-
Notifications
You must be signed in to change notification settings - Fork 84
/
UnsafeProofScript.sml
83 lines (72 loc) · 2.7 KB
/
UnsafeProofScript.sml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
(*
Proofs about the Unsafe module.
*)
open preamble ml_translatorTheory ml_translatorLib cfLib
mlbasicsProgTheory UnsafeProgTheory
val _ = new_theory"UnsafeProof";
val _ = translation_extends "UnsafeProg";
(* Unsafe.Array *)
fun prove_array_spec v_def =
rpt strip_tac \\
xcf_with_def v_def \\ TRY xpull \\
fs [cf_aw8alloc_def, cf_aw8sub_def, cf_aw8length_def, cf_aw8update_def,
cf_aalloc_empty_def, cf_aalloc_def, cf_asub_def, cf_alength_def, cf_aupdate_def] \\
irule local_elim \\ reduce_tac \\
fs [app_aw8alloc_def, app_aw8sub_def, app_aw8length_def, app_aw8update_def,
app_aalloc_def, app_asub_def, app_alength_def, app_aupdate_def] \\
xsimpl \\ fs [INT_def, NUM_def, WORD_def, w2w_def, UNIT_TYPE_def, REPLICATE] \\
TRY (simp_tac (arith_ss ++ intSimps.INT_ARITH_ss) [])
Theorem unsafe_array_sub_spec:
!a av n nv.
NUM n nv /\ n < LENGTH a ==>
app (p:'ffi ffi_proj) Unsafe_sub_v [av; nv]
(ARRAY av a) (POSTv v. cond (v = EL n a) * ARRAY av a)
Proof
prove_array_spec Unsafe_sub_v_def
QED
Theorem unsafe_array_update_spec:
!a av n nv v.
NUM n nv /\ n < LENGTH a ==>
app (p:'ffi ffi_proj) Unsafe_update_v
[av; nv; v]
(ARRAY av a)
(POSTv uv. cond (UNIT_TYPE () uv) * ARRAY av (LUPDATE v n a))
Proof
prove_array_spec Unsafe_update_v_def
QED
(* Unsafe.Word8Array *)
fun prove_array_spec v_def =
rpt strip_tac \\
xcf_with_def v_def \\ TRY xpull \\
fs [cf_aw8alloc_def, cf_aw8sub_def, cf_aw8length_def, cf_aw8update_def,
cf_copyaw8aw8_def, cf_aalloc_def, cf_asub_def, cf_alength_def,
cf_aupdate_def, cf_copystraw8_def, cf_copyaw8str_def] \\
irule local_elim \\ reduce_tac \\
fs [app_aw8alloc_def, app_aw8sub_def, app_aw8length_def, app_aw8update_def,
app_aalloc_def, app_asub_def, app_alength_def, app_aupdate_def,
app_copyaw8aw8_def, app_copystraw8_def, app_copyaw8str_def] \\
xsimpl \\ fs [INT_def, NUM_def, WORD_def, w2w_def, UNIT_TYPE_def] \\
TRY (simp_tac (arith_ss ++ intSimps.INT_ARITH_ss) []) \\
TRY (
qmatch_assum_rename_tac`STRING_TYPE s sv`
\\ Cases_on`s` \\ fs[STRING_TYPE_def]
\\ fs[mlstringTheory.substring_def, SEG_TAKE_DROP] )
Theorem w8array_sub_spec:
!a av n nv.
NUM n nv /\ n < LENGTH a ==>
app (p:'ffi ffi_proj) Unsafe_w8sub_v [av; nv]
(W8ARRAY av a) (POSTv v. cond (WORD (EL n a) v) * W8ARRAY av a)
Proof
prove_array_spec Unsafe_w8sub_v_def
QED
Theorem w8array_update_spec:
!a av n nv w wv.
NUM n nv /\ n < LENGTH a /\ WORD w wv ==>
app (p:'ffi ffi_proj) Unsafe_w8update_v
[av; nv; wv]
(W8ARRAY av a)
(POSTv v. cond (UNIT_TYPE () v) * W8ARRAY av (LUPDATE w n a))
Proof
prove_array_spec Unsafe_w8update_v_def
QED
val _ = export_theory();