feat(formal): real-lift R-mem (kernel) — linear memory + heap tuple round-trips#666
Merged
Merged
Conversation
…ound-trips
Fifth rung of the real lift (formal/REAL-LIFT.adoc): linear memory. Establishes
the word-addressed heap and the deterministic cell layout the codegen's
elaboration nodes assume — the precondition for arrays/records/strings/floats.
Axiom-free.
Target IR (RealWasm.v):
- adds the faithful lib/wasm.ml memory instructions `I32Load (off)` /
`I32Store (off)` to `instr` (+ dead `step1` arms). Zero blast radius — the
proven wexec/cexec/compile_correct/compile_stmt_correct all still compile.
R-mem kernel (new file RealMem.v):
- word-addressed memory `mem := list Z` (cell = one i32), `mem_get`/`mem_set`
with the heap round-trip lemmas (get-after-set same/other, length) reused
directly from RealWasm's `set_nth_eq`/`set_nth_neq`/`set_nth_length`.
- a bump allocator `alloc n m = (length m, m ++ repeat 0 n)` (base = current
size) with base/length lemmas.
- the memory-aware executor `mexec`: because memory ops are *straight-line*
(no nested control), `mexec` is a **structural** Fixpoint on the instruction
list — no fuel needed, unlike R2's wexec / R2-loops' cexec. `I32Load off`
pops addr a and pushes mem[Z.to_nat a + off]; `I32Store off` pops value then
addr and writes mem[Z.to_nat a + off]; everything else defers to the
memory-free `step1`. Plus the clean structural sequencing lemma `mexec_app`.
- `mexec_store_then_load` — storing v at a fresh in-range cell then loading it
back yields v (set_nth's get-after-set lifted through mexec).
- `mexec_pair_build_proj` — build a 2-cell tuple at `base` (store v0 at base+0,
v1 at base+1) then project BOTH fields back: the `field i at base+i` heap
layout, proved as a get-after-set round-trip (Nat2Z.id discharges the
Z.of_nat/Z.to_nat address round-trip).
Whole formal/ track re-audited: **20 files, 35 `Print Assumptions` closure
reports, all "Closed under the global context" — zero axioms, no Admitted.**
Remaining R-mem (next sub-rungs): runtime `memory.grow`/`size` allocator
instruction, byte-granular layout, control-bearing field expressions (fuse
`mexec` with the R2-loops `cexec`), and the full source
`tuple`/`array`/`record` + indexing/field-access compile-correctness. Then
R-float / R-str / R-call per the ladder.
Refs REAL-LIFT.adoc, docs/PROOF-NEEDS.adoc (K-1 row).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KPG9mEQXFyA3k7NWAzMNMr
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fifth rung of the real lift (
formal/REAL-LIFT.adoc): linear memory — the word-addressed heap and the deterministic cell layout (field i at base+i) the codegen's elaboration nodes assume, the precondition for arrays/records/strings/floats. Axiom-free.What landed
Target IR (
RealWasm.v)lib/wasm.mlmemory instructionsI32Load (off)/I32Store (off)toinstr(+ deadstep1arms). Zero blast radius —wexec,cexec,compile_correct, andcompile_stmt_correctall still compile unchanged.R-mem kernel (new file
RealMem.v)mem := list Z(each cell one i32), withmem_get/mem_setand the heap round-trip lemmas (get-after-set same/other, length) reused directly from RealWasm'sset_nth_eq/set_nth_neq/set_nth_length.alloc n m = (length m, m ++ repeat 0 n)(base = current size) with base/length lemmas.mexec— because memory ops are straight-line (no nested control),mexecis a structuralFixpointon the instruction list, no fuel needed (unlike R2'swexec/ R2-loops'cexec).I32Load offpops addra, pushesmem[⌊a⌋+off];I32Store offpops value then addr, writesmem[⌊a⌋+off]; everything else defers to the memory-freestep1. Plus the clean structural sequencing lemmamexec_app.mexec_store_then_load— storingvat a fresh in-range cell then loading it back yieldsv(set_nth's get-after-set, lifted throughmexec).mexec_pair_build_proj— build a 2-cell tuple atbase(storev0atbase+0,v1atbase+1) then project both fields back: thefield i at base+iheap layout, proved as a get-after-set round-trip (Nat2Z.iddischarges theZ.of_nat/Z.to_nataddress round-trip).Verification
coqc8.18, wholeformal/track re-audited against currentmain:Print Assumptionsreports, every one "Closed under the global context" — zero axioms, noAdmitted.Docs
formal/REAL-LIFT.adoc(R-mem row ⏳ + §8 status),formal/README.adoc(RealMem row + "real lift R0 → R-mem"),docs/PROOF-NEEDS.adoc(counts 19→20 / 33→35)._CoqProject/justfile/.hypatia-ignorewireRealMem.vin.Remaining R-mem (next sub-rungs)
Runtime
memory.grow/sizeallocator instruction; byte-granular layout; control-bearing field expressions (fusemexecwith the R2-loopscexec); and the full sourcetuple/array/record+ indexing/field-access compile-correctness. Then R-float / R-str / R-call per the ladder.Refs
REAL-LIFT.adoc,docs/PROOF-NEEDS.adoc(K-1 row).🤖 Generated with Claude Code
https://claude.ai/code/session_01KPG9mEQXFyA3k7NWAzMNMr
Generated by Claude Code