(in-package "JVM")
(include-book "../M6-DJVM-shared/jvm-class-table")
(include-book "../M6-DJVM-shared/jvm-type-value")
(include-book "ordinals/e0-ordinal" :dir :system)
(set-well-founded-relation e0-ord-<)
(acl2::set-verify-guards-eagerness 2)
;;; Tue Jan 13 15:43:53 2004 WE need some major fix of this. We need to reuse
;;; consistent-state's definition.
;;;
;;;; I don't think this will affect much. (It can)
;;;;
;;;;; Major dependency in jvm-linker!!
;;;;; jvm-object-manipulation-primitives!!
;;;;; NOTE: isAssignableTo is the dynamic check, which is not using
;;;;; isSubclassOf at ALL!!
;; always need to think about whether we need to do guard verification for
;; this.
;;; we need to use djvm-class-hierachy-aux.lisp instead of this one
;;;; We keep the following because jvm-linker seems to be using those
;;;; definitions quite extensively.
;;;; We just prove, under the consistent-class-hierachy hypothesis, that those two
;;;; definitions are the same.
;;; Tue Jan 13 17:31:54 2004
(defun classClassName (class)
  (declare (xargs :guard (wff-class-rep class)))
  (classname class))

(defun classSuperClassName (class)
  (declare (xargs :guard (wff-class-rep class)))
  (super class))

;; (defun all-class-names (cl)
;;   (declare (xargs :guard (wff-instance-class-table cl)))
;;   (if (endp cl)
;;       nil
;;     (cons (classClassName (car cl))
;;           (all-class-names (cdr cl)))))
;;; defined in jvm-class-table

(defun unseen-class-measure (seen cl)
  (declare (xargs :guard (and (wff-instance-class-table cl)
                              (true-listp seen))))
  (len (set-diff (all-class-names cl) seen)))

(defun superclass-no-loop1-measure (seen cl)
  (declare (xargs :guard (and (wff-instance-class-table cl)
                              (true-listp seen))))
  (len (set-diff (all-class-names cl) seen)))

(defthm class-by-name-all-class-names
  (implies (isClassTerm (class-by-name n1 cl))
           (mem n1 (all-class-names cl))))

(local (in-theory (disable isClassTerm class-by-name)))

;; (defthm mem-all-classname
;;   (implies (consp (class-by-name n1 cl))
;;            (mem n1 (all-class-names cl))))

(defun superclass-no-loop1 (n1 cl seen)
  (declare (xargs :guard (and (wff-instance-class-table cl)
                              (true-listp seen))
                  :measure (superclass-no-loop1-measure seen cl)))
  (mylet* ((theClass (class-by-name n1 cl))
           (n2 (classSuperClassName theClass)))
    (if (not (isClassTerm theClass)) t
      (if (mem n1 seen)
          nil
        (superclass-no-loop1 n2 cl (cons n1 seen))))))

(defun superclass-no-loop (n1 cl)
  (declare (xargs :guard (wff-instance-class-table cl)))
  (superclass-no-loop1 n1 cl nil))

(defun collect-superclass-list1 (n1 cl ss)
  (declare (xargs :guard (and (wff-instance-class-table cl)
                              (true-listp ss))
                  :measure (superclass-no-loop1-measure ss cl)))
  (mylet* ((theClass (class-by-name n1 cl))
           (n2 (classSuperClassName theClass)))
    (if (isClassTerm theClass)
        (if (mem n1 ss)
            nil
          (cons n1 (collect-superclass-list1 n2 cl (cons n1 ss))))
      nil)))

(defun collect-superclass-list (n1 cl)
  (declare (xargs :guard (wff-instance-class-table cl)))
  (collect-superclass-list1 n1 cl nil))

(defun isSubClassOf1 (c1 c2 cl seen)
  (declare (xargs :guard (and (wff-instance-class-table cl)
                              (true-listp seen))
                  :measure (superclass-no-loop1-measure seen cl)))
  (mylet* ((theClass (class-by-name c1 cl))
           (n1 (classSuperClassName theClass)))
    (if (not (isClassTerm theClass)) nil
      (if (mem c1 seen) nil
        (if (equal c1 c2)
            t
          (isSubClassOf1 n1
                         c2
                         cl (cons c1 seen)))))))

(defun isJavaSubclassOf-guard (c1 c2 cl)
  (declare (xargs :verify-guards t))
  (and (consistent-class-hierachy cl)
       (isClassTerm (class-by-name c1 cl))
       (isClassTerm (class-by-name c2 cl))))
;; I would add isJavaSubclassOf with an extra seen parameter. We need to prove
;; that under the no-loop hypothesis, with seen and without seen it is the
;; same. Basically, we proved it for the bytecode verifier's isAssignable check.

(defun isJavaSubClassOf-measure (cl seen)
  (declare (xargs :guard (and (wff-instance-class-table cl)
                              (true-listp seen))))
  (unseen-classes cl seen))

;;
;; (defthm consistent-class-hierachy-implies-wff-instance-class-table
;;   (implies (consistent-class-hierachy cl)
;;            (wff-instance-class-table cl)))

(defun isJavaSubclassof1 (c1 c2 cl seen)
  (declare (xargs :guard (and (consistent-class-hierachy cl)
                              (true-listp seen))
                  :measure (isJavasubclassOf-measure cl seen)))
  ;; I need wff-instance-class-table to assert this is a class-rep
  ;; I think for the Defensive Machine I have the liberty to define
  ;; isJavaSubclassof with an extra parameter of seen
  ;;
  ;; 09/08/03 This is the test of the defensive machine's Class Hierarchy!!
  ;; need special handling of termination ...
  ;;
  ;; isJavaSubclassOf should be different from BCV's isJavaSubclassOf
  ;; because the class tables are different (can we reuse it??)
  ;; We can define it as long as the two class tables are equivalent in some
  ;; sense. isJavaSubclassOf will return the same value.
  ;;
  ;; What do I want?
  ;;
  ;; Decision: reuse BCV's definition. Will we need to use the static
  ;; class-table?
  ;;
  ;;
  ;; redefining it is painful.
  ;;
  ;; We need to prove the current CL has some relation with BCV's SCL --- The
  ;; portion of the class hierarchy cl describes matches what is in scl, which relies
  ;; on the correctness of the class loader (relies on something we have proved)
  ;;
  ;; The issue is whether I need to write a second class loader? should the
  ;; defensive machine's loader check for more things? Can I reuse? The class
  ;; loader does not change opstack and locals, only the class table and
  ;; heap, and we decided to keep the heap and class table the same as in the
  ;; non-defensive version. So good, we could reuse the class loader. (However,
  ;; do we need to extend the current class loader to check that a class implements
  ;; what it declares to implement? NO. We don't. Runtime resolution will catch
  ;; that!!!) So far so good.
  ;;
  ;;
  ;; All superclasses of c1 appear in cl
  ;;
  ;; Reuse BCV's version (however we need to make sure BCV's class table in
  ;; some sense matches the non-defensive machine's class table (which adds a
  ;; few extra fields).)
  ;;
  (if (not (consistent-class-hierachy cl)) nil
    ;;; cheat?? ;; this is for termination!! ;;;
    ;;; Guard verification will allow us to get rid of it.
    ;;;
    (and (class-exists? c1 cl) ;;
         (class-exists? c2 cl) ;; this is for termination!!
         (not (mem c1 seen))
         (or (equal c1 c2)
             (let* ((SubClass (class-by-name c1 cl))
                    (c3 (super SubClass)))
               (isJavaSubclassOf1 c3 c2 cl (cons c1 seen)))))))

;; how does guard work??
;; this function is easy to admit.
;; Shall I use this definition?
;; I could prove, under the consistent-class-hierachy hyp.,
;; that without the test on seen it is admissible
;;
;; This proof is done for "typechecker.lisp"
;; SKIP.
;;
;;
;; basically, for collect-super, consing the subclass onto seen does not matter.
;;
;; What's the point of defining consistent-class-hierachy if it is not used to
;; justify the termination? It is used elsewhere...

(defun isJavaSubclassOf (c1 c2 cl)
  (declare (xargs :guard (and (consistent-class-hierachy cl)
                              (wff-class-rep c1)
                              (wff-class-rep c2)))) ;; 10/28/03
  ;; The parameters are class-reps instead of class names.
  (isJavaSubclassOf1 (classname c1) (classname c2) cl nil))
(defun isJavaClassAssignmentCompatible (rtype type cl)
  (declare (xargs :guard (and (consistent-class-hierachy cl)
                              (class-exists? rtype cl)
                              (class-exists? type cl))))
  ;; make sure this function is only called when we know class-exists.
  ;; 09/09/03
  ;; Assuming that rtype and type are both class names
  ;; the most straightforward and precise result.
  ;; should I return a pair as a result? (complicated), return nil if not
  ;; valid.
  ;;
  ;; invariant that rtype and type are bounded types.
  ;;
  ;; here rtype and type are expected to be classnames.
  ;;
  ;; This function is only used in the consistent-state predicate. We don't check
  ;; whether interface slots have correctly labeled values. (We can't guarantee
  ;; that in CLDC. In J2SE, maybe we could.)
  ;;
  ;; Checking the implementation relation in the CLDC BCV and Defensive JVM is
  ;; weak, and delayed to runtime.
  ;;
  (let ((SlotType (class-by-name type cl))
        (ValueType (class-by-name rtype cl))) ;; BUG 10/28/03
    (cond ; ((or (class-exists? rtype cl)
          ;      (class-exists? type cl)) nil)
          ;; make it explicit that the above clause is nil
          ;;
          ;; Moved it to Guard. We are sure that this method is not even
          ;; called.
          ;;
          ((isInterface SlotType) t)
          ;; check for a marker in class description
          ;; if yes. Return t
          ;;
          (t (isJavaSubclassOf ValueType SlotType cl)))))

;; This needs an invariant that ValueType's supers all exist in cl
;; Because this is used in consistent-state. This should be
;; guaranteed.
;;
;; Otherwise, isSubclassOf's return value will not be accurate.
;; In consistent-state, it does not matter that we have an interface variable
;; that holds a value that does not implement that interface. The check is done at
;; runtime. BCV does not guarantee anything in that case.
;;
(defun isJavaAssignmentCompatible (rtype type cl)
  (declare (xargs :guard (consistent-class-hierachy cl)))
  ;; in this, we won't expect to see Oneword, or Twoword, or top
  ;; We don't even see rtype being byte, short, boolean
  ;; Because there are operations that implicitly convert values.
  ;; Do we allow assigning an int to a long? no.
  ;; we have explicit instructions that do the conversion. (i2l, i2d)
  ;; however i2b, b2i doesn't change the type of value on the OPSTACK
  ;; FIX. rtype and type could be just a string. not always (class <something>)
  ;; 10/28/03.
  (cond ((primitive-type? rtype) ;;; Thu Oct 21 18:07:53 2004
         (and
          ;;(primitive-opvalue-type rtype)
          ;; Mon Oct 25 11:13:02 2004. fixed to match isAssignableTo
          (equal rtype type)))
        ((equal rtype 'NULL)
         ;; Do I want to write the most specific rule possible?
         ;; which means if type is not valid, I return nil
         ;; Decision, relaxing a bit.
         ;; We can expect that types are valid types
         ;;
         ;; reference-type-s ??
         ;;
         ;; let me check it at the isAssignable level.
         ;;
         (or (isClassType type)
             (isArrayType type)))
        ;; this only asserts that the syntax is
        ;; correct. To check whether something is really a class type, we may
        ;; need to check reference-type-s and array-type-s.
        ;; if I see NULL as type, still return nil
        ;; SlotType must be a valid type.
        ((isClassType rtype)
         (and (isClassType type)
              (class-exists? (classname-classtype rtype) cl)
              (class-exists? (classname-classtype type) cl)
              ;; added to make sure the guard of isJavaClassAssignmentCompatible is satisfied.
              (isJavaClassAssignmentCompatible (classname-classtype rtype)
                                               (classname-classtype type)
                                               cl)))
        ((isArrayType rtype)
         (cond ((isClassType type)
                (or (and
                     (class-exists? (classname-classtype type) cl)
                     (isInterface (class-by-name
                                   (classname-classtype type) cl)))
                    ;; treated differently: as long as type is an interface, it
                    ;; will be assignable.
                    ;;
                    ;; IN BCV this is tested as whether rtype implements the Array
                    ;; interface.
                    ;;
                    (isJavaLangObject type)))
               (t (and (isArrayType type)
                       (let ((x (component-type rtype))
                             (y (component-type type)))
                         (or (and (primitive-type? x)
                                  (primitive-type? y)
                                  (equal x y))
                             (and ;;(compound x)
                                  ;;(compound y)
                                  ;;; Mon Oct 25 10:52:40 2004. We fixed it
                                  ;;; so that class type does not have a "(class
                                  ;;; prefix)"
                                  (isJavaAssignmentCompatible x y cl))))))))))
(defun assignmentCompatible (rtype type cl)
  (declare (xargs :guard (consistent-class-hierachy cl)))
  ;; does this assignmentCompatible have to deal with whether an interface purported to be
  ;; implemented actually gets implemented? No. We only use the information
  ;; from the class hierarchy's tree.
  ;;
  ;;
  ;; Maybe I should skip proving something to avoid the problem while still sticking
  ;; with the dynamic loading in both defensive and non-defensive JVM?
  ;;
  ;; THIS VERSION WILL WORK LIKE ISASSIGNABLE in BCV.
  ;; WE NEED TO WRITE/REUSE THE VERSION IN THE NON-DEFENSIVE MACHINE
  ;;
  ;; WE WILL MAKE SURE THIS VERSION DOES NOT CAUSE CLASS LOADING.
  ;; BECAUSE WE USE THIS TO EXPRESS THE CONSISTENT STATE concept.
  ;;
  ;; WE still need another version for testing InstanceOf, AASTORE etc
  ;; (reuse non-defensive version)
  ;;
  ;;
  ;; There are several ways to write AssignmentCompatible.
  ;; One is to copy BCV's
  ;; check (which is efficient, but it is not straightforward).
  (and (or (primitive-type? rtype) ;; Thu Oct 21 18:05:17 2004
           (reference-type-s rtype cl))
       (or (primitive-type? type) ;; Thu Oct 21 18:05:20 2004
           (reference-type-s type cl))
       (isJavaAssignmentCompatible rtype type cl)))
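;; Added example (not part of this book or the M6/DJVM project): a small Python
;; model of isJavaSubclassOf1 and isJavaAssignmentCompatible above, run on a
;; constructed class table. The ClassRep record and the ("array", component)
;; tuple encoding are assumptions standing in for wff-class-rep and array types.

```python
from typing import NamedTuple, Optional

PRIMITIVES = {"int", "long", "float", "double", "char", "short", "byte", "boolean"}

class ClassRep(NamedTuple):          # assumed stand-in for a wff-class-rep
    name: str
    super_name: Optional[str]        # None for java.lang.Object
    interface: bool = False

def class_by_name(name, cl):         # None plays the role of a non-isClassTerm result
    return cl.get(name)

def is_java_subclass_of1(c1, c2, cl, seen=()):
    # isJavaSubclassOf1: walk c1's superclass chain looking for c2. A class already
    # in `seen` ends the walk, so the check is total even if the table has a cycle.
    if class_by_name(c1, cl) is None or class_by_name(c2, cl) is None:
        return False
    if c1 in seen:
        return False
    if c1 == c2:
        return True
    return is_java_subclass_of1(class_by_name(c1, cl).super_name, c2, cl, seen + (c1,))

def is_array(t):                     # arrays are encoded as ("array", component)
    return isinstance(t, tuple) and t[0] == "array"

def is_class_type(t):                # bare class names, no "(class ...)" prefix
    return isinstance(t, str) and t not in PRIMITIVES and t != "NULL"

def is_java_class_assignment_compatible(rtype, type_, cl):
    # isJavaClassAssignmentCompatible: an interface slot accepts any class value
    # (the implements relation is only checked at run time); otherwise value <: slot.
    slot, value = class_by_name(type_, cl), class_by_name(rtype, cl)
    if slot is None or value is None:
        return False
    return slot.interface or is_java_subclass_of1(value.name, slot.name, cl)

def is_java_assignment_compatible(rtype, type_, cl):
    # isJavaAssignmentCompatible: the same case split as the ACL2 definition.
    if rtype in PRIMITIVES:                      # no implicit widening: int -> long is no
        return rtype == type_
    if rtype == "NULL":                          # NULL fits any reference slot, never NULL
        return is_class_type(type_) or is_array(type_)
    if is_class_type(rtype):
        return is_class_type(type_) and is_java_class_assignment_compatible(rtype, type_, cl)
    if is_array(rtype):
        if is_class_type(type_):                 # an array into Object or an interface slot
            slot = class_by_name(type_, cl)
            return (slot is not None and slot.interface) or type_ == "java.lang.Object"
        if is_array(type_):                      # component-wise, recursively
            x, y = rtype[1], type_[1]
            return ((x in PRIMITIVES and y in PRIMITIVES and x == y)
                    or is_java_assignment_compatible(x, y, cl))
    return False

# Constructed sample tables (not from the project); CYCLIC is malformed on purpose.
CONSISTENT = {
    "java.lang.Object": ClassRep("java.lang.Object", None),
    "java.lang.Runnable": ClassRep("java.lang.Runnable", "java.lang.Object", True),
    "java.lang.Thread": ClassRep("java.lang.Thread", "java.lang.Object"),
    "Worker": ClassRep("Worker", "java.lang.Thread"),
}
CYCLIC = {"A": ClassRep("A", "B"), "B": ClassRep("B", "A")}
```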
;;;; Thu Oct 21 18:03:03 2004
;;;; The problem of primitive-type vs primitive-type?!!
;; (defun assignmentCompatible (rtype type cl)
;;   (declare (xargs :guard (consistent-class-hierachy cl)))
;;   ;; does this assignmentCompatible have to deal with whether an interface purported to be
;;   ;; implemented actually gets implemented? No. We only use the information
;;   ;; from the class hierarchy's tree.
;;   ;;
;;   ;;
;;   ;; Maybe I should skip proving something to avoid the problem while still sticking
;;   ;; with the dynamic loading in both defensive and non-defensive JVM?
;;   ;;
;;   ;; THIS VERSION WILL WORK LIKE ISASSIGNABLE in BCV.
;;   ;; WE NEED TO WRITE/REUSE THE VERSION IN THE NON-DEFENSIVE MACHINE
;;   ;;
;;   ;; WE WILL MAKE SURE THIS VERSION DOES NOT CAUSE CLASS LOADING.
;;   ;; BECAUSE WE USE THIS TO EXPRESS THE CONSISTENT STATE concept.
;;   ;;
;;   ;; WE still need another version for testing InstanceOf, AASTORE etc
;;   ;; (reuse non-defensive version)
;;   ;;
;;   ;;
;;   ;; There are several ways to write AssignmentCompatible.
;;   ;; One is to copy BCV's
;;   ;; check (which is efficient, but it is not straightforward).
;;   (and (or (primitive-type rtype)
;;            (reference-type-s rtype cl))
;;        (or (primitive-type type)
;;            (reference-type-s type cl))
;;        (isJavaAssignmentCompatible rtype type cl)))

; The obligation of assignmentCompatible is
;
; a value of rtype is assignable to a slot of type "type"
;
; A PROOF needs to be ESTABLISHED
;
; isAssignable? in the BCV is equal to assignmentCompatible
; when types are well formed and satisfy reference-type-s or primitive-type
;
; We need to prove assignmentCompatible is BCV's isAssignable
; When the class table is correctly loaded from env's class table and the type referred to
; is inside the system.
;
; However isAssignable uses the full spec of type (class "java.lang.Object")
; etc. assignmentCompatible in M3 uses abbreviated "java.lang.Object" instead of
; (class "java.lang.Object")
;
;
; need to get the package name right!!
;
;;; expecting some problem with the proofs in jvm-linker....
;;;; maybe we should keep it and prove these two definitions will be the same...
;; (defun isSubClassOf1 (c1 c2 cl seen)
;;   (declare (xargs :measure (superclass-no-loop1-measure seen cl)))
;;   (mylet* ((theClass (class-by-name c1 cl))
;;            (n1 (classSuperClassName theClass)))
;;     (if (not (isClassTerm theClass)) nil
;;       (if (mem c1 seen) nil
;;         (if (equal c1 c2)
;;             t
;;           (isSubClassOf1 n1
;;                          c2
;;                          cl (cons c1 seen)))))))

(defthm consistent-class-hierachy-implies-isSubClassOf1-is-isJavaSubclassOf1
  (implies (consistent-class-hierachy cl)
           (equal (isSubClassOf1 c1 c2 cl seen)
                  (isJavaSubclassOf1 c1 c2 cl seen))))
;--------------------------------------------------------------------
;
; collect superclass with respect to ENV classtable
;
;(i-am-here)

(defun all-class-names-s (cl)
  (declare (xargs :guard (wff-static-class-table cl)))
  (if (not (consp cl))
      nil
    (cons (classname-s (car cl))
          (all-class-names-s (cdr cl)))))

(defun collect-superclassname1-measure (env-cl seen)
  (declare (xargs :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (len (set-diff (all-class-names-s env-cl) seen)))

(defthm found-implies-mem
  (mv-let (found class-desc)
    (class-by-name-s n1 env-cl)
    (declare (ignore class-desc))
    (implies found
             (mem n1 (all-class-names-s env-cl)))))

;; collect super class from env-class-table
(defun collect-superclassname1 (n1 env-cl seen)
  (declare (xargs :measure (collect-superclassname1-measure env-cl seen)
                  :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (mv-let (found class-desc)
    (class-by-name-s n1 env-cl)
    (if found
        (if (mem n1 seen)
            nil
          (cons n1 (collect-superclassname1
                    (super-s class-desc) env-cl (cons n1 seen))))
      nil)))

(defun collect-superinterface1-measure (env-cl seen mode)
  (declare (xargs :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (cons (cons (+ 1 (collect-superclassname1-measure env-cl seen) 1)
              0)
        mode))

(defun collect-interface-x-env-measusre (ns env-cl seen mode)
  (declare (xargs :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (cond ((equal mode 1)
         (collect-superinterface1-measure env-cl seen 0))
        ((equal mode 2)
         (collect-superinterface1-measure env-cl seen (len ns)))
        (t 0)))

;; not good for proving properties
;;
;; (mutual-recursion
;;  (defun collect-superinterface1 (n1 env-cl seen)
;;    (declare (xargs :measure (collect-superinterface1-measure env-cl seen 0)))
;;    (mv-let (found class-desc)
;;      (class-by-name-s n1 env-cl)
;;      (let ((interfaces (interfaces-s class-desc))
;;            (super (super-s class-desc)))
;;        (if (not found)
;;            nil
;;          (if (mem n1 seen)
;;              nil
;;            (app (cons n1 interfaces)
;;                 (app (collect-superinterface1 super env-cl
;;                                               (cons n1 seen))
;;                      (collect-superinterface2 interfaces env-cl
;;                                               (cons n1 seen)))))))))
;;  (defun collect-superinterface2 (ns env-cl seen)
;;    (declare (xargs :measure (collect-superinterface1-measure env-cl seen
;;                                                               (len ns))))
;;    (if (endp ns)
;;        nil
;;      (app (collect-superinterface1 (car ns) env-cl seen)
;;           (collect-superinterface2 (cdr ns) env-cl seen)))))

(defun collect-interface-x-env (n1-or-ns env-cl seen mode)
  (declare (xargs :measure
                  (collect-interface-x-env-measusre n1-or-ns env-cl
                                                    seen mode)
                  :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (let ((n1 n1-or-ns)
        (ns n1-or-ns))
    (cond ((equal mode 1) ;; collect-superinterface1
           (mv-let (found class-desc)
             (class-by-name-s n1 env-cl)
             (mylet* ((interfaces (interfaces-s class-desc))
                      (super (super-s class-desc)))
               (if (not found)
                   nil
                 (if (mem n1 seen)
                     nil
                   (app (cons n1 interfaces)
                        (app (collect-interface-x-env super env-cl
                                                      (cons n1 seen) 1)
                             (collect-interface-x-env interfaces env-cl
                                                      (cons n1 seen)
                                                      2))))))))
          ((equal mode 2) ;; collect-superinterface2
           (if (not (consp ns))
               nil
             (app (collect-interface-x-env (car ns) env-cl seen 1)
                  (collect-interface-x-env (cdr ns) env-cl seen 2))))
          (t nil))))

(defun collect-superinterface1 (n env-cl seen)
  (declare (xargs :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (collect-interface-x-env n env-cl seen 1))

(defun collect-superinterface2 (ns env-cl seen)
  (declare (xargs :guard (and (wff-static-class-table env-cl)
                              (true-listp seen))))
  (collect-interface-x-env ns env-cl seen 2))

(defun collect-superclassname (classname env-cl)
  (declare (xargs :guard (wff-static-class-table env-cl)))
  (collect-superclassname1 classname env-cl nil))

(defun collect-superinterface (classname env-cl)
  (declare (xargs :guard (wff-static-class-table env-cl)))
  (collect-superinterface1 classname env-cl nil))

(defun collect-assignableToName (classname env-cl)
  (declare (xargs :guard (wff-static-class-table env-cl)))
  (cons classname
        (app (collect-superclassname classname env-cl)
             (collect-superinterface classname env-cl))))
;---------------------------------------------------------------------------