@@ -226,8 +226,8 @@ Proof.
226
226
&& data_at Tsh (tarray tint 256) pow v_pow;
227
227
tables_uninitialized (gv _tables))).
228
228
{ (* init *)
229
- forward. forward. Exists 0. entailer!. do 2 Exists (repeat Vundef 256).
230
- entailer!.
229
+ forward. forward. Exists 0. entailer!! . do 2 Exists (repeat Vundef 256).
230
+ entailer!! .
231
231
}
232
232
{ (* body *)
233
233
(* forward. TODO floyd: "forward" should tell me to use Intros instead of just failing *)
@@ -238,26 +238,26 @@ Proof.
238
238
TODO floyd: error message should say that I have to thaw *)
239
239
thaw Fr.
240
240
forward.
241
- + entailer!. apply pow3_range; lia.
241
+ + entailer!! . apply pow3_range; lia.
242
242
+ (* t'1 = ( x & 0x80 ) ? 0x1B : 0x00 ) *)
243
243
forward_if_diff (PROP () LOCAL (temp _t'1 (Vint (
244
244
if Int.eq (Int.and (pow3 i) (Int.repr 128)) Int.zero
245
245
then Int.zero
246
246
else (Int.repr 27)
247
247
))) SEP ()).
248
248
* (* then-branch of "_ ? _ : _" *)
249
- forward. rewrite Int.eq_false by assumption. entailer!.
249
+ forward. rewrite Int.eq_false by assumption. entailer!! .
250
250
* (* else-branch of "_ ? _ : _" *)
251
251
forward.
252
252
match goal with
253
253
| H: @eq int _ _ |- _ => rewrite H
254
254
end.
255
255
rewrite Int.eq_true.
256
- entailer!.
256
+ entailer!! .
257
257
* (* after "_ ? _ : _" *)
258
258
(* x = (x ^ ((x << 1) ^ t'1)) & 0xFF *)
259
259
forward.
260
- entailer!.
260
+ entailer!! .
261
261
{ f_equal. unfold pow3. rewrite repeat_op_step by lia. reflexivity. }
262
262
{ Exists (upd_Znth i pow (Vint (pow3 i))).
263
263
Exists (upd_Znth (Int.unsigned (pow3 i)) log (Vint (Int.repr i))).
@@ -291,29 +291,29 @@ Proof.
291
291
292
292
forward_for_simple_bound 10 (rcon_loop_inv0 v_pow v_log gv Fr).
293
293
{ (* init *)
294
- forward. forward. Exists 0. entailer!.
294
+ forward. forward. Exists 0. entailer!! .
295
295
}
296
296
{ (* body *)
297
- forward. entailer!.
297
+ forward. entailer!! .
298
298
(* t'2 = ( x & 0x80 ) ? 0x1B : 0x00 ) *)
299
299
forward_if_diff (PROP () LOCAL (temp _t'2 (Vint (
300
300
if Int.eq (Int.and (pow2 i) (Int.repr 128)) Int.zero
301
301
then Int.zero
302
302
else (Int.repr 27)
303
303
))) SEP ()).
304
304
* (* then-branch of "_ ? _ : _" *)
305
- forward. rewrite Int.eq_false by assumption. entailer!.
305
+ forward. rewrite Int.eq_false by assumption. entailer!! .
306
306
* (* else-branch of "_ ? _ : _" *)
307
307
forward.
308
308
match goal with
309
309
| H: @eq int _ _ |- _ => rewrite H
310
310
end.
311
311
rewrite Int.eq_true.
312
- entailer!.
312
+ entailer!! .
313
313
* (* after "_ ? _ : _" *)
314
314
(* x = ((x << 1) ^ t'2)) & 0xFF *)
315
315
forward.
316
- entailer!.
316
+ entailer!! .
317
317
- f_equal. unfold pow2 at 1. rewrite repeat_op_step by lia. reflexivity.
318
318
- apply field_at_update_val.
319
319
rewrite upd_Znth_app2.
@@ -389,16 +389,16 @@ Proof.
389
389
forward_for_simple_bound 256 (gen_sbox_inv0 v_pow v_log (map Z_to_val log) (map Vint pow) gv Fr).
390
390
{ (* loop invariant holds initially: *)
391
391
unfold gen_sbox_inv00.
392
- entailer!.
392
+ entailer!! .
393
393
Exists (upd_Znth 99 Vundef256 (Vint (Int.repr 0))).
394
394
Exists (upd_Znth 0 Vundef256 (Vint (Int.repr 99))).
395
- entailer!.
395
+ entailer!! .
396
396
intros. assert (j = 0) by lia. subst j. rewrite upd_Znth_same.
397
397
* reflexivity.
398
398
* change (Zlength Vundef256) with 256. lia.
399
399
}
400
400
{ (* loop body preserves invariant: *)
401
- forward. { entailer!. rewrite Hlog' by lia. auto. }
401
+ forward. { entailer!! . rewrite Hlog' by lia. auto. }
402
402
pose proof (log3range i).
403
403
rewrite Hlog' by lia.
404
404
(* TODO floyd: If I don't do the above to make sure that "temp _logi" is a Vint,
@@ -426,14 +426,14 @@ Proof.
426
426
Intro fsb. Intro rsb.
427
427
forward. forward.
428
428
- (* entailment of "forward" *)
429
- entailer!.
429
+ entailer!! .
430
430
apply FSb_range.
431
431
- (* postcondition implies loop invariant *)
432
- entailer!.
432
+ entailer!! .
433
433
match goal with
434
434
| |- (field_at _ _ _ ?fsb' _ * field_at _ _ _ ?rsb' _)%logic |-- _ => Exists rsb'; Exists fsb'
435
435
end.
436
- entailer!. repeat split.
436
+ entailer!! . repeat split.
437
437
+ rewrite upd_Znth_diff; (lia || auto).
438
438
+ rewrite upd_Znth_Zlength; lia.
439
439
+ intros.
@@ -477,7 +477,7 @@ Proof.
477
477
(forall j : Z, 1 <= j < 256 ->
478
478
Znth (Int.unsigned (Znth j FSb)) rsb = Vint (Int.repr j)) /\
479
479
(Znth 99 rsb = Vint Int.zero)
480
- ) as P. { entailer!. }
480
+ ) as P. { entailer!! . }
481
481
destruct P as [?H [?H ?H]]. normalize. (*
482
482
match goal with
483
483
| |- semax ?D (PROPx ?P (LOCALx ?Q (SEPx ?R))) ?e ?Post => match R with
@@ -518,7 +518,7 @@ Proof.
518
518
forward_for_simple_bound 256 (gen_ftrt_inv0 v_pow v_log (map Z_to_val log) (map Vint pow) gv).
519
519
{ (* loop invariant holds initially: *)
520
520
unfold gen_ftrt_inv00.
521
- entailer!.
521
+ entailer!! .
522
522
}
523
523
{ (* loop body preserves invariant: *)
524
524
@@ -535,14 +535,14 @@ Proof.
535
535
else (Int.repr 27)
536
536
))) SEP ()).
537
537
* (* then-branch of "_ ? _ : _" *)
538
- forward. rewrite Int.eq_false by assumption. entailer!.
538
+ forward. rewrite Int.eq_false by assumption. entailer!! .
539
539
* (* else-branch of "_ ? _ : _" *)
540
540
forward.
541
541
match goal with
542
542
| H: @eq int _ _ |- _ => rewrite H
543
543
end.
544
544
rewrite Int.eq_true.
545
- entailer!.
545
+ entailer!! .
546
546
* (* after "_ ? _ : _" *)
547
547
forward.
548
548
match goal with
@@ -619,7 +619,7 @@ Proof.
619
619
}
620
620
pose proof (RSb_range i).
621
621
forward. forward. forward. {
622
- entailer!.
622
+ entailer!! .
623
623
(* We have to show that we're not in the case "INT_MIN % -1", because that's undefined behavior.
624
624
TODO floyd: Make sure floyd can solve this automatically, also in solve_efield_denote, so
625
625
that we don't have to factor out the modulo, but can use it directly as the array index. *)
@@ -635,13 +635,15 @@ Proof.
635
635
}
636
636
pose proof (mod_range _ 255 A).
637
637
forward.
638
- entailer!.
638
+ entailer!!.
639
+ fold Int.zero in *.
639
640
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
640
- - exfalso. apply H3. reflexivity .
641
+ - exfalso. apply H3; auto .
641
642
- simpl. reflexivity.
642
643
}
643
644
{ (* else-branch *)
644
- forward. entailer!.
645
+ forward. entailer!!.
646
+ fold Int.zero in *.
645
647
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
646
648
- simpl. reflexivity.
647
649
- discriminate.
@@ -663,7 +665,7 @@ Proof.
663
665
pose proof (RSb_range i).
664
666
forward. forward.
665
667
forward. {
666
- entailer!.
668
+ entailer!! .
667
669
split.
668
670
intros [? H99]; inv H99.
669
671
apply add_no_overflow; auto; computable.
@@ -675,13 +677,15 @@ Proof.
675
677
}
676
678
pose proof (mod_range _ 255 A).
677
679
forward.
678
- entailer!.
680
+ fold Int.zero in *.
681
+ entailer!!.
679
682
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
680
683
- exfalso. apply H3. reflexivity.
681
684
- simpl. reflexivity.
682
685
}
683
686
{ (* else-branch *)
684
- forward. entailer!.
687
+ forward. entailer!!.
688
+ fold Int.zero in *.
685
689
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
686
690
- simpl. reflexivity.
687
691
- discriminate.
@@ -703,7 +707,7 @@ Proof.
703
707
pose proof (RSb_range i).
704
708
forward. forward.
705
709
forward. {
706
- entailer!.
710
+ entailer!! .
707
711
split.
708
712
intros [? H99]; inv H99.
709
713
apply add_no_overflow; auto; computable.
@@ -716,12 +720,14 @@ Proof.
716
720
pose proof (mod_range _ 255 A).
717
721
forward.
718
722
entailer!.
723
+ fold Int.zero in *.
719
724
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
720
725
- exfalso. apply H3. reflexivity.
721
726
- simpl. reflexivity.
722
727
}
723
728
{ (* else-branch *)
724
- forward. entailer!.
729
+ forward. entailer!!.
730
+ fold Int.zero in *.
725
731
destruct (Int.eq (Znth i RSb)) eqn: E.
726
732
- simpl. reflexivity.
727
733
- discriminate.
@@ -743,7 +749,7 @@ Proof.
743
749
pose proof (RSb_range i).
744
750
forward. forward.
745
751
forward. {
746
- entailer!.
752
+ entailer!! .
747
753
split.
748
754
intros [? H99]; inv H99.
749
755
apply add_no_overflow; auto; computable.
@@ -756,12 +762,14 @@ Proof.
756
762
pose proof (mod_range _ 255 A).
757
763
forward.
758
764
entailer!.
765
+ fold Int.zero in *.
759
766
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
760
767
- exfalso. apply H3. reflexivity.
761
768
- simpl. reflexivity.
762
769
}
763
770
{ (* else-branch *)
764
771
forward. entailer!.
772
+ fold Int.zero in *.
765
773
destruct (Int.eq (Znth i RSb) Int.zero) eqn: E.
766
774
- simpl. reflexivity.
767
775
- discriminate.
@@ -814,7 +822,7 @@ Proof.
814
822
Ltac canon_load_result ::= default_canon_load_result.
815
823
816
824
(* postcondition implies loop invariant: *)
817
- entailer!.
825
+ entailer!! .
818
826
}
819
827
unfold partially_filled. change (repeat_op_table (256 - 256) Vundef id) with (@nil val).
820
828
do 8 rewrite app_nil_r.
@@ -837,11 +845,17 @@ Proof.
837
845
forget RT1 as RT1'.
838
846
forget RT2 as RT2'.
839
847
forget RT3 as RT3'.
840
-
841
- entailer!.
848
+ repeat (let j := fresh "j" in set (j := field_at _ _ _ _ _); clearbody j).
849
+ go_lowerx. cancel.
850
+ unfold stackframe_of.
851
+ simpl.
852
+ rewrite sepcon_emp.
853
+ apply sepcon_derives;
854
+ sep_apply data_at_data_at_; eapply var_block_lvar0; eauto; reflexivity.
842
855
} }
843
856
(* Show.*)
844
857
Time Qed .
845
858
(* Coq 8.5.2: 177s
846
859
Coq 8.6 : 75s
860
+ Coq 8.18 with VST 2.13+ and some tweaks to this proof, and a Mac M2: 5.6 secs
847
861
*)
0 commit comments