-
Notifications
You must be signed in to change notification settings - Fork 2
/
Adequacy.v
206 lines (171 loc) · 5.34 KB
/
Adequacy.v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
(** Adequacy of the bridge semantics w.r.t. standard semantics for
well-typed programs.
*)
(*
Author: Aslan Askarov
Created: 2016-07-27
- Note: that well-typedness is required may potentially be relaxed,
but we leave that for future investigation.
*)
Require Import Bool Arith List CpdtTactics SfLib LibTactics.
Require Import Coq.Program.Equality.
Require Import Omega.
Set Implicit Arguments.
Require Import Identifier Environment Imperative Types Augmented Bridge.
Require Import WellFormedness.
Require Import InductionPrinciple.
Require Import UtilTactics.
Require Import BridgeTactics.
Require Import BridgeProperties.
(** We start with a simple lemma stipulating that the augemented semantics is adequate *)
Lemma adequacy_of_event_steps:
forall Γ pc c m cfg',
wf_mem m Γ ->
-{ Γ, pc ⊢ c }- ->
〈c, m 〉 ⇒ cfg' ->
exists ev, event_step Γ ev 〈c, m 〉 cfg'.
Proof.
intros Γ pc c m [c' m']; intros.
cmd_cases (dependent induction c) Case.
Case "STOP".
{ invert_step. }
Case "SKIP".
{ exists EmptyEvent.
assert (c' = STOP /\ m' = m).
{
inverts H1.
splits~.
}
super_destruct. subst.
constructor; auto.
}
Case "::=".
{
inverts keep H1.
inverts H0.
exists (AssignmentEvent ℓ' i v).
constructor~.
}
Case ";;".
{ assert (-{ Γ, pc ⊢ c1 }-) by
(match goal with [ H: -{ Γ, pc ⊢ c1;; c2 }- |- _ ] => inverts keep H end; auto).
inverts H1;
repeat match goal
with
| [ H: 〈 c1, m 〉 ⇒ 〈 ?c1', m' 〉|- _ ] =>
(specializes IHc1 m c1' m' H;
destruct IHc1 as [ev];
(exists ev);
constructor~ )
| [ H: -{ Γ, pc ⊢ c1;; c' }- |- _ ] =>
( inverts H;
applys* wt_programs_are_not_stop
)
end.
}
Case "IFB".
{
exists EmptyEvent.
assert (c' = c1 \/ c' = c2) as H_cmd
by (inverts keep H1; tauto).
match goal with
| [ H: -{ Γ, pc ⊢ IFB e THEN c1 ELSE c2 FI }- |- _ ]
=> inverts keep H
end.
assert ( -{ Γ, pc ⊢ c' }- )
by ( destruct H_cmd; subst; applys* pc_lowering).
assert ( m = m') by (inverts* H1); subst.
constructor~ .
applys* wt_programs_are_not_stop.
}
Case "WHILE".
{
exists EmptyEvent.
inverts keep H1.
constructor~ .
}
Qed.
(* TODO: 2016-07-28: simplify the above lemma *)
Theorem bridge_adequacy:
forall Γ (n:nat) c m m_end ,
〈c, m 〉 ⇒/+ n +/ 〈STOP, m_end 〉 ->
forall pc, -{ Γ, pc ⊢ c }- ->
wf_mem m Γ ->
(c = STOP \/
exists ev n' cfg' k,
〈 c, m 〉 ⇨+/(SL, Γ, ev, n') cfg' /\
cfg' ⇒/+ k +/ 〈STOP, m_end 〉 /\ k < n).
Proof.
intros Γ n.
dependent induction n.
(* n = 0 *)
{
left~.
inverts H. auto.
}
(* inductive case *)
{
right; subst.
inversion H.
match goal with [ H : 〈 c, m 〉 ⇒ ?y |- _ ] => destruct y as [c' m'] end; subst.
match goal with [ H: 〈 c', m' 〉 ⇒/+ n +/ 〈 STOP, m_end 〉 |- _ ] => rename H into H_n end.
match goal with [ H: 〈 c, m 〉 ⇒ 〈c', m' 〉 |- _ ] => rename H into H_step end.
specialize (IHn c' m' m_end H_n pc).
lets* (ev & H_ev) : adequacy_of_event_steps H_step.
(* We define two auxiliary local propositions that consider the
cases of a high and a low event respectively; these are then
used in the case analysis afterwards *)
assert ( low_event Γ Low ev ->
exists ev0 n' cfg' k,
〈 c, m 〉 ⇨+/(SL, Γ, ev0, n') cfg' /\ cfg' ⇒/+ k +/ 〈 STOP, m_end 〉/\ k < S n) as LemmaLowEvent.
{
intros H_low.
inversion H_low.
assert (ℓ' = Low) by
( destruct ℓ'; auto; try impossible_flows; subst ); subst.
(exists (AssignmentEvent Low x u) 0).
forwards* (H_wf' & H_wt' ): preservation.
compare c' STOP; intros;subst.
* clear IHn.
lets : multi_idx_stop_trivial H_n; subst.
(exists*〈STOP, m_end 〉0).
splits~ ; try omega.
applys~ bridge_low_num.
* specializes~ H_wt' __ .
specializes~ H_n.
exists 〈c', m' 〉.
exists n.
splits~ .
applys* bridge_low_num.
}
assert ( high_event Γ Low ev ->
exists ev0 n' cfg' k,
〈 c, m 〉 ⇨+/(SL, Γ, ev0, n') cfg' /\ cfg' ⇒/+ k +/ 〈 STOP, m_end 〉/\ k < S n) as LemmaHighEvent.
{ clear LemmaLowEvent.
intros H_high.
compare c' STOP; intros; subst.
- (exists ev 0 〈STOP, m' 〉 0).
lets : multi_idx_stop_trivial H_n; subst.
splits~ ; try omega.
applys* bridge_stop_num.
- forwards* (H_wf' & H_wt') : preservation.
specializes~ H_wt'.
specializes~ IHn.
destruct* IHn as [? | ?IHH_multi].
lets (?ev' & ?n' & ?cfg' & k & ?H_bridge & ?H_tail & ?H_k ): IHH_multi.
exists ev' (S n') cfg' k.
splits~ ; try omega.
applys* bridge_trans_num.
}
(* now we are ready to do the case analysis of the event, using the above assertions *)
destruct ev.
- (* Empty Event *)
apply* LemmaHighEvent.
- (* Assignment Event *)
destruct l.
+ (* l is Low *)
apply* LemmaLowEvent.
+ (* l is High *)
applys* LemmaHighEvent.
}
Qed.