author  wenzelm 
Sat, 07 Apr 2012 16:41:59 +0200  
(* Author: Tobias Nipkow *) 
header "A Compiler for IMP" 

10343  4 

5 
theory Compiler imports Big_Step 
43141  6 
begin 
12429  7 

8 
subsection "List setup" 
9 

10 
text {* 
11 
We are going to define a small machine language where programs are 
12 
lists of instructions. For nicer algebraic properties in our lemmas 
13 
later, we prefer @{typ int} to @{term nat} as program counter. 
14 

15 
Therefore, we define notation for size and indexing for lists 
16 
on @{typ int}: 
17 
*} 
18 
abbreviation "isize xs == int (length xs)" 
19 

45637  20 
fun inth :: "'a list \<Rightarrow> int \<Rightarrow> 'a" (infixl "!!" 100) where 
21 
"(x # xs) !! n = (if n = 0 then x else xs !! (n  1))" 

22 

23 
text {* 
24 
The only additional lemma we need is indexing over append: 
25 
*} 
26 
lemma inth_append [simp]: 
27 
"0 \<le> n \<Longrightarrow> 
28 
(xs @ ys) !! n = (if n < isize xs then xs !! n else ys !! (n  isize xs))" 
30 

43141  31 
subsection "Instructions and Stack Machine" 
10342  32 

43141  33 
datatype instr = 
45323  34 
LOADI int  
35 
LOAD vname  

36 
ADD  
45323  37 
STORE vname  
38 
JMP int  
39 
JMPLESS int  
654cc47f6115
JMPF(LESSGE) > JMP(LESSGE) because jumps are int now.
kleing
parents:
45200
diff
changeset

40 
JMPGE int 
10342  41 

42 
type_synonym stack = "val list" 
45637  43 
type_synonym config = "int \<times> state \<times> stack" 
43141  44 

45 
abbreviation "hd2 xs == hd(tl xs)" 

46 
abbreviation "tl2 xs == tl(tl xs)" 

11275  47 

48 
inductive iexec1 :: "instr \<Rightarrow> config \<Rightarrow> config \<Rightarrow> bool" 
44004  49 
("(_/ \<turnstile>i (_ \<rightarrow>/ _))" [59,0,59] 60) 
43141  50 
where 
51 
"LOADI n \<turnstile>i (i,s,stk) \<rightarrow> (i+1,s, n#stk)"  
52 
"LOAD x \<turnstile>i (i,s,stk) \<rightarrow> (i+1,s, s x # stk)"  
53 
"ADD \<turnstile>i (i,s,stk) \<rightarrow> (i+1,s, (hd2 stk + hd stk) # tl2 stk)"  
45616  54 
"STORE x \<turnstile>i (i,s,stk) \<rightarrow> (i+1,s(x := hd stk),tl stk)"  
55 
"JMP n \<turnstile>i (i,s,stk) \<rightarrow> (i+1+n,s,stk)"  
56 
"JMPLESS n \<turnstile>i (i,s,stk) \<rightarrow> (if hd2 stk < hd stk then i+1+n else i+1,s,tl2 stk)"  
57 
"JMPGE n \<turnstile>i (i,s,stk) \<rightarrow> (if hd2 stk >= hd stk then i+1+n else i+1,s,tl2 stk)" 
58 

59 
code_pred iexec1 . 
60 

61 
declare iexec1.intros 
62 

63 
definition 
44004  64 
exec1 :: "instr list \<Rightarrow> config \<Rightarrow> config \<Rightarrow> bool" ("(_/ \<turnstile> (_ \<rightarrow>/ _))" [59,0,59] 60) 
65 
where 
66 
"P \<turnstile> c \<rightarrow> c' = 
44004  67 
(\<exists>i s stk. c = (i,s,stk) \<and> P!!i \<turnstile>i (i,s,stk) \<rightarrow> c' \<and> 0 \<le> i \<and> i < isize P)" 
68 

69 
declare exec1_def [simp] 
70 

71 
lemma exec1I [intro, code_pred_intro]: 
44004  72 
assumes "P!!i \<turnstile>i (i,s,stk) \<rightarrow> c'" "0 \<le> i" "i < isize P" 
73 
shows "P \<turnstile> (i,s,stk) \<rightarrow> c'" 

74 
using assms by simp 

43141  75 

76 
inductive exec :: "instr list \<Rightarrow> config \<Rightarrow> config \<Rightarrow> bool" ("_/ \<turnstile> (_ \<rightarrow>*/ _)" 50) 

77 
where 

78 
refl: "P \<turnstile> c \<rightarrow>* c"  

79 
step: "P \<turnstile> c \<rightarrow> c' \<Longrightarrow> P \<turnstile> c' \<rightarrow>* c'' \<Longrightarrow> P \<turnstile> c \<rightarrow>* c''" 

80 

81 
declare refl[intro] step[intro] 
43141  82 

83 
lemmas exec_induct = exec.induct[split_format(complete)] 

84 

85 
code_pred exec by force 
43141  86 

87 
values 

88 
"{(i,map t [''x'',''y''],stk)  i t stk. 

89 
[LOAD ''y'', STORE ''x''] \<turnstile> 

44036  90 
(0, <''x'' := 3, ''y'' := 4>, []) \<rightarrow>* (i,t,stk)}" 
43141  91 

92 

93 
subsection{* Verification infrastructure *} 

94 

95 
lemma exec_trans: "P \<turnstile> c \<rightarrow>* c' \<Longrightarrow> P \<turnstile> c' \<rightarrow>* c'' \<Longrightarrow> P \<turnstile> c \<rightarrow>* c''" 

45616  96 
by (induction rule: exec.induct) fastforce+ 
97 

98 
inductive_cases iexec1_cases [elim!]: 
99 
"LOADI n \<turnstile>i c \<rightarrow> c'" 
100 
"LOAD x \<turnstile>i c \<rightarrow> c'" 
101 
"ADD \<turnstile>i c \<rightarrow> c'" 
a666b8d11252
102 
"STORE n \<turnstile>i c \<rightarrow> c'" 
103 
"JMP n \<turnstile>i c \<rightarrow> c'" 
104 
"JMPLESS n \<turnstile>i c \<rightarrow> c'" 
105 
"JMPGE n \<turnstile>i c \<rightarrow> c'" 
43141  106 

43438
107 
text {* Simplification rules for @{const iexec1}. *} 
108 
lemma iexec1_simps [simp]: 
109 
"LOADI n \<turnstile>i c \<rightarrow> c' = (\<exists>i s stk. c = (i, s, stk) \<and> c' = (i + 1, s, n # stk))" 
110 
"LOAD x \<turnstile>i c \<rightarrow> c' = (\<exists>i s stk. c = (i, s, stk) \<and> c' = (i + 1, s, s x # stk))" 
111 
"ADD \<turnstile>i c \<rightarrow> c' = 
112 
(\<exists>i s stk. c = (i, s, stk) \<and> c' = (i + 1, s, (hd2 stk + hd stk) # tl2 stk))" 
113 
"STORE x \<turnstile>i c \<rightarrow> c' = 
44036  114 
(\<exists>i s stk. c = (i, s, stk) \<and> c' = (i + 1, s(x := hd stk), tl stk))" 
115 
"JMP n \<turnstile>i c \<rightarrow> c' = (\<exists>i s stk. c = (i, s, stk) \<and> c' = (i + 1 + n, s, stk))" 
116 
"JMPLESS n \<turnstile>i c \<rightarrow> c' = 
117 
(\<exists>i s stk. c = (i, s, stk) \<and> 
118 
c' = (if hd2 stk < hd stk then i + 1 + n else i + 1, s, tl2 stk))" 
119 
"JMPGE n \<turnstile>i c \<rightarrow> c' = 
120 
(\<exists>i s stk. c = (i, s, stk) \<and> 
121 
c' = (if hd stk \<le> hd2 stk then i + 1 + n else i + 1, s, tl2 stk))" 
122 
by (auto split del: split_if intro!: iexec1.intros) 
43141  123 

124 

125 
text{* Below we need to argue about the execution of code that is embedded in 

126 
larger programs. For this purpose we show that execution is preserved by 

127 
appending code to the left or right of a program. *} 

128 

129 
lemma exec1_appendR: "P \<turnstile> c \<rightarrow> c' \<Longrightarrow> P@P' \<turnstile> c \<rightarrow> c'" 
130 
by auto 
11275  131 

43141  132 
lemma exec_appendR: "P \<turnstile> c \<rightarrow>* c' \<Longrightarrow> P@P' \<turnstile> c \<rightarrow>* c'" 
45616  133 
by (induction rule: exec.induct) (fastforce intro: exec1_appendR)+ 
134 

135 
lemma iexec1_shiftI: 
136 
assumes "X \<turnstile>i (i,s,stk) \<rightarrow> (i',s',stk')" 
137 
shows "X \<turnstile>i (n+i,s,stk) \<rightarrow> (n+i',s',stk')" 
138 
using assms by cases auto 
139 

43438
140 
lemma iexec1_shiftD: 
141 
assumes "X \<turnstile>i (n+i,s,stk) \<rightarrow> (n+i',s',stk')" 
142 
shows "X \<turnstile>i (i,s,stk) \<rightarrow> (i',s',stk')" 
143 
using assms by cases auto 
144 

145 
lemma iexec_shift [simp]: 
146 
"(X \<turnstile>i (n+i,s,stk) \<rightarrow> (n+i',s',stk')) = (X \<turnstile>i (i,s,stk) \<rightarrow> (i',s',stk'))" 
147 
by (blast intro: iexec1_shiftI dest: iexec1_shiftD) 
148 

43141  149 
lemma exec1_appendL: 
43438
150 
"P \<turnstile> (i,s,stk) \<rightarrow> (i',s',stk') \<Longrightarrow> 
151 
P' @ P \<turnstile> (isize(P')+i,s,stk) \<rightarrow> (isize(P')+i',s',stk')" 
152 
by simp 
153 

43141  154 
lemma exec_appendL: 
155 
"P \<turnstile> (i,s,stk) \<rightarrow>* (i',s',stk') \<Longrightarrow> 

43438
156 
P' @ P \<turnstile> (isize(P')+i,s,stk) \<rightarrow>* (isize(P')+i',s',stk')" 
45616  157 
by (induction rule: exec_induct) (blast intro!: exec1_appendL)+ 
158 

43141  159 
text{* Now we specialise the above lemmas to enable automatic proofs of 
160 
@{prop "P \<turnstile> c \<rightarrow>* c'"} where @{text P} is a mixture of concrete instructions and 

161 
pieces of code that we already know how they execute (by induction), combined 

162 
by @{text "@"} and @{text "#"}. Backward jumps are not supported. 

163 
The details should be skipped on a first reading. 

13095
164 

43438
165 
If we have just executed the first instruction of the program, drop it: *} 
43141  166 

43438
a666b8d11252
167 
lemma exec_Cons_1 [intro]: 
168 
"P \<turnstile> (0,s,stk) \<rightarrow>* (j,t,stk') \<Longrightarrow> 
169 
instr#P \<turnstile> (1,s,stk) \<rightarrow>* (1+j,t,stk')" 
170 
by (drule exec_appendL[where P'="[instr]"]) simp 
171 

43141  172 
lemma exec_appendL_if[intro]: 
43438
173 
"isize P' <= i 
174 
\<Longrightarrow> P \<turnstile> (i  isize P',s,stk) \<rightarrow>* (i',s',stk') 
175 
\<Longrightarrow> P' @ P \<turnstile> (i,s,stk) \<rightarrow>* (isize P' + i',s',stk')" 
176 
by (drule exec_appendL[where P'=P']) simp 
10342  177 

43141  178 
text{* Split the execution of a compound program up into the excution of its 
179 
parts: *} 

13095
180 

43141  181 
lemma exec_append_trans[intro]: 
182 
"P \<turnstile> (0,s,stk) \<rightarrow>* (i',s',stk') \<Longrightarrow> 

43438
183 
isize P \<le> i' \<Longrightarrow> 
184 
P' \<turnstile> (i'  isize P,s',stk') \<rightarrow>* (i'',s'',stk'') \<Longrightarrow> 
185 
j'' = isize P + i'' 
43141  186 
\<Longrightarrow> 
187 
P @ P' \<turnstile> (0,s,stk) \<rightarrow>* (j'',s'',stk'')" 

43438
a666b8d11252
IMP compiler with int, added reverse soundness direction
kleing
parents:
43158
diff
changeset

188 
by(metis exec_trans[OF exec_appendR exec_appendL_if]) 
13095
189 

43141  190 

43438
191 
declare Let_def[simp] 
192 

193 

43141  194 
subsection "Compilation" 
13095
195 

43141  196 
fun acomp :: "aexp \<Rightarrow> instr list" where 
197 
"acomp (N n) = [LOADI n]"  

198 
"acomp (V x) = [LOAD x]"  

199 
"acomp (Plus a1 a2) = acomp a1 @ acomp a2 @ [ADD]" 

200 

201 
lemma acomp_correct[intro]: 

43438
202 
"acomp a \<turnstile> (0,s,stk) \<rightarrow>* (isize(acomp a),s,aval a s#stk)" 
45616  203 
by (induction a arbitrary: stk) fastforce+ 
10342  204 

43438
a666b8d11252
IMP compiler with int, added reverse soundness direction
kleing
parents:
43158
diff
changeset

205 
fun bcomp :: "bexp \<Rightarrow> bool \<Rightarrow> int \<Rightarrow> instr list" where 
45200  206 
"bcomp (Bc v) c n = (if v=c then [JMP n] else [])"  
43141  207 
"bcomp (Not b) c n = bcomp b (\<not>c) n"  
208 
"bcomp (And b1 b2) c n = 

209 
(let cb2 = bcomp b2 c n; 

43438
a666b8d11252
IMP compiler with int, added reverse soundness direction
kleing
parents:
43158
diff
changeset

210 
m = (if c then isize cb2 else isize cb2+n); 
43141  211 
cb1 = bcomp b1 False m 
212 
in cb1 @ cb2)"  

213 
"bcomp (Less a1 a2) c n = 

45322
654cc47f6115
JMPF(LESSGE) > JMP(LESSGE) because jumps are int now.
kleing
parents:
45200
diff
changeset

214 
acomp a1 @ acomp a2 @ (if c then [JMPLESS n] else [JMPGE n])" 
43141  215 

216 
value 

217 
"bcomp (And (Less (V ''x'') (V ''y'')) (Not(Less (V ''u'') (V ''v'')))) 

218 
False 3" 

219 

220 
lemma bcomp_correct[intro]: 

43438
221 
"0 \<le> n \<Longrightarrow> 
222 
bcomp b c n \<turnstile> 
223 
(0,s,stk) \<rightarrow>* (isize(bcomp b c n) + (if c = bval b s then n else 0),s,stk)" 
45129
224 
proof(induction b arbitrary: c n) 
43141  225 
case Not 
44890
226 
from Not(1)[where c="~c"] Not(2) show ?case by fastforce 
13095
227 
next 
43141  228 
case (And b1 b2) 
43438
229 
from And(1)[of "if c then isize (bcomp b2 c n) else isize (bcomp b2 c n) + n" 
230 
"False"] 
231 
And(2)[of n "c"] And(3) 
changeset

232 
show ?case by fastforce 
233 
qed fastforce+ 
43141  234 

235 
fun ccomp :: "com \<Rightarrow> instr list" where 

236 
"ccomp SKIP = []"  

237 
"ccomp (x ::= a) = acomp a @ [STORE x]"  

238 
"ccomp (c\<^isub>1;c\<^isub>2) = ccomp c\<^isub>1 @ ccomp c\<^isub>2"  

239 
"ccomp (IF b THEN c\<^isub>1 ELSE c\<^isub>2) = 

43438
240 
(let cc\<^isub>1 = ccomp c\<^isub>1; cc\<^isub>2 = ccomp c\<^isub>2; cb = bcomp b False (isize cc\<^isub>1 + 1) 
241 
in cb @ cc\<^isub>1 @ JMP (isize cc\<^isub>2) # cc\<^isub>2)"  
43141  242 
"ccomp (WHILE b DO c) = 
43438
243 
(let cc = ccomp c; cb = bcomp b False (isize cc + 1) 
44004  244 
in cb @ cc @ [JMP ((isize cb + isize cc + 1))])" 
245 

43141  246 

247 
value "ccomp 

248 
(IF Less (V ''u'') (N 1) THEN ''u'' ::= Plus (V ''u'') (N 1) 

249 
ELSE ''v'' ::= V ''u'')" 

250 

251 
value "ccomp (WHILE Less (V ''u'') (N 1) DO (''u'' ::= Plus (V ''u'') (N 1)))" 

252 

253 

45114  254 
subsection "Preservation of semantics" 
43141  255 

43438
256 
lemma ccomp_bigstep: 
257 
"(c,s) \<Rightarrow> t \<Longrightarrow> ccomp c \<turnstile> (0,s,stk) \<rightarrow>* (isize(ccomp c),t,stk)" 
45015  258 
proof(induction arbitrary: stk rule: big_step_induct) 
43141  259 
case (Assign x a s) 
44890
260 
show ?case by (fastforce simp:fun_upd_def cong: if_cong) 
13095
261 
next 
43141  262 
case (Semi c1 s1 s2 c2 s3) 
263 
let ?cc1 = "ccomp c1" let ?cc2 = "ccomp c2" 

43438
264 
have "?cc1 @ ?cc2 \<turnstile> (0,s1,stk) \<rightarrow>* (isize ?cc1,s2,stk)" 
45015  265 
using Semi.IH(1) by fastforce 
43141  266 
moreover 
43438
267 
have "?cc1 @ ?cc2 \<turnstile> (isize ?cc1,s2,stk) \<rightarrow>* (isize(?cc1 @ ?cc2),s3,stk)" 
45015  268 
using Semi.IH(2) by fastforce 
43141  269 
ultimately show ?case by simp (blast intro: exec_trans) 
270 
next 

271 
case (WhileTrue b s1 c s2 s3) 

272 
let ?cc = "ccomp c" 

43438
273 
let ?cb = "bcomp b False (isize ?cc + 1)" 
43141  274 
let ?cw = "ccomp(WHILE b DO c)" 
43438
275 
have "?cw \<turnstile> (0,s1,stk) \<rightarrow>* (isize ?cb + isize ?cc,s2,stk)" 
45015  276 
using WhileTrue.IH(1) WhileTrue.hyps(1) by fastforce 
43141  277 
moreover 
43438
278 
have "?cw \<turnstile> (isize ?cb + isize ?cc,s2,stk) \<rightarrow>* (0,s2,stk)" 
44890
279 
by fastforce 
43141  280 
moreover 
45015  281 
have "?cw \<turnstile> (0,s2,stk) \<rightarrow>* (isize ?cw,s3,stk)" by(rule WhileTrue.IH(2)) 
43141  282 
ultimately show ?case by(blast intro: exec_trans) 
44890
283 
qed fastforce+ 
13095
284 

20217
285 
end 