singrdk/base/Imported/Bartok/runtime/verified/GCs/VerifiedBitVectorsImpl.bpl

//
// Copyright (c) Microsoft Corporation.  All rights reserved.
//

// This file contains proofs of the declarations in VerifiedBitVectors.bpl.
// The proofs require assertions to guide the prover.

// Verification requires the "/bv:z" option to enable Z3 support of bit vectors

// Imports:
//   - Trusted.bpl
//   - TrustedBitVectors.bpl
//   - VerifiedBitVectorsBuiltin.bpl
// Exports:
//   - VerifiedBitVectors.bpl

// \Spec#\bin\Boogie.exe /bv:z /noinfer Trusted.bpl TrustedBitVectors.bpl VerifiedBitVectorsBuiltin.bpl VerifiedBitVectors.bpl VerifiedBitVectorsImpl.bpl

function BitIndex(i0:int, i:int) returns(int)
{
  4 * shr(i - i0, 7)
}

function BitZero(x:int, i0:int, i:int) returns(bool)
{
  0 == and(x, shl(1, and(shr(i - i0, 2), 31)))
}

function ColorIndex(i0:int, i:int) returns(int)
{
  4 * shr(i - i0, 6)
}

function ColorGet(x:int, i0:int, i:int) returns(int)
{
  and(shr(x, and(shr(i - i0, 1), 31)), 3)
}

procedure Const()
  ensures 0 == I(0bv32);
  ensures 2 == I(2bv32);
  ensures 3 == I(3bv32);
  ensures 4 == I(4bv32);
  ensures 5 == I(5bv32);
  ensures 6 == I(6bv32);
  ensures 7 == I(7bv32);
  ensures 16 == I(16bv32);
  ensures 32 == I(32bv32);
  ensures 31 == I(31bv32);
  ensures 64 == I(64bv32);
  ensures 63 == I(63bv32);
  ensures 128 == I(128bv32);
  ensures 127 == I(127bv32);
  ensures 256 == I(256bv32);
  ensures 16777215 == I(16777215bv32);
  ensures 33554431 == I(33554431bv32);
  ensures 67108863 == I(67108863bv32);
{
  call $Const();
  assert word(0);
  call _S(1bv32, 1bv32);
  assert word(2);
  call _A(1bv32, 1bv32);
  assert word(3);
  call _A(2bv32, 1bv32);
  assert word(4);
  call _A(2bv32, 2bv32);
  assert word(5);
  call _A(4bv32, 1bv32);
  assert word(6);
  call _A(5bv32, 1bv32);
  assert word(7);
  call _A(5bv32, 2bv32);
  assert word(16);
  call _M(4bv32, 4bv32);
  assert word(32);
  call _A(16bv32, 16bv32);
  assert word(31);
  call _S(32bv32, 1bv32);
  assert word(64);
  call _A(32bv32, 32bv32);
  assert word(63);
  call _S(64bv32, 1bv32);
  assert word(128);
  call _M(32bv32, 4bv32);
  assert word(127);
  call _S(128bv32, 1bv32);
  assert word(I(16bv32) * I(16bv32));
  call _M(16bv32, 16bv32);
  assert word(512);
  call _A(256bv32, 256bv32);
  assert word(65536);
  call _M(256bv32, 256bv32);
  assert word(65535);
  call _S(65536bv32, 1bv32);
  assert word(16777216);
  call _M(65536bv32, 256bv32);
  assert word(16777215);
  call _S(16777216bv32, 1bv32);
  assert word(2147483647 + 2147483647 + 2 - 65536);
  call _M(65536bv32, 65535bv32);
  assert word(33554432);
  call _M(65536bv32, 512bv32);
  assert word(33554431);
  call _S(33554432bv32, 1bv32);
  assert word(67108864);
  call _A(33554432bv32, 33554432bv32);
  assert word(67108863);
  call _S(67108864bv32, 1bv32);
}

procedure Const2()
  ensures 2147483647 + 2147483647 + 1 == I(4294967295bv32);
  ensures 2147483647 + 2147483647 - 2 == I(4294967292bv32);
{
  call Const();
  call $Const();
  assert word(2147483647 + 2147483647 + 1);
  call _A(4294901760bv32, 65535bv32);
  assert word(I(4294967295bv32) - I(3bv32));
  call _S(4294967295bv32, 3bv32);
}

procedure _A(b1:bv32, b2:bv32)
  requires word(I(b1) + I(b2));
  ensures  I(b1) + I(b2) == I($add(b1, b2));
{
  assert TBV(b1) && TBV(b2);
}

procedure _S(b1:bv32, b2:bv32)
  requires word(I(b1) - I(b2));
  ensures  I(b1) - I(b2) == I($sub(b1, b2));
{
  assert TBV(b1) && TBV(b2);
}

procedure _M(b1:bv32, b2:bv32)
  requires word(I(b1) * I(b2));
  ensures  I(b1) * I(b2) == I($mul(b1, b2));
{
  assert TBV(b1) && TBV(b2);
}

implementation __andAligned(x:int)
{
  call Const();
  call $AndAligned(B(x));
  assert Aligned(I(B(x))) <==> $Aligned(B(x));
}

implementation __addAligned(x:int, y:int)
{
  call Const();
  call $AddAligned(B(x), B(y));
  assert word(x) && word(y) && word(x + y) && Aligned(I(B(x))) ==> (Aligned(I(B(y))) <==> Aligned(I(B(x + y))));
}

implementation __subAligned(x:int, y:int)
{
  call Const();
  call $SubAligned(B(x), B(y));
  assert word(x) && word(y) && word(x - y) && Aligned(I(B(x))) ==> (Aligned(I(B(y))) <==> Aligned(I(B(x - y))));
}

implementation __notAligned(i:int)
{
  call Const();
  call Const2();
  call $NotAligned(B(i));
  assert TBV(B(i)) && TBV(4294967292bv32);
  assert i <= 2147483647 + 2147483647 - 2;
}

implementation __initialize($unitSize:int, HeapLo:int)
{
  call Const();
  assert $le(B($unitSize), B(16777215));
  call $Initialize(B($unitSize));
  assert BitIndex(HeapLo, HeapLo + 128 * $unitSize) == 4 * $unitSize;
  assert BitIndex(HeapLo, HeapLo + 256 * $unitSize) == 8 * $unitSize;
}

implementation __bb4Zero(a:[int]int, off:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, g1:int, g2:int, idx:int)
{
  call Const();

  assert word(idx) && word(g1);
  assert word(I(B(idx)) - I(B(g1)));
  assert $le($shr(B(i2 - i0), 7bv32), 33554431bv32) ==> I($mul(128bv32, $shr(B(i2 - i0), 7bv32))) == 128 * I($shr(B(i2 - i0), 7bv32));
  assert  (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));

  call _BB4Zero(a, off, aBase, bb, i0, i1, i2, g1, g2, idx);
}

implementation __bb4GetBit(a:[int]int, off:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, g1:int, g2:int)
{
  call Const();
  call _BB4GetBit(i0, k);
}

implementation __bb4SetBit(a:[int]int, on:int, off:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, ret:[int]int, g1:int, g2:int)
{
  call Const();

  assert B(shr(k - i0, 7)) == $shr(B(k - i0), 7bv32);
  assert Aligned(I(B(k - i0)));
  assert  (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));

  call _BB4SetBit(a, on, off, aBase, bb, i0, i1, i2, k, idx, bbb, ret, g1, g2);

  assert $bbvec4(a[aBase + (k - i0) := on], off, aBase, ret, i0, i1, i2, g1, g2);
}

implementation __bb4Zero2(a:[int]int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, g1:int, g2:int, idx:int)
{
  call Const();

  assert word(idx) && word(g1);
  assert word(I(B(idx)) - I(B(g1)));
  assert $le($shr(B(i2 - i0), 6bv32), 67108863bv32) ==> I($mul(64bv32, $shr(B(i2 - i0), 6bv32))) == 64 * I($shr(B(i2 - i0), 6bv32));
  assert  (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));

  call _BB4Zero2(a, aBase, bb, i0, i1, i2, g1, g2, idx);
}

implementation __bb4Get2Bit(a:[int]int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, g1:int, g2:int)
{
  call Const();
  call _BB4Get2Bit(i0, k);
}

implementation __bb4Set2Bit(a:[int]int, val:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, _bbb:int, ret:[int]int, g1:int, g2:int)
{
  call Const();

  assert  (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));

  call _BB4Set2Bit(a, val, aBase, bb, i0, i1, i2, k, idx, bbb, _bbb, ret, g1, g2);
}
RDK 2.0 2008-11-17 18:29:00 -05:00			`//`
			`// Copyright (c) Microsoft Corporation. All rights reserved.`
			`//`

			`// This file contains proofs of the declarations in VerifiedBitVectors.bpl.`
			`// The proofs require assertions to guide the prover.`

			`// Verification requires the "/bv:z" option to enable Z3 support of bit vectors`

			`// Imports:`
			`// - Trusted.bpl`
			`// - TrustedBitVectors.bpl`
			`// - VerifiedBitVectorsBuiltin.bpl`
			`// Exports:`
			`// - VerifiedBitVectors.bpl`

			`// \Spec#\bin\Boogie.exe /bv:z /noinfer Trusted.bpl TrustedBitVectors.bpl VerifiedBitVectorsBuiltin.bpl VerifiedBitVectors.bpl VerifiedBitVectorsImpl.bpl`

			`function BitIndex(i0:int, i:int) returns(int)`
			`{`
			`4 * shr(i - i0, 7)`
			`}`

			`function BitZero(x:int, i0:int, i:int) returns(bool)`
			`{`
			`0 == and(x, shl(1, and(shr(i - i0, 2), 31)))`
			`}`

			`function ColorIndex(i0:int, i:int) returns(int)`
			`{`
			`4 * shr(i - i0, 6)`
			`}`

			`function ColorGet(x:int, i0:int, i:int) returns(int)`
			`{`
			`and(shr(x, and(shr(i - i0, 1), 31)), 3)`
			`}`

			`procedure Const()`
			`ensures 0 == I(0bv32);`
			`ensures 2 == I(2bv32);`
			`ensures 3 == I(3bv32);`
			`ensures 4 == I(4bv32);`
			`ensures 5 == I(5bv32);`
			`ensures 6 == I(6bv32);`
			`ensures 7 == I(7bv32);`
			`ensures 16 == I(16bv32);`
			`ensures 32 == I(32bv32);`
			`ensures 31 == I(31bv32);`
			`ensures 64 == I(64bv32);`
			`ensures 63 == I(63bv32);`
			`ensures 128 == I(128bv32);`
			`ensures 127 == I(127bv32);`
			`ensures 256 == I(256bv32);`
			`ensures 16777215 == I(16777215bv32);`
			`ensures 33554431 == I(33554431bv32);`
			`ensures 67108863 == I(67108863bv32);`
			`{`
			`call $Const();`
			`assert word(0);`
			`call _S(1bv32, 1bv32);`
			`assert word(2);`
			`call _A(1bv32, 1bv32);`
			`assert word(3);`
			`call _A(2bv32, 1bv32);`
			`assert word(4);`
			`call _A(2bv32, 2bv32);`
			`assert word(5);`
			`call _A(4bv32, 1bv32);`
			`assert word(6);`
			`call _A(5bv32, 1bv32);`
			`assert word(7);`
			`call _A(5bv32, 2bv32);`
			`assert word(16);`
			`call _M(4bv32, 4bv32);`
			`assert word(32);`
			`call _A(16bv32, 16bv32);`
			`assert word(31);`
			`call _S(32bv32, 1bv32);`
			`assert word(64);`
			`call _A(32bv32, 32bv32);`
			`assert word(63);`
			`call _S(64bv32, 1bv32);`
			`assert word(128);`
			`call _M(32bv32, 4bv32);`
			`assert word(127);`
			`call _S(128bv32, 1bv32);`
			`assert word(I(16bv32) * I(16bv32));`
			`call _M(16bv32, 16bv32);`
			`assert word(512);`
			`call _A(256bv32, 256bv32);`
			`assert word(65536);`
			`call _M(256bv32, 256bv32);`
			`assert word(65535);`
			`call _S(65536bv32, 1bv32);`
			`assert word(16777216);`
			`call _M(65536bv32, 256bv32);`
			`assert word(16777215);`
			`call _S(16777216bv32, 1bv32);`
			`assert word(2147483647 + 2147483647 + 2 - 65536);`
			`call _M(65536bv32, 65535bv32);`
			`assert word(33554432);`
			`call _M(65536bv32, 512bv32);`
			`assert word(33554431);`
			`call _S(33554432bv32, 1bv32);`
			`assert word(67108864);`
			`call _A(33554432bv32, 33554432bv32);`
			`assert word(67108863);`
			`call _S(67108864bv32, 1bv32);`
			`}`

			`procedure Const2()`
			`ensures 2147483647 + 2147483647 + 1 == I(4294967295bv32);`
			`ensures 2147483647 + 2147483647 - 2 == I(4294967292bv32);`
			`{`
			`call Const();`
			`call $Const();`
			`assert word(2147483647 + 2147483647 + 1);`
			`call _A(4294901760bv32, 65535bv32);`
			`assert word(I(4294967295bv32) - I(3bv32));`
			`call _S(4294967295bv32, 3bv32);`
			`}`

			`procedure _A(b1:bv32, b2:bv32)`
			`requires word(I(b1) + I(b2));`
			`ensures I(b1) + I(b2) == I($add(b1, b2));`
			`{`
			`assert TBV(b1) && TBV(b2);`
			`}`

			`procedure _S(b1:bv32, b2:bv32)`
			`requires word(I(b1) - I(b2));`
			`ensures I(b1) - I(b2) == I($sub(b1, b2));`
			`{`
			`assert TBV(b1) && TBV(b2);`
			`}`

			`procedure _M(b1:bv32, b2:bv32)`
			`requires word(I(b1) * I(b2));`
			`ensures I(b1) * I(b2) == I($mul(b1, b2));`
			`{`
			`assert TBV(b1) && TBV(b2);`
			`}`

			`implementation __andAligned(x:int)`
			`{`
			`call Const();`
			`call $AndAligned(B(x));`
			`assert Aligned(I(B(x))) <==> $Aligned(B(x));`
			`}`

			`implementation __addAligned(x:int, y:int)`
			`{`
			`call Const();`
			`call $AddAligned(B(x), B(y));`
			`assert word(x) && word(y) && word(x + y) && Aligned(I(B(x))) ==> (Aligned(I(B(y))) <==> Aligned(I(B(x + y))));`
			`}`

			`implementation __subAligned(x:int, y:int)`
			`{`
			`call Const();`
			`call $SubAligned(B(x), B(y));`
			`assert word(x) && word(y) && word(x - y) && Aligned(I(B(x))) ==> (Aligned(I(B(y))) <==> Aligned(I(B(x - y))));`
			`}`

			`implementation __notAligned(i:int)`
			`{`
			`call Const();`
			`call Const2();`
			`call $NotAligned(B(i));`
			`assert TBV(B(i)) && TBV(4294967292bv32);`
			`assert i <= 2147483647 + 2147483647 - 2;`
			`}`

			`implementation __initialize($unitSize:int, HeapLo:int)`
			`{`
			`call Const();`
			`assert $le(B($unitSize), B(16777215));`
			`call $Initialize(B($unitSize));`
			`assert BitIndex(HeapLo, HeapLo + 128 * $unitSize) == 4 * $unitSize;`
			`assert BitIndex(HeapLo, HeapLo + 256 * $unitSize) == 8 * $unitSize;`
			`}`

			`implementation __bb4Zero(a:[int]int, off:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, g1:int, g2:int, idx:int)`
			`{`
			`call Const();`

			`assert word(idx) && word(g1);`
			`assert word(I(B(idx)) - I(B(g1)));`
			`assert $le($shr(B(i2 - i0), 7bv32), 33554431bv32) ==> I($mul(128bv32, $shr(B(i2 - i0), 7bv32))) == 128 * I($shr(B(i2 - i0), 7bv32));`
			`assert (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));`

			`call _BB4Zero(a, off, aBase, bb, i0, i1, i2, g1, g2, idx);`
			`}`

			`implementation __bb4GetBit(a:[int]int, off:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, g1:int, g2:int)`
			`{`
			`call Const();`
			`call _BB4GetBit(i0, k);`
			`}`

			`implementation __bb4SetBit(a:[int]int, on:int, off:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, ret:[int]int, g1:int, g2:int)`
			`{`
			`call Const();`

			`assert B(shr(k - i0, 7)) == $shr(B(k - i0), 7bv32);`
			`assert Aligned(I(B(k - i0)));`
			`assert (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));`

			`call _BB4SetBit(a, on, off, aBase, bb, i0, i1, i2, k, idx, bbb, ret, g1, g2);`

			`assert $bbvec4(a[aBase + (k - i0) := on], off, aBase, ret, i0, i1, i2, g1, g2);`
			`}`

			`implementation __bb4Zero2(a:[int]int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, g1:int, g2:int, idx:int)`
			`{`
			`call Const();`

			`assert word(idx) && word(g1);`
			`assert word(I(B(idx)) - I(B(g1)));`
			`assert $le($shr(B(i2 - i0), 6bv32), 67108863bv32) ==> I($mul(64bv32, $shr(B(i2 - i0), 6bv32))) == 64 * I($shr(B(i2 - i0), 6bv32));`
			`assert (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));`

			`call _BB4Zero2(a, aBase, bb, i0, i1, i2, g1, g2, idx);`
			`}`

			`implementation __bb4Get2Bit(a:[int]int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, g1:int, g2:int)`
			`{`
			`call Const();`
			`call _BB4Get2Bit(i0, k);`
			`}`

			`implementation __bb4Set2Bit(a:[int]int, val:int, aBase:int, bb:[int]int, i0:int, i1:int, i2:int, k:int, idx:int, bbb:int, _bbb:int, ret:[int]int, g1:int, g2:int)`
			`{`
			`call Const();`

			`assert (forall i:int::{TV(i)} TV(i) && word(i - i0) && i1 <= i && i < i2 && Aligned(I(B(i - i0))) ==> $Aligned(B(i - i0)));`

			`call _BB4Set2Bit(a, val, aBase, bb, i0, i1, i2, k, idx, bbb, _bbb, ret, g1, g2);`
			`}`