1 (**************************************************************************)
4 (* ||A|| A project by Andrea Asperti *)
6 (* ||I|| Developers: *)
7 (* ||T|| The HELM team. *)
8 (* ||A|| http://helm.cs.unibo.it *)
10 (* \ / This file is distributed under the terms of the *)
11 (* v GNU General Public License Version 2 *)
13 (**************************************************************************)
15 (* ********************************************************************** *)
16 (* Progetto FreeScale *)
19 (* Cosimo Oliboni, oliboni@cs.unibo.it *)
21 (* Questo materiale fa parte della tesi: *)
22 (* "Formalizzazione Interattiva dei Microcontroller a 8bit FreeScale" *)
24 (* data ultima modifica 15/11/2007 *)
25 (* ********************************************************************** *)
27 include "freescale/byte8.ma".
29 (* ********************** *)
30 (* DEFINIZIONE DELLE WORD *)
31 (* ********************** *)
33 record word16 : Type ≝
40 notation "〈x:y〉" non associative with precedence 80
41 for @{ 'mk_word16 $x $y }.
42 interpretation "mk_word16" 'mk_word16 x y =
43 (cic:/matita/freescale/word16/word16.ind#xpointer(1/1/1) x y).
46 definition eq_w16 ≝ λw1,w2.(eq_b8 (w16h w1) (w16h w2)) ⊗ (eq_b8 (w16l w1) (w16l w2)).
50 λw1,w2:word16.match lt_b8 (w16h w1) (w16h w2) with
52 | false ⇒ match gt_b8 (w16h w1) (w16h w2) with
54 | false ⇒ lt_b8 (w16l w1) (w16l w2) ]].
57 definition le_w16 ≝ λw1,w2:word16.(eq_w16 w1 w2) ⊕ (lt_w16 w1 w2).
60 definition gt_w16 ≝ λw1,w2:word16.⊖ (le_w16 w1 w2).
63 definition ge_w16 ≝ λw1,w2:word16.⊖ (lt_w16 w1 w2).
67 λw1,w2:word16.mk_word16 (and_b8 (w16h w1) (w16h w2)) (and_b8 (w16l w1) (w16l w2)).
71 λw1,w2:word16.mk_word16 (or_b8 (w16h w1) (w16h w2)) (or_b8 (w16l w1) (w16l w2)).
75 λw1,w2:word16.mk_word16 (xor_b8 (w16h w1) (w16h w2)) (xor_b8 (w16l w1) (w16l w2)).
77 (* operatore rotazione destra con carry *)
79 λw:word16.λc:bool.match rcr_b8 (w16h w) c with
80 [ pair wh' c' ⇒ match rcr_b8 (w16l w) c' with
81 [ pair wl' c'' ⇒ pair ?? (mk_word16 wh' wl') c'' ]].
83 (* operatore shift destro *)
85 λw:word16.match rcr_b8 (w16h w) false with
86 [ pair wh' c' ⇒ match rcr_b8 (w16l w) c' with
87 [ pair wl' c'' ⇒ pair ?? (mk_word16 wh' wl') c'' ]].
89 (* operatore rotazione destra *)
91 λw:word16.match rcr_b8 (w16h w) false with
92 [ pair wh' c' ⇒ match rcr_b8 (w16l w) c' with
93 [ pair wl' c'' ⇒ match c'' with
94 [ true ⇒ mk_word16 (or_b8 (mk_byte8 x8 x0) wh') wl'
95 | false ⇒ mk_word16 wh' wl' ]]].
97 (* operatore rotazione destra n-volte *)
98 let rec ror_w16_n (w:word16) (n:nat) on n ≝
101 | S n' ⇒ ror_w16_n (ror_w16 w) n' ].
103 (* operatore rotazione sinistra con carry *)
105 λw:word16.λc:bool.match rcl_b8 (w16l w) c with
106 [ pair wl' c' ⇒ match rcl_b8 (w16h w) c' with
107 [ pair wh' c'' ⇒ pair ?? (mk_word16 wh' wl') c'' ]].
109 (* operatore shift sinistro *)
111 λw:word16.match rcl_b8 (w16l w) false with
112 [ pair wl' c' ⇒ match rcl_b8 (w16h w) c' with
113 [ pair wh' c'' ⇒ pair ?? (mk_word16 wh' wl') c'' ]].
115 (* operatore rotazione sinistra *)
117 λw:word16.match rcl_b8 (w16l w) false with
118 [ pair wl' c' ⇒ match rcl_b8 (w16h w) c' with
119 [ pair wh' c'' ⇒ match c'' with
120 [ true ⇒ mk_word16 wh' (or_b8 (mk_byte8 x0 x1) wl')
121 | false ⇒ mk_word16 wh' wl' ]]].
123 (* operatore rotazione sinistra n-volte *)
124 let rec rol_w16_n (w:word16) (n:nat) on n ≝
127 | S n' ⇒ rol_w16_n (rol_w16 w) n' ].
129 (* operatore not/complemento a 1 *)
131 λw:word16.mk_word16 (not_b8 (w16h w)) (not_b8 (w16l w)).
133 (* operatore somma con carry *)
134 definition plus_w16 ≝
135 λw1,w2:word16.λc:bool.
136 match plus_b8 (w16l w1) (w16l w2) c with
137 [ pair l c' ⇒ match plus_b8 (w16h w1) (w16h w2) c' with
138 [ pair h c'' ⇒ pair ?? (mk_word16 h l) c'' ]].
140 (* operatore somma senza carry *)
141 definition plus_w16nc ≝
142 λw1,w2:word16.fst ?? (plus_w16 w1 w2 false).
144 (* operatore carry della somma *)
145 definition plus_w16c ≝
146 λw1,w2:word16.snd ?? (plus_w16 w1 w2 false).
148 (* operatore Most Significant Bit *)
149 definition MSB_w16 ≝ λw:word16.eq_ex x8 (and_ex x8 (b8h (w16h w))).
151 (* word → naturali *)
152 definition nat_of_word16 ≝ λw:word16. 256 * (w16h w) + (nat_of_byte8 (w16l w)).
154 coercion cic:/matita/freescale/word16/nat_of_word16.con.
156 (* naturali → word *)
157 definition word16_of_nat ≝
158 λn.mk_word16 (byte8_of_nat (n / 256)) (byte8_of_nat n).
160 (* operatore predecessore *)
161 definition pred_w16 ≝
162 λw:word16.match eq_b8 (w16l w) (mk_byte8 x0 x0) with
163 [ true ⇒ mk_word16 (pred_b8 (w16h w)) (pred_b8 (w16l w))
164 | false ⇒ mk_word16 (w16h w) (pred_b8 (w16l w)) ].
166 (* operatore successore *)
167 definition succ_w16 ≝
168 λw:word16.match eq_b8 (w16l w) (mk_byte8 xF xF) with
169 [ true ⇒ mk_word16 (succ_b8 (w16h w)) (succ_b8 (w16l w))
170 | false ⇒ mk_word16 (w16h w) (succ_b8 (w16l w)) ].
172 (* operatore neg/complemento a 2 *)
173 definition compl_w16 ≝
174 λw:word16.match MSB_w16 w with
175 [ true ⇒ succ_w16 (not_w16 w)
176 | false ⇒ not_w16 (pred_w16 w) ].
179 operatore moltiplicazione senza segno: b*b=[0x0000,0xFE01]
180 ... in pratica (〈a,b〉*〈c,d〉) = (a*c)<<8+(a*d)<<4+(b*c)<<4+(b*d)
183 λb1,b2:byte8.match b1 with
184 [ mk_byte8 b1h b1l ⇒ match b2 with
185 [ mk_byte8 b2h b2l ⇒ match mul_ex b1l b2l with
186 [ mk_byte8 t1_h t1_l ⇒ match mul_ex b1h b2l with
187 [ mk_byte8 t2_h t2_l ⇒ match mul_ex b2h b1l with
188 [ mk_byte8 t3_h t3_l ⇒ match mul_ex b1h b2h with
189 [ mk_byte8 t4_h t4_l ⇒
192 (plus_w16nc 〈〈t4_h,t4_l〉:〈x0,x0〉〉 〈〈x0,t3_h〉:〈t3_l,x0〉〉) 〈〈x0,t2_h〉:〈t2_l,x0〉〉)〈〈x0,x0〉:〈t1_h,t1_l〉〉
195 (* divisione senza segno (secondo la logica delle ALU): (quoziente resto) overflow *)
197 λw:word16.λb:byte8.match eq_b8 b 〈x0,x0〉 with
199 la combinazione n/0 e' illegale, segnala solo overflow senza dare risultato
201 [ true ⇒ tripleT ??? 〈xF,xF〉 (w16l w) true
202 | false ⇒ match eq_w16 w 〈〈x0,x0〉:〈x0,x0〉〉 with
203 (* 0 diviso qualsiasi cosa diverso da 0 da' q=0 r=0 o=false *)
204 [ true ⇒ tripleT ??? 〈x0,x0〉 〈x0,x0〉 false
205 (* 1) e' una divisione sensata che produrra' overflow/risultato *)
206 (* 2) parametri: dividendo, divisore, moltiplicatore, quoziente, contatore *)
207 (* 3) ad ogni ciclo il divisore e il moltiplicatore vengono scalati di 1 a dx *)
208 (* 4) il moltiplicatore e' la quantita' aggiunta al quoziente se il divisore *)
209 (* puo' essere sottratto al dividendo *)
210 | false ⇒ let rec aux (divd:word16) (divs:word16) (molt:byte8) (q:byte8) (c:nat) on c ≝
211 let w' ≝ plus_w16nc divd (compl_w16 divs) in
213 [ O ⇒ match le_w16 divs divd with
214 [ true ⇒ tripleT ??? (or_b8 molt q) (w16l w') (⊖ (eq_b8 (w16h w') 〈x0,x0〉))
215 | false ⇒ tripleT ??? q (w16l divd) (⊖ (eq_b8 (w16h divd) 〈x0,x0〉)) ]
216 | S c' ⇒ match le_w16 divs divd with
217 [ true ⇒ aux w' (ror_w16 divs) (ror_b8 molt) (or_b8 molt q) c'
218 | false ⇒ aux divd (ror_w16 divs) (ror_b8 molt) q c' ]]
219 in aux w (rol_w16_n 〈〈x0,x0〉:b〉 7) 〈x8,x0〉 〈x0,x0〉 7 ]].
221 (* operatore x in [inf,sup] *)
222 definition in_range ≝
223 λx,inf,sup:word16.(le_w16 inf sup) ⊗ (ge_w16 x inf) ⊗ (le_w16 x sup).
225 (* iteratore sulle word *)
226 definition forall_word16 ≝
230 P (mk_word16 bh bl ))).
232 (* ********************** *)
233 (* TEOREMI/LEMMMI/ASSIOMI *)
234 (* ********************** *)
236 (* TODO: dimostrare diversamente *)
237 axiom word16_of_nat_nat_of_word16: ∀b. word16_of_nat (nat_of_word16 b) = b.
239 (* TODO: dimostrare diversamente *)
240 axiom lt_nat_of_word16_65536: ∀b. nat_of_word16 b < (256 * 256).
242 (* TODO: dimostrare diversamente *)
243 axiom nat_of_word16_word16_of_nat: ∀n. nat_of_word16 (word16_of_nat n) = n \mod (256 * 256).
245 (* TODO: dimostrare diversamente *)
246 axiom eq_nat_of_word16_n_nat_of_word16_mod_n_65536:
247 ∀n. word16_of_nat n = word16_of_nat (n \mod (256 * 256)).
251 match plus_w16 b1 b2 c with
252 [ pair r c' ⇒ b1 + b2 + nat_of_bool c = nat_of_word16 r + nat_of_bool c' * (256 * 256)
257 (* TODO: dimostrare diversamente *)
259 ∀b. plus_w16 (mk_word16 (mk_byte8 x0 x0) (mk_byte8 x0 x0)) b false = pair ?? b false.
262 ∀x. plus_w16nc (mk_word16 (mk_byte8 x0 x0) (mk_byte8 x0 x0)) x = x.
265 rewrite > plusw16_O_x;
269 (* TODO: dimostrare diversamente *)
270 axiom eq_nat_of_word16_mod: ∀b. nat_of_word16 b = nat_of_word16 b \mod (256 * 256).
272 (* TODO: dimostrare diversamente *)
274 ∀b1,b2:word16. nat_of_word16 (plus_w16nc b1 b2) = (b1 + b2) \mod (256 * 256).
276 (* TODO: dimostrare diversamente *)
277 axiom eq_eqw16_x0_x0_x0_x0_word16_of_nat_S_false:
278 ∀b. b < (256 * 256 - 1) → eq_w16 (mk_word16 (mk_byte8 x0 x0) (mk_byte8 x0 x0)) (word16_of_nat (S b)) = false.
280 axiom eq_mod_O_to_exists: ∀n,m. n \mod m = 0 → ∃z. n = z*m.
282 (* TODO: dimostrare diversamente *)
283 axiom eq_w16pred_S_a_a:
284 ∀a. a < (256 * 256 - 1) → pred_w16 (word16_of_nat (S a)) = word16_of_nat a.
286 (* TODO: dimostrare diversamente *)
288 ∀x:word16.∀n.plus_w16nc (word16_of_nat (x*n)) x = word16_of_nat (x * S n).
290 (* TODO: dimostrare diversamente *)
291 axiom eq_plusw16c_x0_x0_x0_x0_x_false:
292 ∀x.plus_w16c (mk_word16 (mk_byte8 x0 x0) (mk_byte8 x0 x0)) x = false.
294 (* TODO: dimostrare diversamente *)
295 axiom eqw16_true_to_eq: ∀b,b'. eq_w16 b b' = true → b=b'.
297 (* TODO: dimostrare diversamente *)
298 axiom eqw16_false_to_not_eq: ∀b,b'. eq_w16 b b' = false → b ≠ b'.
300 (* TODO: dimostrare diversamente *)
301 axiom word16_of_nat_mod: ∀n.word16_of_nat n = word16_of_nat (n \mod (256 * 256)).
306 lemma ok_mul_b8: ∀b1,b2:byte8. nat_of_word16 (mul_b8 b1 b2) = b1 * b2.
310 change in ⊢ (? ? (? %) ?) with
311 (match mul_ex b1l b2l with
312 [ mk_byte8 t1_h t1_l ⇒ match mul_ex b1h b2l with
313 [ mk_byte8 t2_h t2_l ⇒ match mul_ex b2h b1l with
314 [ mk_byte8 t3_h t3_l ⇒ match mul_ex b1h b2h with
315 [ mk_byte8 t4_h t4_l ⇒
318 (plus_w16nc 〈〈t4_h,t4_l〉:〈x0,x0〉〉 〈〈x0,t3_h〉:〈t3_l,x0〉〉) 〈〈x0,t2_h〉:〈t2_l,x0〉〉)〈〈x0,x0〉:〈t1_h,t1_l〉〉
320 lapply (ok_mul_ex b1l b2l) as ll;
321 lapply (ok_mul_ex b1h b2l) as hl;
322 lapply (ok_mul_ex b2h b1l) as lh;
323 lapply (ok_mul_ex b1h b2h) as hh;
324 elim (mul_ex b1l b2l) (t1_h t1_l);
325 change in ⊢ (? ? (? %) ?) with
326 (match mul_ex b1h b2l with
327 [ mk_byte8 t2_h t2_l ⇒ match mul_ex b2h b1l with
328 [ mk_byte8 t3_h t3_l ⇒ match mul_ex b1h b2h with
329 [ mk_byte8 t4_h t4_l ⇒
332 (plus_w16nc 〈〈t4_h,t4_l〉:〈x0,x0〉〉 〈〈x0,t3_h〉:〈t3_l,x0〉〉) 〈〈x0,t2_h〉:〈t2_l,x0〉〉)〈〈x0,x0〉:〈t1_h,t1_l〉〉
334 elim (mul_ex b1h b2l) (t2_h t2_l);
335 change in ⊢ (? ? (? %) ?) with
336 (match mul_ex b2h b1l with
337 [ mk_byte8 t3_h t3_l ⇒ match mul_ex b1h b2h with
338 [ mk_byte8 t4_h t4_l ⇒
341 (plus_w16nc 〈〈t4_h,t4_l〉:〈x0,x0〉〉 〈〈x0,t3_h〉:〈t3_l,x0〉〉) 〈〈x0,t2_h〉:〈t2_l,x0〉〉)〈〈x0,x0〉:〈t1_h,t1_l〉〉
343 elim (mul_ex b2h b1l) (t3_h t3_l);
344 change in ⊢ (? ? (? %) ?) with
345 (match mul_ex b1h b2h with
346 [ mk_byte8 t4_h t4_l ⇒
349 (plus_w16nc 〈〈t4_h,t4_l〉:〈x0,x0〉〉 〈〈x0,t3_h〉:〈t3_l,x0〉〉) 〈〈x0,t2_h〉:〈t2_l,x0〉〉)〈〈x0,x0〉:〈t1_h,t1_l〉〉
351 elim (mul_ex b1h b2h) (t4_h t4_l);
352 change in ⊢ (? ? (? %) ?) with
355 (plus_w16nc 〈〈t4_h,t4_l〉:〈x0,x0〉〉 〈〈x0,t3_h〉:〈t3_l,x0〉〉) 〈〈x0,t2_h〉:〈t2_l,x0〉〉)〈〈x0,x0〉:〈t1_h,t1_l〉〉);
356 do 3 (rewrite > plusw16nc_ok);
357 unfold nat_of_word16;
359 simplify in ⊢ (? ? (? (? (? (? (? (? (? (? ? (? (? ? (? (? %))) ?)) ?) ?) ?) ?) ?) ?) ?) ?);
360 simplify in ⊢ (? ? (? (? (? (? (? (? (? ? (? (? ? (? (? %))) ?)) ?) ?) ?) ?) ?) ?) ?);
361 simplify in ⊢ (? ? (? (? (? (? (? (? (? ? (? ? (? (? %)))) ?) ?) ?) ?) ?) ?) ?);
362 whd in ⊢ (? ? (? (? (? (? (? (? (? ? (? ? %)) ?) ?) ?) ?) ?) ?) ?);
363 whd in ⊢ (? ? (? (? (? (? (? (? (? ? %) ?) ?) ?) ?) ?) ?) ?);
364 simplify in ⊢ (? ? (? (? ? (? (? ? (? (? ? (? %)) ?)) ?)) ?) ?);
365 simplify in ⊢ (? ? (? (? ? (? (? ? (? ? (? (? %)))) ?)) ?) ?);
366 simplify in ⊢ (? ? (? (? ? (? (? ? (? ? %)) ?)) ?) ?);
367 whd in ⊢ (? ? (? (? ? (? % ?)) ?) ?);
368 simplify in ⊢ (? ? (? (? ? (? ? (? (? ? (? (? %))) ?))) ?) ?);
369 simplify in ⊢ (? ? (? (? ? (? ? (? ? (? (? %))))) ?) ?);
370 simplify in ⊢ (? ? ? (? (? (? ? (? %)) ?) ?));
371 simplify in ⊢ (? ? ? (? (? ? (? %)) ?));
372 simplify in ⊢ (? ? ? (? ? (? (? ? (? %)) ?)));
373 simplify in ⊢ (? ? ? (? ? (? ? (? %))));
374 simplify in ⊢ (? ? (? (? ? (? ? (? (? ? (? %)) ?))) ?) ?);
375 simplify in ⊢ (? ? (? (? ? (? ? (? ? (? %)))) ?) ?);
376 simplify in ⊢ (? ? (? (? (? (? ? (? ? (? ? (? %)))) ?) ?) ?) ?);
377 simplify in ⊢ (? ? (? (? (? (? ? (? ? (? (? ? (? %)) ?))) ?) ?) ?) ?);
378 simplify in ⊢ (? ? (? (? (? (? ? (? (? ? (? ? (? %))) ?)) ?) ?) ?) ?);
379 simplify in ⊢ (? ? (? (? (? (? ? (? (? ? (? (? ? (? %)) ?)) ?)) ?) ?) ?) ?);
380 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? ? (? ? (? %)))) ?) ?) ?) ?) ?) ?);
381 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? (? ? (? ? (? %))) ?)) ?) ?) ?) ?) ?) ?);
382 simplify in ⊢ (? ? (? (? (? (? (? (? (? (? ? (? (? ? (? %)) ?)) ?) ?) ?) ?) ?) ?) ?) ?);
383 simplify in ⊢ (? ? (? (? (? (? (? (? (? (? ? (? ? (? %))) ?) ?) ?) ?) ?) ?) ?) ?);
384 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? ? (? (? ? (? %)) ?))) ?) ?) ?) ?) ?) ?);
385 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? (? ? (? (? ? (? %)) ?)) ?)) ?) ?) ?) ?) ?) ?);
387 change in ⊢ (? ? (? (? ? %) ?) ?) with (16*nat_of_exadecim t1_h+nat_of_exadecim t1_l);
388 unfold nat_of_byte8 in H H1 H2 H3;
389 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? (? ? (? (? ? %) ?)) ?)) ?) ?) ?) ?) ?) ?);
390 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? ? (? ? %))) ?) ?) ?) ?) ?) ?);
391 simplify in ⊢ (? ? (? (? (? (? ? (? (? ? (? (? ? %) ?)) ?)) ?) ?) ?) ?);
392 simplify in ⊢ (? ? (? (? (? (? ? (? ? (? ? %))) ?) ?) ?) ?);
395 simplify in ⊢ (? ? (? (? (? (? (? (? ? (? (? ? %) ?)) ?) ?) ?) ?) ?) ?);
396 simplify in ⊢ (? ? (? (? (? (? ? (? (? ? %) ?)) ?) ?) ?) ?);