Specification #
This module provides the per-instruction Hoare specifications.
Specification for Instr.LoadImmediate.
For certifying the instruction, the rule of assignment (P ⟦x[dst] ← val; pc++⟧) is used.
The hoare triples state that if you start in a state where the precondition P holds,
and you execute the instruction, the precondition P will still
hold after the execution. The precondition is applied after simulating the
effects of the instruction.
theorem
specification_AddImmediate
(P : Assertion)
(pc dst regAddend val : UInt64)
(L : Set UInt64)
:
theorem
specification_AddRegister
(P : Assertion)
(pc dst regAddend1 regAddend2 : UInt64)
(L : Set UInt64)
:
theorem
specification_SubImmediate
(P : Assertion)
(pc dst regMinuend subtrahend : UInt64)
(L : Set UInt64)
:
theorem
specification_SubRegister
(P : Assertion)
(pc dst regMinuend regSubtrahend : UInt64)
(L : Set UInt64)
:
theorem
specification_StoreWordImmediate
(P : Assertion)
(pc regWithAddr regWithValue : UInt64)
(L : Set UInt64)
:
theorem
specification_JumpEq_true
(P : Assertion)
(pc newPc reg1 reg2 : UInt64)
(s : String)
(L : Set UInt64)
:
L = {n : UInt64 | n ≠ newPc} →
hoare_triple_up_1
(fun (st : MState) =>
P (st.setPc newPc) ∧ st.getLabelAt s = some newPc ∧ st.getRegisterAt reg1 = st.getRegisterAt reg2 ∧ ¬st.terminated = true)
(fun (st : MState) => P st ∧ st.getLabelAt s = some newPc ∧ ¬st.terminated = true) pc {newPc} L
(Instr.JumpEq reg1 reg2 s)
theorem
specification_JumpNeq_true
(P : Assertion)
(pc newPc reg1 reg2 : UInt64)
(s : String)
(L : Set UInt64)
:
L = {n : UInt64 | n ≠ newPc} →
hoare_triple_up_1
(fun (st : MState) =>
P (st.setPc newPc) ∧ st.getLabelAt s = some newPc ∧ st.getRegisterAt reg1 ≠ st.getRegisterAt reg2 ∧ ¬st.terminated = true)
(fun (st : MState) => P st ∧ st.getLabelAt s = some newPc ∧ ¬st.terminated = true) pc {newPc} L
(Instr.JumpNeq reg1 reg2 s)
theorem
specification_JumpGt_true
(P : Assertion)
(pc newPc reg1 reg2 : UInt64)
(s : String)
(L : Set UInt64)
:
L = {n : UInt64 | n ≠ newPc} →
hoare_triple_up_1
(fun (st : MState) =>
P (st.setPc newPc) ∧ st.getLabelAt s = some newPc ∧ st.getRegisterAt reg1 > st.getRegisterAt reg2 ∧ ¬st.terminated = true)
(fun (st : MState) => P st ∧ st.getLabelAt s = some newPc ∧ ¬st.terminated = true) pc {newPc} L
(Instr.JumpGt reg1 reg2 s)
theorem
specification_JumpLe_true
(P : Assertion)
(pc newPc reg1 reg2 : UInt64)
(s : String)
(L : Set UInt64)
:
L = {n : UInt64 | n ≠ newPc} →
hoare_triple_up_1
(fun (st : MState) =>
P (st.setPc newPc) ∧ st.getLabelAt s = some newPc ∧ st.getRegisterAt reg1 ≤ st.getRegisterAt reg2 ∧ ¬st.terminated = true)
(fun (st : MState) => P st ∧ st.getLabelAt s = some newPc ∧ ¬st.terminated = true) pc {newPc} L
(Instr.JumpLe reg1 reg2 s)