2026-06-09 20:14:53 -07:00
|
|
|
|
import Spa.Analysis.Forward.Lattices
|
|
|
|
|
|
import Spa.Analysis.Forward.Evaluation
|
|
|
|
|
|
import Spa.Analysis.Forward.Adapters
|
|
|
|
|
|
import Spa.Fixedpoint
|
|
|
|
|
|
|
|
|
|
|
|
namespace Spa
|
|
|
|
|
|
|
2026-06-24 13:54:37 -05:00
|
|
|
|
namespace Forward
|
|
|
|
|
|
|
2026-06-25 18:42:28 -05:00
|
|
|
|
variable {L : Type} [FiniteHeightLattice L] {prog : Program} [E : StmtEvaluator L prog]
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
|
|
|
|
|
def updateVariablesForState (s : prog.State) (sv : StateVariables L prog) :
|
2026-06-30 23:21:00 -05:00
|
|
|
|
VariableValues L prog := E.eval s (variablesAt s sv)
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma updateVariablesForState_mono (s : prog.State) :
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
Monotone (updateVariablesForState (L := L) s) := fun _ _ hle =>
|
2026-06-30 23:21:00 -05:00
|
|
|
|
E.eval_mono s (variablesAt_le hle s)
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
|
|
|
|
|
def updateAll (sv : StateVariables L prog) : StateVariables L prog :=
|
2026-06-23 11:44:50 -05:00
|
|
|
|
FiniteMap.generalizedUpdate id updateVariablesForState
|
2026-06-09 20:14:53 -07:00
|
|
|
|
prog.states sv
|
|
|
|
|
|
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma updateAll_mono : Monotone (updateAll (L := L) (prog := prog)) :=
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
FiniteMap.generalizedUpdate_monotone monotone_id updateVariablesForState_mono
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma updateAll_mem_eq {s : prog.State} {vs : VariableValues L prog}
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
{sv : StateVariables L prog} (hmem : (s, vs) ∈ updateAll sv) :
|
|
|
|
|
|
vs = updateVariablesForState s sv :=
|
2026-06-09 20:14:53 -07:00
|
|
|
|
FiniteMap.generalizedUpdate_mem_eq (prog.states_complete s) hmem
|
|
|
|
|
|
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma variablesAt_updateAll (s : prog.State) (sv : StateVariables L prog) :
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
variablesAt s (updateAll sv) = updateVariablesForState s sv :=
|
|
|
|
|
|
updateAll_mem_eq (variablesAt_mem s (updateAll sv))
|
|
|
|
|
|
|
2026-06-09 20:14:53 -07:00
|
|
|
|
def analyze (sv : StateVariables L prog) : StateVariables L prog :=
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
updateAll (joinAll sv)
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma analyze_mono : Monotone (analyze (L := L) (prog := prog)) := fun _ _ hle =>
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
updateAll_mono (joinAll_mono hle)
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
variable [DecidableEq L]
|
|
|
|
|
|
|
|
|
|
|
|
variable (L prog) in
|
2026-06-09 20:14:53 -07:00
|
|
|
|
def result : StateVariables L prog :=
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
Fixedpoint.aFix analyze analyze_mono
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
variable (L prog) in
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma result_eq : result L prog = analyze (result L prog) :=
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
Fixedpoint.aFix_eq analyze analyze_mono
|
|
|
|
|
|
|
2026-06-25 13:59:08 -05:00
|
|
|
|
lemma joinForKey_initialState :
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
joinForKey prog.initialState (result L prog) = botV L prog := by
|
|
|
|
|
|
rw [joinForKey, prog.incoming_initialState_eq_nil]
|
|
|
|
|
|
rfl
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
2026-06-27 16:29:16 -05:00
|
|
|
|
class ValidStateEvaluator (L : Type) [FiniteHeightLattice L] (prog : Program)
|
2026-06-29 10:00:01 -05:00
|
|
|
|
[E : StmtEvaluator L prog] [S : StateInterpretation L prog] where
|
2026-07-01 22:56:29 -05:00
|
|
|
|
valid : ∀ (s₁ s₂ : prog.State) {ρ₁ ρ₂ ρ₃: Env}
|
|
|
|
|
|
{vs : VariableValues L prog},
|
|
|
|
|
|
(tr : Traceₗ prog.cfg s₁ s₂ ρ₁ ρ₂) →
|
|
|
|
|
|
(hbs : EvalBasicStmtOpt ρ₂ (prog.cfg.nodes s₂) ρ₃) → ⟦ vs ⟧ (S.Pre tr) →
|
|
|
|
|
|
⟦ E.eval s₂ vs ⟧ (S.Post (tr ++ hbs))
|
|
|
|
|
|
botV_init : ⟦ botV L prog ⟧ (S.Pre (Traceₗ.single prog.cfg prog.initialState []))
|
2026-06-27 16:29:16 -05:00
|
|
|
|
|
|
|
|
|
|
instance [LatticeInterpretation L] [ValidStmtEvaluator L prog] :
|
|
|
|
|
|
ValidStateEvaluator L prog where
|
2026-07-01 22:56:29 -05:00
|
|
|
|
valid := by intro _ _ _ _ _ _ tr hbs hvs; exact ValidStmtEvaluator.valid hbs hvs
|
2026-06-27 16:29:16 -05:00
|
|
|
|
botV_init := by intro k l _ v hmem; cases hmem
|
|
|
|
|
|
|
|
|
|
|
|
section
|
2026-06-29 10:00:01 -05:00
|
|
|
|
variable [S : StateInterpretation L prog] [V : ValidStateEvaluator L prog]
|
2026-06-27 16:29:16 -05:00
|
|
|
|
|
2026-06-25 18:42:28 -05:00
|
|
|
|
omit [DecidableEq L] in
|
2026-07-01 22:56:29 -05:00
|
|
|
|
lemma updateAll_matches {s₁ s₂ : prog.State} {sv : StateVariables L prog}
|
|
|
|
|
|
{ρ₁ ρ₂ ρ₃ : Env}
|
|
|
|
|
|
(tr : Traceₗ prog.cfg s₁ s₂ ρ₁ ρ₂)
|
|
|
|
|
|
(hnode : EvalBasicStmtOpt ρ₂ (prog.code s₂) ρ₃)
|
|
|
|
|
|
(hvs : ⟦ variablesAt s₂ sv ⟧ (S.Pre tr)) :
|
|
|
|
|
|
⟦ variablesAt s₂ (updateAll sv) ⟧ (S.Post (tr ++ hnode)) := by
|
2026-06-09 20:14:53 -07:00
|
|
|
|
rw [variablesAt_updateAll]
|
2026-07-01 22:56:29 -05:00
|
|
|
|
exact V.valid s₁ s₂ tr hnode hvs
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
2026-07-01 22:56:29 -05:00
|
|
|
|
lemma stepTrace {s₁ s₂ : prog.State} {ρ₁ ρ₂ : Env}
|
|
|
|
|
|
(tr : Traceₗ prog.cfg s₁ s₂ ρ₁ ρ₂)
|
|
|
|
|
|
(hjoin : ⟦ joinForKey s₂ (result L prog) ⟧ (S.Pre tr))
|
|
|
|
|
|
(hnode : EvalBasicStmtOpt ρ₂ (prog.code s₂) ρ₃) :
|
|
|
|
|
|
⟦ variablesAt s₂ (result L prog) ⟧ (S.Post (tr ++ hnode)) := by
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
rw [result_eq L prog]
|
2026-07-01 22:56:29 -05:00
|
|
|
|
refine updateAll_matches tr hnode ?_
|
2026-06-09 20:14:53 -07:00
|
|
|
|
rw [variablesAt_joinAll]
|
|
|
|
|
|
exact hjoin
|
|
|
|
|
|
|
2026-06-28 14:24:46 -05:00
|
|
|
|
/-- Soundness at *every* visited node: if the analysis result over-approximates the
|
|
|
|
|
|
incoming environment at the start of the trace, then at each node reached along the
|
|
|
|
|
|
way it over-approximates both the environment entering that node (via `joinForKey`)
|
|
|
|
|
|
and the environment leaving it (via `variablesAt`). The intermediate `variablesAt`
|
|
|
|
|
|
evidence used to be computed and discarded inside `walkTrace`; here it is returned. -/
|
2026-07-01 22:56:29 -05:00
|
|
|
|
lemma walkTrace_reaches {s₁ s₂ s₃: prog.State} {ρ₁ ρ₂ ρ₃: Env}
|
|
|
|
|
|
{s : prog.State} {ρin ρout : Env}
|
|
|
|
|
|
{tr : Trace prog.cfg s₂ s₃ ρ₂ ρ₃}
|
|
|
|
|
|
(hr : Reaches tr s ρin ρout)
|
|
|
|
|
|
(trₗ : Traceₗ prog.cfg s₁ s₂ ρ₁ ρ₂)
|
|
|
|
|
|
(hjoin : ⟦ joinForKey s₂ (result L prog) ⟧ (S.Pre trₗ)) :
|
|
|
|
|
|
⟦ joinForKey s (result L prog) ⟧ (S.Pre (trₗ ++ hr.pre))
|
|
|
|
|
|
∧ ⟦ variablesAt s (result L prog) ⟧ (S.Post (trₗ ++ hr.post)) := by
|
2026-06-28 14:24:46 -05:00
|
|
|
|
induction hr with
|
2026-07-01 22:56:29 -05:00
|
|
|
|
| single_here hnode =>
|
|
|
|
|
|
simp [Reaches.pre, Reaches.post]
|
|
|
|
|
|
refine ⟨?_, ?_⟩ <;> try simpa [HAppend.hAppend]
|
|
|
|
|
|
exact stepTrace trₗ hjoin hnode
|
|
|
|
|
|
| edge_here hnode hedge rest =>
|
|
|
|
|
|
simp [Reaches.pre, Reaches.post]
|
|
|
|
|
|
refine ⟨?_, ?_⟩ <;> try simpa [HAppend.hAppend]
|
|
|
|
|
|
exact stepTrace trₗ hjoin hnode
|
2026-06-28 14:24:46 -05:00
|
|
|
|
| edge_there hnode hedge rest hr' ih =>
|
2026-07-01 22:56:29 -05:00
|
|
|
|
have hstep := stepTrace trₗ hjoin hnode
|
2026-06-28 14:24:46 -05:00
|
|
|
|
have hmem := FiniteMap.mem_valuesAt prog.states_nodup
|
|
|
|
|
|
(prog.mem_incoming_of_edge hedge) (variablesAt_mem _ (result L prog))
|
2026-07-01 22:56:29 -05:00
|
|
|
|
simpa [Reaches.pre, Reaches.post, HAppend.hAppend] using
|
|
|
|
|
|
ih ((trₗ ++ hnode).addEdge hedge)
|
|
|
|
|
|
(interp_foldr (S.post_pre (trₗ ++ hnode) hedge hstep) hmem)
|
2026-06-28 14:24:46 -05:00
|
|
|
|
|
|
|
|
|
|
omit [DecidableEq L] in
|
|
|
|
|
|
/-- The final node of a trace is always reached, with the environment/state the trace
|
|
|
|
|
|
ends in. Used to recover the final-state soundness theorem from `walkTrace_reaches`. -/
|
2026-07-01 22:56:29 -05:00
|
|
|
|
def reaches_final {s₁ s₂ : prog.State} {ρ₁ ρ₂ : Env}
|
2026-06-25 09:45:30 -05:00
|
|
|
|
(tr : Trace prog.cfg s₁ s₂ ρ₁ ρ₂) :
|
2026-07-01 22:56:29 -05:00
|
|
|
|
Σ ρin, Reaches tr s₂ ρin ρ₂ :=
|
|
|
|
|
|
match tr with
|
|
|
|
|
|
| .single hnode => ⟨_, .single_here hnode⟩
|
|
|
|
|
|
| .edge hnode hedge rest =>
|
|
|
|
|
|
let ⟨ρin, r'⟩ := reaches_final rest; ⟨ρin, .edge_there hnode hedge _ r'⟩
|
2026-06-27 16:29:16 -05:00
|
|
|
|
|
2026-07-02 09:01:09 -05:00
|
|
|
|
omit [DecidableEq L] in
|
|
|
|
|
|
/-- Reaching the final node covers the whole trace. -/
|
|
|
|
|
|
@[simp] lemma reaches_final_post {s₁ s₂ : prog.State} {ρ₁ ρ₂ : Env}
|
|
|
|
|
|
(tr : Trace prog.cfg s₁ s₂ ρ₁ ρ₂) :
|
|
|
|
|
|
(reaches_final tr).2.post = tr := by
|
|
|
|
|
|
induction tr with
|
|
|
|
|
|
| single hnode => rfl
|
|
|
|
|
|
| edge hnode hedge rest ih => simp [reaches_final, Reaches.post, ih]
|
|
|
|
|
|
|
2026-06-28 14:24:46 -05:00
|
|
|
|
variable (L prog) in
|
|
|
|
|
|
/-- Soundness at every program point reached during execution: for any node `s` visited
|
|
|
|
|
|
by the run `hrun` (witnessed by `hr`), the analysis result over-approximates both the
|
|
|
|
|
|
environment entering `s` and the one leaving it. The final-state theorem
|
|
|
|
|
|
`analyze_correct_state` is the special case where `s` is `prog.finalState`. -/
|
|
|
|
|
|
theorem analyze_correct_at {ρf : Env} (hrun : EvalStmt [] prog.rootStmt ρf)
|
2026-07-01 22:56:29 -05:00
|
|
|
|
{s : prog.State} {ρin ρout : Env}
|
|
|
|
|
|
(hr : Reaches (prog.trace hrun) s ρin ρout) :
|
|
|
|
|
|
⟦ joinForKey s (result L prog) ⟧ (S.Pre hr.pre)
|
|
|
|
|
|
∧ ⟦ variablesAt s (result L prog) ⟧ (S.Post hr.post) := by
|
|
|
|
|
|
refine walkTrace_reaches hr (Traceₗ.single _ _ []) ?_
|
2026-06-28 14:24:46 -05:00
|
|
|
|
rw [joinForKey_initialState]
|
|
|
|
|
|
exact ValidStateEvaluator.botV_init
|
|
|
|
|
|
|
2026-07-01 22:56:29 -05:00
|
|
|
|
variable (L prog) in
|
|
|
|
|
|
theorem analyze_correct'
|
|
|
|
|
|
{ρ : Env} (hrun : EvalStmt [] prog.rootStmt ρ) :
|
2026-07-02 09:01:09 -05:00
|
|
|
|
⟦ variablesAt prog.finalState (result L prog) ⟧ (S.Post (prog.trace hrun)) := by
|
|
|
|
|
|
have h := (analyze_correct_at L prog hrun (reaches_final (prog.trace hrun)).2).2
|
|
|
|
|
|
rwa [reaches_final_post] at h
|
2026-07-01 22:56:29 -05:00
|
|
|
|
|
2026-06-27 16:29:16 -05:00
|
|
|
|
end
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
Lean migration: typeclass-based parameter passing, as in the Agda original
The port had flattened Agda's instance arguments ({{flA}}, {{evaluator}},
{{latticeInterpretation}}, {{validEvaluator}}) into explicitly threaded
values (fhL, E, I, hE). Restore them as typeclasses:
- Spa.FiniteHeightLattice: now actually used — Fixedpoint takes the
instance instead of a FixedHeight value; FiniteMap gets the missing
instance (height = ks.length * height B), so varsFixedHeight /
statesFixedHeight / signFixedHeight / constFixedHeight plumbing
disappears (instance bottoms are defeq to the old ones)
- Spa.Analysis.Forward.Evaluation: StmtEvaluator/ExprEvaluator become
classes; the Valid* Props become Prop-classes, as in Agda
- Spa.Analysis.Forward.Adapters: the expr→stmt adapter and its validity
are instances (Agda: the ExprToStmtAdapter instances)
- LatticeInterpretation is a class; sign/const interpretations,
evaluators and validity proofs are instances; use sites read like the
Agda module applications: result SignLattice prog
Proof simplifications (same theorems, proofs factored):
- Spa.Lattice.AboveBelow.monotone₂_of_strict: any ⊥-strict/⊤-dominated
operation on a flat lattice is monotone — replaces the four near-
identical case bashes per analysis (postulates in Agda)
- Spa.Lattice.AboveBelow.interp_sup_of/interp_inf_of: the shared flat-
lattice interpretation case analysis, making interpSign_sup/inf and
interpConst_sup/inf one-liners
lake build green with zero warnings; lake exe spa output verified
byte-identical (diff) to the previous, Agda-verified output.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 23:32:38 -07:00
|
|
|
|
variable (L prog) in
|
2026-06-27 16:29:16 -05:00
|
|
|
|
theorem analyze_correct [LatticeInterpretation L] [ValidStmtEvaluator L prog]
|
|
|
|
|
|
{ρ : Env} (hrun : EvalStmt [] prog.rootStmt ρ) :
|
2026-07-01 22:56:29 -05:00
|
|
|
|
⟦ variablesAt prog.finalState (result L prog) ⟧ ρ :=
|
|
|
|
|
|
analyze_correct' L prog hrun
|
2026-06-09 20:14:53 -07:00
|
|
|
|
|
2026-06-24 13:54:37 -05:00
|
|
|
|
end Forward
|
|
|
|
|
|
|
2026-06-09 20:14:53 -07:00
|
|
|
|
end Spa
|