simulation framework: parameterized by state relation R

- lift_result: lifts state relation R through exec_result
- inst_simulates R f / block_simulates R bt: simulation predicates
- block_map_transform / function_map_transform: 1:1 mapping transforms
- valid_state_rel: closure conditions for step_inst_preserves_R
- Instantiations: state_equiv and state_equiv_except satisfy valid_state_rel
- analysis_pass_correct: end-to-end composition theorem

All proofs cheated (stubs for proving later).

Author: charles-cooper

venom/simulation/Holmakefile

@@ -0,0 +1,2 @@
+# Pass simulation and composition: public API
+INCLUDES = defs proofs

venom/simulation/README.md

@@ -0,0 +1,36 @@
+# Pass Simulation & Composition Framework
+
+Generic infrastructure for proving compiler pass correctness.
+
+## Structure
+
+```
+defs/
+  passSimulationDefsScript.sml  — block_map_transform, function_map_transform,
+                                   inst_simulates, block_simulates
+proofs/
+  passSimulationProofsScript.sml — inst_sim_block_sim, block_sim_function,
+                                    conditional_inst_sim, block_sim_compose,
+                                    result_equiv_trans, lookup_block_map
+  passCompositionProofsScript.sml — analysis_pass_correct
+passSimulationPropsScript.sml    — re-exports simulation proofs via ACCEPT_TAC
+passCompositionPropsScript.sml   — re-exports composition proof via ACCEPT_TAC
+```
+
+## Usage
+
+For a 1:1 instruction-mapping pass:
+1. Define transform function `f : instruction → instruction`
+2. Prove `inst_simulates f` (or use `conditional_inst_sim` for partial transforms)
+3. Get block and function correctness for free via `inst_sim_block_sim` + `block_sim_function`
+
+For an analysis-driven pass:
+1. Prove dataflow framework conditions (lattice, worklist convergence)
+2. Prove analysis fixpoint implies soundness
+3. Prove soundness implies block simulation
+4. Get function correctness via `analysis_pass_correct`
+
+## Dependencies
+
+Uses `stateEquiv`/`execEquiv` from `venom/` for state and result equivalence.
+Uses `worklistProps` from `analysis/dataflow/` for convergence.

venom/simulation/defs/Holmakefile

@@ -0,0 +1,5 @@
+# Pass simulation definitions
+# From simulation/defs/ relative paths:
+#   ../..    = venom/
+#   ../../.. = project root
+INCLUDES = $(VFMDIR)/util $(VFMDIR)/spec ../.. ../../../syntax ../../../semantics

venom/simulation/defs/execEquivParamDefsScript.sml

@@ -0,0 +1,47 @@
+(*
+ * Parameterized Execution Equivalence — Definitions
+ *
+ * Closure conditions on a state relation R that enable
+ * step_inst_preserves_R (the master theorem).
+ *
+ * Both state_equiv and state_equiv_except satisfy valid_state_rel.
+ * This eliminates per-pass boilerplate (~800 LOC each for RTA, phi-elim, etc.)
+ *
+ * TOP-LEVEL:
+ *   valid_state_rel — closure conditions on R for execution preservation
+ *)
+
+Theory execEquivParamDefs
+Ancestors
+  stateEquiv venomSem venomState venomInst
+
+(* Closure conditions on a state relation R.
+   Any R satisfying these supports step_inst_preserves_R.
+
+   Conservative: requires all non-var fields equal.
+   Can be weakened later if a pass only needs partial field equality. *)
+Definition valid_state_rel_def:
+  valid_state_rel (R : venom_state -> venom_state -> bool) <=>
+    (* R preserves execution-relevant state fields *)
+    (!s1 s2. R s1 s2 ==>
+      s1.vs_call_ctx = s2.vs_call_ctx /\
+      s1.vs_tx_ctx = s2.vs_tx_ctx /\
+      s1.vs_block_ctx = s2.vs_block_ctx /\
+      s1.vs_accounts = s2.vs_accounts /\
+      s1.vs_memory = s2.vs_memory /\
+      s1.vs_storage = s2.vs_storage /\
+      s1.vs_transient = s2.vs_transient /\
+      s1.vs_returndata = s2.vs_returndata /\
+      s1.vs_halted = s2.vs_halted /\
+      s1.vs_prev_bb = s2.vs_prev_bb /\
+      s1.vs_current_bb = s2.vs_current_bb /\
+      s1.vs_inst_idx = s2.vs_inst_idx) /\
+    (* R closed under var update *)
+    (!s1 s2 x v. R s1 s2 ==> R (update_var x v s1) (update_var x v s2)) /\
+    (* R preserves eval_operand when operand var agrees *)
+    (!s1 s2 op. R s1 s2 /\
+       (!x. op = Var x ==> lookup_var x s1 = lookup_var x s2) ==>
+       eval_operand op s1 = eval_operand op s2) /\
+    (* R reflexive *)
+    (!s. R s s)
+End

venom/simulation/defs/passSimulationDefsScript.sml

@@ -0,0 +1,63 @@
+(*
+ * Pass Simulation Framework — Definitions
+ *
+ * Generic block→function lifting for pass correctness proofs,
+ * parameterized by state relation R.
+ *
+ * TOP-LEVEL:
+ *   lift_result                  — lift state relation R through exec_result
+ *   block_map_transform       — MAP f over block instructions
+ *   function_map_transform    — MAP bt over function blocks
+ *   inst_simulates            — per-instruction simulation predicate (param by R)
+ *   block_simulates           — whole-block simulation predicate (param by R)
+ *)
+
+Theory passSimulationDefs
+Ancestors
+  stateEquiv execEquiv venomSem venomInst
+
+(* ===== Result relation ===== *)
+
+(* Lift state relation R through exec_result.
+   result_equiv = lift_result state_equiv
+   result_equiv_except fresh = lift_result (state_equiv_except fresh) *)
+Definition lift_result_def:
+  lift_result R (OK s1) (OK s2) = R s1 s2 /\
+  lift_result R (Halt s1) (Halt s2) = R s1 s2 /\
+  lift_result R (Revert s1) (Revert s2) = R s1 s2 /\
+  lift_result R (Error e1) (Error e2) = T /\
+  lift_result R _ _ = F
+End
+
+(* ===== Transform definitions ===== *)
+
+(* Level 1: 1:1 instruction mapping *)
+Definition block_map_transform_def:
+  block_map_transform f bb =
+    bb with bb_instructions := MAP f bb.bb_instructions
+End
+
+(* Function transform: apply block transform to all blocks *)
+Definition function_map_transform_def:
+  function_map_transform bt fn =
+    fn with fn_blocks := MAP bt fn.fn_blocks
+End
+
+(* ===== Simulation predicates (parameterized by R) ===== *)
+
+(* Level 1: per-instruction simulation.
+   f preserves lift_result R for every instruction and state,
+   and preserves the is_terminator property. *)
+Definition inst_simulates_def:
+  inst_simulates R f <=>
+    (!inst s. lift_result R (step_inst inst s) (step_inst (f inst) s)) /\
+    (!inst. is_terminator inst.inst_opcode =
+            is_terminator (f inst).inst_opcode)
+End
+
+(* Level 2: whole-block simulation.
+   Running the transformed block gives an R-related result. *)
+Definition block_simulates_def:
+  block_simulates R bt <=>
+    !bb s. lift_result R (run_block bb s) (run_block (bt bb) s)
+End

venom/simulation/execEquivParamPropsScript.sml

@@ -0,0 +1,31 @@
+(*
+ * Parameterized Execution Equivalence — Properties (Statements Only)
+ *
+ * Re-exports from proofs/execEquivParamProofsScript.sml via ACCEPT_TAC.
+ *)
+
+Theory execEquivParamProps
+Ancestors
+  execEquivParamProofs
+
+Theorem step_inst_preserves_R:
+  !(R : venom_state -> venom_state -> bool) inst s1 s2.
+    valid_state_rel R /\ R s1 s2 /\
+    (!x. MEM (Var x) inst.inst_operands ==>
+         lookup_var x s1 = lookup_var x s2) ==>
+    lift_result R (step_inst inst s1) (step_inst inst s2)
+Proof
+  ACCEPT_TAC step_inst_preserves_R_proof
+QED
+
+Theorem state_equiv_valid_state_rel:
+  valid_state_rel state_equiv
+Proof
+  ACCEPT_TAC state_equiv_valid_state_rel_proof
+QED
+
+Theorem state_equiv_except_valid_state_rel:
+  !fresh. valid_state_rel (state_equiv_except fresh)
+Proof
+  ACCEPT_TAC state_equiv_except_valid_state_rel_proof
+QED

venom/simulation/passCompositionPropsScript.sml

@@ -0,0 +1,39 @@
+(*
+ * Analysis-Driven Pass Composition — Correctness (Statement Only)
+ *
+ * Re-exports from proofs/passCompositionProofsScript.sml via ACCEPT_TAC.
+ *)
+
+Theory passCompositionProps
+Ancestors
+  passCompositionProofs passSimulationProps
+
+Theorem analysis_pass_correct:
+  !(R : venom_state -> venom_state -> bool)
+   (leq : 'a -> 'a -> bool) m b
+   (process : 'c -> 'a -> 'a)
+   (deps : 'c -> 'c list)
+   (wl0 : 'c list) (st0 : 'a)
+   (all_lbls : 'c list)
+   (P : 'a -> bool)
+   (sound : 'a -> bool)
+   (transform : 'a -> basic_block -> basic_block).
+    (!lbl st. P st ==> leq st (process lbl st)) /\
+    (!lbl st. P st ==> P (process lbl st)) /\
+    P st0 /\
+    bounded_measure P leq m b /\
+    wl_deps_complete process deps /\
+    (!lbl. MEM lbl all_lbls ==> MEM lbl wl0) /\
+    (!st. is_fixpoint process all_lbls st ==> sound st) /\
+    (!analysis. sound analysis ==>
+       block_simulates R (transform analysis)) /\
+    (!analysis bb. (transform analysis bb).bb_label = bb.bb_label)
+  ==>
+    let analysis = SND (wl_iterate process deps wl0 st0) in
+    !fuel fn s.
+      lift_result R (run_function fuel fn s)
+                 (run_function fuel
+                   (function_map_transform (transform analysis) fn) s)
+Proof
+  ACCEPT_TAC analysis_pass_correct_proof
+QED

venom/simulation/passSimulationPropsScript.sml

@@ -0,0 +1,77 @@
+(*
+ * Pass Simulation Framework — Correctness (Statements Only)
+ *
+ * Re-exports from proofs/passSimulationProofsScript.sml via ACCEPT_TAC.
+ *)
+
+Theory passSimulationProps
+Ancestors
+  passSimulationProofs
+
+Theorem lookup_block_map:
+  !lbl bbs bt.
+    (!bb. (bt bb).bb_label = bb.bb_label) ==>
+    lookup_block lbl (MAP bt bbs) =
+      OPTION_MAP bt (lookup_block lbl bbs)
+Proof
+  ACCEPT_TAC lookup_block_map_proof
+QED
+
+Theorem lift_result_refl:
+  !(R : venom_state -> venom_state -> bool).
+    (!s. R s s) ==>
+    !r. lift_result R r r
+Proof
+  ACCEPT_TAC lift_result_refl_proof
+QED
+
+Theorem lift_result_trans:
+  !(R : venom_state -> venom_state -> bool).
+    (!s1 s2 s3. R s1 s2 /\ R s2 s3 ==> R s1 s3) ==>
+    !r1 r2 r3. lift_result R r1 r2 /\ lift_result R r2 r3 ==>
+               lift_result R r1 r3
+Proof
+  ACCEPT_TAC lift_result_trans_proof
+QED
+
+Theorem inst_sim_block_sim:
+  !(R : venom_state -> venom_state -> bool) f.
+    inst_simulates R f ==>
+    block_simulates R (block_map_transform f)
+Proof
+  ACCEPT_TAC inst_sim_block_sim_proof
+QED
+
+Theorem block_sim_function:
+  !(R : venom_state -> venom_state -> bool) bt.
+    block_simulates R bt /\
+    (!bb. (bt bb).bb_label = bb.bb_label) ==>
+    !fuel fn s.
+      lift_result R (run_function fuel fn s)
+                 (run_function fuel (function_map_transform bt fn) s)
+Proof
+  ACCEPT_TAC block_sim_function_proof
+QED
+
+Theorem conditional_inst_sim:
+  !(R : venom_state -> venom_state -> bool) f P.
+    (!s. R s s) /\
+    (!inst s. P inst ==>
+       lift_result R (step_inst inst s) (step_inst (f inst) s)) /\
+    (!inst. P inst ==>
+       is_terminator inst.inst_opcode =
+       is_terminator (f inst).inst_opcode) /\
+    (!inst. ~P inst ==> f inst = inst) ==>
+    inst_simulates R f
+Proof
+  ACCEPT_TAC conditional_inst_sim_proof
+QED
+
+Theorem block_sim_compose:
+  !(R : venom_state -> venom_state -> bool) bt1 bt2.
+    (!s1 s2 s3. R s1 s2 /\ R s2 s3 ==> R s1 s3) /\
+    block_simulates R bt1 /\ block_simulates R bt2 ==>
+    block_simulates R (bt2 o bt1)
+Proof
+  ACCEPT_TAC block_sim_compose_proof
+QED

venom/simulation/proofs/Holmakefile

@@ -0,0 +1,3 @@
+# Pass simulation and composition proofs
+INCLUDES = ../defs \
+           ../../analysis/dataflow/defs ../../analysis/dataflow/proofs ../../analysis/dataflow

venom/simulation/proofs/execEquivParamProofsScript.sml

@@ -0,0 +1,43 @@
+(*
+ * Parameterized Execution Equivalence — Proofs
+ *
+ * Master theorem: step_inst preserves any valid_state_rel R
+ * when operand variables agree.
+ *
+ * Instantiations: state_equiv and state_equiv_except both satisfy valid_state_rel.
+ *
+ * TOP-LEVEL:
+ *   step_inst_preserves_R              — master theorem
+ *   state_equiv_valid_state_rel        — state_equiv satisfies valid_state_rel
+ *   state_equiv_except_valid_state_rel — state_equiv_except satisfies valid_state_rel
+ *)
+
+Theory execEquivParamProofs
+Ancestors
+  execEquivParamDefs passSimulationDefs
+
+(* Master theorem: step_inst on R-related states with agreeing operand
+   vars produces lift_result R related results. *)
+Theorem step_inst_preserves_R_proof:
+  !(R : venom_state -> venom_state -> bool) inst s1 s2.
+    valid_state_rel R /\ R s1 s2 /\
+    (!x. MEM (Var x) inst.inst_operands ==>
+         lookup_var x s1 = lookup_var x s2) ==>
+    lift_result R (step_inst inst s1) (step_inst inst s2)
+Proof
+  cheat
+QED
+
+(* state_equiv satisfies valid_state_rel *)
+Theorem state_equiv_valid_state_rel_proof:
+  valid_state_rel state_equiv
+Proof
+  cheat
+QED
+
+(* state_equiv_except satisfies valid_state_rel for any fresh set *)
+Theorem state_equiv_except_valid_state_rel_proof:
+  !fresh. valid_state_rel (state_equiv_except fresh)
+Proof
+  cheat
+QED