b). intros V'.
+ destruct (size_chunk_nat_pos chunk) as [sz SIZE].
destruct (size_chunk_nat_pos chunk') as [sz' SIZE'].
destruct (encode_val chunk v) as [ | mv1 mvl] eqn:ENC.
generalize (encode_val_length chunk v); rewrite ENC; simpl; congruence.
set (c' := setN (mv1::mvl) ofs c) in *.
exists mv1, mvl, (ZMap.get ofs' c'), (getN sz' (ofs' + 1) c').
split. rewrite <- ENC. apply encode_val_shape.
- split. rewrite V', SIZE'. apply decode_val_shape.
+ split. rewrite V', SIZE'. apply decode_val_shape.
destruct (zeq ofs' ofs).
-- subst ofs'. left; split. auto. unfold c'. simpl.
+- subst ofs'. left; split. auto. unfold c'. simpl.
rewrite setN_outside by omega. apply ZMap.gss.
- right. destruct (zlt ofs ofs').
(* If ofs < ofs': the load reads (at ofs') a continuation byte from the write.
@@ -1185,7 +1185,7 @@ Proof.
[-------------------] write
[-------------------] read
*)
-+ left; split. omega. unfold c'. simpl. apply setN_in.
++ left; split. omega. unfold c'. simpl. apply setN_in.
assert (Z.of_nat (length (mv1 :: mvl)) = size_chunk chunk).
{ rewrite <- ENC; rewrite encode_val_length. rewrite size_chunk_conv; auto. }
simpl length in H3. rewrite inj_S in H3. omega.
@@ -1194,8 +1194,8 @@ Proof.
[-------------------] write
[----------------] read
*)
-+ right; split. omega. replace mv1 with (ZMap.get ofs c').
- apply getN_in.
++ right; split. omega. replace mv1 with (ZMap.get ofs c').
+ apply getN_in.
assert (size_chunk chunk' = Zsucc (Z.of_nat sz')).
{ rewrite size_chunk_conv. rewrite SIZE'. rewrite inj_S; auto. }
omega.
@@ -1231,20 +1231,20 @@ Proof.
destruct (peq b' b); auto. subst b'.
destruct (zle (ofs' + size_chunk chunk') ofs); auto.
destruct (zle (ofs + size_chunk chunk) ofs'); auto.
- exploit load_store_overlap; eauto.
+ exploit load_store_overlap; eauto.
intros (mv1 & mvl & mv1' & mvl' & ENC & DEC & CASES).
inv DEC; try contradiction.
destruct CASES as [(A & B) | [(A & B) | (A & B)]].
- (* Same offset *)
- subst. inv ENC.
+ subst. inv ENC.
assert (chunk = Mint32 \/ chunk = Many32 \/ chunk = Many64)
- by (destruct chunk; auto || contradiction).
+ by (destruct chunk; auto || contradiction).
left; split. rewrite H3.
destruct H4 as [P|[P|P]]; subst chunk'; destruct v0; simpl in H3; congruence.
split. apply compat_pointer_chunks_true; auto.
auto.
- (* ofs' > ofs *)
- inv ENC.
+ inv ENC.
+ exploit H10; eauto. intros (j & P & Q). inv P. congruence.
+ exploit H8; eauto. intros (n & P); congruence.
+ exploit H2; eauto. congruence.
@@ -1261,18 +1261,18 @@ Theorem load_store_pointer_overlap:
ofs + size_chunk chunk > ofs' ->
v = Vundef.
Proof.
- intros.
- exploit load_store_overlap; eauto.
+ intros.
+ exploit load_store_overlap; eauto.
intros (mv1 & mvl & mv1' & mvl' & ENC & DEC & CASES).
destruct CASES as [(A & B) | [(A & B) | (A & B)]].
- congruence.
-- inv ENC.
+- inv ENC.
+ exploit H9; eauto. intros (j & P & Q). subst mv1'. inv DEC. congruence. auto.
+ contradiction.
+ exploit H5; eauto. intros; subst. inv DEC; auto.
-- inv DEC.
- + exploit H10; eauto. intros (j & P & Q). subst mv1. inv ENC. congruence.
- + exploit H8; eauto. intros (n & P). subst mv1. inv ENC. contradiction.
+- inv DEC.
+ + exploit H10; eauto. intros (j & P & Q). subst mv1. inv ENC. congruence.
+ + exploit H8; eauto. intros (n & P). subst mv1. inv ENC. contradiction.
+ auto.
Qed.
@@ -1284,7 +1284,7 @@ Theorem load_store_pointer_mismatch:
v = Vundef.
Proof.
intros.
- exploit load_store_overlap; eauto.
+ exploit load_store_overlap; eauto.
generalize (size_chunk_pos chunk'); omega.
generalize (size_chunk_pos chunk); omega.
intros (mv1 & mvl & mv1' & mvl' & ENC & DEC & CASES).
@@ -1300,7 +1300,7 @@ Lemma store_similar_chunks:
align_chunk chunk1 = align_chunk chunk2 ->
store chunk1 m b ofs v1 = store chunk2 m b ofs v2.
Proof.
- intros. unfold store.
+ intros. unfold store.
assert (size_chunk chunk1 = size_chunk chunk2).
repeat rewrite size_chunk_conv.
rewrite <- (encode_val_length chunk1 v1).
@@ -1353,7 +1353,7 @@ Theorem store_float64al32:
forall m b ofs v m',
store Mfloat64 m b ofs v = Some m' -> store Mfloat64al32 m b ofs v = Some m'.
Proof.
- unfold store; intros.
+ unfold store; intros.
destruct (valid_access_dec m Mfloat64 b ofs Writable); try discriminate.
destruct (valid_access_dec m Mfloat64al32 b ofs Writable).
rewrite <- H. f_equal. apply mkmem_ext; auto.
@@ -1377,7 +1377,7 @@ Theorem range_perm_storebytes:
Proof.
intros. unfold storebytes.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable).
- econstructor; reflexivity.
+ econstructor; reflexivity.
contradiction.
Defined.
@@ -1387,11 +1387,11 @@ Theorem storebytes_store:
(align_chunk chunk | ofs) ->
store chunk m1 b ofs v = Some m2.
Proof.
- unfold storebytes, store. intros.
+ unfold storebytes, store. intros.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length (encode_val chunk v))) Cur Writable); inv H.
destruct (valid_access_dec m1 chunk b ofs Writable).
f_equal. apply mkmem_ext; auto.
- elim n. constructor; auto.
+ elim n. constructor; auto.
rewrite encode_val_length in r. rewrite size_chunk_conv. auto.
Qed.
@@ -1400,14 +1400,14 @@ Theorem store_storebytes:
store chunk m1 b ofs v = Some m2 ->
storebytes m1 b ofs (encode_val chunk v) = Some m2.
Proof.
- unfold storebytes, store. intros.
+ unfold storebytes, store. intros.
destruct (valid_access_dec m1 chunk b ofs Writable); inv H.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length (encode_val chunk v))) Cur Writable).
f_equal. apply mkmem_ext; auto.
- destruct v0. elim n.
+ destruct v0. elim n.
rewrite encode_val_length. rewrite <- size_chunk_conv. auto.
Qed.
-
+
Section STOREBYTES.
Variable m1: mem.
Variable b: block.
@@ -1418,7 +1418,7 @@ Hypothesis STORE: storebytes m1 b ofs bytes = Some m2.
Lemma storebytes_access: mem_access m2 = mem_access m1.
Proof.
- unfold storebytes in STORE.
+ unfold storebytes in STORE.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable);
inv STORE.
auto.
@@ -1427,7 +1427,7 @@ Qed.
Lemma storebytes_mem_contents:
mem_contents m2 = PMap.set b (setN bytes ofs m1.(mem_contents)#b) m1.(mem_contents).
Proof.
- unfold storebytes in STORE.
+ unfold storebytes in STORE.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable);
inv STORE.
auto.
@@ -1467,7 +1467,7 @@ Theorem nextblock_storebytes:
nextblock m2 = nextblock m1.
Proof.
intros.
- unfold storebytes in STORE.
+ unfold storebytes in STORE.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable);
inv STORE.
auto.
@@ -1490,8 +1490,8 @@ Local Hint Resolve storebytes_valid_block_1 storebytes_valid_block_2: mem.
Theorem storebytes_range_perm:
range_perm m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable.
Proof.
- intros.
- unfold storebytes in STORE.
+ intros.
+ unfold storebytes in STORE.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable);
inv STORE.
auto.
@@ -1500,13 +1500,13 @@ Qed.
Theorem loadbytes_storebytes_same:
loadbytes m2 b ofs (Z_of_nat (length bytes)) = Some bytes.
Proof.
- intros. unfold storebytes in STORE. unfold loadbytes.
+ intros. unfold storebytes in STORE. unfold loadbytes.
destruct (range_perm_dec m1 b ofs (ofs + Z_of_nat (length bytes)) Cur Writable);
try discriminate.
- rewrite pred_dec_true.
- decEq. inv STORE; simpl. rewrite PMap.gss. rewrite nat_of_Z_of_nat.
- apply getN_setN_same.
- red; eauto with mem.
+ rewrite pred_dec_true.
+ decEq. inv STORE; simpl. rewrite PMap.gss. rewrite nat_of_Z_of_nat.
+ apply getN_setN_same.
+ red; eauto with mem.
Qed.
Theorem loadbytes_storebytes_disjoint:
@@ -1517,13 +1517,13 @@ Theorem loadbytes_storebytes_disjoint:
Proof.
intros. unfold loadbytes.
destruct (range_perm_dec m1 b' ofs' (ofs' + len) Cur Readable).
- rewrite pred_dec_true.
- rewrite storebytes_mem_contents. decEq.
- rewrite PMap.gsspec. destruct (peq b' b). subst b'.
+ rewrite pred_dec_true.
+ rewrite storebytes_mem_contents. decEq.
+ rewrite PMap.gsspec. destruct (peq b' b). subst b'.
apply getN_setN_disjoint. rewrite nat_of_Z_eq; auto. intuition congruence.
auto.
red; auto with mem.
- apply pred_dec_false.
+ apply pred_dec_false.
red; intros; elim n. red; auto with mem.
Qed.
@@ -1535,8 +1535,8 @@ Theorem loadbytes_storebytes_other:
\/ ofs + Z_of_nat (length bytes) <= ofs' ->
loadbytes m2 b' ofs' len = loadbytes m1 b' ofs' len.
Proof.
- intros. apply loadbytes_storebytes_disjoint; auto.
- destruct H0; auto. right. apply Intv.disjoint_range; auto.
+ intros. apply loadbytes_storebytes_disjoint; auto.
+ destruct H0; auto. right. apply Intv.disjoint_range; auto.
Qed.
Theorem load_storebytes_other:
@@ -1548,13 +1548,13 @@ Theorem load_storebytes_other:
Proof.
intros. unfold load.
destruct (valid_access_dec m1 chunk b' ofs' Readable).
- rewrite pred_dec_true.
+ rewrite pred_dec_true.
rewrite storebytes_mem_contents. decEq.
rewrite PMap.gsspec. destruct (peq b' b). subst b'.
rewrite getN_setN_outside. auto. rewrite <- size_chunk_conv. intuition congruence.
auto.
destruct v; split; auto. red; auto with mem.
- apply pred_dec_false.
+ apply pred_dec_false.
red; intros; elim n. destruct H0. split; auto. red; auto with mem.
Qed.
@@ -1582,10 +1582,10 @@ Proof.
destruct (range_perm_dec m b ofs (ofs + Z_of_nat (length (bytes1 ++ bytes2))) Cur Writable).
inv ST1; inv ST2; simpl. decEq. apply mkmem_ext; auto.
rewrite PMap.gss. rewrite setN_concat. symmetry. apply PMap.set2.
- elim n.
+ elim n.
rewrite app_length. rewrite inj_plus. red; intros.
destruct (zlt ofs0 (ofs + Z_of_nat(length bytes1))).
- apply r. omega.
+ apply r. omega.
eapply perm_storebytes_2; eauto. apply r0. omega.
Qed.
@@ -1596,18 +1596,18 @@ Theorem storebytes_split:
storebytes m b ofs bytes1 = Some m1
/\ storebytes m1 b (ofs + Z_of_nat(length bytes1)) bytes2 = Some m2.
Proof.
- intros.
+ intros.
destruct (range_perm_storebytes m b ofs bytes1) as [m1 ST1].
- red; intros. exploit storebytes_range_perm; eauto. rewrite app_length.
+ red; intros. exploit storebytes_range_perm; eauto. rewrite app_length.
rewrite inj_plus. omega.
destruct (range_perm_storebytes m1 b (ofs + Z_of_nat (length bytes1)) bytes2) as [m2' ST2].
- red; intros. eapply perm_storebytes_1; eauto. exploit storebytes_range_perm.
+ red; intros. eapply perm_storebytes_1; eauto. exploit storebytes_range_perm.
eexact H. instantiate (1 := ofs0). rewrite app_length. rewrite inj_plus. omega.
auto.
assert (Some m2 = Some m2').
rewrite <- H. eapply storebytes_concat; eauto.
inv H0.
- exists m1; split; auto.
+ exists m1; split; auto.
Qed.
Theorem store_int64_split:
@@ -1617,16 +1617,16 @@ Theorem store_int64_split:
store Mint32 m b ofs (if Archi.big_endian then Val.hiword v else Val.loword v) = Some m1
/\ store Mint32 m1 b (ofs + 4) (if Archi.big_endian then Val.loword v else Val.hiword v) = Some m'.
Proof.
- intros.
+ intros.
exploit store_valid_access_3; eauto. intros [A B]. simpl in *.
exploit store_storebytes. eexact H. intros SB.
- rewrite encode_val_int64 in SB.
- exploit storebytes_split. eexact SB. intros [m1 [SB1 SB2]].
- rewrite encode_val_length in SB2. simpl in SB2.
- exists m1; split.
+ rewrite encode_val_int64 in SB.
+ exploit storebytes_split. eexact SB. intros [m1 [SB1 SB2]].
+ rewrite encode_val_length in SB2. simpl in SB2.
+ exists m1; split.
apply storebytes_store. exact SB1.
simpl. apply Zdivides_trans with 8; auto. exists 2; auto.
- apply storebytes_store. exact SB2.
+ apply storebytes_store. exact SB2.
simpl. apply Zdivide_plus_r. apply Zdivides_trans with 8; auto. exists 2; auto. exists 1; auto.
Qed.
@@ -1644,8 +1644,8 @@ Proof.
unfold storev, Val.add. rewrite Int.add_unsigned. rewrite Int.unsigned_repr. exact B.
exploit store_valid_access_3. eexact H. intros [P Q]. simpl in Q.
exploit (Zdivide_interval (Int.unsigned i) Int.modulus 8).
- omega. apply Int.unsigned_range. auto. exists (two_p (32-3)); reflexivity.
- change (Int.unsigned (Int.repr 4)) with 4. unfold Int.max_unsigned. omega.
+ omega. apply Int.unsigned_range. auto. exists (two_p (32-3)); reflexivity.
+ change (Int.unsigned (Int.repr 4)) with 4. unfold Int.max_unsigned. omega.
Qed.
(** ** Properties related to [alloc]. *)
@@ -1673,14 +1673,14 @@ Qed.
Theorem valid_block_alloc:
forall b', valid_block m1 b' -> valid_block m2 b'.
Proof.
- unfold valid_block; intros. rewrite nextblock_alloc.
+ unfold valid_block; intros. rewrite nextblock_alloc.
apply Plt_trans_succ; auto.
Qed.
Theorem fresh_block_alloc:
~(valid_block m1 b).
Proof.
- unfold valid_block. rewrite alloc_result. apply Plt_strict.
+ unfold valid_block. rewrite alloc_result. apply Plt_strict.
Qed.
Theorem valid_new_block:
@@ -1694,8 +1694,8 @@ Local Hint Resolve valid_block_alloc fresh_block_alloc valid_new_block: mem.
Theorem valid_block_alloc_inv:
forall b', valid_block m2 b' -> b' = b \/ valid_block m1 b'.
Proof.
- unfold valid_block; intros.
- rewrite nextblock_alloc in H. rewrite alloc_result.
+ unfold valid_block; intros.
+ rewrite nextblock_alloc in H. rewrite alloc_result.
exploit Plt_succ_inv; eauto. tauto.
Qed.
@@ -1704,7 +1704,7 @@ Theorem perm_alloc_1:
Proof.
unfold perm; intros. injection ALLOC; intros. rewrite <- H1; simpl.
subst b. rewrite PMap.gsspec. destruct (peq b' (nextblock m1)); auto.
- rewrite nextblock_noaccess in H. contradiction. subst b'. apply Plt_strict.
+ rewrite nextblock_noaccess in H. contradiction. subst b'. apply Plt_strict.
Qed.
Theorem perm_alloc_2:
@@ -1716,21 +1716,21 @@ Proof.
Qed.
Theorem perm_alloc_inv:
- forall b' ofs k p,
+ forall b' ofs k p,
perm m2 b' ofs k p ->
if eq_block b' b then lo <= ofs < hi else perm m1 b' ofs k p.
Proof.
- intros until p; unfold perm. inv ALLOC. simpl.
+ intros until p; unfold perm. inv ALLOC. simpl.
rewrite PMap.gsspec. unfold eq_block. destruct (peq b' (nextblock m1)); intros.
destruct (zle lo ofs); try contradiction. destruct (zlt ofs hi); try contradiction.
- split; auto.
+ split; auto.
auto.
Qed.
Theorem perm_alloc_3:
forall ofs k p, perm m2 b ofs k p -> lo <= ofs < hi.
Proof.
- intros. exploit perm_alloc_inv; eauto. rewrite dec_eq_true; auto.
+ intros. exploit perm_alloc_inv; eauto. rewrite dec_eq_true; auto.
Qed.
Theorem perm_alloc_4:
@@ -1756,7 +1756,7 @@ Theorem valid_access_alloc_same:
valid_access m2 chunk b ofs Freeable.
Proof.
intros. constructor; auto with mem.
- red; intros. apply perm_alloc_2. omega.
+ red; intros. apply perm_alloc_2. omega.
Qed.
Local Hint Resolve valid_access_alloc_other valid_access_alloc_same: mem.
@@ -1771,13 +1771,13 @@ Proof.
intros. inv H.
generalize (size_chunk_pos chunk); intro.
destruct (eq_block b' b). subst b'.
- assert (perm m2 b ofs Cur p). apply H0. omega.
- assert (perm m2 b (ofs + size_chunk chunk - 1) Cur p). apply H0. omega.
+ assert (perm m2 b ofs Cur p). apply H0. omega.
+ assert (perm m2 b (ofs + size_chunk chunk - 1) Cur p). apply H0. omega.
exploit perm_alloc_inv. eexact H2. rewrite dec_eq_true. intro.
- exploit perm_alloc_inv. eexact H3. rewrite dec_eq_true. intro.
- intuition omega.
- split; auto. red; intros.
- exploit perm_alloc_inv. apply H0. eauto. rewrite dec_eq_false; auto.
+ exploit perm_alloc_inv. eexact H3. rewrite dec_eq_true. intro.
+ intuition omega.
+ split; auto. red; intros.
+ exploit perm_alloc_inv. apply H0. eauto. rewrite dec_eq_false; auto.
Qed.
Theorem load_alloc_unchanged:
@@ -1809,7 +1809,7 @@ Theorem load_alloc_same:
load chunk m2 b ofs = Some v ->
v = Vundef.
Proof.
- intros. exploit load_result; eauto. intro. rewrite H0.
+ intros. exploit load_result; eauto. intro. rewrite H0.
injection ALLOC; intros. rewrite <- H2; simpl. rewrite <- H1.
rewrite PMap.gss. destruct chunk; simpl; repeat rewrite ZMap.gi; reflexivity.
Qed.
@@ -1831,14 +1831,14 @@ Theorem loadbytes_alloc_unchanged:
valid_block m1 b' ->
loadbytes m2 b' ofs n = loadbytes m1 b' ofs n.
Proof.
- intros. unfold loadbytes.
+ intros. unfold loadbytes.
destruct (range_perm_dec m1 b' ofs (ofs + n) Cur Readable).
rewrite pred_dec_true.
- injection ALLOC; intros A B. rewrite <- B; simpl.
+ injection ALLOC; intros A B. rewrite <- B; simpl.
rewrite PMap.gso. auto. rewrite A. eauto with mem.
- red; intros. eapply perm_alloc_1; eauto.
+ red; intros. eapply perm_alloc_1; eauto.
rewrite pred_dec_false; auto.
- red; intros; elim n0. red; intros. eapply perm_alloc_4; eauto. eauto with mem.
+ red; intros; elim n0. red; intros. eapply perm_alloc_4; eauto. eauto with mem.
Qed.
Theorem loadbytes_alloc_same:
@@ -1848,9 +1848,9 @@ Theorem loadbytes_alloc_same:
Proof.
unfold loadbytes; intros. destruct (range_perm_dec m2 b ofs (ofs + n) Cur Readable); inv H.
revert H0.
- injection ALLOC; intros A B. rewrite <- A; rewrite <- B; simpl. rewrite PMap.gss.
- generalize (nat_of_Z n) ofs. induction n0; simpl; intros.
- contradiction.
+ injection ALLOC; intros A B. rewrite <- A; rewrite <- B; simpl. rewrite PMap.gss.
+ generalize (nat_of_Z n) ofs. induction n0; simpl; intros.
+ contradiction.
rewrite ZMap.gi in H0. destruct H0; eauto.
Qed.
@@ -1919,7 +1919,7 @@ Theorem perm_free_1:
Proof.
intros. rewrite free_result. unfold perm, unchecked_free; simpl.
rewrite PMap.gsspec. destruct (peq b bf). subst b.
- destruct (zle lo ofs); simpl.
+ destruct (zle lo ofs); simpl.
destruct (zlt ofs hi); simpl.
elimtype False; intuition.
auto. auto.
@@ -1930,7 +1930,7 @@ Theorem perm_free_2:
forall ofs k p, lo <= ofs < hi -> ~ perm m2 bf ofs k p.
Proof.
intros. rewrite free_result. unfold perm, unchecked_free; simpl.
- rewrite PMap.gss. unfold proj_sumbool. rewrite zle_true. rewrite zlt_true.
+ rewrite PMap.gss. unfold proj_sumbool. rewrite zle_true. rewrite zlt_true.
simpl. tauto. omega. omega.
Qed.
@@ -1940,9 +1940,9 @@ Theorem perm_free_3:
Proof.
intros until p. rewrite free_result. unfold perm, unchecked_free; simpl.
rewrite PMap.gsspec. destruct (peq b bf). subst b.
- destruct (zle lo ofs); simpl.
- destruct (zlt ofs hi); simpl. tauto.
- auto. auto. auto.
+ destruct (zle lo ofs); simpl.
+ destruct (zlt ofs hi); simpl. tauto.
+ auto. auto. auto.
Qed.
Theorem perm_free_inv:
@@ -1958,13 +1958,13 @@ Qed.
Theorem valid_access_free_1:
forall chunk b ofs p,
- valid_access m1 chunk b ofs p ->
+ valid_access m1 chunk b ofs p ->
b <> bf \/ lo >= hi \/ ofs + size_chunk chunk <= lo \/ hi <= ofs ->
valid_access m2 chunk b ofs p.
Proof.
intros. inv H. constructor; auto with mem.
red; intros. eapply perm_free_1; eauto.
- destruct (zlt lo hi). intuition. right. omega.
+ destruct (zlt lo hi). intuition. right. omega.
Qed.
Theorem valid_access_free_2:
@@ -1972,13 +1972,13 @@ Theorem valid_access_free_2:
lo < hi -> ofs + size_chunk chunk > lo -> ofs < hi ->
~(valid_access m2 chunk bf ofs p).
Proof.
- intros; red; intros. inv H2.
+ intros; red; intros. inv H2.
generalize (size_chunk_pos chunk); intros.
destruct (zlt ofs lo).
elim (perm_free_2 lo Cur p).
- omega. apply H3. omega.
+ omega. apply H3. omega.
elim (perm_free_2 ofs Cur p).
- omega. apply H3. omega.
+ omega. apply H3. omega.
Qed.
Theorem valid_access_free_inv_1:
@@ -1986,13 +1986,13 @@ Theorem valid_access_free_inv_1:
valid_access m2 chunk b ofs p ->
valid_access m1 chunk b ofs p.
Proof.
- intros. destruct H. split; auto.
- red; intros. generalize (H ofs0 H1).
- rewrite free_result. unfold perm, unchecked_free; simpl.
+ intros. destruct H. split; auto.
+ red; intros. generalize (H ofs0 H1).
+ rewrite free_result. unfold perm, unchecked_free; simpl.
rewrite PMap.gsspec. destruct (peq b bf). subst b.
destruct (zle lo ofs0); simpl.
destruct (zlt ofs0 hi); simpl.
- tauto. auto. auto. auto.
+ tauto. auto. auto. auto.
Qed.
Theorem valid_access_free_inv_2:
@@ -2001,7 +2001,7 @@ Theorem valid_access_free_inv_2:
lo >= hi \/ ofs + size_chunk chunk <= lo \/ hi <= ofs.
Proof.
intros.
- destruct (zlt lo hi); auto.
+ destruct (zlt lo hi); auto.
destruct (zle (ofs + size_chunk chunk) lo); auto.
destruct (zle hi ofs); auto.
elim (valid_access_free_2 chunk ofs p); auto. omega.
@@ -2014,19 +2014,19 @@ Theorem load_free:
Proof.
intros. unfold load.
destruct (valid_access_dec m2 chunk b ofs Readable).
- rewrite pred_dec_true.
+ rewrite pred_dec_true.
rewrite free_result; auto.
- eapply valid_access_free_inv_1; eauto.
+ eapply valid_access_free_inv_1; eauto.
rewrite pred_dec_false; auto.
- red; intro; elim n. eapply valid_access_free_1; eauto.
+ red; intro; elim n. eapply valid_access_free_1; eauto.
Qed.
Theorem load_free_2:
forall chunk b ofs v,
load chunk m2 b ofs = Some v -> load chunk m1 b ofs = Some v.
Proof.
- intros. unfold load. rewrite pred_dec_true.
- rewrite (load_result _ _ _ _ _ H). rewrite free_result; auto.
+ intros. unfold load. rewrite pred_dec_true.
+ rewrite (load_result _ _ _ _ _ H). rewrite free_result; auto.
apply valid_access_free_inv_1. eauto with mem.
Qed.
@@ -2035,14 +2035,14 @@ Theorem loadbytes_free:
b <> bf \/ lo >= hi \/ ofs + n <= lo \/ hi <= ofs ->
loadbytes m2 b ofs n = loadbytes m1 b ofs n.
Proof.
- intros. unfold loadbytes.
+ intros. unfold loadbytes.
destruct (range_perm_dec m2 b ofs (ofs + n) Cur Readable).
- rewrite pred_dec_true.
- rewrite free_result; auto.
- red; intros. eapply perm_free_3; eauto.
- rewrite pred_dec_false; auto.
- red; intros. elim n0; red; intros.
- eapply perm_free_1; eauto. destruct H; auto. right; omega.
+ rewrite pred_dec_true.
+ rewrite free_result; auto.
+ red; intros. eapply perm_free_3; eauto.
+ rewrite pred_dec_false; auto.
+ red; intros. elim n0; red; intros.
+ eapply perm_free_1; eauto. destruct H; auto. right; omega.
Qed.
Theorem loadbytes_free_2:
@@ -2052,13 +2052,13 @@ Proof.
intros. unfold loadbytes in *.
destruct (range_perm_dec m2 b ofs (ofs + n) Cur Readable); inv H.
rewrite pred_dec_true. rewrite free_result; auto.
- red; intros. apply perm_free_3; auto.
+ red; intros. apply perm_free_3; auto.
Qed.
End FREE.
Local Hint Resolve valid_block_free_1 valid_block_free_2
- perm_free_1 perm_free_2 perm_free_3
+ perm_free_1 perm_free_2 perm_free_3
valid_access_free_1 valid_access_free_inv_1: mem.
(** ** Properties related to [drop_perm] *)
@@ -2066,7 +2066,7 @@ Local Hint Resolve valid_block_free_1 valid_block_free_2
Theorem range_perm_drop_1:
forall m b lo hi p m', drop_perm m b lo hi p = Some m' -> range_perm m b lo hi Cur Freeable.
Proof.
- unfold drop_perm; intros.
+ unfold drop_perm; intros.
destruct (range_perm_dec m b lo hi Cur Freeable). auto. discriminate.
Qed.
@@ -2074,7 +2074,7 @@ Theorem range_perm_drop_2:
forall m b lo hi p,
range_perm m b lo hi Cur Freeable -> {m' | drop_perm m b lo hi p = Some m' }.
Proof.
- unfold drop_perm; intros.
+ unfold drop_perm; intros.
destruct (range_perm_dec m b lo hi Cur Freeable). econstructor. eauto. contradiction.
Defined.
@@ -2110,19 +2110,19 @@ Theorem perm_drop_1:
Proof.
intros.
unfold drop_perm in DROP. destruct (range_perm_dec m b lo hi Cur Freeable); inv DROP.
- unfold perm. simpl. rewrite PMap.gss. unfold proj_sumbool.
+ unfold perm. simpl. rewrite PMap.gss. unfold proj_sumbool.
rewrite zle_true. rewrite zlt_true. simpl. constructor.
- omega. omega.
+ omega. omega.
Qed.
-
+
Theorem perm_drop_2:
forall ofs k p', lo <= ofs < hi -> perm m' b ofs k p' -> perm_order p p'.
Proof.
intros.
unfold drop_perm in DROP. destruct (range_perm_dec m b lo hi Cur Freeable); inv DROP.
- revert H0. unfold perm; simpl. rewrite PMap.gss. unfold proj_sumbool.
- rewrite zle_true. rewrite zlt_true. simpl. auto.
- omega. omega.
+ revert H0. unfold perm; simpl. rewrite PMap.gss. unfold proj_sumbool.
+ rewrite zle_true. rewrite zlt_true. simpl. auto.
+ omega. omega.
Qed.
Theorem perm_drop_3:
@@ -2130,8 +2130,8 @@ Theorem perm_drop_3:
Proof.
intros.
unfold drop_perm in DROP. destruct (range_perm_dec m b lo hi Cur Freeable); inv DROP.
- unfold perm; simpl. rewrite PMap.gsspec. destruct (peq b' b). subst b'.
- unfold proj_sumbool. destruct (zle lo ofs). destruct (zlt ofs hi).
+ unfold perm; simpl. rewrite PMap.gsspec. destruct (peq b' b). subst b'.
+ unfold proj_sumbool. destruct (zle lo ofs). destruct (zlt ofs hi).
byContradiction. intuition omega.
auto. auto. auto.
Qed.
@@ -2149,30 +2149,30 @@ Proof.
Qed.
Lemma valid_access_drop_1:
- forall chunk b' ofs p',
+ forall chunk b' ofs p',
b' <> b \/ ofs + size_chunk chunk <= lo \/ hi <= ofs \/ perm_order p p' ->
valid_access m chunk b' ofs p' -> valid_access m' chunk b' ofs p'.
Proof.
- intros. destruct H0. split; auto.
+ intros. destruct H0. split; auto.
red; intros.
destruct (eq_block b' b). subst b'.
- destruct (zlt ofs0 lo). eapply perm_drop_3; eauto.
+ destruct (zlt ofs0 lo). eapply perm_drop_3; eauto.
destruct (zle hi ofs0). eapply perm_drop_3; eauto.
- apply perm_implies with p. eapply perm_drop_1; eauto. omega.
+ apply perm_implies with p. eapply perm_drop_1; eauto. omega.
generalize (size_chunk_pos chunk); intros. intuition.
eapply perm_drop_3; eauto.
Qed.
Lemma valid_access_drop_2:
- forall chunk b' ofs p',
+ forall chunk b' ofs p',
valid_access m' chunk b' ofs p' -> valid_access m chunk b' ofs p'.
Proof.
- intros. destruct H; split; auto.
- red; intros. eapply perm_drop_4; eauto.
+ intros. destruct H; split; auto.
+ red; intros. eapply perm_drop_4; eauto.
Qed.
Theorem load_drop:
- forall chunk b' ofs,
+ forall chunk b' ofs,
b' <> b \/ ofs + size_chunk chunk <= lo \/ hi <= ofs \/ perm_order p Readable ->
load chunk m' b' ofs = load chunk m b' ofs.
Proof.
@@ -2181,13 +2181,13 @@ Proof.
destruct (valid_access_dec m chunk b' ofs Readable).
rewrite pred_dec_true.
unfold drop_perm in DROP. destruct (range_perm_dec m b lo hi Cur Freeable); inv DROP. simpl. auto.
- eapply valid_access_drop_1; eauto.
+ eapply valid_access_drop_1; eauto.
rewrite pred_dec_false. auto.
red; intros; elim n. eapply valid_access_drop_2; eauto.
Qed.
Theorem loadbytes_drop:
- forall b' ofs n,
+ forall b' ofs n,
b' <> b \/ ofs + n <= lo \/ hi <= ofs \/ perm_order p Readable ->
loadbytes m' b' ofs n = loadbytes m b' ofs n.
Proof.
@@ -2198,13 +2198,13 @@ Proof.
unfold drop_perm in DROP. destruct (range_perm_dec m b lo hi Cur Freeable); inv DROP. simpl. auto.
red; intros.
destruct (eq_block b' b). subst b'.
- destruct (zlt ofs0 lo). eapply perm_drop_3; eauto.
+ destruct (zlt ofs0 lo). eapply perm_drop_3; eauto.
destruct (zle hi ofs0). eapply perm_drop_3; eauto.
apply perm_implies with p. eapply perm_drop_1; eauto. omega. intuition.
- eapply perm_drop_3; eauto.
- rewrite pred_dec_false; eauto.
- red; intros; elim n0; red; intros.
- eapply perm_drop_4; eauto.
+ eapply perm_drop_3; eauto.
+ rewrite pred_dec_false; eauto.
+ red; intros; elim n0; red; intros.
+ eapply perm_drop_4; eauto.
Qed.
End DROP.
@@ -2247,7 +2247,7 @@ Lemma perm_inj:
f b1 = Some(b2, delta) ->
perm m2 b2 (ofs + delta) k p.
Proof.
- intros. eapply mi_perm; eauto.
+ intros. eapply mi_perm; eauto.
Qed.
Lemma range_perm_inj:
@@ -2284,18 +2284,18 @@ Lemma getN_inj:
f b1 = Some(b2, delta) ->
forall n ofs,
range_perm m1 b1 ofs (ofs + Z_of_nat n) Cur Readable ->
- list_forall2 (memval_inject f)
+ list_forall2 (memval_inject f)
(getN n ofs (m1.(mem_contents)#b1))
(getN n (ofs + delta) (m2.(mem_contents)#b2)).
Proof.
induction n; intros; simpl.
constructor.
- rewrite inj_S in H1.
- constructor.
+ rewrite inj_S in H1.
+ constructor.
eapply mi_memval; eauto.
- apply H1. omega.
+ apply H1. omega.
replace (ofs + delta + 1) with ((ofs + 1) + delta) by omega.
- apply IHn. red; intros; apply H1; omega.
+ apply IHn. red; intros; apply H1; omega.
Qed.
Lemma load_inj:
@@ -2307,10 +2307,10 @@ Lemma load_inj:
Proof.
intros.
exists (decode_val chunk (getN (size_chunk_nat chunk) (ofs + delta) (m2.(mem_contents)#b2))).
- split. unfold load. apply pred_dec_true.
+ split. unfold load. apply pred_dec_true.
eapply valid_access_inj; eauto with mem.
- exploit load_result; eauto. intro. rewrite H2.
- apply decode_val_inject. apply getN_inj; auto.
+ exploit load_result; eauto. intro. rewrite H2.
+ apply decode_val_inject. apply getN_inj; auto.
rewrite <- size_chunk_conv. exploit load_valid_access; eauto. intros [A B]. auto.
Qed.
@@ -2322,14 +2322,14 @@ Lemma loadbytes_inj:
exists bytes2, loadbytes m2 b2 (ofs + delta) len = Some bytes2
/\ list_forall2 (memval_inject f) bytes1 bytes2.
Proof.
- intros. unfold loadbytes in *.
+ intros. unfold loadbytes in *.
destruct (range_perm_dec m1 b1 ofs (ofs + len) Cur Readable); inv H0.
exists (getN (nat_of_Z len) (ofs + delta) (m2.(mem_contents)#b2)).
- split. apply pred_dec_true.
+ split. apply pred_dec_true.
replace (ofs + delta + len) with ((ofs + len) + delta) by omega.
- eapply range_perm_inj; eauto with mem.
- apply getN_inj; auto.
- destruct (zle 0 len). rewrite nat_of_Z_eq; auto. omega.
+ eapply range_perm_inj; eauto with mem.
+ apply getN_inj; auto.
+ destruct (zle 0 len). rewrite nat_of_Z_eq; auto. omega.
rewrite nat_of_Z_neg. simpl. red; intros; omegaContradiction. omega.
Qed.
@@ -2340,15 +2340,15 @@ Lemma setN_inj:
list_forall2 (memval_inject f) vl1 vl2 ->
forall p c1 c2,
(forall q, access q -> memval_inject f (ZMap.get q c1) (ZMap.get (q + delta) c2)) ->
- (forall q, access q -> memval_inject f (ZMap.get q (setN vl1 p c1))
+ (forall q, access q -> memval_inject f (ZMap.get q (setN vl1 p c1))
(ZMap.get (q + delta) (setN vl2 (p + delta) c2))).
Proof.
- induction 1; intros; simpl.
+ induction 1; intros; simpl.
auto.
replace (p + delta + 1) with ((p + 1) + delta) by omega.
- apply IHlist_forall2; auto.
+ apply IHlist_forall2; auto.
intros. rewrite ZMap.gsspec at 1. destruct (ZIndexed.eq q0 p). subst q0.
- rewrite ZMap.gss. auto.
+ rewrite ZMap.gss. auto.
rewrite ZMap.gso. auto. unfold ZIndexed.t in *. omega.
Qed.
@@ -2375,13 +2375,13 @@ Proof.
intros.
assert (valid_access m2 chunk b2 (ofs + delta) Writable).
eapply valid_access_inj; eauto with mem.
- destruct (valid_access_store _ _ _ _ v2 H4) as [n2 STORE].
+ destruct (valid_access_store _ _ _ _ v2 H4) as [n2 STORE].
exists n2; split. auto.
constructor.
(* perm *)
intros. eapply perm_store_1; [eexact STORE|].
eapply mi_perm; eauto.
- eapply perm_store_2; eauto.
+ eapply perm_store_2; eauto.
(* align *)
intros. eapply mi_align with (ofs := ofs0) (p := p); eauto.
red; intros; eauto with mem.
@@ -2389,25 +2389,25 @@ Proof.
intros.
rewrite (store_mem_contents _ _ _ _ _ _ H0).
rewrite (store_mem_contents _ _ _ _ _ _ STORE).
- rewrite ! PMap.gsspec.
+ rewrite ! PMap.gsspec.
destruct (peq b0 b1). subst b0.
(* block = b1, block = b2 *)
assert (b3 = b2) by congruence. subst b3.
assert (delta0 = delta) by congruence. subst delta0.
rewrite peq_true.
apply setN_inj with (access := fun ofs => perm m1 b1 ofs Cur Readable).
- apply encode_val_inject; auto. intros. eapply mi_memval; eauto. eauto with mem.
+ apply encode_val_inject; auto. intros. eapply mi_memval; eauto. eauto with mem.
destruct (peq b3 b2). subst b3.
(* block <> b1, block = b2 *)
- rewrite setN_other. eapply mi_memval; eauto. eauto with mem.
- rewrite encode_val_length. rewrite <- size_chunk_conv. intros.
+ rewrite setN_other. eapply mi_memval; eauto. eauto with mem.
+ rewrite encode_val_length. rewrite <- size_chunk_conv. intros.
assert (b2 <> b2 \/ ofs0 + delta0 <> (r - delta) + delta).
eapply H1; eauto. eauto 6 with mem.
exploit store_valid_access_3. eexact H0. intros [A B].
eapply perm_implies. apply perm_cur_max. apply A. omega. auto with mem.
destruct H8. congruence. omega.
(* block <> b1, block <> b2 *)
- eapply mi_memval; eauto. eauto with mem.
+ eapply mi_memval; eauto. eauto with mem.
Qed.
Lemma store_unmapped_inj:
@@ -2424,9 +2424,9 @@ Proof.
intros. eapply mi_align with (ofs := ofs0) (p := p); eauto.
red; intros; eauto with mem.
(* mem_contents *)
- intros.
+ intros.
rewrite (store_mem_contents _ _ _ _ _ _ H0).
- rewrite PMap.gso. eapply mi_memval; eauto with mem.
+ rewrite PMap.gso. eapply mi_memval; eauto with mem.
congruence.
Qed.
@@ -2435,7 +2435,7 @@ Lemma store_outside_inj:
mem_inj f m1 m2 ->
(forall b' delta ofs',
f b' = Some(b, delta) ->
- perm m1 b' ofs' Cur Readable ->
+ perm m1 b' ofs' Cur Readable ->
ofs <= ofs' + delta < ofs + size_chunk chunk -> False) ->
store chunk m2 b ofs v = Some m2' ->
mem_inj f m1 m2'.
@@ -2446,14 +2446,14 @@ Proof.
(* access *)
intros; eapply mi_align0; eauto.
(* mem_contents *)
- intros.
+ intros.
rewrite (store_mem_contents _ _ _ _ _ _ H1).
- rewrite PMap.gsspec. destruct (peq b2 b). subst b2.
- rewrite setN_outside. auto.
- rewrite encode_val_length. rewrite <- size_chunk_conv.
+ rewrite PMap.gsspec. destruct (peq b2 b). subst b2.
+ rewrite setN_outside. auto.
+ rewrite encode_val_length. rewrite <- size_chunk_conv.
destruct (zlt (ofs0 + delta) ofs); auto.
- destruct (zle (ofs + size_chunk chunk) (ofs0 + delta)). omega.
- byContradiction. eapply H0; eauto. omega.
+ destruct (zle (ofs + size_chunk chunk) (ofs0 + delta)). omega.
+ byContradiction. eapply H0; eauto. omega.
eauto with mem.
Qed.
@@ -2468,14 +2468,14 @@ Lemma storebytes_mapped_inj:
storebytes m2 b2 (ofs + delta) bytes2 = Some n2
/\ mem_inj f n1 n2.
Proof.
- intros. inversion H.
+ intros. inversion H.
assert (range_perm m2 b2 (ofs + delta) (ofs + delta + Z_of_nat (length bytes2)) Cur Writable).
replace (ofs + delta + Z_of_nat (length bytes2))
with ((ofs + Z_of_nat (length bytes1)) + delta).
- eapply range_perm_inj; eauto with mem.
+ eapply range_perm_inj; eauto with mem.
eapply storebytes_range_perm; eauto.
rewrite (list_forall2_length H3). omega.
- destruct (range_perm_storebytes _ _ _ _ H4) as [n2 STORE].
+ destruct (range_perm_storebytes _ _ _ _ H4) as [n2 STORE].
exists n2; split. eauto.
constructor.
(* perm *)
@@ -2485,10 +2485,10 @@ Proof.
eapply perm_storebytes_2; eauto.
(* align *)
intros. eapply mi_align with (ofs := ofs0) (p := p); eauto.
- red; intros. eapply perm_storebytes_2; eauto.
+ red; intros. eapply perm_storebytes_2; eauto.
(* mem_contents *)
intros.
- assert (perm m1 b0 ofs0 Cur Readable). eapply perm_storebytes_2; eauto.
+ assert (perm m1 b0 ofs0 Cur Readable). eapply perm_storebytes_2; eauto.
rewrite (storebytes_mem_contents _ _ _ _ _ H0).
rewrite (storebytes_mem_contents _ _ _ _ _ STORE).
rewrite ! PMap.gsspec. destruct (peq b0 b1). subst b0.
@@ -2503,8 +2503,8 @@ Proof.
intros.
assert (b2 <> b2 \/ ofs0 + delta0 <> (r - delta) + delta).
eapply H1; eauto 6 with mem.
- exploit storebytes_range_perm. eexact H0.
- instantiate (1 := r - delta).
+ exploit storebytes_range_perm. eexact H0.
+ instantiate (1 := r - delta).
rewrite (list_forall2_length H3). omega.
eauto 6 with mem.
destruct H9. congruence. omega.
@@ -2522,12 +2522,12 @@ Proof.
intros. inversion H.
constructor.
(* perm *)
- intros. eapply mi_perm0; eauto. eapply perm_storebytes_2; eauto.
+ intros. eapply mi_perm0; eauto. eapply perm_storebytes_2; eauto.
(* align *)
intros. eapply mi_align with (ofs := ofs0) (p := p); eauto.
- red; intros. eapply perm_storebytes_2; eauto.
+ red; intros. eapply perm_storebytes_2; eauto.
(* mem_contents *)
- intros.
+ intros.
rewrite (storebytes_mem_contents _ _ _ _ _ H0).
rewrite PMap.gso. eapply mi_memval0; eauto. eapply perm_storebytes_2; eauto.
congruence.
@@ -2538,7 +2538,7 @@ Lemma storebytes_outside_inj:
mem_inj f m1 m2 ->
(forall b' delta ofs',
f b' = Some(b, delta) ->
- perm m1 b' ofs' Cur Readable ->
+ perm m1 b' ofs' Cur Readable ->
ofs <= ofs' + delta < ofs + Z_of_nat (length bytes2) -> False) ->
storebytes m2 b ofs bytes2 = Some m2' ->
mem_inj f m1 m2'.
@@ -2549,13 +2549,13 @@ Proof.
(* align *)
eauto.
(* mem_contents *)
- intros.
+ intros.
rewrite (storebytes_mem_contents _ _ _ _ _ H1).
rewrite PMap.gsspec. destruct (peq b2 b). subst b2.
- rewrite setN_outside. auto.
+ rewrite setN_outside. auto.
destruct (zlt (ofs0 + delta) ofs); auto.
- destruct (zle (ofs + Z_of_nat (length bytes2)) (ofs0 + delta)). omega.
- byContradiction. eapply H0; eauto. omega.
+ destruct (zle (ofs + Z_of_nat (length bytes2)) (ofs0 + delta)). omega.
+ byContradiction. eapply H0; eauto. omega.
eauto with mem.
Qed.
@@ -2566,21 +2566,21 @@ Lemma storebytes_empty_inj:
storebytes m2 b2 ofs2 nil = Some m2' ->
mem_inj f m1' m2'.
Proof.
- intros. destruct H. constructor.
+ intros. destruct H. constructor.
(* perm *)
intros.
- eapply perm_storebytes_1; eauto.
+ eapply perm_storebytes_1; eauto.
eapply mi_perm0; eauto.
eapply perm_storebytes_2; eauto.
(* align *)
intros. eapply mi_align0 with (ofs := ofs) (p := p); eauto.
- red; intros. eapply perm_storebytes_2; eauto.
+ red; intros. eapply perm_storebytes_2; eauto.
(* mem_contents *)
intros.
- assert (perm m1 b0 ofs Cur Readable). eapply perm_storebytes_2; eauto.
+ assert (perm m1 b0 ofs Cur Readable). eapply perm_storebytes_2; eauto.
rewrite (storebytes_mem_contents _ _ _ _ _ H0).
rewrite (storebytes_mem_contents _ _ _ _ _ H1).
- simpl. rewrite ! PMap.gsspec.
+ simpl. rewrite ! PMap.gsspec.
destruct (peq b0 b1); destruct (peq b3 b2); subst; eapply mi_memval0; eauto.
Qed.
@@ -2595,16 +2595,16 @@ Proof.
intros. injection H0. intros NEXT MEM.
inversion H. constructor.
(* perm *)
- intros. eapply perm_alloc_1; eauto.
+ intros. eapply perm_alloc_1; eauto.
(* align *)
eauto.
(* mem_contents *)
intros.
- assert (perm m2 b0 (ofs + delta) Cur Readable).
+ assert (perm m2 b0 (ofs + delta) Cur Readable).
eapply mi_perm0; eauto.
assert (valid_block m2 b0) by eauto with mem.
rewrite <- MEM; simpl. rewrite PMap.gso. eauto with mem.
- rewrite NEXT. eauto with mem.
+ rewrite NEXT. eauto with mem.
Qed.
Lemma alloc_left_unmapped_inj:
@@ -2616,18 +2616,18 @@ Lemma alloc_left_unmapped_inj:
Proof.
intros. inversion H. constructor.
(* perm *)
- intros. exploit perm_alloc_inv; eauto. intros.
- destruct (eq_block b0 b1). congruence. eauto.
+ intros. exploit perm_alloc_inv; eauto. intros.
+ destruct (eq_block b0 b1). congruence. eauto.
(* align *)
intros. eapply mi_align0 with (ofs := ofs) (p := p); eauto.
red; intros. exploit perm_alloc_inv; eauto.
- destruct (eq_block b0 b1); auto. congruence.
+ destruct (eq_block b0 b1); auto. congruence.
(* mem_contents *)
- injection H0; intros NEXT MEM. intros.
+ injection H0; intros NEXT MEM. intros.
rewrite <- MEM; simpl. rewrite NEXT.
exploit perm_alloc_inv; eauto. intros.
rewrite PMap.gsspec. unfold eq_block in H4. destruct (peq b0 b1).
- rewrite ZMap.gi. constructor. eauto.
+ rewrite ZMap.gi. constructor. eauto.
Qed.
Definition inj_offset_aligned (delta: Z) (size: Z) : Prop :=
@@ -2645,9 +2645,9 @@ Lemma alloc_left_mapped_inj:
Proof.
intros. inversion H. constructor.
(* perm *)
- intros.
+ intros.
exploit perm_alloc_inv; eauto. intros. destruct (eq_block b0 b1). subst b0.
- rewrite H4 in H5; inv H5. eauto. eauto.
+ rewrite H4 in H5; inv H5. eauto. eauto.
(* align *)
intros. destruct (eq_block b0 b1).
subst b0. assert (delta0 = delta) by congruence. subst delta0.
@@ -2655,14 +2655,14 @@ Proof.
{ eapply perm_alloc_3; eauto. apply H6. generalize (size_chunk_pos chunk); omega. }
assert (lo <= ofs + size_chunk chunk - 1 < hi).
{ eapply perm_alloc_3; eauto. apply H6. generalize (size_chunk_pos chunk); omega. }
- apply H2. omega.
+ apply H2. omega.
eapply mi_align0 with (ofs := ofs) (p := p); eauto.
- red; intros. eapply perm_alloc_4; eauto.
+ red; intros. eapply perm_alloc_4; eauto.
(* mem_contents *)
- injection H0; intros NEXT MEM.
+ injection H0; intros NEXT MEM.
intros. rewrite <- MEM; simpl. rewrite NEXT.
exploit perm_alloc_inv; eauto. intros.
- rewrite PMap.gsspec. unfold eq_block in H7.
+ rewrite PMap.gsspec. unfold eq_block in H7.
destruct (peq b0 b1). rewrite ZMap.gi. constructor. eauto.
Qed.
@@ -2696,10 +2696,10 @@ Proof.
forall b1 b2 delta ofs k p,
f b1 = Some (b2, delta) ->
perm m1 b1 ofs k p -> perm m2' b2 (ofs + delta) k p).
- intros.
- intros. eapply perm_free_1; eauto.
- destruct (eq_block b2 b); auto. subst b. right.
- assert (~ (lo <= ofs + delta < hi)). red; intros; eapply H1; eauto.
+ intros.
+ intros. eapply perm_free_1; eauto.
+ destruct (eq_block b2 b); auto. subst b. right.
+ assert (~ (lo <= ofs + delta < hi)). red; intros; eapply H1; eauto.
omega.
constructor.
(* perm *)
@@ -2707,7 +2707,7 @@ Proof.
(* align *)
eapply mi_align0; eauto.
(* mem_contents *)
- intros. rewrite FREE; simpl. eauto.
+ intros. rewrite FREE; simpl. eauto.
Qed.
(** Preservation of [drop_perm] operations. *)
@@ -2719,16 +2719,16 @@ Lemma drop_unmapped_inj:
f b = None ->
mem_inj f m1' m2.
Proof.
- intros. inv H. constructor.
+ intros. inv H. constructor.
(* perm *)
- intros. eapply mi_perm0; eauto. eapply perm_drop_4; eauto.
+ intros. eapply mi_perm0; eauto. eapply perm_drop_4; eauto.
(* align *)
intros. eapply mi_align0 with (ofs := ofs) (p := p0); eauto.
red; intros; eapply perm_drop_4; eauto.
(* contents *)
intros.
replace (ZMap.get ofs m1'.(mem_contents)#b1) with (ZMap.get ofs m1.(mem_contents)#b1).
- apply mi_memval0; auto. eapply perm_drop_4; eauto.
+ apply mi_memval0; auto. eapply perm_drop_4; eauto.
unfold drop_perm in H0; destruct (range_perm_dec m1 b lo hi Cur Freeable); inv H0; auto.
Qed.
@@ -2742,26 +2742,26 @@ Lemma drop_mapped_inj:
drop_perm m2 b2 (lo + delta) (hi + delta) p = Some m2'
/\ mem_inj f m1' m2'.
Proof.
- intros.
+ intros.
assert ({ m2' | drop_perm m2 b2 (lo + delta) (hi + delta) p = Some m2' }).
- apply range_perm_drop_2. red; intros.
+ apply range_perm_drop_2. red; intros.
replace ofs with ((ofs - delta) + delta) by omega.
- eapply perm_inj; eauto. eapply range_perm_drop_1; eauto. omega.
+ eapply perm_inj; eauto. eapply range_perm_drop_1; eauto. omega.
destruct X as [m2' DROP]. exists m2'; split; auto.
inv H.
constructor.
(* perm *)
- intros.
+ intros.
assert (perm m2 b3 (ofs + delta0) k p0).
- eapply mi_perm0; eauto. eapply perm_drop_4; eauto.
+ eapply mi_perm0; eauto. eapply perm_drop_4; eauto.
destruct (eq_block b1 b0).
(* b1 = b0 *)
subst b0. rewrite H2 in H; inv H.
destruct (zlt (ofs + delta0) (lo + delta0)). eapply perm_drop_3; eauto.
destruct (zle (hi + delta0) (ofs + delta0)). eapply perm_drop_3; eauto.
assert (perm_order p p0).
- eapply perm_drop_2. eexact H0. instantiate (1 := ofs). omega. eauto.
- apply perm_implies with p; auto.
+ eapply perm_drop_2. eexact H0. instantiate (1 := ofs). omega. eauto.
+ apply perm_implies with p; auto.
eapply perm_drop_1. eauto. omega.
(* b1 <> b0 *)
eapply perm_drop_3; eauto.
@@ -2769,10 +2769,10 @@ Proof.
destruct (zlt (ofs + delta0) (lo + delta)); auto.
destruct (zle (hi + delta) (ofs + delta0)); auto.
exploit H1; eauto.
- instantiate (1 := ofs + delta0 - delta).
+ instantiate (1 := ofs + delta0 - delta).
apply perm_cur_max. apply perm_implies with Freeable.
- eapply range_perm_drop_1; eauto. omega. auto with mem.
- eapply perm_drop_4; eauto. eapply perm_max. apply perm_implies with p0. eauto.
+ eapply range_perm_drop_1; eauto. omega. auto with mem.
+ eapply perm_drop_4; eauto. eapply perm_max. apply perm_implies with p0. eauto.
eauto with mem.
intuition.
(* align *)
@@ -2782,31 +2782,31 @@ Proof.
intros.
replace (m1'.(mem_contents)#b0) with (m1.(mem_contents)#b0).
replace (m2'.(mem_contents)#b3) with (m2.(mem_contents)#b3).
- apply mi_memval0; auto. eapply perm_drop_4; eauto.
+ apply mi_memval0; auto. eapply perm_drop_4; eauto.
unfold drop_perm in DROP; destruct (range_perm_dec m2 b2 (lo + delta) (hi + delta) Cur Freeable); inv DROP; auto.
unfold drop_perm in H0; destruct (range_perm_dec m1 b1 lo hi Cur Freeable); inv H0; auto.
Qed.
Lemma drop_outside_inj: forall f m1 m2 b lo hi p m2',
- mem_inj f m1 m2 ->
- drop_perm m2 b lo hi p = Some m2' ->
+ mem_inj f m1 m2 ->
+ drop_perm m2 b lo hi p = Some m2' ->
(forall b' delta ofs' k p,
f b' = Some(b, delta) ->
- perm m1 b' ofs' k p ->
+ perm m1 b' ofs' k p ->
lo <= ofs' + delta < hi -> False) ->
mem_inj f m1 m2'.
Proof.
intros. inv H. constructor.
(* perm *)
- intros. eapply perm_drop_3; eauto.
- destruct (eq_block b2 b); auto. subst b2. right.
+ intros. eapply perm_drop_3; eauto.
+ destruct (eq_block b2 b); auto. subst b2. right.
destruct (zlt (ofs + delta) lo); auto.
destruct (zle hi (ofs + delta)); auto.
byContradiction. exploit H1; eauto. omega.
(* align *)
eapply mi_align0; eauto.
(* contents *)
- intros.
+ intros.
replace (m2'.(mem_contents)#b2) with (m2.(mem_contents)#b2).
apply mi_memval0; auto.
unfold drop_perm in H0; destruct (range_perm_dec m2 b lo hi Cur Freeable); inv H0; auto.
@@ -2833,8 +2833,8 @@ Theorem extends_refl:
Proof.
intros. constructor. auto. constructor.
intros. unfold inject_id in H; inv H. replace (ofs + 0) with ofs by omega. auto.
- intros. unfold inject_id in H; inv H. apply Z.divide_0_r.
- intros. unfold inject_id in H; inv H. replace (ofs + 0) with ofs by omega.
+ intros. unfold inject_id in H; inv H. apply Z.divide_0_r.
+ intros. unfold inject_id in H; inv H. replace (ofs + 0) with ofs by omega.
apply memval_lessdef_refl.
Qed.
@@ -2844,7 +2844,7 @@ Theorem load_extends:
load chunk m1 b ofs = Some v1 ->
exists v2, load chunk m2 b ofs = Some v2 /\ Val.lessdef v1 v2.
Proof.
- intros. inv H. exploit load_inj; eauto. unfold inject_id; reflexivity.
+ intros. inv H. exploit load_inj; eauto. unfold inject_id; reflexivity.
intros [v2 [A B]]. exists v2; split.
replace (ofs + 0) with ofs in A by omega. auto.
rewrite val_inject_id in B. auto.
@@ -2857,8 +2857,8 @@ Theorem loadv_extends:
Val.lessdef addr1 addr2 ->
exists v2, loadv chunk m2 addr2 = Some v2 /\ Val.lessdef v1 v2.
Proof.
- unfold loadv; intros. inv H1.
- destruct addr2; try congruence. eapply load_extends; eauto.
+ unfold loadv; intros. inv H1.
+ destruct addr2; try congruence. eapply load_extends; eauto.
congruence.
Qed.
@@ -2870,7 +2870,7 @@ Theorem loadbytes_extends:
/\ list_forall2 memval_lessdef bytes1 bytes2.
Proof.
intros. inv H.
- replace ofs with (ofs + 0) by omega. eapply loadbytes_inj; eauto.
+ replace ofs with (ofs + 0) by omega. eapply loadbytes_inj; eauto.
Qed.
Theorem store_within_extends:
@@ -2883,7 +2883,7 @@ Theorem store_within_extends:
/\ extends m1' m2'.
Proof.
intros. inversion H.
- exploit store_mapped_inj; eauto.
+ exploit store_mapped_inj; eauto.
unfold inject_id; red; intros. inv H3; inv H4. auto.
unfold inject_id; reflexivity.
rewrite val_inject_id. eauto.
@@ -2906,7 +2906,7 @@ Proof.
intros. inversion H. constructor.
rewrite (nextblock_store _ _ _ _ _ _ H0). auto.
eapply store_outside_inj; eauto.
- unfold inject_id; intros. inv H2. eapply H1; eauto. omega.
+ unfold inject_id; intros. inv H2. eapply H1; eauto. omega.
Qed.
Theorem storev_extends:
@@ -2919,8 +2919,8 @@ Theorem storev_extends:
storev chunk m2 addr2 v2 = Some m2'
/\ extends m1' m2'.
Proof.
- unfold storev; intros. inv H1.
- destruct addr2; try congruence. eapply store_within_extends; eauto.
+ unfold storev; intros. inv H1.
+ destruct addr2; try congruence. eapply store_within_extends; eauto.
congruence.
Qed.
@@ -2934,7 +2934,7 @@ Theorem storebytes_within_extends:
/\ extends m1' m2'.
Proof.
intros. inversion H.
- exploit storebytes_mapped_inj; eauto.
+ exploit storebytes_mapped_inj; eauto.
unfold inject_id; red; intros. inv H3; inv H4. auto.
unfold inject_id; reflexivity.
intros [m2' [A B]].
@@ -2956,7 +2956,7 @@ Proof.
intros. inversion H. constructor.
rewrite (nextblock_storebytes _ _ _ _ _ H0). auto.
eapply storebytes_outside_inj; eauto.
- unfold inject_id; intros. inv H2. eapply H1; eauto. omega.
+ unfold inject_id; intros. inv H2. eapply H1; eauto. omega.
Qed.
Theorem alloc_extends:
@@ -2968,17 +2968,17 @@ Theorem alloc_extends:
alloc m2 lo2 hi2 = (m2', b)
/\ extends m1' m2'.
Proof.
- intros. inv H.
- case_eq (alloc m2 lo2 hi2); intros m2' b' ALLOC.
+ intros. inv H.
+ case_eq (alloc m2 lo2 hi2); intros m2' b' ALLOC.
assert (b' = b).
- rewrite (alloc_result _ _ _ _ _ H0).
+ rewrite (alloc_result _ _ _ _ _ H0).
rewrite (alloc_result _ _ _ _ _ ALLOC).
auto.
subst b'.
exists m2'; split; auto.
- constructor.
+ constructor.
rewrite (nextblock_alloc _ _ _ _ _ H0).
- rewrite (nextblock_alloc _ _ _ _ _ ALLOC).
+ rewrite (nextblock_alloc _ _ _ _ _ ALLOC).
congruence.
eapply alloc_left_mapped_inj with (m1 := m1) (m2 := m2') (b2 := b) (delta := 0); eauto.
eapply alloc_right_inj; eauto.
@@ -3012,7 +3012,7 @@ Proof.
rewrite (nextblock_free _ _ _ _ _ H0). auto.
eapply free_right_inj; eauto.
unfold inject_id; intros. inv H. eapply H1; eauto. omega.
-Qed.
+Qed.
Theorem free_parallel_extends:
forall m1 m2 b lo hi m1',
@@ -3022,9 +3022,9 @@ Theorem free_parallel_extends:
free m2 b lo hi = Some m2'
/\ extends m1' m2'.
Proof.
- intros. inversion H.
+ intros. inversion H.
assert ({ m2': mem | free m2 b lo hi = Some m2' }).
- apply range_perm_free. red; intros.
+ apply range_perm_free. red; intros.
replace ofs with (ofs + 0) by omega.
eapply perm_inj with (b1 := b); eauto.
eapply free_range_perm; eauto.
@@ -3032,10 +3032,10 @@ Proof.
inv H. constructor.
rewrite (nextblock_free _ _ _ _ _ H0).
rewrite (nextblock_free _ _ _ _ _ FREE). auto.
- eapply free_right_inj with (m1 := m1'); eauto.
- eapply free_left_inj; eauto.
+ eapply free_right_inj with (m1 := m1'); eauto.
+ eapply free_left_inj; eauto.
unfold inject_id; intros. inv H.
- eapply perm_free_2. eexact H0. instantiate (1 := ofs); omega. eauto.
+ eapply perm_free_2. eexact H0. instantiate (1 := ofs); omega. eauto.
Qed.
Theorem valid_block_extends:
@@ -3043,31 +3043,31 @@ Theorem valid_block_extends:
extends m1 m2 ->
(valid_block m1 b <-> valid_block m2 b).
Proof.
- intros. inv H. unfold valid_block. rewrite mext_next0. tauto.
+ intros. inv H. unfold valid_block. rewrite mext_next0. tauto.
Qed.
Theorem perm_extends:
forall m1 m2 b ofs k p,
extends m1 m2 -> perm m1 b ofs k p -> perm m2 b ofs k p.
Proof.
- intros. inv H. replace ofs with (ofs + 0) by omega.
- eapply perm_inj; eauto.
+ intros. inv H. replace ofs with (ofs + 0) by omega.
+ eapply perm_inj; eauto.
Qed.
Theorem valid_access_extends:
forall m1 m2 chunk b ofs p,
extends m1 m2 -> valid_access m1 chunk b ofs p -> valid_access m2 chunk b ofs p.
Proof.
- intros. inv H. replace ofs with (ofs + 0) by omega.
- eapply valid_access_inj; eauto. auto.
+ intros. inv H. replace ofs with (ofs + 0) by omega.
+ eapply valid_access_inj; eauto. auto.
Qed.
Theorem valid_pointer_extends:
forall m1 m2 b ofs,
extends m1 m2 -> valid_pointer m1 b ofs = true -> valid_pointer m2 b ofs = true.
Proof.
- intros.
- rewrite valid_pointer_valid_access in *.
+ intros.
+ rewrite valid_pointer_valid_access in *.
eapply valid_access_extends; eauto.
Qed.
@@ -3124,7 +3124,7 @@ Theorem valid_block_inject_1:
inject f m1 m2 ->
valid_block m1 b1.
Proof.
- intros. inv H. destruct (plt b1 (nextblock m1)). auto.
+ intros. inv H. destruct (plt b1 (nextblock m1)). auto.
assert (f b1 = None). eapply mi_freeblocks; eauto. congruence.
Qed.
@@ -3134,7 +3134,7 @@ Theorem valid_block_inject_2:
inject f m1 m2 ->
valid_block m2 b2.
Proof.
- intros. eapply mi_mappedblocks; eauto.
+ intros. eapply mi_mappedblocks; eauto.
Qed.
Local Hint Resolve valid_block_inject_1 valid_block_inject_2: mem.
@@ -3145,7 +3145,7 @@ Theorem perm_inject:
inject f m1 m2 ->
perm m1 b1 ofs k p -> perm m2 b2 (ofs + delta) k p.
Proof.
- intros. inv H0. eapply perm_inj; eauto.
+ intros. inv H0. eapply perm_inj; eauto.
Qed.
Theorem range_perm_inject:
@@ -3164,7 +3164,7 @@ Theorem valid_access_inject:
valid_access m1 chunk b1 ofs p ->
valid_access m2 chunk b2 (ofs + delta) p.
Proof.
- intros. eapply valid_access_inj; eauto. apply mi_inj; auto.
+ intros. eapply valid_access_inj; eauto. apply mi_inj; auto.
Qed.
Theorem valid_pointer_inject:
@@ -3174,7 +3174,7 @@ Theorem valid_pointer_inject:
valid_pointer m1 b1 ofs = true ->
valid_pointer m2 b2 (ofs + delta) = true.
Proof.
- intros.
+ intros.
rewrite valid_pointer_valid_access in H1.
rewrite valid_pointer_valid_access.
eapply valid_access_inject; eauto.
@@ -3217,8 +3217,8 @@ Lemma address_inject':
f b1 = Some (b2, delta) ->
Int.unsigned (Int.add ofs1 (Int.repr delta)) = Int.unsigned ofs1 + delta.
Proof.
- intros. destruct H0. eapply address_inject; eauto.
- apply H0. generalize (size_chunk_pos chunk). omega.
+ intros. destruct H0. eapply address_inject; eauto.
+ apply H0. generalize (size_chunk_pos chunk). omega.
Qed.
Theorem weak_valid_pointer_inject_no_overflow:
@@ -3228,7 +3228,7 @@ Theorem weak_valid_pointer_inject_no_overflow:
f b = Some(b', delta) ->
0 <= Int.unsigned ofs + Int.unsigned (Int.repr delta) <= Int.max_unsigned.
Proof.
- intros. rewrite weak_valid_pointer_spec in H0.
+ intros. rewrite weak_valid_pointer_spec in H0.
rewrite ! valid_pointer_nonempty_perm in H0.
exploit mi_representable; eauto. destruct H0; eauto with mem.
intros [A B].
@@ -3254,7 +3254,7 @@ Theorem valid_pointer_inject_val:
valid_pointer m2 b' (Int.unsigned ofs') = true.
Proof.
intros. inv H1.
- erewrite address_inject'; eauto.
+ erewrite address_inject'; eauto.
eapply valid_pointer_inject; eauto.
rewrite valid_pointer_valid_access in H0. eauto.
Qed.
@@ -3268,9 +3268,9 @@ Theorem weak_valid_pointer_inject_val:
Proof.
intros. inv H1.
exploit weak_valid_pointer_inject; eauto. intros W.
- rewrite weak_valid_pointer_spec in H0.
+ rewrite weak_valid_pointer_spec in H0.
rewrite ! valid_pointer_nonempty_perm in H0.
- exploit mi_representable; eauto. destruct H0; eauto with mem.
+ exploit mi_representable; eauto. destruct H0; eauto with mem.
intros [A B].
pose proof (Int.unsigned_range ofs).
unfold Int.add. repeat rewrite Int.unsigned_repr; auto; omega.
@@ -3301,11 +3301,11 @@ Theorem different_pointers_inject:
Int.unsigned (Int.add ofs1 (Int.repr delta1)) <>
Int.unsigned (Int.add ofs2 (Int.repr delta2)).
Proof.
- intros.
- rewrite valid_pointer_valid_access in H1.
- rewrite valid_pointer_valid_access in H2.
- rewrite (address_inject' _ _ _ _ _ _ _ _ H H1 H3).
- rewrite (address_inject' _ _ _ _ _ _ _ _ H H2 H4).
+ intros.
+ rewrite valid_pointer_valid_access in H1.
+ rewrite valid_pointer_valid_access in H2.
+ rewrite (address_inject' _ _ _ _ _ _ _ _ H H1 H3).
+ rewrite (address_inject' _ _ _ _ _ _ _ _ H H2 H4).
inv H1. simpl in H5. inv H2. simpl in H1.
eapply mi_no_overlap; eauto.
apply perm_cur_max. apply (H5 (Int.unsigned ofs1)). omega.
@@ -3324,23 +3324,23 @@ Theorem disjoint_or_equal_inject:
sz > 0 ->
b1 <> b2 \/ ofs1 = ofs2 \/ ofs1 + sz <= ofs2 \/ ofs2 + sz <= ofs1 ->
b1' <> b2' \/ ofs1 + delta1 = ofs2 + delta2
- \/ ofs1 + delta1 + sz <= ofs2 + delta2
+ \/ ofs1 + delta1 + sz <= ofs2 + delta2
\/ ofs2 + delta2 + sz <= ofs1 + delta1.
Proof.
- intros.
+ intros.
destruct (eq_block b1 b2).
assert (b1' = b2') by congruence. assert (delta1 = delta2) by congruence. subst.
destruct H5. congruence. right. destruct H5. left; congruence. right. omega.
- destruct (eq_block b1' b2'); auto. subst. right. right.
+ destruct (eq_block b1' b2'); auto. subst. right. right.
set (i1 := (ofs1 + delta1, ofs1 + delta1 + sz)).
set (i2 := (ofs2 + delta2, ofs2 + delta2 + sz)).
change (snd i1 <= fst i2 \/ snd i2 <= fst i1).
apply Intv.range_disjoint'; simpl; try omega.
- unfold Intv.disjoint, Intv.In; simpl; intros. red; intros.
- exploit mi_no_overlap; eauto.
+ unfold Intv.disjoint, Intv.In; simpl; intros. red; intros.
+ exploit mi_no_overlap; eauto.
instantiate (1 := x - delta1). apply H2. omega.
instantiate (1 := x - delta2). apply H3. omega.
- intuition.
+ intuition.
Qed.
Theorem aligned_area_inject:
@@ -3353,7 +3353,7 @@ Theorem aligned_area_inject:
f b = Some(b', delta) ->
(al | ofs + delta).
Proof.
- intros.
+ intros.
assert (P: al > 0) by omega.
assert (Q: Zabs al <= Zabs sz). apply Zdivide_bounds; auto. omega.
rewrite Zabs_eq in Q; try omega. rewrite Zabs_eq in Q; try omega.
@@ -3365,7 +3365,7 @@ Proof.
destruct R as [chunk [A B]].
assert (valid_access m chunk b ofs Nonempty).
split. red; intros; apply H3. omega. congruence.
- exploit valid_access_inject; eauto. intros [C D].
+ exploit valid_access_inject; eauto. intros [C D].
congruence.
Qed.
@@ -3378,7 +3378,7 @@ Theorem load_inject:
f b1 = Some (b2, delta) ->
exists v2, load chunk m2 b2 (ofs + delta) = Some v2 /\ Val.inject f v1 v2.
Proof.
- intros. inv H. eapply load_inj; eauto.
+ intros. inv H. eapply load_inj; eauto.
Qed.
Theorem loadv_inject:
@@ -3390,7 +3390,7 @@ Theorem loadv_inject:
Proof.
intros. inv H1; simpl in H0; try discriminate.
exploit load_inject; eauto. intros [v2 [LOAD INJ]].
- exists v2; split; auto. unfold loadv.
+ exists v2; split; auto. unfold loadv.
replace (Int.unsigned (Int.add ofs1 (Int.repr delta)))
with (Int.unsigned ofs1 + delta).
auto. symmetry. eapply address_inject'; eauto with mem.
@@ -3404,7 +3404,7 @@ Theorem loadbytes_inject:
exists bytes2, loadbytes m2 b2 (ofs + delta) len = Some bytes2
/\ list_forall2 (memval_inject f) bytes1 bytes2.
Proof.
- intros. inv H. eapply loadbytes_inj; eauto.
+ intros. inv H. eapply loadbytes_inj; eauto.
Qed.
(** Preservation of stores *)
@@ -3425,7 +3425,7 @@ Proof.
(* inj *)
auto.
(* freeblocks *)
- eauto with mem.
+ eauto with mem.
(* mappedblocks *)
eauto with mem.
(* no overlap *)
@@ -3447,7 +3447,7 @@ Proof.
(* inj *)
eapply store_unmapped_inj; eauto.
(* freeblocks *)
- eauto with mem.
+ eauto with mem.
(* mappedblocks *)
eauto with mem.
(* no overlap *)
@@ -3515,12 +3515,12 @@ Proof.
(* freeblocks *)
intros. apply mi_freeblocks0. red; intros; elim H3; eapply storebytes_valid_block_1; eauto.
(* mappedblocks *)
- intros. eapply storebytes_valid_block_1; eauto.
+ intros. eapply storebytes_valid_block_1; eauto.
(* no overlap *)
- red; intros. eapply mi_no_overlap0; eauto; eapply perm_storebytes_2; eauto.
+ red; intros. eapply mi_no_overlap0; eauto; eapply perm_storebytes_2; eauto.
(* representable *)
intros. eapply mi_representable0; eauto.
- destruct H4; eauto using perm_storebytes_2.
+ destruct H4; eauto using perm_storebytes_2.
Qed.
Theorem storebytes_unmapped_inject:
@@ -3539,7 +3539,7 @@ Proof.
(* mappedblocks *)
eauto with mem.
(* no overlap *)
- red; intros. eapply mi_no_overlap0; eauto; eapply perm_storebytes_2; eauto.
+ red; intros. eapply mi_no_overlap0; eauto; eapply perm_storebytes_2; eauto.
(* representable *)
intros. eapply mi_representable0; eauto.
destruct H3; eauto using perm_storebytes_2.
@@ -3561,7 +3561,7 @@ Proof.
(* freeblocks *)
auto.
(* mappedblocks *)
- intros. eapply storebytes_valid_block_1; eauto.
+ intros. eapply storebytes_valid_block_1; eauto.
(* no overlap *)
auto.
(* representable *)
@@ -3581,12 +3581,12 @@ Proof.
(* freeblocks *)
intros. apply mi_freeblocks0. red; intros; elim H2; eapply storebytes_valid_block_1; eauto.
(* mappedblocks *)
- intros. eapply storebytes_valid_block_1; eauto.
+ intros. eapply storebytes_valid_block_1; eauto.
(* no overlap *)
- red; intros. eapply mi_no_overlap0; eauto; eapply perm_storebytes_2; eauto.
+ red; intros. eapply mi_no_overlap0; eauto; eapply perm_storebytes_2; eauto.
(* representable *)
intros. eapply mi_representable0; eauto.
- destruct H3; eauto using perm_storebytes_2.
+ destruct H3; eauto using perm_storebytes_2.
Qed.
(* Preservation of allocations *)
@@ -3631,31 +3631,31 @@ Proof.
inversion mi_inj0; constructor; eauto with mem.
unfold f'; intros. destruct (eq_block b0 b1). congruence. eauto.
unfold f'; intros. destruct (eq_block b0 b1). congruence. eauto.
- unfold f'; intros. destruct (eq_block b0 b1). congruence.
- apply memval_inject_incr with f; auto.
+ unfold f'; intros. destruct (eq_block b0 b1). congruence.
+ apply memval_inject_incr with f; auto.
exists f'; split. constructor.
(* inj *)
- eapply alloc_left_unmapped_inj; eauto. unfold f'; apply dec_eq_true.
+ eapply alloc_left_unmapped_inj; eauto. unfold f'; apply dec_eq_true.
(* freeblocks *)
- intros. unfold f'. destruct (eq_block b b1). auto.
- apply mi_freeblocks0. red; intro; elim H3. eauto with mem.
+ intros. unfold f'. destruct (eq_block b b1). auto.
+ apply mi_freeblocks0. red; intro; elim H3. eauto with mem.
(* mappedblocks *)
- unfold f'; intros. destruct (eq_block b b1). congruence. eauto.
+ unfold f'; intros. destruct (eq_block b b1). congruence. eauto.
(* no overlap *)
unfold f'; red; intros.
destruct (eq_block b0 b1); destruct (eq_block b2 b1); try congruence.
eapply mi_no_overlap0. eexact H3. eauto. eauto.
- exploit perm_alloc_inv. eauto. eexact H6. rewrite dec_eq_false; auto.
- exploit perm_alloc_inv. eauto. eexact H7. rewrite dec_eq_false; auto.
+ exploit perm_alloc_inv. eauto. eexact H6. rewrite dec_eq_false; auto.
+ exploit perm_alloc_inv. eauto. eexact H7. rewrite dec_eq_false; auto.
(* representable *)
unfold f'; intros.
destruct (eq_block b b1); try discriminate.
eapply mi_representable0; try eassumption.
destruct H4; eauto using perm_alloc_4.
(* incr *)
- split. auto.
+ split. auto.
(* image *)
- split. unfold f'; apply dec_eq_true.
+ split. unfold f'; apply dec_eq_true.
(* incr *)
intros; unfold f'; apply dec_eq_false; auto.
Qed.
@@ -3670,7 +3670,7 @@ Theorem alloc_left_mapped_inject:
(forall ofs k p, lo <= ofs < hi -> perm m2 b2 (ofs + delta) k p) ->
inj_offset_aligned delta (hi-lo) ->
(forall b delta' ofs k p,
- f b = Some (b2, delta') ->
+ f b = Some (b2, delta') ->
perm m1 b ofs k p ->
lo + delta <= ofs + delta' < hi + delta -> False) ->
exists f',
@@ -3688,7 +3688,7 @@ Proof.
assert (mem_inj f' m1 m2).
inversion mi_inj0; constructor; eauto with mem.
unfold f'; intros. destruct (eq_block b0 b1).
- inversion H8. subst b0 b3 delta0.
+ inversion H8. subst b0 b3 delta0.
elim (fresh_block_alloc _ _ _ _ _ H0). eauto with mem.
eauto.
unfold f'; intros. destruct (eq_block b0 b1).
@@ -3697,14 +3697,14 @@ Proof.
eapply perm_valid_block with (ofs := ofs). apply H9. generalize (size_chunk_pos chunk); omega.
eauto.
unfold f'; intros. destruct (eq_block b0 b1).
- inversion H8. subst b0 b3 delta0.
+ inversion H8. subst b0 b3 delta0.
elim (fresh_block_alloc _ _ _ _ _ H0). eauto with mem.
- apply memval_inject_incr with f; auto.
+ apply memval_inject_incr with f; auto.
exists f'. split. constructor.
(* inj *)
- eapply alloc_left_mapped_inj; eauto. unfold f'; apply dec_eq_true.
+ eapply alloc_left_mapped_inj; eauto. unfold f'; apply dec_eq_true.
(* freeblocks *)
- unfold f'; intros. destruct (eq_block b b1). subst b.
+ unfold f'; intros. destruct (eq_block b b1). subst b.
elim H9. eauto with mem.
eauto with mem.
(* mappedblocks *)
@@ -3715,10 +3715,10 @@ Proof.
exploit perm_alloc_inv. eauto. eexact H13. intros P2.
destruct (eq_block b0 b1); destruct (eq_block b3 b1).
congruence.
- inversion H10; subst b0 b1' delta1.
+ inversion H10; subst b0 b1' delta1.
destruct (eq_block b2 b2'); auto. subst b2'. right; red; intros.
eapply H6; eauto. omega.
- inversion H11; subst b3 b2' delta2.
+ inversion H11; subst b3 b2' delta2.
destruct (eq_block b1' b2); auto. subst b1'. right; red; intros.
eapply H6; eauto. omega.
eauto.
@@ -3737,9 +3737,9 @@ Proof.
(* incr *)
split. auto.
(* image of b1 *)
- split. unfold f'; apply dec_eq_true.
+ split. unfold f'; apply dec_eq_true.
(* image of others *)
- intros. unfold f'; apply dec_eq_false; auto.
+ intros. unfold f'; apply dec_eq_false; auto.
Qed.
Theorem alloc_parallel_inject:
@@ -3756,7 +3756,7 @@ Theorem alloc_parallel_inject:
Proof.
intros.
case_eq (alloc m2 lo2 hi2). intros m2' b2 ALLOC.
- exploit alloc_left_mapped_inject.
+ exploit alloc_left_mapped_inject.
eapply alloc_right_inject; eauto.
eauto.
instantiate (1 := b2). eauto with mem.
@@ -3786,7 +3786,7 @@ Proof.
(* mappedblocks *)
auto.
(* no overlap *)
- red; intros. eauto with mem.
+ red; intros. eauto with mem.
(* representable *)
intros. eapply mi_representable0; try eassumption.
destruct H2; eauto with mem.
@@ -3798,7 +3798,7 @@ Lemma free_list_left_inject:
free_list m1 l = Some m1' ->
inject f m1' m2.
Proof.
- induction l; simpl; intros.
+ induction l; simpl; intros.
inv H0. auto.
destruct a as [[b lo] hi].
destruct (free m1 b lo hi) as [m11|] eqn:E; try discriminate.
@@ -3831,11 +3831,11 @@ Lemma perm_free_list:
forall l m m' b ofs k p,
free_list m l = Some m' ->
perm m' b ofs k p ->
- perm m b ofs k p /\
+ perm m b ofs k p /\
(forall lo hi, In (b, lo, hi) l -> lo <= ofs < hi -> False).
Proof.
induction l; simpl; intros.
- inv H. auto.
+ inv H. auto.
destruct a as [[b1 lo1] hi1].
destruct (free m b1 lo1 hi1) as [m1|] eqn:E; try discriminate.
exploit IHl; eauto. intros [A B].
@@ -3851,13 +3851,13 @@ Theorem free_inject:
free_list m1 l = Some m1' ->
free m2 b lo hi = Some m2' ->
(forall b1 delta ofs k p,
- f b1 = Some(b, delta) ->
+ f b1 = Some(b, delta) ->
perm m1 b1 ofs k p -> lo <= ofs + delta < hi ->
exists lo1, exists hi1, In (b1, lo1, hi1) l /\ lo1 <= ofs < hi1) ->
inject f m1' m2'.
Proof.
- intros.
- eapply free_right_inject; eauto.
+ intros.
+ eapply free_right_inject; eauto.
eapply free_list_left_inject; eauto.
intros. exploit perm_free_list; eauto. intros [A B].
exploit H2; eauto. intros [lo1 [hi1 [C D]]]. eauto.
@@ -3872,26 +3872,26 @@ Theorem free_parallel_inject:
free m2 b' (lo + delta) (hi + delta) = Some m2'
/\ inject f m1' m2'.
Proof.
- intros.
+ intros.
destruct (range_perm_free m2 b' (lo + delta) (hi + delta)) as [m2' FREE].
eapply range_perm_inject; eauto. eapply free_range_perm; eauto.
exists m2'; split; auto.
- eapply free_inject with (m1 := m1) (l := (b,lo,hi)::nil); eauto.
+ eapply free_inject with (m1 := m1) (l := (b,lo,hi)::nil); eauto.
simpl; rewrite H0; auto.
intros. destruct (eq_block b1 b).
- subst b1. rewrite H1 in H2; inv H2.
+ subst b1. rewrite H1 in H2; inv H2.
exists lo, hi; split; auto with coqlib. omega.
exploit mi_no_overlap. eexact H. eexact n. eauto. eauto.
- eapply perm_max. eapply perm_implies. eauto. auto with mem.
- instantiate (1 := ofs + delta0 - delta).
- apply perm_cur_max. apply perm_implies with Freeable; auto with mem.
+ eapply perm_max. eapply perm_implies. eauto. auto with mem.
+ instantiate (1 := ofs + delta0 - delta).
+ apply perm_cur_max. apply perm_implies with Freeable; auto with mem.
eapply free_range_perm; eauto. omega.
intros [A|A]. congruence. omega.
Qed.
Lemma drop_outside_inject: forall f m1 m2 b lo hi p m2',
- inject f m1 m2 ->
- drop_perm m2 b lo hi p = Some m2' ->
+ inject f m1 m2 ->
+ drop_perm m2 b lo hi p = Some m2' ->
(forall b' delta ofs k p,
f b' = Some(b, delta) ->
perm m1 b' ofs k p -> lo <= ofs + delta < hi -> False) ->
@@ -3899,7 +3899,7 @@ Lemma drop_outside_inject: forall f m1 m2 b lo hi p m2',
Proof.
intros. destruct H. constructor; eauto.
eapply drop_outside_inj; eauto.
- intros. unfold valid_block in *. erewrite nextblock_drop; eauto.
+ intros. unfold valid_block in *. erewrite nextblock_drop; eauto.
Qed.
(** Composing two memory injections. *)
@@ -3911,23 +3911,23 @@ Proof.
intros. unfold compose_meminj. inv H; inv H0; constructor; intros.
(* perm *)
destruct (f b1) as [[b' delta'] |] eqn:?; try discriminate.
- destruct (f' b') as [[b'' delta''] |] eqn:?; inv H.
+ destruct (f' b') as [[b'' delta''] |] eqn:?; inv H.
replace (ofs + (delta' + delta'')) with ((ofs + delta') + delta'') by omega.
eauto.
(* align *)
destruct (f b1) as [[b' delta'] |] eqn:?; try discriminate.
- destruct (f' b') as [[b'' delta''] |] eqn:?; inv H.
+ destruct (f' b') as [[b'' delta''] |] eqn:?; inv H.
apply Z.divide_add_r.
eapply mi_align0; eauto.
eapply mi_align1 with (ofs := ofs + delta') (p := p); eauto.
red; intros. replace ofs0 with ((ofs0 - delta') + delta') by omega.
- eapply mi_perm0; eauto. apply H0. omega.
+ eapply mi_perm0; eauto. apply H0. omega.
(* memval *)
destruct (f b1) as [[b' delta'] |] eqn:?; try discriminate.
- destruct (f' b') as [[b'' delta''] |] eqn:?; inv H.
+ destruct (f' b') as [[b'' delta''] |] eqn:?; inv H.
replace (ofs + (delta' + delta'')) with ((ofs + delta') + delta'') by omega.
eapply memval_inject_compose; eauto.
-Qed.
+Qed.
Theorem inject_compose:
forall f f' m1 m2 m3,
@@ -3937,35 +3937,35 @@ Proof.
unfold compose_meminj; intros.
inv H; inv H0. constructor.
(* inj *)
- eapply mem_inj_compose; eauto.
+ eapply mem_inj_compose; eauto.
(* unmapped *)
- intros. erewrite mi_freeblocks0; eauto.
+ intros. erewrite mi_freeblocks0; eauto.
(* mapped *)
- intros.
+ intros.
destruct (f b) as [[b1 delta1] |] eqn:?; try discriminate.
- destruct (f' b1) as [[b2 delta2] |] eqn:?; inv H.
+ destruct (f' b1) as [[b2 delta2] |] eqn:?; inv H.
eauto.
(* no overlap *)
- red; intros.
+ red; intros.
destruct (f b1) as [[b1x delta1x] |] eqn:?; try discriminate.
- destruct (f' b1x) as [[b1y delta1y] |] eqn:?; inv H0.
+ destruct (f' b1x) as [[b1y delta1y] |] eqn:?; inv H0.
destruct (f b2) as [[b2x delta2x] |] eqn:?; try discriminate.
destruct (f' b2x) as [[b2y delta2y] |] eqn:?; inv H1.
exploit mi_no_overlap0; eauto. intros A.
- destruct (eq_block b1x b2x).
- subst b1x. destruct A. congruence.
+ destruct (eq_block b1x b2x).
+ subst b1x. destruct A. congruence.
assert (delta1y = delta2y) by congruence. right; omega.
exploit mi_no_overlap1. eauto. eauto. eauto.
- eapply perm_inj. eauto. eexact H2. eauto.
- eapply perm_inj. eauto. eexact H3. eauto.
+ eapply perm_inj. eauto. eexact H2. eauto.
+ eapply perm_inj. eauto. eexact H3. eauto.
intuition omega.
(* representable *)
- intros.
+ intros.
destruct (f b) as [[b1 delta1] |] eqn:?; try discriminate.
- destruct (f' b1) as [[b2 delta2] |] eqn:?; inv H.
+ destruct (f' b1) as [[b2 delta2] |] eqn:?; inv H.
exploit mi_representable0; eauto. intros [A B].
set (ofs' := Int.repr (Int.unsigned ofs + delta1)).
- assert (Int.unsigned ofs' = Int.unsigned ofs + delta1).
+ assert (Int.unsigned ofs' = Int.unsigned ofs + delta1).
unfold ofs'; apply Int.unsigned_repr. auto.
exploit mi_representable1. eauto. instantiate (1 := ofs').
rewrite H.
@@ -3996,10 +3996,10 @@ Proof.
intros. inversion H; inv H0. constructor; intros.
(* inj *)
replace f with (compose_meminj inject_id f). eapply mem_inj_compose; eauto.
- apply extensionality; intros. unfold compose_meminj, inject_id.
+ apply extensionality; intros. unfold compose_meminj, inject_id.
destruct (f x) as [[y delta] | ]; auto.
(* unmapped *)
- eapply mi_freeblocks0. erewrite <- valid_block_extends; eauto.
+ eapply mi_freeblocks0. erewrite <- valid_block_extends; eauto.
(* mapped *)
eauto.
(* no overlap *)
@@ -4016,12 +4016,12 @@ Proof.
intros. inv H; inversion H0. constructor; intros.
(* inj *)
replace f with (compose_meminj f inject_id). eapply mem_inj_compose; eauto.
- apply extensionality; intros. unfold compose_meminj, inject_id.
+ apply extensionality; intros. unfold compose_meminj, inject_id.
destruct (f x) as [[y delta] | ]; auto. decEq. decEq. omega.
(* unmapped *)
eauto.
(* mapped *)
- erewrite <- valid_block_extends; eauto.
+ erewrite <- valid_block_extends; eauto.
(* no overlap *)
red; intros. eapply mi_no_overlap0; eauto.
(* representable *)
@@ -4037,7 +4037,7 @@ Proof.
congruence.
(* meminj *)
replace inject_id with (compose_meminj inject_id inject_id).
- eapply mem_inj_compose; eauto.
+ eapply mem_inj_compose; eauto.
apply extensionality; intros. unfold compose_meminj, inject_id. auto.
Qed.
@@ -4066,9 +4066,9 @@ Proof.
auto.
(* freeblocks *)
unfold flat_inj, valid_block; intros.
- apply pred_dec_false. auto.
+ apply pred_dec_false. auto.
(* mappedblocks *)
- unfold flat_inj, valid_block; intros.
+ unfold flat_inj, valid_block; intros.
destruct (plt b (nextblock m)); inversion H0; subst. auto.
(* no overlap *)
apply flat_inj_no_overlap.
@@ -4097,14 +4097,14 @@ Theorem alloc_inject_neutral:
Plt (nextblock m) thr ->
inject_neutral thr m'.
Proof.
- intros; red.
- eapply alloc_left_mapped_inj with (m1 := m) (b2 := b) (delta := 0).
- eapply alloc_right_inj; eauto. eauto. eauto with mem.
- red. intros. apply Zdivide_0.
+ intros; red.
+ eapply alloc_left_mapped_inj with (m1 := m) (b2 := b) (delta := 0).
+ eapply alloc_right_inj; eauto. eauto. eauto with mem.
+ red. intros. apply Zdivide_0.
intros.
apply perm_implies with Freeable; auto with mem.
- eapply perm_alloc_2; eauto. omega.
- unfold flat_inj. apply pred_dec_true.
+ eapply perm_alloc_2; eauto. omega.
+ unfold flat_inj. apply pred_dec_true.
rewrite (alloc_result _ _ _ _ _ H). auto.
Qed.
@@ -4117,11 +4117,11 @@ Theorem store_inject_neutral:
inject_neutral thr m'.
Proof.
intros; red.
- exploit store_mapped_inj. eauto. eauto. apply flat_inj_no_overlap.
+ exploit store_mapped_inj. eauto. eauto. apply flat_inj_no_overlap.
unfold flat_inj. apply pred_dec_true; auto. eauto.
- replace (ofs + 0) with ofs by omega.
+ replace (ofs + 0) with ofs by omega.
intros [m'' [A B]]. congruence.
-Qed.
+Qed.
Theorem drop_inject_neutral:
forall m b lo hi p m' thr,
@@ -4131,8 +4131,8 @@ Theorem drop_inject_neutral:
inject_neutral thr m'.
Proof.
unfold inject_neutral; intros.
- exploit drop_mapped_inj; eauto. apply flat_inj_no_overlap.
- unfold flat_inj. apply pred_dec_true; eauto.
+ exploit drop_mapped_inj; eauto. apply flat_inj_no_overlap.
+ unfold flat_inj. apply pred_dec_true; eauto.
repeat rewrite Zplus_0_r. intros [m'' [A B]]. congruence.
Qed.
@@ -4165,7 +4165,7 @@ Lemma perm_unchanged_on:
unchanged_on m m' -> P b ofs -> valid_block m b ->
perm m b ofs k p -> perm m' b ofs k p.
Proof.
- intros. destruct H. apply unchanged_on_perm0; auto.
+ intros. destruct H. apply unchanged_on_perm0; auto.
Qed.
Lemma perm_unchanged_on_2:
@@ -4173,7 +4173,7 @@ Lemma perm_unchanged_on_2:
unchanged_on m m' -> P b ofs -> valid_block m b ->
perm m' b ofs k p -> perm m b ofs k p.
Proof.
- intros. destruct H. apply unchanged_on_perm0; auto.
+ intros. destruct H. apply unchanged_on_perm0; auto.
Qed.
Lemma loadbytes_unchanged_on_1:
@@ -4183,7 +4183,7 @@ Lemma loadbytes_unchanged_on_1:
(forall i, ofs <= i < ofs + n -> P b i) ->
loadbytes m' b ofs n = loadbytes m b ofs n.
Proof.
- intros.
+ intros.
destruct (zle n 0).
+ erewrite ! loadbytes_empty by assumption. auto.
+ unfold loadbytes. destruct H.
@@ -4191,7 +4191,7 @@ Proof.
rewrite pred_dec_true. f_equal.
apply getN_exten. intros. rewrite nat_of_Z_eq in H by omega.
apply unchanged_on_contents0; auto.
- red; intros. apply unchanged_on_perm0; auto.
+ red; intros. apply unchanged_on_perm0; auto.
rewrite pred_dec_false. auto.
red; intros; elim n0; red; intros. apply <- unchanged_on_perm0; auto.
Qed.
@@ -4203,11 +4203,11 @@ Lemma loadbytes_unchanged_on:
loadbytes m b ofs n = Some bytes ->
loadbytes m' b ofs n = Some bytes.
Proof.
- intros.
+ intros.
destruct (zle n 0).
+ erewrite loadbytes_empty in * by assumption. auto.
-+ rewrite <- H1. apply loadbytes_unchanged_on_1; auto.
- exploit loadbytes_range_perm; eauto. instantiate (1 := ofs). omega.
++ rewrite <- H1. apply loadbytes_unchanged_on_1; auto.
+ exploit loadbytes_range_perm; eauto. instantiate (1 := ofs). omega.
intros. eauto with mem.
Qed.
@@ -4219,11 +4219,11 @@ Lemma load_unchanged_on_1:
load chunk m' b ofs = load chunk m b ofs.
Proof.
intros. unfold load. destruct (valid_access_dec m chunk b ofs Readable).
- destruct v. rewrite pred_dec_true. f_equal. f_equal. apply getN_exten. intros.
+ destruct v. rewrite pred_dec_true. f_equal. f_equal. apply getN_exten. intros.
rewrite <- size_chunk_conv in H4. eapply unchanged_on_contents; eauto.
split; auto. red; intros. eapply perm_unchanged_on; eauto.
- rewrite pred_dec_false. auto.
- red; intros [A B]; elim n; split; auto. red; intros; eapply perm_unchanged_on_2; eauto.
+ rewrite pred_dec_false. auto.
+ red; intros [A B]; elim n; split; auto. red; intros; eapply perm_unchanged_on_2; eauto.
Qed.
Lemma load_unchanged_on:
@@ -4244,10 +4244,10 @@ Lemma store_unchanged_on:
Proof.
intros; constructor; intros.
- split; intros; eauto with mem.
-- erewrite store_mem_contents; eauto. rewrite PMap.gsspec.
- destruct (peq b0 b); auto. subst b0. apply setN_outside.
- rewrite encode_val_length. rewrite <- size_chunk_conv.
- destruct (zlt ofs0 ofs); auto.
+- erewrite store_mem_contents; eauto. rewrite PMap.gsspec.
+ destruct (peq b0 b); auto. subst b0. apply setN_outside.
+ rewrite encode_val_length. rewrite <- size_chunk_conv.
+ destruct (zlt ofs0 ofs); auto.
destruct (zlt ofs0 (ofs + size_chunk chunk)); auto.
elim (H0 ofs0). omega. auto.
Qed.
@@ -4259,23 +4259,23 @@ Lemma storebytes_unchanged_on:
unchanged_on m m'.
Proof.
intros; constructor; intros.
-- split; intros. eapply perm_storebytes_1; eauto. eapply perm_storebytes_2; eauto.
-- erewrite storebytes_mem_contents; eauto. rewrite PMap.gsspec.
- destruct (peq b0 b); auto. subst b0. apply setN_outside.
- destruct (zlt ofs0 ofs); auto.
+- split; intros. eapply perm_storebytes_1; eauto. eapply perm_storebytes_2; eauto.
+- erewrite storebytes_mem_contents; eauto. rewrite PMap.gsspec.
+ destruct (peq b0 b); auto. subst b0. apply setN_outside.
+ destruct (zlt ofs0 ofs); auto.
destruct (zlt ofs0 (ofs + Z_of_nat (length bytes))); auto.
elim (H0 ofs0). omega. auto.
Qed.
Lemma alloc_unchanged_on:
- forall m lo hi m' b,
+ forall m lo hi m' b,
alloc m lo hi = (m', b) ->
unchanged_on m m'.
Proof.
intros; constructor; intros.
- split; intros.
eapply perm_alloc_1; eauto.
- eapply perm_alloc_4; eauto.
+ eapply perm_alloc_4; eauto.
eapply valid_not_valid_diff; eauto with mem.
- injection H; intros A B. rewrite <- B; simpl.
rewrite PMap.gso; auto. rewrite A. eapply valid_not_valid_diff; eauto with mem.
@@ -4288,9 +4288,9 @@ Lemma free_unchanged_on:
unchanged_on m m'.
Proof.
intros; constructor; intros.
-- split; intros.
- eapply perm_free_1; eauto.
- destruct (eq_block b0 b); auto. destruct (zlt ofs lo); auto. destruct (zle hi ofs); auto.
+- split; intros.
+ eapply perm_free_1; eauto.
+ destruct (eq_block b0 b); auto. destruct (zlt ofs lo); auto. destruct (zle hi ofs); auto.
subst b0. elim (H0 ofs). omega. auto.
eapply perm_free_3; eauto.
- unfold free in H. destruct (range_perm_dec m b lo hi Cur Freeable); inv H.
diff --git a/common/Memtype.v b/common/Memtype.v
index 43fc708f..5dbb66dc 100644
--- a/common/Memtype.v
+++ b/common/Memtype.v
@@ -376,7 +376,7 @@ Axiom loadbytes_split:
loadbytes m b ofs (n1 + n2) = Some bytes ->
n1 >= 0 -> n2 >= 0 ->
exists bytes1, exists bytes2,
- loadbytes m b ofs n1 = Some bytes1
+ loadbytes m b ofs n1 = Some bytes1
/\ loadbytes m b (ofs + n1) n2 = Some bytes2
/\ bytes = bytes1 ++ bytes2.
@@ -636,7 +636,7 @@ Axiom perm_alloc_4:
forall b' ofs k p, perm m2 b' ofs k p -> b' <> b -> perm m1 b' ofs k p.
Axiom perm_alloc_inv:
forall m1 lo hi m2 b, alloc m1 lo hi = (m2, b) ->
- forall b' ofs k p,
+ forall b' ofs k p,
perm m2 b' ofs k p ->
if eq_block b' b then lo <= ofs < hi else perm m1 b' ofs k p.
@@ -729,7 +729,7 @@ Axiom perm_free_3:
Axiom valid_access_free_1:
forall m1 bf lo hi m2, free m1 bf lo hi = Some m2 ->
forall chunk b ofs p,
- valid_access m1 chunk b ofs p ->
+ valid_access m1 chunk b ofs p ->
b <> bf \/ lo >= hi \/ ofs + size_chunk chunk <= lo \/ hi <= ofs ->
valid_access m2 chunk b ofs p.
Axiom valid_access_free_2:
@@ -790,7 +790,7 @@ Axiom perm_drop_4:
Axiom load_drop:
forall m b lo hi p m', drop_perm m b lo hi p = Some m' ->
- forall chunk b' ofs,
+ forall chunk b' ofs,
b' <> b \/ ofs + size_chunk chunk <= lo \/ hi <= ofs \/ perm_order p Readable ->
load chunk m' b' ofs = load chunk m b' ofs.
@@ -928,10 +928,10 @@ Axiom weak_valid_pointer_extends:
a sub-block at offset [ofs] of the block [b'] in [m2].
A memory injection [f] defines a relation [Val.inject] between values
-that is the identity for integer and float values, and relocates pointer
+that is the identity for integer and float values, and relocates pointer
values as prescribed by [f]. (See module [Values].)
-Likewise, a memory injection [f] defines a relation between memory states
+Likewise, a memory injection [f] defines a relation between memory states
that we now axiomatize. *)
Parameter inject: meminj -> mem -> mem -> Prop.
@@ -1146,7 +1146,7 @@ Axiom alloc_left_mapped_inject:
(forall ofs k p, lo <= ofs < hi -> perm m2 b2 (ofs + delta) k p) ->
inj_offset_aligned delta (hi-lo) ->
(forall b delta' ofs k p,
- f b = Some (b2, delta') ->
+ f b = Some (b2, delta') ->
perm m1 b ofs k p ->
lo + delta <= ofs + delta' < hi + delta -> False) ->
exists f',
@@ -1188,8 +1188,8 @@ Axiom free_parallel_inject:
Axiom drop_outside_inject:
forall f m1 m2 b lo hi p m2',
- inject f m1 m2 ->
- drop_perm m2 b lo hi p = Some m2' ->
+ inject f m1 m2 ->
+ drop_perm m2 b lo hi p = Some m2' ->
(forall b' delta ofs k p,
f b' = Some(b, delta) ->
perm m1 b' ofs k p -> lo <= ofs + delta < hi -> False) ->
diff --git a/common/PrintAST.ml b/common/PrintAST.ml
index 67b5eb9d..39481bfb 100644
--- a/common/PrintAST.ml
+++ b/common/PrintAST.ml
@@ -57,17 +57,17 @@ let rec print_builtin_arg px oc = function
| BA_long n -> fprintf oc "long %Ld" (camlint64_of_coqint n)
| BA_float n -> fprintf oc "float %F" (camlfloat_of_coqfloat n)
| BA_single n -> fprintf oc "single %F" (camlfloat_of_coqfloat32 n)
- | BA_loadstack(chunk, ofs) ->
+ | BA_loadstack(chunk, ofs) ->
fprintf oc "%s[sp + %ld]" (name_of_chunk chunk) (camlint_of_coqint ofs)
| BA_addrstack(ofs) ->
fprintf oc "sp + %ld" (camlint_of_coqint ofs)
- | BA_loadglobal(chunk, id, ofs) ->
+ | BA_loadglobal(chunk, id, ofs) ->
fprintf oc "%s[&%s + %ld]"
(name_of_chunk chunk) (extern_atom id) (camlint_of_coqint ofs)
| BA_addrglobal(id, ofs) ->
fprintf oc "&%s + %ld" (extern_atom id) (camlint_of_coqint ofs)
| BA_splitlong(hi, lo) ->
- fprintf oc "splitlong(%a, %a)"
+ fprintf oc "splitlong(%a, %a)"
(print_builtin_arg px) hi (print_builtin_arg px) lo
let rec print_builtin_args px oc = function
@@ -80,6 +80,6 @@ let rec print_builtin_res px oc = function
| BR x -> px oc x
| BR_none -> fprintf oc "_"
| BR_splitlong(hi, lo) ->
- fprintf oc "splitlong(%a, %a)"
+ fprintf oc "splitlong(%a, %a)"
(print_builtin_res px) hi (print_builtin_res px) lo
diff --git a/common/Sections.ml b/common/Sections.ml
index cc8b0758..0400bbc4 100644
--- a/common/Sections.ml
+++ b/common/Sections.ml
@@ -57,7 +57,7 @@ let default_section_info = {
let builtin_sections = [
"CODE",
- {sec_name_init = Section_text;
+ {sec_name_init = Section_text;
sec_name_uninit = Section_text;
sec_writable = false; sec_executable = true;
sec_access = Access_default};
@@ -118,7 +118,7 @@ let initialize () =
(* Define or update a given section. *)
let define_section name ?iname ?uname ?writable ?executable ?access () =
- let si =
+ let si =
try Hashtbl.find current_section_table name
with Not_found -> default_section_info in
let writable =
@@ -217,7 +217,7 @@ let for_function env id ty_res =
with Not_found ->
assert false in
[si_code.sec_name_init; si_literal.sec_name_init; si_jumptbl.sec_name_init]
-
+
(* Determine section for a string literal *)
let for_stringlit() =
diff --git a/common/Smallstep.v b/common/Smallstep.v
index ab41d327..71cef35f 100644
--- a/common/Smallstep.v
+++ b/common/Smallstep.v
@@ -62,7 +62,7 @@ Inductive star (ge: genv): state -> trace -> state -> Prop :=
Lemma star_one:
forall ge s1 t s2, step ge s1 t s2 -> star ge s1 t s2.
Proof.
- intros. eapply star_step; eauto. apply star_refl. traceEq.
+ intros. eapply star_step; eauto. apply star_refl. traceEq.
Qed.
Lemma star_two:
@@ -70,7 +70,7 @@ Lemma star_two:
step ge s1 t1 s2 -> step ge s2 t2 s3 -> t = t1 ** t2 ->
star ge s1 t s3.
Proof.
- intros. eapply star_step; eauto. apply star_one; auto.
+ intros. eapply star_step; eauto. apply star_one; auto.
Qed.
Lemma star_three:
@@ -78,7 +78,7 @@ Lemma star_three:
step ge s1 t1 s2 -> step ge s2 t2 s3 -> step ge s3 t3 s4 -> t = t1 ** t2 ** t3 ->
star ge s1 t s4.
Proof.
- intros. eapply star_step; eauto. eapply star_two; eauto.
+ intros. eapply star_step; eauto. eapply star_two; eauto.
Qed.
Lemma star_four:
@@ -87,7 +87,7 @@ Lemma star_four:
step ge s3 t3 s4 -> step ge s4 t4 s5 -> t = t1 ** t2 ** t3 ** t4 ->
star ge s1 t s5.
Proof.
- intros. eapply star_step; eauto. eapply star_three; eauto.
+ intros. eapply star_step; eauto. eapply star_three; eauto.
Qed.
Lemma star_trans:
@@ -119,13 +119,13 @@ Lemma star_E0_ind:
(forall s1 s2 s3, step ge s1 E0 s2 -> P s2 s3 -> P s1 s3) ->
forall s1 s2, star ge s1 E0 s2 -> P s1 s2.
Proof.
- intros ge P BASE REC.
+ intros ge P BASE REC.
assert (forall s1 t s2, star ge s1 t s2 -> t = E0 -> P s1 s2).
induction 1; intros; subst.
auto.
destruct (Eapp_E0_inv _ _ H2). subst. eauto.
eauto.
-Qed.
+Qed.
(** One or several transitions. Also known as the transitive closure. *)
@@ -146,7 +146,7 @@ Lemma plus_two:
step ge s1 t1 s2 -> step ge s2 t2 s3 -> t = t1 ** t2 ->
plus ge s1 t s3.
Proof.
- intros. eapply plus_left; eauto. apply star_one; auto.
+ intros. eapply plus_left; eauto. apply star_one; auto.
Qed.
Lemma plus_three:
@@ -154,7 +154,7 @@ Lemma plus_three:
step ge s1 t1 s2 -> step ge s2 t2 s3 -> step ge s3 t3 s4 -> t = t1 ** t2 ** t3 ->
plus ge s1 t s4.
Proof.
- intros. eapply plus_left; eauto. eapply star_two; eauto.
+ intros. eapply plus_left; eauto. eapply star_two; eauto.
Qed.
Lemma plus_four:
@@ -163,14 +163,14 @@ Lemma plus_four:
step ge s3 t3 s4 -> step ge s4 t4 s5 -> t = t1 ** t2 ** t3 ** t4 ->
plus ge s1 t s5.
Proof.
- intros. eapply plus_left; eauto. eapply star_three; eauto.
+ intros. eapply plus_left; eauto. eapply star_three; eauto.
Qed.
Lemma plus_star:
forall ge s1 t s2, plus ge s1 t s2 -> star ge s1 t s2.
Proof.
intros. inversion H; subst.
- eapply star_step; eauto.
+ eapply star_step; eauto.
Qed.
Lemma plus_right:
@@ -180,7 +180,7 @@ Lemma plus_right:
Proof.
intros. inversion H; subst. simpl. apply plus_one. auto.
rewrite Eapp_assoc. eapply plus_left; eauto.
- eapply star_right; eauto.
+ eapply star_right; eauto.
Qed.
Lemma plus_left':
@@ -203,7 +203,7 @@ Lemma plus_star_trans:
forall ge s1 t1 s2 t2 s3 t,
plus ge s1 t1 s2 -> star ge s2 t2 s3 -> t = t1 ** t2 -> plus ge s1 t s3.
Proof.
- intros. inversion H; subst.
+ intros. inversion H; subst.
econstructor; eauto. eapply star_trans; eauto.
traceEq.
Qed.
@@ -214,8 +214,8 @@ Lemma star_plus_trans:
Proof.
intros. inversion H; subst.
simpl; auto.
- rewrite Eapp_assoc.
- econstructor. eauto. eapply star_trans. eauto.
+ rewrite Eapp_assoc.
+ econstructor. eauto. eapply star_trans. eauto.
apply plus_star. eauto. eauto. auto.
Qed.
@@ -227,7 +227,7 @@ Proof.
Qed.
Lemma plus_inv:
- forall ge s1 t s2,
+ forall ge s1 t s2,
plus ge s1 t s2 ->
step ge s1 t s2 \/ exists s', exists t1, exists t2, step ge s1 t1 s' /\ plus ge s' t2 s2 /\ t = t1 ** t2.
Proof.
@@ -248,7 +248,7 @@ Qed.
Lemma plus_ind2:
forall ge (P: state -> trace -> state -> Prop),
(forall s1 t s2, step ge s1 t s2 -> P s1 t s2) ->
- (forall s1 t1 s2 t2 s3 t,
+ (forall s1 t1 s2 t2 s3 t,
step ge s1 t1 s2 -> plus ge s2 t2 s3 -> P s2 t2 s3 -> t = t1 ** t2 ->
P s1 t s3) ->
forall s1 t s2, plus ge s1 t s2 -> P s1 t s2.
@@ -261,7 +261,7 @@ Proof.
rewrite E0_right. apply BASE; auto.
eapply IND. eauto. econstructor; eauto. subst t. eapply IHstar; eauto. auto.
- intros. inv H0. eauto.
+ intros. inv H0. eauto.
Qed.
Lemma plus_E0_ind:
@@ -290,7 +290,7 @@ Qed.
Remark star_starN:
forall ge s t s', star ge s t s' -> exists n, starN ge n s t s'.
Proof.
- induction 1.
+ induction 1.
exists O; constructor.
destruct IHstar as [n P]. exists (S n); econstructor; eauto.
Qed.
@@ -308,9 +308,9 @@ Lemma star_forever:
forever ge s1 (t *** T).
Proof.
induction 1; intros. simpl. auto.
- subst t. rewrite Eappinf_assoc.
+ subst t. rewrite Eappinf_assoc.
econstructor; eauto.
-Qed.
+Qed.
(** An alternate, equivalent definition of [forever] that is useful
for coinductive reasoning. *)
@@ -320,7 +320,7 @@ Variable order: A -> A -> Prop.
CoInductive forever_N (ge: genv) : A -> state -> traceinf -> Prop :=
| forever_N_star: forall s1 t s2 a1 a2 T1 T2,
- star ge s1 t s2 ->
+ star ge s1 t s2 ->
order a2 a1 ->
forever_N ge a2 s2 T2 ->
T1 = t *** T2 ->
@@ -344,7 +344,7 @@ Proof.
(* star case *)
inv H1.
(* no transition *)
- change (E0 *** T2) with T2. apply H with a2. auto. auto.
+ change (E0 *** T2) with T2. apply H with a2. auto. auto.
(* at least one transition *)
exists t1; exists s0; exists x; exists (t2 *** T2).
split. auto. split. eapply forever_N_star; eauto.
@@ -353,7 +353,7 @@ Proof.
inv H1.
exists t1; exists s0; exists a2; exists (t2 *** T2).
split. auto.
- split. inv H3. auto.
+ split. inv H3. auto.
eapply forever_N_plus. econstructor; eauto. eauto. auto.
apply Eappinf_assoc.
Qed.
@@ -363,7 +363,7 @@ Lemma forever_N_forever:
Proof.
cofix COINDHYP; intros.
destruct (forever_N_inv H) as [t [s' [a' [T' [P [Q R]]]]]].
- rewrite R. apply forever_intro with s'. auto.
+ rewrite R. apply forever_intro with s'. auto.
apply COINDHYP with a'; auto.
Qed.
@@ -371,7 +371,7 @@ Qed.
CoInductive forever_plus (ge: genv) : state -> traceinf -> Prop :=
| forever_plus_intro: forall s1 t s2 T1 T2,
- plus ge s1 t s2 ->
+ plus ge s1 t s2 ->
forever_plus ge s2 T2 ->
T1 = t *** T2 ->
forever_plus ge s1 T1.
@@ -384,8 +384,8 @@ Lemma forever_plus_inv:
Proof.
intros. inv H. inv H0. exists s0; exists t1; exists (t2 *** T2).
split. auto.
- split. exploit star_inv; eauto. intros [[P Q] | R].
- subst. simpl. auto. econstructor; eauto.
+ split. exploit star_inv; eauto. intros [[P Q] | R].
+ subst. simpl. auto. econstructor; eauto.
traceEq.
Qed.
@@ -408,7 +408,7 @@ CoInductive forever_silent (ge: genv): state -> Prop :=
CoInductive forever_silent_N (ge: genv) : A -> state -> Prop :=
| forever_silent_N_star: forall s1 s2 a1 a2,
- star ge s1 E0 s2 ->
+ star ge s1 E0 s2 ->
order a2 a1 ->
forever_silent_N ge a2 s2 ->
forever_silent_N ge a1 s1
@@ -428,15 +428,15 @@ Proof.
(* star case *)
inv H1.
(* no transition *)
- apply H with a2. auto. auto.
+ apply H with a2. auto. auto.
(* at least one transition *)
- exploit Eapp_E0_inv; eauto. intros [P Q]. subst.
+ exploit Eapp_E0_inv; eauto. intros [P Q]. subst.
exists s0; exists x.
split. auto. eapply forever_silent_N_star; eauto.
(* plus case *)
- inv H1. exploit Eapp_E0_inv; eauto. intros [P Q]. subst.
+ inv H1. exploit Eapp_E0_inv; eauto. intros [P Q]. subst.
exists s0; exists a2.
- split. auto. inv H3. auto.
+ split. auto. inv H3. auto.
eapply forever_silent_N_plus. econstructor; eauto. eauto.
Qed.
@@ -445,7 +445,7 @@ Lemma forever_silent_N_forever:
Proof.
cofix COINDHYP; intros.
destruct (forever_silent_N_inv H) as [s' [a' [P Q]]].
- apply forever_silent_intro with s'. auto.
+ apply forever_silent_intro with s'. auto.
apply COINDHYP with a'; auto.
Qed.
@@ -461,8 +461,8 @@ Lemma star_forever_reactive:
star ge s1 t s2 -> forever_reactive ge s2 T ->
forever_reactive ge s1 (t *** T).
Proof.
- intros. inv H0. rewrite <- Eappinf_assoc. econstructor.
- eapply star_trans; eauto.
+ intros. inv H0. rewrite <- Eappinf_assoc. econstructor.
+ eapply star_trans; eauto.
red; intro. exploit Eapp_E0_inv; eauto. intros [P Q]. contradiction.
auto.
Qed.
@@ -523,7 +523,7 @@ Record forward_simulation (L1 L2: semantics) : Type :=
forall s1, initial_state L1 s1 ->
exists i, exists s2, initial_state L2 s2 /\ fsim_match_states i s1 s2;
fsim_match_final_states:
- forall i s1 s2 r,
+ forall i s1 s2 r,
fsim_match_states i s1 s2 -> final_state L1 s1 r -> final_state L2 s2 r;
fsim_simulation:
forall s1 t s1', Step L1 s1 t s1' ->
@@ -546,12 +546,12 @@ Lemma fsim_simulation':
(exists i', exists s2', Plus L2 s2 t s2' /\ S i' s1' s2')
\/ (exists i', fsim_order S i' i /\ t = E0 /\ S i' s1' s2).
Proof.
- intros. exploit fsim_simulation; eauto.
- intros [i' [s2' [A B]]]. intuition.
+ intros. exploit fsim_simulation; eauto.
+ intros [i' [s2' [A B]]]. intuition.
left; exists i'; exists s2'; auto.
- inv H2.
+ inv H2.
right; exists i'; auto.
- left; exists i'; exists s2'; split; auto. econstructor; eauto.
+ left; exists i'; exists s2'; split; auto. econstructor; eauto.
Qed.
(** ** Forward simulation diagrams. *)
@@ -618,7 +618,7 @@ End SIMULATION_STAR_WF.
Section SIMULATION_STAR.
(** We now consider the case where we have a nonnegative integer measure
- associated with states of the first semantics. It must decrease when we take
+ associated with states of the first semantics. It must decrease when we take
a stuttering step. *)
Variable measure: state L1 -> nat.
@@ -670,7 +670,7 @@ Hypothesis simulation:
Lemma forward_simulation_step: forward_simulation L1 L2.
Proof.
- apply forward_simulation_plus.
+ apply forward_simulation_plus.
intros. exploit simulation; eauto. intros [s2' [A B]].
exists s2'; split; auto. apply plus_one; auto.
Qed.
@@ -723,7 +723,7 @@ Proof.
exploit fsim_simulation; eauto. intros [i' [s2' [A B]]].
exploit IHstar; eauto. intros [i'' [s2'' [C D]]].
exists i''; exists s2''; split; auto. eapply star_trans; eauto.
- intuition. apply plus_star; auto.
+ intuition. apply plus_star; auto.
Qed.
Lemma simulation_plus:
@@ -736,10 +736,10 @@ Proof.
(* base case *)
exploit fsim_simulation'; eauto. intros [A | [i' A]].
left; auto.
- right; exists i'; intuition.
+ right; exists i'; intuition.
(* inductive case *)
exploit fsim_simulation'; eauto. intros [[i' [s2' [A B]]] | [i' [A [B C]]]].
- exploit simulation_star. apply plus_star; eauto. eauto.
+ exploit simulation_star. apply plus_star; eauto. eauto.
intros [i'' [s2'' [P Q]]].
left; exists i''; exists s2''; split; auto. eapply plus_star_trans; eauto.
exploit IHplus; eauto. intros [[i'' [s2'' [P Q]]] | [i'' [P [Q R]]]].
@@ -770,7 +770,7 @@ Lemma simulation_forever_reactive:
Forever_reactive L2 s2 T.
Proof.
cofix COINDHYP; intros.
- inv H.
+ inv H.
destruct (simulation_star H1 i _ H0) as [i' [st2' [A B]]].
econstructor; eauto.
Qed.
@@ -803,7 +803,7 @@ Proof.
(* initial states *)
intros. exploit (fsim_match_initial_states S12); eauto. intros [i [s2 [A B]]].
exploit (fsim_match_initial_states S23); eauto. intros [i' [s3 [C D]]].
- exists (i', i); exists s3; split; auto. exists s2; auto.
+ exists (i', i); exists s3; split; auto. exists s2; auto.
(* final states *)
intros. destruct H as [s3 [A B]].
eapply (fsim_match_final_states S23); eauto.
@@ -816,12 +816,12 @@ Proof.
(* L3 makes one or several steps *)
exists (i2', i1'); exists s2'; split. auto. exists s3'; auto.
(* L3 makes no step *)
- exists (i2', i1'); exists s2; split.
+ exists (i2', i1'); exists s2; split.
right; split. subst t; apply star_refl. red. left. auto.
- exists s3'; auto.
+ exists s3'; auto.
(* L2 makes no step *)
exists (i2, i1'); exists s2; split.
- right; split. subst t; apply star_refl. red. right. auto.
+ right; split. subst t; apply star_refl. red. right. auto.
exists s3; auto.
(* symbols *)
intros. transitivity (Senv.public_symbol (symbolenv L2) id); apply fsim_public_preserved; auto.
@@ -867,7 +867,7 @@ Lemma sd_determ_1:
Step L s t1 s1 -> Step L s t2 s2 -> match_traces (symbolenv L) t1 t2.
Proof.
intros. eapply sd_determ; eauto.
-Qed.
+Qed.
Lemma sd_determ_2:
forall s t s1 s2,
@@ -880,7 +880,7 @@ Lemma star_determinacy:
forall s t s', Star L s t s' ->
forall s'', Star L s t s'' -> Star L s' E0 s'' \/ Star L s'' E0 s'.
Proof.
- induction 1; intros.
+ induction 1; intros.
auto.
inv H2.
right. eapply star_step; eauto.
@@ -888,12 +888,12 @@ Proof.
exploit (sd_traces DET). eexact H. intros L1.
exploit (sd_traces DET). eexact H3. intros L2.
assert (t1 = t0 /\ t2 = t3).
- destruct t1. inv MT. auto.
- destruct t1; simpl in L1; try omegaContradiction.
+ destruct t1. inv MT. auto.
+ destruct t1; simpl in L1; try omegaContradiction.
destruct t0. inv MT. destruct t0; simpl in L2; try omegaContradiction.
simpl in H5. split. congruence. congruence.
destruct H1; subst.
- assert (s2 = s4) by (eapply sd_determ_2; eauto). subst s4.
+ assert (s2 = s4) by (eapply sd_determ_2; eauto). subst s4.
auto.
Qed.
@@ -903,7 +903,7 @@ End DETERMINACY.
Definition safe (L: semantics) (s: state L) : Prop :=
forall s',
- Star L s E0 s' ->
+ Star L s E0 s' ->
(exists r, final_state L s' r)
\/ (exists t, exists s'', Step L s' t s'').
@@ -912,7 +912,7 @@ Lemma star_safe:
Star L s E0 s' -> safe L s -> safe L s'.
Proof.
intros; red; intros. apply H0. eapply star_trans; eauto.
-Qed.
+Qed.
(** The general form of a backward simulation. *)
@@ -928,11 +928,11 @@ Record backward_simulation (L1 L2: semantics) : Type :=
forall s1 s2, initial_state L1 s1 -> initial_state L2 s2 ->
exists i, exists s1', initial_state L1 s1' /\ bsim_match_states i s1' s2;
bsim_match_final_states:
- forall i s1 s2 r,
- bsim_match_states i s1 s2 -> safe L1 s1 -> final_state L2 s2 r ->
+ forall i s1 s2 r,
+ bsim_match_states i s1 s2 -> safe L1 s1 -> final_state L2 s2 r ->
exists s1', Star L1 s1 E0 s1' /\ final_state L1 s1' r;
bsim_progress:
- forall i s1 s2,
+ forall i s1 s2,
bsim_match_states i s1 s2 -> safe L1 s1 ->
(exists r, final_state L2 s2 r) \/
(exists t, exists s2', Step L2 s2 t s2');
@@ -955,12 +955,12 @@ Lemma bsim_simulation':
(exists i', exists s1', Plus L1 s1 t s1' /\ S i' s1' s2')
\/ (exists i', bsim_order S i' i /\ t = E0 /\ S i' s1 s2').
Proof.
- intros. exploit bsim_simulation; eauto.
- intros [i' [s1' [A B]]]. intuition.
+ intros. exploit bsim_simulation; eauto.
+ intros [i' [s1' [A B]]]. intuition.
left; exists i'; exists s1'; auto.
- inv H3.
+ inv H3.
right; exists i'; auto.
- left; exists i'; exists s1'; split; auto. econstructor; eauto.
+ left; exists i'; exists s1'; split; auto. econstructor; eauto.
Qed.
(** ** Backward simulation diagrams. *)
@@ -985,11 +985,11 @@ Hypothesis match_initial_states:
exists s1', initial_state L1 s1' /\ match_states s1' s2.
Hypothesis match_final_states:
- forall s1 s2 r,
+ forall s1 s2 r,
match_states s1 s2 -> final_state L2 s2 r -> final_state L1 s1 r.
Hypothesis progress:
- forall s1 s2,
+ forall s1 s2,
match_states s1 s2 -> safe L1 s1 ->
(exists r, final_state L2 s2 r) \/
(exists t, exists s2', Step L2 s2 t s2').
@@ -1009,8 +1009,8 @@ Proof.
auto.
red; intros; constructor; intros. contradiction.
intros. exists tt; eauto.
- intros. exists s1; split. apply star_refl. eauto.
- intros. exploit simulation; eauto. intros [s1' [A B]].
+ intros. exists s1; split. apply star_refl. eauto.
+ intros. exploit simulation; eauto. intros [s1' [A B]].
exists tt; exists s1'; auto.
Qed.
@@ -1036,7 +1036,7 @@ Proof.
intros. exists i; exists s1; split; auto. apply star_refl.
(* inductive case *)
intros. exploit bsim_simulation; eauto. intros [i' [s1' [A B]]].
- assert (Star L1 s0 E0 s1'). intuition. apply plus_star; auto.
+ assert (Star L1 s0 E0 s1'). intuition. apply plus_star; auto.
exploit H0. eauto. eapply star_safe; eauto. intros [i'' [s1'' [C D]]].
exists i''; exists s1''; split; auto. eapply star_trans; eauto.
Qed.
@@ -1045,7 +1045,7 @@ Lemma bsim_safe:
forall i s1 s2,
S i s1 s2 -> safe L1 s1 -> safe L2 s2.
Proof.
- intros; red; intros.
+ intros; red; intros.
exploit bsim_E0_star; eauto. intros [i' [s1' [A B]]].
eapply bsim_progress; eauto. eapply star_safe; eauto.
Qed.
@@ -1065,8 +1065,8 @@ Proof.
exploit Eapp_E0_inv; eauto. intros [EQ1 EQ2]; subst.
exploit bsim_simulation'; eauto. intros [[i' [s1' [A B]]] | [i' [A [B C]]]].
exploit bsim_E0_star. apply plus_star; eauto. eauto. eapply star_safe; eauto. apply plus_star; auto.
- intros [i'' [s1'' [P Q]]].
- left; exists i''; exists s1''; intuition. eapply plus_star_trans; eauto.
+ intros [i'' [s1'' [P Q]]].
+ left; exists i''; exists s1''; intuition. eapply plus_star_trans; eauto.
exploit IHplus; eauto. intros [P | [i'' [P Q]]].
left; auto.
right; exists i''; intuition. eapply t_trans; eauto. apply t_step; auto.
@@ -1079,12 +1079,12 @@ Proof.
induction 1; intros.
simpl in H; discriminate.
subst t.
- assert (EITHER: t1 = E0 \/ t2 = E0).
- unfold Eapp in H2; rewrite app_length in H2.
+ assert (EITHER: t1 = E0 \/ t2 = E0).
+ unfold Eapp in H2; rewrite app_length in H2.
destruct t1; auto. destruct t2; auto. simpl in H2; omegaContradiction.
- destruct EITHER; subst.
- exploit IHstar; eauto. intros [s2x [s2y [A [B C]]]].
- exists s2x; exists s2y; intuition. eapply star_left; eauto.
+ destruct EITHER; subst.
+ exploit IHstar; eauto. intros [s2x [s2y [A [B C]]]].
+ exists s2x; exists s2y; intuition. eapply star_left; eauto.
rewrite E0_right. exists s1; exists s2; intuition. apply star_refl.
Qed.
@@ -1116,7 +1116,7 @@ Lemma bb_match_at: forall i1 i2 s1 s3 s2,
bb_match_states (i1, i2) s1 s3.
Proof.
intros. econstructor; eauto. apply star_refl.
-Qed.
+Qed.
Lemma bb_simulation_base:
forall s3 t s3', Step L3 s3 t s3' ->
@@ -1130,29 +1130,29 @@ Proof.
intros [ [i2' [s2' [PLUS2 MATCH2]]] | [i2' [ORD2 [EQ MATCH2]]]].
(* 1 L2 makes one or several transitions *)
assert (EITHER: t = E0 \/ (length t = 1)%nat).
- exploit L3_single_events; eauto.
+ exploit L3_single_events; eauto.
destruct t; auto. destruct t; auto. simpl. intros. omegaContradiction.
destruct EITHER.
(* 1.1 these are silent transitions *)
- subst t. exploit bsim_E0_plus; eauto.
+ subst t. exploit bsim_E0_plus; eauto.
intros [ [i1' [s1' [PLUS1 MATCH1]]] | [i1' [ORD1 MATCH1]]].
(* 1.1.1 L1 makes one or several transitions *)
- exists (i1', i2'); exists s1'; split. auto. eapply bb_match_at; eauto.
+ exists (i1', i2'); exists s1'; split. auto. eapply bb_match_at; eauto.
(* 1.1.2 L1 makes no transitions *)
- exists (i1', i2'); exists s1; split.
- right; split. apply star_refl. left; auto.
- eapply bb_match_at; eauto.
+ exists (i1', i2'); exists s1; split.
+ right; split. apply star_refl. left; auto.
+ eapply bb_match_at; eauto.
(* 1.2 non-silent transitions *)
- exploit star_non_E0_split. apply plus_star; eauto. auto.
+ exploit star_non_E0_split. apply plus_star; eauto. auto.
intros [s2x [s2y [P [Q R]]]].
exploit bsim_E0_star. eexact P. eauto. auto. intros [i1' [s1x [X Y]]].
- exploit bsim_simulation'. eexact Q. eauto. eapply star_safe; eauto.
+ exploit bsim_simulation'. eexact Q. eauto. eapply star_safe; eauto.
intros [[i1'' [s1y [U V]]] | [i1'' [U [V W]]]]; try (subst t; discriminate).
exists (i1'', i2'); exists s1y; split.
left. eapply star_plus_trans; eauto. eapply bb_match_later; eauto.
(* 2. L2 makes no transitions *)
subst. exists (i1, i2'); exists s1; split.
- right; split. apply star_refl. right; auto.
+ right; split. apply star_refl. right; auto.
eapply bb_match_at; eauto.
Qed.
@@ -1163,12 +1163,12 @@ Lemma bb_simulation:
(Plus L1 s1 t s1' \/ (Star L1 s1 t s1' /\ bb_order i' i))
/\ bb_match_states i' s1' s3'.
Proof.
- intros. inv H0.
+ intros. inv H0.
exploit star_inv; eauto. intros [[EQ1 EQ2] | PLUS].
(* 1. match at *)
subst. eapply bb_simulation_base; eauto.
(* 2. match later *)
- exploit bsim_E0_plus; eauto.
+ exploit bsim_E0_plus; eauto.
intros [[i1' [s1' [A B]]] | [i1' [A B]]].
(* 2.1 one or several silent transitions *)
exploit bb_simulation_base. eauto. auto. eexact B. eauto.
@@ -1176,13 +1176,13 @@ Proof.
intros [i'' [s1'' [C D]]].
exists i''; exists s1''; split; auto.
left. eapply plus_star_trans; eauto.
- destruct C as [P | [P Q]]. apply plus_star; eauto. eauto.
+ destruct C as [P | [P Q]]. apply plus_star; eauto. eauto.
traceEq.
(* 2.2 no silent transition *)
exploit bb_simulation_base. eauto. auto. eexact B. eauto. auto.
intros [i'' [s1'' [C D]]].
exists i''; exists s1''; split; auto.
- intuition. right; intuition.
+ intuition. right; intuition.
inv H6. left. eapply t_trans; eauto. left; auto.
Qed.
@@ -1202,17 +1202,17 @@ Proof.
exists (i1, i2); exists s1'; intuition. eapply bb_match_at; eauto.
(* match final states *)
intros i s1 s3 r MS SAFE FIN. inv MS.
- exploit (bsim_match_final_states S23); eauto.
- eapply star_safe; eauto. eapply bsim_safe; eauto.
+ exploit (bsim_match_final_states S23); eauto.
+ eapply star_safe; eauto. eapply bsim_safe; eauto.
intros [s2' [A B]].
exploit bsim_E0_star. eapply star_trans. eexact H0. eexact A. auto. eauto. auto.
intros [i1' [s1' [C D]]].
- exploit (bsim_match_final_states S12); eauto. eapply star_safe; eauto.
- intros [s1'' [P Q]].
+ exploit (bsim_match_final_states S12); eauto. eapply star_safe; eauto.
+ intros [s1'' [P Q]].
exists s1''; split; auto. eapply star_trans; eauto.
(* progress *)
intros i s1 s3 MS SAFE. inv MS.
- eapply (bsim_progress S23). eauto. eapply star_safe; eauto. eapply bsim_safe; eauto.
+ eapply (bsim_progress S23). eauto. eapply star_safe; eauto. eapply bsim_safe; eauto.
(* simulation *)
exact bb_simulation.
(* symbols *)
@@ -1243,21 +1243,21 @@ Inductive f2b_transitions: state L1 -> state L2 -> Prop :=
Star L1 s1 E0 s1' ->
Step L1 s1' t s1'' ->
Plus L2 s2 t s2' ->
- FS i' s1' s2 ->
+ FS i' s1' s2 ->
FS i'' s1'' s2' ->
f2b_transitions s1 s2.
Lemma f2b_progress:
forall i s1 s2, FS i s1 s2 -> safe L1 s1 -> f2b_transitions s1 s2.
Proof.
- intros i0; pattern i0. apply well_founded_ind with (R := fsim_order FS).
+ intros i0; pattern i0. apply well_founded_ind with (R := fsim_order FS).
apply fsim_order_wf.
intros i REC s1 s2 MATCH SAFE.
destruct (SAFE s1) as [[r FINAL] | [t [s1' STEP1]]]. apply star_refl.
(* final state reached *)
- eapply f2b_trans_final; eauto.
+ eapply f2b_trans_final; eauto.
apply star_refl.
- eapply fsim_match_final_states; eauto.
+ eapply fsim_match_final_states; eauto.
(* L1 can make one step *)
exploit (fsim_simulation FS); eauto. intros [i' [s2' [A MATCH']]].
assert (B: Plus L2 s2 t s2' \/ (s2' = s2 /\ t = E0 /\ fsim_order FS i' i)).
@@ -1267,7 +1267,7 @@ Proof.
eapply f2b_trans_step; eauto. apply star_refl.
subst. exploit REC; eauto. eapply star_safe; eauto. apply star_one; auto.
intros TRANS; inv TRANS.
- eapply f2b_trans_final; eauto. eapply star_left; eauto.
+ eapply f2b_trans_final; eauto. eapply star_left; eauto.
eapply f2b_trans_step; eauto. eapply star_left; eauto.
Qed.
@@ -1293,7 +1293,7 @@ Qed.
Remark not_silent_length:
forall t1 t2, (length (t1 ** t2) <= 1)%nat -> t1 = E0 \/ t2 = E0.
Proof.
- unfold Eapp, E0; intros. rewrite app_length in H.
+ unfold Eapp, E0; intros. rewrite app_length in H.
destruct t1; destruct t2; auto. simpl in H. omegaContradiction.
Qed.
@@ -1303,21 +1303,21 @@ Lemma f2b_determinacy_inv:
(t' = E0 /\ t'' = E0 /\ s2' = s2'')
\/ (t' <> E0 /\ t'' <> E0 /\ match_traces (symbolenv L1) t' t'').
Proof.
- intros.
+ intros.
assert (match_traces (symbolenv L2) t' t'').
- eapply sd_determ_1; eauto.
+ eapply sd_determ_1; eauto.
destruct (silent_or_not_silent t').
- subst. inv H1.
+ subst. inv H1.
left; intuition. eapply sd_determ_2; eauto.
destruct (silent_or_not_silent t'').
- subst. inv H1. elim H2; auto.
- right; intuition.
- eapply match_traces_preserved with (ge1 := (symbolenv L2)); auto.
- intros; symmetry; apply (fsim_public_preserved FS).
+ subst. inv H1. elim H2; auto.
+ right; intuition.
+ eapply match_traces_preserved with (ge1 := (symbolenv L2)); auto.
+ intros; symmetry; apply (fsim_public_preserved FS).
Qed.
Lemma f2b_determinacy_star:
- forall s s1, Star L2 s E0 s1 ->
+ forall s s1, Star L2 s E0 s1 ->
forall t s2 s3,
Step L2 s1 t s2 -> t <> E0 ->
Star L2 s t s3 ->
@@ -1327,7 +1327,7 @@ Proof.
intros. inv H3. congruence.
exploit f2b_determinacy_inv. eexact H. eexact H4.
intros [[EQ1 [EQ2 EQ3]] | [NEQ1 [NEQ2 MT]]].
- subst. simpl in *. eauto.
+ subst. simpl in *. eauto.
congruence.
Qed.
@@ -1352,10 +1352,10 @@ Lemma wf_f2b_order:
Proof.
assert (ACC1: forall n, Acc f2b_order (F2BI_before n)).
intros n0; pattern n0; apply lt_wf_ind; intros.
- constructor; intros. inv H0. auto.
+ constructor; intros. inv H0. auto.
assert (ACC2: forall n, Acc f2b_order (F2BI_after n)).
intros n0; pattern n0; apply lt_wf_ind; intros.
- constructor; intros. inv H0. auto. auto.
+ constructor; intros. inv H0. auto. auto.
red; intros. destruct a; auto.
Qed.
@@ -1382,7 +1382,7 @@ Remark f2b_match_after':
FS i s1 s2a ->
f2b_match_states (F2BI_after n) s1 s2.
Proof.
- intros. inv H.
+ intros. inv H.
econstructor; eauto.
econstructor; eauto. econstructor; eauto.
Qed.
@@ -1403,7 +1403,7 @@ Proof.
(* 1.1 L1 can reach final state and L2 is at final state: impossible! *)
exploit (sd_final_nostep L2_determinate); eauto. contradiction.
(* 1.2 L1 can make 0 or several steps; L2 can make 1 or several matching steps. *)
- inv H2.
+ inv H2.
exploit f2b_determinacy_inv. eexact H5. eexact STEP2.
intros [[EQ1 [EQ2 EQ3]] | [NOT1 [NOT2 MT]]].
(* 1.2.1 L2 makes a silent transition *)
@@ -1417,24 +1417,24 @@ Proof.
subst. simpl in *. destruct (star_starN H6) as [n STEPS2].
exists (F2BI_before n); exists s1'; split.
right; split. auto. constructor.
- econstructor. eauto. auto. apply star_one; eauto. eauto. eauto.
+ econstructor. eauto. auto. apply star_one; eauto. eauto. eauto.
(* 1.2.2 L2 makes a non-silent transition, and so does L1 *)
exploit not_silent_length. eapply (sr_traces L1_receptive); eauto. intros [EQ | EQ].
congruence.
- subst t2. rewrite E0_right in H1.
+ subst t2. rewrite E0_right in H1.
(* Use receptiveness to equate the traces *)
exploit (sr_receptive L1_receptive); eauto. intros [s1''' STEP1].
- exploit fsim_simulation_not_E0. eexact STEP1. auto. eauto.
+ exploit fsim_simulation_not_E0. eexact STEP1. auto. eauto.
intros [i''' [s2''' [P Q]]]. inv P.
(* Exploit determinacy *)
exploit not_silent_length. eapply (sr_traces L1_receptive); eauto. intros [EQ | EQ].
- subst t0. simpl in *. exploit sd_determ_1. eauto. eexact STEP2. eexact H2.
+ subst t0. simpl in *. exploit sd_determ_1. eauto. eexact STEP2. eexact H2.
intros. elim NOT2. inv H8. auto.
- subst t2. rewrite E0_right in *.
- assert (s4 = s2'). eapply sd_determ_2; eauto. subst s4.
+ subst t2. rewrite E0_right in *.
+ assert (s4 = s2'). eapply sd_determ_2; eauto. subst s4.
(* Perform transition now and go to "after" state *)
destruct (star_starN H7) as [n STEPS2]. exists (F2BI_after n); exists s1'''; split.
- left. eapply plus_right; eauto.
+ left. eapply plus_right; eauto.
eapply f2b_match_after'; eauto.
(* 2. Before *)
@@ -1444,22 +1444,22 @@ Proof.
(* 2.1 L2 makes a silent transition: remain in "before" state *)
subst. simpl in *. exists (F2BI_before n0); exists s1; split.
right; split. apply star_refl. constructor. omega.
- econstructor; eauto. eapply star_right; eauto.
+ econstructor; eauto. eapply star_right; eauto.
(* 2.2 L2 make a non-silent transition *)
exploit not_silent_length. eapply (sr_traces L1_receptive); eauto. intros [EQ | EQ].
congruence.
subst. rewrite E0_right in *.
(* Use receptiveness to equate the traces *)
exploit (sr_receptive L1_receptive); eauto. intros [s1''' STEP1].
- exploit fsim_simulation_not_E0. eexact STEP1. auto. eauto.
+ exploit fsim_simulation_not_E0. eexact STEP1. auto. eauto.
intros [i''' [s2''' [P Q]]].
(* Exploit determinacy *)
- exploit f2b_determinacy_star. eauto. eexact STEP2. auto. apply plus_star; eauto.
- intro R. inv R. congruence.
+ exploit f2b_determinacy_star. eauto. eexact STEP2. auto. apply plus_star; eauto.
+ intro R. inv R. congruence.
exploit not_silent_length. eapply (sr_traces L1_receptive); eauto. intros [EQ | EQ].
- subst. simpl in *. exploit sd_determ_1. eauto. eexact STEP2. eexact H2.
- intros. elim NOT2. inv H7; auto.
- subst. rewrite E0_right in *.
+ subst. simpl in *. exploit sd_determ_1. eauto. eexact STEP2. eexact H2.
+ intros. elim NOT2. inv H7; auto.
+ subst. rewrite E0_right in *.
assert (s3 = s2'). eapply sd_determ_2; eauto. subst s3.
(* Perform transition now and go to "after" state *)
destruct (star_starN H6) as [n STEPS2]. exists (F2BI_after n); exists s1'''; split.
@@ -1467,7 +1467,7 @@ Proof.
eapply f2b_match_after'; eauto.
(* 3. After *)
- inv H. exploit Eapp_E0_inv; eauto. intros [EQ1 EQ2]; subst.
+ inv H. exploit Eapp_E0_inv; eauto. intros [EQ1 EQ2]; subst.
exploit f2b_determinacy_inv. eexact H2. eexact STEP2.
intros [[EQ1 [EQ2 EQ3]] | [NOT1 [NOT2 MT]]].
subst. exists (F2BI_after n); exists s1; split.
@@ -1498,9 +1498,9 @@ Proof.
inv H5. congruence. exploit (sd_final_nostep L2_determinate); eauto. contradiction.
inv H2. exploit (sd_final_nostep L2_determinate); eauto. contradiction.
(* progress *)
- intros. inv H.
- exploit f2b_progress; eauto. intros TRANS; inv TRANS.
- left; exists r; auto.
+ intros. inv H.
+ exploit f2b_progress; eauto. intros TRANS; inv TRANS.
+ left; exists r; auto.
inv H3. right; econstructor; econstructor; eauto.
inv H4. congruence. right; econstructor; econstructor; eauto.
inv H1. right; econstructor; econstructor; eauto.
@@ -1566,20 +1566,20 @@ Inductive ffs_match: fsim_index sim -> (trace * state L1) -> state L2 -> Prop :=
ffs_match i (ev :: t, s1) s2.
Lemma star_non_E0_split':
- forall s2 t s2', Star L2 s2 t s2' ->
+ forall s2 t s2', Star L2 s2 t s2' ->
match t with
| nil => True
| ev :: t' => exists s2x, Plus L2 s2 (ev :: nil) s2x /\ Star L2 s2x t' s2'
end.
Proof.
induction 1. simpl. auto.
- exploit L2single; eauto. intros LEN.
- destruct t1. simpl in *. subst. destruct t2. auto.
+ exploit L2single; eauto. intros LEN.
+ destruct t1. simpl in *. subst. destruct t2. auto.
destruct IHstar as [s2x [A B]]. exists s2x; split; auto.
- eapply plus_left. eauto. apply plus_star; eauto. auto.
+ eapply plus_left. eauto. apply plus_star; eauto. auto.
destruct t1. simpl in *. subst t. exists s2; split; auto. apply plus_one; auto.
simpl in LEN. omegaContradiction.
-Qed.
+Qed.
Lemma ffs_simulation:
forall s1 t s1', Step (atomic L1) s1 t s1' ->
@@ -1590,27 +1590,27 @@ Lemma ffs_simulation:
Proof.
induction 1; intros.
(* silent step *)
- inv H0.
- exploit (fsim_simulation sim); eauto.
- intros [i' [s2' [A B]]].
+ inv H0.
+ exploit (fsim_simulation sim); eauto.
+ intros [i' [s2' [A B]]].
exists i'; exists s2'; split. auto. constructor; auto.
(* start step *)
- inv H0.
- exploit (fsim_simulation sim); eauto.
+ inv H0.
+ exploit (fsim_simulation sim); eauto.
intros [i' [s2' [A B]]].
- destruct t as [ | ev' t].
+ destruct t as [ | ev' t].
(* single event *)
exists i'; exists s2'; split. auto. constructor; auto.
(* multiple events *)
- assert (C: Star L2 s2 (ev :: ev' :: t) s2'). intuition. apply plus_star; auto.
- exploit star_non_E0_split'. eauto. simpl. intros [s2x [P Q]].
+ assert (C: Star L2 s2 (ev :: ev' :: t) s2'). intuition. apply plus_star; auto.
+ exploit star_non_E0_split'. eauto. simpl. intros [s2x [P Q]].
exists i'; exists s2x; split. auto. econstructor; eauto.
(* continue step *)
- inv H0.
- exploit star_non_E0_split'. eauto. simpl. intros [s2x [P Q]].
- destruct t.
- exists i; exists s2'; split. left. eapply plus_star_trans; eauto. constructor; auto.
- exists i; exists s2x; split. auto. econstructor; eauto.
+ inv H0.
+ exploit star_non_E0_split'. eauto. simpl. intros [s2x [P Q]].
+ destruct t.
+ exists i; exists s2'; split. left. eapply plus_star_trans; eauto. constructor; auto.
+ exists i; exists s2x; split. auto. econstructor; eauto.
Qed.
Theorem factor_forward_simulation:
@@ -1620,11 +1620,11 @@ Proof.
(* wf *)
apply fsim_order_wf.
(* initial states *)
- intros. destruct s1 as [t1 s1]. simpl in H. destruct H. subst.
- exploit (fsim_match_initial_states sim); eauto. intros [i [s2 [A B]]].
+ intros. destruct s1 as [t1 s1]. simpl in H. destruct H. subst.
+ exploit (fsim_match_initial_states sim); eauto. intros [i [s2 [A B]]].
exists i; exists s2; split; auto. constructor; auto.
(* final states *)
- intros. destruct s1 as [t1 s1]. simpl in H0; destruct H0; subst. inv H.
+ intros. destruct s1 as [t1 s1]. simpl in H0; destruct H0; subst. inv H.
eapply (fsim_match_final_states sim); eauto.
(* simulation *)
exact ffs_simulation.
@@ -1661,47 +1661,47 @@ Proof.
induction 1; intros.
(* silent step *)
inv H0.
- exploit (bsim_simulation sim); eauto. eapply star_safe; eauto.
+ exploit (bsim_simulation sim); eauto. eapply star_safe; eauto.
intros [i' [s1'' [A B]]].
exists i'; exists s1''; split.
- destruct A as [P | [P Q]]. left. eapply star_plus_trans; eauto. right; split; auto. eapply star_trans; eauto.
+ destruct A as [P | [P Q]]. left. eapply star_plus_trans; eauto. right; split; auto. eapply star_trans; eauto.
econstructor. apply star_refl. auto. auto.
(* start step *)
inv H0.
- exploit (bsim_simulation sim); eauto. eapply star_safe; eauto.
+ exploit (bsim_simulation sim); eauto. eapply star_safe; eauto.
intros [i' [s1'' [A B]]].
assert (C: Star L1 s1 (ev :: t) s1'').
- eapply star_trans. eauto. destruct A as [P | [P Q]]. apply plus_star; eauto. eauto. auto.
+ eapply star_trans. eauto. destruct A as [P | [P Q]]. apply plus_star; eauto. eauto. auto.
exploit star_non_E0_split'; eauto. simpl. intros [s1x [P Q]].
exists i'; exists s1x; split.
left; auto.
econstructor; eauto.
- exploit L2wb; eauto.
+ exploit L2wb; eauto.
(* continue step *)
inv H0. unfold E0 in H8; destruct H8; try congruence.
exploit star_non_E0_split'; eauto. simpl. intros [s1x [P Q]].
- exists i; exists s1x; split. left; auto. econstructor; eauto. simpl in H0; tauto.
+ exists i; exists s1x; split. left; auto. econstructor; eauto. simpl in H0; tauto.
Qed.
Lemma fbs_progress:
- forall i s1 s2,
+ forall i s1 s2,
fbs_match i s1 s2 -> safe L1 s1 ->
(exists r, final_state (atomic L2) s2 r) \/
(exists t, exists s2', Step (atomic L2) s2 t s2').
Proof.
- intros. inv H. destruct t.
+ intros. inv H. destruct t.
(* 1. no buffered events *)
exploit (bsim_progress sim); eauto. eapply star_safe; eauto.
- intros [[r A] | [t [s2' A]]].
+ intros [[r A] | [t [s2' A]]].
(* final state *)
left; exists r; simpl; auto.
-(* L2 can step *)
- destruct t.
+(* L2 can step *)
+ destruct t.
right; exists E0; exists (nil, s2'). constructor. auto.
right; exists (e :: nil); exists (t, s2'). constructor. auto.
(* 2. some buffered events *)
- unfold E0 in H3; destruct H3. congruence.
- right; exists (e :: nil); exists (t, s3). constructor. auto.
+ unfold E0 in H3; destruct H3. congruence.
+ right; exists (e :: nil); exists (t, s3). constructor. auto.
Qed.
Theorem factor_backward_simulation:
@@ -1712,14 +1712,14 @@ Proof.
apply bsim_order_wf.
(* initial states exist *)
intros. exploit (bsim_initial_states_exist sim); eauto. intros [s2 A].
- exists (E0, s2). simpl; auto.
+ exists (E0, s2). simpl; auto.
(* initial states match *)
intros. destruct s2 as [t s2]; simpl in H0; destruct H0; subst.
- exploit (bsim_match_initial_states sim); eauto. intros [i [s1' [A B]]].
+ exploit (bsim_match_initial_states sim); eauto. intros [i [s1' [A B]]].
exists i; exists s1'; split. auto. econstructor. apply star_refl. auto. auto.
(* final states match *)
intros. destruct s2 as [t s2]; simpl in H1; destruct H1; subst.
- inv H. exploit (bsim_match_final_states sim); eauto. eapply star_safe; eauto.
+ inv H. exploit (bsim_match_final_states sim); eauto. eapply star_safe; eauto.
intros [s1'' [A B]]. exists s1''; split; auto. eapply star_trans; eauto.
(* progress *)
exact fbs_progress.
@@ -1748,19 +1748,19 @@ Theorem atomic_receptive:
Proof.
intros. constructor; intros.
(* receptive *)
- inv H0.
+ inv H0.
(* silent step *)
inv H1. exists (E0, s'). constructor; auto.
(* start step *)
- assert (exists ev2, t2 = ev2 :: nil). inv H1; econstructor; eauto.
+ assert (exists ev2, t2 = ev2 :: nil). inv H1; econstructor; eauto.
destruct H0 as [ev2 EQ]; subst t2.
exploit ssr_receptive; eauto. intros [s2 [t2 P]].
- exploit ssr_well_behaved. eauto. eexact P. simpl; intros Q.
+ exploit ssr_well_behaved. eauto. eexact P. simpl; intros Q.
exists (t2, s2). constructor; auto.
(* continue step *)
- simpl in H2; destruct H2.
+ simpl in H2; destruct H2.
assert (t2 = ev :: nil). inv H1; simpl in H0; tauto.
- subst t2. exists (t, s0). constructor; auto. simpl; auto.
+ subst t2. exists (t, s0). constructor; auto. simpl; auto.
(* single-event *)
red. intros. inv H0; simpl; omega.
Qed.
diff --git a/common/Subtyping.v b/common/Subtyping.v
index e1bf61af..c09226e0 100644
--- a/common/Subtyping.v
+++ b/common/Subtyping.v
@@ -207,7 +207,7 @@ Definition type_move (e: typenv) (r1 r2: positive) : res (bool * typenv) :=
(** Solve the remaining subtyping constraints by iteration. *)
Fixpoint solve_rec (e: typenv) (changed: bool) (q: list constraint) : res (typenv * bool) :=
- match q with
+ match q with
| nil =>
OK (e, changed)
| (r1, r2) :: q' =>
@@ -222,7 +222,7 @@ Definition weight_bounds (ob: option bounds) : nat :=
Lemma weight_bounds_1:
forall lo hi s, weight_bounds (Some (B lo hi s)) < weight_bounds None.
Proof.
- intros; simpl. generalize (T.weight_range hi); omega.
+ intros; simpl. generalize (T.weight_range hi); omega.
Qed.
Lemma weight_bounds_2:
@@ -230,7 +230,7 @@ Lemma weight_bounds_2:
T.sub lo2 lo1 -> T.sub hi1 hi2 -> lo1 <> lo2 \/ hi1 <> hi2 ->
weight_bounds (Some (B lo1 hi1 s1)) < weight_bounds (Some (B lo2 hi2 s2)).
Proof.
- intros; simpl.
+ intros; simpl.
generalize (T.weight_sub _ _ s1) (T.weight_sub _ _ s2) (T.weight_sub _ _ H) (T.weight_sub _ _ H0); intros.
destruct H1.
assert (T.weight lo2 < T.weight lo1) by (apply T.weight_sub_strict; auto). omega.
@@ -245,7 +245,7 @@ Lemma weight_type_move:
(e'.(te_sub) = e.(te_sub) \/ e'.(te_sub) = (r1, r2) :: e.(te_sub))
/\ (forall r, weight_bounds e'.(te_typ)!r <= weight_bounds e.(te_typ)!r)
/\ (changed = true ->
- weight_bounds e'.(te_typ)!r1 + weight_bounds e'.(te_typ)!r2
+ weight_bounds e'.(te_typ)!r1 + weight_bounds e'.(te_typ)!r2
< weight_bounds e.(te_typ)!r1 + weight_bounds e.(te_typ)!r2).
Proof.
unfold type_move; intros.
@@ -267,22 +267,22 @@ Local Opaque weight_bounds.
+ split; auto. split; intros. omega. discriminate.
+ assert (weight_bounds (Some b1) < weight_bounds (Some (B lo1 hi1 s1)))
by (apply weight_bounds_2; auto with ty).
- split; auto. split; intros.
+ split; auto. split; intros.
rewrite PTree.gsspec. destruct (peq r r1). subst r. rewrite E1. omega. omega.
- rewrite PTree.gss. rewrite PTree.gso by auto. rewrite E2. omega.
+ rewrite PTree.gss. rewrite PTree.gso by auto. rewrite E2. omega.
+ assert (weight_bounds (Some b2) < weight_bounds (Some (B lo2 hi2 s2)))
by (apply weight_bounds_2; auto with ty).
- split; auto. split; intros.
+ split; auto. split; intros.
rewrite PTree.gsspec. destruct (peq r r2). subst r. rewrite E2. omega. omega.
rewrite PTree.gss. rewrite PTree.gso by auto. rewrite E1. omega.
+ assert (weight_bounds (Some b1) < weight_bounds (Some (B lo1 hi1 s1)))
by (apply weight_bounds_2; auto with ty).
assert (weight_bounds (Some b2) < weight_bounds (Some (B lo2 hi2 s2)))
by (apply weight_bounds_2; auto with ty).
- split; auto. split; intros.
+ split; auto. split; intros.
rewrite ! PTree.gsspec.
destruct (peq r r2). subst r. rewrite E2. omega.
- destruct (peq r r1). subst r. rewrite E1. omega.
+ destruct (peq r r1). subst r. rewrite E1. omega.
omega.
rewrite PTree.gss. rewrite PTree.gso by auto. rewrite PTree.gss. omega.
@@ -290,15 +290,15 @@ Local Opaque weight_bounds.
assert (weight_bounds (Some b2) < weight_bounds None) by (apply weight_bounds_1).
inv H; simpl.
split. destruct (T.sub_dec hi1 lo1); auto.
- split; intros.
+ split; intros.
rewrite PTree.gsspec. destruct (peq r r2). subst r; rewrite E2; omega. omega.
- rewrite PTree.gss. rewrite PTree.gso by auto. rewrite E1. omega.
+ rewrite PTree.gss. rewrite PTree.gso by auto. rewrite E1. omega.
- set (b1 := B (T.low_bound hi2) hi2 (T.low_bound_sub hi2)) in *.
assert (weight_bounds (Some b1) < weight_bounds None) by (apply weight_bounds_1).
inv H; simpl.
split. destruct (T.sub_dec hi2 lo2); auto.
- split; intros.
+ split; intros.
rewrite PTree.gsspec. destruct (peq r r1). subst r; rewrite E1; omega. omega.
rewrite PTree.gss. rewrite PTree.gso by auto. rewrite E2. omega.
@@ -323,7 +323,7 @@ Lemma weight_solve_rec:
<= weight_constraints e.(te_typ) e.(te_sub) + weight_constraints e.(te_typ) q.
Proof.
induction q; simpl; intros.
-- inv H. split. intros; omega. replace (changed' && negb changed') with false.
+- inv H. split. intros; omega. replace (changed' && negb changed') with false.
omega. destruct changed'; auto.
- destruct a as [r1 r2]; monadInv H; simpl.
rename x into changed1. rename x0 into e1.
@@ -334,7 +334,7 @@ Proof.
weight_constraints (te_typ e) (te_sub e))
by (apply weight_constraints_tighter; auto).
assert (Q: weight_constraints (te_typ e1) (te_sub e1) <=
- weight_constraints (te_typ e1) (te_sub e) +
+ weight_constraints (te_typ e1) (te_sub e) +
weight_bounds (te_typ e1)!r1 + weight_bounds (te_typ e1)!r2).
{ destruct A as [Q|Q]; rewrite Q. omega. simpl. omega. }
assert (R: weight_constraints (te_typ e1) q <= weight_constraints (te_typ e) q)
@@ -342,16 +342,16 @@ Proof.
set (ch1 := if changed' && negb (changed || changed1) then 1 else 0) in *.
set (ch2 := if changed' && negb changed then 1 else 0) in *.
destruct changed1.
- assert (ch2 <= ch1 + 1).
- { unfold ch2, ch1. rewrite orb_true_r. simpl. rewrite andb_false_r.
+ assert (ch2 <= ch1 + 1).
+ { unfold ch2, ch1. rewrite orb_true_r. simpl. rewrite andb_false_r.
destruct (changed' && negb changed); omega. }
exploit C; eauto. omega.
assert (ch2 <= ch1).
{ unfold ch2, ch1. rewrite orb_false_r. omega. }
- generalize (B r1) (B r2); omega.
+ generalize (B r1) (B r2); omega.
Qed.
-Definition weight_typenv (e: typenv) : nat :=
+Definition weight_typenv (e: typenv) : nat :=
weight_constraints e.(te_typ) e.(te_sub).
(** Iterative solving of the remaining constraints *)
@@ -364,7 +364,7 @@ Function solve_constraints (e: typenv) {measure weight_typenv e}: res typenv :=
end.
Proof.
intros. exploit weight_solve_rec; eauto. simpl. intros [A B].
- unfold weight_typenv. omega.
+ unfold weight_typenv. omega.
Qed.
Definition typassign := positive -> T.t.
@@ -383,7 +383,7 @@ Definition satisf (te: typassign) (e: typenv) : Prop :=
Lemma satisf_initial: forall te, satisf te initial.
Proof.
- unfold initial; intros; split; simpl; intros.
+ unfold initial; intros; split; simpl; intros.
rewrite PTree.gempty in H; discriminate.
contradiction.
Qed.
@@ -398,11 +398,11 @@ Proof.
destruct (T.eq lo (T.lub lo ty)); monadInv H.
subst e'; auto.
destruct H0 as [P Q]; split; auto; intros.
- destruct (peq x x0).
+ destruct (peq x x0).
+ subst x0. rewrite E in H; inv H.
- exploit (P x); simpl. rewrite PTree.gss; eauto. intuition.
- apply T.sub_trans with (T.lub lo0 ty); auto. eapply T.lub_left; eauto.
- + eapply P; simpl. rewrite PTree.gso; eauto.
+ exploit (P x); simpl. rewrite PTree.gss; eauto. intuition.
+ apply T.sub_trans with (T.lub lo0 ty); auto. eapply T.lub_left; eauto.
+ + eapply P; simpl. rewrite PTree.gso; eauto.
- inv H. destruct H0 as [P Q]; split; auto; intros.
eapply P; simpl. rewrite PTree.gso; eauto. congruence.
Qed.
@@ -416,12 +416,12 @@ Proof.
destruct (te_typ e)!x as [[lo hi s1]|] eqn:E.
- destruct (T.sub_dec ty hi); try discriminate.
destruct (T.eq lo (T.lub lo ty)); monadInv H.
- + subst e'. apply T.sub_trans with lo.
+ + subst e'. apply T.sub_trans with lo.
rewrite e0. eapply T.lub_right; eauto. eapply P; eauto.
- + apply T.sub_trans with (T.lub lo ty).
- eapply T.lub_right; eauto.
- eapply (P x). simpl. rewrite PTree.gss; eauto.
-- inv H. eapply (P x); simpl. rewrite PTree.gss; eauto.
+ + apply T.sub_trans with (T.lub lo ty).
+ eapply T.lub_right; eauto.
+ eapply (P x). simpl. rewrite PTree.gss; eauto.
+- inv H. eapply (P x); simpl. rewrite PTree.gss; eauto.
Qed.
Lemma type_defs_incr:
@@ -448,11 +448,11 @@ Proof.
destruct (T.eq hi (T.glb hi ty)); monadInv H.
subst e'; auto.
destruct H0 as [P Q]; split; auto; intros.
- destruct (peq x x0).
+ destruct (peq x x0).
+ subst x0. rewrite E in H; inv H.
- exploit (P x); simpl. rewrite PTree.gss; eauto. intuition.
- apply T.sub_trans with (T.glb hi0 ty); auto. eapply T.glb_left; eauto.
- + eapply P; simpl. rewrite PTree.gso; eauto.
+ exploit (P x); simpl. rewrite PTree.gss; eauto. intuition.
+ apply T.sub_trans with (T.glb hi0 ty); auto. eapply T.glb_left; eauto.
+ + eapply P; simpl. rewrite PTree.gso; eauto.
- inv H. destruct H0 as [P Q]; split; auto; intros.
eapply P; simpl. rewrite PTree.gso; eauto. congruence.
Qed.
@@ -466,12 +466,12 @@ Proof.
destruct (te_typ e)!x as [[lo hi s1]|] eqn:E.
- destruct (T.sub_dec lo ty); try discriminate.
destruct (T.eq hi (T.glb hi ty)); monadInv H.
- + subst e'. apply T.sub_trans with hi.
- eapply P; eauto. rewrite e0. eapply T.glb_right; eauto.
- + apply T.sub_trans with (T.glb hi ty).
- eapply (P x). simpl. rewrite PTree.gss; eauto.
- eapply T.glb_right; eauto.
-- inv H. eapply (P x); simpl. rewrite PTree.gss; eauto.
+ + subst e'. apply T.sub_trans with hi.
+ eapply P; eauto. rewrite e0. eapply T.glb_right; eauto.
+ + apply T.sub_trans with (T.glb hi ty).
+ eapply (P x). simpl. rewrite PTree.gss; eauto.
+ eapply T.glb_right; eauto.
+- inv H. eapply (P x); simpl. rewrite PTree.gss; eauto.
Qed.
Lemma type_uses_incr:
@@ -502,27 +502,27 @@ Proof.
destruct (T.sub_dec lo1 hi2); try discriminate.
set (lo := T.lub lo1 lo2) in *. set (hi := T.glb hi1 hi2) in *.
destruct (T.eq lo2 lo); destruct (T.eq hi1 hi); monadInv H; simpl in *.
- + subst e'; simpl in *. split; auto.
+ + subst e'; simpl in *. split; auto.
+ subst e'; simpl in *. split; auto. intros. destruct (peq x r1).
- subst x.
- rewrite E1 in H. injection H; intros; subst lo0 hi0.
- exploit (P r1). rewrite PTree.gss; eauto. intuition.
+ subst x.
+ rewrite E1 in H. injection H; intros; subst lo0 hi0.
+ exploit (P r1). rewrite PTree.gss; eauto. intuition.
apply T.sub_trans with (T.glb hi1 hi2); auto. eapply T.glb_left; eauto.
eapply P. rewrite PTree.gso; eauto.
+ subst e'; simpl in *. split; auto. intros. destruct (peq x r2).
- subst x.
- rewrite E2 in H. injection H; intros; subst lo0 hi0.
- exploit (P r2). rewrite PTree.gss; eauto. intuition.
+ subst x.
+ rewrite E2 in H. injection H; intros; subst lo0 hi0.
+ exploit (P r2). rewrite PTree.gss; eauto. intuition.
apply T.sub_trans with (T.lub lo1 lo2); auto. eapply T.lub_right; eauto.
eapply P. rewrite PTree.gso; eauto.
- + split; auto. intros.
- destruct (peq x r1). subst x.
- rewrite E1 in H. injection H; intros; subst lo0 hi0.
- exploit (P r1). rewrite PTree.gso; eauto. rewrite PTree.gss; eauto. intuition.
+ + split; auto. intros.
+ destruct (peq x r1). subst x.
+ rewrite E1 in H. injection H; intros; subst lo0 hi0.
+ exploit (P r1). rewrite PTree.gso; eauto. rewrite PTree.gss; eauto. intuition.
apply T.sub_trans with (T.glb hi1 hi2); auto. eapply T.glb_left; eauto.
- destruct (peq x r2). subst x.
- rewrite E2 in H. injection H; intros; subst lo0 hi0.
- exploit (P r2). rewrite PTree.gss; eauto. intuition.
+ destruct (peq x r2). subst x.
+ rewrite E2 in H. injection H; intros; subst lo0 hi0.
+ exploit (P r2). rewrite PTree.gss; eauto. intuition.
apply T.sub_trans with (T.lub lo1 lo2); auto. eapply T.lub_right; eauto.
eapply P. rewrite ! PTree.gso; eauto.
- inv H; simpl in *. split; intros.
@@ -531,7 +531,7 @@ Proof.
- inv H; simpl in *. split; intros.
eapply P. rewrite PTree.gso; eauto. congruence.
apply Q. destruct (T.sub_dec hi2 lo2); auto with coqlib.
-- inv H; simpl in *. split; auto.
+- inv H; simpl in *. split; auto.
Qed.
Hint Resolve type_move_incr: ty.
@@ -544,24 +544,24 @@ Proof.
destruct (peq r1 r2). subst r2. apply T.sub_refl.
destruct (te_typ e)!r1 as [[lo1 hi1 s1]|] eqn:E1;
destruct (te_typ e)!r2 as [[lo2 hi2 s2]|] eqn:E2.
-- destruct (T.sub_dec hi1 lo2).
+- destruct (T.sub_dec hi1 lo2).
inv H. apply T.sub_trans with hi1. eapply P; eauto. apply T.sub_trans with lo2; auto. eapply P; eauto.
destruct (T.sub_dec lo1 hi2); try discriminate.
set (lo := T.lub lo1 lo2) in *. set (hi := T.glb hi1 hi2) in *.
destruct (T.eq lo2 lo); destruct (T.eq hi1 hi); monadInv H; simpl in *.
+ subst e'; simpl in *. apply Q; auto.
- + subst e'; simpl in *. apply Q; auto.
- + subst e'; simpl in *. apply Q; auto.
+ + subst e'; simpl in *. apply Q; auto.
+ + subst e'; simpl in *. apply Q; auto.
+ apply Q; auto.
- inv H; simpl in *. destruct (T.sub_dec hi1 lo1).
- + apply T.sub_trans with hi1. eapply P; eauto. rewrite PTree.gso; eauto.
- apply T.sub_trans with lo1; auto. eapply P. rewrite PTree.gss; eauto.
+ + apply T.sub_trans with hi1. eapply P; eauto. rewrite PTree.gso; eauto.
+ apply T.sub_trans with lo1; auto. eapply P. rewrite PTree.gss; eauto.
+ auto with coqlib.
- inv H; simpl in *. destruct (T.sub_dec hi2 lo2).
- + apply T.sub_trans with hi2. eapply P. rewrite PTree.gss; eauto.
- apply T.sub_trans with lo2; auto. eapply P. rewrite PTree.gso; eauto.
+ + apply T.sub_trans with hi2. eapply P. rewrite PTree.gss; eauto.
+ apply T.sub_trans with lo2; auto. eapply P. rewrite PTree.gso; eauto.
+ auto with coqlib.
-- inv H. simpl in Q; auto.
+- inv H. simpl in Q; auto.
Qed.
Lemma solve_rec_incr:
@@ -575,12 +575,12 @@ Qed.
Lemma solve_rec_sound:
forall te r1 r2 q e changed e' changed',
- solve_rec e changed q = OK(e', changed') -> In (r1, r2) q -> satisf te e' ->
+ solve_rec e changed q = OK(e', changed') -> In (r1, r2) q -> satisf te e' ->
T.sub (te r1) (te r2).
Proof.
induction q; simpl; intros.
- contradiction.
-- destruct a as [r3 r4]; monadInv H. destruct H0.
+- destruct a as [r3 r4]; monadInv H. destruct H0.
+ inv H. eapply type_move_sound; eauto. eapply solve_rec_incr; eauto.
+ eapply IHq; eauto with ty.
Qed.
@@ -590,12 +590,12 @@ Lemma type_move_false:
type_move e r1 r2 = OK(false, e') ->
te_typ e' = te_typ e /\ T.sub (makeassign e r1) (makeassign e r2).
Proof.
- unfold type_move; intros.
+ unfold type_move; intros.
destruct (peq r1 r2). inv H. split; auto. apply T.sub_refl.
unfold makeassign;
destruct (te_typ e)!r1 as [[lo1 hi1 s1]|] eqn:E1;
destruct (te_typ e)!r2 as [[lo2 hi2 s2]|] eqn:E2.
-- destruct (T.sub_dec hi1 lo2).
+- destruct (T.sub_dec hi1 lo2).
inv H. split; auto. eapply T.sub_trans; eauto.
destruct (T.sub_dec lo1 hi2); try discriminate.
set (lo := T.lub lo1 lo2) in *. set (hi := T.glb hi1 hi2) in *.
@@ -609,17 +609,17 @@ Qed.
Lemma solve_rec_false:
forall r1 r2 q e changed e',
solve_rec e changed q = OK(e', false) ->
- changed = false /\
+ changed = false /\
(In (r1, r2) q -> T.sub (makeassign e r1) (makeassign e r2)).
Proof.
induction q; simpl; intros.
-- inv H. tauto.
+- inv H. tauto.
- destruct a as [r3 r4]; monadInv H.
exploit IHq; eauto. intros [P Q].
destruct changed; try discriminate. destruct x; try discriminate.
exploit type_move_false; eauto. intros [U V].
- split. auto. intros [A|A]. inv A. auto. exploit Q; auto.
- unfold makeassign; rewrite U; auto.
+ split. auto. intros [A|A]. inv A. auto. exploit Q; auto.
+ unfold makeassign; rewrite U; auto.
Qed.
Lemma solve_constraints_incr:
@@ -638,7 +638,7 @@ Proof.
intros e0; functional induction (solve_constraints e0); intros.
- inv H. split; intros.
unfold makeassign; rewrite H. split; auto with ty.
- exploit solve_rec_false. eauto. intros [A B]. eapply B; eauto.
+ exploit solve_rec_false. eauto. intros [A B]. eapply B; eauto.
- eauto.
- discriminate.
Qed.
@@ -646,7 +646,7 @@ Qed.
Theorem solve_sound:
forall e te, solve e = OK te -> satisf te e.
Proof.
- unfold solve; intros. monadInv H.
+ unfold solve; intros. monadInv H.
eapply solve_constraints_incr. eauto. eapply solve_constraints_sound; eauto.
Qed.
@@ -657,17 +657,17 @@ Lemma type_def_complete:
satisf te e -> T.sub ty (te x) -> exists e', type_def e x ty = OK e' /\ satisf te e'.
Proof.
unfold type_def; intros. destruct H as [P Q].
- destruct (te_typ e)!x as [[lo hi s1]|] eqn:E.
-- destruct (T.sub_dec ty hi).
+ destruct (te_typ e)!x as [[lo hi s1]|] eqn:E.
+- destruct (T.sub_dec ty hi).
destruct (T.eq lo (T.lub lo ty)).
exists e; split; auto. split; auto.
- econstructor; split; eauto. split; simpl; auto; intros.
- rewrite PTree.gsspec in H. destruct (peq x0 x).
- inv H. exploit P; eauto. intuition. eapply T.lub_min; eauto.
+ econstructor; split; eauto. split; simpl; auto; intros.
+ rewrite PTree.gsspec in H. destruct (peq x0 x).
+ inv H. exploit P; eauto. intuition. eapply T.lub_min; eauto.
eapply P; eauto.
elim n. apply T.sub_trans with (te x); auto. eapply P; eauto.
- econstructor; split; eauto. split; simpl; auto; intros.
- rewrite PTree.gsspec in H. destruct (peq x0 x).
+ rewrite PTree.gsspec in H. destruct (peq x0 x).
inv H. split; auto. apply T.high_bound_majorant; auto.
eapply P; eauto.
Qed.
@@ -689,17 +689,17 @@ Lemma type_use_complete:
satisf te e -> T.sub (te x) ty -> exists e', type_use e x ty = OK e' /\ satisf te e'.
Proof.
unfold type_use; intros. destruct H as [P Q].
- destruct (te_typ e)!x as [[lo hi s1]|] eqn:E.
-- destruct (T.sub_dec lo ty).
+ destruct (te_typ e)!x as [[lo hi s1]|] eqn:E.
+- destruct (T.sub_dec lo ty).
destruct (T.eq hi (T.glb hi ty)).
exists e; split; auto. split; auto.
- econstructor; split; eauto. split; simpl; auto; intros.
- rewrite PTree.gsspec in H. destruct (peq x0 x).
- inv H. exploit P; eauto. intuition. eapply T.glb_max; eauto.
+ econstructor; split; eauto. split; simpl; auto; intros.
+ rewrite PTree.gsspec in H. destruct (peq x0 x).
+ inv H. exploit P; eauto. intuition. eapply T.glb_max; eauto.
eapply P; eauto.
elim n. apply T.sub_trans with (te x); auto. eapply P; eauto.
- econstructor; split; eauto. split; simpl; auto; intros.
- rewrite PTree.gsspec in H. destruct (peq x0 x).
+ rewrite PTree.gsspec in H. destruct (peq x0 x).
inv H. split; auto. apply T.low_bound_minorant; auto.
eapply P; eauto.
Qed.
@@ -730,15 +730,15 @@ Proof.
- exploit (P r1); eauto. intros [L1 U1].
exploit (P r2); eauto. intros [L2 U2].
destruct (T.sub_dec hi1 lo2). econstructor; econstructor; eauto.
- destruct (T.sub_dec lo1 hi2).
+ destruct (T.sub_dec lo1 hi2).
destruct (T.eq lo2 (T.lub lo1 lo2)); destruct (T.eq hi1 (T.glb hi1 hi2));
econstructor; econstructor; split; eauto; split; auto; simpl; intros.
- + rewrite PTree.gsspec in H1. destruct (peq x r1).
- clear e0. inv H1. split; auto.
+ + rewrite PTree.gsspec in H1. destruct (peq x r1).
+ clear e0. inv H1. split; auto.
apply T.glb_max. auto. apply T.sub_trans with (te r2); auto.
eapply P; eauto.
- + rewrite PTree.gsspec in H1. destruct (peq x r2).
- clear e0. inv H1. split; auto.
+ + rewrite PTree.gsspec in H1. destruct (peq x r2).
+ clear e0. inv H1. split; auto.
apply T.lub_min. apply T.sub_trans with (te r1); auto. auto.
eapply P; eauto.
+ rewrite ! PTree.gsspec in H1. destruct (peq x r2).
@@ -746,18 +746,18 @@ Proof.
destruct (peq x r1).
inv H1. split; auto. apply T.glb_max; auto. apply T.sub_trans with (te r2); auto.
eapply P; eauto.
- + elim n1. apply T.sub_trans with (te r1); auto.
- apply T.sub_trans with (te r2); auto.
+ + elim n1. apply T.sub_trans with (te r1); auto.
+ apply T.sub_trans with (te r2); auto.
- econstructor; econstructor; split; eauto; split.
+ simpl; intros. rewrite PTree.gsspec in H1. destruct (peq x r2).
- inv H1. exploit P; eauto. intuition.
+ inv H1. exploit P; eauto. intuition.
apply T.sub_trans with (te r1); auto.
apply T.high_bound_majorant. apply T.sub_trans with (te r1); auto.
eapply P; eauto.
+ destruct (T.sub_dec hi1 lo1); auto.
- econstructor; econstructor; split; eauto; split.
+ simpl; intros. rewrite PTree.gsspec in H1. destruct (peq x r1).
- inv H1. exploit P; eauto. intuition.
+ inv H1. exploit P; eauto. intuition.
apply T.low_bound_minorant. apply T.sub_trans with (te r2); auto.
apply T.sub_trans with (te r2); auto.
eapply P; eauto.
@@ -773,7 +773,7 @@ Lemma solve_rec_complete:
Proof.
induction q; simpl; intros.
- econstructor; econstructor; eauto.
-- destruct a as [r1 r2].
+- destruct a as [r1 r2].
exploit (type_move_complete te e r1 r2); auto. intros (changed1 & e1 & A & B).
exploit (IHq e1 (changed || changed1)); auto. intros (e' & changed' & C & D).
exists e'; exists changed'. rewrite A; simpl; rewrite C; auto.
@@ -782,26 +782,26 @@ Qed.
Lemma solve_constraints_complete:
forall te e, satisf te e -> exists e', solve_constraints e = OK e' /\ satisf te e'.
Proof.
- intros te e. functional induction (solve_constraints e); intros.
+ intros te e. functional induction (solve_constraints e); intros.
- exists e; auto.
- exploit (solve_rec_complete te (te_sub e) {| te_typ := te_typ e; te_sub := nil |} false).
destruct H; split; auto. simpl; tauto.
destruct H; auto.
- intros (e1 & changed1 & P & Q).
- apply IHr. congruence.
+ intros (e1 & changed1 & P & Q).
+ apply IHr. congruence.
- exploit (solve_rec_complete te (te_sub e) {| te_typ := te_typ e; te_sub := nil |} false).
destruct H; split; auto. simpl; tauto.
destruct H; auto.
- intros (e1 & changed1 & P & Q).
+ intros (e1 & changed1 & P & Q).
congruence.
Qed.
Lemma solve_complete:
forall te e, satisf te e -> exists te', solve e = OK te'.
Proof.
- intros. unfold solve.
- destruct (solve_constraints_complete te e H) as (e' & P & Q).
- econstructor. rewrite P. simpl. eauto.
+ intros. unfold solve.
+ destruct (solve_constraints_complete te e H) as (e' & P & Q).
+ econstructor. rewrite P. simpl. eauto.
Qed.
End SubSolver.
diff --git a/common/Switch.v b/common/Switch.v
index e5b3827e..0df2bbc8 100644
--- a/common/Switch.v
+++ b/common/Switch.v
@@ -118,7 +118,7 @@ Definition refine_low_bound (v lo: Z) :=
Definition refine_high_bound (v hi: Z) :=
if zeq v hi then hi - 1 else hi.
-Fixpoint validate_jumptable (cases: ZMap.t nat)
+Fixpoint validate_jumptable (cases: ZMap.t nat)
(tbl: list nat) (n: Z) {struct tbl} : bool :=
match tbl with
| nil => true
@@ -143,7 +143,7 @@ Fixpoint validate (default: nat) (cases: table) (t: comptree)
| (None, _) =>
false
| (Some act', others) =>
- beq_nat act act'
+ beq_nat act act'
&& validate default others t'
(refine_low_bound pivot lo)
(refine_high_bound pivot hi)
@@ -192,10 +192,10 @@ Proof.
induction t; simpl; intros; InvBooleans.
- constructor.
- destruct (split_eq key cases) as [[act'|] others]; try discriminate; InvBooleans.
- constructor; eauto.
+ constructor; eauto.
- destruct (split_lt key cases) as [lc rc]; InvBooleans.
constructor; eauto.
-- destruct (split_between default ofs sz cases) as [ins out]; InvBooleans.
+- destruct (split_between default ofs sz cases) as [ins out]; InvBooleans.
constructor; eauto.
Qed.
@@ -213,10 +213,10 @@ Proof.
- intros. inv H. simpl. destruct (zeq v n); auto.
- destruct a as [key act].
destruct (split_eq n cases) as [same other] eqn:SEQ.
- rewrite (IHcases same other) by auto.
+ rewrite (IHcases same other) by auto.
destruct (zeq key n); intros EQ; inv EQ.
-+ destruct (zeq v n); auto.
-+ simpl. destruct (zeq v key).
++ destruct (zeq v n); auto.
++ simpl. destruct (zeq v key).
* subst v. rewrite zeq_false by auto. auto.
* auto.
Qed.
@@ -231,7 +231,7 @@ Lemma split_lt_prop:
Proof.
induction cases; intros until rcases; simpl.
- intros. inv H. simpl. destruct (zlt v n); auto.
-- destruct a as [key act].
+- destruct a as [key act].
destruct (split_lt n cases) as [lc rc] eqn:SEQ.
rewrite (IHcases lc rc) by auto.
destruct (zlt key n); intros EQ; inv EQ; simpl.
@@ -249,7 +249,7 @@ Lemma split_between_prop:
Proof.
induction cases; intros until outside; simpl; intros SEQ.
- inv SEQ. rewrite ZMap.gi. simpl. destruct (zlt ((v - ofs) mod modulus) sz); auto.
-- destruct a as [key act].
+- destruct a as [key act].
destruct (split_between default ofs sz cases) as [ins outs].
erewrite IHcases; eauto.
destruct (zlt ((key - ofs) mod modulus) sz); inv SEQ.
@@ -257,7 +257,7 @@ Proof.
destruct (zeq v key).
subst v. rewrite zlt_true by auto. auto.
auto.
-+ simpl. destruct (zeq v key).
++ simpl. destruct (zeq v key).
subst v. rewrite zlt_false by auto. auto.
auto.
Qed.
@@ -270,11 +270,11 @@ Lemma validate_jumptable_correct_rec:
Proof.
induction tbl; simpl; intros.
- unfold list_length_z in H0. simpl in H0. omegaContradiction.
-- InvBooleans. rewrite list_length_z_cons in H0. apply beq_nat_true in H1.
+- InvBooleans. rewrite list_length_z_cons in H0. apply beq_nat_true in H1.
destruct (zeq v 0).
+ replace (base + v) with base by omega. congruence.
- + replace (base + v) with (Z.succ base + Z.pred v) by omega.
- apply IHtbl. auto. omega.
+ + replace (base + v) with (Z.succ base + Z.pred v) by omega.
+ apply IHtbl. auto. omega.
Qed.
Lemma validate_jumptable_correct:
@@ -288,12 +288,12 @@ Lemma validate_jumptable_correct:
Proof.
intros.
rewrite (validate_jumptable_correct_rec cases tbl ofs); auto.
-- f_equal. f_equal. rewrite Zmod_small. omega.
- destruct (zle ofs v). omega.
+- f_equal. f_equal. rewrite Zmod_small. omega.
+ destruct (zle ofs v). omega.
assert (M: ((v - ofs) + 1 * modulus) mod modulus = (v - ofs) + modulus).
{ rewrite Zmod_small. omega. omega. }
rewrite Z_mod_plus in M by auto. rewrite M in H0. omega.
-- generalize (Z_mod_lt (v - ofs) modulus modulus_pos). omega.
+- generalize (Z_mod_lt (v - ofs) modulus modulus_pos). omega.
Qed.
Lemma validate_correct_rec:
@@ -307,23 +307,23 @@ Proof.
intros default v VRANGE. induction t; simpl; intros until hi.
- (* base case *)
destruct cases as [ | [key1 act1] cases1]; intros.
-+ apply beq_nat_true in H. subst act. reflexivity.
-+ InvBooleans. apply beq_nat_true in H2. subst. simpl.
++ apply beq_nat_true in H. subst act. reflexivity.
++ InvBooleans. apply beq_nat_true in H2. subst. simpl.
destruct (zeq v hi). auto. omegaContradiction.
- (* eq node *)
destruct (split_eq key cases) as [optact others] eqn:EQ. intros.
destruct optact as [act1|]; InvBooleans; try discriminate.
apply beq_nat_true in H.
rewrite (split_eq_prop v default _ _ _ _ EQ).
- destruct (zeq v key).
+ destruct (zeq v key).
+ congruence.
- + eapply IHt; eauto.
+ + eapply IHt; eauto.
unfold refine_low_bound, refine_high_bound. split.
- destruct (zeq key lo); omega.
+ destruct (zeq key lo); omega.
destruct (zeq key hi); omega.
- (* lt node *)
destruct (split_lt key cases) as [lcases rcases] eqn:EQ; intros; InvBooleans.
- rewrite (split_lt_prop v default _ _ _ _ EQ). destruct (zlt v key).
+ rewrite (split_lt_prop v default _ _ _ _ EQ). destruct (zlt v key).
eapply IHt1. eauto. omega.
eapply IHt2. eauto. omega.
- (* jumptable node *)
@@ -331,8 +331,8 @@ Proof.
rewrite (split_between_prop v _ _ _ _ _ _ EQ).
assert (0 <= (v - ofs) mod modulus < modulus) by (apply Z_mod_lt; omega).
destruct (zlt ((v - ofs) mod modulus) sz).
- rewrite Zmod_small by omega. eapply validate_jumptable_correct; eauto.
- eapply IHt; eauto.
+ rewrite Zmod_small by omega. eapply validate_jumptable_correct; eauto.
+ eapply IHt; eauto.
Qed.
Definition table_tree_agree
@@ -345,8 +345,8 @@ Theorem validate_switch_correct:
wf_comptree t /\ table_tree_agree default cases t.
Proof.
unfold validate_switch, table_tree_agree; split.
- eapply validate_wf; eauto.
- intros; eapply validate_correct_rec; eauto. omega.
+ eapply validate_wf; eauto.
+ intros; eapply validate_correct_rec; eauto. omega.
Qed.
End COMPTREE.
diff --git a/common/Switchaux.ml b/common/Switchaux.ml
index 39b484c7..0d4901bf 100644
--- a/common/Switchaux.ml
+++ b/common/Switchaux.ml
@@ -50,7 +50,7 @@ let compile_switch_as_tree modulus default tbl =
let (key1, act1) = sw.(lo)
and (key2, act2) = sw.(lo+1)
and (key3, act3) = sw.(lo+2) in
- CTifeq(key1, act1,
+ CTifeq(key1, act1,
CTifeq(key2, act2,
if Z.sub maxval minval = Z.of_uint 2
then CTaction act3
diff --git a/common/Unityping.v b/common/Unityping.v
index d108c870..f9c9d72c 100644
--- a/common/Unityping.v
+++ b/common/Unityping.v
@@ -96,7 +96,7 @@ Definition move (e: typenv) (r1 r2: positive) : res (bool * typenv) :=
(** Solve the remaining subtyping constraints by iteration. *)
Fixpoint solve_rec (e: typenv) (changed: bool) (q: list constraint) : res (typenv * bool) :=
- match q with
+ match q with
| nil =>
OK (e, changed)
| (r1, r2) :: q' =>
@@ -112,7 +112,7 @@ Lemma move_shape:
/\ (changed = true -> e'.(te_equ) = e.(te_equ)).
Proof.
unfold move; intros.
- destruct (peq r1 r2). inv H. auto.
+ destruct (peq r1 r2). inv H. auto.
destruct e.(te_typ)!r1 as [ty1|]; destruct e.(te_typ)!r2 as [ty2|]; inv H; simpl.
destruct (T.eq ty1 ty2); inv H1. auto.
auto.
@@ -163,8 +163,8 @@ Function solve_constraints (e: typenv) {measure weight_typenv e}: res typenv :=
| Error msg => Error msg
end.
Proof.
- intros. exploit length_solve_rec; eauto. simpl. intros.
- unfold weight_typenv. omega.
+ intros. exploit length_solve_rec; eauto. simpl. intros.
+ unfold weight_typenv. omega.
Qed.
Definition typassign := positive -> T.t.
@@ -183,7 +183,7 @@ Definition satisf (te: typassign) (e: typenv) : Prop :=
Lemma satisf_initial: forall te, satisf te initial.
Proof.
- unfold initial; intros; split; simpl; intros.
+ unfold initial; intros; split; simpl; intros.
rewrite PTree.gempty in H; discriminate.
contradiction.
Qed.
@@ -235,11 +235,11 @@ Proof.
destruct (te_typ e)!r1 as [ty1|] eqn:E1;
destruct (te_typ e)!r2 as [ty2|] eqn:E2.
- destruct (T.eq ty1 ty2); inv H. split; auto.
-- inv H; simpl in *; split; auto. intros. apply P.
+- inv H; simpl in *; split; auto. intros. apply P.
rewrite PTree.gso by congruence. auto.
-- inv H; simpl in *; split; auto. intros. apply P.
+- inv H; simpl in *; split; auto. intros. apply P.
rewrite PTree.gso by congruence. auto.
-- inv H; simpl in *; split; auto.
+- inv H; simpl in *; split; auto.
Qed.
Hint Resolve move_incr: ty.
@@ -253,11 +253,11 @@ Proof.
destruct (te_typ e)!r1 as [ty1|] eqn:E1;
destruct (te_typ e)!r2 as [ty2|] eqn:E2.
- destruct (T.eq ty1 ty2); inv H. erewrite ! P by eauto. auto.
-- inv H; simpl in *. rewrite (P r1 ty1). rewrite (P r2 ty1). auto.
+- inv H; simpl in *. rewrite (P r1 ty1). rewrite (P r2 ty1). auto.
apply PTree.gss. rewrite PTree.gso by congruence. auto.
-- inv H; simpl in *. rewrite (P r1 ty2). rewrite (P r2 ty2). auto.
+- inv H; simpl in *. rewrite (P r1 ty2). rewrite (P r2 ty2). auto.
rewrite PTree.gso by congruence. auto. apply PTree.gss.
-- inv H; simpl in *. apply Q; auto.
+- inv H; simpl in *. apply Q; auto.
Qed.
Lemma solve_rec_incr:
@@ -271,12 +271,12 @@ Qed.
Lemma solve_rec_sound:
forall te r1 r2 q e changed e' changed',
- solve_rec e changed q = OK(e', changed') -> In (r1, r2) q -> satisf te e' ->
+ solve_rec e changed q = OK(e', changed') -> In (r1, r2) q -> satisf te e' ->
te r1 = te r2.
Proof.
induction q; simpl; intros.
- contradiction.
-- destruct a as [r3 r4]; monadInv H. destruct H0.
+- destruct a as [r3 r4]; monadInv H. destruct H0.
+ inv H. eapply move_sound; eauto. eapply solve_rec_incr; eauto.
+ eapply IHq; eauto with ty.
Qed.
@@ -286,7 +286,7 @@ Lemma move_false:
move e r1 r2 = OK(false, e') ->
te_typ e' = te_typ e /\ makeassign e r1 = makeassign e r2.
Proof.
- unfold move; intros.
+ unfold move; intros.
destruct (peq r1 r2). inv H. split; auto.
unfold makeassign;
destruct (te_typ e)!r1 as [ty1|] eqn:E1;
@@ -300,17 +300,17 @@ Qed.
Lemma solve_rec_false:
forall r1 r2 q e changed e',
solve_rec e changed q = OK(e', false) ->
- changed = false /\
+ changed = false /\
(In (r1, r2) q -> makeassign e r1 = makeassign e r2).
Proof.
induction q; simpl; intros.
-- inv H. tauto.
+- inv H. tauto.
- destruct a as [r3 r4]; monadInv H.
exploit IHq; eauto. intros [P Q].
destruct changed; try discriminate. destruct x; try discriminate.
exploit move_false; eauto. intros [U V].
- split. auto. intros [A|A]. inv A. auto. exploit Q; auto.
- unfold makeassign; rewrite U; auto.
+ split. auto. intros [A|A]. inv A. auto. exploit Q; auto.
+ unfold makeassign; rewrite U; auto.
Qed.
Lemma solve_constraints_incr:
@@ -329,7 +329,7 @@ Proof.
intros e0; functional induction (solve_constraints e0); intros.
- inv H. split; intros.
unfold makeassign; rewrite H. split; auto with ty.
- exploit solve_rec_false. eauto. intros [A B]. eapply B; eauto.
+ exploit solve_rec_false. eauto. intros [A B]. eapply B; eauto.
- eauto.
- discriminate.
Qed.
@@ -337,7 +337,7 @@ Qed.
Theorem solve_sound:
forall e te, solve e = OK te -> satisf te e.
Proof.
- unfold solve; intros. monadInv H.
+ unfold solve; intros. monadInv H.
eapply solve_constraints_incr. eauto. eapply solve_constraints_sound; eauto.
Qed.
@@ -347,12 +347,12 @@ Lemma set_complete:
forall te e x ty,
satisf te e -> te x = ty -> exists e', set e x ty = OK e' /\ satisf te e'.
Proof.
- unfold set; intros. generalize H; intros [P Q].
- destruct (te_typ e)!x as [ty1|] eqn:E.
-- replace ty1 with ty. rewrite dec_eq_true. exists e; auto.
- exploit P; eauto. congruence.
-- econstructor; split; eauto. split; simpl; intros; auto.
- rewrite PTree.gsspec in H1. destruct (peq x0 x). congruence. eauto.
+ unfold set; intros. generalize H; intros [P Q].
+ destruct (te_typ e)!x as [ty1|] eqn:E.
+- replace ty1 with ty. rewrite dec_eq_true. exists e; auto.
+ exploit P; eauto. congruence.
+- econstructor; split; eauto. split; simpl; intros; auto.
+ rewrite PTree.gsspec in H1. destruct (peq x0 x). congruence. eauto.
Qed.
Lemma set_list_complete:
@@ -379,16 +379,16 @@ Proof.
destruct (te_typ e)!r1 as [ty1|] eqn:E1;
destruct (te_typ e)!r2 as [ty2|] eqn:E2.
- replace ty2 with ty1. rewrite dec_eq_true. econstructor; econstructor; eauto.
- exploit (P r1); eauto. exploit (P r2); eauto. congruence.
-- econstructor; econstructor; split; eauto.
- split; simpl; intros; auto. rewrite PTree.gsspec in H1. destruct (peq x r2).
- inv H1. rewrite <- H0. eauto.
+ exploit (P r1); eauto. exploit (P r2); eauto. congruence.
+- econstructor; econstructor; split; eauto.
+ split; simpl; intros; auto. rewrite PTree.gsspec in H1. destruct (peq x r2).
+ inv H1. rewrite <- H0. eauto.
eauto.
-- econstructor; econstructor; split; eauto.
- split; simpl; intros; auto. rewrite PTree.gsspec in H1. destruct (peq x r1).
- inv H1. rewrite H0. eauto.
+- econstructor; econstructor; split; eauto.
+ split; simpl; intros; auto. rewrite PTree.gsspec in H1. destruct (peq x r1).
+ inv H1. rewrite H0. eauto.
eauto.
-- econstructor; econstructor; split; eauto.
+- econstructor; econstructor; split; eauto.
split; eauto.
Qed.
@@ -400,7 +400,7 @@ Lemma solve_rec_complete:
Proof.
induction q; simpl; intros.
- econstructor; econstructor; eauto.
-- destruct a as [r1 r2].
+- destruct a as [r1 r2].
exploit (move_complete te e r1 r2); auto. intros (changed1 & e1 & A & B).
exploit (IHq e1 (changed || changed1)); auto. intros (e' & changed' & C & D).
exists e'; exists changed'. rewrite A; simpl; rewrite C; auto.
@@ -409,26 +409,26 @@ Qed.
Lemma solve_constraints_complete:
forall te e, satisf te e -> exists e', solve_constraints e = OK e' /\ satisf te e'.
Proof.
- intros te e. functional induction (solve_constraints e); intros.
+ intros te e. functional induction (solve_constraints e); intros.
- exists e; auto.
- exploit (solve_rec_complete te (te_equ e) {| te_typ := te_typ e; te_equ := nil |} false).
destruct H; split; auto. simpl; tauto.
destruct H; auto.
- intros (e1 & changed1 & P & Q).
- apply IHr. congruence.
+ intros (e1 & changed1 & P & Q).
+ apply IHr. congruence.
- exploit (solve_rec_complete te (te_equ e) {| te_typ := te_typ e; te_equ := nil |} false).
destruct H; split; auto. simpl; tauto.
destruct H; auto.
- intros (e1 & changed1 & P & Q).
+ intros (e1 & changed1 & P & Q).
congruence.
Qed.
Lemma solve_complete:
forall te e, satisf te e -> exists te', solve e = OK te'.
Proof.
- intros. unfold solve.
- destruct (solve_constraints_complete te e H) as (e' & P & Q).
- econstructor. rewrite P. simpl. eauto.
+ intros. unfold solve.
+ destruct (solve_constraints_complete te e H) as (e' & P & Q).
+ econstructor. rewrite P. simpl. eauto.
Qed.
End UniSolver.
diff --git a/common/Values.v b/common/Values.v
index 8877f9a7..688e63ed 100644
--- a/common/Values.v
+++ b/common/Values.v
@@ -58,7 +58,7 @@ Module Val.
Definition eq (x y: val): {x=y} + {x<>y}.
Proof.
- decide equality.
+ decide equality.
apply Int.eq_dec.
apply Int64.eq_dec.
apply Float.eq_dec.
@@ -809,14 +809,14 @@ Qed.
Theorem cast8unsigned_and:
forall x, zero_ext 8 x = and x (Vint(Int.repr 255)).
Proof.
- destruct x; simpl; auto. decEq.
- change 255 with (two_p 8 - 1). apply Int.zero_ext_and. omega.
+ destruct x; simpl; auto. decEq.
+ change 255 with (two_p 8 - 1). apply Int.zero_ext_and. omega.
Qed.
Theorem cast16unsigned_and:
forall x, zero_ext 16 x = and x (Vint(Int.repr 65535)).
Proof.
- destruct x; simpl; auto. decEq.
+ destruct x; simpl; auto. decEq.
change 65535 with (two_p 16 - 1). apply Int.zero_ext_and. omega.
Qed.
@@ -829,7 +829,7 @@ Qed.
Theorem bool_of_val_of_optbool:
forall ob b, bool_of_val (of_optbool ob) b -> ob = Some b.
Proof.
- intros. destruct ob; simpl in H.
+ intros. destruct ob; simpl in H.
destruct b0; simpl in H; inv H; auto.
inv H.
Qed.
@@ -861,7 +861,7 @@ Qed.
Theorem notbool_idem3:
forall x, notbool(notbool(notbool x)) = notbool x.
Proof.
- destruct x; simpl; auto.
+ destruct x; simpl; auto.
case (Int.eq i Int.zero); reflexivity.
Qed.
@@ -883,7 +883,7 @@ Proof.
rewrite Int.add_assoc; auto.
rewrite Int.add_assoc; auto.
decEq. decEq. apply Int.add_commut.
- decEq. rewrite Int.add_commut. rewrite <- Int.add_assoc.
+ decEq. rewrite Int.add_commut. rewrite <- Int.add_assoc.
decEq. apply Int.add_commut.
decEq. rewrite Int.add_assoc. auto.
Qed.
@@ -896,8 +896,8 @@ Qed.
Theorem add_permut_4:
forall x y z t, add (add x y) (add z t) = add (add x z) (add y t).
Proof.
- intros. rewrite add_permut. rewrite add_assoc.
- rewrite add_permut. symmetry. apply add_assoc.
+ intros. rewrite add_permut. rewrite add_assoc.
+ rewrite add_permut. symmetry. apply add_assoc.
Qed.
Theorem neg_zero: neg Vzero = Vzero.
@@ -912,7 +912,7 @@ Qed.
Theorem sub_zero_r: forall x, sub Vzero x = neg x.
Proof.
- destruct x; simpl; auto.
+ destruct x; simpl; auto.
Qed.
Theorem sub_add_opp: forall x y, sub x (Vint y) = add x (Vint (Int.neg y)).
@@ -940,11 +940,11 @@ Theorem sub_add_r:
Proof.
destruct v1; destruct v2; intros; simpl; auto.
rewrite Int.sub_add_r. auto.
- repeat rewrite Int.sub_add_opp. decEq.
+ repeat rewrite Int.sub_add_opp. decEq.
repeat rewrite Int.add_assoc. decEq. apply Int.add_commut.
- decEq. repeat rewrite Int.sub_add_opp.
+ decEq. repeat rewrite Int.sub_add_opp.
rewrite Int.add_assoc. decEq. apply Int.neg_add_distr.
- case (eq_block b b0); intro. simpl. decEq.
+ case (eq_block b b0); intro. simpl. decEq.
repeat rewrite Int.sub_add_opp. rewrite Int.add_assoc. decEq.
apply Int.neg_add_distr.
reflexivity.
@@ -984,7 +984,7 @@ Proof.
intros; destruct x; simpl; auto.
change 32 with Int.zwordsize.
rewrite (Int.is_power2_range _ _ H). decEq. apply Int.mul_pow2. auto.
-Qed.
+Qed.
Theorem mods_divs:
forall x y z,
@@ -993,7 +993,7 @@ Proof.
intros. destruct x; destruct y; simpl in *; try discriminate.
destruct (Int.eq i0 Int.zero
|| Int.eq i (Int.repr Int.min_signed) && Int.eq i0 Int.mone); inv H.
- exists (Vint (Int.divs i i0)); split; auto.
+ exists (Vint (Int.divs i i0)); split; auto.
simpl. rewrite Int.mods_divs. auto.
Qed.
@@ -1002,10 +1002,10 @@ Theorem modu_divu:
modu x y = Some z -> exists v, divu x y = Some v /\ z = sub x (mul v y).
Proof.
intros. destruct x; destruct y; simpl in *; try discriminate.
- destruct (Int.eq i0 Int.zero) eqn:?; inv H.
- exists (Vint (Int.divu i i0)); split; auto.
+ destruct (Int.eq i0 Int.zero) eqn:?; inv H.
+ exists (Vint (Int.divu i i0)); split; auto.
simpl. rewrite Int.modu_divu. auto.
- generalize (Int.eq_spec i0 Int.zero). rewrite Heqb; auto.
+ generalize (Int.eq_spec i0 Int.zero). rewrite Heqb; auto.
Qed.
Theorem divs_pow2:
@@ -1027,8 +1027,8 @@ Theorem divu_pow2:
shru x (Vint logn) = y.
Proof.
intros; destruct x; simpl in H0; inv H0.
- destruct (Int.eq n Int.zero); inv H2.
- simpl.
+ destruct (Int.eq n Int.zero); inv H2.
+ simpl.
rewrite (Int.is_power2_range _ _ H).
decEq. symmetry. apply Int.divu_pow2. auto.
Qed.
@@ -1040,7 +1040,7 @@ Theorem modu_pow2:
and x (Vint (Int.sub n Int.one)) = y.
Proof.
intros; destruct x; simpl in H0; inv H0.
- destruct (Int.eq n Int.zero); inv H2.
+ destruct (Int.eq n Int.zero); inv H2.
simpl. decEq. symmetry. eapply Int.modu_and; eauto.
Qed.
@@ -1079,12 +1079,12 @@ Qed.
Theorem not_xor: forall x, notint x = xor x (Vint Int.mone).
Proof.
- destruct x; simpl; auto.
+ destruct x; simpl; auto.
Qed.
Theorem shl_mul: forall x y, mul x (shl Vone y) = shl x y.
Proof.
- destruct x; destruct y; simpl; auto.
+ destruct x; destruct y; simpl; auto.
case (Int.ltu i0 Int.iwordsize); auto.
decEq. symmetry. apply Int.shl_mul.
Qed.
@@ -1112,11 +1112,11 @@ Theorem shrx_carry:
shrx x y = Some z ->
add (shr x y) (shr_carry x y) = z.
Proof.
- intros. destruct x; destruct y; simpl in H; inv H.
+ intros. destruct x; destruct y; simpl in H; inv H.
destruct (Int.ltu i0 (Int.repr 31)) eqn:?; inv H1.
exploit Int.ltu_inv; eauto. change (Int.unsigned (Int.repr 31)) with 31. intros.
- assert (Int.ltu i0 Int.iwordsize = true).
- unfold Int.ltu. apply zlt_true. change (Int.unsigned Int.iwordsize) with 32. omega.
+ assert (Int.ltu i0 Int.iwordsize = true).
+ unfold Int.ltu. apply zlt_true. change (Int.unsigned Int.iwordsize) with 32. omega.
simpl. rewrite H0. simpl. decEq. rewrite Int.shrx_carry; auto.
Qed.
@@ -1127,12 +1127,12 @@ Theorem shrx_shr:
x = Vint p /\ y = Vint q /\
z = shr (if Int.lt p Int.zero then add x (Vint (Int.sub (Int.shl Int.one q) Int.one)) else x) (Vint q).
Proof.
- intros. destruct x; destruct y; simpl in H; inv H.
+ intros. destruct x; destruct y; simpl in H; inv H.
destruct (Int.ltu i0 (Int.repr 31)) eqn:?; inv H1.
exploit Int.ltu_inv; eauto. change (Int.unsigned (Int.repr 31)) with 31. intros.
- assert (Int.ltu i0 Int.iwordsize = true).
- unfold Int.ltu. apply zlt_true. change (Int.unsigned Int.iwordsize) with 32. omega.
- exists i; exists i0; intuition.
+ assert (Int.ltu i0 Int.iwordsize = true).
+ unfold Int.ltu. apply zlt_true. change (Int.unsigned Int.iwordsize) with 32. omega.
+ exists i; exists i0; intuition.
rewrite Int.shrx_shr; auto. destruct (Int.lt i Int.zero); simpl; rewrite H0; auto.
Qed.
@@ -1151,7 +1151,7 @@ Theorem rolm_rolm:
(Int.and (Int.rol m1 n2) m2).
Proof.
intros; destruct x; simpl; auto.
- decEq.
+ decEq.
apply Int.rolm_rolm. apply int_wordsize_divides_modulus.
Qed.
@@ -1174,10 +1174,10 @@ Theorem negate_cmpu_bool:
Proof.
assert (forall c,
cmp_different_blocks (negate_comparison c) = option_map negb (cmp_different_blocks c)).
- destruct c; auto.
+ destruct c; auto.
destruct x; destruct y; simpl; auto.
rewrite Int.negate_cmpu. auto.
- destruct (Int.eq i Int.zero && (valid_ptr b (Int.unsigned i0) || valid_ptr b (Int.unsigned i0 - 1))); auto.
+ destruct (Int.eq i Int.zero && (valid_ptr b (Int.unsigned i0) || valid_ptr b (Int.unsigned i0 - 1))); auto.
destruct (Int.eq i0 Int.zero && (valid_ptr b (Int.unsigned i) || valid_ptr b (Int.unsigned i - 1))); auto.
destruct (eq_block b b0).
destruct ((valid_ptr b (Int.unsigned i) || valid_ptr b (Int.unsigned i - 1)) &&
@@ -1190,7 +1190,7 @@ Qed.
Lemma not_of_optbool:
forall ob, of_optbool (option_map negb ob) = notbool (of_optbool ob).
Proof.
- destruct ob; auto. destruct b; auto.
+ destruct ob; auto. destruct b; auto.
Qed.
Theorem negate_cmp:
@@ -1240,21 +1240,21 @@ Qed.
Theorem negate_cmpf_eq:
forall v1 v2, notbool (cmpf Cne v1 v2) = cmpf Ceq v1 v2.
Proof.
- destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
+ destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
rewrite Float.cmp_ne_eq. destruct (Float.cmp Ceq f f0); auto.
Qed.
Theorem negate_cmpf_ne:
forall v1 v2, notbool (cmpf Ceq v1 v2) = cmpf Cne v1 v2.
Proof.
- destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
+ destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
rewrite Float.cmp_ne_eq. destruct (Float.cmp Ceq f f0); auto.
Qed.
Theorem cmpf_le:
forall v1 v2, cmpf Cle v1 v2 = or (cmpf Clt v1 v2) (cmpf Ceq v1 v2).
Proof.
- destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
+ destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
rewrite Float.cmp_le_lt_eq.
destruct (Float.cmp Clt f f0); destruct (Float.cmp Ceq f f0); auto.
Qed.
@@ -1262,7 +1262,7 @@ Qed.
Theorem cmpf_ge:
forall v1 v2, cmpf Cge v1 v2 = or (cmpf Cgt v1 v2) (cmpf Ceq v1 v2).
Proof.
- destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
+ destruct v1; destruct v2; auto. unfold cmpf, cmpf_bool.
rewrite Float.cmp_ge_gt_eq.
destruct (Float.cmp Cgt f f0); destruct (Float.cmp Ceq f f0); auto.
Qed.
@@ -1270,57 +1270,57 @@ Qed.
Theorem cmp_ne_0_optbool:
forall ob, cmp Cne (of_optbool ob) (Vint Int.zero) = of_optbool ob.
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmp_eq_1_optbool:
forall ob, cmp Ceq (of_optbool ob) (Vint Int.one) = of_optbool ob.
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmp_eq_0_optbool:
forall ob, cmp Ceq (of_optbool ob) (Vint Int.zero) = of_optbool (option_map negb ob).
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmp_ne_1_optbool:
forall ob, cmp Cne (of_optbool ob) (Vint Int.one) = of_optbool (option_map negb ob).
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmpu_ne_0_optbool:
forall valid_ptr ob,
cmpu valid_ptr Cne (of_optbool ob) (Vint Int.zero) = of_optbool ob.
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmpu_eq_1_optbool:
forall valid_ptr ob,
cmpu valid_ptr Ceq (of_optbool ob) (Vint Int.one) = of_optbool ob.
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmpu_eq_0_optbool:
forall valid_ptr ob,
cmpu valid_ptr Ceq (of_optbool ob) (Vint Int.zero) = of_optbool (option_map negb ob).
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Theorem cmpu_ne_1_optbool:
forall valid_ptr ob,
cmpu valid_ptr Cne (of_optbool ob) (Vint Int.one) = of_optbool (option_map negb ob).
Proof.
- intros. destruct ob; simpl; auto. destruct b; auto.
+ intros. destruct ob; simpl; auto. destruct b; auto.
Qed.
Lemma zero_ext_and:
- forall n v,
+ forall n v,
0 < n < Int.zwordsize ->
Val.zero_ext n v = Val.and v (Vint (Int.repr (two_p n - 1))).
Proof.
@@ -1332,8 +1332,8 @@ Lemma rolm_lt_zero:
Proof.
intros. unfold cmp, cmp_bool; destruct v; simpl; auto.
transitivity (Vint (Int.shru i (Int.repr (Int.zwordsize - 1)))).
- decEq. symmetry. rewrite Int.shru_rolm. auto. auto.
- rewrite Int.shru_lt_zero. destruct (Int.lt i Int.zero); auto.
+ decEq. symmetry. rewrite Int.shru_rolm. auto. auto.
+ rewrite Int.shru_lt_zero. destruct (Int.lt i Int.zero); auto.
Qed.
Lemma rolm_ge_zero:
@@ -1344,7 +1344,7 @@ Proof.
unfold cmp; simpl. destruct (Int.lt i Int.zero); auto.
Qed.
-(** The ``is less defined'' relation between values.
+(** The ``is less defined'' relation between values.
A value is less defined than itself, and [Vundef] is
less defined than any value. *)
@@ -1379,7 +1379,7 @@ Lemma lessdef_list_inv:
Proof.
induction 1; simpl.
tauto.
- inv H. destruct IHlessdef_list.
+ inv H. destruct IHlessdef_list.
left; congruence. tauto. tauto.
Qed.
@@ -1430,7 +1430,7 @@ Lemma cmpu_bool_lessdef:
cmpu_bool valid_ptr c v1 v2 = Some b ->
cmpu_bool valid_ptr' c v1' v2' = Some b.
Proof.
- intros.
+ intros.
assert (A: forall b ofs, valid_ptr b ofs || valid_ptr b (ofs - 1) = true ->
valid_ptr' b ofs || valid_ptr' b (ofs - 1) = true).
{ intros until ofs. rewrite ! orb_true_iff. intuition. }
@@ -1438,9 +1438,9 @@ Proof.
destruct v2; simpl in H2; try discriminate;
inv H0; inv H1; simpl; auto.
destruct (Int.eq i Int.zero && (valid_ptr b0 (Int.unsigned i0) || valid_ptr b0 (Int.unsigned i0 - 1))) eqn:E; try discriminate.
- InvBooleans. rewrite H0, A by auto. auto.
+ InvBooleans. rewrite H0, A by auto. auto.
destruct (Int.eq i0 Int.zero && (valid_ptr b0 (Int.unsigned i) || valid_ptr b0 (Int.unsigned i - 1))) eqn:E; try discriminate.
- InvBooleans. rewrite H0, A by auto. auto.
+ InvBooleans. rewrite H0, A by auto. auto.
destruct (eq_block b0 b1).
destruct (valid_ptr b0 (Int.unsigned i) || valid_ptr b0 (Int.unsigned i - 1)) eqn:?; try discriminate.
destruct (valid_ptr b1 (Int.unsigned i0) || valid_ptr b1 (Int.unsigned i0 - 1)) eqn:?; try discriminate.
@@ -1455,7 +1455,7 @@ Lemma of_optbool_lessdef:
(forall b, ob = Some b -> ob' = Some b) ->
lessdef (of_optbool ob) (of_optbool ob').
Proof.
- intros. destruct ob; simpl; auto. rewrite (H b); auto.
+ intros. destruct ob; simpl; auto. rewrite (H b); auto.
Qed.
Lemma longofwords_lessdef:
@@ -1468,13 +1468,13 @@ Qed.
Lemma loword_lessdef:
forall v v', lessdef v v' -> lessdef (loword v) (loword v').
Proof.
- intros. inv H; auto.
+ intros. inv H; auto.
Qed.
Lemma hiword_lessdef:
forall v v', lessdef v v' -> lessdef (hiword v) (hiword v').
Proof.
- intros. inv H; auto.
+ intros. inv H; auto.
Qed.
(** * Values and memory injections *)
@@ -1513,12 +1513,12 @@ Inductive inject (mi: meminj): val -> val -> Prop :=
Hint Constructors inject.
-Inductive inject_list (mi: meminj): list val -> list val-> Prop:=
+Inductive inject_list (mi: meminj): list val -> list val-> Prop:=
| inject_list_nil :
inject_list mi nil nil
- | inject_list_cons : forall v v' vl vl' ,
+ | inject_list_cons : forall v v' vl vl' ,
inject mi v v' -> inject_list mi vl vl'->
- inject_list mi (v :: vl) (v' :: vl').
+ inject_list mi (v :: vl) (v' :: vl').
Hint Resolve inject_list_nil inject_list_cons.
@@ -1553,7 +1553,7 @@ Remark sub_inject:
Proof.
intros. inv H; inv H0; simpl; auto.
econstructor; eauto. rewrite Int.sub_add_l. auto.
- destruct (eq_block b1 b0); auto. subst. rewrite H1 in H. inv H. rewrite dec_eq_true.
+ destruct (eq_block b1 b0); auto. subst. rewrite H1 in H. inv H. rewrite dec_eq_true.
rewrite Int.sub_shifted. auto.
Qed.
@@ -1613,16 +1613,16 @@ Proof.
fold (weak_valid_ptr2 b2 (Int.unsigned (Int.add ofs1 (Int.repr delta)))).
destruct (Int.eq i Int.zero); auto.
destruct (weak_valid_ptr1 b1 (Int.unsigned ofs1)) eqn:E; try discriminate.
- erewrite weak_valid_ptr_inj by eauto. auto.
+ erewrite weak_valid_ptr_inj by eauto. auto.
- fold (weak_valid_ptr1 b1 (Int.unsigned ofs1)) in H1.
fold (weak_valid_ptr2 b2 (Int.unsigned (Int.add ofs1 (Int.repr delta)))).
destruct (Int.eq i Int.zero); auto.
destruct (weak_valid_ptr1 b1 (Int.unsigned ofs1)) eqn:E; try discriminate.
- erewrite weak_valid_ptr_inj by eauto. auto.
+ erewrite weak_valid_ptr_inj by eauto. auto.
- fold (weak_valid_ptr1 b1 (Int.unsigned ofs1)) in H1.
fold (weak_valid_ptr1 b0 (Int.unsigned ofs0)) in H1.
fold (weak_valid_ptr2 b2 (Int.unsigned (Int.add ofs1 (Int.repr delta)))).
- fold (weak_valid_ptr2 b3 (Int.unsigned (Int.add ofs0 (Int.repr delta0)))).
+ fold (weak_valid_ptr2 b3 (Int.unsigned (Int.add ofs0 (Int.repr delta0)))).
destruct (eq_block b1 b0); subst.
rewrite H in H2. inv H2. rewrite dec_eq_true.
destruct (weak_valid_ptr1 b0 (Int.unsigned ofs1)) eqn:?; try discriminate.
@@ -1633,7 +1633,7 @@ Proof.
destruct (valid_ptr1 b0 (Int.unsigned ofs0)) eqn:?; try discriminate.
destruct (eq_block b2 b3); subst.
assert (valid_ptr_implies: forall b ofs, valid_ptr1 b ofs = true -> weak_valid_ptr1 b ofs = true).
- intros. unfold weak_valid_ptr1. rewrite H0; auto.
+ intros. unfold weak_valid_ptr1. rewrite H0; auto.
erewrite !weak_valid_ptr_inj by eauto using valid_ptr_implies. simpl.
exploit valid_different_ptrs_inj; eauto. intros [?|?]; [congruence |].
destruct c; simpl in H1; inv H1.
@@ -1652,13 +1652,13 @@ Qed.
Lemma loword_inject:
forall v v', inject f v v' -> inject f (Val.loword v) (Val.loword v').
Proof.
- intros. unfold Val.loword; inv H; auto.
+ intros. unfold Val.loword; inv H; auto.
Qed.
Lemma hiword_inject:
forall v v', inject f v v' -> inject f (Val.hiword v) (Val.hiword v').
Proof.
- intros. unfold Val.hiword; inv H; auto.
+ intros. unfold Val.hiword; inv H; auto.
Qed.
End VAL_INJ_OPS.
@@ -1677,10 +1677,10 @@ Lemma inject_incr_refl :
Proof. unfold inject_incr. auto. Qed.
Lemma inject_incr_trans :
- forall f1 f2 f3,
+ forall f1 f2 f3,
inject_incr f1 f2 -> inject_incr f2 f3 -> inject_incr f1 f3 .
Proof.
- unfold inject_incr; intros. eauto.
+ unfold inject_incr; intros. eauto.
Qed.
Lemma val_inject_incr:
@@ -1707,7 +1707,7 @@ Lemma val_inject_lessdef:
forall v1 v2, Val.lessdef v1 v2 <-> Val.inject (fun b => Some(b, 0)) v1 v2.
Proof.
intros; split; intros.
- inv H; auto. destruct v2; econstructor; eauto. rewrite Int.add_zero; auto.
+ inv H; auto. destruct v2; econstructor; eauto. rewrite Int.add_zero; auto.
inv H; auto. inv H0. rewrite Int.add_zero; auto.
Qed.
@@ -1728,7 +1728,7 @@ Lemma val_inject_id:
Val.inject inject_id v1 v2 <-> Val.lessdef v1 v2.
Proof.
intros; split; intros.
- inv H; auto.
+ inv H; auto.
unfold inject_id in H0. inv H0. rewrite Int.add_zero. constructor.
inv H. destruct v2; econstructor. unfold inject_id; reflexivity. rewrite Int.add_zero; auto.
constructor.
@@ -1753,6 +1753,6 @@ Lemma val_inject_compose:
Val.inject (compose_meminj f f') v1 v3.
Proof.
intros. inv H; auto; inv H0; auto. econstructor.
- unfold compose_meminj; rewrite H1; rewrite H3; eauto.
+ unfold compose_meminj; rewrite H1; rewrite H3; eauto.
rewrite Int.add_assoc. decEq. unfold Int.add. apply Int.eqm_samerepr. auto with ints.
-Qed.
+Qed.
generated by cgit (git 2.34.1) at 2024-06-11 22:52:03 +0000