1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
|
(* *********************************************************************)
(* *)
(* The Compcert verified compiler *)
(* *)
(* Xavier Leroy, INRIA Paris-Rocquencourt *)
(* *)
(* Copyright Institut National de Recherche en Informatique et en *)
(* Automatique. All rights reserved. This file is distributed *)
(* under the terms of the INRIA Non-Commercial License Agreement. *)
(* *)
(* *********************************************************************)
(** Type-checking Linear code. *)
Require Import Coqlib.
Require Import AST.
Require Import Integers.
Require Import Values.
Require Import Globalenvs.
Require Import Memory.
Require Import Events.
Require Import Op.
Require Import Machregs.
Require Import Locations.
Require Import Conventions.
Require Import LTL.
Require Import Linear.
(** The rules are presented as boolean-valued functions so that we
get an executable type-checker for free. *)
Section WT_INSTR.
Variable funct: function.
Definition slot_valid (sl: slot) (ofs: Z) (ty: typ): bool :=
match sl with
| Local => zle 0 ofs
| Outgoing => zle 0 ofs
| Incoming => In_dec Loc.eq (S Incoming ofs ty) (regs_of_rpairs (loc_parameters funct.(fn_sig)))
end
&& Zdivide_dec (typealign ty) ofs.
Definition slot_writable (sl: slot) : bool :=
match sl with
| Local => true
| Outgoing => true
| Incoming => false
end.
Definition loc_valid (l: loc) : bool :=
match l with
| R r => true
| S Local ofs ty => slot_valid Local ofs ty
| S _ _ _ => false
end.
Fixpoint wt_builtin_res (ty: typ) (res: builtin_res mreg) : bool :=
match res with
| BR r => subtype ty (mreg_type r)
| BR_none => true
| BR_splitlong hi lo => wt_builtin_res Tint hi && wt_builtin_res Tint lo
end.
Definition wt_instr (i: instruction) : bool :=
match i with
| Lgetstack sl ofs ty r =>
subtype ty (mreg_type r) && slot_valid sl ofs ty
| Lsetstack r sl ofs ty =>
slot_valid sl ofs ty && slot_writable sl
| Lop op args res =>
match is_move_operation op args with
| Some arg =>
subtype (mreg_type arg) (mreg_type res)
| None =>
let (targs, tres) := type_of_operation op in
subtype tres (mreg_type res)
end
| Lload trap chunk addr args dst =>
subtype (type_of_chunk chunk) (mreg_type dst)
| Ltailcall sg ros =>
zeq (size_arguments sg) 0
| Lbuiltin ef args res =>
wt_builtin_res (proj_sig_res (ef_sig ef)) res
&& forallb loc_valid (params_of_builtin_args args)
| _ =>
true
end.
End WT_INSTR.
Definition wt_code (f: function) (c: code) : bool :=
forallb (wt_instr f) c.
Definition wt_function (f: function) : bool :=
wt_code f f.(fn_code).
(** Typing the run-time state. *)
Definition wt_locset (ls: locset) : Prop :=
forall l, Val.has_type (ls l) (Loc.type l).
Lemma wt_setreg:
forall ls r v,
Val.has_type v (mreg_type r) -> wt_locset ls -> wt_locset (Locmap.set (R r) v ls).
Proof.
intros; red; intros.
unfold Locmap.set.
destruct (Loc.eq (R r) l).
subst l; auto.
destruct (Loc.diff_dec (R r) l). auto. red. auto.
Qed.
Lemma wt_setstack:
forall ls sl ofs ty v,
wt_locset ls -> wt_locset (Locmap.set (S sl ofs ty) v ls).
Proof.
intros; red; intros.
unfold Locmap.set.
destruct (Loc.eq (S sl ofs ty) l).
subst l. simpl.
generalize (Val.load_result_type (chunk_of_type ty) v).
replace (type_of_chunk (chunk_of_type ty)) with ty. auto.
destruct ty; reflexivity.
destruct (Loc.diff_dec (S sl ofs ty) l). auto. red. auto.
Qed.
Lemma wt_undef_regs:
forall rs ls, wt_locset ls -> wt_locset (undef_regs rs ls).
Proof.
induction rs; simpl; intros. auto. apply wt_setreg; auto. red; auto.
Qed.
Lemma wt_call_regs:
forall ls, wt_locset ls -> wt_locset (call_regs ls).
Proof.
intros; red; intros. unfold call_regs. destruct l. auto.
destruct sl.
red; auto.
change (Loc.type (S Incoming pos ty)) with (Loc.type (S Outgoing pos ty)). auto.
red; auto.
Qed.
Lemma wt_return_regs:
forall caller callee,
wt_locset caller -> wt_locset callee -> wt_locset (return_regs caller callee).
Proof.
intros; red; intros.
unfold return_regs. destruct l.
- destruct (is_callee_save r); auto.
- destruct sl; auto; red; auto.
Qed.
Lemma wt_undef_caller_save_regs:
forall ls, wt_locset ls -> wt_locset (undef_caller_save_regs ls).
Proof.
intros; red; intros. unfold undef_caller_save_regs.
destruct l.
destruct (is_callee_save r); auto; simpl; auto.
destruct sl; auto; red; auto.
Qed.
Lemma wt_init:
wt_locset (Locmap.init Vundef).
Proof.
red; intros. unfold Locmap.init. red; auto.
Qed.
Lemma wt_setpair:
forall sg v rs,
Val.has_type v (proj_sig_res sg) ->
wt_locset rs ->
wt_locset (Locmap.setpair (loc_result sg) v rs).
Proof.
intros. generalize (loc_result_pair sg) (loc_result_type sg).
destruct (loc_result sg); simpl Locmap.setpair.
- intros. apply wt_setreg; auto. eapply Val.has_subtype; eauto.
- intros A B. decompose [and] A.
apply wt_setreg. eapply Val.has_subtype; eauto. destruct v; exact I.
apply wt_setreg. eapply Val.has_subtype; eauto. destruct v; exact I.
auto.
Qed.
Lemma wt_setres:
forall res ty v rs,
wt_builtin_res ty res = true ->
Val.has_type v ty ->
wt_locset rs ->
wt_locset (Locmap.setres res v rs).
Proof.
induction res; simpl; intros.
- apply wt_setreg; auto. eapply Val.has_subtype; eauto.
- auto.
- InvBooleans. eapply IHres2; eauto. destruct v; exact I.
eapply IHres1; eauto. destruct v; exact I.
Qed.
Lemma wt_find_label:
forall f lbl c,
wt_function f = true ->
find_label lbl f.(fn_code) = Some c ->
wt_code f c = true.
Proof.
unfold wt_function; intros until c. generalize (fn_code f). induction c0; simpl; intros.
discriminate.
InvBooleans. destruct (is_label lbl a).
congruence.
auto.
Qed.
(** In addition to type preservation during evaluation, we also show
properties of the environment [ls] at call points and at return points.
These properties are used in the proof of the [Stacking] pass.
For call points, we have that the current environment [ls] and the
one from the top call stack agree on the [Outgoing] locations
used for parameter passing. *)
Definition agree_outgoing_arguments (sg: signature) (ls pls: locset) : Prop :=
forall ty ofs,
In (S Outgoing ofs ty) (regs_of_rpairs (loc_arguments sg)) ->
ls (S Outgoing ofs ty) = pls (S Outgoing ofs ty).
(** For return points, we have that all [Outgoing] stack locations have
been set to [Vundef]. *)
Definition outgoing_undef (ls: locset) : Prop :=
forall ty ofs, ls (S Outgoing ofs ty) = Vundef.
(** Soundness of the type system *)
Definition wt_fundef (fd: fundef) :=
match fd with
| Internal f => wt_function f = true
| External ef => True
end.
Inductive wt_callstack: list stackframe -> Prop :=
| wt_callstack_nil:
wt_callstack nil
| wt_callstack_cons: forall f sp rs c s
(WTSTK: wt_callstack s)
(WTF: wt_function f = true)
(WTC: wt_code f c = true)
(WTRS: wt_locset rs),
wt_callstack (Stackframe f sp rs c :: s).
Lemma wt_parent_locset:
forall s, wt_callstack s -> wt_locset (parent_locset s).
Proof.
induction 1; simpl.
- apply wt_init.
- auto.
Qed.
Inductive wt_state: state -> Prop :=
| wt_regular_state: forall s f sp c rs m
(WTSTK: wt_callstack s )
(WTF: wt_function f = true)
(WTC: wt_code f c = true)
(WTRS: wt_locset rs),
wt_state (State s f sp c rs m)
| wt_call_state: forall s fd rs m
(WTSTK: wt_callstack s)
(WTFD: wt_fundef fd)
(WTRS: wt_locset rs)
(AGCS: agree_callee_save rs (parent_locset s))
(AGARGS: agree_outgoing_arguments (funsig fd) rs (parent_locset s)),
wt_state (Callstate s fd rs m)
| wt_return_state: forall s rs m
(WTSTK: wt_callstack s)
(WTRS: wt_locset rs)
(AGCS: agree_callee_save rs (parent_locset s))
(UOUT: outgoing_undef rs),
wt_state (Returnstate s rs m).
(** Preservation of state typing by transitions *)
Section SOUNDNESS.
Variable prog: program.
Let ge := Genv.globalenv prog.
Hypothesis wt_prog:
forall i fd, In (i, Gfun fd) prog.(prog_defs) -> wt_fundef fd.
Lemma wt_find_function:
forall ros rs f, find_function ge ros rs = Some f -> wt_fundef f.
Proof.
intros.
assert (X: exists i, In (i, Gfun f) prog.(prog_defs)).
{
destruct ros as [r | s]; simpl in H.
eapply Genv.find_funct_inversion; eauto.
destruct (Genv.find_symbol ge s) as [b|]; try discriminate.
eapply Genv.find_funct_ptr_inversion; eauto.
}
destruct X as [i IN]. eapply wt_prog; eauto.
Qed.
Theorem step_type_preservation:
forall S1 t S2, step ge S1 t S2 -> wt_state S1 -> wt_state S2.
Proof.
Local Opaque mreg_type.
induction 1; intros WTS; inv WTS.
- (* getstack *)
simpl in *; InvBooleans.
econstructor; eauto.
eapply wt_setreg; eauto. eapply Val.has_subtype; eauto. apply WTRS.
apply wt_undef_regs; auto.
- (* setstack *)
simpl in *; InvBooleans.
econstructor; eauto.
apply wt_setstack. apply wt_undef_regs; auto.
- (* op *)
simpl in *. destruct (is_move_operation op args) as [src | ] eqn:ISMOVE.
+ (* move *)
InvBooleans. exploit is_move_operation_correct; eauto. intros [EQ1 EQ2]; subst.
simpl in H. inv H.
econstructor; eauto. apply wt_setreg. eapply Val.has_subtype; eauto. apply WTRS.
apply wt_undef_regs; auto.
+ (* other ops *)
destruct (type_of_operation op) as [ty_args ty_res] eqn:TYOP. InvBooleans.
econstructor; eauto.
apply wt_setreg; auto; try (apply wt_undef_regs; auto).
eapply Val.has_subtype; eauto.
change ty_res with (snd (ty_args, ty_res)). rewrite <- TYOP. eapply type_of_operation_sound; eauto.
red; intros; subst op. simpl in ISMOVE.
destruct args; try discriminate. destruct args; discriminate.
(* no longer needed apply wt_undef_regs; auto. *)
- (* load *)
simpl in *; InvBooleans.
econstructor; eauto.
apply wt_setreg. eapply Val.has_subtype; eauto.
destruct a; simpl in H0; try discriminate. eapply Mem.load_type; eauto.
apply wt_undef_regs; auto.
- (* load notrap1 *)
simpl in *; InvBooleans.
econstructor; eauto.
apply wt_setreg. eapply Val.has_subtype; eauto.
constructor.
apply wt_undef_regs; auto.
- (* load notrap2 *)
simpl in *; InvBooleans.
econstructor; eauto.
apply wt_setreg. eapply Val.has_subtype; eauto.
constructor.
apply wt_undef_regs; auto.
- (* store *)
simpl in *; InvBooleans.
econstructor. eauto. eauto. eauto.
apply wt_undef_regs; auto.
- (* call *)
simpl in *; InvBooleans.
econstructor; eauto. econstructor; eauto.
eapply wt_find_function; eauto.
red; simpl; auto.
red; simpl; auto.
- (* tailcall *)
simpl in *; InvBooleans.
econstructor; eauto.
eapply wt_find_function; eauto.
apply wt_return_regs; auto. apply wt_parent_locset; auto.
red; simpl; intros. destruct l; simpl in *. rewrite H3; auto. destruct sl; auto; congruence.
red; simpl; intros. apply zero_size_arguments_tailcall_possible in H. apply H in H3. contradiction.
- (* builtin *)
simpl in *; InvBooleans.
econstructor; eauto.
eapply wt_setres; eauto. eapply external_call_well_typed; eauto.
apply wt_undef_regs; auto.
- (* label *)
simpl in *. econstructor; eauto.
- (* goto *)
simpl in *. econstructor; eauto. eapply wt_find_label; eauto.
- (* cond branch, taken *)
simpl in *. econstructor. auto. auto. eapply wt_find_label; eauto.
apply wt_undef_regs; auto.
- (* cond branch, not taken *)
simpl in *. econstructor. auto. auto. auto.
apply wt_undef_regs; auto.
- (* jumptable *)
simpl in *. econstructor. auto. auto. eapply wt_find_label; eauto.
apply wt_undef_regs; auto.
- (* return *)
simpl in *. InvBooleans.
econstructor; eauto.
apply wt_return_regs; auto. apply wt_parent_locset; auto.
red; simpl; intros. destruct l; simpl in *. rewrite H0; auto. destruct sl; auto; congruence.
red; simpl; intros. auto.
- (* internal function *)
simpl in WTFD.
econstructor. eauto. eauto. eauto.
apply wt_undef_regs. apply wt_call_regs. auto.
- (* external function *)
econstructor. auto. apply wt_setpair.
eapply external_call_well_typed; eauto.
apply wt_undef_caller_save_regs; auto.
red; simpl; intros. destruct l; simpl in *.
rewrite locmap_get_set_loc_result by auto. simpl. rewrite H; auto.
rewrite locmap_get_set_loc_result by auto. simpl. destruct sl; auto; congruence.
red; simpl; intros. rewrite locmap_get_set_loc_result by auto. auto.
- (* return *)
inv WTSTK. econstructor; eauto.
Qed.
Theorem wt_initial_state:
forall S, initial_state prog S -> wt_state S.
Proof.
induction 1. econstructor. constructor.
unfold ge0 in H1. exploit Genv.find_funct_ptr_inversion; eauto.
intros [id IN]. eapply wt_prog; eauto.
apply wt_init.
red; auto.
red; auto.
Qed.
End SOUNDNESS.
(** Properties of well-typed states that are used in [Stackingproof]. *)
Lemma wt_state_getstack:
forall s f sp sl ofs ty rd c rs m,
wt_state (State s f sp (Lgetstack sl ofs ty rd :: c) rs m) ->
slot_valid f sl ofs ty = true.
Proof.
intros. inv H. simpl in WTC; InvBooleans. auto.
Qed.
Lemma wt_state_setstack:
forall s f sp sl ofs ty r c rs m,
wt_state (State s f sp (Lsetstack r sl ofs ty :: c) rs m) ->
slot_valid f sl ofs ty = true /\ slot_writable sl = true.
Proof.
intros. inv H. simpl in WTC; InvBooleans. intuition.
Qed.
Lemma wt_state_tailcall:
forall s f sp sg ros c rs m,
wt_state (State s f sp (Ltailcall sg ros :: c) rs m) ->
size_arguments sg = 0.
Proof.
intros. inv H. simpl in WTC; InvBooleans. auto.
Qed.
Lemma wt_state_builtin:
forall s f sp ef args res c rs m,
wt_state (State s f sp (Lbuiltin ef args res :: c) rs m) ->
forallb (loc_valid f) (params_of_builtin_args args) = true.
Proof.
intros. inv H. simpl in WTC; InvBooleans. auto.
Qed.
Lemma wt_callstate_wt_regs:
forall s f rs m,
wt_state (Callstate s f rs m) ->
forall r, Val.has_type (rs (R r)) (mreg_type r).
Proof.
intros. inv H. apply WTRS.
Qed.
Lemma wt_callstate_agree:
forall s f rs m,
wt_state (Callstate s f rs m) ->
agree_callee_save rs (parent_locset s) /\ agree_outgoing_arguments (funsig f) rs (parent_locset s).
Proof.
intros. inv H; auto.
Qed.
Lemma wt_returnstate_agree:
forall s rs m,
wt_state (Returnstate s rs m) ->
agree_callee_save rs (parent_locset s) /\ outgoing_undef rs.
Proof.
intros. inv H; auto.
Qed.
|
