theory TM_Assemble

imports Hoare_tm StateMonad

        "~~/src/HOL/Library/FinFun_Syntax"

        "~~/src/HOL/Library/Sublist"

        LetElim

begin

section {* The assembler based on Benton's x86 paper *}

text {*

  The problem with the assembler is that it is too slow to be useful.

*}

primrec pass1 :: "tpg \<Rightarrow> (unit, (nat \<times> nat \<times> (nat \<rightharpoonup> nat))) SM" 

  where 

  "pass1 (TInstr ai) = sm_map (\<lambda> (pos, lno, lmap). (pos + 1, lno, lmap))" |

  "pass1 (TSeq p1 p2) = do {pass1 p1; pass1 p2 }" |

  "pass1 (TLocal fp) = do { lno \<leftarrow> tap (\<lambda> (pos, lno, lmap). lno); 

                            sm_map (\<lambda> (pos, lno, lmap). (pos, lno+1, lmap)); 

                            pass1 (fp lno) }" |

  "pass1 (TLabel l) = sm_map ((\<lambda> (pos, lno, lmap). (pos, lno, lmap(l \<mapsto> pos))))"

declare pass1.simps[simp del]

type_synonym ('a, 'b) alist = "('a \<times> 'b) list"

primrec pass2 :: "tpg \<Rightarrow> (nat \<rightharpoonup> nat) \<Rightarrow> (unit, (nat \<times> nat \<times> (nat, tm_inst) alist)) SM" 

  where

  "pass2 (TInstr ai) lmap = sm_map (\<lambda> (pos, lno, prog). (pos + 1, lno, (pos, ai)#prog))" |

  "pass2 (TSeq p1 p2) lmap = do {pass2 p1 lmap; pass2 p2 lmap}" |

  "pass2 (TLocal fp) lmap = do { lno \<leftarrow> tap (\<lambda> (pos, lno, prog). lno);

                                 sm_map (\<lambda> (pos, lno, prog). (pos, lno + 1, prog));

                                 (case (lmap lno) of

                                    Some l => pass2 (fp l) lmap |

                                    None => (raise ''Undefined label''))} " |

  "pass2 (TLabel l) lmap = do { pos \<leftarrow> tap (\<lambda> (pos, lno, prog). pos);

                                if (l = pos) then return ()

                                             else (raise ''Label mismatch'') }"

declare pass2.simps[simp del]

definition "assembleM i tpg = 

  do {(x, (pos, lno, lmap)) \<leftarrow> execute (pass1 tpg) (i, 0, empty);

      execute (pass2 tpg lmap) (i, 0, [])}"

definition 

 "assemble i tpg = Option.map (\<lambda> (x, (j, lno, prog)).(prog, j)) (assembleM i tpg)"

lemma tprog_set_union:

  assumes "(fst ` set pg3) \<inter> (fst ` set pg2) = {}"

  shows "tprog_set (map_of pg3 ++ map_of pg2) = tprog_set (map_of pg3) \<union> tprog_set (map_of pg2)"

proof -

  from assms have "dom (map_of pg3) \<inter> dom (map_of pg2) = {}"

    by (metis dom_map_of_conv_image_fst)

  hence map_comm: "map_of pg3 ++ map_of pg2 = map_of pg2 ++ map_of pg3"

    by (metis map_add_comm)

  show ?thesis

  proof

    show "tprog_set (map_of pg3 ++ map_of pg2) \<subseteq> tprog_set (map_of pg3) \<union> tprog_set (map_of pg2)"

    proof

      fix x

      assume " x \<in> tprog_set (map_of pg3 ++ map_of pg2)"

      then obtain i inst where h:

            "x = TC i inst"

            "(map_of pg3 ++ map_of pg2) i = Some inst"

        apply (unfold tprog_set_def)

        by (smt mem_Collect_eq)

      from map_add_SomeD[OF h(2)] h(1)

      show " x \<in> tprog_set (map_of pg3) \<union> tprog_set (map_of pg2)"

        apply (unfold tprog_set_def)

        by (smt mem_Collect_eq sup1CI sup_Un_eq)

    qed

  next

    show "tprog_set (map_of pg3) \<union> tprog_set (map_of pg2) \<subseteq> tprog_set (map_of pg3 ++ map_of pg2)"

    proof

      fix x

      assume " x \<in> tprog_set (map_of pg3) \<union> tprog_set (map_of pg2)"

      then obtain i inst

        where h: "x = TC i inst" "map_of pg3 i = Some inst \<or> map_of pg2 i = Some inst"

        apply (unfold tprog_set_def)

        by (smt Un_iff mem_Collect_eq)

      from h(2)

      show "x \<in> tprog_set (map_of pg3 ++ map_of pg2)"

      proof

        assume "map_of pg2 i = Some inst"

        hence "(map_of pg3 ++ map_of pg2) i = Some inst"

          by (metis map_add_find_right)

        with h(1) show ?thesis 

          apply (unfold tprog_set_def)

          by (smt mem_Collect_eq)

      next

        assume "map_of pg3 i = Some inst"

        hence "(map_of pg2 ++ map_of pg3) i = Some inst"

          by (metis map_add_find_right)

        with h(1) show ?thesis

          apply (unfold map_comm)

          apply (unfold tprog_set_def)

          by (smt mem_Collect_eq)

      qed

    qed

  qed

qed

lemma assumes "assemble i c = Some (prog, j)"

  shows "(i:[c]:j) (tprog_set (map_of prog))"

proof -

  from assms obtain x lno

    where "(assembleM i c) = Some (x, (j, lno, prog))"

    apply(unfold assemble_def)

    by (cases "(assembleM i c)", auto)

  then obtain y pos lno' lmap where

       "execute (pass1 c) (i, 0, empty) = Some (y, (pos, lno', lmap))"

       "execute (pass2 c lmap) (i, 0, []) = Some (x, (j, lno, prog))"

    apply (unfold assembleM_def)

    by (cases "execute (pass1 c) (i, 0, Map.empty)", auto simp:Option.bind.simps)

  hence mid: "effect (pass1 c) (i, 0, empty) (pos, lno', lmap) y"

             "effect (pass2 c lmap) (i, 0, []) (j, lno, prog) x"

    by (auto intro:effectI)

  { fix lnos lmap lmap' prog1 prog2

    assume "effect (pass2 c lmap') (i, lnos, prog1) (j, lno, prog2) x"

    hence "\<exists> prog. (prog2 = prog@prog1 \<and> (i:[c]:j) (tprog_set (map_of prog)) \<and>

                   (\<forall> k \<in> fst ` (set prog). i \<le> k \<and> k < j) \<and> i \<le> j)" 

    proof(induct c arbitrary:lmap' i lnos prog1 j lno prog2 x)

      case  (TInstr instr lmap' i lnos prog1 j lno prog2 x)

      thus ?case

        apply (auto simp: effect_def assemble_def assembleM_def execute.simps sm_map_def sm_def 

                    tprog_set_def tassemble_to.simps sg_def pass1.simps pass2.simps

                     split:if_splits)

        by (cases instr, auto)

    next

      case (TLabel l lmap' i lnos prog1 j lno prog2 x)

      thus ?case 

        apply (rule_tac x = "[]" in exI)

        apply (unfold tassemble_to.simps)

        by (auto simp: effect_def assemble_def assembleM_def execute.simps sm_map_def sm_def 

                    tprog_set_def tassemble_to.simps sg_def pass1.simps pass2.simps tap_def bind_def

                    return_def raise_def sep_empty_def set_ins_def

                     split:if_splits)

    next

      case (TSeq c1 c2 lmap' i lnos prog1 j lno prog2 x)

      from TSeq(3)

      obtain h' r where 

        "effect (pass2 c1 lmap') (i, lnos, prog1) h' r"

        "effect (pass2 c2 lmap') h' (j, lno, prog2) x"

        apply (unfold pass2.simps)

        by (auto elim!:effect_elims)

      then obtain pos1 lno1 pg1

        where h:

        "effect (pass2 c1 lmap') (i, lnos, prog1) (pos1, lno1, pg1) r"

        "effect (pass2 c2 lmap') (pos1, lno1, pg1) (j, lno, prog2) x"

        by (cases h', auto)

      from TSeq(1)[OF h(1)] TSeq(2)[OF h(2)]

      obtain pg2 pg3

        where hh: "pg1 = pg2 @ prog1 \<and> (i :[ c1 ]: pos1) (tprog_set (map_of pg2))"

                  "(\<forall>k\<in> fst ` (set pg2). i \<le> k \<and> k < pos1)"

                  "i \<le> pos1"

                  "prog2 = pg3 @ pg1 \<and> (pos1 :[ c2 ]: j) (tprog_set (map_of pg3))"

                  "(\<forall>k\<in>fst ` (set pg3). pos1 \<le> k \<and> k < j)"

                  "pos1 \<le> j"

        by auto

      thus ?case

        apply (rule_tac x = "pg3 @ pg2" in exI, auto)

        apply (unfold tassemble_to.simps)

        apply (rule_tac x = pos1 in EXS_intro)

        my_block have 

          "(tprog_set (map_of pg2 ++ map_of pg3)) = tprog_set (map_of pg2) \<union> tprog_set (map_of pg3)"

          proof(rule tprog_set_union)

            from hh(2, 5) show "fst ` set pg2 \<inter> fst ` set pg3 = {}"

              by (smt disjoint_iff_not_equal)

          qed

        my_block_end

        apply (unfold this, insert this)

        my_block

          have "tprog_set (map_of pg2) \<inter>  tprog_set (map_of pg3) = {}" 

          proof -

            { fix x

              assume h: "x \<in> tprog_set (map_of pg2)" "x \<in> tprog_set (map_of pg3)"

              then obtain i inst where "x = TC i inst" 

                                       "map_of pg2 i = Some inst" 

                                       "map_of pg3 i = Some inst"

                apply (unfold tprog_set_def)

                by (smt mem_Collect_eq tresource.inject(2))

              hence "(i, inst) \<in> set pg2" "(i, inst) \<in> set pg3"

                by (metis map_of_SomeD)+

              with hh(2, 5)

              have "False"

                by (smt rev_image_eqI)

            } thus ?thesis by auto

          qed

        my_block_end

        apply (insert this)

        apply (fold set_ins_def)

        by (rule sep_conjI, assumption+, simp)

    next

      case (TLocal body lmap' i lnos prog1 j lno prog2 x)

      from TLocal(2)

      obtain l where h:

        "lmap' lnos = Some l"

        "effect (pass2 (body l) lmap') (i, Suc lnos, prog1) (j, lno, prog2) ()"

        apply (unfold pass2.simps)

        by (auto elim!:effect_elims split:option.splits simp:sm_map_def)

      from TLocal(1)[OF this(2)]

      obtain pg where hh: "prog2 = pg @ prog1 \<and> (i :[ body l ]: j) (tprog_set (map_of pg))"

                          "(\<forall>k\<in> fst ` (set pg). i \<le> k \<and> k < j)"

                          "i \<le> j"

        by auto

      thus ?case

        apply (rule_tac x = pg in exI, auto)

        apply (unfold tassemble_to.simps)

        by (rule_tac x = l in EXS_intro, auto)

    qed 

  } from this[OF mid(2)] show ?thesis by auto

qed

definition "valid_tpg tpg = (\<forall> i. \<exists> j prog. assemble i tpg = Some (j, prog))"

section {* A new method based on DB indexing *}

text {*

  In this section, we introduced a new method based on DB-indexing to provide a quick check of 

   assemblebility of TM assmbly programs in the format of @{text "tpg"}. The 

   lemma @{text "ct_left_until_zero"} at the end shows how the well-formedness of @{text "left_until_zero"}

   is proved in a modular way.

*}

datatype cpg = 

   CInstr tm_inst

 | CLabel nat

 | CSeq cpg cpg

 | CLocal cpg

datatype status = Free | Bound

definition "lift_b t i j = (if (j \<ge> t) then (j + i) else j)"

fun lift_t :: "nat \<Rightarrow> nat \<Rightarrow> cpg \<Rightarrow> cpg"

where "lift_t t i (CInstr ((act0, l0), (act1, l1))) = 

                           (CInstr ((act0, lift_b t i l0), (act1, lift_b t i l1)))" |

      "lift_t t i (CLabel l) = CLabel (lift_b t i l)" |

      "lift_t t i (CSeq c1 c2) = CSeq (lift_t t i c1) (lift_t t i c2)" |

      "lift_t t i (CLocal c) = CLocal (lift_t (t + 1) i c)"

definition "lift0 (i::nat) cpg = lift_t 0 i cpg"

definition "perm_b t i j k = (if ((k::nat) = i \<and> i < t \<and> j < t) then j else 

                              if (k = j \<and> i < t \<and> j < t) then i else k)"

lemma inj_perm_b: "inj (perm_b t i j)"

proof(induct rule:injI)

  case (1 x y)

  thus ?case

    by (unfold perm_b_def, auto split:if_splits)

qed

fun perm :: "nat \<Rightarrow> nat \<Rightarrow> nat \<Rightarrow> cpg \<Rightarrow> cpg"

where "perm t i j (CInstr ((act0, l0), (act1, l1))) = 

                           (CInstr ((act0, perm_b t i j l0), (act1, perm_b t i j l1)))" |

      "perm t i j (CLabel l) = CLabel (perm_b t i j l)" |

      "perm t i j (CSeq c1 c2) = CSeq (perm t i j c1) (perm t i j c2)" |

      "perm t i j (CLocal c) = CLocal (perm (t + 1) (i + 1) (j + 1) c)"

definition "map_idx f sts = map (\<lambda> k. sts!(f (nat k))) [0 .. int (length sts) - 1]"

definition "perm_s i j sts = map_idx (perm_b (length sts) i j) sts" 

value "perm_s 2 5 [(0::int), 1, 2, 3, 4, 5, 6, 7, 8, 9, 10]"

lemma "perm_s 2 20 [(0::int), 1, 2, 3, 4, 5, 6, 7, 8, 9, 10] = x"

  apply (unfold perm_s_def map_idx_def perm_b_def, simp add:upto.simps)

  oops

lemma upto_len: "length [i .. j] = (if j < i then 0 else (nat (j - i + 1)))"

proof(induct i j rule:upto.induct)

  case (1 i j)

  show ?case

  proof(cases "j < i")

    case True

    thus ?thesis by simp

  next

    case False

    hence eq_ij: "[i..j] = i # [i + 1..j]" by (simp add:upto.simps)

    from 1 False

    show ?thesis

      by (auto simp:eq_ij)

  qed

qed

lemma perm_s_len: "length (perm_s i j sts') = length sts'"

  apply (unfold perm_s_def map_idx_def)

  by (smt Nil_is_map_conv length_0_conv length_greater_0_conv length_map neq_if_length_neq upto_len)

fun c2t :: "nat list \<Rightarrow> cpg \<Rightarrow> tpg" where 

  "c2t env (CInstr ((act0, st0), (act1, st1))) = TInstr ((act0, env!st0), (act1, env!st1))" |

  "c2t env (CLabel l) = TLabel (env!l)" |

  "c2t env (CSeq cpg1 cpg2) = TSeq (c2t env cpg1) (c2t env cpg2)" |

  "c2t env (CLocal cpg) = TLocal (\<lambda> x. c2t (x#env) cpg)" 

instantiation status :: minus

begin

   fun minus_status :: "status \<Rightarrow> status \<Rightarrow> status" where

     "minus_status Bound Bound = Free" |

     "minus_status Bound Free = Bound" |

     "minus_status Free x = Free "

   instance ..

end

instantiation status :: plus

begin

   fun plus_status :: "status \<Rightarrow> status \<Rightarrow> status" where

     "plus_status Free x = x" |

     "plus_status Bound x = Bound"

   instance ..

end

instantiation list :: (plus)plus

begin

   fun plus_list :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where

     "plus_list [] ys = []" |

     "plus_list (x#xs) [] = []" |

     "plus_list (x#xs) (y#ys) = ((x + y)#plus_list xs ys)"

   instance ..

end

instantiation list :: (minus)minus

begin

   fun minus_list :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where

     "minus_list [] ys = []" |

     "minus_list (x#xs) [] = []" |

     "minus_list (x#xs) (y#ys) = ((x - y)#minus_list xs ys)"

   instance ..

end

(* consts castr :: "nat list \<Rightarrow> nat \<Rightarrow> cpg \<Rightarrow> nat \<Rightarrow> tassert"

definition "castr env i cpg j = (i:[c2t env cpg]:j)" *)

(*

definition 

   "c2p sts i cpg j = (\<forall> x. ((length x = length sts \<and> 

                               (\<forall> k < length sts. sts!k = Bound \<longrightarrow> (\<exists> f. x!k = f i)))

                                \<longrightarrow> (\<exists> s. (i:[(c2t x cpg)]:j) s)))"

*)

definition 

   "c2p sts i cpg j = 

           (\<exists> f. \<forall> x. ((length x = length sts \<and> 

                        (\<forall> k < length sts. sts!k = Bound \<longrightarrow> (x!k = f i k)))

                   \<longrightarrow> (\<exists> s. (i:[(c2t x cpg)]:j) s)))"

fun  wf_cpg_test :: "status list \<Rightarrow> cpg \<Rightarrow> (bool \<times> status list)" where

  "wf_cpg_test sts (CInstr ((a0, l0), (a1, l1))) = ((l0 < length sts \<and> l1 < length sts), sts)" |

  "wf_cpg_test sts (CLabel l) = ((l < length sts) \<and> sts!l = Free, sts[l:=Bound])" |

  "wf_cpg_test sts (CSeq c1 c2) = (let (b1, sts1) = wf_cpg_test sts c1;

                                  (b2, sts2) = wf_cpg_test sts1 c2 in

                                     (b1 \<and> b2, sts2))" |

  "wf_cpg_test sts (CLocal body) = (let (b, sts') = (wf_cpg_test (Free#sts) body) in 

                                   (b, tl sts'))" 

instantiation status :: order

begin

  definition less_eq_status_def: "((st1::status) \<le> st2) = (st1 = Free \<or> st2 = Bound)"

  definition less_status_def: "((st1::status) < st2) = (st1 \<le> st2 \<and> st1 \<noteq> st2)"

instance

proof

  fix x y 

  show "(x < (y::status)) = (x \<le> y \<and> \<not> y \<le> x)"

    by (metis less_eq_status_def less_status_def status.distinct(1))

next

  fix x show "x \<le> (x::status)"

    by (metis (full_types) less_eq_status_def status.exhaust)

next

  fix x y z

  assume "x \<le> y" "y \<le> (z::status)" show "x \<le> (z::status)"

    by (metis `x \<le> y` `y \<le> z` less_eq_status_def status.distinct(1))

next

  fix x y

  assume "x \<le> y" "y \<le> (x::status)" show "x = y"

    by (metis `x \<le> y` `y \<le> x` less_eq_status_def status.distinct(1))

qed

end

instantiation list :: (order)order

begin

  definition "((sts::('a::order) list)  \<le> sts') = 

                   ((length sts = length sts') \<and> (\<forall> i < length sts. sts!i \<le> sts'!i))"

  definition "((sts::('a::order) list)  < sts') = ((sts \<le> sts') \<and> sts \<noteq> sts')"

  lemma anti_sym: assumes h: "x \<le> (y::'a list)" "y \<le> x"

      shows "x = y"

  proof -

    from h have "length x = length y"

      by (metis less_eq_list_def)

    moreover from h have " (\<forall> i < length x. x!i = y!i)"

      by (metis (full_types) antisym_conv less_eq_list_def)

    ultimately show ?thesis

      by (metis nth_equalityI)

  qed

  lemma refl: "x \<le> (x::('a::order) list)"

    apply (unfold less_eq_list_def)

    by (metis order_refl)

  instance

  proof

    fix x y

    show "((x::('a::order) list) < y) = (x \<le> y \<and> \<not> y \<le> x)"

    proof

      assume h: "x \<le> y \<and> \<not> y \<le> x"

      have "x \<noteq> y"

      proof

        assume "x = y" with h have "\<not> (x \<le> x)" by simp

        with refl show False by auto

      qed

      moreover from h have "x \<le> y" by blast

      ultimately show "x < y" by (auto simp:less_list_def)

    next

      assume h: "x < y"

      hence hh: "x \<le> y"

        by (metis TM_Assemble.less_list_def)

      moreover have "\<not> y \<le> x"

      proof

        assume "y \<le> x"

        from anti_sym[OF hh this] have "x = y" .

        with h show False

          by (metis less_list_def) 

      qed

      ultimately show "x \<le> y \<and> \<not> y \<le> x" by auto

    qed

  next

    fix x from refl show "(x::'a list) \<le> x" .

  next

    fix x y assume "(x::'a list) \<le> y" "y \<le> x" 

    from anti_sym[OF this] show "x = y" .

  next

    fix x y z

    assume h: "(x::'a list) \<le> y" "y \<le> z"

    show "x \<le> z"

    proof -

      from h have "length x = length z" by (metis TM_Assemble.less_eq_list_def)

      moreover from h have "\<forall> i < length x. x!i \<le> z!i"

        by (metis TM_Assemble.less_eq_list_def order_trans)

      ultimately show "x \<le> z"

        by (metis TM_Assemble.less_eq_list_def)

    qed

  qed

end

lemma sts_bound_le: "sts \<le> sts[l := Bound]"

proof -

  have "length sts = length (sts[l := Bound])"

    by (metis length_list_update)

  moreover have "\<forall> i < length sts. sts!i \<le> (sts[l:=Bound])!i"

  proof -

    { fix i

      assume "i < length sts"

      have "sts ! i \<le> sts[l := Bound] ! i"

      proof(cases "l < length sts")

        case True

        note le_l = this

        show ?thesis

        proof(cases "l = i")

          case True with le_l

          have "sts[l := Bound] ! i = Bound" by auto

          thus ?thesis by (metis less_eq_status_def) 

        next

          case False

          with le_l have "sts[l := Bound] ! i = sts!i" by auto

          thus ?thesis by auto

        qed

      next

        case False

        hence "sts[l := Bound] = sts" by auto

        thus ?thesis by auto

      qed

    } thus ?thesis by auto

  qed

  ultimately show ?thesis by (metis less_eq_list_def) 

qed

lemma sts_tl_le:

  assumes "sts \<le> sts'"

  shows "tl sts \<le> tl sts'"

proof -

  from assms have "length (tl sts) = length (tl sts')"

    by (metis (hide_lams, no_types) length_tl less_eq_list_def)

  moreover from assms have "\<forall> i < length (tl sts). (tl sts)!i \<le> (tl sts')!i"

    by (smt calculation length_tl less_eq_list_def nth_tl)

  ultimately show ?thesis

    by (metis less_eq_list_def)

qed

lemma wf_cpg_test_le:

  assumes "wf_cpg_test sts cpg = (True, sts')"

  shows "sts \<le> sts'" using assms

proof(induct cpg arbitrary:sts sts')

  case (CInstr instr sts sts')

  obtain a0 l0 a1 l1 where eq_instr: "instr = ((a0, l0), (a1, l1))" 

    by (metis prod.exhaust)

  from CInstr[unfolded this]

  show ?case by simp

next

  case (CLabel l sts sts')

  thus ?case by (auto simp:sts_bound_le)

next

  case (CLocal body sts sts')

  from this(2)

  obtain sts1 where h: "wf_cpg_test (Free # sts) body = (True, sts1)" "sts' = tl sts1"

    by (auto split:prod.splits)

  from CLocal(1)[OF this(1)] have "Free # sts \<le> sts1" .

  from sts_tl_le[OF this]

  have "sts \<le> tl sts1" by simp

  from this[folded h(2)]

  show ?case .

next

  case (CSeq cpg1 cpg2 sts sts')

  from this(3)

  show ?case

    by (auto split:prod.splits dest!:CSeq(1, 2))

qed

lemma c2p_assert:

  assumes "(c2p [] i cpg j)"

  shows "\<exists> s. (i :[(c2t [] cpg)]: j) s"

proof -

  from assms obtain f where

    h [rule_format]: