Package m0-model: M0 model
Information
| name | m0-model |
| version | 1.0 |
| description | M0 model |
| author | HOL OpenTheory Packager <opentheory-packager@hol-theorem-prover.org> |
| license | MIT |
| checksum | b0f8e11bf1ea11b8133b9f5375fd2f48dbd4676c |
| requires | base hol-base hol-words hol-string hol-integer hol-monad hol-floating-point |
| show | Data.Bool Data.List Data.Option Data.Pair Data.Unit Function HOL4 Number.Natural Relation |
Files
- Package tarball m0-model-1.0.tgz
- Theory source file m0-model.thy (included in the package tarball)
Defined Type Operators
- HOL4
- m0
- m0.exception
- m0.instruction
- m0.m0_state
- m0.offset
- m0.AIRCR
- m0.ARM_Exception
- m0.Branch
- m0.CCR
- m0.CONTROL
- m0.Data
- m0.Hint
- m0.IPR
- m0.Load
- m0.MachineCode
- m0.Media
- m0.Mode
- m0.Multiply
- m0.PRIMASK
- m0.PSR
- m0.RName
- m0.SHPR2
- m0.SHPR3
- m0.SRType
- m0.Store
- m0.System
- m0
Defined Constants
- HOL4
- m0
- m0.bitify16
- m0.bitify4
- m0.boolify16
- m0.boolify4
- m0.dfn'ArithLogicImmediate
- m0.dfn'BranchExchange
- m0.dfn'BranchLinkExchangeRegister
- m0.dfn'BranchLinkImmediate
- m0.dfn'BranchTarget
- m0.dfn'Breakpoint
- m0.dfn'ByteReverse
- m0.dfn'ByteReversePackedHalfword
- m0.dfn'ByteReverseSignedHalfword
- m0.dfn'ChangeProcessorState
- m0.dfn'CompareImmediate
- m0.dfn'DataMemoryBarrier
- m0.dfn'DataSynchronizationBarrier
- m0.dfn'ExtendByte
- m0.dfn'ExtendHalfword
- m0.dfn'InstructionSynchronizationBarrier
- m0.dfn'LoadByte
- m0.dfn'LoadHalf
- m0.dfn'LoadLiteral
- m0.dfn'LoadMultiple
- m0.dfn'LoadWord
- m0.dfn'Move
- m0.dfn'MoveToRegisterFromSpecial
- m0.dfn'MoveToSpecialRegister
- m0.dfn'Multiply32
- m0.dfn'NoOperation
- m0.dfn'Push
- m0.dfn'Register
- m0.dfn'SendEvent
- m0.dfn'ShiftImmediate
- m0.dfn'ShiftRegister
- m0.dfn'StoreByte
- m0.dfn'StoreHalf
- m0.dfn'StoreMultiple
- m0.dfn'StoreWord
- m0.dfn'SupervisorCall
- m0.dfn'TestCompareRegister
- m0.dfn'Undefined
- m0.dfn'WaitForEvent
- m0.dfn'WaitForInterrupt
- m0.dfn'Yield
- m0.doRegister
- m0.exception_CASE
- m0.exception_size
- m0.immediate_form
- m0.instruction_CASE
- m0.instruction_size
- m0.m0_state_AIRCR
- m0.m0_state_AIRCR_fupd
- m0.m0_state_CASE
- m0.m0_state_CCR
- m0.m0_state_CCR_fupd
- m0.m0_state_CONTROL
- m0.m0_state_CONTROL_fupd
- m0.m0_state_CurrentMode
- m0.m0_state_CurrentMode_fupd
- m0.m0_state_ExceptionActive
- m0.m0_state_ExceptionActive_fupd
- m0.m0_state_MEM
- m0.m0_state_MEM_fupd
- m0.m0_state_NVIC_IPR
- m0.m0_state_NVIC_IPR_fupd
- m0.m0_state_PRIMASK
- m0.m0_state_PRIMASK_fupd
- m0.m0_state_PSR
- m0.m0_state_PSR_fupd
- m0.m0_state_REG
- m0.m0_state_REG_fupd
- m0.m0_state_SHPR2
- m0.m0_state_SHPR2_fupd
- m0.m0_state_SHPR3
- m0.m0_state_SHPR3_fupd
- m0.m0_state_VTOR
- m0.m0_state_VTOR_fupd
- m0.m0_state_count
- m0.m0_state_count_fupd
- m0.m0_state_exception
- m0.m0_state_exception_fupd
- m0.m0_state_pcinc
- m0.m0_state_pcinc_fupd
- m0.m0_state_pending
- m0.m0_state_pending_fupd
- m0.m0_state_size
- m0.mem
- m0.mem1
- m0.num2Mode
- m0.num2RName
- m0.num2SRType
- m0.offset_CASE
- m0.offset_size
- m0.raise'exception
- m0.rec'AIRCR
- m0.rec'CCR
- m0.rec'CONTROL
- m0.rec'IPR
- m0.rec'PRIMASK
- m0.rec'PSR
- m0.rec'SHPR2
- m0.rec'SHPR3
- m0.recordtype.AIRCR
- m0.recordtype.CCR
- m0.recordtype.CONTROL
- m0.recordtype.IPR
- m0.recordtype.PRIMASK
- m0.recordtype.PSR
- m0.recordtype.SHPR2
- m0.recordtype.SHPR3
- m0.recordtype.m0_state
- m0.reg'AIRCR
- m0.reg'CCR
- m0.reg'CONTROL
- m0.reg'IPR
- m0.reg'PRIMASK
- m0.reg'PSR
- m0.reg'SHPR2
- m0.reg'SHPR3
- m0.register_form
- m0.write'LR
- m0.write'MemA
- m0.write'MemU
- m0.write'PC
- m0.write'R
- m0.write'SP
- m0.write'SP_main
- m0.write'SP_process
- m0.write'mem
- m0.write'rec'AIRCR
- m0.write'rec'CCR
- m0.write'rec'CONTROL
- m0.write'rec'IPR
- m0.write'rec'PRIMASK
- m0.write'rec'PSR
- m0.write'rec'SHPR2
- m0.write'rec'SHPR3
- m0.write'reg'AIRCR
- m0.write'reg'CCR
- m0.write'reg'CONTROL
- m0.write'reg'IPR
- m0.write'reg'PRIMASK
- m0.write'reg'PSR
- m0.write'reg'SHPR2
- m0.write'reg'SHPR3
- m0.AIRCR_CASE
- m0.AIRCR_ENDIANNESS
- m0.AIRCR_ENDIANNESS_fupd
- m0.AIRCR_SYSRESETREQ
- m0.AIRCR_SYSRESETREQ_fupd
- m0.AIRCR_VECTCLRACTIVE
- m0.AIRCR_VECTCLRACTIVE_fupd
- m0.AIRCR_VECTKEY
- m0.AIRCR_VECTKEY_fupd
- m0.AIRCR_aircr'rst
- m0.AIRCR_aircr'rst_fupd
- m0.AIRCR_size
- m0.ALUWritePC
- m0.ARM_Exception_CASE
- m0.ARM_Exception_size
- m0.ASR
- m0.ASR_C
- m0.ASSERT
- m0.AddWithCarry
- m0.Align
- m0.Aligned
- m0.ArithLogicImmediate
- m0.ArithmeticOpcode
- m0.BLXWritePC
- m0.BXWritePC
- m0.BigEndianReverse
- m0.BitCount
- m0.Branch
- m0.BranchExchange
- m0.BranchLinkExchangeRegister
- m0.BranchLinkImmediate
- m0.BranchTarget
- m0.BranchTo
- m0.BranchWritePC
- m0.Branch_CASE
- m0.Branch_size
- m0.Breakpoint
- m0.ByteReverse
- m0.ByteReversePackedHalfword
- m0.ByteReverseSignedHalfword
- m0.CCR_CASE
- m0.CCR_STKALIGN
- m0.CCR_STKALIGN_fupd
- m0.CCR_UNALIGN_TRP
- m0.CCR_UNALIGN_TRP_fupd
- m0.CCR_ccr'rst
- m0.CCR_ccr'rst_fupd
- m0.CCR_size
- m0.CONTROL_CASE
- m0.CONTROL_SPSEL
- m0.CONTROL_SPSEL_fupd
- m0.CONTROL_control'rst
- m0.CONTROL_control'rst_fupd
- m0.CONTROL_nPRIV
- m0.CONTROL_nPRIV_fupd
- m0.CONTROL_size
- m0.CallSupervisor
- m0.ChangeProcessorState
- m0.CompareImmediate
- m0.ConditionPassed
- m0.CountLeadingZeroBits
- m0.CurrentModeIsPrivileged
- m0.DECODE_UNPREDICTABLE
- m0.Data
- m0.DataMemoryBarrier
- m0.DataProcessing
- m0.DataProcessingALU
- m0.DataProcessingPC
- m0.DataSynchronizationBarrier
- m0.Data_CASE
- m0.Data_size
- m0.DeActivate
- m0.Decode
- m0.DecodeImmShift
- m0.DecodeRegShift
- m0.DecodeThumb
- m0.DecodeThumb2
- m0.ExcNumber
- m0.ExceptionActiveBitCount
- m0.ExceptionEntry
- m0.ExceptionPriority
- m0.ExceptionReturn
- m0.ExceptionTaken
- m0.ExecutionPriority
- m0.Extend
- m0.ExtendByte
- m0.ExtendHalfword
- m0.ExternalInterrupt
- m0.Fetch
- m0.HardFault
- m0.HighestSetBit
- m0.Hint
- m0.Hint_CASE
- m0.Hint_size
- m0.IPR_CASE
- m0.IPR_PRI_N0
- m0.IPR_PRI_N0_fupd
- m0.IPR_PRI_N1
- m0.IPR_PRI_N1_fupd
- m0.IPR_PRI_N2
- m0.IPR_PRI_N2_fupd
- m0.IPR_PRI_N3
- m0.IPR_PRI_N3_fupd
- m0.IPR_ipr'rst
- m0.IPR_ipr'rst_fupd
- m0.IPR_size
- m0.IncPC
- m0.InstructionSynchronizationBarrier
- m0.IsOnes
- m0.LR
- m0.LSL
- m0.LSL_C
- m0.LSR
- m0.LSR_C
- m0.Load
- m0.LoadByte
- m0.LoadHalf
- m0.LoadLiteral
- m0.LoadMultiple
- m0.LoadWord
- m0.LoadWritePC
- m0.Load_CASE
- m0.Load_size
- m0.LookUpSP
- m0.LowestSetBit
- m0.MachineCode_CASE
- m0.MachineCode_size
- m0.Media
- m0.Media_CASE
- m0.Media_size
- m0.MemA
- m0.MemU
- m0.Mode2num
- m0.Mode_CASE
- m0.Mode_Handler
- m0.Mode_Thread
- m0.Mode_size
- m0.Move
- m0.MoveToRegisterFromSpecial
- m0.MoveToSpecialRegister
- m0.Multiply
- m0.Multiply32
- m0.Multiply_CASE
- m0.Multiply_size
- m0.NMI
- m0.Next
- m0.NoException
- m0.NoOperation
- m0.PC
- m0.PRIMASK_CASE
- m0.PRIMASK_PM
- m0.PRIMASK_PM_fupd
- m0.PRIMASK_primask'rst
- m0.PRIMASK_primask'rst_fupd
- m0.PRIMASK_size
- m0.PSR_C
- m0.PSR_CASE
- m0.PSR_C_fupd
- m0.PSR_ExceptionNumber
- m0.PSR_ExceptionNumber_fupd
- m0.PSR_N
- m0.PSR_N_fupd
- m0.PSR_T
- m0.PSR_T_fupd
- m0.PSR_V
- m0.PSR_V_fupd
- m0.PSR_Z
- m0.PSR_Z_fupd
- m0.PSR_psr'rst
- m0.PSR_psr'rst_fupd
- m0.PSR_size
- m0.PendSV
- m0.PopStack
- m0.ProcessorID
- m0.Push
- m0.PushStack
- m0.R
- m0.RName2num
- m0.RName_0
- m0.RName_1
- m0.RName_10
- m0.RName_11
- m0.RName_12
- m0.RName_2
- m0.RName_3
- m0.RName_4
- m0.RName_5
- m0.RName_6
- m0.RName_7
- m0.RName_8
- m0.RName_9
- m0.RName_CASE
- m0.RName_LR
- m0.RName_PC
- m0.RName_SP_main
- m0.RName_SP_process
- m0.RName_size
- m0.ROR
- m0.ROR_C
- m0.RRX
- m0.RRX_C
- m0.Raise
- m0.Register
- m0.Reset
- m0.ReturnAddress
- m0.Run
- m0.SHPR2_CASE
- m0.SHPR2_PRI_11
- m0.SHPR2_PRI_11_fupd
- m0.SHPR2_shpr2'rst
- m0.SHPR2_shpr2'rst_fupd
- m0.SHPR2_size
- m0.SHPR3_CASE
- m0.SHPR3_PRI_14
- m0.SHPR3_PRI_14_fupd
- m0.SHPR3_PRI_15
- m0.SHPR3_PRI_15_fupd
- m0.SHPR3_shpr3'rst
- m0.SHPR3_shpr3'rst_fupd
- m0.SHPR3_size
- m0.SP
- m0.SP_main
- m0.SP_process
- m0.SRType2num
- m0.SRType_ASR
- m0.SRType_CASE
- m0.SRType_LSL
- m0.SRType_LSR
- m0.SRType_ROR
- m0.SRType_RRX
- m0.SRType_size
- m0.SVCall
- m0.SendEvent
- m0.Shift
- m0.ShiftImmediate
- m0.ShiftRegister
- m0.Shift_C
- m0.SignExtendFrom
- m0.Store
- m0.StoreByte
- m0.StoreHalf
- m0.StoreMultiple
- m0.StoreWord
- m0.Store_CASE
- m0.Store_size
- m0.SupervisorCall
- m0.SysTick
- m0.System
- m0.System_CASE
- m0.System_size
- m0.TakeReset
- m0.TestCompareRegister
- m0.Thumb
- m0.Thumb2
- m0.UInt
- m0.UNPREDICTABLE
- m0.Undefined
- m0.WaitForEvent
- m0.WaitForInterrupt
- m0.Yield
- m0
Theorems
⊦ ¬(m0.Mode_Thread = m0.Mode_Handler)
⊦ m0.Mode_Thread = m0.num2Mode 0
⊦ m0.RName_0 = m0.num2RName 0
⊦ m0.SRType_LSL = m0.num2SRType 0
⊦ m0.Mode_Handler = m0.num2Mode 1
⊦ m0.RName_1 = m0.num2RName 1
⊦ m0.RName_2 = m0.num2RName (arithmetic.BIT2 0)
⊦ m0.SRType_ASR = m0.num2SRType (arithmetic.BIT2 0)
⊦ m0.SRType_LSR = m0.num2SRType 1
⊦ ∀x. m0.Mode_size x = 0
⊦ ∀x. m0.RName_size x = 0
⊦ ∀x. m0.SRType_size x = 0
⊦ m0.RName_3 = m0.num2RName 3
⊦ m0.RName_4 = m0.num2RName (arithmetic.BIT2 1)
⊦ m0.RName_5 = m0.num2RName (bit1 (arithmetic.BIT2 0))
⊦ m0.RName_6 = m0.num2RName (arithmetic.BIT2 (arithmetic.BIT2 0))
⊦ m0.SRType_ROR = m0.num2SRType 3
⊦ m0.SRType_RRX = m0.num2SRType (arithmetic.BIT2 1)
⊦ ∀_. m0.ProcessorID _ = integer.int_of_num 0
⊦ ∀a. m0.num2Mode (m0.Mode2num a) = a
⊦ ∀a. m0.num2RName (m0.RName2num a) = a
⊦ ∀a. m0.num2SRType (m0.SRType2num a) = a
⊦ ∀w. m0.bitify4 (m0.boolify4 w) = w
⊦ ∀x. m0.boolify4 (m0.bitify4 x) = x
⊦ ∀w. m0.bitify16 (m0.boolify16 w) = w
⊦ ∀x. m0.boolify16 (m0.bitify16 x) = x
⊦ ∀_. m0.ReturnAddress _ = λstate. m0.PC state
⊦ ∀x. ∃p. x = m0.Multiply32 p
⊦ m0.RName_10 = m0.num2RName (arithmetic.BIT2 (arithmetic.BIT2 1))
⊦ m0.RName_11 = m0.num2RName (bit1 (bit1 (arithmetic.BIT2 0)))
⊦ m0.RName_12 = m0.num2RName (arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))
⊦ m0.RName_7 = m0.num2RName 7
⊦ m0.RName_8 = m0.num2RName (arithmetic.BIT2 3)
⊦ m0.RName_9 = m0.num2RName (bit1 (arithmetic.BIT2 1))
⊦ m0.RName_SP_main =
m0.num2RName (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))
⊦ m0.RName_SP_process =
m0.num2RName (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))
⊦ ∀state. m0.SP_main state = m0.m0_state_REG state m0.RName_SP_main
⊦ ∀state. m0.SP_process state = m0.m0_state_REG state m0.RName_SP_process
⊦ ∀w. m0.UInt w = integer.int_of_num (words.w2n w)
⊦ ∀w. m0.LowestSetBit w = m0.CountLeadingZeroBits (words.word_reverse w)
⊦ ∀_. m0.CallSupervisor _ = λstate. m0.Raise m0.SVCall state
⊦ ∀imm32. m0.dfn'Undefined imm32 = λstate. m0.Raise m0.HardFault state
⊦ ∀address. m0.ALUWritePC address = λstate. m0.BranchWritePC address state
⊦ ∀address. m0.BranchTo address = λstate. m0.write'PC address state
⊦ ∀address. m0.LoadWritePC address = λstate. m0.BXWritePC address state
⊦ m0.RName_LR = m0.num2RName 15
⊦ m0.RName_PC = m0.num2RName (arithmetic.BIT2 7)
⊦ ∀a. a = m0.Mode_Thread ∨ a = m0.Mode_Handler
⊦ ∀b c. m0.PRIMASK_PM (m0.recordtype.PRIMASK b c) ⇔ b
⊦ ∀b c. m0.PRIMASK_primask'rst (m0.recordtype.PRIMASK b c) = c
⊦ ∀c c0. m0.SHPR2_PRI_11 (m0.recordtype.SHPR2 c c0) = c
⊦ ∀c c0. m0.SHPR2_shpr2'rst (m0.recordtype.SHPR2 c c0) = c0
⊦ ∀a' a. ¬(m0.immediate_form a = m0.register_form a')
⊦ ∀address.
m0.mem1 address = λstate. bitstring.w2v (m0.m0_state_MEM state address)
⊦ ∀a' a. ¬(m0.Thumb a = m0.Thumb2 a')
⊦ ∀x. ∃b c. x = m0.recordtype.PRIMASK b c
⊦ ∀x. ∃c c0. x = m0.recordtype.SHPR2 c c0
⊦ ∀_ x. m0.write'reg'AIRCR (_, x) = m0.rec'AIRCR x
⊦ ∀e. m0.Raise e = λstate. m0.m0_state_pending_fupd (const (some e)) state
⊦ ∀_ x. m0.write'reg'CCR (_, x) = m0.rec'CCR x
⊦ ∀_ x. m0.write'reg'CONTROL (_, x) = m0.rec'CONTROL x
⊦ ∀_ x. m0.write'reg'IPR (_, x) = m0.rec'IPR x
⊦ ∀_ x. m0.write'reg'PRIMASK (_, x) = m0.rec'PRIMASK x
⊦ ∀_ x. m0.write'reg'PSR (_, x) = m0.rec'PSR x
⊦ ∀_ x. m0.write'reg'SHPR2 (_, x) = m0.rec'SHPR2 x
⊦ ∀_ x. m0.write'reg'SHPR3 (_, x) = m0.rec'SHPR3 x
⊦ ∀a0 a1. m0.SHPR2_size (m0.recordtype.SHPR2 a0 a1) = 1
⊦ ∀_ x. m0.write'rec'CONTROL (_, x) = m0.reg'CONTROL x
⊦ ∀_ x. m0.write'rec'AIRCR (_, x) = m0.reg'AIRCR x
⊦ ∀_ x. m0.write'rec'CCR (_, x) = m0.reg'CCR x
⊦ ∀_ x. m0.write'rec'IPR (_, x) = m0.reg'IPR x
⊦ ∀_ x. m0.write'rec'PRIMASK (_, x) = m0.reg'PRIMASK x
⊦ ∀_ x. m0.write'rec'PSR (_, x) = m0.reg'PSR x
⊦ ∀_ x. m0.write'rec'SHPR2 (_, x) = m0.reg'SHPR2 x
⊦ ∀_ x. m0.write'rec'SHPR3 (_, x) = m0.reg'SHPR3 x
⊦ ∀a f. m0.Multiply_CASE (m0.Multiply32 a) f = f a
⊦ m0.num2Mode 0 = m0.Mode_Thread ∧ m0.num2Mode 1 = m0.Mode_Handler
⊦ m0.Mode2num m0.Mode_Thread = 0 ∧ m0.Mode2num m0.Mode_Handler = 1
⊦ ∀x.
m0.reg'SHPR2 x =
m0.SHPR2_CASE x (λPRI_11 shpr2'rst. words.word_concat PRI_11 shpr2'rst)
⊦ ∀P. (∀a. P (m0.Multiply32 a)) ⇒ ∀x. P x
⊦ ∀w. m0.IsOnes w ⇔ w = words.word_2comp (words.n2w 1)
⊦ ∀f. ∃fn. ∀a. fn (m0.Multiply32 a) = f a
⊦ ∀_.
m0.LookUpSP _ =
λstate.
if m0.CONTROL_SPSEL (m0.m0_state_CONTROL state) then
m0.RName_SP_process
else m0.RName_SP_main
⊦ ∀P. P m0.Mode_Handler ∧ P m0.Mode_Thread ⇒ ∀a. P a
⊦ ∀b b0 b1. m0.CONTROL_SPSEL (m0.recordtype.CONTROL b b0 b1) ⇔ b
⊦ ∀b b0 b1. m0.CONTROL_control'rst (m0.recordtype.CONTROL b b0 b1) ⇔ b0
⊦ ∀b b0 b1. m0.CONTROL_nPRIV (m0.recordtype.CONTROL b b0 b1) ⇔ b1
⊦ ∀b b0 c. m0.CCR_STKALIGN (m0.recordtype.CCR b b0 c) ⇔ b
⊦ ∀b b0 c. m0.CCR_UNALIGN_TRP (m0.recordtype.CCR b b0 c) ⇔ b0
⊦ ∀b b0 c. m0.CCR_ccr'rst (m0.recordtype.CCR b b0 c) = c
⊦ ∀state.
m0.LR state =
m0.R
(words.n2w (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))))
state
⊦ ∀state.
m0.SP state =
m0.R (words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))) state
⊦ ∀r. r < arithmetic.BIT2 0 ⇔ m0.Mode2num (m0.num2Mode r) = r
⊦ ∀c c0 c1. m0.SHPR3_PRI_14 (m0.recordtype.SHPR3 c c0 c1) = c
⊦ ∀c c0 c1. m0.SHPR3_PRI_15 (m0.recordtype.SHPR3 c c0 c1) = c0
⊦ ∀c c0 c1. m0.SHPR3_shpr3'rst (m0.recordtype.SHPR3 c c0 c1) = c1
⊦ ∀x. ∃b b0 c. x = m0.recordtype.CCR b b0 c
⊦ ∀x. ∃b b0 b1. x = m0.recordtype.CONTROL b b0 b1
⊦ ∀a a'. a = a' ⇔ m0.Mode2num a = m0.Mode2num a'
⊦ ∀a a'. m0.Mode2num a = m0.Mode2num a' ⇔ a = a'
⊦ ∀a. ∃r. a = m0.num2Mode r ∧ r < arithmetic.BIT2 0
⊦ ∀a a'. a = a' ⇔ m0.RName2num a = m0.RName2num a'
⊦ ∀a a'. m0.RName2num a = m0.RName2num a' ⇔ a = a'
⊦ ∀x. ∃c c0 c1. x = m0.recordtype.SHPR3 c c0 c1
⊦ ∀a a'. a = a' ⇔ m0.SRType2num a = m0.SRType2num a'
⊦ ∀a a'. m0.SRType2num a = m0.SRType2num a' ⇔ a = a'
⊦ ∀r. r < arithmetic.BIT2 0 ⇔ ∃a. r = m0.Mode2num a
⊦ ∀a a'. m0.ExternalInterrupt a = m0.ExternalInterrupt a' ⇔ a = a'
⊦ ∀a a'. m0.Multiply32 a = m0.Multiply32 a' ⇔ a = a'
⊦ ∀state. m0.PC state = m0.R (words.n2w 15) state
⊦ ∀r. r < bit1 (arithmetic.BIT2 0) ⇔ m0.SRType2num (m0.num2SRType r) = r
⊦ ∀a0 a1 a2. m0.SHPR3_size (m0.recordtype.SHPR3 a0 a1 a2) = 1
⊦ ∀a0 a1.
m0.PRIMASK_size (m0.recordtype.PRIMASK a0 a1) =
1 + basicSize.bool_size a0
⊦ ∀_.
m0.IncPC _ =
λstate.
m0.BranchTo
(words.word_add (m0.m0_state_REG state m0.RName_PC)
(m0.m0_state_pcinc state)) state
⊦ ∀a. ∃r. a = m0.num2SRType r ∧ r < bit1 (arithmetic.BIT2 0)
⊦ ∀r. r < bit1 (arithmetic.BIT2 0) ⇔ ∃a. r = m0.SRType2num a
⊦ ∀P. (∀a0 a1. P (m0.recordtype.PRIMASK a0 a1)) ⇒ ∀x. P x
⊦ ∀P. (∀a0 a1. P (m0.recordtype.SHPR2 a0 a1)) ⇒ ∀x. P x
⊦ ∀x carry_in. m0.RRX (x, carry_in) = fst (m0.RRX_C (x, carry_in))
⊦ ∀ReturningExceptionNumber.
m0.DeActivate ReturningExceptionNumber =
λstate.
m0.m0_state_ExceptionActive_fupd
(const
(combin.UPDATE ReturningExceptionNumber ⊥
(m0.m0_state_ExceptionActive state))) state
⊦ ∀value.
m0.write'PC value =
λstate.
m0.m0_state_REG_fupd
(const (combin.UPDATE m0.RName_PC value (m0.m0_state_REG state)))
state
⊦ ∀value.
m0.write'SP_main value =
λstate.
m0.m0_state_REG_fupd
(const
(combin.UPDATE m0.RName_SP_main value (m0.m0_state_REG state)))
state
⊦ ∀value.
m0.write'SP_process value =
λstate.
m0.m0_state_REG_fupd
(const
(combin.UPDATE m0.RName_SP_process value
(m0.m0_state_REG state))) state
⊦ ∀x0 x1. ∃f. f m0.Mode_Thread = x0 ∧ f m0.Mode_Handler = x1
⊦ ∀a0 a1 f. m0.PRIMASK_CASE (m0.recordtype.PRIMASK a0 a1) f = f a0 a1
⊦ ∀x. (∃c. x = m0.immediate_form c) ∨ ∃c. x = m0.register_form c
⊦ ∀x. (∃c. x = m0.Thumb c) ∨ ∃p. x = m0.Thumb2 p
⊦ ∀P.
∃b c.
P =
m0.PRIMASK_PM_fupd (const b)
(m0.PRIMASK_primask'rst_fupd (const c) bool.ARB)
⊦ ∀x.
m0.reg'PRIMASK x =
m0.PRIMASK_CASE x
(λPM primask'rst.
words.word_concat primask'rst (bitstring.v2w (PM :: [])))
⊦ ∀S.
∃c0 c.
S =
m0.SHPR2_PRI_11_fupd (const c0)
(m0.SHPR2_shpr2'rst_fupd (const c) bool.ARB)
⊦ ∀a0 a1 f. m0.SHPR2_CASE (m0.recordtype.SHPR2 a0 a1) f = f a0 a1
⊦ ∀address size.
m0.MemU (address, size) = λstate. m0.MemA (address, size) state
⊦ ∀unsigned w.
m0.Extend (unsigned, w) =
if unsigned then words.w2w w else words.sw2sw w
⊦ ∀_.
m0.CurrentModeIsPrivileged _ =
λstate.
m0.m0_state_CurrentMode state = m0.Mode_Handler ∨
¬m0.CONTROL_nPRIV (m0.m0_state_CONTROL state)
⊦ ∀w n. m0.Aligned (w, n) ⇔ w = m0.Align (w, n)
⊦ ∀value.
m0.write'LR value =
λstate.
m0.write'R
(value,
words.n2w (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))))
state
⊦ ∀value.
m0.write'SP value =
λstate.
m0.write'R
(value, words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))))
state
⊦ ∀f. ∃fn. ∀a0 a1. fn (m0.recordtype.PRIMASK a0 a1) = f a0 a1
⊦ ∀f. ∃fn. ∀a0 a1. fn (m0.recordtype.SHPR2 a0 a1) = f a0 a1
⊦ ∀r. r < bit1 (arithmetic.BIT2 3) ⇔ m0.RName2num (m0.num2RName r) = r
⊦ ∀f b c.
m0.PRIMASK_PM_fupd f (m0.recordtype.PRIMASK b c) =
m0.recordtype.PRIMASK (f b) c
⊦ ∀f c c0.
m0.SHPR2_PRI_11_fupd f (m0.recordtype.SHPR2 c c0) =
m0.recordtype.SHPR2 (f c) c0
⊦ ∀f c c0.
m0.SHPR2_shpr2'rst_fupd f (m0.recordtype.SHPR2 c c0) =
m0.recordtype.SHPR2 c (f c0)
⊦ ∀f b c.
m0.PRIMASK_primask'rst_fupd f (m0.recordtype.PRIMASK b c) =
m0.recordtype.PRIMASK b (f c)
⊦ ∀a. ∃r. a = m0.num2RName r ∧ r < bit1 (arithmetic.BIT2 3)
⊦ ∀r. r < bit1 (arithmetic.BIT2 3) ⇔ ∃a. r = m0.RName2num a
⊦ ∀w n. m0.Align (w, n) = words.n2w (n * (words.w2n w div n))
⊦ ∀_.
m0.ExceptionEntry _ =
λstate.
option.option_CASE (m0.m0_state_pending state) state
(λe. m0.ExceptionTaken (m0.ExcNumber e) (m0.PushStack () state))
⊦ ∀g f P.
m0.PRIMASK_primask'rst_fupd f (m0.PRIMASK_PM_fupd g P) =
m0.PRIMASK_PM_fupd g (m0.PRIMASK_primask'rst_fupd f P)
⊦ ∀P. (∀a0 a1 a2. P (m0.recordtype.CCR a0 a1 a2)) ⇒ ∀x. P x
⊦ ∀P. (∀a0 a1 a2. P (m0.recordtype.CONTROL a0 a1 a2)) ⇒ ∀x. P x
⊦ ∀P. (∀a0 a1 a2. P (m0.recordtype.SHPR3 a0 a1 a2)) ⇒ ∀x. P x
⊦ ∀g f S.
m0.SHPR2_shpr2'rst_fupd f (m0.SHPR2_PRI_11_fupd g S) =
m0.SHPR2_PRI_11_fupd g (m0.SHPR2_shpr2'rst_fupd f S)
⊦ ∀P.
(∀a. P (m0.immediate_form a)) ∧ (∀a. P (m0.register_form a)) ⇒ ∀x. P x
⊦ ∀P. (∀a. P (m0.Thumb a)) ∧ (∀a. P (m0.Thumb2 a)) ⇒ ∀x. P x
⊦ ∀a.
m0.Multiply_size (m0.Multiply32 a) =
1 + basicSize.pair_size (λv. 0) (basicSize.pair_size (λv. 0) (λv. 0)) a
⊦ (∀a. m0.offset_size (m0.immediate_form a) = 1) ∧
∀a. m0.offset_size (m0.register_form a) = 1
⊦ ∀b b0 b1 c c0. m0.AIRCR_ENDIANNESS (m0.recordtype.AIRCR b b0 b1 c c0) ⇔ b
⊦ ∀b b0 b1 c c0.
m0.AIRCR_SYSRESETREQ (m0.recordtype.AIRCR b b0 b1 c c0) ⇔ b0
⊦ ∀b b0 b1 c c0.
m0.AIRCR_VECTCLRACTIVE (m0.recordtype.AIRCR b b0 b1 c c0) ⇔ b1
⊦ ∀b b0 b1 c c0. m0.AIRCR_aircr'rst (m0.recordtype.AIRCR b b0 b1 c c0) = c0
⊦ ∀b b0 b1 c c0. m0.AIRCR_VECTKEY (m0.recordtype.AIRCR b b0 b1 c c0) = c
⊦ ∀w.
m0.HighestSetBit w =
if w = words.n2w 0 then integer.int_neg (integer.int_of_num 1)
else integer_word.w2i (words.word_log2 w)
⊦ ∀w.
m0.CountLeadingZeroBits w =
integer.Num
(integer.int_sub
(integer.int_sub
(integer.int_of_num (words.word_len (words.n2w 0)))
(integer.int_of_num 1)) (m0.HighestSetBit w))
⊦ ∀c c0 c1 c2 c3. m0.IPR_PRI_N0 (m0.recordtype.IPR c c0 c1 c2 c3) = c
⊦ ∀c c0 c1 c2 c3. m0.IPR_PRI_N1 (m0.recordtype.IPR c c0 c1 c2 c3) = c0
⊦ ∀c c0 c1 c2 c3. m0.IPR_PRI_N2 (m0.recordtype.IPR c c0 c1 c2 c3) = c1
⊦ ∀c c0 c1 c2 c3. m0.IPR_PRI_N3 (m0.recordtype.IPR c c0 c1 c2 c3) = c2
⊦ ∀c c0 c1 c2 c3. m0.IPR_ipr'rst (m0.recordtype.IPR c c0 c1 c2 c3) = c3
⊦ ∀x.
m0.rec'CONTROL x =
m0.recordtype.CONTROL (words.word_bit 1 x)
(words.word_bit (arithmetic.BIT2 0) x) (words.word_bit 0 x)
⊦ ∀imm32.
m0.dfn'Breakpoint imm32 =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd (const (m0.m0_state_count s + bool.ARB))
s) (m0.IncPC () state)
⊦ ∀imm32.
m0.dfn'SupervisorCall imm32 =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd (const (m0.m0_state_count s + bool.ARB))
s) (m0.CallSupervisor () state)
⊦ ∀a0 a1 a2 f.
m0.CONTROL_CASE (m0.recordtype.CONTROL a0 a1 a2) f = f a0 a1 a2
⊦ ∀a0 a1 a2 f. m0.CCR_CASE (m0.recordtype.CCR a0 a1 a2) f = f a0 a1 a2
⊦ ∀e.
m0.raise'exception e =
λstate.
(bool.ARB,
(if m0.m0_state_exception state = m0.NoException then
m0.m0_state_exception_fupd (const e) state
else state))
⊦ ∀x. ∃b b0 b1 c c0. x = m0.recordtype.AIRCR b b0 b1 c c0
⊦ ∀x. ∃c c0 c1 c2 c3. x = m0.recordtype.IPR c c0 c1 c2 c3
⊦ ∀P0.
(∀P. P0 P) ⇔
∀b c.
P0
(m0.PRIMASK_PM_fupd (const b)
(m0.PRIMASK_primask'rst_fupd (const c) bool.ARB))
⊦ ∀P0.
(∃P. P0 P) ⇔
∃b c.
P0
(m0.PRIMASK_PM_fupd (const b)
(m0.PRIMASK_primask'rst_fupd (const c) bool.ARB))
⊦ ∀P.
(∀x. P x) ⇔
∀c0 c.
P
(m0.SHPR2_PRI_11_fupd (const c0)
(m0.SHPR2_shpr2'rst_fupd (const c) bool.ARB))
⊦ ∀P.
(∃x. P x) ⇔
∃c0 c.
P
(m0.SHPR2_PRI_11_fupd (const c0)
(m0.SHPR2_shpr2'rst_fupd (const c) bool.ARB))
⊦ ∀a0 a1 a2 f. m0.SHPR3_CASE (m0.recordtype.SHPR3 a0 a1 a2) f = f a0 a1 a2
⊦ ∀_.
m0.dfn'NoOperation _ =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC () state)
⊦ ∀_.
m0.dfn'SendEvent _ =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC () state)
⊦ ∀_.
m0.dfn'WaitForEvent _ =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 0)) s)
(m0.IncPC () state)
⊦ ∀_.
m0.dfn'WaitForInterrupt _ =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 0)) s)
(m0.IncPC () state)
⊦ ∀_.
m0.dfn'Yield _ =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC () state)
⊦ ∀x.
(∃s. x = m0.ASSERT s) ∨ x = m0.NoException ∨ ∃s. x = m0.UNPREDICTABLE s
⊦ ∀a0 a1 a2 a3 a4. m0.IPR_size (m0.recordtype.IPR a0 a1 a2 a3 a4) = 1
⊦ ∀f. ∃fn. ∀a0 a1 a2. fn (m0.recordtype.CONTROL a0 a1 a2) = f a0 a1 a2
⊦ ∀f. ∃fn. ∀a0 a1 a2. fn (m0.recordtype.CCR a0 a1 a2) = f a0 a1 a2
⊦ ∀f. ∃fn. ∀a0 a1 a2. fn (m0.recordtype.SHPR3 a0 a1 a2) = f a0 a1 a2
⊦ ∀C.
∃b0 b c.
C =
m0.CCR_STKALIGN_fupd (const b0)
(m0.CCR_UNALIGN_TRP_fupd (const b)
(m0.CCR_ccr'rst_fupd (const c) bool.ARB))
⊦ ∀C.
∃b1 b0 b.
C =
m0.CONTROL_SPSEL_fupd (const b1)
(m0.CONTROL_control'rst_fupd (const b0)
(m0.CONTROL_nPRIV_fupd (const b) bool.ARB))
⊦ ∀x v0 v1.
m0.Mode_CASE x v0 v1 =
let m ← m0.Mode2num x in if m = 0 then v0 else v1
⊦ ∀P1 P2.
P1 = P2 ⇔
(m0.PRIMASK_PM P1 ⇔ m0.PRIMASK_PM P2) ∧
m0.PRIMASK_primask'rst P1 = m0.PRIMASK_primask'rst P2
⊦ ∀S1 S2.
S1 = S2 ⇔
m0.SHPR2_PRI_11 S1 = m0.SHPR2_PRI_11 S2 ∧
m0.SHPR2_shpr2'rst S1 = m0.SHPR2_shpr2'rst S2
⊦ ∀S.
∃c1 c0 c.
S =
m0.SHPR3_PRI_14_fupd (const c1)
(m0.SHPR3_PRI_15_fupd (const c0)
(m0.SHPR3_shpr3'rst_fupd (const c) bool.ARB))
⊦ ∀f b b0 b1.
m0.CONTROL_SPSEL_fupd f (m0.recordtype.CONTROL b b0 b1) =
m0.recordtype.CONTROL (f b) b0 b1
⊦ ∀f b b0 b1.
m0.CONTROL_control'rst_fupd f (m0.recordtype.CONTROL b b0 b1) =
m0.recordtype.CONTROL b (f b0) b1
⊦ ∀f b b0 b1.
m0.CONTROL_nPRIV_fupd f (m0.recordtype.CONTROL b b0 b1) =
m0.recordtype.CONTROL b b0 (f b1)
⊦ ∀f b b0 c.
m0.CCR_STKALIGN_fupd f (m0.recordtype.CCR b b0 c) =
m0.recordtype.CCR (f b) b0 c
⊦ ∀f b b0 c.
m0.CCR_UNALIGN_TRP_fupd f (m0.recordtype.CCR b b0 c) =
m0.recordtype.CCR b (f b0) c
⊦ ∀f c c0 c1.
m0.SHPR3_PRI_14_fupd f (m0.recordtype.SHPR3 c c0 c1) =
m0.recordtype.SHPR3 (f c) c0 c1
⊦ ∀f c c0 c1.
m0.SHPR3_PRI_15_fupd f (m0.recordtype.SHPR3 c c0 c1) =
m0.recordtype.SHPR3 c (f c0) c1
⊦ ∀f c c0 c1.
m0.SHPR3_shpr3'rst_fupd f (m0.recordtype.SHPR3 c c0 c1) =
m0.recordtype.SHPR3 c c0 (f c1)
⊦ ∀f b b0 c.
m0.CCR_ccr'rst_fupd f (m0.recordtype.CCR b b0 c) =
m0.recordtype.CCR b b0 (f c)
⊦ ∀a0 a1 a2.
m0.CCR_size (m0.recordtype.CCR a0 a1 a2) =
1 + (basicSize.bool_size a0 + basicSize.bool_size a1)
⊦ ∀state.
m0.Next state =
bool.LET
(pair.UNCURRY
(λv s.
bool.LET (pair.UNCURRY (λv s. m0.Run v s)) (m0.Decode v s)))
(m0.Fetch state)
⊦ ∀option.
m0.dfn'DataMemoryBarrier option =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 1)) s)
(m0.IncPC () state)
⊦ ∀option.
m0.dfn'DataSynchronizationBarrier option =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 1)) s)
(m0.IncPC () state)
⊦ ∀option.
m0.dfn'InstructionSynchronizationBarrier option =
λstate.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 1)) s)
(m0.IncPC () state)
⊦ ∀x.
m0.rec'PRIMASK x =
m0.recordtype.PRIMASK (words.word_bit 0 x) (words.word_extract 31 1 x)
⊦ ∀P.
(∀a. P (m0.ASSERT a)) ∧ P m0.NoException ∧
(∀a. P (m0.UNPREDICTABLE a)) ⇒ ∀x. P x
⊦ ∀value address size.
m0.write'MemU (value, address, size) =
λstate. m0.write'MemA (value, address, size) state
⊦ (∀v0 v1. m0.Mode_CASE m0.Mode_Thread v0 v1 = v0) ∧
∀v0 v1. m0.Mode_CASE m0.Mode_Handler v0 v1 = v1
⊦ (∀b c. m0.PRIMASK_PM (m0.recordtype.PRIMASK b c) ⇔ b) ∧
∀b c. m0.PRIMASK_primask'rst (m0.recordtype.PRIMASK b c) = c
⊦ (∀c c0. m0.SHPR2_PRI_11 (m0.recordtype.SHPR2 c c0) = c) ∧
∀c c0. m0.SHPR2_shpr2'rst (m0.recordtype.SHPR2 c c0) = c0
⊦ ∀P b c.
m0.PRIMASK_PM_fupd (const b)
(m0.PRIMASK_primask'rst_fupd (const c) P) =
m0.PRIMASK_PM_fupd (const b)
(m0.PRIMASK_primask'rst_fupd (const c) bool.ARB)
⊦ ∀S c0 c.
m0.SHPR2_PRI_11_fupd (const c0) (m0.SHPR2_shpr2'rst_fupd (const c) S) =
m0.SHPR2_PRI_11_fupd (const c0)
(m0.SHPR2_shpr2'rst_fupd (const c) bool.ARB)
⊦ ∀w p.
m0.SignExtendFrom (w, p) =
bool.LET (λs. words.word_asr (words.word_lsl w s) s)
(arithmetic.- (words.word_len (words.n2w 0)) p)
⊦ ∀P.
P m0.SRType_ASR ∧ P m0.SRType_LSL ∧ P m0.SRType_LSR ∧ P m0.SRType_ROR ∧
P m0.SRType_RRX ⇒ ∀a. P a
⊦ ∀address.
m0.BranchWritePC address =
λstate.
m0.BranchTo
(words.word_concat (words.word_extract 31 1 address) (words.n2w 0))
state
⊦ ∀a.
a = m0.SRType_LSL ∨ a = m0.SRType_LSR ∨ a = m0.SRType_ASR ∨
a = m0.SRType_ROR ∨ a = m0.SRType_RRX
⊦ ∀P. (∀a0 a1 a2 a3 a4. P (m0.recordtype.AIRCR a0 a1 a2 a3 a4)) ⇒ ∀x. P x
⊦ ∀P. (∀a0 a1 a2 a3 a4. P (m0.recordtype.IPR a0 a1 a2 a3 a4)) ⇒ ∀x. P x
⊦ ∀m.
m0.dfn'BranchExchange m =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 3)) s)
(m0.BXWritePC (m0.R m state) state)
⊦ ∀f0 f1. ∃fn. (∀a. fn (m0.Thumb a) = f0 a) ∧ ∀a. fn (m0.Thumb2 a) = f1 a
⊦ ∀f0 f1.
∃fn.
(∀a. fn (m0.immediate_form a) = f0 a) ∧
∀a. fn (m0.register_form a) = f1 a
⊦ (∀a. m0.num2Mode (m0.Mode2num a) = a) ∧
∀r.
(let n ← r in n < arithmetic.BIT2 0) ⇔ m0.Mode2num (m0.num2Mode r) = r
⊦ ∀a0 a1 a0' a1'.
m0.recordtype.PRIMASK a0 a1 = m0.recordtype.PRIMASK a0' a1' ⇔
(a0 ⇔ a0') ∧ a1 = a1'
⊦ ∀a0 a1 a0' a1'.
m0.recordtype.SHPR2 a0 a1 = m0.recordtype.SHPR2 a0' a1' ⇔
a0 = a0' ∧ a1 = a1'
⊦ ∀a0 a1 a2.
m0.CONTROL_size (m0.recordtype.CONTROL a0 a1 a2) =
1 +
(basicSize.bool_size a0 +
(basicSize.bool_size a1 + basicSize.bool_size a2))
⊦ ∀b c b0 b1 b2 b3 c0. m0.PSR_C (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b
⊦ ∀b c b0 b1 b2 b3 c0. m0.PSR_N (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b0
⊦ ∀b c b0 b1 b2 b3 c0. m0.PSR_T (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b1
⊦ ∀b c b0 b1 b2 b3 c0. m0.PSR_V (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b2
⊦ ∀b c b0 b1 b2 b3 c0. m0.PSR_Z (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b3
⊦ ∀b c b0 b1 b2 b3 c0.
m0.PSR_ExceptionNumber (m0.recordtype.PSR b c b0 b1 b2 b3 c0) = c
⊦ ∀b c b0 b1 b2 b3 c0.
m0.PSR_psr'rst (m0.recordtype.PSR b c b0 b1 b2 b3 c0) = c0
⊦ ∀P.
(∀x. P x) ⇔
∀b0 b c.
P
(m0.CCR_STKALIGN_fupd (const b0)
(m0.CCR_UNALIGN_TRP_fupd (const b)
(m0.CCR_ccr'rst_fupd (const c) bool.ARB)))
⊦ ∀P.
(∃x. P x) ⇔
∃b0 b c.
P
(m0.CCR_STKALIGN_fupd (const b0)
(m0.CCR_UNALIGN_TRP_fupd (const b)
(m0.CCR_ccr'rst_fupd (const c) bool.ARB)))
⊦ ∀P.
(∀x. P x) ⇔
∀b1 b0 b.
P
(m0.CONTROL_SPSEL_fupd (const b1)
(m0.CONTROL_control'rst_fupd (const b0)
(m0.CONTROL_nPRIV_fupd (const b) bool.ARB)))
⊦ ∀P.
(∃x. P x) ⇔
∃b1 b0 b.
P
(m0.CONTROL_SPSEL_fupd (const b1)
(m0.CONTROL_control'rst_fupd (const b0)
(m0.CONTROL_nPRIV_fupd (const b) bool.ARB)))
⊦ ∀P.
(∀x. P x) ⇔
∀c1 c0 c.
P
(m0.SHPR3_PRI_14_fupd (const c1)
(m0.SHPR3_PRI_15_fupd (const c0)
(m0.SHPR3_shpr3'rst_fupd (const c) bool.ARB)))
⊦ ∀P.
(∃x. P x) ⇔
∃c1 c0 c.
P
(m0.SHPR3_PRI_14_fupd (const c1)
(m0.SHPR3_PRI_15_fupd (const c0)
(m0.SHPR3_shpr3'rst_fupd (const c) bool.ARB)))
⊦ ∀imm32.
m0.dfn'BranchTarget imm32 =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 3)) s)
(m0.BranchWritePC (words.word_add (m0.PC state) imm32) state)
⊦ (∀a. m0.num2SRType (m0.SRType2num a) = a) ∧
∀r.
(let n ← r in n < bit1 (arithmetic.BIT2 0)) ⇔
m0.SRType2num (m0.num2SRType r) = r
⊦ ∀x.
m0.reg'CONTROL x =
m0.CONTROL_CASE x
(λSPSEL control'rst nPRIV.
words.word_concat (bitstring.v2w (control'rst :: []))
(words.word_concat (bitstring.v2w (SPSEL :: []))
(bitstring.v2w (nPRIV :: []))))
⊦ ∀x. ∃b c b0 b1 b2 b3 c0. x = m0.recordtype.PSR b c b0 b1 b2 b3 c0
⊦ ∀r r'.
r < arithmetic.BIT2 0 ⇒ r' < arithmetic.BIT2 0 ⇒
(m0.num2Mode r = m0.num2Mode r' ⇔ r = r')
⊦ (∀a. m0.MachineCode_size (m0.Thumb a) = 1) ∧
∀a.
m0.MachineCode_size (m0.Thumb2 a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a
⊦ ∀w.
m0.boolify4 w =
(words.word_bit 3 w, words.word_bit (arithmetic.BIT2 0) w,
words.word_bit 1 w, words.word_bit 0 w)
⊦ (∀a. m0.num2RName (m0.RName2num a) = a) ∧
∀r.
(let n ← r in n < bit1 (arithmetic.BIT2 3)) ⇔
m0.RName2num (m0.num2RName r) = r
⊦ ∀a0 a1 a2 a3 a4 f.
m0.AIRCR_CASE (m0.recordtype.AIRCR a0 a1 a2 a3 a4) f = f a0 a1 a2 a3 a4
⊦ ∀C1 C2.
C1 = C2 ⇔
(m0.CCR_STKALIGN C1 ⇔ m0.CCR_STKALIGN C2) ∧
(m0.CCR_UNALIGN_TRP C1 ⇔ m0.CCR_UNALIGN_TRP C2) ∧
m0.CCR_ccr'rst C1 = m0.CCR_ccr'rst C2
⊦ ∀C1 C2.
C1 = C2 ⇔
(m0.CONTROL_SPSEL C1 ⇔ m0.CONTROL_SPSEL C2) ∧
(m0.CONTROL_control'rst C1 ⇔ m0.CONTROL_control'rst C2) ∧
(m0.CONTROL_nPRIV C1 ⇔ m0.CONTROL_nPRIV C2)
⊦ ∀S1 S2.
S1 = S2 ⇔
m0.SHPR3_PRI_14 S1 = m0.SHPR3_PRI_14 S2 ∧
m0.SHPR3_PRI_15 S1 = m0.SHPR3_PRI_15 S2 ∧
m0.SHPR3_shpr3'rst S1 = m0.SHPR3_shpr3'rst S2
⊦ ∀r r'.
r < bit1 (arithmetic.BIT2 0) ⇒ r' < bit1 (arithmetic.BIT2 0) ⇒
(m0.num2SRType r = m0.num2SRType r' ⇔ r = r')
⊦ ∀a0 a1 a2 a3 a4 f.
m0.IPR_CASE (m0.recordtype.IPR a0 a1 a2 a3 a4) f = f a0 a1 a2 a3 a4
⊦ (∀a. ¬(m0.ASSERT a = m0.NoException)) ∧
(∀a' a. ¬(m0.ASSERT a = m0.UNPREDICTABLE a')) ∧
∀a. ¬(m0.NoException = m0.UNPREDICTABLE a)
⊦ ∀f.
∃fn.
∀a0 a1 a2 a3 a4.
fn (m0.recordtype.AIRCR a0 a1 a2 a3 a4) = f a0 a1 a2 a3 a4
⊦ ∀f.
∃fn.
∀a0 a1 a2 a3 a4.
fn (m0.recordtype.IPR a0 a1 a2 a3 a4) = f a0 a1 a2 a3 a4
⊦ ∀b3 b2 b1 b0.
m0.bitify4 (b3, b2, b1, b0) =
bitstring.v2w (b3 :: b2 :: b1 :: b0 :: [])
⊦ ∀b3 b2 b1 b0.
m0.boolify4 (bitstring.v2w (b3 :: b2 :: b1 :: b0 :: [])) =
(b3, b2, b1, b0)
⊦ ∀mc.
m0.Decode mc =
λstate.
m0.MachineCode_CASE mc
(λh.
m0.DecodeThumb h
(m0.m0_state_pcinc_fupd
(const (words.n2w (arithmetic.BIT2 0))) state))
(λhs.
m0.DecodeThumb2 hs
(m0.m0_state_pcinc_fupd
(const (words.n2w (arithmetic.BIT2 1))) state))
⊦ ∀f b b0 b1 c c0.
m0.AIRCR_ENDIANNESS_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR (f b) b0 b1 c c0
⊦ ∀f b b0 b1 c c0.
m0.AIRCR_SYSRESETREQ_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b (f b0) b1 c c0
⊦ ∀f b b0 b1 c c0.
m0.AIRCR_VECTCLRACTIVE_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b b0 (f b1) c c0
⊦ ∀f c c0 c1 c2 c3.
m0.IPR_PRI_N0_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR (f c) c0 c1 c2 c3
⊦ ∀f c c0 c1 c2 c3.
m0.IPR_PRI_N1_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c (f c0) c1 c2 c3
⊦ ∀f c c0 c1 c2 c3.
m0.IPR_PRI_N2_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c c0 (f c1) c2 c3
⊦ ∀f c c0 c1 c2 c3.
m0.IPR_PRI_N3_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c c0 c1 (f c2) c3
⊦ ∀f b b0 b1 c c0.
m0.AIRCR_aircr'rst_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b b0 b1 c (f c0)
⊦ ∀f b b0 b1 c c0.
m0.AIRCR_VECTKEY_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b b0 b1 (f c) c0
⊦ ∀f c c0 c1 c2 c3.
m0.IPR_ipr'rst_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c c0 c1 c2 (f c3)
⊦ (∀a a'. m0.ASSERT a = m0.ASSERT a' ⇔ a = a') ∧
∀a a'. m0.UNPREDICTABLE a = m0.UNPREDICTABLE a' ⇔ a = a'
⊦ (∀a a'. m0.Thumb a = m0.Thumb a' ⇔ a = a') ∧
∀a a'. m0.Thumb2 a = m0.Thumb2 a' ⇔ a = a'
⊦ (∀a a'. m0.immediate_form a = m0.immediate_form a' ⇔ a = a') ∧
∀a a'. m0.register_form a = m0.register_form a' ⇔ a = a'
⊦ ∀P.
(∀a0 a1 a2 a3 a4 a5 a6. P (m0.recordtype.PSR a0 a1 a2 a3 a4 a5 a6)) ⇒
∀x. P x
⊦ ∀opc.
m0.ArithmeticOpcode opc ⇔
(words.word_bit (arithmetic.BIT2 0) opc ∨ words.word_bit 1 opc) ∧
¬(words.word_bit 3 opc ∧ words.word_bit (arithmetic.BIT2 0) opc)
⊦ (∀a f f1. m0.MachineCode_CASE (m0.Thumb a) f f1 = f a) ∧
∀a f f1. m0.MachineCode_CASE (m0.Thumb2 a) f f1 = f1 a
⊦ (∀a f f1. m0.offset_CASE (m0.immediate_form a) f f1 = f a) ∧
∀a f f1. m0.offset_CASE (m0.register_form a) f f1 = f1 a
⊦ ∀a0 a1 a2 a3 a4.
m0.AIRCR_size (m0.recordtype.AIRCR a0 a1 a2 a3 a4) =
1 +
(basicSize.bool_size a0 +
(basicSize.bool_size a1 + basicSize.bool_size a2))
⊦ ∀x.
(∃c. x = m0.BranchExchange c) ∨
(∃c. x = m0.BranchLinkExchangeRegister c) ∨
(∃c. x = m0.BranchLinkImmediate c) ∨ ∃c. x = m0.BranchTarget c
⊦ ∀x.
(∃b. x = m0.ChangeProcessorState b) ∨
(∃p. x = m0.MoveToRegisterFromSpecial p) ∨
(∃p. x = m0.MoveToSpecialRegister p) ∨ ∃c. x = m0.SupervisorCall c
⊦ ∀x.
m0.rec'SHPR2 x =
m0.recordtype.SHPR2
(words.word_extract 31
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))) x)
(words.word_extract
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))) 0
x)
⊦ ∀A.
∃b1 b0 b c0 c.
A =
m0.AIRCR_ENDIANNESS_fupd (const b1)
(m0.AIRCR_SYSRESETREQ_fupd (const b0)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b)
(m0.AIRCR_VECTKEY_fupd (const c0)
(m0.AIRCR_aircr'rst_fupd (const c) bool.ARB))))
⊦ ∀C b0 b c.
m0.CCR_STKALIGN_fupd (const b0)
(m0.CCR_UNALIGN_TRP_fupd (const b)
(m0.CCR_ccr'rst_fupd (const c) C)) =
m0.CCR_STKALIGN_fupd (const b0)
(m0.CCR_UNALIGN_TRP_fupd (const b)
(m0.CCR_ccr'rst_fupd (const c) bool.ARB))
⊦ ∀C b1 b0 b.
m0.CONTROL_SPSEL_fupd (const b1)
(m0.CONTROL_control'rst_fupd (const b0)
(m0.CONTROL_nPRIV_fupd (const b) C)) =
m0.CONTROL_SPSEL_fupd (const b1)
(m0.CONTROL_control'rst_fupd (const b0)
(m0.CONTROL_nPRIV_fupd (const b) bool.ARB))
⊦ ∀I.
∃c3 c2 c1 c0 c.
I =
m0.IPR_PRI_N0_fupd (const c3)
(m0.IPR_PRI_N1_fupd (const c2)
(m0.IPR_PRI_N2_fupd (const c1)
(m0.IPR_PRI_N3_fupd (const c0)
(m0.IPR_ipr'rst_fupd (const c) bool.ARB))))
⊦ ∀S c1 c0 c.
m0.SHPR3_PRI_14_fupd (const c1)
(m0.SHPR3_PRI_15_fupd (const c0)
(m0.SHPR3_shpr3'rst_fupd (const c) S)) =
m0.SHPR3_PRI_14_fupd (const c1)
(m0.SHPR3_PRI_15_fupd (const c0)
(m0.SHPR3_shpr3'rst_fupd (const c) bool.ARB))
⊦ ∀n.
m0.boolify4 (words.n2w n) =
bool.LET
(λn1.
bool.LET
(λn2.
bool.LET (λn3. (odd n3, odd n2, odd n1, odd n))
(arithmetic.DIV2 n2)) (arithmetic.DIV2 n1))
(arithmetic.DIV2 n)
⊦ ∀P.
(∀a. P (m0.BranchExchange a)) ∧
(∀a. P (m0.BranchLinkExchangeRegister a)) ∧
(∀a. P (m0.BranchLinkImmediate a)) ∧ (∀a. P (m0.BranchTarget a)) ⇒
∀x. P x
⊦ ∀P.
(∀a. P (m0.ChangeProcessorState a)) ∧
(∀a. P (m0.MoveToRegisterFromSpecial a)) ∧
(∀a. P (m0.MoveToSpecialRegister a)) ∧ (∀a. P (m0.SupervisorCall a)) ⇒
∀x. P x
⊦ ∀f0 f1 f2.
∃fn.
(∀a. fn (m0.ASSERT a) = f0 a) ∧ fn m0.NoException = f1 ∧
∀a. fn (m0.UNPREDICTABLE a) = f2 a
⊦ ∀x shift.
m0.ASR (x, shift) =
λstate.
if shift = 0 then (x, state)
else
bool.LET (pair.UNCURRY (λv s. (fst v, s)))
(m0.ASR_C (x, shift) state)
⊦ ∀x shift.
m0.LSL (x, shift) =
λstate.
if shift = 0 then (x, state)
else
bool.LET (pair.UNCURRY (λv s. (fst v, s)))
(m0.LSL_C (x, shift) state)
⊦ ∀x shift.
m0.LSR (x, shift) =
λstate.
if shift = 0 then (x, state)
else
bool.LET (pair.UNCURRY (λv s. (fst v, s)))
(m0.LSR_C (x, shift) state)
⊦ ∀x shift.
m0.ROR (x, shift) =
λstate.
if shift = 0 then (x, state)
else
bool.LET (pair.UNCURRY (λv s. (fst v, s)))
(m0.ROR_C (x, shift) state)
⊦ ∀n imm32.
m0.dfn'CompareImmediate (n, imm32) =
λstate.
m0.DataProcessing
(words.n2w (arithmetic.BIT2 (arithmetic.BIT2 1)), ⊤, bool.ARB, n,
imm32, m0.PSR_C (m0.m0_state_PSR state)) state
⊦ ∀M M' f.
M = M' ∧ (∀a. M' = m0.Multiply32 a ⇒ f a = f' a) ⇒
m0.Multiply_CASE M f = m0.Multiply_CASE M' f'
⊦ ∀r r'.
r < bit1 (arithmetic.BIT2 3) ⇒ r' < bit1 (arithmetic.BIT2 3) ⇒
(m0.num2RName r = m0.num2RName r' ⇔ r = r')
⊦ ∀x carry_in.
m0.RRX_C (x, carry_in) =
(bitstring.v2w
((carry_in :: []) @
bitstring.field (arithmetic.- (words.word_len (words.n2w 0)) 1) 1
(bitstring.w2v x)), words.word_bit 0 x)
⊦ ∀address.
m0.BLXWritePC address =
λstate.
m0.BranchTo
(words.word_concat (words.word_extract 31 1 address) (words.n2w 0))
(if ¬words.word_bit 0 address then m0.Raise m0.HardFault state
else state)
⊦ ∀P.
(∀a. P (m0.ExternalInterrupt a)) ∧ P m0.HardFault ∧ P m0.NMI ∧
P m0.PendSV ∧ P m0.Reset ∧ P m0.SVCall ∧ P m0.SysTick ⇒ ∀x. P x
⊦ ∀b1 c1 b2 c2.
m0.PRIMASK_PM_fupd (const b1)
(m0.PRIMASK_primask'rst_fupd (const c1) bool.ARB) =
m0.PRIMASK_PM_fupd (const b2)
(m0.PRIMASK_primask'rst_fupd (const c2) bool.ARB) ⇔
(b1 ⇔ b2) ∧ c1 = c2
⊦ ∀x.
m0.reg'SHPR3 x =
m0.SHPR3_CASE x
(λPRI_14 PRI_15 shpr3'rst.
words.word_concat PRI_15
(words.word_concat
(words.word_extract (bit1 (arithmetic.BIT2 0)) 0 shpr3'rst)
(words.word_concat PRI_14
(words.word_extract
(bit1 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (arithmetic.BIT2 0)) shpr3'rst))))
⊦ ∀c01 c1 c02 c2.
m0.SHPR2_PRI_11_fupd (const c01)
(m0.SHPR2_shpr2'rst_fupd (const c1) bool.ARB) =
m0.SHPR2_PRI_11_fupd (const c02)
(m0.SHPR2_shpr2'rst_fupd (const c2) bool.ARB) ⇔ c01 = c02 ∧ c1 = c2
⊦ (∀a.
m0.exception_size (m0.ASSERT a) =
1 + list.list_size string.char_size a) ∧
m0.exception_size m0.NoException = 0 ∧
∀a.
m0.exception_size (m0.UNPREDICTABLE a) =
1 + list.list_size string.char_size a
⊦ ∀im.
m0.dfn'ChangeProcessorState im =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(if m0.CurrentModeIsPrivileged () state then
m0.m0_state_PRIMASK_fupd
(const
(m0.PRIMASK_PM_fupd (const im)
(m0.m0_state_PRIMASK state))) state
else state))
⊦ ∀a0 a1 a2 a0' a1' a2'.
m0.recordtype.CONTROL a0 a1 a2 = m0.recordtype.CONTROL a0' a1' a2' ⇔
(a0 ⇔ a0') ∧ (a1 ⇔ a1') ∧ (a2 ⇔ a2')
⊦ ∀a0 a1 a2 a0' a1' a2'.
m0.recordtype.CCR a0 a1 a2 = m0.recordtype.CCR a0' a1' a2' ⇔
(a0 ⇔ a0') ∧ (a1 ⇔ a1') ∧ a2 = a2'
⊦ ∀a0 a1 a2 a0' a1' a2'.
m0.recordtype.SHPR3 a0 a1 a2 = m0.recordtype.SHPR3 a0' a1' a2' ⇔
a0 = a0' ∧ a1 = a1' ∧ a2 = a2'
⊦ m0.num2SRType 0 = m0.SRType_LSL ∧ m0.num2SRType 1 = m0.SRType_LSR ∧
m0.num2SRType (arithmetic.BIT2 0) = m0.SRType_ASR ∧
m0.num2SRType 3 = m0.SRType_ROR ∧
m0.num2SRType (arithmetic.BIT2 1) = m0.SRType_RRX
⊦ m0.SRType2num m0.SRType_LSL = 0 ∧ m0.SRType2num m0.SRType_LSR = 1 ∧
m0.SRType2num m0.SRType_ASR = arithmetic.BIT2 0 ∧
m0.SRType2num m0.SRType_ROR = 3 ∧
m0.SRType2num m0.SRType_RRX = arithmetic.BIT2 1
⊦ (∀f b c.
m0.PRIMASK_PM_fupd f (m0.recordtype.PRIMASK b c) =
m0.recordtype.PRIMASK (f b) c) ∧
∀f b c.
m0.PRIMASK_primask'rst_fupd f (m0.recordtype.PRIMASK b c) =
m0.recordtype.PRIMASK b (f c)
⊦ (∀f c c0.
m0.SHPR2_PRI_11_fupd f (m0.recordtype.SHPR2 c c0) =
m0.recordtype.SHPR2 (f c) c0) ∧
∀f c c0.
m0.SHPR2_shpr2'rst_fupd f (m0.recordtype.SHPR2 c c0) =
m0.recordtype.SHPR2 c (f c0)
⊦ ∀P.
(∀x. P x) ⇔
∀b1 b0 b c0 c.
P
(m0.AIRCR_ENDIANNESS_fupd (const b1)
(m0.AIRCR_SYSRESETREQ_fupd (const b0)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b)
(m0.AIRCR_VECTKEY_fupd (const c0)
(m0.AIRCR_aircr'rst_fupd (const c) bool.ARB)))))
⊦ ∀P.
(∃x. P x) ⇔
∃b1 b0 b c0 c.
P
(m0.AIRCR_ENDIANNESS_fupd (const b1)
(m0.AIRCR_SYSRESETREQ_fupd (const b0)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b)
(m0.AIRCR_VECTKEY_fupd (const c0)
(m0.AIRCR_aircr'rst_fupd (const c) bool.ARB)))))
⊦ ∀P.
(∀x. P x) ⇔
∀c3 c2 c1 c0 c.
P
(m0.IPR_PRI_N0_fupd (const c3)
(m0.IPR_PRI_N1_fupd (const c2)
(m0.IPR_PRI_N2_fupd (const c1)
(m0.IPR_PRI_N3_fupd (const c0)
(m0.IPR_ipr'rst_fupd (const c) bool.ARB)))))
⊦ ∀P.
(∃x. P x) ⇔
∃c3 c2 c1 c0 c.
P
(m0.IPR_PRI_N0_fupd (const c3)
(m0.IPR_PRI_N1_fupd (const c2)
(m0.IPR_PRI_N2_fupd (const c1)
(m0.IPR_PRI_N3_fupd (const c0)
(m0.IPR_ipr'rst_fupd (const c) bool.ARB)))))
⊦ ∀a0 a1 a2 a3 a4 a5 a6 f.
m0.PSR_CASE (m0.recordtype.PSR a0 a1 a2 a3 a4 a5 a6) f =
f a0 a1 a2 a3 a4 a5 a6
⊦ ∀x.
(∃c. x = m0.ExternalInterrupt c) ∨ x = m0.HardFault ∨ x = m0.NMI ∨
x = m0.PendSV ∨ x = m0.Reset ∨ x = m0.SVCall ∨ x = m0.SysTick
⊦ ∀value typ amount carry_in.
m0.Shift (value, typ, amount, carry_in) =
λstate.
bool.LET (pair.UNCURRY (λv s. (fst v, s)))
(m0.Shift_C (value, typ, amount, carry_in) state)
⊦ ∀f.
∃fn.
∀a0 a1 a2 a3 a4 a5 a6.
fn (m0.recordtype.PSR a0 a1 a2 a3 a4 a5 a6) =
f a0 a1 a2 a3 a4 a5 a6
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_C_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR (f b) c b0 b1 b2 b3 c0
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_N_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c (f b0) b1 b2 b3 c0
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_T_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 (f b1) b2 b3 c0
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_V_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 b1 (f b2) b3 c0
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_Z_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 b1 b2 (f b3) c0
⊦ ∀opc n m.
m0.dfn'TestCompareRegister (opc, n, m) =
λstate.
m0.doRegister
(words.word_concat (words.n2w (arithmetic.BIT2 0)) opc, ⊤,
words.n2w 0, n, m, m0.SRType_LSL, 0) state
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_ExceptionNumber_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b (f c) b0 b1 b2 b3 c0
⊦ ∀f b c b0 b1 b2 b3 c0.
m0.PSR_psr'rst_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 b1 b2 b3 (f c0)
⊦ (∀g f P.
m0.PRIMASK_PM_fupd f (m0.PRIMASK_PM_fupd g P) =
m0.PRIMASK_PM_fupd (f ∘ g) P) ∧
∀g f P.
m0.PRIMASK_primask'rst_fupd f (m0.PRIMASK_primask'rst_fupd g P) =
m0.PRIMASK_primask'rst_fupd (f ∘ g) P
⊦ (∀g f S.
m0.SHPR2_PRI_11_fupd f (m0.SHPR2_PRI_11_fupd g S) =
m0.SHPR2_PRI_11_fupd (f ∘ g) S) ∧
∀g f S.
m0.SHPR2_shpr2'rst_fupd f (m0.SHPR2_shpr2'rst_fupd g S) =
m0.SHPR2_shpr2'rst_fupd (f ∘ g) S
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1. M' = m0.recordtype.PRIMASK a0 a1 ⇒ f a0 a1 = f' a0 a1) ⇒
m0.PRIMASK_CASE M f = m0.PRIMASK_CASE M' f'
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1. M' = m0.recordtype.SHPR2 a0 a1 ⇒ f a0 a1 = f' a0 a1) ⇒
m0.SHPR2_CASE M f = m0.SHPR2_CASE M' f'
⊦ ∀P.
(∀a. P (m0.LoadByte a)) ∧ (∀a. P (m0.LoadHalf a)) ∧
(∀a. P (m0.LoadLiteral a)) ∧ (∀a. P (m0.LoadMultiple a)) ∧
(∀a. P (m0.LoadWord a)) ⇒ ∀x. P x
⊦ ∀P.
(∀a. P (m0.ByteReverse a)) ∧ (∀a. P (m0.ByteReversePackedHalfword a)) ∧
(∀a. P (m0.ByteReverseSignedHalfword a)) ∧ (∀a. P (m0.ExtendByte a)) ∧
(∀a. P (m0.ExtendHalfword a)) ⇒ ∀x. P x
⊦ ∀P.
(∀a. P (m0.Push a)) ∧ (∀a. P (m0.StoreByte a)) ∧
(∀a. P (m0.StoreHalf a)) ∧ (∀a. P (m0.StoreMultiple a)) ∧
(∀a. P (m0.StoreWord a)) ⇒ ∀x. P x
⊦ ∀d imm32.
m0.dfn'Move (d, imm32) =
λstate.
m0.DataProcessing
(words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))), ⊤, d,
words.n2w 15, imm32, m0.PSR_C (m0.m0_state_PSR state)) state
⊦ ∀x0 x1 x2 x3 x4.
∃f.
f m0.SRType_LSL = x0 ∧ f m0.SRType_LSR = x1 ∧ f m0.SRType_ASR = x2 ∧
f m0.SRType_ROR = x3 ∧ f m0.SRType_RRX = x4
⊦ ∀x.
(∃p. x = m0.LoadByte p) ∨ (∃p. x = m0.LoadHalf p) ∨
(∃p. x = m0.LoadLiteral p) ∨ (∃p. x = m0.LoadMultiple p) ∨
∃p. x = m0.LoadWord p
⊦ ∀x.
(∃p. x = m0.ByteReverse p) ∨ (∃p. x = m0.ByteReversePackedHalfword p) ∨
(∃p. x = m0.ByteReverseSignedHalfword p) ∨ (∃p. x = m0.ExtendByte p) ∨
∃p. x = m0.ExtendHalfword p
⊦ ∀x.
(∃c. x = m0.Push c) ∨ (∃p. x = m0.StoreByte p) ∨
(∃p. x = m0.StoreHalf p) ∨ (∃p. x = m0.StoreMultiple p) ∨
∃p. x = m0.StoreWord p
⊦ (∀a. m0.Branch_size (m0.BranchExchange a) = 1) ∧
(∀a. m0.Branch_size (m0.BranchLinkExchangeRegister a) = 1) ∧
(∀a. m0.Branch_size (m0.BranchLinkImmediate a) = 1) ∧
∀a. m0.Branch_size (m0.BranchTarget a) = 1
⊦ ∀opc setflags d n m.
m0.dfn'Register (opc, setflags, d, n, m) =
λstate. m0.doRegister (opc, setflags, d, n, m, m0.SRType_LSL, 0) state
⊦ ∀opc setflags d n imm32.
m0.dfn'ArithLogicImmediate (opc, setflags, d, n, imm32) =
λstate.
m0.DataProcessing
(opc, setflags, d, n, imm32, m0.PSR_C (m0.m0_state_PSR state))
state
⊦ ∀w.
m0.BitCount w =
fst
(snd
(state_transformer.FOR
(0, arithmetic.- (words.word_len (words.n2w 0)) 1,
(λi state.
((),
(if words.word_bit i w then (fst state + 1, ())
else state)))) (0, ())))
⊦ (∀g f.
m0.PRIMASK_primask'rst_fupd f ∘ m0.PRIMASK_PM_fupd g =
m0.PRIMASK_PM_fupd g ∘ m0.PRIMASK_primask'rst_fupd f) ∧
∀h g f.
m0.PRIMASK_primask'rst_fupd f ∘ (m0.PRIMASK_PM_fupd g ∘ h) =
m0.PRIMASK_PM_fupd g ∘ (m0.PRIMASK_primask'rst_fupd f ∘ h)
⊦ (∀g f.
m0.SHPR2_shpr2'rst_fupd f ∘ m0.SHPR2_PRI_11_fupd g =
m0.SHPR2_PRI_11_fupd g ∘ m0.SHPR2_shpr2'rst_fupd f) ∧
∀h g f.
m0.SHPR2_shpr2'rst_fupd f ∘ (m0.SHPR2_PRI_11_fupd g ∘ h) =
m0.SHPR2_PRI_11_fupd g ∘ (m0.SHPR2_shpr2'rst_fupd f ∘ h)
⊦ ∀M M' v0 v1.
M = M' ∧ (M' = m0.Mode_Thread ⇒ v0 = v0') ∧
(M' = m0.Mode_Handler ⇒ v1 = v1') ⇒
m0.Mode_CASE M v0 v1 = m0.Mode_CASE M' v0' v1'
⊦ ∀A1 A2.
A1 = A2 ⇔
(m0.AIRCR_ENDIANNESS A1 ⇔ m0.AIRCR_ENDIANNESS A2) ∧
(m0.AIRCR_SYSRESETREQ A1 ⇔ m0.AIRCR_SYSRESETREQ A2) ∧
(m0.AIRCR_VECTCLRACTIVE A1 ⇔ m0.AIRCR_VECTCLRACTIVE A2) ∧
m0.AIRCR_VECTKEY A1 = m0.AIRCR_VECTKEY A2 ∧
m0.AIRCR_aircr'rst A1 = m0.AIRCR_aircr'rst A2
⊦ ∀I1 I2.
I1 = I2 ⇔
m0.IPR_PRI_N0 I1 = m0.IPR_PRI_N0 I2 ∧
m0.IPR_PRI_N1 I1 = m0.IPR_PRI_N1 I2 ∧
m0.IPR_PRI_N2 I1 = m0.IPR_PRI_N2 I2 ∧
m0.IPR_PRI_N3 I1 = m0.IPR_PRI_N3 I2 ∧
m0.IPR_ipr'rst I1 = m0.IPR_ipr'rst I2
⊦ ∀P.
∃b3 c0 b2 b1 b0 b c.
P =
m0.PSR_C_fupd (const b3)
(m0.PSR_ExceptionNumber_fupd (const c0)
(m0.PSR_N_fupd (const b2)
(m0.PSR_T_fupd (const b1)
(m0.PSR_V_fupd (const b0)
(m0.PSR_Z_fupd (const b)
(m0.PSR_psr'rst_fupd (const c) bool.ARB))))))
⊦ ∀typ.
m0.DecodeRegShift typ =
bool.literal_case
(λv.
if v = words.n2w 0 then m0.SRType_LSL
else if v = words.n2w 1 then m0.SRType_LSR
else if v = words.n2w (arithmetic.BIT2 0) then m0.SRType_ASR
else if v = words.n2w 3 then m0.SRType_ROR
else bool.ARB) typ
⊦ (∀b b0 b1. m0.CONTROL_SPSEL (m0.recordtype.CONTROL b b0 b1) ⇔ b) ∧
(∀b b0 b1. m0.CONTROL_control'rst (m0.recordtype.CONTROL b b0 b1) ⇔ b0) ∧
∀b b0 b1. m0.CONTROL_nPRIV (m0.recordtype.CONTROL b b0 b1) ⇔ b1
⊦ (∀b b0 c. m0.CCR_STKALIGN (m0.recordtype.CCR b b0 c) ⇔ b) ∧
(∀b b0 c. m0.CCR_UNALIGN_TRP (m0.recordtype.CCR b b0 c) ⇔ b0) ∧
∀b b0 c. m0.CCR_ccr'rst (m0.recordtype.CCR b b0 c) = c
⊦ (∀c c0 c1. m0.SHPR3_PRI_14 (m0.recordtype.SHPR3 c c0 c1) = c) ∧
(∀c c0 c1. m0.SHPR3_PRI_15 (m0.recordtype.SHPR3 c c0 c1) = c0) ∧
∀c c0 c1. m0.SHPR3_shpr3'rst (m0.recordtype.SHPR3 c c0 c1) = c1
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2.
M' = m0.recordtype.CCR a0 a1 a2 ⇒ f a0 a1 a2 = f' a0 a1 a2) ⇒
m0.CCR_CASE M f = m0.CCR_CASE M' f'
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2.
M' = m0.recordtype.CONTROL a0 a1 a2 ⇒ f a0 a1 a2 = f' a0 a1 a2) ⇒
m0.CONTROL_CASE M f = m0.CONTROL_CASE M' f'
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2.
M' = m0.recordtype.SHPR3 a0 a1 a2 ⇒ f a0 a1 a2 = f' a0 a1 a2) ⇒
m0.SHPR3_CASE M f = m0.SHPR3_CASE M' f'
⊦ ∀a0 a1 a2 a3 a4 a5 a6.
m0.PSR_size (m0.recordtype.PSR a0 a1 a2 a3 a4 a5 a6) =
1 +
(basicSize.bool_size a0 +
(basicSize.bool_size a2 +
(basicSize.bool_size a3 +
(basicSize.bool_size a4 + basicSize.bool_size a5))))
⊦ (∀a. m0.ARM_Exception_size (m0.ExternalInterrupt a) = 1) ∧
m0.ARM_Exception_size m0.HardFault = 0 ∧
m0.ARM_Exception_size m0.NMI = 0 ∧ m0.ARM_Exception_size m0.PendSV = 0 ∧
m0.ARM_Exception_size m0.Reset = 0 ∧
m0.ARM_Exception_size m0.SVCall = 0 ∧
m0.ARM_Exception_size m0.SysTick = 0
⊦ ∀unsigned d m.
m0.dfn'ExtendByte (unsigned, d, m) =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(m0.write'R
(m0.Extend (unsigned, words.word_extract 7 0 (m0.R m state)),
d) state))
⊦ ∀P0.
(∀P. P0 P) ⇔
∀b3 c0 b2 b1 b0 b c.
P0
(m0.PSR_C_fupd (const b3)
(m0.PSR_ExceptionNumber_fupd (const c0)
(m0.PSR_N_fupd (const b2)
(m0.PSR_T_fupd (const b1)
(m0.PSR_V_fupd (const b0)
(m0.PSR_Z_fupd (const b)
(m0.PSR_psr'rst_fupd (const c) bool.ARB)))))))
⊦ ∀P0.
(∃P. P0 P) ⇔
∃b3 c0 b2 b1 b0 b c.
P0
(m0.PSR_C_fupd (const b3)
(m0.PSR_ExceptionNumber_fupd (const c0)
(m0.PSR_N_fupd (const b2)
(m0.PSR_T_fupd (const b1)
(m0.PSR_V_fupd (const b0)
(m0.PSR_Z_fupd (const b)
(m0.PSR_psr'rst_fupd (const c) bool.ARB)))))))
⊦ ∀unsigned d m.
m0.dfn'ExtendHalfword (unsigned, d, m) =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(m0.write'R
(m0.Extend
(unsigned, words.word_extract 15 0 (m0.R m state)), d)
state))
⊦ ∀f0 f1 f2 f3.
∃fn.
(∀a. fn (m0.ChangeProcessorState a) = f0 a) ∧
(∀a. fn (m0.MoveToRegisterFromSpecial a) = f1 a) ∧
(∀a. fn (m0.MoveToSpecialRegister a) = f2 a) ∧
∀a. fn (m0.SupervisorCall a) = f3 a
⊦ ∀m.
m0.dfn'BranchLinkExchangeRegister m =
λstate.
bool.LET
(λs. m0.m0_state_count_fupd (const (m0.m0_state_count s + 3)) s)
(m0.BLXWritePC (m0.R m state)
(m0.write'LR
(words.word_concat
(words.word_extract 31 1
(words.word_sub (m0.PC state)
(words.n2w (arithmetic.BIT2 0)))) (words.n2w 1))
state))
⊦ ∀f0 f1 f2 f3.
∃fn.
(∀a. fn (m0.BranchExchange a) = f0 a) ∧
(∀a. fn (m0.BranchLinkExchangeRegister a) = f1 a) ∧
(∀a. fn (m0.BranchLinkImmediate a) = f2 a) ∧
∀a. fn (m0.BranchTarget a) = f3 a
⊦ ∀e.
m0.ExcNumber e =
m0.ARM_Exception_CASE e
(λn. words.word_add (words.n2w (arithmetic.BIT2 7)) n) (words.n2w 3)
(words.n2w (arithmetic.BIT2 0))
(words.n2w (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))))
(words.n2w 1) (words.n2w (bit1 (bit1 (arithmetic.BIT2 0))))
(words.n2w 15)
⊦ ∀b11 b01 b1 b12 b02 b2.
m0.CONTROL_SPSEL_fupd (const b11)
(m0.CONTROL_control'rst_fupd (const b01)
(m0.CONTROL_nPRIV_fupd (const b1) bool.ARB)) =
m0.CONTROL_SPSEL_fupd (const b12)
(m0.CONTROL_control'rst_fupd (const b02)
(m0.CONTROL_nPRIV_fupd (const b2) bool.ARB)) ⇔
(b11 ⇔ b12) ∧ (b01 ⇔ b02) ∧ (b1 ⇔ b2)
⊦ ∀b01 b1 c1 b02 b2 c2.
m0.CCR_STKALIGN_fupd (const b01)
(m0.CCR_UNALIGN_TRP_fupd (const b1)
(m0.CCR_ccr'rst_fupd (const c1) bool.ARB)) =
m0.CCR_STKALIGN_fupd (const b02)
(m0.CCR_UNALIGN_TRP_fupd (const b2)
(m0.CCR_ccr'rst_fupd (const c2) bool.ARB)) ⇔
(b01 ⇔ b02) ∧ (b1 ⇔ b2) ∧ c1 = c2
⊦ ∀A b1 b0 b c0 c.
m0.AIRCR_ENDIANNESS_fupd (const b1)
(m0.AIRCR_SYSRESETREQ_fupd (const b0)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b)
(m0.AIRCR_VECTKEY_fupd (const c0)
(m0.AIRCR_aircr'rst_fupd (const c) A)))) =
m0.AIRCR_ENDIANNESS_fupd (const b1)
(m0.AIRCR_SYSRESETREQ_fupd (const b0)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b)
(m0.AIRCR_VECTKEY_fupd (const c0)
(m0.AIRCR_aircr'rst_fupd (const c) bool.ARB))))
⊦ ∀I c3 c2 c1 c0 c.
m0.IPR_PRI_N0_fupd (const c3)
(m0.IPR_PRI_N1_fupd (const c2)
(m0.IPR_PRI_N2_fupd (const c1)
(m0.IPR_PRI_N3_fupd (const c0)
(m0.IPR_ipr'rst_fupd (const c) I)))) =
m0.IPR_PRI_N0_fupd (const c3)
(m0.IPR_PRI_N1_fupd (const c2)
(m0.IPR_PRI_N2_fupd (const c1)
(m0.IPR_PRI_N3_fupd (const c0)
(m0.IPR_ipr'rst_fupd (const c) bool.ARB))))
⊦ ∀c11 c01 c1 c12 c02 c2.
m0.SHPR3_PRI_14_fupd (const c11)
(m0.SHPR3_PRI_15_fupd (const c01)
(m0.SHPR3_shpr3'rst_fupd (const c1) bool.ARB)) =
m0.SHPR3_PRI_14_fupd (const c12)
(m0.SHPR3_PRI_15_fupd (const c02)
(m0.SHPR3_shpr3'rst_fupd (const c2) bool.ARB)) ⇔
c11 = c12 ∧ c01 = c02 ∧ c1 = c2
⊦ ∀t imm32.
m0.dfn'LoadLiteral (t, imm32) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 0)) s)
(m0.IncPC () (m0.write'R (v, t) s))))
(m0.MemU
(words.word_add (m0.Align (m0.PC state, arithmetic.BIT2 1))
imm32, arithmetic.BIT2 1) state)
⊦ ∀P.
(∀a. P (m0.ArithLogicImmediate a)) ∧ (∀a. P (m0.CompareImmediate a)) ∧
(∀a. P (m0.Move a)) ∧ (∀a. P (m0.Register a)) ∧
(∀a. P (m0.ShiftImmediate a)) ∧ (∀a. P (m0.ShiftRegister a)) ∧
(∀a. P (m0.TestCompareRegister a)) ⇒ ∀x. P x
⊦ (∀a f v f1. m0.exception_CASE (m0.ASSERT a) f v f1 = f a) ∧
(∀f v f1. m0.exception_CASE m0.NoException f v f1 = v) ∧
∀a f v f1. m0.exception_CASE (m0.UNPREDICTABLE a) f v f1 = f1 a
⊦ ∀M M' f f1.
M = M' ∧ (∀a. M' = m0.immediate_form a ⇒ f a = f' a) ∧
(∀a. M' = m0.register_form a ⇒ f1 a = f1' a) ⇒
m0.offset_CASE M f f1 = m0.offset_CASE M' f' f1'
⊦ ∀x.
m0.reg'AIRCR x =
m0.AIRCR_CASE x
(λENDIANNESS SYSRESETREQ VECTCLRACTIVE VECTKEY aircr'rst.
words.word_concat VECTKEY
(words.word_concat (bitstring.v2w (ENDIANNESS :: []))
(words.word_concat
(words.word_extract (bit1 (bit1 (arithmetic.BIT2 0))) 0
aircr'rst)
(words.word_concat (bitstring.v2w (SYSRESETREQ :: []))
(words.word_concat
(bitstring.v2w (VECTCLRACTIVE :: []))
(words.word_extract
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))
aircr'rst))))))
⊦ ∀M M' f f1.
M = M' ∧ (∀a. M' = m0.Thumb a ⇒ f a = f' a) ∧
(∀a. M' = m0.Thumb2 a ⇒ f1 a = f1' a) ⇒
m0.MachineCode_CASE M f f1 = m0.MachineCode_CASE M' f' f1'
⊦ ∀x.
m0.rec'CCR x =
m0.recordtype.CCR (words.word_bit (bit1 (arithmetic.BIT2 1)) x)
(words.word_bit 3 x)
(words.word_concat (words.word_extract (arithmetic.BIT2 0) 0 x)
(words.word_concat
(words.word_extract (arithmetic.BIT2 3) (arithmetic.BIT2 1) x)
(words.word_extract 31 (arithmetic.BIT2 (arithmetic.BIT2 1))
x)))
⊦ (∀f S.
m0.SHPR2_PRI_11 (m0.SHPR2_shpr2'rst_fupd f S) = m0.SHPR2_PRI_11 S) ∧
(∀f S.
m0.SHPR2_shpr2'rst (m0.SHPR2_PRI_11_fupd f S) =
m0.SHPR2_shpr2'rst S) ∧
(∀f S.
m0.SHPR2_PRI_11 (m0.SHPR2_PRI_11_fupd f S) = f (m0.SHPR2_PRI_11 S)) ∧
∀f S.
m0.SHPR2_shpr2'rst (m0.SHPR2_shpr2'rst_fupd f S) =
f (m0.SHPR2_shpr2'rst S)
⊦ (∀f P.
m0.PRIMASK_PM (m0.PRIMASK_primask'rst_fupd f P) ⇔ m0.PRIMASK_PM P) ∧
(∀f P.
m0.PRIMASK_primask'rst (m0.PRIMASK_PM_fupd f P) =
m0.PRIMASK_primask'rst P) ∧
(∀f P. m0.PRIMASK_PM (m0.PRIMASK_PM_fupd f P) ⇔ f (m0.PRIMASK_PM P)) ∧
∀f P.
m0.PRIMASK_primask'rst (m0.PRIMASK_primask'rst_fupd f P) =
f (m0.PRIMASK_primask'rst P)
⊦ ∀x v0 v1 v2 v3 v4.
m0.SRType_CASE x v0 v1 v2 v3 v4 =
let m ← m0.SRType2num x in
if m < arithmetic.BIT2 0 then if m = 0 then v0 else v1
else if m < 3 then v2
else if m = 3 then v3
else v4
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2 a3 a4.
M' = m0.recordtype.AIRCR a0 a1 a2 a3 a4 ⇒
f a0 a1 a2 a3 a4 = f' a0 a1 a2 a3 a4) ⇒
m0.AIRCR_CASE M f = m0.AIRCR_CASE M' f'
⊦ ∀x.
(∃p. x = m0.ArithLogicImmediate p) ∨ (∃p. x = m0.CompareImmediate p) ∨
(∃p. x = m0.Move p) ∨ (∃p. x = m0.Register p) ∨
(∃p. x = m0.ShiftImmediate p) ∨ (∃p. x = m0.ShiftRegister p) ∨
∃p. x = m0.TestCompareRegister p
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2 a3 a4.
M' = m0.recordtype.IPR a0 a1 a2 a3 a4 ⇒
f a0 a1 a2 a3 a4 = f' a0 a1 a2 a3 a4) ⇒
m0.IPR_CASE M f = m0.IPR_CASE M' f'
⊦ ∀imm32.
m0.dfn'BranchLinkImmediate imm32 =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 1)) s)
(m0.BranchWritePC (words.word_add v imm32) s)))
(bool.LET (λs0. (m0.PC s0, s0))
(m0.write'LR
(words.word_concat (words.word_extract 31 1 (m0.PC state))
(words.n2w 1)) state))
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_exception
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = e
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_AIRCR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = A
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CCR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = C
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CONTROL
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
C0
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CurrentMode
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = M
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PRIMASK
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = P
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PSR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
P0
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR2
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = S
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
S0
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_count
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = n
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pending
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = o
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_NVIC_IPR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f1
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_ExceptionActive
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = f
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_VTOR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = c
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pcinc
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
c0
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_REG
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f2
⊦ ∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_MEM
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f0
⊦ ∀address size.
m0.MemA (address, size) =
λstate.
if ¬m0.Aligned (address, size) then
(bool.ARB, m0.Raise m0.HardFault state)
else
bool.LET
(pair.UNCURRY
(λv s.
bool.LET (pair.UNCURRY (λv s. (bitstring.v2w v, s)))
(if m0.AIRCR_ENDIANNESS (m0.m0_state_AIRCR s) then
m0.BigEndianReverse (v, size) s
else (v, s)))) (m0.mem (address, size) state)
⊦ ∀x.
∃A C' C0 M f f0 f1 P0 P1 f2 S' S0 c n e c0 o'.
x =
m0.recordtype.m0_state A C' C0 M f f0 f1 P0 P1 f2 S' S0 c n e c0 o'
⊦ ∀x.
m0.rec'AIRCR x =
m0.recordtype.AIRCR (words.word_bit 15 x)
(words.word_bit (arithmetic.BIT2 0) x) (words.word_bit 1 x)
(words.word_extract 31 (arithmetic.BIT2 7) x)
(words.word_concat (words.word_extract 0 0 x)
(words.word_extract
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))) 3 x))
⊦ ∀a0 a1 a2 a3 a4 a0' a1' a2' a3' a4'.
m0.recordtype.AIRCR a0 a1 a2 a3 a4 =
m0.recordtype.AIRCR a0' a1' a2' a3' a4' ⇔
(a0 ⇔ a0') ∧ (a1 ⇔ a1') ∧ (a2 ⇔ a2') ∧ a3 = a3' ∧ a4 = a4'
⊦ ∀P1 P2.
P1 = P2 ⇔
(m0.PSR_C P1 ⇔ m0.PSR_C P2) ∧
m0.PSR_ExceptionNumber P1 = m0.PSR_ExceptionNumber P2 ∧
(m0.PSR_N P1 ⇔ m0.PSR_N P2) ∧ (m0.PSR_T P1 ⇔ m0.PSR_T P2) ∧
(m0.PSR_V P1 ⇔ m0.PSR_V P2) ∧ (m0.PSR_Z P1 ⇔ m0.PSR_Z P2) ∧
m0.PSR_psr'rst P1 = m0.PSR_psr'rst P2
⊦ ∀a0 a1 a2 a3 a4 a0' a1' a2' a3' a4'.
m0.recordtype.IPR a0 a1 a2 a3 a4 =
m0.recordtype.IPR a0' a1' a2' a3' a4' ⇔
a0 = a0' ∧ a1 = a1' ∧ a2 = a2' ∧ a3 = a3' ∧ a4 = a4'
⊦ (∀a.
m0.System_size (m0.ChangeProcessorState a) =
1 + basicSize.bool_size a) ∧
(∀a.
m0.System_size (m0.MoveToRegisterFromSpecial a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.System_size (m0.MoveToSpecialRegister a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
∀a. m0.System_size (m0.SupervisorCall a) = 1
⊦ ∀d m.
m0.dfn'ByteReverseSignedHalfword (d, m) =
λstate.
bool.LET
(λv.
bool.LET
(λs.
m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(m0.write'R
(words.word_concat
(words.sw2sw (words.word_extract 7 0 v))
(words.word_extract 15 (arithmetic.BIT2 3) v), d)
state))) (m0.R m state)
⊦ (∀g f C.
m0.CCR_STKALIGN_fupd f (m0.CCR_STKALIGN_fupd g C) =
m0.CCR_STKALIGN_fupd (f ∘ g) C) ∧
(∀g f C.
m0.CCR_UNALIGN_TRP_fupd f (m0.CCR_UNALIGN_TRP_fupd g C) =
m0.CCR_UNALIGN_TRP_fupd (f ∘ g) C) ∧
∀g f C.
m0.CCR_ccr'rst_fupd f (m0.CCR_ccr'rst_fupd g C) =
m0.CCR_ccr'rst_fupd (f ∘ g) C
⊦ (∀g f C.
m0.CCR_UNALIGN_TRP_fupd f (m0.CCR_STKALIGN_fupd g C) =
m0.CCR_STKALIGN_fupd g (m0.CCR_UNALIGN_TRP_fupd f C)) ∧
(∀g f C.
m0.CCR_ccr'rst_fupd f (m0.CCR_STKALIGN_fupd g C) =
m0.CCR_STKALIGN_fupd g (m0.CCR_ccr'rst_fupd f C)) ∧
∀g f C.
m0.CCR_ccr'rst_fupd f (m0.CCR_UNALIGN_TRP_fupd g C) =
m0.CCR_UNALIGN_TRP_fupd g (m0.CCR_ccr'rst_fupd f C)
⊦ (∀g f C.
m0.CONTROL_SPSEL_fupd f (m0.CONTROL_SPSEL_fupd g C) =
m0.CONTROL_SPSEL_fupd (f ∘ g) C) ∧
(∀g f C.
m0.CONTROL_control'rst_fupd f (m0.CONTROL_control'rst_fupd g C) =
m0.CONTROL_control'rst_fupd (f ∘ g) C) ∧
∀g f C.
m0.CONTROL_nPRIV_fupd f (m0.CONTROL_nPRIV_fupd g C) =
m0.CONTROL_nPRIV_fupd (f ∘ g) C
⊦ (∀g f C.
m0.CONTROL_control'rst_fupd f (m0.CONTROL_SPSEL_fupd g C) =
m0.CONTROL_SPSEL_fupd g (m0.CONTROL_control'rst_fupd f C)) ∧
(∀g f C.
m0.CONTROL_nPRIV_fupd f (m0.CONTROL_SPSEL_fupd g C) =
m0.CONTROL_SPSEL_fupd g (m0.CONTROL_nPRIV_fupd f C)) ∧
∀g f C.
m0.CONTROL_nPRIV_fupd f (m0.CONTROL_control'rst_fupd g C) =
m0.CONTROL_control'rst_fupd g (m0.CONTROL_nPRIV_fupd f C)
⊦ (∀g f S.
m0.SHPR3_PRI_14_fupd f (m0.SHPR3_PRI_14_fupd g S) =
m0.SHPR3_PRI_14_fupd (f ∘ g) S) ∧
(∀g f S.
m0.SHPR3_PRI_15_fupd f (m0.SHPR3_PRI_15_fupd g S) =
m0.SHPR3_PRI_15_fupd (f ∘ g) S) ∧
∀g f S.
m0.SHPR3_shpr3'rst_fupd f (m0.SHPR3_shpr3'rst_fupd g S) =
m0.SHPR3_shpr3'rst_fupd (f ∘ g) S
⊦ (∀g f S.
m0.SHPR3_PRI_15_fupd f (m0.SHPR3_PRI_14_fupd g S) =
m0.SHPR3_PRI_14_fupd g (m0.SHPR3_PRI_15_fupd f S)) ∧
(∀g f S.
m0.SHPR3_shpr3'rst_fupd f (m0.SHPR3_PRI_14_fupd g S) =
m0.SHPR3_PRI_14_fupd g (m0.SHPR3_shpr3'rst_fupd f S)) ∧
∀g f S.
m0.SHPR3_shpr3'rst_fupd f (m0.SHPR3_PRI_15_fupd g S) =
m0.SHPR3_PRI_15_fupd g (m0.SHPR3_shpr3'rst_fupd f S)
⊦ ∀P.
(∀a. P (m0.Breakpoint a)) ∧ (∀a. P (m0.DataMemoryBarrier a)) ∧
(∀a. P (m0.DataSynchronizationBarrier a)) ∧
(∀a. P (m0.InstructionSynchronizationBarrier a)) ∧
(∀a. P (m0.SendEvent a)) ∧ (∀a. P (m0.WaitForEvent a)) ∧
(∀a. P (m0.WaitForInterrupt a)) ∧ (∀a. P (m0.Yield a)) ⇒ ∀x. P x
⊦ ¬(m0.SRType_LSL = m0.SRType_LSR) ∧ ¬(m0.SRType_LSL = m0.SRType_ASR) ∧
¬(m0.SRType_LSL = m0.SRType_ROR) ∧ ¬(m0.SRType_LSL = m0.SRType_RRX) ∧
¬(m0.SRType_LSR = m0.SRType_ASR) ∧ ¬(m0.SRType_LSR = m0.SRType_ROR) ∧
¬(m0.SRType_LSR = m0.SRType_RRX) ∧ ¬(m0.SRType_ASR = m0.SRType_ROR) ∧
¬(m0.SRType_ASR = m0.SRType_RRX) ∧ ¬(m0.SRType_ROR = m0.SRType_RRX)
⊦ ∀f0 f1 f2 f3 f4 f5 f6.
∃fn.
(∀a. fn (m0.ExternalInterrupt a) = f0 a) ∧ fn m0.HardFault = f1 ∧
fn m0.NMI = f2 ∧ fn m0.PendSV = f3 ∧ fn m0.Reset = f4 ∧
fn m0.SVCall = f5 ∧ fn m0.SysTick = f6
⊦ ∀_.
m0.ExceptionActiveBitCount _ =
λstate.
bool.LET (pair.UNCURRY (λr s1. (r, snd s1)))
(bool.LET (λs. (fst s, s))
(snd
(state_transformer.FOR
(0, 63,
(λi state.
((),
(if m0.m0_state_ExceptionActive (snd state)
(words.n2w i)
then (fst state + 1, snd state)
else state)))) (0, state))))
⊦ ∀P.
(∀a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16.
P
(m0.recordtype.m0_state a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12
a13 a14 a15 a16)) ⇒ ∀x. P x
⊦ ∀f0 f1 f2 f3 f4.
∃fn.
(∀a. fn (m0.Push a) = f0 a) ∧ (∀a. fn (m0.StoreByte a) = f1 a) ∧
(∀a. fn (m0.StoreHalf a) = f2 a) ∧
(∀a. fn (m0.StoreMultiple a) = f3 a) ∧ ∀a. fn (m0.StoreWord a) = f4 a
⊦ ∀f0 f1 f2 f3 f4.
∃fn.
(∀a. fn (m0.ByteReverse a) = f0 a) ∧
(∀a. fn (m0.ByteReversePackedHalfword a) = f1 a) ∧
(∀a. fn (m0.ByteReverseSignedHalfword a) = f2 a) ∧
(∀a. fn (m0.ExtendByte a) = f3 a) ∧
∀a. fn (m0.ExtendHalfword a) = f4 a
⊦ ∀f0 f1 f2 f3 f4.
∃fn.
(∀a. fn (m0.LoadByte a) = f0 a) ∧ (∀a. fn (m0.LoadHalf a) = f1 a) ∧
(∀a. fn (m0.LoadLiteral a) = f2 a) ∧
(∀a. fn (m0.LoadMultiple a) = f3 a) ∧ ∀a. fn (m0.LoadWord a) = f4 a
⊦ ∀value address size.
m0.write'MemA (value, address, size) =
λstate.
if ¬m0.Aligned (address, size) then m0.Raise m0.HardFault state
else
bool.LET (pair.UNCURRY (λv s. m0.write'mem v s))
(bool.LET (pair.UNCURRY (λv s. ((v, address, size), s)))
(if m0.AIRCR_ENDIANNESS (m0.m0_state_AIRCR state) then
m0.BigEndianReverse (bitstring.w2v value, size) state
else (bitstring.w2v value, state)))
⊦ ∀n.
m0.R n =
λstate.
if n = words.n2w 15 then
words.word_add (m0.m0_state_REG state m0.RName_PC)
(words.n2w (arithmetic.BIT2 1))
else if n =
words.n2w
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then m0.m0_state_REG state m0.RName_LR
else if n = words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then m0.m0_state_REG state (m0.LookUpSP () state)
else m0.m0_state_REG state (m0.num2RName (words.w2n n))
⊦ (∀a a'.
m0.ChangeProcessorState a = m0.ChangeProcessorState a' ⇔ a ⇔ a') ∧
(∀a a'.
m0.MoveToRegisterFromSpecial a = m0.MoveToRegisterFromSpecial a' ⇔
a = a') ∧
(∀a a'.
m0.MoveToSpecialRegister a = m0.MoveToSpecialRegister a' ⇔ a = a') ∧
∀a a'. m0.SupervisorCall a = m0.SupervisorCall a' ⇔ a = a'
⊦ (∀a a'. m0.BranchExchange a = m0.BranchExchange a' ⇔ a = a') ∧
(∀a a'.
m0.BranchLinkExchangeRegister a = m0.BranchLinkExchangeRegister a' ⇔
a = a') ∧
(∀a a'. m0.BranchLinkImmediate a = m0.BranchLinkImmediate a' ⇔ a = a') ∧
∀a a'. m0.BranchTarget a = m0.BranchTarget a' ⇔ a = a'
⊦ ∀x.
m0.rec'SHPR3 x =
m0.recordtype.SHPR3
(words.word_extract (bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 1))) x)
(words.word_extract 31
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))) x)
(words.word_concat
(words.word_extract (bit1 (arithmetic.BIT2 (arithmetic.BIT2 1))) 0
x)
(words.word_extract
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (bit1 (bit1 (arithmetic.BIT2 0)))) x))
⊦ ∀x.
m0.reg'CCR x =
m0.CCR_CASE x
(λSTKALIGN UNALIGN_TRP ccr'rst.
words.word_concat
(words.word_extract (bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))
0 ccr'rst)
(words.word_concat (bitstring.v2w (STKALIGN :: []))
(words.word_concat
(words.word_extract
(arithmetic.BIT2
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 1)))
ccr'rst)
(words.word_concat (bitstring.v2w (UNALIGN_TRP :: []))
(words.word_extract
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))
(bit1 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))))
ccr'rst)))))
⊦ ∀x.
(∃c. x = m0.Breakpoint c) ∨ (∃c. x = m0.DataMemoryBarrier c) ∨
(∃c. x = m0.DataSynchronizationBarrier c) ∨
(∃c. x = m0.InstructionSynchronizationBarrier c) ∨
(∃o'. x = m0.SendEvent o') ∨ (∃o'. x = m0.WaitForEvent o') ∨
(∃o'. x = m0.WaitForInterrupt o') ∨ ∃o'. x = m0.Yield o'
⊦ ∀value typ amount carry_in.
m0.Shift_C (value, typ, amount, carry_in) =
λstate.
if amount = 0 then ((value, carry_in), state)
else
m0.SRType_CASE typ (m0.LSL_C (value, amount) state)
(m0.LSR_C (value, amount) state) (m0.ASR_C (value, amount) state)
(m0.ROR_C (value, amount) state)
(m0.RRX_C (value, carry_in), state)
⊦ ∀x y carry_in.
m0.AddWithCarry (x, y, carry_in) =
bool.LET
(λunsigned_sum.
bool.LET
(λresult.
(result, ¬(words.w2n result = unsigned_sum),
¬(integer_word.w2i result =
integer.int_add
(integer.int_add (integer_word.w2i x)
(integer_word.w2i y))
(if carry_in then integer.int_of_num 1
else integer.int_of_num 0))))
(words.n2w unsigned_sum))
(words.w2n x + words.w2n y + if carry_in then 1 else 0)
⊦ ∀x.
m0.reg'PSR x =
m0.PSR_CASE x
(λC_1 ExceptionNumber N T_1 V Z psr'rst.
words.word_concat (bitstring.v2w (N :: []))
(words.word_concat (bitstring.v2w (Z :: []))
(words.word_concat (bitstring.v2w (C_1 :: []))
(words.word_concat (bitstring.v2w (V :: []))
(words.word_concat
(words.word_extract (arithmetic.BIT2 0) 0 psr'rst)
(words.word_concat (bitstring.v2w (T_1 :: []))
(words.word_concat
(words.word_extract
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 1))) 3 psr'rst)
ExceptionNumber)))))))
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2 a3 a4 a5 a6.
M' = m0.recordtype.PSR a0 a1 a2 a3 a4 a5 a6 ⇒
f a0 a1 a2 a3 a4 a5 a6 = f' a0 a1 a2 a3 a4 a5 a6) ⇒
m0.PSR_CASE M f = m0.PSR_CASE M' f'
⊦ ∀M M' f v f1.
M = M' ∧ (∀a. M' = m0.ASSERT a ⇒ f a = f' a) ∧
(M' = m0.NoException ⇒ v = v') ∧
(∀a. M' = m0.UNPREDICTABLE a ⇒ f1 a = f1' a) ⇒
m0.exception_CASE M f v f1 = m0.exception_CASE M' f' v' f1'
⊦ ∀P.
P m0.RName_0 ∧ P m0.RName_1 ∧ P m0.RName_10 ∧ P m0.RName_11 ∧
P m0.RName_12 ∧ P m0.RName_2 ∧ P m0.RName_3 ∧ P m0.RName_4 ∧
P m0.RName_5 ∧ P m0.RName_6 ∧ P m0.RName_7 ∧ P m0.RName_8 ∧
P m0.RName_9 ∧ P m0.RName_LR ∧ P m0.RName_PC ∧ P m0.RName_SP_main ∧
P m0.RName_SP_process ⇒ ∀a. P a
⊦ (∀f b b0 b1.
m0.CONTROL_SPSEL_fupd f (m0.recordtype.CONTROL b b0 b1) =
m0.recordtype.CONTROL (f b) b0 b1) ∧
(∀f b b0 b1.
m0.CONTROL_control'rst_fupd f (m0.recordtype.CONTROL b b0 b1) =
m0.recordtype.CONTROL b (f b0) b1) ∧
∀f b b0 b1.
m0.CONTROL_nPRIV_fupd f (m0.recordtype.CONTROL b b0 b1) =
m0.recordtype.CONTROL b b0 (f b1)
⊦ (∀f b b0 c.
m0.CCR_STKALIGN_fupd f (m0.recordtype.CCR b b0 c) =
m0.recordtype.CCR (f b) b0 c) ∧
(∀f b b0 c.
m0.CCR_UNALIGN_TRP_fupd f (m0.recordtype.CCR b b0 c) =
m0.recordtype.CCR b (f b0) c) ∧
∀f b b0 c.
m0.CCR_ccr'rst_fupd f (m0.recordtype.CCR b b0 c) =
m0.recordtype.CCR b b0 (f c)
⊦ (∀f c c0 c1.
m0.SHPR3_PRI_14_fupd f (m0.recordtype.SHPR3 c c0 c1) =
m0.recordtype.SHPR3 (f c) c0 c1) ∧
(∀f c c0 c1.
m0.SHPR3_PRI_15_fupd f (m0.recordtype.SHPR3 c c0 c1) =
m0.recordtype.SHPR3 c (f c0) c1) ∧
∀f c c0 c1.
m0.SHPR3_shpr3'rst_fupd f (m0.recordtype.SHPR3 c c0 c1) =
m0.recordtype.SHPR3 c c0 (f c1)
⊦ ∀P b3 c0 b2 b1 b0 b c.
m0.PSR_C_fupd (const b3)
(m0.PSR_ExceptionNumber_fupd (const c0)
(m0.PSR_N_fupd (const b2)
(m0.PSR_T_fupd (const b1)
(m0.PSR_V_fupd (const b0)
(m0.PSR_Z_fupd (const b)
(m0.PSR_psr'rst_fupd (const c) P)))))) =
m0.PSR_C_fupd (const b3)
(m0.PSR_ExceptionNumber_fupd (const c0)
(m0.PSR_N_fupd (const b2)
(m0.PSR_T_fupd (const b1)
(m0.PSR_V_fupd (const b0)
(m0.PSR_Z_fupd (const b)
(m0.PSR_psr'rst_fupd (const c) bool.ARB))))))
⊦ ∀x.
m0.reg'IPR x =
m0.IPR_CASE x
(λPRI_N0 PRI_N1 PRI_N2 PRI_N3 ipr'rst.
words.word_concat PRI_N3
(words.word_concat
(words.word_extract (bit1 (arithmetic.BIT2 0)) 0 ipr'rst)
(words.word_concat PRI_N2
(words.word_concat
(words.word_extract (bit1 (bit1 (arithmetic.BIT2 0)))
(arithmetic.BIT2 (arithmetic.BIT2 0)) ipr'rst)
(words.word_concat PRI_N1
(words.word_concat
(words.word_extract (bit1 (arithmetic.BIT2 3))
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))
ipr'rst)
(words.word_concat PRI_N0
(words.word_extract
(bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (arithmetic.BIT2 3))
ipr'rst))))))))
⊦ (∀a' a. ¬(m0.BranchExchange a = m0.BranchLinkExchangeRegister a')) ∧
(∀a' a. ¬(m0.BranchExchange a = m0.BranchLinkImmediate a')) ∧
(∀a' a. ¬(m0.BranchExchange a = m0.BranchTarget a')) ∧
(∀a' a. ¬(m0.BranchLinkExchangeRegister a = m0.BranchLinkImmediate a')) ∧
(∀a' a. ¬(m0.BranchLinkExchangeRegister a = m0.BranchTarget a')) ∧
∀a' a. ¬(m0.BranchLinkImmediate a = m0.BranchTarget a')
⊦ (∀a' a. ¬(m0.ChangeProcessorState a = m0.MoveToRegisterFromSpecial a')) ∧
(∀a' a. ¬(m0.ChangeProcessorState a = m0.MoveToSpecialRegister a')) ∧
(∀a' a. ¬(m0.ChangeProcessorState a = m0.SupervisorCall a')) ∧
(∀a' a.
¬(m0.MoveToRegisterFromSpecial a = m0.MoveToSpecialRegister a')) ∧
(∀a' a. ¬(m0.MoveToRegisterFromSpecial a = m0.SupervisorCall a')) ∧
∀a' a. ¬(m0.MoveToSpecialRegister a = m0.SupervisorCall a')
⊦ ∀P.
(∀a. P (m0.Branch a)) ∧ (∀a. P (m0.Data a)) ∧ (∀a. P (m0.Hint a)) ∧
(∀a. P (m0.Load a)) ∧ (∀a. P (m0.Media a)) ∧ (∀a. P (m0.Multiply a)) ∧
(∀a. P (m0.NoOperation a)) ∧ (∀a. P (m0.Store a)) ∧
(∀a. P (m0.System a)) ∧ (∀a. P (m0.Undefined a)) ⇒ ∀x. P x
⊦ ∀t n m.
m0.dfn'StoreWord (t, n, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 0)) s)
(m0.IncPC ()
(m0.write'MemU
(m0.R t s, words.word_add (m0.R n s) v,
arithmetic.BIT2 1) s))))
(m0.offset_CASE m (λimm32. (imm32, state))
(λm.
m0.Shift
(m0.R m state, m0.SRType_LSL, 0,
m0.PSR_C (m0.m0_state_PSR state)) state))
⊦ ∀d n shift_t m.
m0.dfn'ShiftRegister (d, n, shift_t, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λshifted carry.
m0.DataProcessing
(words.n2w
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))), ⊤,
d, bool.ARB, shifted, carry) s)) v))
(m0.Shift_C
(m0.R n state, shift_t,
words.w2n (words.word_extract 7 0 (m0.R m state)),
m0.PSR_C (m0.m0_state_PSR state)) state)
⊦ ∀address.
m0.BXWritePC address =
λstate.
if m0.m0_state_CurrentMode state = m0.Mode_Handler ∧
words.word_extract 31
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))))
address = words.n2w 15
then
m0.ExceptionReturn
(words.word_extract
(bit1 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))) 0 address)
state
else
m0.BranchTo
(words.word_concat (words.word_extract 31 1 address)
(words.n2w 0))
(if ¬words.word_bit 0 address then m0.Raise m0.HardFault state
else state)
⊦ (∀a a'. m0.Push a = m0.Push a' ⇔ a = a') ∧
(∀a a'. m0.StoreByte a = m0.StoreByte a' ⇔ a = a') ∧
(∀a a'. m0.StoreHalf a = m0.StoreHalf a' ⇔ a = a') ∧
(∀a a'. m0.StoreMultiple a = m0.StoreMultiple a' ⇔ a = a') ∧
∀a a'. m0.StoreWord a = m0.StoreWord a' ⇔ a = a'
⊦ (∀a a'. m0.ByteReverse a = m0.ByteReverse a' ⇔ a = a') ∧
(∀a a'.
m0.ByteReversePackedHalfword a = m0.ByteReversePackedHalfword a' ⇔
a = a') ∧
(∀a a'.
m0.ByteReverseSignedHalfword a = m0.ByteReverseSignedHalfword a' ⇔
a = a') ∧ (∀a a'. m0.ExtendByte a = m0.ExtendByte a' ⇔ a = a') ∧
∀a a'. m0.ExtendHalfword a = m0.ExtendHalfword a' ⇔ a = a'
⊦ (∀a a'. m0.LoadByte a = m0.LoadByte a' ⇔ a = a') ∧
(∀a a'. m0.LoadHalf a = m0.LoadHalf a' ⇔ a = a') ∧
(∀a a'. m0.LoadLiteral a = m0.LoadLiteral a' ⇔ a = a') ∧
(∀a a'. m0.LoadMultiple a = m0.LoadMultiple a' ⇔ a = a') ∧
∀a a'. m0.LoadWord a = m0.LoadWord a' ⇔ a = a'
⊦ ∀t n m.
m0.dfn'LoadWord (t, n, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const
(m0.m0_state_count s + arithmetic.BIT2 0))
s) (m0.IncPC () (m0.write'R (v, t) s))))
(m0.MemU (words.word_add (m0.R n s) v, arithmetic.BIT2 1)
s)))
(m0.offset_CASE m (λimm32. (imm32, state))
(λm.
m0.Shift
(m0.R m state, m0.SRType_LSL, 0,
m0.PSR_C (m0.m0_state_PSR state)) state))
⊦ ∀opc n imm32 C.
m0.DataProcessingPC (opc, n, imm32, C) =
λstate.
bool.LET
(pair.UNCURRY
(λresult.
pair.UNCURRY
(λcarry overflow.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + 3)) s)
(m0.ALUWritePC result state))))
(m0.DataProcessingALU
(opc,
(if opc =
words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then words.n2w 0
else if n = words.n2w 15 then m0.PC state
else m0.R n state), imm32, C))
⊦ ∀x.
(∃B'. x = m0.Branch B') ∨ (∃D. x = m0.Data D) ∨ (∃H. x = m0.Hint H) ∨
(∃L. x = m0.Load L) ∨ (∃M. x = m0.Media M) ∨ (∃M. x = m0.Multiply M) ∨
(∃o'. x = m0.NoOperation o') ∨ (∃S'. x = m0.Store S') ∨
(∃S'. x = m0.System S') ∨ ∃c. x = m0.Undefined c
⊦ ∀t n m.
m0.dfn'StoreByte (t, n, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 0)) s)
(m0.IncPC ()
(m0.write'MemU
(words.word_extract 7 0 (m0.R t s),
words.word_add (m0.R n s) v, 1) s))))
(m0.offset_CASE m (λimm32. (imm32, state))
(λm.
m0.Shift
(m0.R m state, m0.SRType_LSL, 0,
m0.PSR_C (m0.m0_state_PSR state)) state))
⊦ ∀a0 a1 a2 a3 a4 a5 a6 a0' a1' a2' a3' a4' a5' a6'.
m0.recordtype.PSR a0 a1 a2 a3 a4 a5 a6 =
m0.recordtype.PSR a0' a1' a2' a3' a4' a5' a6' ⇔
(a0 ⇔ a0') ∧ a1 = a1' ∧ (a2 ⇔ a2') ∧ (a3 ⇔ a3') ∧ (a4 ⇔ a4') ∧
(a5 ⇔ a5') ∧ a6 = a6'
⊦ ∀a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16 f.
m0.m0_state_CASE
(m0.recordtype.m0_state a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13
a14 a15 a16) f =
f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16
⊦ ∀d n m.
m0.dfn'Multiply32 (d, n, m) =
λstate.
bool.LET
(λv.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(m0.m0_state_PSR_fupd
(const
(m0.PSR_Z_fupd (const (v = words.n2w 0))
(m0.m0_state_PSR s))) s)))
(m0.m0_state_PSR_fupd
(const
(m0.PSR_N_fupd (const (words.word_bit 31 v))
(m0.m0_state_PSR s))) s))
(m0.write'R (v, d) state))
(words.word_mul (m0.R n state) (m0.R m state))
⊦ ((∀g f.
m0.PRIMASK_PM_fupd f ∘ m0.PRIMASK_PM_fupd g =
m0.PRIMASK_PM_fupd (f ∘ g)) ∧
∀h g f.
m0.PRIMASK_PM_fupd f ∘ (m0.PRIMASK_PM_fupd g ∘ h) =
m0.PRIMASK_PM_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.PRIMASK_primask'rst_fupd f ∘ m0.PRIMASK_primask'rst_fupd g =
m0.PRIMASK_primask'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.PRIMASK_primask'rst_fupd f ∘ (m0.PRIMASK_primask'rst_fupd g ∘ h) =
m0.PRIMASK_primask'rst_fupd (f ∘ g) ∘ h
⊦ ((∀g f.
m0.SHPR2_PRI_11_fupd f ∘ m0.SHPR2_PRI_11_fupd g =
m0.SHPR2_PRI_11_fupd (f ∘ g)) ∧
∀h g f.
m0.SHPR2_PRI_11_fupd f ∘ (m0.SHPR2_PRI_11_fupd g ∘ h) =
m0.SHPR2_PRI_11_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.SHPR2_shpr2'rst_fupd f ∘ m0.SHPR2_shpr2'rst_fupd g =
m0.SHPR2_shpr2'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.SHPR2_shpr2'rst_fupd f ∘ (m0.SHPR2_shpr2'rst_fupd g ∘ h) =
m0.SHPR2_shpr2'rst_fupd (f ∘ g) ∘ h
⊦ ∀t n m.
m0.dfn'StoreHalf (t, n, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 0)) s)
(m0.IncPC ()
(m0.write'MemU
(words.word_extract 15 0 (m0.R t s),
words.word_add (m0.R n s) v, arithmetic.BIT2 0)
s))))
(m0.offset_CASE m (λimm32. (imm32, state))
(λm.
m0.Shift
(m0.R m state, m0.SRType_LSL, 0,
m0.PSR_C (m0.m0_state_PSR state)) state))
⊦ ∀f.
∃fn.
∀a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16.
fn
(m0.recordtype.m0_state a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12
a13 a14 a15 a16) =
f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_exception_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n (f3 e) c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_AIRCR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state (f3 A) C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CCR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A (f3 C) C0 M f f0 f1 P P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CONTROL_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C (f3 C0) M f f0 f1 P P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CurrentMode_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 (f3 M) f f0 f1 P P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PRIMASK_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 (f3 P) P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PSR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P (f3 P0) f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR2_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 (f3 S) S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR3_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S (f3 S0) c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_count_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c (f3 n) e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pending_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 (f3 o)
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_NVIC_IPR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 (f3 f1) P P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_ExceptionActive_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M (f3 f) f0 f1 P P0 f2 S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_VTOR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 (f3 c) n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pcinc_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e (f3 c0) o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_REG_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 (f3 f2) S S0 c n e c0 o
⊦ ∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_MEM_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f (f3 f0) f1 P P0 f2 S S0 c n e c0 o
⊦ ∀b11 b01 b1 c01 c1 b12 b02 b2 c02 c2.
m0.AIRCR_ENDIANNESS_fupd (const b11)
(m0.AIRCR_SYSRESETREQ_fupd (const b01)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b1)
(m0.AIRCR_VECTKEY_fupd (const c01)
(m0.AIRCR_aircr'rst_fupd (const c1) bool.ARB)))) =
m0.AIRCR_ENDIANNESS_fupd (const b12)
(m0.AIRCR_SYSRESETREQ_fupd (const b02)
(m0.AIRCR_VECTCLRACTIVE_fupd (const b2)
(m0.AIRCR_VECTKEY_fupd (const c02)
(m0.AIRCR_aircr'rst_fupd (const c2) bool.ARB)))) ⇔
(b11 ⇔ b12) ∧ (b01 ⇔ b02) ∧ (b1 ⇔ b2) ∧ c01 = c02 ∧ c1 = c2
⊦ ∀c31 c21 c11 c01 c1 c32 c22 c12 c02 c2.
m0.IPR_PRI_N0_fupd (const c31)
(m0.IPR_PRI_N1_fupd (const c21)
(m0.IPR_PRI_N2_fupd (const c11)
(m0.IPR_PRI_N3_fupd (const c01)
(m0.IPR_ipr'rst_fupd (const c1) bool.ARB)))) =
m0.IPR_PRI_N0_fupd (const c32)
(m0.IPR_PRI_N1_fupd (const c22)
(m0.IPR_PRI_N2_fupd (const c12)
(m0.IPR_PRI_N3_fupd (const c02)
(m0.IPR_ipr'rst_fupd (const c2) bool.ARB)))) ⇔
c31 = c32 ∧ c21 = c22 ∧ c11 = c12 ∧ c01 = c02 ∧ c1 = c2
⊦ ∀negate setflags d m shift_t shift_n.
m0.dfn'ShiftImmediate (negate, setflags, d, m, shift_t, shift_n) =
λstate.
if negate then
m0.doRegister
(words.n2w 15, setflags, d, words.n2w 15, m, shift_t, shift_n)
state
else
m0.doRegister
(words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))),
setflags, d, bool.ARB, m, shift_t, shift_n) state
⊦ ∀a.
a = m0.RName_0 ∨ a = m0.RName_1 ∨ a = m0.RName_2 ∨ a = m0.RName_3 ∨
a = m0.RName_4 ∨ a = m0.RName_5 ∨ a = m0.RName_6 ∨ a = m0.RName_7 ∨
a = m0.RName_8 ∨ a = m0.RName_9 ∨ a = m0.RName_10 ∨ a = m0.RName_11 ∨
a = m0.RName_12 ∨ a = m0.RName_SP_main ∨ a = m0.RName_SP_process ∨
a = m0.RName_LR ∨ a = m0.RName_PC
⊦ ∀M M' v0 v1 v2 v3 v4.
M = M' ∧ (M' = m0.SRType_LSL ⇒ v0 = v0') ∧
(M' = m0.SRType_LSR ⇒ v1 = v1') ∧ (M' = m0.SRType_ASR ⇒ v2 = v2') ∧
(M' = m0.SRType_ROR ⇒ v3 = v3') ∧ (M' = m0.SRType_RRX ⇒ v4 = v4') ⇒
m0.SRType_CASE M v0 v1 v2 v3 v4 = m0.SRType_CASE M' v0' v1' v2' v3' v4'
⊦ ∀unsigned t n m.
m0.dfn'LoadByte (unsigned, t, n, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const
(m0.m0_state_count s + arithmetic.BIT2 0))
s)
(m0.IncPC ()
(m0.write'R (m0.Extend (unsigned, v), t) s))))
(m0.MemU (words.word_add (m0.R n s) v, 1) s)))
(m0.offset_CASE m (λimm32. (imm32, state))
(λm.
m0.Shift
(m0.R m state, m0.SRType_LSL, 0,
m0.PSR_C (m0.m0_state_PSR state)) state))
⊦ ∀unsigned t n m.
m0.dfn'LoadHalf (unsigned, t, n, m) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
m0.m0_state_count_fupd
(const
(m0.m0_state_count s + arithmetic.BIT2 0))
s)
(m0.IncPC ()
(m0.write'R (m0.Extend (unsigned, v), t) s))))
(m0.MemU (words.word_add (m0.R n s) v, arithmetic.BIT2 0)
s)))
(m0.offset_CASE m (λimm32. (imm32, state))
(λm.
m0.Shift
(m0.R m state, m0.SRType_LSL, 0,
m0.PSR_C (m0.m0_state_PSR state)) state))
⊦ ∀x.
m0.rec'PSR x =
m0.recordtype.PSR
(words.word_bit
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))) x)
(words.word_extract (bit1 (arithmetic.BIT2 0)) 0 x)
(words.word_bit 31 x)
(words.word_bit (arithmetic.BIT2 (bit1 (bit1 (arithmetic.BIT2 0))))
x)
(words.word_bit
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))) x)
(words.word_bit
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))) x)
(words.word_concat
(words.word_extract (bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (arithmetic.BIT2 0)) x)
(words.word_extract
(bit1 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))))
(bit1 (arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))) x))
⊦ ∀f0 f1 f2 f3 f4 f5 f6.
∃fn.
(∀a. fn (m0.ArithLogicImmediate a) = f0 a) ∧
(∀a. fn (m0.CompareImmediate a) = f1 a) ∧
(∀a. fn (m0.Move a) = f2 a) ∧ (∀a. fn (m0.Register a) = f3 a) ∧
(∀a. fn (m0.ShiftImmediate a) = f4 a) ∧
(∀a. fn (m0.ShiftRegister a) = f5 a) ∧
∀a. fn (m0.TestCompareRegister a) = f6 a
⊦ (∀a. m0.Store_size (m0.Push a) = 1) ∧
(∀a.
m0.Store_size (m0.StoreByte a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) m0.offset_size) a) ∧
(∀a.
m0.Store_size (m0.StoreHalf a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) m0.offset_size) a) ∧
(∀a.
m0.Store_size (m0.StoreMultiple a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
∀a.
m0.Store_size (m0.StoreWord a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) m0.offset_size) a
⊦ ∀x shift.
m0.ROR_C (x, shift) =
λstate.
(bool.LET (λresult. (result, words.word_msb result))
(words.word_ror x shift),
(if shift = 0 then
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(bit1 (bit1 (bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(bit1
(bit1 (bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (bit1 (bit1 (arithmetic.BIT2 7))) :: []))
state)
else state))
⊦ (∀a f f1 f2 f3.
m0.System_CASE (m0.ChangeProcessorState a) f f1 f2 f3 = f a) ∧
(∀a f f1 f2 f3.
m0.System_CASE (m0.MoveToRegisterFromSpecial a) f f1 f2 f3 = f1 a) ∧
(∀a f f1 f2 f3.
m0.System_CASE (m0.MoveToSpecialRegister a) f f1 f2 f3 = f2 a) ∧
∀a f f1 f2 f3. m0.System_CASE (m0.SupervisorCall a) f f1 f2 f3 = f3 a
⊦ (∀a f f1 f2 f3. m0.Branch_CASE (m0.BranchExchange a) f f1 f2 f3 = f a) ∧
(∀a f f1 f2 f3.
m0.Branch_CASE (m0.BranchLinkExchangeRegister a) f f1 f2 f3 = f1 a) ∧
(∀a f f1 f2 f3.
m0.Branch_CASE (m0.BranchLinkImmediate a) f f1 f2 f3 = f2 a) ∧
∀a f f1 f2 f3. m0.Branch_CASE (m0.BranchTarget a) f f1 f2 f3 = f3 a
⊦ ∀state.
m0.Fetch state =
bool.LET
(λv.
bool.LET
(pair.UNCURRY
(λv0 s.
if words.word_extract 15
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))) v0 =
words.n2w 7 ∧
¬(words.word_extract
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))
(bit1 (bit1 (arithmetic.BIT2 0))) v0 =
words.n2w 0)
then
bool.LET (pair.UNCURRY (λv1 s. (m0.Thumb2 (v0, v1), s)))
(m0.MemA
(words.word_add v (words.n2w (arithmetic.BIT2 0)),
arithmetic.BIT2 0) s)
else (m0.Thumb v0, s)))
(m0.MemA (v, arithmetic.BIT2 0) state))
(m0.m0_state_REG state m0.RName_PC)
⊦ ∀d m.
m0.dfn'ByteReverse (d, m) =
λstate.
bool.LET
(λv.
bool.LET
(λs.
m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(m0.write'R
(words.word_concat (words.word_extract 7 0 v)
(words.word_concat
(words.word_extract 15 (arithmetic.BIT2 3) v)
(words.word_concat
(words.word_extract
(bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 7) v)
(words.word_extract 31
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))) v))),
d) state))) (m0.R m state)
⊦ ∀d m.
m0.dfn'ByteReversePackedHalfword (d, m) =
λstate.
bool.LET
(λv.
bool.LET
(λs.
m0.m0_state_count_fupd (const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(m0.write'R
(words.word_concat
(words.word_extract
(bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 7) v)
(words.word_concat
(words.word_extract 31
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))) v)
(words.word_concat (words.word_extract 7 0 v)
(words.word_extract 15 (arithmetic.BIT2 3)
v))), d) state))) (m0.R m state)
⊦ (∀a.
m0.Media_size (m0.ByteReverse a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.Media_size (m0.ByteReversePackedHalfword a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.Media_size (m0.ByteReverseSignedHalfword a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.Media_size (m0.ExtendByte a) =
1 +
basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0) (λv. 0)) a) ∧
∀a.
m0.Media_size (m0.ExtendHalfword a) =
1 +
basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0) (λv. 0)) a
⊦ ∀M M' f f1 f2 f3.
M = M' ∧ (∀a. M' = m0.BranchExchange a ⇒ f a = f' a) ∧
(∀a. M' = m0.BranchLinkExchangeRegister a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.BranchLinkImmediate a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.BranchTarget a ⇒ f3 a = f3' a) ⇒
m0.Branch_CASE M f f1 f2 f3 = m0.Branch_CASE M' f' f1' f2' f3'
⊦ ∀M M' f f1 f2 f3.
M = M' ∧ (∀a. M' = m0.ChangeProcessorState a ⇒ f a = f' a) ∧
(∀a. M' = m0.MoveToRegisterFromSpecial a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.MoveToSpecialRegister a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.SupervisorCall a ⇒ f3 a = f3' a) ⇒
m0.System_CASE M f f1 f2 f3 = m0.System_CASE M' f' f1' f2' f3'
⊦ ∀x shift.
m0.ASR_C (x, shift) =
λstate.
((words.word_asr x shift,
words.word_bit
(arithmetic.- (min (words.word_len (words.n2w 0)) shift) 1) x),
(if shift = 0 then
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR (bit1 (arithmetic.BIT2 15)) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(bit1
(bit1 (bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (bit1 (bit1 (arithmetic.BIT2 7))) :: []))
state)
else state))
⊦ (∀a. m0.Hint_size (m0.Breakpoint a) = 1) ∧
(∀a. m0.Hint_size (m0.DataMemoryBarrier a) = 1) ∧
(∀a. m0.Hint_size (m0.DataSynchronizationBarrier a) = 1) ∧
(∀a. m0.Hint_size (m0.InstructionSynchronizationBarrier a) = 1) ∧
(∀a. m0.Hint_size (m0.SendEvent a) = 1 + basicSize.one_size a) ∧
(∀a. m0.Hint_size (m0.WaitForEvent a) = 1 + basicSize.one_size a) ∧
(∀a. m0.Hint_size (m0.WaitForInterrupt a) = 1 + basicSize.one_size a) ∧
∀a. m0.Hint_size (m0.Yield a) = 1 + basicSize.one_size a
⊦ ∀a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16.
m0.m0_state_size
(m0.recordtype.m0_state a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13
a14 a15 a16) =
1 +
(m0.AIRCR_size a0 +
(m0.CCR_size a1 +
(m0.CONTROL_size a2 +
(m0.Mode_size a3 +
(m0.PRIMASK_size a7 +
(m0.PSR_size a8 +
(m0.SHPR2_size a10 +
(m0.SHPR3_size a11 +
(a13 +
(m0.exception_size a14 +
basicSize.option_size m0.ARM_Exception_size a16))))))))))
⊦ ∀x shift.
m0.LSL_C (x, shift) =
λstate.
((words.word_lsl x shift,
bitstring.testbit (words.word_len (words.n2w 0))
(bitstring.w2v x @ bitstring.replicate (⊥ :: []) shift)),
(if shift = 0 then
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 3)))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 3)))) ::
string.CHR
(bit1
(bit1 (bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (bit1 (bit1 (arithmetic.BIT2 7))) :: []))
state)
else state))
⊦ ∀x shift.
m0.LSR_C (x, shift) =
λstate.
((words.word_lsr x shift,
shift ≤ words.word_len (words.n2w 0) ∧
words.word_bit (arithmetic.- shift 1) x),
(if shift = 0 then
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 3)))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(bit1
(bit1 (bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (bit1 (bit1 (arithmetic.BIT2 7))) :: []))
state)
else state))
⊦ ∀f0 f1 f2 f3 f4 f5 f6 f7.
∃fn.
(∀a. fn (m0.Breakpoint a) = f0 a) ∧
(∀a. fn (m0.DataMemoryBarrier a) = f1 a) ∧
(∀a. fn (m0.DataSynchronizationBarrier a) = f2 a) ∧
(∀a. fn (m0.InstructionSynchronizationBarrier a) = f3 a) ∧
(∀a. fn (m0.SendEvent a) = f4 a) ∧
(∀a. fn (m0.WaitForEvent a) = f5 a) ∧
(∀a. fn (m0.WaitForInterrupt a) = f6 a) ∧ ∀a. fn (m0.Yield a) = f7 a
⊦ ∀m.
∃A C0 C M f2 f1 f0 P0 P f S0 S c0 n e c o.
m =
m0.m0_state_AIRCR_fupd (const A)
(m0.m0_state_CCR_fupd (const C0)
(m0.m0_state_CONTROL_fupd (const C)
(m0.m0_state_CurrentMode_fupd (const M)
(m0.m0_state_ExceptionActive_fupd (const f2)
(m0.m0_state_MEM_fupd (const f1)
(m0.m0_state_NVIC_IPR_fupd (const f0)
(m0.m0_state_PRIMASK_fupd (const P0)
(m0.m0_state_PSR_fupd (const P)
(m0.m0_state_REG_fupd (const f)
(m0.m0_state_SHPR2_fupd (const S0)
(m0.m0_state_SHPR3_fupd (const S)
(m0.m0_state_VTOR_fupd (const c0)
(m0.m0_state_count_fupd
(const n)
(m0.m0_state_exception_fupd
(const e)
(m0.m0_state_pcinc_fupd
(const c)
(m0.m0_state_pending_fupd
(const o)
bool.ARB))))))))))))))))
⊦ (∀g f A.
m0.AIRCR_ENDIANNESS_fupd f (m0.AIRCR_ENDIANNESS_fupd g A) =
m0.AIRCR_ENDIANNESS_fupd (f ∘ g) A) ∧
(∀g f A.
m0.AIRCR_SYSRESETREQ_fupd f (m0.AIRCR_SYSRESETREQ_fupd g A) =
m0.AIRCR_SYSRESETREQ_fupd (f ∘ g) A) ∧
(∀g f A.
m0.AIRCR_VECTCLRACTIVE_fupd f (m0.AIRCR_VECTCLRACTIVE_fupd g A) =
m0.AIRCR_VECTCLRACTIVE_fupd (f ∘ g) A) ∧
(∀g f A.
m0.AIRCR_VECTKEY_fupd f (m0.AIRCR_VECTKEY_fupd g A) =
m0.AIRCR_VECTKEY_fupd (f ∘ g) A) ∧
∀g f A.
m0.AIRCR_aircr'rst_fupd f (m0.AIRCR_aircr'rst_fupd g A) =
m0.AIRCR_aircr'rst_fupd (f ∘ g) A
⊦ (∀g f I.
m0.IPR_PRI_N0_fupd f (m0.IPR_PRI_N0_fupd g I) =
m0.IPR_PRI_N0_fupd (f ∘ g) I) ∧
(∀g f I.
m0.IPR_PRI_N1_fupd f (m0.IPR_PRI_N1_fupd g I) =
m0.IPR_PRI_N1_fupd (f ∘ g) I) ∧
(∀g f I.
m0.IPR_PRI_N2_fupd f (m0.IPR_PRI_N2_fupd g I) =
m0.IPR_PRI_N2_fupd (f ∘ g) I) ∧
(∀g f I.
m0.IPR_PRI_N3_fupd f (m0.IPR_PRI_N3_fupd g I) =
m0.IPR_PRI_N3_fupd (f ∘ g) I) ∧
∀g f I.
m0.IPR_ipr'rst_fupd f (m0.IPR_ipr'rst_fupd g I) =
m0.IPR_ipr'rst_fupd (f ∘ g) I
⊦ ∀typ imm5.
m0.DecodeImmShift (typ, imm5) =
bool.literal_case
(λv.
if v = words.n2w 0 then (m0.SRType_LSL, words.w2n imm5)
else if v = words.n2w 1 then
(m0.SRType_LSR,
(if imm5 = words.n2w 0 then arithmetic.BIT2 15
else words.w2n imm5))
else if v = words.n2w (arithmetic.BIT2 0) then
(m0.SRType_ASR,
(if imm5 = words.n2w 0 then arithmetic.BIT2 15
else words.w2n imm5))
else if v = words.n2w 3 then
if imm5 = words.n2w 0 then (m0.SRType_RRX, 1)
else (m0.SRType_ROR, words.w2n imm5)
else bool.ARB) typ
⊦ (∀a.
m0.Load_size (m0.LoadByte a) =
1 +
basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) m0.offset_size)) a) ∧
(∀a.
m0.Load_size (m0.LoadHalf a) =
1 +
basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) m0.offset_size)) a) ∧
(∀a.
m0.Load_size (m0.LoadLiteral a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.Load_size (m0.LoadMultiple a) =
1 +
basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0) (λv. 0)) a) ∧
∀a.
m0.Load_size (m0.LoadWord a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) m0.offset_size) a
⊦ ∀P1.
(∀m. P1 m) ⇔
∀A C0 C M f2 f1 f0 P0 P f S0 S c0 n e c o.
P1
(m0.m0_state_AIRCR_fupd (const A)
(m0.m0_state_CCR_fupd (const C0)
(m0.m0_state_CONTROL_fupd (const C)
(m0.m0_state_CurrentMode_fupd (const M)
(m0.m0_state_ExceptionActive_fupd (const f2)
(m0.m0_state_MEM_fupd (const f1)
(m0.m0_state_NVIC_IPR_fupd (const f0)
(m0.m0_state_PRIMASK_fupd (const P0)
(m0.m0_state_PSR_fupd (const P)
(m0.m0_state_REG_fupd (const f)
(m0.m0_state_SHPR2_fupd (const S0)
(m0.m0_state_SHPR3_fupd (const S)
(m0.m0_state_VTOR_fupd
(const c0)
(m0.m0_state_count_fupd
(const n)
(m0.m0_state_exception_fupd
(const e)
(m0.m0_state_pcinc_fupd
(const c)
(m0.m0_state_pending_fupd
(const o)
bool.ARB)))))))))))))))))
⊦ ∀P1.
(∃m. P1 m) ⇔
∃A C0 C M f2 f1 f0 P0 P f S0 S c0 n e c o.
P1
(m0.m0_state_AIRCR_fupd (const A)
(m0.m0_state_CCR_fupd (const C0)
(m0.m0_state_CONTROL_fupd (const C)
(m0.m0_state_CurrentMode_fupd (const M)
(m0.m0_state_ExceptionActive_fupd (const f2)
(m0.m0_state_MEM_fupd (const f1)
(m0.m0_state_NVIC_IPR_fupd (const f0)
(m0.m0_state_PRIMASK_fupd (const P0)
(m0.m0_state_PSR_fupd (const P)
(m0.m0_state_REG_fupd (const f)
(m0.m0_state_SHPR2_fupd (const S0)
(m0.m0_state_SHPR3_fupd (const S)
(m0.m0_state_VTOR_fupd
(const c0)
(m0.m0_state_count_fupd
(const n)
(m0.m0_state_exception_fupd
(const e)
(m0.m0_state_pcinc_fupd
(const c)
(m0.m0_state_pending_fupd
(const o)
bool.ARB)))))))))))))))))
⊦ ∀opc setflags d n m shift_t shift_n.
m0.doRegister (opc, setflags, d, n, m, shift_t, shift_n) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λshifted carry.
bool.LET
(λv.
if d = words.n2w 15 then
m0.DataProcessingPC (opc, n, shifted, v) s
else
m0.DataProcessing
(opc, setflags, d, n, shifted, v) s)
(if m0.ArithmeticOpcode opc then
m0.PSR_C (m0.m0_state_PSR s)
else carry))) v))
(m0.Shift_C
(m0.R m state, shift_t, shift_n,
m0.PSR_C (m0.m0_state_PSR state)) state)
⊦ ∀ExceptionNumber.
m0.ExceptionTaken ExceptionNumber =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
m0.m0_state_ExceptionActive_fupd
(const
(combin.UPDATE ExceptionNumber ⊤
(m0.m0_state_ExceptionActive s))) s)
(m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_SPSEL_fupd (const ⊥)
(m0.m0_state_CONTROL s))) s))
(m0.m0_state_PSR_fupd
(const
(m0.PSR_ExceptionNumber_fupd
(const ExceptionNumber) (m0.m0_state_PSR s)))
s))
(m0.m0_state_CurrentMode_fupd (const m0.Mode_Handler)
(m0.m0_state_PSR_fupd (const bool.ARB)
(m0.write'PC v s)))))
(m0.MemA
(words.word_add (m0.m0_state_VTOR state)
(words.word_mul (words.n2w (arithmetic.BIT2 1))
(words.w2w ExceptionNumber)), arithmetic.BIT2 1)
(m0.write'R
(bool.ARB,
words.n2w (arithmetic.BIT2 (bit1 (arithmetic.BIT2 0))))
(snd
(state_transformer.FOR
(0, 3,
(λi state.
((), m0.write'R (bool.ARB, words.n2w i) state)))
state))))
⊦ (∀v0 v1 v2 v3 v4. m0.SRType_CASE m0.SRType_LSL v0 v1 v2 v3 v4 = v0) ∧
(∀v0 v1 v2 v3 v4. m0.SRType_CASE m0.SRType_LSR v0 v1 v2 v3 v4 = v1) ∧
(∀v0 v1 v2 v3 v4. m0.SRType_CASE m0.SRType_ASR v0 v1 v2 v3 v4 = v2) ∧
(∀v0 v1 v2 v3 v4. m0.SRType_CASE m0.SRType_ROR v0 v1 v2 v3 v4 = v3) ∧
∀v0 v1 v2 v3 v4. m0.SRType_CASE m0.SRType_RRX v0 v1 v2 v3 v4 = v4
⊦ (∀b b0 b1 c c0.
m0.AIRCR_ENDIANNESS (m0.recordtype.AIRCR b b0 b1 c c0) ⇔ b) ∧
(∀b b0 b1 c c0.
m0.AIRCR_SYSRESETREQ (m0.recordtype.AIRCR b b0 b1 c c0) ⇔ b0) ∧
(∀b b0 b1 c c0.
m0.AIRCR_VECTCLRACTIVE (m0.recordtype.AIRCR b b0 b1 c c0) ⇔ b1) ∧
(∀b b0 b1 c c0.
m0.AIRCR_VECTKEY (m0.recordtype.AIRCR b b0 b1 c c0) = c) ∧
∀b b0 b1 c c0. m0.AIRCR_aircr'rst (m0.recordtype.AIRCR b b0 b1 c c0) = c0
⊦ (∀c c0 c1 c2 c3. m0.IPR_PRI_N0 (m0.recordtype.IPR c c0 c1 c2 c3) = c) ∧
(∀c c0 c1 c2 c3. m0.IPR_PRI_N1 (m0.recordtype.IPR c c0 c1 c2 c3) = c0) ∧
(∀c c0 c1 c2 c3. m0.IPR_PRI_N2 (m0.recordtype.IPR c c0 c1 c2 c3) = c1) ∧
(∀c c0 c1 c2 c3. m0.IPR_PRI_N3 (m0.recordtype.IPR c c0 c1 c2 c3) = c2) ∧
∀c c0 c1 c2 c3. m0.IPR_ipr'rst (m0.recordtype.IPR c c0 c1 c2 c3) = c3
⊦ (∀a a'. m0.ArithLogicImmediate a = m0.ArithLogicImmediate a' ⇔ a = a') ∧
(∀a a'. m0.CompareImmediate a = m0.CompareImmediate a' ⇔ a = a') ∧
(∀a a'. m0.Move a = m0.Move a' ⇔ a = a') ∧
(∀a a'. m0.Register a = m0.Register a' ⇔ a = a') ∧
(∀a a'. m0.ShiftImmediate a = m0.ShiftImmediate a' ⇔ a = a') ∧
(∀a a'. m0.ShiftRegister a = m0.ShiftRegister a' ⇔ a = a') ∧
∀a a'. m0.TestCompareRegister a = m0.TestCompareRegister a' ⇔ a = a'
⊦ ∀b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0.
m0.bitify16
(b15, b14, b13, b12, b11, b10, b9, b8, b7, b6, b5, b4, b3, b2, b1,
b0) =
bitstring.v2w
(b15 :: b14 :: b13 :: b12 :: b11 :: b10 :: b9 :: b8 :: b7 :: b6 ::
b5 :: b4 :: b3 :: b2 :: b1 :: b0 :: [])
⊦ ∀b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0.
m0.boolify16
(bitstring.v2w
(b15 :: b14 :: b13 :: b12 :: b11 :: b10 :: b9 :: b8 :: b7 :: b6 ::
b5 :: b4 :: b3 :: b2 :: b1 :: b0 :: [])) =
(b15, b14, b13, b12, b11, b10, b9, b8, b7, b6, b5, b4, b3, b2, b1, b0)
⊦ ∀M M' f f1 f2 f3 f4.
M = M' ∧ (∀a. M' = m0.LoadByte a ⇒ f a = f' a) ∧
(∀a. M' = m0.LoadHalf a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.LoadLiteral a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.LoadMultiple a ⇒ f3 a = f3' a) ∧
(∀a. M' = m0.LoadWord a ⇒ f4 a = f4' a) ⇒
m0.Load_CASE M f f1 f2 f3 f4 = m0.Load_CASE M' f' f1' f2' f3' f4'
⊦ ∀M M' f f1 f2 f3 f4.
M = M' ∧ (∀a. M' = m0.ByteReverse a ⇒ f a = f' a) ∧
(∀a. M' = m0.ByteReversePackedHalfword a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.ByteReverseSignedHalfword a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.ExtendByte a ⇒ f3 a = f3' a) ∧
(∀a. M' = m0.ExtendHalfword a ⇒ f4 a = f4' a) ⇒
m0.Media_CASE M f f1 f2 f3 f4 = m0.Media_CASE M' f' f1' f2' f3' f4'
⊦ ∀M M' f f1 f2 f3 f4.
M = M' ∧ (∀a. M' = m0.Push a ⇒ f a = f' a) ∧
(∀a. M' = m0.StoreByte a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.StoreHalf a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.StoreMultiple a ⇒ f3 a = f3' a) ∧
(∀a. M' = m0.StoreWord a ⇒ f4 a = f4' a) ⇒
m0.Store_CASE M f f1 f2 f3 f4 = m0.Store_CASE M' f' f1' f2' f3' f4'
⊦ ∀x.
m0.rec'IPR x =
m0.recordtype.IPR
(words.word_extract 7 (arithmetic.BIT2 (arithmetic.BIT2 0)) x)
(words.word_extract 15
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))) x)
(words.word_extract (bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 1))) x)
(words.word_extract 31
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))) x)
(words.word_concat
(words.word_extract (bit1 (arithmetic.BIT2 0)) 0 x)
(words.word_concat
(words.word_extract
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))
(arithmetic.BIT2 3) x)
(words.word_concat
(words.word_extract
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))
(arithmetic.BIT2 7) x)
(words.word_extract
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))
(arithmetic.BIT2 (bit1 (bit1 (arithmetic.BIT2 0)))) x))))
⊦ ∀b31 c01 b21 b11 b01 b1 c1 b32 c02 b22 b12 b02 b2 c2.
m0.PSR_C_fupd (const b31)
(m0.PSR_ExceptionNumber_fupd (const c01)
(m0.PSR_N_fupd (const b21)
(m0.PSR_T_fupd (const b11)
(m0.PSR_V_fupd (const b01)
(m0.PSR_Z_fupd (const b1)
(m0.PSR_psr'rst_fupd (const c1) bool.ARB)))))) =
m0.PSR_C_fupd (const b32)
(m0.PSR_ExceptionNumber_fupd (const c02)
(m0.PSR_N_fupd (const b22)
(m0.PSR_T_fupd (const b12)
(m0.PSR_V_fupd (const b02)
(m0.PSR_Z_fupd (const b2)
(m0.PSR_psr'rst_fupd (const c2) bool.ARB)))))) ⇔
(b31 ⇔ b32) ∧ c01 = c02 ∧ (b21 ⇔ b22) ∧ (b11 ⇔ b12) ∧ (b01 ⇔ b02) ∧
(b1 ⇔ b2) ∧ c1 = c2
⊦ ∀registers.
m0.dfn'Push registers =
λstate.
bool.LET
(λv.
bool.LET
(λbitcount.
bool.LET
(λlength.
bool.LET
(λs1.
m0.m0_state_count_fupd
(const (m0.m0_state_count s1 + bitcount + 1))
s1)
(m0.IncPC ()
(m0.write'SP (words.word_sub v length)
(snd
(snd
(state_transformer.FOR
(0, arithmetic.BIT2 3,
(λi state.
((),
(if words.word_bit i registers
then
(words.word_add (fst state)
(words.n2w
(arithmetic.BIT2 1)),
m0.write'MemA
((if i = arithmetic.BIT2 3
then m0.LR (snd state)
else
m0.R (words.n2w i)
(snd state)),
fst state,
arithmetic.BIT2 1)
(snd state))
else state))))
(words.word_sub v length,
state)))))))
(words.word_mul (words.n2w (arithmetic.BIT2 1))
(words.n2w bitcount))) (m0.BitCount registers))
(m0.SP state)
⊦ ∀M M' f v v1 v2 v3 v4 v5.
M = M' ∧ (∀a. M' = m0.ExternalInterrupt a ⇒ f a = f' a) ∧
(M' = m0.HardFault ⇒ v = v') ∧ (M' = m0.NMI ⇒ v1 = v1') ∧
(M' = m0.PendSV ⇒ v2 = v2') ∧ (M' = m0.Reset ⇒ v3 = v3') ∧
(M' = m0.SVCall ⇒ v4 = v4') ∧ (M' = m0.SysTick ⇒ v5 = v5') ⇒
m0.ARM_Exception_CASE M f v v1 v2 v3 v4 v5 =
m0.ARM_Exception_CASE M' f' v' v1' v2' v3' v4' v5'
⊦ (∀a' a. ¬(m0.ByteReverse a = m0.ByteReversePackedHalfword a')) ∧
(∀a' a. ¬(m0.ByteReverse a = m0.ByteReverseSignedHalfword a')) ∧
(∀a' a. ¬(m0.ByteReverse a = m0.ExtendByte a')) ∧
(∀a' a. ¬(m0.ByteReverse a = m0.ExtendHalfword a')) ∧
(∀a' a.
¬(m0.ByteReversePackedHalfword a = m0.ByteReverseSignedHalfword a')) ∧
(∀a' a. ¬(m0.ByteReversePackedHalfword a = m0.ExtendByte a')) ∧
(∀a' a. ¬(m0.ByteReversePackedHalfword a = m0.ExtendHalfword a')) ∧
(∀a' a. ¬(m0.ByteReverseSignedHalfword a = m0.ExtendByte a')) ∧
(∀a' a. ¬(m0.ByteReverseSignedHalfword a = m0.ExtendHalfword a')) ∧
∀a' a. ¬(m0.ExtendByte a = m0.ExtendHalfword a')
⊦ (∀a' a. ¬(m0.Push a = m0.StoreByte a')) ∧
(∀a' a. ¬(m0.Push a = m0.StoreHalf a')) ∧
(∀a' a. ¬(m0.Push a = m0.StoreMultiple a')) ∧
(∀a' a. ¬(m0.Push a = m0.StoreWord a')) ∧
(∀a' a. ¬(m0.StoreByte a = m0.StoreHalf a')) ∧
(∀a' a. ¬(m0.StoreByte a = m0.StoreMultiple a')) ∧
(∀a' a. ¬(m0.StoreByte a = m0.StoreWord a')) ∧
(∀a' a. ¬(m0.StoreHalf a = m0.StoreMultiple a')) ∧
(∀a' a. ¬(m0.StoreHalf a = m0.StoreWord a')) ∧
∀a' a. ¬(m0.StoreMultiple a = m0.StoreWord a')
⊦ (∀a' a. ¬(m0.LoadByte a = m0.LoadHalf a')) ∧
(∀a' a. ¬(m0.LoadByte a = m0.LoadLiteral a')) ∧
(∀a' a. ¬(m0.LoadByte a = m0.LoadMultiple a')) ∧
(∀a' a. ¬(m0.LoadByte a = m0.LoadWord a')) ∧
(∀a' a. ¬(m0.LoadHalf a = m0.LoadLiteral a')) ∧
(∀a' a. ¬(m0.LoadHalf a = m0.LoadMultiple a')) ∧
(∀a' a. ¬(m0.LoadHalf a = m0.LoadWord a')) ∧
(∀a' a. ¬(m0.LoadLiteral a = m0.LoadMultiple a')) ∧
(∀a' a. ¬(m0.LoadLiteral a = m0.LoadWord a')) ∧
∀a' a. ¬(m0.LoadMultiple a = m0.LoadWord a')
⊦ ((∀g f.
m0.CCR_STKALIGN_fupd f ∘ m0.CCR_STKALIGN_fupd g =
m0.CCR_STKALIGN_fupd (f ∘ g)) ∧
∀h g f.
m0.CCR_STKALIGN_fupd f ∘ (m0.CCR_STKALIGN_fupd g ∘ h) =
m0.CCR_STKALIGN_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.CCR_UNALIGN_TRP_fupd f ∘ m0.CCR_UNALIGN_TRP_fupd g =
m0.CCR_UNALIGN_TRP_fupd (f ∘ g)) ∧
∀h g f.
m0.CCR_UNALIGN_TRP_fupd f ∘ (m0.CCR_UNALIGN_TRP_fupd g ∘ h) =
m0.CCR_UNALIGN_TRP_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.CCR_ccr'rst_fupd f ∘ m0.CCR_ccr'rst_fupd g =
m0.CCR_ccr'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.CCR_ccr'rst_fupd f ∘ (m0.CCR_ccr'rst_fupd g ∘ h) =
m0.CCR_ccr'rst_fupd (f ∘ g) ∘ h
⊦ ((∀g f.
m0.CONTROL_SPSEL_fupd f ∘ m0.CONTROL_SPSEL_fupd g =
m0.CONTROL_SPSEL_fupd (f ∘ g)) ∧
∀h g f.
m0.CONTROL_SPSEL_fupd f ∘ (m0.CONTROL_SPSEL_fupd g ∘ h) =
m0.CONTROL_SPSEL_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.CONTROL_control'rst_fupd f ∘ m0.CONTROL_control'rst_fupd g =
m0.CONTROL_control'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.CONTROL_control'rst_fupd f ∘ (m0.CONTROL_control'rst_fupd g ∘ h) =
m0.CONTROL_control'rst_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.CONTROL_nPRIV_fupd f ∘ m0.CONTROL_nPRIV_fupd g =
m0.CONTROL_nPRIV_fupd (f ∘ g)) ∧
∀h g f.
m0.CONTROL_nPRIV_fupd f ∘ (m0.CONTROL_nPRIV_fupd g ∘ h) =
m0.CONTROL_nPRIV_fupd (f ∘ g) ∘ h
⊦ ((∀g f.
m0.SHPR3_PRI_14_fupd f ∘ m0.SHPR3_PRI_14_fupd g =
m0.SHPR3_PRI_14_fupd (f ∘ g)) ∧
∀h g f.
m0.SHPR3_PRI_14_fupd f ∘ (m0.SHPR3_PRI_14_fupd g ∘ h) =
m0.SHPR3_PRI_14_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.SHPR3_PRI_15_fupd f ∘ m0.SHPR3_PRI_15_fupd g =
m0.SHPR3_PRI_15_fupd (f ∘ g)) ∧
∀h g f.
m0.SHPR3_PRI_15_fupd f ∘ (m0.SHPR3_PRI_15_fupd g ∘ h) =
m0.SHPR3_PRI_15_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.SHPR3_shpr3'rst_fupd f ∘ m0.SHPR3_shpr3'rst_fupd g =
m0.SHPR3_shpr3'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.SHPR3_shpr3'rst_fupd f ∘ (m0.SHPR3_shpr3'rst_fupd g ∘ h) =
m0.SHPR3_shpr3'rst_fupd (f ∘ g) ∘ h
⊦ ∀M M' f.
M = M' ∧
(∀a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16.
M' =
m0.recordtype.m0_state a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13
a14 a15 a16 ⇒
f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16 =
f' a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16) ⇒
m0.m0_state_CASE M f = m0.m0_state_CASE M' f'
⊦ ∀f0 f1 f2 f3 f4 f5 f6 f7 f8 f9.
∃fn.
(∀a. fn (m0.Branch a) = f0 a) ∧ (∀a. fn (m0.Data a) = f1 a) ∧
(∀a. fn (m0.Hint a) = f2 a) ∧ (∀a. fn (m0.Load a) = f3 a) ∧
(∀a. fn (m0.Media a) = f4 a) ∧ (∀a. fn (m0.Multiply a) = f5 a) ∧
(∀a. fn (m0.NoOperation a) = f6 a) ∧ (∀a. fn (m0.Store a) = f7 a) ∧
(∀a. fn (m0.System a) = f8 a) ∧ ∀a. fn (m0.Undefined a) = f9 a
⊦ (∀f C.
m0.CCR_STKALIGN (m0.CCR_UNALIGN_TRP_fupd f C) ⇔ m0.CCR_STKALIGN C) ∧
(∀f C. m0.CCR_STKALIGN (m0.CCR_ccr'rst_fupd f C) ⇔ m0.CCR_STKALIGN C) ∧
(∀f C.
m0.CCR_UNALIGN_TRP (m0.CCR_STKALIGN_fupd f C) ⇔
m0.CCR_UNALIGN_TRP C) ∧
(∀f C.
m0.CCR_UNALIGN_TRP (m0.CCR_ccr'rst_fupd f C) ⇔ m0.CCR_UNALIGN_TRP C) ∧
(∀f C. m0.CCR_ccr'rst (m0.CCR_STKALIGN_fupd f C) = m0.CCR_ccr'rst C) ∧
(∀f C. m0.CCR_ccr'rst (m0.CCR_UNALIGN_TRP_fupd f C) = m0.CCR_ccr'rst C) ∧
(∀f C.
m0.CCR_STKALIGN (m0.CCR_STKALIGN_fupd f C) ⇔ f (m0.CCR_STKALIGN C)) ∧
(∀f C.
m0.CCR_UNALIGN_TRP (m0.CCR_UNALIGN_TRP_fupd f C) ⇔
f (m0.CCR_UNALIGN_TRP C)) ∧
∀f C. m0.CCR_ccr'rst (m0.CCR_ccr'rst_fupd f C) = f (m0.CCR_ccr'rst C)
⊦ (∀f C.
m0.CONTROL_SPSEL (m0.CONTROL_control'rst_fupd f C) ⇔
m0.CONTROL_SPSEL C) ∧
(∀f C.
m0.CONTROL_SPSEL (m0.CONTROL_nPRIV_fupd f C) ⇔ m0.CONTROL_SPSEL C) ∧
(∀f C.
m0.CONTROL_control'rst (m0.CONTROL_SPSEL_fupd f C) ⇔
m0.CONTROL_control'rst C) ∧
(∀f C.
m0.CONTROL_control'rst (m0.CONTROL_nPRIV_fupd f C) ⇔
m0.CONTROL_control'rst C) ∧
(∀f C.
m0.CONTROL_nPRIV (m0.CONTROL_SPSEL_fupd f C) ⇔ m0.CONTROL_nPRIV C) ∧
(∀f C.
m0.CONTROL_nPRIV (m0.CONTROL_control'rst_fupd f C) ⇔
m0.CONTROL_nPRIV C) ∧
(∀f C.
m0.CONTROL_SPSEL (m0.CONTROL_SPSEL_fupd f C) ⇔
f (m0.CONTROL_SPSEL C)) ∧
(∀f C.
m0.CONTROL_control'rst (m0.CONTROL_control'rst_fupd f C) ⇔
f (m0.CONTROL_control'rst C)) ∧
∀f C.
m0.CONTROL_nPRIV (m0.CONTROL_nPRIV_fupd f C) ⇔ f (m0.CONTROL_nPRIV C)
⊦ (∀f S. m0.SHPR3_PRI_14 (m0.SHPR3_PRI_15_fupd f S) = m0.SHPR3_PRI_14 S) ∧
(∀f S.
m0.SHPR3_PRI_14 (m0.SHPR3_shpr3'rst_fupd f S) = m0.SHPR3_PRI_14 S) ∧
(∀f S. m0.SHPR3_PRI_15 (m0.SHPR3_PRI_14_fupd f S) = m0.SHPR3_PRI_15 S) ∧
(∀f S.
m0.SHPR3_PRI_15 (m0.SHPR3_shpr3'rst_fupd f S) = m0.SHPR3_PRI_15 S) ∧
(∀f S.
m0.SHPR3_shpr3'rst (m0.SHPR3_PRI_14_fupd f S) =
m0.SHPR3_shpr3'rst S) ∧
(∀f S.
m0.SHPR3_shpr3'rst (m0.SHPR3_PRI_15_fupd f S) =
m0.SHPR3_shpr3'rst S) ∧
(∀f S.
m0.SHPR3_PRI_14 (m0.SHPR3_PRI_14_fupd f S) = f (m0.SHPR3_PRI_14 S)) ∧
(∀f S.
m0.SHPR3_PRI_15 (m0.SHPR3_PRI_15_fupd f S) = f (m0.SHPR3_PRI_15 S)) ∧
∀f S.
m0.SHPR3_shpr3'rst (m0.SHPR3_shpr3'rst_fupd f S) =
f (m0.SHPR3_shpr3'rst S)
⊦ (∀a a'. m0.Breakpoint a = m0.Breakpoint a' ⇔ a = a') ∧
(∀a a'. m0.DataMemoryBarrier a = m0.DataMemoryBarrier a' ⇔ a = a') ∧
(∀a a'.
m0.DataSynchronizationBarrier a = m0.DataSynchronizationBarrier a' ⇔
a = a') ∧
(∀a a'.
m0.InstructionSynchronizationBarrier a =
m0.InstructionSynchronizationBarrier a' ⇔ a = a') ∧
(∀a a'. m0.SendEvent a = m0.SendEvent a' ⇔ a = a') ∧
(∀a a'. m0.WaitForEvent a = m0.WaitForEvent a' ⇔ a = a') ∧
(∀a a'. m0.WaitForInterrupt a = m0.WaitForInterrupt a' ⇔ a = a') ∧
∀a a'. m0.Yield a = m0.Yield a' ⇔ a = a'
⊦ (∀a f f1 f2 f3 f4. m0.Store_CASE (m0.Push a) f f1 f2 f3 f4 = f a) ∧
(∀a f f1 f2 f3 f4. m0.Store_CASE (m0.StoreByte a) f f1 f2 f3 f4 = f1 a) ∧
(∀a f f1 f2 f3 f4. m0.Store_CASE (m0.StoreHalf a) f f1 f2 f3 f4 = f2 a) ∧
(∀a f f1 f2 f3 f4.
m0.Store_CASE (m0.StoreMultiple a) f f1 f2 f3 f4 = f3 a) ∧
∀a f f1 f2 f3 f4. m0.Store_CASE (m0.StoreWord a) f f1 f2 f3 f4 = f4 a
⊦ (∀a f f1 f2 f3 f4.
m0.Media_CASE (m0.ByteReverse a) f f1 f2 f3 f4 = f a) ∧
(∀a f f1 f2 f3 f4.
m0.Media_CASE (m0.ByteReversePackedHalfword a) f f1 f2 f3 f4 = f1 a) ∧
(∀a f f1 f2 f3 f4.
m0.Media_CASE (m0.ByteReverseSignedHalfword a) f f1 f2 f3 f4 = f2 a) ∧
(∀a f f1 f2 f3 f4.
m0.Media_CASE (m0.ExtendByte a) f f1 f2 f3 f4 = f3 a) ∧
∀a f f1 f2 f3 f4.
m0.Media_CASE (m0.ExtendHalfword a) f f1 f2 f3 f4 = f4 a
⊦ (∀a f f1 f2 f3 f4. m0.Load_CASE (m0.LoadByte a) f f1 f2 f3 f4 = f a) ∧
(∀a f f1 f2 f3 f4. m0.Load_CASE (m0.LoadHalf a) f f1 f2 f3 f4 = f1 a) ∧
(∀a f f1 f2 f3 f4.
m0.Load_CASE (m0.LoadLiteral a) f f1 f2 f3 f4 = f2 a) ∧
(∀a f f1 f2 f3 f4.
m0.Load_CASE (m0.LoadMultiple a) f f1 f2 f3 f4 = f3 a) ∧
∀a f f1 f2 f3 f4. m0.Load_CASE (m0.LoadWord a) f f1 f2 f3 f4 = f4 a
⊦ ∀n.
m0.boolify16 (words.n2w n) =
bool.LET
(λn1.
bool.LET
(λn2.
bool.LET
(λn3.
bool.LET
(λn4.
bool.LET
(λn5.
bool.LET
(λn6.
bool.LET
(λn7.
bool.LET
(λn8.
bool.LET
(λn9.
bool.LET
(λn10.
bool.LET
(λn11.
bool.LET
(λn12.
bool.LET
(λn13.
bool.LET
(λn14.
bool.LET
(λn15.
(odd
n15,
odd
n14,
odd
n13,
odd
n12,
odd
n11,
odd
n10,
odd
n9,
odd
n8,
odd
n7,
odd
n6,
odd
n5,
odd
n4,
odd
n3,
odd
n2,
odd
n1,
odd
n))
(arithmetic.DIV2
n14))
(arithmetic.DIV2
n13))
(arithmetic.DIV2
n12))
(arithmetic.DIV2
n11))
(arithmetic.DIV2
n10))
(arithmetic.DIV2 n9))
(arithmetic.DIV2 n8))
(arithmetic.DIV2 n7))
(arithmetic.DIV2 n6))
(arithmetic.DIV2 n5)) (arithmetic.DIV2 n4))
(arithmetic.DIV2 n3)) (arithmetic.DIV2 n2))
(arithmetic.DIV2 n1)) (arithmetic.DIV2 n)
⊦ ∀w.
m0.boolify16 w =
(words.word_bit 15 w,
words.word_bit (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))
w, words.word_bit (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))) w,
words.word_bit (arithmetic.BIT2 (bit1 (arithmetic.BIT2 0))) w,
words.word_bit (bit1 (bit1 (arithmetic.BIT2 0))) w,
words.word_bit (arithmetic.BIT2 (arithmetic.BIT2 1)) w,
words.word_bit (bit1 (arithmetic.BIT2 1)) w,
words.word_bit (arithmetic.BIT2 3) w, words.word_bit 7 w,
words.word_bit (arithmetic.BIT2 (arithmetic.BIT2 0)) w,
words.word_bit (bit1 (arithmetic.BIT2 0)) w,
words.word_bit (arithmetic.BIT2 1) w, words.word_bit 3 w,
words.word_bit (arithmetic.BIT2 0) w, words.word_bit 1 w,
words.word_bit 0 w)
⊦ ((∀g f.
m0.CCR_UNALIGN_TRP_fupd f ∘ m0.CCR_STKALIGN_fupd g =
m0.CCR_STKALIGN_fupd g ∘ m0.CCR_UNALIGN_TRP_fupd f) ∧
∀h g f.
m0.CCR_UNALIGN_TRP_fupd f ∘ (m0.CCR_STKALIGN_fupd g ∘ h) =
m0.CCR_STKALIGN_fupd g ∘ (m0.CCR_UNALIGN_TRP_fupd f ∘ h)) ∧
((∀g f.
m0.CCR_ccr'rst_fupd f ∘ m0.CCR_STKALIGN_fupd g =
m0.CCR_STKALIGN_fupd g ∘ m0.CCR_ccr'rst_fupd f) ∧
∀h g f.
m0.CCR_ccr'rst_fupd f ∘ (m0.CCR_STKALIGN_fupd g ∘ h) =
m0.CCR_STKALIGN_fupd g ∘ (m0.CCR_ccr'rst_fupd f ∘ h)) ∧
(∀g f.
m0.CCR_ccr'rst_fupd f ∘ m0.CCR_UNALIGN_TRP_fupd g =
m0.CCR_UNALIGN_TRP_fupd g ∘ m0.CCR_ccr'rst_fupd f) ∧
∀h g f.
m0.CCR_ccr'rst_fupd f ∘ (m0.CCR_UNALIGN_TRP_fupd g ∘ h) =
m0.CCR_UNALIGN_TRP_fupd g ∘ (m0.CCR_ccr'rst_fupd f ∘ h)
⊦ ((∀g f.
m0.CONTROL_control'rst_fupd f ∘ m0.CONTROL_SPSEL_fupd g =
m0.CONTROL_SPSEL_fupd g ∘ m0.CONTROL_control'rst_fupd f) ∧
∀h g f.
m0.CONTROL_control'rst_fupd f ∘ (m0.CONTROL_SPSEL_fupd g ∘ h) =
m0.CONTROL_SPSEL_fupd g ∘ (m0.CONTROL_control'rst_fupd f ∘ h)) ∧
((∀g f.
m0.CONTROL_nPRIV_fupd f ∘ m0.CONTROL_SPSEL_fupd g =
m0.CONTROL_SPSEL_fupd g ∘ m0.CONTROL_nPRIV_fupd f) ∧
∀h g f.
m0.CONTROL_nPRIV_fupd f ∘ (m0.CONTROL_SPSEL_fupd g ∘ h) =
m0.CONTROL_SPSEL_fupd g ∘ (m0.CONTROL_nPRIV_fupd f ∘ h)) ∧
(∀g f.
m0.CONTROL_nPRIV_fupd f ∘ m0.CONTROL_control'rst_fupd g =
m0.CONTROL_control'rst_fupd g ∘ m0.CONTROL_nPRIV_fupd f) ∧
∀h g f.
m0.CONTROL_nPRIV_fupd f ∘ (m0.CONTROL_control'rst_fupd g ∘ h) =
m0.CONTROL_control'rst_fupd g ∘ (m0.CONTROL_nPRIV_fupd f ∘ h)
⊦ ((∀g f.
m0.SHPR3_PRI_15_fupd f ∘ m0.SHPR3_PRI_14_fupd g =
m0.SHPR3_PRI_14_fupd g ∘ m0.SHPR3_PRI_15_fupd f) ∧
∀h g f.
m0.SHPR3_PRI_15_fupd f ∘ (m0.SHPR3_PRI_14_fupd g ∘ h) =
m0.SHPR3_PRI_14_fupd g ∘ (m0.SHPR3_PRI_15_fupd f ∘ h)) ∧
((∀g f.
m0.SHPR3_shpr3'rst_fupd f ∘ m0.SHPR3_PRI_14_fupd g =
m0.SHPR3_PRI_14_fupd g ∘ m0.SHPR3_shpr3'rst_fupd f) ∧
∀h g f.
m0.SHPR3_shpr3'rst_fupd f ∘ (m0.SHPR3_PRI_14_fupd g ∘ h) =
m0.SHPR3_PRI_14_fupd g ∘ (m0.SHPR3_shpr3'rst_fupd f ∘ h)) ∧
(∀g f.
m0.SHPR3_shpr3'rst_fupd f ∘ m0.SHPR3_PRI_15_fupd g =
m0.SHPR3_PRI_15_fupd g ∘ m0.SHPR3_shpr3'rst_fupd f) ∧
∀h g f.
m0.SHPR3_shpr3'rst_fupd f ∘ (m0.SHPR3_PRI_15_fupd g ∘ h) =
m0.SHPR3_PRI_15_fupd g ∘ (m0.SHPR3_shpr3'rst_fupd f ∘ h)
⊦ ∀_.
m0.ExecutionPriority _ =
λstate.
bool.LET
(λs.
bool.LET (λs. integer.int_min (fst s) (fst (snd s)))
(if m0.PRIMASK_PM (m0.m0_state_PRIMASK (snd (snd s))) then
(integer.int_of_num 0, snd s)
else s))
(snd
(state_transformer.FOR
(arithmetic.BIT2 0,
arithmetic.BIT2 (bit1 (bit1 (bit1 (arithmetic.BIT2 0)))),
(λi state.
if m0.m0_state_ExceptionActive (snd (snd state))
(words.n2w i)
then
bool.LET
(pair.UNCURRY
(λv s.
((),
(if integer.int_lt v (fst (snd s)) then
(fst s, v, snd (snd s))
else s))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3. (v, fst (snd state), s3)))
(bool.LET (λs. (m0.ExceptionPriority i s, s))
(snd (snd state))))
(λv s3. (v, fst state, s3)))
else ((), state)))
(integer.int_of_num (arithmetic.BIT2 1),
integer.int_of_num (arithmetic.BIT2 1), state)))
⊦ ∀m1 m2.
m1 = m2 ⇔
m0.m0_state_AIRCR m1 = m0.m0_state_AIRCR m2 ∧
m0.m0_state_CCR m1 = m0.m0_state_CCR m2 ∧
m0.m0_state_CONTROL m1 = m0.m0_state_CONTROL m2 ∧
m0.m0_state_CurrentMode m1 = m0.m0_state_CurrentMode m2 ∧
m0.m0_state_ExceptionActive m1 = m0.m0_state_ExceptionActive m2 ∧
m0.m0_state_MEM m1 = m0.m0_state_MEM m2 ∧
m0.m0_state_NVIC_IPR m1 = m0.m0_state_NVIC_IPR m2 ∧
m0.m0_state_PRIMASK m1 = m0.m0_state_PRIMASK m2 ∧
m0.m0_state_PSR m1 = m0.m0_state_PSR m2 ∧
m0.m0_state_REG m1 = m0.m0_state_REG m2 ∧
m0.m0_state_SHPR2 m1 = m0.m0_state_SHPR2 m2 ∧
m0.m0_state_SHPR3 m1 = m0.m0_state_SHPR3 m2 ∧
m0.m0_state_VTOR m1 = m0.m0_state_VTOR m2 ∧
m0.m0_state_count m1 = m0.m0_state_count m2 ∧
m0.m0_state_exception m1 = m0.m0_state_exception m2 ∧
m0.m0_state_pcinc m1 = m0.m0_state_pcinc m2 ∧
m0.m0_state_pending m1 = m0.m0_state_pending m2
⊦ ∀n registers.
m0.dfn'StoreMultiple (n, registers) =
λstate.
bool.LET
(λv.
bool.LET
(λbitcount.
bool.LET
(λs1.
m0.m0_state_count_fupd
(const (m0.m0_state_count s1 + bitcount + 1)) s1)
(m0.IncPC ()
(m0.write'R
(words.word_add v
(words.word_mul (words.n2w (arithmetic.BIT2 1))
(words.n2w bitcount)), n)
(snd
(snd
(state_transformer.FOR
(0, 7,
(λi state.
((),
(if words.word_bit i registers then
(words.word_add (fst state)
(words.n2w
(arithmetic.BIT2 1)),
(if words.n2w i = n ∧
¬(i =
m0.LowestSetBit registers)
then
m0.write'MemA
(bool.ARB, fst state,
arithmetic.BIT2 1)
(snd state)
else
m0.write'MemA
(m0.R (words.n2w i)
(snd state), fst state,
arithmetic.BIT2 1)
(snd state)))
else state)))) (v, state)))))))
(m0.BitCount registers)) (m0.R n state)
⊦ ∀x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16.
∃f.
f m0.RName_0 = x0 ∧ f m0.RName_1 = x1 ∧ f m0.RName_2 = x2 ∧
f m0.RName_3 = x3 ∧ f m0.RName_4 = x4 ∧ f m0.RName_5 = x5 ∧
f m0.RName_6 = x6 ∧ f m0.RName_7 = x7 ∧ f m0.RName_8 = x8 ∧
f m0.RName_9 = x9 ∧ f m0.RName_10 = x10 ∧ f m0.RName_11 = x11 ∧
f m0.RName_12 = x12 ∧ f m0.RName_SP_main = x13 ∧
f m0.RName_SP_process = x14 ∧ f m0.RName_LR = x15 ∧
f m0.RName_PC = x16
⊦ (∀a. m0.instruction_size (m0.Branch a) = 1 + m0.Branch_size a) ∧
(∀a. m0.instruction_size (m0.Data a) = 1 + m0.Data_size a) ∧
(∀a. m0.instruction_size (m0.Hint a) = 1 + m0.Hint_size a) ∧
(∀a. m0.instruction_size (m0.Load a) = 1 + m0.Load_size a) ∧
(∀a. m0.instruction_size (m0.Media a) = 1 + m0.Media_size a) ∧
(∀a. m0.instruction_size (m0.Multiply a) = 1 + m0.Multiply_size a) ∧
(∀a. m0.instruction_size (m0.NoOperation a) = 1 + basicSize.one_size a) ∧
(∀a. m0.instruction_size (m0.Store a) = 1 + m0.Store_size a) ∧
(∀a. m0.instruction_size (m0.System a) = 1 + m0.System_size a) ∧
∀a. m0.instruction_size (m0.Undefined a) = 1
⊦ (∀g f P. m0.PSR_C_fupd f (m0.PSR_C_fupd g P) = m0.PSR_C_fupd (f ∘ g) P) ∧
(∀g f P.
m0.PSR_ExceptionNumber_fupd f (m0.PSR_ExceptionNumber_fupd g P) =
m0.PSR_ExceptionNumber_fupd (f ∘ g) P) ∧
(∀g f P. m0.PSR_N_fupd f (m0.PSR_N_fupd g P) = m0.PSR_N_fupd (f ∘ g) P) ∧
(∀g f P. m0.PSR_T_fupd f (m0.PSR_T_fupd g P) = m0.PSR_T_fupd (f ∘ g) P) ∧
(∀g f P. m0.PSR_V_fupd f (m0.PSR_V_fupd g P) = m0.PSR_V_fupd (f ∘ g) P) ∧
(∀g f P. m0.PSR_Z_fupd f (m0.PSR_Z_fupd g P) = m0.PSR_Z_fupd (f ∘ g) P) ∧
∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_psr'rst_fupd g P) =
m0.PSR_psr'rst_fupd (f ∘ g) P
⊦ (∀a. ¬(m0.ExternalInterrupt a = m0.HardFault)) ∧
(∀a. ¬(m0.ExternalInterrupt a = m0.NMI)) ∧
(∀a. ¬(m0.ExternalInterrupt a = m0.PendSV)) ∧
(∀a. ¬(m0.ExternalInterrupt a = m0.Reset)) ∧
(∀a. ¬(m0.ExternalInterrupt a = m0.SVCall)) ∧
(∀a. ¬(m0.ExternalInterrupt a = m0.SysTick)) ∧ ¬(m0.HardFault = m0.NMI) ∧
¬(m0.HardFault = m0.PendSV) ∧ ¬(m0.HardFault = m0.Reset) ∧
¬(m0.HardFault = m0.SVCall) ∧ ¬(m0.HardFault = m0.SysTick) ∧
¬(m0.NMI = m0.PendSV) ∧ ¬(m0.NMI = m0.Reset) ∧ ¬(m0.NMI = m0.SVCall) ∧
¬(m0.NMI = m0.SysTick) ∧ ¬(m0.PendSV = m0.Reset) ∧
¬(m0.PendSV = m0.SVCall) ∧ ¬(m0.PendSV = m0.SysTick) ∧
¬(m0.Reset = m0.SVCall) ∧ ¬(m0.Reset = m0.SysTick) ∧
¬(m0.SVCall = m0.SysTick)
⊦ ∀M M' f f1 f2 f3 f4 f5 f6.
M = M' ∧ (∀a. M' = m0.ArithLogicImmediate a ⇒ f a = f' a) ∧
(∀a. M' = m0.CompareImmediate a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.Move a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.Register a ⇒ f3 a = f3' a) ∧
(∀a. M' = m0.ShiftImmediate a ⇒ f4 a = f4' a) ∧
(∀a. M' = m0.ShiftRegister a ⇒ f5 a = f5' a) ∧
(∀a. M' = m0.TestCompareRegister a ⇒ f6 a = f6' a) ⇒
m0.Data_CASE M f f1 f2 f3 f4 f5 f6 =
m0.Data_CASE M' f' f1' f2' f3' f4' f5' f6'
⊦ m0.num2RName 0 = m0.RName_0 ∧ m0.num2RName 1 = m0.RName_1 ∧
m0.num2RName (arithmetic.BIT2 0) = m0.RName_2 ∧
m0.num2RName 3 = m0.RName_3 ∧
m0.num2RName (arithmetic.BIT2 1) = m0.RName_4 ∧
m0.num2RName (bit1 (arithmetic.BIT2 0)) = m0.RName_5 ∧
m0.num2RName (arithmetic.BIT2 (arithmetic.BIT2 0)) = m0.RName_6 ∧
m0.num2RName 7 = m0.RName_7 ∧
m0.num2RName (arithmetic.BIT2 3) = m0.RName_8 ∧
m0.num2RName (bit1 (arithmetic.BIT2 1)) = m0.RName_9 ∧
m0.num2RName (arithmetic.BIT2 (arithmetic.BIT2 1)) = m0.RName_10 ∧
m0.num2RName (bit1 (bit1 (arithmetic.BIT2 0))) = m0.RName_11 ∧
m0.num2RName (arithmetic.BIT2 (bit1 (arithmetic.BIT2 0))) = m0.RName_12 ∧
m0.num2RName (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))) =
m0.RName_SP_main ∧
m0.num2RName (arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))) =
m0.RName_SP_process ∧ m0.num2RName 15 = m0.RName_LR ∧
m0.num2RName (arithmetic.BIT2 7) = m0.RName_PC
⊦ m0.RName2num m0.RName_0 = 0 ∧ m0.RName2num m0.RName_1 = 1 ∧
m0.RName2num m0.RName_2 = arithmetic.BIT2 0 ∧
m0.RName2num m0.RName_3 = 3 ∧
m0.RName2num m0.RName_4 = arithmetic.BIT2 1 ∧
m0.RName2num m0.RName_5 = bit1 (arithmetic.BIT2 0) ∧
m0.RName2num m0.RName_6 = arithmetic.BIT2 (arithmetic.BIT2 0) ∧
m0.RName2num m0.RName_7 = 7 ∧
m0.RName2num m0.RName_8 = arithmetic.BIT2 3 ∧
m0.RName2num m0.RName_9 = bit1 (arithmetic.BIT2 1) ∧
m0.RName2num m0.RName_10 = arithmetic.BIT2 (arithmetic.BIT2 1) ∧
m0.RName2num m0.RName_11 = bit1 (bit1 (arithmetic.BIT2 0)) ∧
m0.RName2num m0.RName_12 = arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)) ∧
m0.RName2num m0.RName_SP_main =
bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)) ∧
m0.RName2num m0.RName_SP_process =
arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)) ∧
m0.RName2num m0.RName_LR = 15 ∧
m0.RName2num m0.RName_PC = arithmetic.BIT2 7
⊦ ∀n.
m0.ExceptionPriority n =
λstate.
if n = arithmetic.BIT2 0 then
integer.int_neg (integer.int_of_num (arithmetic.BIT2 0))
else if n = 1 then integer.int_neg (integer.int_of_num 1)
else if n = bit1 (bit1 (arithmetic.BIT2 0)) then
integer_word.w2i (m0.SHPR2_PRI_11 (m0.m0_state_SHPR2 state))
else if n = arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0))
then integer_word.w2i (m0.SHPR3_PRI_14 (m0.m0_state_SHPR3 state))
else if n = 15 then
integer_word.w2i (m0.SHPR3_PRI_15 (m0.m0_state_SHPR3 state))
else if n ≥ arithmetic.BIT2 7 then
bool.LET
(λv.
bool.literal_case
(λv1.
if v1 = words.n2w 0 then
integer_word.w2i (m0.IPR_PRI_N0 v)
else if v1 = words.n2w 1 then
integer_word.w2i (m0.IPR_PRI_N1 v)
else if v1 = words.n2w (arithmetic.BIT2 0) then
integer_word.w2i (m0.IPR_PRI_N2 v)
else if v1 = words.n2w 3 then
integer_word.w2i (m0.IPR_PRI_N3 v)
else bool.ARB) (words.n2w (n mod arithmetic.BIT2 1)))
(m0.m0_state_NVIC_IPR state
(words.n2w
(arithmetic.- n (arithmetic.BIT2 7) div
arithmetic.BIT2 1)))
else integer.int_of_num (arithmetic.BIT2 1)
⊦ (∀a a'. m0.Branch a = m0.Branch a' ⇔ a = a') ∧
(∀a a'. m0.Data a = m0.Data a' ⇔ a = a') ∧
(∀a a'. m0.Hint a = m0.Hint a' ⇔ a = a') ∧
(∀a a'. m0.Load a = m0.Load a' ⇔ a = a') ∧
(∀a a'. m0.Media a = m0.Media a' ⇔ a = a') ∧
(∀a a'. m0.Multiply a = m0.Multiply a' ⇔ a = a') ∧
(∀a a'. m0.NoOperation a = m0.NoOperation a' ⇔ a = a') ∧
(∀a a'. m0.Store a = m0.Store a' ⇔ a = a') ∧
(∀a a'. m0.System a = m0.System a' ⇔ a = a') ∧
∀a a'. m0.Undefined a = m0.Undefined a' ⇔ a = a'
⊦ (∀f b b0 b1 c c0.
m0.AIRCR_ENDIANNESS_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR (f b) b0 b1 c c0) ∧
(∀f b b0 b1 c c0.
m0.AIRCR_SYSRESETREQ_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b (f b0) b1 c c0) ∧
(∀f b b0 b1 c c0.
m0.AIRCR_VECTCLRACTIVE_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b b0 (f b1) c c0) ∧
(∀f b b0 b1 c c0.
m0.AIRCR_VECTKEY_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b b0 b1 (f c) c0) ∧
∀f b b0 b1 c c0.
m0.AIRCR_aircr'rst_fupd f (m0.recordtype.AIRCR b b0 b1 c c0) =
m0.recordtype.AIRCR b b0 b1 c (f c0)
⊦ (∀f c c0 c1 c2 c3.
m0.IPR_PRI_N0_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR (f c) c0 c1 c2 c3) ∧
(∀f c c0 c1 c2 c3.
m0.IPR_PRI_N1_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c (f c0) c1 c2 c3) ∧
(∀f c c0 c1 c2 c3.
m0.IPR_PRI_N2_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c c0 (f c1) c2 c3) ∧
(∀f c c0 c1 c2 c3.
m0.IPR_PRI_N3_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c c0 c1 (f c2) c3) ∧
∀f c c0 c1 c2 c3.
m0.IPR_ipr'rst_fupd f (m0.recordtype.IPR c c0 c1 c2 c3) =
m0.recordtype.IPR c c0 c1 c2 (f c3)
⊦ ∀_.
m0.TakeReset _ =
λstate.
bool.LET
(λv.
bool.LET
(pair.UNCURRY
(λv0 s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
snd
(state_transformer.FOR
(0, 63,
(λi state.
((),
m0.m0_state_ExceptionActive_fupd
(const
(combin.UPDATE
(words.n2w
i) ⊥
(m0.m0_state_ExceptionActive
state)))
state)))
(m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_nPRIV_fupd
(const ⊥)
(m0.m0_state_CONTROL
s))) s)))
(m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_SPSEL_fupd
(const ⊥)
(m0.m0_state_CONTROL
s))) s))
(m0.m0_state_PRIMASK_fupd
(const
(m0.PRIMASK_PM_fupd (const ⊥)
(m0.m0_state_PRIMASK s)))
s))
(m0.m0_state_PSR_fupd
(const
(m0.PSR_ExceptionNumber_fupd
(const (words.n2w 0))
(m0.m0_state_PSR s))) s))
(m0.m0_state_PSR_fupd (const bool.ARB)
(m0.write'PC v s))))
(m0.MemA
(words.word_add v (words.n2w (arithmetic.BIT2 1)),
arithmetic.BIT2 1)
(m0.write'LR bool.ARB
(m0.write'SP_process
(words.word_concat bool.ARB (words.n2w 0))
(m0.write'SP_main v0 s))))))
(m0.MemA (v, arithmetic.BIT2 1)
(snd
(state_transformer.FOR
(0, arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)),
(λi state.
((), m0.write'R (bool.ARB, words.n2w i) state)))
state)))) (m0.m0_state_VTOR state)
⊦ (∀a.
m0.Data_size (m0.ArithLogicImmediate a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) (λv. 0)))) a) ∧
(∀a.
m0.Data_size (m0.CompareImmediate a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.Data_size (m0.Move a) =
1 + basicSize.pair_size (λv. 0) (λv. 0) a) ∧
(∀a.
m0.Data_size (m0.Register a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0) (λv. 0)))) a) ∧
(∀a.
m0.Data_size (m0.ShiftImmediate a) =
1 +
basicSize.pair_size basicSize.bool_size
(basicSize.pair_size basicSize.bool_size
(basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0)
(basicSize.pair_size m0.SRType_size (λx. x))))) a) ∧
(∀a.
m0.Data_size (m0.ShiftRegister a) =
1 +
basicSize.pair_size (λv. 0)
(basicSize.pair_size (λv. 0)
(basicSize.pair_size m0.SRType_size (λv. 0))) a) ∧
∀a.
m0.Data_size (m0.TestCompareRegister a) =
1 + basicSize.pair_size (λv. 0) (basicSize.pair_size (λv. 0) (λv. 0)) a
⊦ ∀m A C0 C M f2 f1 f0 P0 P f S0 S c0 n e c o.
m0.m0_state_AIRCR_fupd (const A)
(m0.m0_state_CCR_fupd (const C0)
(m0.m0_state_CONTROL_fupd (const C)
(m0.m0_state_CurrentMode_fupd (const M)
(m0.m0_state_ExceptionActive_fupd (const f2)
(m0.m0_state_MEM_fupd (const f1)
(m0.m0_state_NVIC_IPR_fupd (const f0)
(m0.m0_state_PRIMASK_fupd (const P0)
(m0.m0_state_PSR_fupd (const P)
(m0.m0_state_REG_fupd (const f)
(m0.m0_state_SHPR2_fupd (const S0)
(m0.m0_state_SHPR3_fupd (const S)
(m0.m0_state_VTOR_fupd (const c0)
(m0.m0_state_count_fupd (const n)
(m0.m0_state_exception_fupd
(const e)
(m0.m0_state_pcinc_fupd
(const c)
(m0.m0_state_pending_fupd
(const o)
m)))))))))))))))) =
m0.m0_state_AIRCR_fupd (const A)
(m0.m0_state_CCR_fupd (const C0)
(m0.m0_state_CONTROL_fupd (const C)
(m0.m0_state_CurrentMode_fupd (const M)
(m0.m0_state_ExceptionActive_fupd (const f2)
(m0.m0_state_MEM_fupd (const f1)
(m0.m0_state_NVIC_IPR_fupd (const f0)
(m0.m0_state_PRIMASK_fupd (const P0)
(m0.m0_state_PSR_fupd (const P)
(m0.m0_state_REG_fupd (const f)
(m0.m0_state_SHPR2_fupd (const S0)
(m0.m0_state_SHPR3_fupd (const S)
(m0.m0_state_VTOR_fupd (const c0)
(m0.m0_state_count_fupd (const n)
(m0.m0_state_exception_fupd
(const e)
(m0.m0_state_pcinc_fupd
(const c)
(m0.m0_state_pending_fupd
(const o)
bool.ARB))))))))))))))))
⊦ ∀M M' f f1 f2 f3 f4 f5 f6 f7.
M = M' ∧ (∀a. M' = m0.Breakpoint a ⇒ f a = f' a) ∧
(∀a. M' = m0.DataMemoryBarrier a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.DataSynchronizationBarrier a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.InstructionSynchronizationBarrier a ⇒ f3 a = f3' a) ∧
(∀a. M' = m0.SendEvent a ⇒ f4 a = f4' a) ∧
(∀a. M' = m0.WaitForEvent a ⇒ f5 a = f5' a) ∧
(∀a. M' = m0.WaitForInterrupt a ⇒ f6 a = f6' a) ∧
(∀a. M' = m0.Yield a ⇒ f7 a = f7' a) ⇒
m0.Hint_CASE M f f1 f2 f3 f4 f5 f6 f7 =
m0.Hint_CASE M' f' f1' f2' f3' f4' f5' f6' f7'
⊦ ∀cond.
m0.ConditionPassed cond =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
if words.word_bit 0 cond ∧ ¬(cond = words.n2w 15) then ¬v
else v))
(bool.literal_case
(λv.
if v = words.n2w 0 then
(m0.PSR_Z (m0.m0_state_PSR state), state)
else if v = words.n2w 1 then
(m0.PSR_C (m0.m0_state_PSR state), state)
else if v = words.n2w (arithmetic.BIT2 0) then
(m0.PSR_N (m0.m0_state_PSR state), state)
else if v = words.n2w 3 then
(m0.PSR_V (m0.m0_state_PSR state), state)
else if v = words.n2w (arithmetic.BIT2 1) then
(m0.PSR_C (m0.m0_state_PSR state) ∧
¬m0.PSR_Z (m0.m0_state_PSR state), state)
else if v = words.n2w (bit1 (arithmetic.BIT2 0)) then
(m0.PSR_N (m0.m0_state_PSR state) ⇔
m0.PSR_V (m0.m0_state_PSR state), state)
else if v = words.n2w (arithmetic.BIT2 (arithmetic.BIT2 0))
then
((m0.PSR_N (m0.m0_state_PSR state) ⇔
m0.PSR_V (m0.m0_state_PSR state)) ∧
¬m0.PSR_Z (m0.m0_state_PSR state), state)
else if v = words.n2w 7 then (⊤, state)
else bool.ARB) (words.word_extract 3 1 cond))
⊦ ∀a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14 a15 a16 a0' a1' a2'
a3' a4' a5' a6' a7' a8' a9' a10' a11' a12' a13' a14' a15' a16'.
m0.recordtype.m0_state a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13
a14 a15 a16 =
m0.recordtype.m0_state a0' a1' a2' a3' a4' a5' a6' a7' a8' a9' a10'
a11' a12' a13' a14' a15' a16' ⇔
a0 = a0' ∧ a1 = a1' ∧ a2 = a2' ∧ a3 = a3' ∧ a4 = a4' ∧ a5 = a5' ∧
a6 = a6' ∧ a7 = a7' ∧ a8 = a8' ∧ a9 = a9' ∧ a10 = a10' ∧ a11 = a11' ∧
a12 = a12' ∧ a13 = a13' ∧ a14 = a14' ∧ a15 = a15' ∧ a16 = a16'
⊦ (∀b c b0 b1 b2 b3 c0.
m0.PSR_C (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b) ∧
(∀b c b0 b1 b2 b3 c0.
m0.PSR_ExceptionNumber (m0.recordtype.PSR b c b0 b1 b2 b3 c0) = c) ∧
(∀b c b0 b1 b2 b3 c0.
m0.PSR_N (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b0) ∧
(∀b c b0 b1 b2 b3 c0.
m0.PSR_T (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b1) ∧
(∀b c b0 b1 b2 b3 c0.
m0.PSR_V (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b2) ∧
(∀b c b0 b1 b2 b3 c0.
m0.PSR_Z (m0.recordtype.PSR b c b0 b1 b2 b3 c0) ⇔ b3) ∧
∀b c b0 b1 b2 b3 c0.
m0.PSR_psr'rst (m0.recordtype.PSR b c b0 b1 b2 b3 c0) = c0
⊦ (∀a f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE (m0.ExternalInterrupt a) f v v1 v2 v3 v4 v5 =
f a) ∧
(∀f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE m0.HardFault f v v1 v2 v3 v4 v5 = v) ∧
(∀f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE m0.NMI f v v1 v2 v3 v4 v5 = v1) ∧
(∀f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE m0.PendSV f v v1 v2 v3 v4 v5 = v2) ∧
(∀f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE m0.Reset f v v1 v2 v3 v4 v5 = v3) ∧
(∀f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE m0.SVCall f v v1 v2 v3 v4 v5 = v4) ∧
∀f v v1 v2 v3 v4 v5.
m0.ARM_Exception_CASE m0.SysTick f v v1 v2 v3 v4 v5 = v5
⊦ (∀g f A.
m0.AIRCR_SYSRESETREQ_fupd f (m0.AIRCR_ENDIANNESS_fupd g A) =
m0.AIRCR_ENDIANNESS_fupd g (m0.AIRCR_SYSRESETREQ_fupd f A)) ∧
(∀g f A.
m0.AIRCR_VECTCLRACTIVE_fupd f (m0.AIRCR_ENDIANNESS_fupd g A) =
m0.AIRCR_ENDIANNESS_fupd g (m0.AIRCR_VECTCLRACTIVE_fupd f A)) ∧
(∀g f A.
m0.AIRCR_VECTCLRACTIVE_fupd f (m0.AIRCR_SYSRESETREQ_fupd g A) =
m0.AIRCR_SYSRESETREQ_fupd g (m0.AIRCR_VECTCLRACTIVE_fupd f A)) ∧
(∀g f A.
m0.AIRCR_VECTKEY_fupd f (m0.AIRCR_ENDIANNESS_fupd g A) =
m0.AIRCR_ENDIANNESS_fupd g (m0.AIRCR_VECTKEY_fupd f A)) ∧
(∀g f A.
m0.AIRCR_VECTKEY_fupd f (m0.AIRCR_SYSRESETREQ_fupd g A) =
m0.AIRCR_SYSRESETREQ_fupd g (m0.AIRCR_VECTKEY_fupd f A)) ∧
(∀g f A.
m0.AIRCR_VECTKEY_fupd f (m0.AIRCR_VECTCLRACTIVE_fupd g A) =
m0.AIRCR_VECTCLRACTIVE_fupd g (m0.AIRCR_VECTKEY_fupd f A)) ∧
(∀g f A.
m0.AIRCR_aircr'rst_fupd f (m0.AIRCR_ENDIANNESS_fupd g A) =
m0.AIRCR_ENDIANNESS_fupd g (m0.AIRCR_aircr'rst_fupd f A)) ∧
(∀g f A.
m0.AIRCR_aircr'rst_fupd f (m0.AIRCR_SYSRESETREQ_fupd g A) =
m0.AIRCR_SYSRESETREQ_fupd g (m0.AIRCR_aircr'rst_fupd f A)) ∧
(∀g f A.
m0.AIRCR_aircr'rst_fupd f (m0.AIRCR_VECTCLRACTIVE_fupd g A) =
m0.AIRCR_VECTCLRACTIVE_fupd g (m0.AIRCR_aircr'rst_fupd f A)) ∧
∀g f A.
m0.AIRCR_aircr'rst_fupd f (m0.AIRCR_VECTKEY_fupd g A) =
m0.AIRCR_VECTKEY_fupd g (m0.AIRCR_aircr'rst_fupd f A)
⊦ (∀g f I.
m0.IPR_PRI_N1_fupd f (m0.IPR_PRI_N0_fupd g I) =
m0.IPR_PRI_N0_fupd g (m0.IPR_PRI_N1_fupd f I)) ∧
(∀g f I.
m0.IPR_PRI_N2_fupd f (m0.IPR_PRI_N0_fupd g I) =
m0.IPR_PRI_N0_fupd g (m0.IPR_PRI_N2_fupd f I)) ∧
(∀g f I.
m0.IPR_PRI_N2_fupd f (m0.IPR_PRI_N1_fupd g I) =
m0.IPR_PRI_N1_fupd g (m0.IPR_PRI_N2_fupd f I)) ∧
(∀g f I.
m0.IPR_PRI_N3_fupd f (m0.IPR_PRI_N0_fupd g I) =
m0.IPR_PRI_N0_fupd g (m0.IPR_PRI_N3_fupd f I)) ∧
(∀g f I.
m0.IPR_PRI_N3_fupd f (m0.IPR_PRI_N1_fupd g I) =
m0.IPR_PRI_N1_fupd g (m0.IPR_PRI_N3_fupd f I)) ∧
(∀g f I.
m0.IPR_PRI_N3_fupd f (m0.IPR_PRI_N2_fupd g I) =
m0.IPR_PRI_N2_fupd g (m0.IPR_PRI_N3_fupd f I)) ∧
(∀g f I.
m0.IPR_ipr'rst_fupd f (m0.IPR_PRI_N0_fupd g I) =
m0.IPR_PRI_N0_fupd g (m0.IPR_ipr'rst_fupd f I)) ∧
(∀g f I.
m0.IPR_ipr'rst_fupd f (m0.IPR_PRI_N1_fupd g I) =
m0.IPR_PRI_N1_fupd g (m0.IPR_ipr'rst_fupd f I)) ∧
(∀g f I.
m0.IPR_ipr'rst_fupd f (m0.IPR_PRI_N2_fupd g I) =
m0.IPR_PRI_N2_fupd g (m0.IPR_ipr'rst_fupd f I)) ∧
∀g f I.
m0.IPR_ipr'rst_fupd f (m0.IPR_PRI_N3_fupd g I) =
m0.IPR_PRI_N3_fupd g (m0.IPR_ipr'rst_fupd f I)
⊦ ((∀g f.
m0.AIRCR_ENDIANNESS_fupd f ∘ m0.AIRCR_ENDIANNESS_fupd g =
m0.AIRCR_ENDIANNESS_fupd (f ∘ g)) ∧
∀h g f.
m0.AIRCR_ENDIANNESS_fupd f ∘ (m0.AIRCR_ENDIANNESS_fupd g ∘ h) =
m0.AIRCR_ENDIANNESS_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.AIRCR_SYSRESETREQ_fupd f ∘ m0.AIRCR_SYSRESETREQ_fupd g =
m0.AIRCR_SYSRESETREQ_fupd (f ∘ g)) ∧
∀h g f.
m0.AIRCR_SYSRESETREQ_fupd f ∘ (m0.AIRCR_SYSRESETREQ_fupd g ∘ h) =
m0.AIRCR_SYSRESETREQ_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.AIRCR_VECTCLRACTIVE_fupd f ∘ m0.AIRCR_VECTCLRACTIVE_fupd g =
m0.AIRCR_VECTCLRACTIVE_fupd (f ∘ g)) ∧
∀h g f.
m0.AIRCR_VECTCLRACTIVE_fupd f ∘ (m0.AIRCR_VECTCLRACTIVE_fupd g ∘ h) =
m0.AIRCR_VECTCLRACTIVE_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.AIRCR_VECTKEY_fupd f ∘ m0.AIRCR_VECTKEY_fupd g =
m0.AIRCR_VECTKEY_fupd (f ∘ g)) ∧
∀h g f.
m0.AIRCR_VECTKEY_fupd f ∘ (m0.AIRCR_VECTKEY_fupd g ∘ h) =
m0.AIRCR_VECTKEY_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.AIRCR_aircr'rst_fupd f ∘ m0.AIRCR_aircr'rst_fupd g =
m0.AIRCR_aircr'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.AIRCR_aircr'rst_fupd f ∘ (m0.AIRCR_aircr'rst_fupd g ∘ h) =
m0.AIRCR_aircr'rst_fupd (f ∘ g) ∘ h
⊦ ((∀g f.
m0.IPR_PRI_N0_fupd f ∘ m0.IPR_PRI_N0_fupd g =
m0.IPR_PRI_N0_fupd (f ∘ g)) ∧
∀h g f.
m0.IPR_PRI_N0_fupd f ∘ (m0.IPR_PRI_N0_fupd g ∘ h) =
m0.IPR_PRI_N0_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.IPR_PRI_N1_fupd f ∘ m0.IPR_PRI_N1_fupd g =
m0.IPR_PRI_N1_fupd (f ∘ g)) ∧
∀h g f.
m0.IPR_PRI_N1_fupd f ∘ (m0.IPR_PRI_N1_fupd g ∘ h) =
m0.IPR_PRI_N1_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.IPR_PRI_N2_fupd f ∘ m0.IPR_PRI_N2_fupd g =
m0.IPR_PRI_N2_fupd (f ∘ g)) ∧
∀h g f.
m0.IPR_PRI_N2_fupd f ∘ (m0.IPR_PRI_N2_fupd g ∘ h) =
m0.IPR_PRI_N2_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.IPR_PRI_N3_fupd f ∘ m0.IPR_PRI_N3_fupd g =
m0.IPR_PRI_N3_fupd (f ∘ g)) ∧
∀h g f.
m0.IPR_PRI_N3_fupd f ∘ (m0.IPR_PRI_N3_fupd g ∘ h) =
m0.IPR_PRI_N3_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.IPR_ipr'rst_fupd f ∘ m0.IPR_ipr'rst_fupd g =
m0.IPR_ipr'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.IPR_ipr'rst_fupd f ∘ (m0.IPR_ipr'rst_fupd g ∘ h) =
m0.IPR_ipr'rst_fupd (f ∘ g) ∘ h
⊦ ∀v0.
m0.Run v0 =
λstate.
m0.instruction_CASE v0
(λv.
m0.Branch_CASE v (λv2. m0.dfn'BranchExchange v2 state)
(λv3. m0.dfn'BranchLinkExchangeRegister v3 state)
(λv4. m0.dfn'BranchLinkImmediate v4 state)
(λv5. m0.dfn'BranchTarget v5 state))
(λv2.
m0.Data_CASE v2 (λv7. m0.dfn'ArithLogicImmediate v7 state)
(λv8. m0.dfn'CompareImmediate v8 state)
(λv9. m0.dfn'Move v9 state) (λv10. m0.dfn'Register v10 state)
(λv11. m0.dfn'ShiftImmediate v11 state)
(λv12. m0.dfn'ShiftRegister v12 state)
(λv13. m0.dfn'TestCompareRegister v13 state))
(λv3.
m0.Hint_CASE v3 (λv15. m0.dfn'Breakpoint v15 state)
(λv16. m0.dfn'DataMemoryBarrier v16 state)
(λv17. m0.dfn'DataSynchronizationBarrier v17 state)
(λv18. m0.dfn'InstructionSynchronizationBarrier v18 state)
(λv19. m0.dfn'SendEvent v19 state)
(λv20. m0.dfn'WaitForEvent v20 state)
(λv21. m0.dfn'WaitForInterrupt v21 state)
(λv22. m0.dfn'Yield v22 state))
(λv4.
m0.Load_CASE v4 (λv24. m0.dfn'LoadByte v24 state)
(λv25. m0.dfn'LoadHalf v25 state)
(λv26. m0.dfn'LoadLiteral v26 state)
(λv27. m0.dfn'LoadMultiple v27 state)
(λv28. m0.dfn'LoadWord v28 state))
(λv5.
m0.Media_CASE v5 (λv30. m0.dfn'ByteReverse v30 state)
(λv31. m0.dfn'ByteReversePackedHalfword v31 state)
(λv32. m0.dfn'ByteReverseSignedHalfword v32 state)
(λv33. m0.dfn'ExtendByte v33 state)
(λv34. m0.dfn'ExtendHalfword v34 state))
(λv7. m0.Multiply_CASE v7 (λv36. m0.dfn'Multiply32 v36 state))
(λv48. m0.dfn'NoOperation v48 state)
(λv9.
m0.Store_CASE v9 (λv38. m0.dfn'Push v38 state)
(λv39. m0.dfn'StoreByte v39 state)
(λv40. m0.dfn'StoreHalf v40 state)
(λv41. m0.dfn'StoreMultiple v41 state)
(λv42. m0.dfn'StoreWord v42 state))
(λv10.
m0.System_CASE v10 (λv44. m0.dfn'ChangeProcessorState v44 state)
(λv45. m0.dfn'MoveToRegisterFromSpecial v45 state)
(λv46. m0.dfn'MoveToSpecialRegister v46 state)
(λv47. m0.dfn'SupervisorCall v47 state))
(λv49. m0.dfn'Undefined v49 state)
⊦ ∀x v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE x v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
v16 =
let m ← m0.RName2num x in
if m < arithmetic.BIT2 3 then
if m < 3 then if m < 1 then v0 else if m = 1 then v1 else v2
else if m < bit1 (arithmetic.BIT2 0) then if m = 3 then v3 else v4
else if m < arithmetic.BIT2 (arithmetic.BIT2 0) then v5
else if m = arithmetic.BIT2 (arithmetic.BIT2 0) then v6
else v7
else if m < arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)) then
if m < bit1 (arithmetic.BIT2 1) then v8
else if m < arithmetic.BIT2 (arithmetic.BIT2 1) then v9
else if m = arithmetic.BIT2 (arithmetic.BIT2 1) then v10
else v11
else if m < arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)) then
if m = arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)) then v12 else v13
else if m < 15 then v14
else if m = 15 then v15
else v16
⊦ ∀M M' f f1 f2 f3 f4 f5 f6 f7 f8 f9.
M = M' ∧ (∀a. M' = m0.Branch a ⇒ f a = f' a) ∧
(∀a. M' = m0.Data a ⇒ f1 a = f1' a) ∧
(∀a. M' = m0.Hint a ⇒ f2 a = f2' a) ∧
(∀a. M' = m0.Load a ⇒ f3 a = f3' a) ∧
(∀a. M' = m0.Media a ⇒ f4 a = f4' a) ∧
(∀a. M' = m0.Multiply a ⇒ f5 a = f5' a) ∧
(∀a. M' = m0.NoOperation a ⇒ f6 a = f6' a) ∧
(∀a. M' = m0.Store a ⇒ f7 a = f7' a) ∧
(∀a. M' = m0.System a ⇒ f8 a = f8' a) ∧
(∀a. M' = m0.Undefined a ⇒ f9 a = f9' a) ⇒
m0.instruction_CASE M f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
m0.instruction_CASE M' f' f1' f2' f3' f4' f5' f6' f7' f8' f9'
⊦ ∀opc setflags d n imm32 C.
m0.DataProcessing (opc, setflags, d, n, imm32, C) =
λstate.
bool.LET
(pair.UNCURRY
(λresult.
pair.UNCURRY
(λcarry overflow.
bool.LET
(λs.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + 1)) s)
(m0.IncPC ()
(if setflags then
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
if m0.ArithmeticOpcode opc
then
m0.m0_state_PSR_fupd
(const
(m0.PSR_V_fupd
(const overflow)
(m0.m0_state_PSR
s))) s
else s)
(m0.m0_state_PSR_fupd
(const
(m0.PSR_C_fupd
(const carry)
(m0.m0_state_PSR s)))
s))
(m0.m0_state_PSR_fupd
(const
(m0.PSR_Z_fupd
(const
(result = words.n2w 0))
(m0.m0_state_PSR s))) s))
(m0.m0_state_PSR_fupd
(const
(m0.PSR_N_fupd
(const
(words.word_bit 31 result))
(m0.m0_state_PSR s))) s)
else s)))
(if ¬(words.word_extract 3 (arithmetic.BIT2 0) opc =
words.n2w (arithmetic.BIT2 0))
then m0.write'R (result, d) state
else state))))
(m0.DataProcessingALU
(opc,
(if opc =
words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))) ∨
opc = words.n2w 15
then words.n2w 0
else if bool.IN opc
(pred_set.INSERT (words.n2w (arithmetic.BIT2 1))
(pred_set.INSERT (words.n2w (arithmetic.BIT2 0))
pred_set.EMPTY)) ∧ n = words.n2w 15 ∧
¬setflags
then m0.Align (m0.PC state, arithmetic.BIT2 1)
else m0.R n state), imm32, C))
⊦ (∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.ArithLogicImmediate a) f f1 f2 f3 f4 f5 f6 = f a) ∧
(∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.CompareImmediate a) f f1 f2 f3 f4 f5 f6 = f1 a) ∧
(∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.Move a) f f1 f2 f3 f4 f5 f6 = f2 a) ∧
(∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.Register a) f f1 f2 f3 f4 f5 f6 = f3 a) ∧
(∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.ShiftImmediate a) f f1 f2 f3 f4 f5 f6 = f4 a) ∧
(∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.ShiftRegister a) f f1 f2 f3 f4 f5 f6 = f5 a) ∧
∀a f f1 f2 f3 f4 f5 f6.
m0.Data_CASE (m0.TestCompareRegister a) f f1 f2 f3 f4 f5 f6 = f6 a
⊦ ∀wback n registers.
m0.dfn'LoadMultiple (wback, n, registers) =
λstate.
bool.LET
(λv.
bool.LET
(λbitcount.
bool.LET
(λs.
bool.LET
(λs.
if wback ∧
¬words.word_bit (words.w2n n) registers
then
m0.write'R
(words.word_add v
(words.word_mul
(words.n2w (arithmetic.BIT2 1))
(words.n2w bitcount)), n) (snd s)
else snd s)
(if words.word_bit (arithmetic.BIT2 3) registers
then
bool.LET
(λs.
(fst s,
m0.m0_state_count_fupd
(const
(m0.m0_state_count (snd s) +
bitcount + arithmetic.BIT2 1))
(snd s)))
(bool.LET
(pair.UNCURRY
(λv s.
(fst s, m0.LoadWritePC v (snd s))))
(pair.pair_CASE
(m0.MemA (fst s, arithmetic.BIT2 1)
(snd s)) (λv s3. (v, fst s, s3))))
else
bool.LET
(λs1.
(fst s,
m0.m0_state_count_fupd
(const
(m0.m0_state_count s1 + bitcount + 1))
s1)) (m0.IncPC () (snd s))))
(snd
(state_transformer.FOR
(0, 7,
(λi state.
if words.word_bit i registers then
bool.LET
(λs.
((),
words.word_add (fst s)
(words.n2w (arithmetic.BIT2 1)),
snd s))
(bool.LET
(pair.UNCURRY
(λv s.
(fst s, m0.write'R v (snd s))))
(bool.LET
(pair.UNCURRY
(λv s. ((v, words.n2w i), s)))
(pair.pair_CASE
(m0.MemA
(fst state, arithmetic.BIT2 1)
(snd state))
(λv s3. (v, fst state, s3)))))
else ((), state))) (v, state))))
(m0.BitCount registers)) (m0.R n state)
⊦ ∀M M' v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
M = M' ∧ (M' = m0.RName_0 ⇒ v0 = v0') ∧ (M' = m0.RName_1 ⇒ v1 = v1') ∧
(M' = m0.RName_2 ⇒ v2 = v2') ∧ (M' = m0.RName_3 ⇒ v3 = v3') ∧
(M' = m0.RName_4 ⇒ v4 = v4') ∧ (M' = m0.RName_5 ⇒ v5 = v5') ∧
(M' = m0.RName_6 ⇒ v6 = v6') ∧ (M' = m0.RName_7 ⇒ v7 = v7') ∧
(M' = m0.RName_8 ⇒ v8 = v8') ∧ (M' = m0.RName_9 ⇒ v9 = v9') ∧
(M' = m0.RName_10 ⇒ v10 = v10') ∧ (M' = m0.RName_11 ⇒ v11 = v11') ∧
(M' = m0.RName_12 ⇒ v12 = v12') ∧
(M' = m0.RName_SP_main ⇒ v13 = v13') ∧
(M' = m0.RName_SP_process ⇒ v14 = v14') ∧
(M' = m0.RName_LR ⇒ v15 = v15') ∧ (M' = m0.RName_PC ⇒ v16 = v16') ⇒
m0.RName_CASE M v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15
v16 =
m0.RName_CASE M' v0' v1' v2' v3' v4' v5' v6' v7' v8' v9' v10' v11' v12'
v13' v14' v15' v16'
⊦ (∀a' a. ¬(m0.ArithLogicImmediate a = m0.CompareImmediate a')) ∧
(∀a' a. ¬(m0.ArithLogicImmediate a = m0.Move a')) ∧
(∀a' a. ¬(m0.ArithLogicImmediate a = m0.Register a')) ∧
(∀a' a. ¬(m0.ArithLogicImmediate a = m0.ShiftImmediate a')) ∧
(∀a' a. ¬(m0.ArithLogicImmediate a = m0.ShiftRegister a')) ∧
(∀a' a. ¬(m0.ArithLogicImmediate a = m0.TestCompareRegister a')) ∧
(∀a' a. ¬(m0.CompareImmediate a = m0.Move a')) ∧
(∀a' a. ¬(m0.CompareImmediate a = m0.Register a')) ∧
(∀a' a. ¬(m0.CompareImmediate a = m0.ShiftImmediate a')) ∧
(∀a' a. ¬(m0.CompareImmediate a = m0.ShiftRegister a')) ∧
(∀a' a. ¬(m0.CompareImmediate a = m0.TestCompareRegister a')) ∧
(∀a' a. ¬(m0.Move a = m0.Register a')) ∧
(∀a' a. ¬(m0.Move a = m0.ShiftImmediate a')) ∧
(∀a' a. ¬(m0.Move a = m0.ShiftRegister a')) ∧
(∀a' a. ¬(m0.Move a = m0.TestCompareRegister a')) ∧
(∀a' a. ¬(m0.Register a = m0.ShiftImmediate a')) ∧
(∀a' a. ¬(m0.Register a = m0.ShiftRegister a')) ∧
(∀a' a. ¬(m0.Register a = m0.TestCompareRegister a')) ∧
(∀a' a. ¬(m0.ShiftImmediate a = m0.ShiftRegister a')) ∧
(∀a' a. ¬(m0.ShiftImmediate a = m0.TestCompareRegister a')) ∧
∀a' a. ¬(m0.ShiftRegister a = m0.TestCompareRegister a')
⊦ ∀SYSm n.
m0.dfn'MoveToSpecialRegister (SYSm, n) =
λstate.
bool.LET
(λv.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 1)) s)
(m0.IncPC ()
(bool.literal_case
(λv1.
if v1 = words.n2w 0 then
if ¬words.word_bit (arithmetic.BIT2 0) SYSm then
m0.m0_state_PSR_fupd
(const
(m0.write'reg'PSR
(m0.m0_state_PSR state,
words.bit_field_insert 31
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0))))
(words.word_extract 31
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))) v)
(m0.reg'PSR
(m0.m0_state_PSR state))))) state
else state
else if v1 = words.n2w 1 then
if m0.CurrentModeIsPrivileged () state then
bool.literal_case
(λv1.
if v1 = words.n2w 0 then
m0.write'SP_main
(words.word_concat
(words.word_extract 31
(arithmetic.BIT2 0) v)
(words.n2w 0)) state
else if v1 = words.n2w 1 then
m0.write'SP_process
(words.word_concat
(words.word_extract 31
(arithmetic.BIT2 0) v)
(words.n2w 0)) state
else state)
(words.word_extract (arithmetic.BIT2 0) 0 SYSm)
else state
else if v1 = words.n2w (arithmetic.BIT2 0) then
if m0.CurrentModeIsPrivileged () state then
bool.literal_case
(λv1.
if v1 = words.n2w 0 then
m0.m0_state_PRIMASK_fupd
(const
(m0.PRIMASK_PM_fupd
(const (words.word_bit 0 v))
(m0.m0_state_PRIMASK state)))
state
else if v1 = words.n2w (arithmetic.BIT2 1)
then
if m0.m0_state_CurrentMode state =
m0.Mode_Thread
then
bool.LET
(λs.
m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_nPRIV_fupd
(const
(words.word_bit 0 v))
(m0.m0_state_CONTROL s)))
s)
(m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_SPSEL_fupd
(const (words.word_bit 1 v))
(m0.m0_state_CONTROL state)))
state)
else state
else state)
(words.word_extract (arithmetic.BIT2 0) 0 SYSm)
else state
else state) (words.word_extract 7 3 SYSm))))
(m0.R n state)
⊦ ∀A1 C01 C1 M1 f21 f11 f01 P01 P1 f1 S01 S1 c01 n1 e1 c1 o1 A2 C02 C2 M2
f22 f12 f02 P02 P2 f2 S02 S2 c02 n2 e2 c2 o2.
m0.m0_state_AIRCR_fupd (const A1)
(m0.m0_state_CCR_fupd (const C01)
(m0.m0_state_CONTROL_fupd (const C1)
(m0.m0_state_CurrentMode_fupd (const M1)
(m0.m0_state_ExceptionActive_fupd (const f21)
(m0.m0_state_MEM_fupd (const f11)
(m0.m0_state_NVIC_IPR_fupd (const f01)
(m0.m0_state_PRIMASK_fupd (const P01)
(m0.m0_state_PSR_fupd (const P1)
(m0.m0_state_REG_fupd (const f1)
(m0.m0_state_SHPR2_fupd (const S01)
(m0.m0_state_SHPR3_fupd (const S1)
(m0.m0_state_VTOR_fupd (const c01)
(m0.m0_state_count_fupd
(const n1)
(m0.m0_state_exception_fupd
(const e1)
(m0.m0_state_pcinc_fupd
(const c1)
(m0.m0_state_pending_fupd
(const o1)
bool.ARB)))))))))))))))) =
m0.m0_state_AIRCR_fupd (const A2)
(m0.m0_state_CCR_fupd (const C02)
(m0.m0_state_CONTROL_fupd (const C2)
(m0.m0_state_CurrentMode_fupd (const M2)
(m0.m0_state_ExceptionActive_fupd (const f22)
(m0.m0_state_MEM_fupd (const f12)
(m0.m0_state_NVIC_IPR_fupd (const f02)
(m0.m0_state_PRIMASK_fupd (const P02)
(m0.m0_state_PSR_fupd (const P2)
(m0.m0_state_REG_fupd (const f2)
(m0.m0_state_SHPR2_fupd (const S02)
(m0.m0_state_SHPR3_fupd (const S2)
(m0.m0_state_VTOR_fupd (const c02)
(m0.m0_state_count_fupd
(const n2)
(m0.m0_state_exception_fupd
(const e2)
(m0.m0_state_pcinc_fupd
(const c2)
(m0.m0_state_pending_fupd
(const o2)
bool.ARB)))))))))))))))) ⇔
A1 = A2 ∧ C01 = C02 ∧ C1 = C2 ∧ M1 = M2 ∧ f21 = f22 ∧ f11 = f12 ∧
f01 = f02 ∧ P01 = P02 ∧ P1 = P2 ∧ f1 = f2 ∧ S01 = S02 ∧ S1 = S2 ∧
c01 = c02 ∧ n1 = n2 ∧ e1 = e2 ∧ c1 = c2 ∧ o1 = o2
⊦ (∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.Breakpoint a) f f1 f2 f3 f4 f5 f6 f7 = f a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.DataMemoryBarrier a) f f1 f2 f3 f4 f5 f6 f7 = f1 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.DataSynchronizationBarrier a) f f1 f2 f3 f4 f5 f6
f7 = f2 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.InstructionSynchronizationBarrier a) f f1 f2 f3 f4 f5
f6 f7 = f3 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.SendEvent a) f f1 f2 f3 f4 f5 f6 f7 = f4 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.WaitForEvent a) f f1 f2 f3 f4 f5 f6 f7 = f5 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.WaitForInterrupt a) f f1 f2 f3 f4 f5 f6 f7 = f6 a) ∧
∀a f f1 f2 f3 f4 f5 f6 f7.
m0.Hint_CASE (m0.Yield a) f f1 f2 f3 f4 f5 f6 f7 = f7 a
⊦ ∀value n.
m0.write'R (value, n) =
λstate.
if n = words.n2w 15 then
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1 (bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2 (bit1 (arithmetic.BIT2 0))))) ::
[])) state)
else if n =
words.n2w
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then
m0.m0_state_REG_fupd
(const (combin.UPDATE m0.RName_LR value (m0.m0_state_REG state)))
state
else if n = words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then
m0.m0_state_REG_fupd
(const
(combin.UPDATE (m0.LookUpSP () state)
(words.word_concat
(words.word_extract 31 (arithmetic.BIT2 0) value)
(words.n2w 0)) (m0.m0_state_REG state))) state
else
m0.m0_state_REG_fupd
(const
(combin.UPDATE (m0.num2RName (words.w2n n)) value
(m0.m0_state_REG state))) state
⊦ (∀f b c b0 b1 b2 b3 c0.
m0.PSR_C_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR (f b) c b0 b1 b2 b3 c0) ∧
(∀f b c b0 b1 b2 b3 c0.
m0.PSR_ExceptionNumber_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b (f c) b0 b1 b2 b3 c0) ∧
(∀f b c b0 b1 b2 b3 c0.
m0.PSR_N_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c (f b0) b1 b2 b3 c0) ∧
(∀f b c b0 b1 b2 b3 c0.
m0.PSR_T_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 (f b1) b2 b3 c0) ∧
(∀f b c b0 b1 b2 b3 c0.
m0.PSR_V_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 b1 (f b2) b3 c0) ∧
(∀f b c b0 b1 b2 b3 c0.
m0.PSR_Z_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 b1 b2 (f b3) c0) ∧
∀f b c b0 b1 b2 b3 c0.
m0.PSR_psr'rst_fupd f (m0.recordtype.PSR b c b0 b1 b2 b3 c0) =
m0.recordtype.PSR b c b0 b1 b2 b3 (f c0)
⊦ ((∀g f. m0.PSR_C_fupd f ∘ m0.PSR_C_fupd g = m0.PSR_C_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_C_fupd f ∘ (m0.PSR_C_fupd g ∘ h) = m0.PSR_C_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.PSR_ExceptionNumber_fupd f ∘ m0.PSR_ExceptionNumber_fupd g =
m0.PSR_ExceptionNumber_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_ExceptionNumber_fupd f ∘ (m0.PSR_ExceptionNumber_fupd g ∘ h) =
m0.PSR_ExceptionNumber_fupd (f ∘ g) ∘ h) ∧
((∀g f. m0.PSR_N_fupd f ∘ m0.PSR_N_fupd g = m0.PSR_N_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_N_fupd f ∘ (m0.PSR_N_fupd g ∘ h) = m0.PSR_N_fupd (f ∘ g) ∘ h) ∧
((∀g f. m0.PSR_T_fupd f ∘ m0.PSR_T_fupd g = m0.PSR_T_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_T_fupd f ∘ (m0.PSR_T_fupd g ∘ h) = m0.PSR_T_fupd (f ∘ g) ∘ h) ∧
((∀g f. m0.PSR_V_fupd f ∘ m0.PSR_V_fupd g = m0.PSR_V_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_V_fupd f ∘ (m0.PSR_V_fupd g ∘ h) = m0.PSR_V_fupd (f ∘ g) ∘ h) ∧
((∀g f. m0.PSR_Z_fupd f ∘ m0.PSR_Z_fupd g = m0.PSR_Z_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_Z_fupd f ∘ (m0.PSR_Z_fupd g ∘ h) = m0.PSR_Z_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_psr'rst_fupd g =
m0.PSR_psr'rst_fupd (f ∘ g)) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_psr'rst_fupd g ∘ h) =
m0.PSR_psr'rst_fupd (f ∘ g) ∘ h
⊦ ∀SYSm d.
m0.dfn'MoveToRegisterFromSpecial (SYSm, d) =
λstate.
bool.LET
(λs.
bool.LET
(λs.
m0.m0_state_count_fupd
(const (m0.m0_state_count s + arithmetic.BIT2 1)) s)
(m0.IncPC ()
(bool.literal_case
(λv.
if v = words.n2w 0 then
bool.LET
(λs.
bool.LET
(λs.
if ¬words.word_bit (arithmetic.BIT2 0)
SYSm
then
m0.write'R
(words.bit_field_insert 31
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0))))
(words.word_extract 31
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0))))
(m0.reg'PSR
(m0.m0_state_PSR s)))
(m0.R d s), d) s
else s)
(if words.word_bit 1 SYSm then
m0.write'R
(words.bit_field_insert
(arithmetic.BIT2
(bit1
(bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2
(bit1
(bit1 (arithmetic.BIT2 0))))
(words.n2w 0) (m0.R d s), d) s
else s))
(if words.word_bit 0 SYSm then
m0.write'R
(words.bit_field_insert (arithmetic.BIT2 3)
0
(words.word_extract (arithmetic.BIT2 3) 0
(m0.reg'PSR (m0.m0_state_PSR s)))
(m0.R d s), d) s
else s)
else if v = words.n2w 1 then
bool.literal_case
(λv.
if v = words.n2w 0 then
m0.write'R (m0.SP_main s, d) s
else if v = words.n2w 1 then
m0.write'R (m0.SP_process s, d) s
else s)
(words.word_extract (arithmetic.BIT2 0) 0 SYSm)
else if v = words.n2w (arithmetic.BIT2 0) then
bool.literal_case
(λv.
if v = words.n2w 0 then
m0.write'R
(words.bit_field_insert 0 0
(bitstring.v2w
(m0.PRIMASK_PM
(m0.m0_state_PRIMASK s) :: []))
(m0.R d s), d) s
else if v = words.n2w (arithmetic.BIT2 1) then
m0.write'R
(words.bit_field_insert 1 0
(words.word_extract 1 0
(m0.reg'CONTROL
(m0.m0_state_CONTROL s)))
(m0.R d s), d) s
else s)
(words.word_extract (arithmetic.BIT2 0) 0 SYSm)
else s) (words.word_extract 7 3 SYSm))))
(m0.write'R (words.n2w 0, d) state)
⊦ ∀opc a b c.
m0.DataProcessingALU (opc, a, b, c) =
bool.literal_case
(λv.
if v = words.n2w 0 then (words.word_and a b, c, bool.ARB)
else if v = words.n2w (arithmetic.BIT2 3) then
(words.word_and a b, c, bool.ARB)
else if v = words.n2w 1 then (words.word_xor a b, c, bool.ARB)
else if v = words.n2w (bit1 (arithmetic.BIT2 1)) then
(words.word_xor a b, c, bool.ARB)
else if v = words.n2w (arithmetic.BIT2 0) then
m0.AddWithCarry (a, words.word_1comp b, ⊤)
else if v = words.n2w (arithmetic.BIT2 (arithmetic.BIT2 1)) then
m0.AddWithCarry (a, words.word_1comp b, ⊤)
else if v = words.n2w 3 then
m0.AddWithCarry (words.word_1comp a, b, ⊤)
else if v = words.n2w (arithmetic.BIT2 1) then
m0.AddWithCarry (a, b, ⊥)
else if v = words.n2w (bit1 (bit1 (arithmetic.BIT2 0))) then
m0.AddWithCarry (a, b, ⊥)
else if v = words.n2w (bit1 (arithmetic.BIT2 0)) then
m0.AddWithCarry (a, b, c)
else if v = words.n2w (arithmetic.BIT2 (arithmetic.BIT2 0)) then
m0.AddWithCarry (a, words.word_1comp b, c)
else if v = words.n2w 7 then
m0.AddWithCarry (words.word_1comp a, b, c)
else if v = words.n2w (arithmetic.BIT2 (bit1 (arithmetic.BIT2 0)))
then (words.word_or a b, c, bool.ARB)
else if v = words.n2w (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then (b, c, bool.ARB)
else if v =
words.n2w
(arithmetic.BIT2 (arithmetic.BIT2 (arithmetic.BIT2 0)))
then (words.word_and a (words.word_1comp b), c, bool.ARB)
else if v = words.n2w 15 then (words.word_1comp b, c, bool.ARB)
else bool.ARB) opc
⊦ ∀mc s.
m0.DECODE_UNPREDICTABLE (mc, s) =
λstate.
snd
(m0.raise'exception
(m0.UNPREDICTABLE
((string.CHR (arithmetic.BIT2 (bit1 (arithmetic.BIT2 7))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) :: []) @
m0.MachineCode_CASE mc
(λopc.
bitstring.v2s (bitstring.w2v opc) @
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) :: [])
(λv1.
pair.pair_CASE v1
(λopc1 opc2.
bitstring.v2s (bitstring.w2v opc1) @
(string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) :: []) @
bitstring.v2s (bitstring.w2v opc2) @
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) :: [])) @ s))
state)
⊦ (∀a' a. ¬(m0.Breakpoint a = m0.DataMemoryBarrier a')) ∧
(∀a' a. ¬(m0.Breakpoint a = m0.DataSynchronizationBarrier a')) ∧
(∀a' a. ¬(m0.Breakpoint a = m0.InstructionSynchronizationBarrier a')) ∧
(∀a' a. ¬(m0.Breakpoint a = m0.SendEvent a')) ∧
(∀a' a. ¬(m0.Breakpoint a = m0.WaitForEvent a')) ∧
(∀a' a. ¬(m0.Breakpoint a = m0.WaitForInterrupt a')) ∧
(∀a' a. ¬(m0.Breakpoint a = m0.Yield a')) ∧
(∀a' a. ¬(m0.DataMemoryBarrier a = m0.DataSynchronizationBarrier a')) ∧
(∀a' a.
¬(m0.DataMemoryBarrier a = m0.InstructionSynchronizationBarrier a')) ∧
(∀a' a. ¬(m0.DataMemoryBarrier a = m0.SendEvent a')) ∧
(∀a' a. ¬(m0.DataMemoryBarrier a = m0.WaitForEvent a')) ∧
(∀a' a. ¬(m0.DataMemoryBarrier a = m0.WaitForInterrupt a')) ∧
(∀a' a. ¬(m0.DataMemoryBarrier a = m0.Yield a')) ∧
(∀a' a.
¬(m0.DataSynchronizationBarrier a =
m0.InstructionSynchronizationBarrier a')) ∧
(∀a' a. ¬(m0.DataSynchronizationBarrier a = m0.SendEvent a')) ∧
(∀a' a. ¬(m0.DataSynchronizationBarrier a = m0.WaitForEvent a')) ∧
(∀a' a. ¬(m0.DataSynchronizationBarrier a = m0.WaitForInterrupt a')) ∧
(∀a' a. ¬(m0.DataSynchronizationBarrier a = m0.Yield a')) ∧
(∀a' a. ¬(m0.InstructionSynchronizationBarrier a = m0.SendEvent a')) ∧
(∀a' a. ¬(m0.InstructionSynchronizationBarrier a = m0.WaitForEvent a')) ∧
(∀a' a.
¬(m0.InstructionSynchronizationBarrier a = m0.WaitForInterrupt a')) ∧
(∀a' a. ¬(m0.InstructionSynchronizationBarrier a = m0.Yield a')) ∧
(∀a' a. ¬(m0.SendEvent a = m0.WaitForEvent a')) ∧
(∀a' a. ¬(m0.SendEvent a = m0.WaitForInterrupt a')) ∧
(∀a' a. ¬(m0.SendEvent a = m0.Yield a')) ∧
(∀a' a. ¬(m0.WaitForEvent a = m0.WaitForInterrupt a')) ∧
(∀a' a. ¬(m0.WaitForEvent a = m0.Yield a')) ∧
∀a' a. ¬(m0.WaitForInterrupt a = m0.Yield a')
⊦ (∀f A.
m0.AIRCR_ENDIANNESS (m0.AIRCR_SYSRESETREQ_fupd f A) ⇔
m0.AIRCR_ENDIANNESS A) ∧
(∀f A.
m0.AIRCR_ENDIANNESS (m0.AIRCR_VECTCLRACTIVE_fupd f A) ⇔
m0.AIRCR_ENDIANNESS A) ∧
(∀f A.
m0.AIRCR_ENDIANNESS (m0.AIRCR_VECTKEY_fupd f A) ⇔
m0.AIRCR_ENDIANNESS A) ∧
(∀f A.
m0.AIRCR_ENDIANNESS (m0.AIRCR_aircr'rst_fupd f A) ⇔
m0.AIRCR_ENDIANNESS A) ∧
(∀f A.
m0.AIRCR_SYSRESETREQ (m0.AIRCR_ENDIANNESS_fupd f A) ⇔
m0.AIRCR_SYSRESETREQ A) ∧
(∀f A.
m0.AIRCR_SYSRESETREQ (m0.AIRCR_VECTCLRACTIVE_fupd f A) ⇔
m0.AIRCR_SYSRESETREQ A) ∧
(∀f A.
m0.AIRCR_SYSRESETREQ (m0.AIRCR_VECTKEY_fupd f A) ⇔
m0.AIRCR_SYSRESETREQ A) ∧
(∀f A.
m0.AIRCR_SYSRESETREQ (m0.AIRCR_aircr'rst_fupd f A) ⇔
m0.AIRCR_SYSRESETREQ A) ∧
(∀f A.
m0.AIRCR_VECTCLRACTIVE (m0.AIRCR_ENDIANNESS_fupd f A) ⇔
m0.AIRCR_VECTCLRACTIVE A) ∧
(∀f A.
m0.AIRCR_VECTCLRACTIVE (m0.AIRCR_SYSRESETREQ_fupd f A) ⇔
m0.AIRCR_VECTCLRACTIVE A) ∧
(∀f A.
m0.AIRCR_VECTCLRACTIVE (m0.AIRCR_VECTKEY_fupd f A) ⇔
m0.AIRCR_VECTCLRACTIVE A) ∧
(∀f A.
m0.AIRCR_VECTCLRACTIVE (m0.AIRCR_aircr'rst_fupd f A) ⇔
m0.AIRCR_VECTCLRACTIVE A) ∧
(∀f A.
m0.AIRCR_VECTKEY (m0.AIRCR_ENDIANNESS_fupd f A) =
m0.AIRCR_VECTKEY A) ∧
(∀f A.
m0.AIRCR_VECTKEY (m0.AIRCR_SYSRESETREQ_fupd f A) =
m0.AIRCR_VECTKEY A) ∧
(∀f A.
m0.AIRCR_VECTKEY (m0.AIRCR_VECTCLRACTIVE_fupd f A) =
m0.AIRCR_VECTKEY A) ∧
(∀f A.
m0.AIRCR_VECTKEY (m0.AIRCR_aircr'rst_fupd f A) = m0.AIRCR_VECTKEY A) ∧
(∀f A.
m0.AIRCR_aircr'rst (m0.AIRCR_ENDIANNESS_fupd f A) =
m0.AIRCR_aircr'rst A) ∧
(∀f A.
m0.AIRCR_aircr'rst (m0.AIRCR_SYSRESETREQ_fupd f A) =
m0.AIRCR_aircr'rst A) ∧
(∀f A.
m0.AIRCR_aircr'rst (m0.AIRCR_VECTCLRACTIVE_fupd f A) =
m0.AIRCR_aircr'rst A) ∧
(∀f A.
m0.AIRCR_aircr'rst (m0.AIRCR_VECTKEY_fupd f A) =
m0.AIRCR_aircr'rst A) ∧
(∀f A.
m0.AIRCR_ENDIANNESS (m0.AIRCR_ENDIANNESS_fupd f A) ⇔
f (m0.AIRCR_ENDIANNESS A)) ∧
(∀f A.
m0.AIRCR_SYSRESETREQ (m0.AIRCR_SYSRESETREQ_fupd f A) ⇔
f (m0.AIRCR_SYSRESETREQ A)) ∧
(∀f A.
m0.AIRCR_VECTCLRACTIVE (m0.AIRCR_VECTCLRACTIVE_fupd f A) ⇔
f (m0.AIRCR_VECTCLRACTIVE A)) ∧
(∀f A.
m0.AIRCR_VECTKEY (m0.AIRCR_VECTKEY_fupd f A) =
f (m0.AIRCR_VECTKEY A)) ∧
∀f A.
m0.AIRCR_aircr'rst (m0.AIRCR_aircr'rst_fupd f A) =
f (m0.AIRCR_aircr'rst A)
⊦ (∀f I. m0.IPR_PRI_N0 (m0.IPR_PRI_N1_fupd f I) = m0.IPR_PRI_N0 I) ∧
(∀f I. m0.IPR_PRI_N0 (m0.IPR_PRI_N2_fupd f I) = m0.IPR_PRI_N0 I) ∧
(∀f I. m0.IPR_PRI_N0 (m0.IPR_PRI_N3_fupd f I) = m0.IPR_PRI_N0 I) ∧
(∀f I. m0.IPR_PRI_N0 (m0.IPR_ipr'rst_fupd f I) = m0.IPR_PRI_N0 I) ∧
(∀f I. m0.IPR_PRI_N1 (m0.IPR_PRI_N0_fupd f I) = m0.IPR_PRI_N1 I) ∧
(∀f I. m0.IPR_PRI_N1 (m0.IPR_PRI_N2_fupd f I) = m0.IPR_PRI_N1 I) ∧
(∀f I. m0.IPR_PRI_N1 (m0.IPR_PRI_N3_fupd f I) = m0.IPR_PRI_N1 I) ∧
(∀f I. m0.IPR_PRI_N1 (m0.IPR_ipr'rst_fupd f I) = m0.IPR_PRI_N1 I) ∧
(∀f I. m0.IPR_PRI_N2 (m0.IPR_PRI_N0_fupd f I) = m0.IPR_PRI_N2 I) ∧
(∀f I. m0.IPR_PRI_N2 (m0.IPR_PRI_N1_fupd f I) = m0.IPR_PRI_N2 I) ∧
(∀f I. m0.IPR_PRI_N2 (m0.IPR_PRI_N3_fupd f I) = m0.IPR_PRI_N2 I) ∧
(∀f I. m0.IPR_PRI_N2 (m0.IPR_ipr'rst_fupd f I) = m0.IPR_PRI_N2 I) ∧
(∀f I. m0.IPR_PRI_N3 (m0.IPR_PRI_N0_fupd f I) = m0.IPR_PRI_N3 I) ∧
(∀f I. m0.IPR_PRI_N3 (m0.IPR_PRI_N1_fupd f I) = m0.IPR_PRI_N3 I) ∧
(∀f I. m0.IPR_PRI_N3 (m0.IPR_PRI_N2_fupd f I) = m0.IPR_PRI_N3 I) ∧
(∀f I. m0.IPR_PRI_N3 (m0.IPR_ipr'rst_fupd f I) = m0.IPR_PRI_N3 I) ∧
(∀f I. m0.IPR_ipr'rst (m0.IPR_PRI_N0_fupd f I) = m0.IPR_ipr'rst I) ∧
(∀f I. m0.IPR_ipr'rst (m0.IPR_PRI_N1_fupd f I) = m0.IPR_ipr'rst I) ∧
(∀f I. m0.IPR_ipr'rst (m0.IPR_PRI_N2_fupd f I) = m0.IPR_ipr'rst I) ∧
(∀f I. m0.IPR_ipr'rst (m0.IPR_PRI_N3_fupd f I) = m0.IPR_ipr'rst I) ∧
(∀f I. m0.IPR_PRI_N0 (m0.IPR_PRI_N0_fupd f I) = f (m0.IPR_PRI_N0 I)) ∧
(∀f I. m0.IPR_PRI_N1 (m0.IPR_PRI_N1_fupd f I) = f (m0.IPR_PRI_N1 I)) ∧
(∀f I. m0.IPR_PRI_N2 (m0.IPR_PRI_N2_fupd f I) = f (m0.IPR_PRI_N2 I)) ∧
(∀f I. m0.IPR_PRI_N3 (m0.IPR_PRI_N3_fupd f I) = f (m0.IPR_PRI_N3 I)) ∧
∀f I. m0.IPR_ipr'rst (m0.IPR_ipr'rst_fupd f I) = f (m0.IPR_ipr'rst I)
⊦ (∀m g f.
m0.m0_state_AIRCR_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_CCR_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_CONTROL_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_CurrentMode_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_ExceptionActive_fupd f
(m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_MEM_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_SHPR3_fupd g m) =
m0.m0_state_SHPR3_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_VTOR_fupd g m) =
m0.m0_state_VTOR_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_count_fupd g m) =
m0.m0_state_count_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_exception_fupd g m) =
m0.m0_state_exception_fupd (f ∘ g) m) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_pcinc_fupd g m) =
m0.m0_state_pcinc_fupd (f ∘ g) m) ∧
∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_pending_fupd g m) =
m0.m0_state_pending_fupd (f ∘ g) m
⊦ ∀address size.
m0.mem (address, size) =
λstate.
bool.literal_case
(λv.
if v = 1 then
(bitstring.field 7 0
(m0.mem1 (words.word_add address (words.n2w 0)) state),
state)
else if v = arithmetic.BIT2 0 then
(bitstring.field 15 0
(m0.mem1 (words.word_add address (words.n2w 1)) state @
m0.mem1 (words.word_add address (words.n2w 0)) state),
state)
else if v = arithmetic.BIT2 1 then
(bitstring.field 31 0
(m0.mem1 (words.word_add address (words.n2w 3)) state @
m0.mem1
(words.word_add address (words.n2w (arithmetic.BIT2 0)))
state @
m0.mem1 (words.word_add address (words.n2w 1)) state @
m0.mem1 (words.word_add address (words.n2w 0)) state),
state)
else
m0.raise'exception
(m0.ASSERT
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) :: [])) state)
size
⊦ ∀frameptr EXC_RETURN.
m0.PopStack (frameptr, EXC_RETURN) =
λstate.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λspmask.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
m0.m0_state_PSR_fupd
(const
(m0.write'reg'PSR
(m0.m0_state_PSR
s,
words.bit_field_insert
(bit1
(arithmetic.BIT2
0))
0
(words.word_extract
(bit1
(arithmetic.BIT2
0))
0
v)
(m0.reg'PSR
(m0.m0_state_PSR
s)))))
s)
(m0.m0_state_PSR_fupd
(const
(m0.write'reg'PSR
(m0.m0_state_PSR
s,
words.bit_field_insert
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0))))
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0))))
(bitstring.v2w
(words.word_bit
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0))))
v ::
[]))
(m0.reg'PSR
(m0.m0_state_PSR
s)))))
s))
(m0.m0_state_PSR_fupd
(const
(m0.write'reg'PSR
(m0.m0_state_PSR
s,
words.bit_field_insert
31
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))))
(words.word_extract
31
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))))
v)
(m0.reg'PSR
(m0.m0_state_PSR
s)))))
s))
(bool.LET
(pair.UNCURRY
(λb'3.
pair.UNCURRY
(λb'2.
pair.UNCURRY
(λb'1
b'0.
if ¬b'1 ∧
b'0
then
if ¬b'2
then
m0.write'SP_main
(words.word_or
(words.word_add
(m0.SP_main
s)
(words.n2w
(arithmetic.BIT2
15)))
spmask)
s
else if b'3 ∧
b'2
then
m0.write'SP_process
(words.word_or
(words.word_add
(m0.SP_process
s)
(words.n2w
(arithmetic.BIT2
15)))
spmask)
s
else
s
else
s))))
(m0.boolify4
(words.word_extract
3
0
EXC_RETURN))))
(words.w2w
(words.word_concat
(words.word_extract
(bit1
(arithmetic.BIT2
1))
(bit1
(arithmetic.BIT2
1))
v)
(words.n2w
0)))))
(m0.MemA
(words.word_add
frameptr
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))))),
arithmetic.BIT2
1)
(m0.write'PC
v
s))))
(m0.MemA
(words.word_add
frameptr
(words.n2w
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0))))),
arithmetic.BIT2
1)
(m0.write'LR v
s))))
(m0.MemA
(words.word_add frameptr
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1)))),
arithmetic.BIT2 1)
(m0.write'R
(v,
words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0))))
s))))
(m0.MemA
(words.word_add frameptr
(words.n2w
(arithmetic.BIT2 7)),
arithmetic.BIT2 1)
(m0.write'R (v, words.n2w 3)
s))))
(m0.MemA
(words.word_add frameptr
(words.n2w
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))),
arithmetic.BIT2 1)
(m0.write'R
(v, words.n2w (arithmetic.BIT2 0))
s))))
(m0.MemA
(words.word_add frameptr
(words.n2w (arithmetic.BIT2 3)),
arithmetic.BIT2 1)
(m0.write'R (v, words.n2w 1) s))))
(m0.MemA
(words.word_add frameptr
(words.n2w (arithmetic.BIT2 1)), arithmetic.BIT2 1)
(m0.write'R (v, words.n2w 0) s))))
(m0.MemA (frameptr, arithmetic.BIT2 1) state)
⊦ (∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Branch a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Data a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 = f1 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Hint a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 = f2 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Load a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 = f3 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Media a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f4 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Multiply a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f5 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.NoOperation a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f6 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Store a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f7 a) ∧
(∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.System a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f8 a) ∧
∀a f f1 f2 f3 f4 f5 f6 f7 f8 f9.
m0.instruction_CASE (m0.Undefined a) f f1 f2 f3 f4 f5 f6 f7 f8 f9 =
f9 a
⊦ (∀g f P.
m0.PSR_ExceptionNumber_fupd f (m0.PSR_C_fupd g P) =
m0.PSR_C_fupd g (m0.PSR_ExceptionNumber_fupd f P)) ∧
(∀g f P.
m0.PSR_N_fupd f (m0.PSR_C_fupd g P) =
m0.PSR_C_fupd g (m0.PSR_N_fupd f P)) ∧
(∀g f P.
m0.PSR_N_fupd f (m0.PSR_ExceptionNumber_fupd g P) =
m0.PSR_ExceptionNumber_fupd g (m0.PSR_N_fupd f P)) ∧
(∀g f P.
m0.PSR_T_fupd f (m0.PSR_C_fupd g P) =
m0.PSR_C_fupd g (m0.PSR_T_fupd f P)) ∧
(∀g f P.
m0.PSR_T_fupd f (m0.PSR_ExceptionNumber_fupd g P) =
m0.PSR_ExceptionNumber_fupd g (m0.PSR_T_fupd f P)) ∧
(∀g f P.
m0.PSR_T_fupd f (m0.PSR_N_fupd g P) =
m0.PSR_N_fupd g (m0.PSR_T_fupd f P)) ∧
(∀g f P.
m0.PSR_V_fupd f (m0.PSR_C_fupd g P) =
m0.PSR_C_fupd g (m0.PSR_V_fupd f P)) ∧
(∀g f P.
m0.PSR_V_fupd f (m0.PSR_ExceptionNumber_fupd g P) =
m0.PSR_ExceptionNumber_fupd g (m0.PSR_V_fupd f P)) ∧
(∀g f P.
m0.PSR_V_fupd f (m0.PSR_N_fupd g P) =
m0.PSR_N_fupd g (m0.PSR_V_fupd f P)) ∧
(∀g f P.
m0.PSR_V_fupd f (m0.PSR_T_fupd g P) =
m0.PSR_T_fupd g (m0.PSR_V_fupd f P)) ∧
(∀g f P.
m0.PSR_Z_fupd f (m0.PSR_C_fupd g P) =
m0.PSR_C_fupd g (m0.PSR_Z_fupd f P)) ∧
(∀g f P.
m0.PSR_Z_fupd f (m0.PSR_ExceptionNumber_fupd g P) =
m0.PSR_ExceptionNumber_fupd g (m0.PSR_Z_fupd f P)) ∧
(∀g f P.
m0.PSR_Z_fupd f (m0.PSR_N_fupd g P) =
m0.PSR_N_fupd g (m0.PSR_Z_fupd f P)) ∧
(∀g f P.
m0.PSR_Z_fupd f (m0.PSR_T_fupd g P) =
m0.PSR_T_fupd g (m0.PSR_Z_fupd f P)) ∧
(∀g f P.
m0.PSR_Z_fupd f (m0.PSR_V_fupd g P) =
m0.PSR_V_fupd g (m0.PSR_Z_fupd f P)) ∧
(∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_C_fupd g P) =
m0.PSR_C_fupd g (m0.PSR_psr'rst_fupd f P)) ∧
(∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_ExceptionNumber_fupd g P) =
m0.PSR_ExceptionNumber_fupd g (m0.PSR_psr'rst_fupd f P)) ∧
(∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_N_fupd g P) =
m0.PSR_N_fupd g (m0.PSR_psr'rst_fupd f P)) ∧
(∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_T_fupd g P) =
m0.PSR_T_fupd g (m0.PSR_psr'rst_fupd f P)) ∧
(∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_V_fupd g P) =
m0.PSR_V_fupd g (m0.PSR_psr'rst_fupd f P)) ∧
∀g f P.
m0.PSR_psr'rst_fupd f (m0.PSR_Z_fupd g P) =
m0.PSR_Z_fupd g (m0.PSR_psr'rst_fupd f P)
⊦ ((∀g f.
m0.AIRCR_SYSRESETREQ_fupd f ∘ m0.AIRCR_ENDIANNESS_fupd g =
m0.AIRCR_ENDIANNESS_fupd g ∘ m0.AIRCR_SYSRESETREQ_fupd f) ∧
∀h g f.
m0.AIRCR_SYSRESETREQ_fupd f ∘ (m0.AIRCR_ENDIANNESS_fupd g ∘ h) =
m0.AIRCR_ENDIANNESS_fupd g ∘ (m0.AIRCR_SYSRESETREQ_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_VECTCLRACTIVE_fupd f ∘ m0.AIRCR_ENDIANNESS_fupd g =
m0.AIRCR_ENDIANNESS_fupd g ∘ m0.AIRCR_VECTCLRACTIVE_fupd f) ∧
∀h g f.
m0.AIRCR_VECTCLRACTIVE_fupd f ∘ (m0.AIRCR_ENDIANNESS_fupd g ∘ h) =
m0.AIRCR_ENDIANNESS_fupd g ∘ (m0.AIRCR_VECTCLRACTIVE_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_VECTCLRACTIVE_fupd f ∘ m0.AIRCR_SYSRESETREQ_fupd g =
m0.AIRCR_SYSRESETREQ_fupd g ∘ m0.AIRCR_VECTCLRACTIVE_fupd f) ∧
∀h g f.
m0.AIRCR_VECTCLRACTIVE_fupd f ∘ (m0.AIRCR_SYSRESETREQ_fupd g ∘ h) =
m0.AIRCR_SYSRESETREQ_fupd g ∘ (m0.AIRCR_VECTCLRACTIVE_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_VECTKEY_fupd f ∘ m0.AIRCR_ENDIANNESS_fupd g =
m0.AIRCR_ENDIANNESS_fupd g ∘ m0.AIRCR_VECTKEY_fupd f) ∧
∀h g f.
m0.AIRCR_VECTKEY_fupd f ∘ (m0.AIRCR_ENDIANNESS_fupd g ∘ h) =
m0.AIRCR_ENDIANNESS_fupd g ∘ (m0.AIRCR_VECTKEY_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_VECTKEY_fupd f ∘ m0.AIRCR_SYSRESETREQ_fupd g =
m0.AIRCR_SYSRESETREQ_fupd g ∘ m0.AIRCR_VECTKEY_fupd f) ∧
∀h g f.
m0.AIRCR_VECTKEY_fupd f ∘ (m0.AIRCR_SYSRESETREQ_fupd g ∘ h) =
m0.AIRCR_SYSRESETREQ_fupd g ∘ (m0.AIRCR_VECTKEY_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_VECTKEY_fupd f ∘ m0.AIRCR_VECTCLRACTIVE_fupd g =
m0.AIRCR_VECTCLRACTIVE_fupd g ∘ m0.AIRCR_VECTKEY_fupd f) ∧
∀h g f.
m0.AIRCR_VECTKEY_fupd f ∘ (m0.AIRCR_VECTCLRACTIVE_fupd g ∘ h) =
m0.AIRCR_VECTCLRACTIVE_fupd g ∘ (m0.AIRCR_VECTKEY_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_aircr'rst_fupd f ∘ m0.AIRCR_ENDIANNESS_fupd g =
m0.AIRCR_ENDIANNESS_fupd g ∘ m0.AIRCR_aircr'rst_fupd f) ∧
∀h g f.
m0.AIRCR_aircr'rst_fupd f ∘ (m0.AIRCR_ENDIANNESS_fupd g ∘ h) =
m0.AIRCR_ENDIANNESS_fupd g ∘ (m0.AIRCR_aircr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_aircr'rst_fupd f ∘ m0.AIRCR_SYSRESETREQ_fupd g =
m0.AIRCR_SYSRESETREQ_fupd g ∘ m0.AIRCR_aircr'rst_fupd f) ∧
∀h g f.
m0.AIRCR_aircr'rst_fupd f ∘ (m0.AIRCR_SYSRESETREQ_fupd g ∘ h) =
m0.AIRCR_SYSRESETREQ_fupd g ∘ (m0.AIRCR_aircr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.AIRCR_aircr'rst_fupd f ∘ m0.AIRCR_VECTCLRACTIVE_fupd g =
m0.AIRCR_VECTCLRACTIVE_fupd g ∘ m0.AIRCR_aircr'rst_fupd f) ∧
∀h g f.
m0.AIRCR_aircr'rst_fupd f ∘ (m0.AIRCR_VECTCLRACTIVE_fupd g ∘ h) =
m0.AIRCR_VECTCLRACTIVE_fupd g ∘ (m0.AIRCR_aircr'rst_fupd f ∘ h)) ∧
(∀g f.
m0.AIRCR_aircr'rst_fupd f ∘ m0.AIRCR_VECTKEY_fupd g =
m0.AIRCR_VECTKEY_fupd g ∘ m0.AIRCR_aircr'rst_fupd f) ∧
∀h g f.
m0.AIRCR_aircr'rst_fupd f ∘ (m0.AIRCR_VECTKEY_fupd g ∘ h) =
m0.AIRCR_VECTKEY_fupd g ∘ (m0.AIRCR_aircr'rst_fupd f ∘ h)
⊦ ((∀g f.
m0.IPR_PRI_N1_fupd f ∘ m0.IPR_PRI_N0_fupd g =
m0.IPR_PRI_N0_fupd g ∘ m0.IPR_PRI_N1_fupd f) ∧
∀h g f.
m0.IPR_PRI_N1_fupd f ∘ (m0.IPR_PRI_N0_fupd g ∘ h) =
m0.IPR_PRI_N0_fupd g ∘ (m0.IPR_PRI_N1_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_PRI_N2_fupd f ∘ m0.IPR_PRI_N0_fupd g =
m0.IPR_PRI_N0_fupd g ∘ m0.IPR_PRI_N2_fupd f) ∧
∀h g f.
m0.IPR_PRI_N2_fupd f ∘ (m0.IPR_PRI_N0_fupd g ∘ h) =
m0.IPR_PRI_N0_fupd g ∘ (m0.IPR_PRI_N2_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_PRI_N2_fupd f ∘ m0.IPR_PRI_N1_fupd g =
m0.IPR_PRI_N1_fupd g ∘ m0.IPR_PRI_N2_fupd f) ∧
∀h g f.
m0.IPR_PRI_N2_fupd f ∘ (m0.IPR_PRI_N1_fupd g ∘ h) =
m0.IPR_PRI_N1_fupd g ∘ (m0.IPR_PRI_N2_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_PRI_N3_fupd f ∘ m0.IPR_PRI_N0_fupd g =
m0.IPR_PRI_N0_fupd g ∘ m0.IPR_PRI_N3_fupd f) ∧
∀h g f.
m0.IPR_PRI_N3_fupd f ∘ (m0.IPR_PRI_N0_fupd g ∘ h) =
m0.IPR_PRI_N0_fupd g ∘ (m0.IPR_PRI_N3_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_PRI_N3_fupd f ∘ m0.IPR_PRI_N1_fupd g =
m0.IPR_PRI_N1_fupd g ∘ m0.IPR_PRI_N3_fupd f) ∧
∀h g f.
m0.IPR_PRI_N3_fupd f ∘ (m0.IPR_PRI_N1_fupd g ∘ h) =
m0.IPR_PRI_N1_fupd g ∘ (m0.IPR_PRI_N3_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_PRI_N3_fupd f ∘ m0.IPR_PRI_N2_fupd g =
m0.IPR_PRI_N2_fupd g ∘ m0.IPR_PRI_N3_fupd f) ∧
∀h g f.
m0.IPR_PRI_N3_fupd f ∘ (m0.IPR_PRI_N2_fupd g ∘ h) =
m0.IPR_PRI_N2_fupd g ∘ (m0.IPR_PRI_N3_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_ipr'rst_fupd f ∘ m0.IPR_PRI_N0_fupd g =
m0.IPR_PRI_N0_fupd g ∘ m0.IPR_ipr'rst_fupd f) ∧
∀h g f.
m0.IPR_ipr'rst_fupd f ∘ (m0.IPR_PRI_N0_fupd g ∘ h) =
m0.IPR_PRI_N0_fupd g ∘ (m0.IPR_ipr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_ipr'rst_fupd f ∘ m0.IPR_PRI_N1_fupd g =
m0.IPR_PRI_N1_fupd g ∘ m0.IPR_ipr'rst_fupd f) ∧
∀h g f.
m0.IPR_ipr'rst_fupd f ∘ (m0.IPR_PRI_N1_fupd g ∘ h) =
m0.IPR_PRI_N1_fupd g ∘ (m0.IPR_ipr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.IPR_ipr'rst_fupd f ∘ m0.IPR_PRI_N2_fupd g =
m0.IPR_PRI_N2_fupd g ∘ m0.IPR_ipr'rst_fupd f) ∧
∀h g f.
m0.IPR_ipr'rst_fupd f ∘ (m0.IPR_PRI_N2_fupd g ∘ h) =
m0.IPR_PRI_N2_fupd g ∘ (m0.IPR_ipr'rst_fupd f ∘ h)) ∧
(∀g f.
m0.IPR_ipr'rst_fupd f ∘ m0.IPR_PRI_N3_fupd g =
m0.IPR_PRI_N3_fupd g ∘ m0.IPR_ipr'rst_fupd f) ∧
∀h g f.
m0.IPR_ipr'rst_fupd f ∘ (m0.IPR_PRI_N3_fupd g ∘ h) =
m0.IPR_PRI_N3_fupd g ∘ (m0.IPR_ipr'rst_fupd f ∘ h)
⊦ ∀value address size.
m0.write'mem (value, address, size) =
λstate.
bool.literal_case
(λv.
if v = 1 then
m0.m0_state_MEM_fupd
(const
(combin.UPDATE (words.word_add address (words.n2w 0))
(bitstring.v2w (bitstring.field 7 0 value))
(m0.m0_state_MEM state))) state
else if v = arithmetic.BIT2 0 then
bool.LET
(λs.
m0.m0_state_MEM_fupd
(const
(combin.UPDATE
(words.word_add address (words.n2w 1))
(bitstring.v2w
(bitstring.field 15 (arithmetic.BIT2 3)
value)) (m0.m0_state_MEM s))) s)
(m0.m0_state_MEM_fupd
(const
(combin.UPDATE (words.word_add address (words.n2w 0))
(bitstring.v2w (bitstring.field 7 0 value))
(m0.m0_state_MEM state))) state)
else if v = arithmetic.BIT2 1 then
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
m0.m0_state_MEM_fupd
(const
(combin.UPDATE
(words.word_add address (words.n2w 3))
(bitstring.v2w
(bitstring.field 31
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2 0))))
value)) (m0.m0_state_MEM s))) s)
(m0.m0_state_MEM_fupd
(const
(combin.UPDATE
(words.word_add address
(words.n2w (arithmetic.BIT2 0)))
(bitstring.v2w
(bitstring.field
(bit1
(bit1
(bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 7) value))
(m0.m0_state_MEM s))) s))
(m0.m0_state_MEM_fupd
(const
(combin.UPDATE
(words.word_add address (words.n2w 1))
(bitstring.v2w
(bitstring.field 15 (arithmetic.BIT2 3)
value)) (m0.m0_state_MEM s))) s))
(m0.m0_state_MEM_fupd
(const
(combin.UPDATE (words.word_add address (words.n2w 0))
(bitstring.v2w (bitstring.field 7 0 value))
(m0.m0_state_MEM state))) state)
else
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) :: []))
state)) size
⊦ ∀value n.
m0.BigEndianReverse (value, n) =
λstate.
bool.literal_case
(λv.
if v = 1 then (bitstring.field 7 0 value, state)
else if v = arithmetic.BIT2 0 then
(bitstring.field 7 0 value @
bitstring.field 15 (arithmetic.BIT2 3) value, state)
else if v = arithmetic.BIT2 1 then
(bitstring.field 7 0 value @
bitstring.field 15 (arithmetic.BIT2 3) value @
bitstring.field (bit1 (bit1 (bit1 (arithmetic.BIT2 0))))
(arithmetic.BIT2 7) value @
bitstring.field 31
(arithmetic.BIT2 (bit1 (bit1 (arithmetic.BIT2 0)))) value,
state)
else
m0.raise'exception
(m0.ASSERT
(string.CHR (arithmetic.BIT2 (arithmetic.BIT2 15)) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 7))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 1)))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) :: [])) state)
n
⊦ (∀a' a. ¬(m0.Branch a = m0.Data a')) ∧
(∀a' a. ¬(m0.Branch a = m0.Hint a')) ∧
(∀a' a. ¬(m0.Branch a = m0.Load a')) ∧
(∀a' a. ¬(m0.Branch a = m0.Media a')) ∧
(∀a' a. ¬(m0.Branch a = m0.Multiply a')) ∧
(∀a' a. ¬(m0.Branch a = m0.NoOperation a')) ∧
(∀a' a. ¬(m0.Branch a = m0.Store a')) ∧
(∀a' a. ¬(m0.Branch a = m0.System a')) ∧
(∀a' a. ¬(m0.Branch a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.Data a = m0.Hint a')) ∧ (∀a' a. ¬(m0.Data a = m0.Load a')) ∧
(∀a' a. ¬(m0.Data a = m0.Media a')) ∧
(∀a' a. ¬(m0.Data a = m0.Multiply a')) ∧
(∀a' a. ¬(m0.Data a = m0.NoOperation a')) ∧
(∀a' a. ¬(m0.Data a = m0.Store a')) ∧
(∀a' a. ¬(m0.Data a = m0.System a')) ∧
(∀a' a. ¬(m0.Data a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.Hint a = m0.Load a')) ∧
(∀a' a. ¬(m0.Hint a = m0.Media a')) ∧
(∀a' a. ¬(m0.Hint a = m0.Multiply a')) ∧
(∀a' a. ¬(m0.Hint a = m0.NoOperation a')) ∧
(∀a' a. ¬(m0.Hint a = m0.Store a')) ∧
(∀a' a. ¬(m0.Hint a = m0.System a')) ∧
(∀a' a. ¬(m0.Hint a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.Load a = m0.Media a')) ∧
(∀a' a. ¬(m0.Load a = m0.Multiply a')) ∧
(∀a' a. ¬(m0.Load a = m0.NoOperation a')) ∧
(∀a' a. ¬(m0.Load a = m0.Store a')) ∧
(∀a' a. ¬(m0.Load a = m0.System a')) ∧
(∀a' a. ¬(m0.Load a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.Media a = m0.Multiply a')) ∧
(∀a' a. ¬(m0.Media a = m0.NoOperation a')) ∧
(∀a' a. ¬(m0.Media a = m0.Store a')) ∧
(∀a' a. ¬(m0.Media a = m0.System a')) ∧
(∀a' a. ¬(m0.Media a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.Multiply a = m0.NoOperation a')) ∧
(∀a' a. ¬(m0.Multiply a = m0.Store a')) ∧
(∀a' a. ¬(m0.Multiply a = m0.System a')) ∧
(∀a' a. ¬(m0.Multiply a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.NoOperation a = m0.Store a')) ∧
(∀a' a. ¬(m0.NoOperation a = m0.System a')) ∧
(∀a' a. ¬(m0.NoOperation a = m0.Undefined a')) ∧
(∀a' a. ¬(m0.Store a = m0.System a')) ∧
(∀a' a. ¬(m0.Store a = m0.Undefined a')) ∧
∀a' a. ¬(m0.System a = m0.Undefined a')
⊦ (∀f P. m0.PSR_C (m0.PSR_ExceptionNumber_fupd f P) ⇔ m0.PSR_C P) ∧
(∀f P. m0.PSR_C (m0.PSR_N_fupd f P) ⇔ m0.PSR_C P) ∧
(∀f P. m0.PSR_C (m0.PSR_T_fupd f P) ⇔ m0.PSR_C P) ∧
(∀f P. m0.PSR_C (m0.PSR_V_fupd f P) ⇔ m0.PSR_C P) ∧
(∀f P. m0.PSR_C (m0.PSR_Z_fupd f P) ⇔ m0.PSR_C P) ∧
(∀f P. m0.PSR_C (m0.PSR_psr'rst_fupd f P) ⇔ m0.PSR_C P) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_C_fupd f P) =
m0.PSR_ExceptionNumber P) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_N_fupd f P) =
m0.PSR_ExceptionNumber P) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_T_fupd f P) =
m0.PSR_ExceptionNumber P) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_V_fupd f P) =
m0.PSR_ExceptionNumber P) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_Z_fupd f P) =
m0.PSR_ExceptionNumber P) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_psr'rst_fupd f P) =
m0.PSR_ExceptionNumber P) ∧
(∀f P. m0.PSR_N (m0.PSR_C_fupd f P) ⇔ m0.PSR_N P) ∧
(∀f P. m0.PSR_N (m0.PSR_ExceptionNumber_fupd f P) ⇔ m0.PSR_N P) ∧
(∀f P. m0.PSR_N (m0.PSR_T_fupd f P) ⇔ m0.PSR_N P) ∧
(∀f P. m0.PSR_N (m0.PSR_V_fupd f P) ⇔ m0.PSR_N P) ∧
(∀f P. m0.PSR_N (m0.PSR_Z_fupd f P) ⇔ m0.PSR_N P) ∧
(∀f P. m0.PSR_N (m0.PSR_psr'rst_fupd f P) ⇔ m0.PSR_N P) ∧
(∀f P. m0.PSR_T (m0.PSR_C_fupd f P) ⇔ m0.PSR_T P) ∧
(∀f P. m0.PSR_T (m0.PSR_ExceptionNumber_fupd f P) ⇔ m0.PSR_T P) ∧
(∀f P. m0.PSR_T (m0.PSR_N_fupd f P) ⇔ m0.PSR_T P) ∧
(∀f P. m0.PSR_T (m0.PSR_V_fupd f P) ⇔ m0.PSR_T P) ∧
(∀f P. m0.PSR_T (m0.PSR_Z_fupd f P) ⇔ m0.PSR_T P) ∧
(∀f P. m0.PSR_T (m0.PSR_psr'rst_fupd f P) ⇔ m0.PSR_T P) ∧
(∀f P. m0.PSR_V (m0.PSR_C_fupd f P) ⇔ m0.PSR_V P) ∧
(∀f P. m0.PSR_V (m0.PSR_ExceptionNumber_fupd f P) ⇔ m0.PSR_V P) ∧
(∀f P. m0.PSR_V (m0.PSR_N_fupd f P) ⇔ m0.PSR_V P) ∧
(∀f P. m0.PSR_V (m0.PSR_T_fupd f P) ⇔ m0.PSR_V P) ∧
(∀f P. m0.PSR_V (m0.PSR_Z_fupd f P) ⇔ m0.PSR_V P) ∧
(∀f P. m0.PSR_V (m0.PSR_psr'rst_fupd f P) ⇔ m0.PSR_V P) ∧
(∀f P. m0.PSR_Z (m0.PSR_C_fupd f P) ⇔ m0.PSR_Z P) ∧
(∀f P. m0.PSR_Z (m0.PSR_ExceptionNumber_fupd f P) ⇔ m0.PSR_Z P) ∧
(∀f P. m0.PSR_Z (m0.PSR_N_fupd f P) ⇔ m0.PSR_Z P) ∧
(∀f P. m0.PSR_Z (m0.PSR_T_fupd f P) ⇔ m0.PSR_Z P) ∧
(∀f P. m0.PSR_Z (m0.PSR_V_fupd f P) ⇔ m0.PSR_Z P) ∧
(∀f P. m0.PSR_Z (m0.PSR_psr'rst_fupd f P) ⇔ m0.PSR_Z P) ∧
(∀f P. m0.PSR_psr'rst (m0.PSR_C_fupd f P) = m0.PSR_psr'rst P) ∧
(∀f P.
m0.PSR_psr'rst (m0.PSR_ExceptionNumber_fupd f P) = m0.PSR_psr'rst P) ∧
(∀f P. m0.PSR_psr'rst (m0.PSR_N_fupd f P) = m0.PSR_psr'rst P) ∧
(∀f P. m0.PSR_psr'rst (m0.PSR_T_fupd f P) = m0.PSR_psr'rst P) ∧
(∀f P. m0.PSR_psr'rst (m0.PSR_V_fupd f P) = m0.PSR_psr'rst P) ∧
(∀f P. m0.PSR_psr'rst (m0.PSR_Z_fupd f P) = m0.PSR_psr'rst P) ∧
(∀f P. m0.PSR_C (m0.PSR_C_fupd f P) ⇔ f (m0.PSR_C P)) ∧
(∀f P.
m0.PSR_ExceptionNumber (m0.PSR_ExceptionNumber_fupd f P) =
f (m0.PSR_ExceptionNumber P)) ∧
(∀f P. m0.PSR_N (m0.PSR_N_fupd f P) ⇔ f (m0.PSR_N P)) ∧
(∀f P. m0.PSR_T (m0.PSR_T_fupd f P) ⇔ f (m0.PSR_T P)) ∧
(∀f P. m0.PSR_V (m0.PSR_V_fupd f P) ⇔ f (m0.PSR_V P)) ∧
(∀f P. m0.PSR_Z (m0.PSR_Z_fupd f P) ⇔ f (m0.PSR_Z P)) ∧
∀f P. m0.PSR_psr'rst (m0.PSR_psr'rst_fupd f P) = f (m0.PSR_psr'rst P)
⊦ ((∀g f.
m0.m0_state_AIRCR_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_AIRCR_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_CCR_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_CCR_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_CONTROL_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_CONTROL_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_CurrentMode_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_CurrentMode_fupd f ∘
(m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_ExceptionActive_fupd f ∘
m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_ExceptionActive_fupd f ∘
(m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_MEM_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_MEM_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_SHPR3_fupd g =
m0.m0_state_SHPR3_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_SHPR3_fupd g ∘ h) =
m0.m0_state_SHPR3_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_VTOR_fupd g =
m0.m0_state_VTOR_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_VTOR_fupd g ∘ h) =
m0.m0_state_VTOR_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_count_fupd g =
m0.m0_state_count_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_count_fupd g ∘ h) =
m0.m0_state_count_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_exception_fupd g =
m0.m0_state_exception_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_exception_fupd g ∘ h) =
m0.m0_state_exception_fupd (f ∘ g) ∘ h) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_pcinc_fupd g =
m0.m0_state_pcinc_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_pcinc_fupd g ∘ h) =
m0.m0_state_pcinc_fupd (f ∘ g) ∘ h) ∧
(∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_pending_fupd g =
m0.m0_state_pending_fupd (f ∘ g)) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_pending_fupd g ∘ h) =
m0.m0_state_pending_fupd (f ∘ g) ∘ h
⊦ ((∀g f.
m0.PSR_ExceptionNumber_fupd f ∘ m0.PSR_C_fupd g =
m0.PSR_C_fupd g ∘ m0.PSR_ExceptionNumber_fupd f) ∧
∀h g f.
m0.PSR_ExceptionNumber_fupd f ∘ (m0.PSR_C_fupd g ∘ h) =
m0.PSR_C_fupd g ∘ (m0.PSR_ExceptionNumber_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_N_fupd f ∘ m0.PSR_C_fupd g =
m0.PSR_C_fupd g ∘ m0.PSR_N_fupd f) ∧
∀h g f.
m0.PSR_N_fupd f ∘ (m0.PSR_C_fupd g ∘ h) =
m0.PSR_C_fupd g ∘ (m0.PSR_N_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_N_fupd f ∘ m0.PSR_ExceptionNumber_fupd g =
m0.PSR_ExceptionNumber_fupd g ∘ m0.PSR_N_fupd f) ∧
∀h g f.
m0.PSR_N_fupd f ∘ (m0.PSR_ExceptionNumber_fupd g ∘ h) =
m0.PSR_ExceptionNumber_fupd g ∘ (m0.PSR_N_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_T_fupd f ∘ m0.PSR_C_fupd g =
m0.PSR_C_fupd g ∘ m0.PSR_T_fupd f) ∧
∀h g f.
m0.PSR_T_fupd f ∘ (m0.PSR_C_fupd g ∘ h) =
m0.PSR_C_fupd g ∘ (m0.PSR_T_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_T_fupd f ∘ m0.PSR_ExceptionNumber_fupd g =
m0.PSR_ExceptionNumber_fupd g ∘ m0.PSR_T_fupd f) ∧
∀h g f.
m0.PSR_T_fupd f ∘ (m0.PSR_ExceptionNumber_fupd g ∘ h) =
m0.PSR_ExceptionNumber_fupd g ∘ (m0.PSR_T_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_T_fupd f ∘ m0.PSR_N_fupd g =
m0.PSR_N_fupd g ∘ m0.PSR_T_fupd f) ∧
∀h g f.
m0.PSR_T_fupd f ∘ (m0.PSR_N_fupd g ∘ h) =
m0.PSR_N_fupd g ∘ (m0.PSR_T_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_V_fupd f ∘ m0.PSR_C_fupd g =
m0.PSR_C_fupd g ∘ m0.PSR_V_fupd f) ∧
∀h g f.
m0.PSR_V_fupd f ∘ (m0.PSR_C_fupd g ∘ h) =
m0.PSR_C_fupd g ∘ (m0.PSR_V_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_V_fupd f ∘ m0.PSR_ExceptionNumber_fupd g =
m0.PSR_ExceptionNumber_fupd g ∘ m0.PSR_V_fupd f) ∧
∀h g f.
m0.PSR_V_fupd f ∘ (m0.PSR_ExceptionNumber_fupd g ∘ h) =
m0.PSR_ExceptionNumber_fupd g ∘ (m0.PSR_V_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_V_fupd f ∘ m0.PSR_N_fupd g =
m0.PSR_N_fupd g ∘ m0.PSR_V_fupd f) ∧
∀h g f.
m0.PSR_V_fupd f ∘ (m0.PSR_N_fupd g ∘ h) =
m0.PSR_N_fupd g ∘ (m0.PSR_V_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_V_fupd f ∘ m0.PSR_T_fupd g =
m0.PSR_T_fupd g ∘ m0.PSR_V_fupd f) ∧
∀h g f.
m0.PSR_V_fupd f ∘ (m0.PSR_T_fupd g ∘ h) =
m0.PSR_T_fupd g ∘ (m0.PSR_V_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_Z_fupd f ∘ m0.PSR_C_fupd g =
m0.PSR_C_fupd g ∘ m0.PSR_Z_fupd f) ∧
∀h g f.
m0.PSR_Z_fupd f ∘ (m0.PSR_C_fupd g ∘ h) =
m0.PSR_C_fupd g ∘ (m0.PSR_Z_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_Z_fupd f ∘ m0.PSR_ExceptionNumber_fupd g =
m0.PSR_ExceptionNumber_fupd g ∘ m0.PSR_Z_fupd f) ∧
∀h g f.
m0.PSR_Z_fupd f ∘ (m0.PSR_ExceptionNumber_fupd g ∘ h) =
m0.PSR_ExceptionNumber_fupd g ∘ (m0.PSR_Z_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_Z_fupd f ∘ m0.PSR_N_fupd g =
m0.PSR_N_fupd g ∘ m0.PSR_Z_fupd f) ∧
∀h g f.
m0.PSR_Z_fupd f ∘ (m0.PSR_N_fupd g ∘ h) =
m0.PSR_N_fupd g ∘ (m0.PSR_Z_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_Z_fupd f ∘ m0.PSR_T_fupd g =
m0.PSR_T_fupd g ∘ m0.PSR_Z_fupd f) ∧
∀h g f.
m0.PSR_Z_fupd f ∘ (m0.PSR_T_fupd g ∘ h) =
m0.PSR_T_fupd g ∘ (m0.PSR_Z_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_Z_fupd f ∘ m0.PSR_V_fupd g =
m0.PSR_V_fupd g ∘ m0.PSR_Z_fupd f) ∧
∀h g f.
m0.PSR_Z_fupd f ∘ (m0.PSR_V_fupd g ∘ h) =
m0.PSR_V_fupd g ∘ (m0.PSR_Z_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_C_fupd g =
m0.PSR_C_fupd g ∘ m0.PSR_psr'rst_fupd f) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_C_fupd g ∘ h) =
m0.PSR_C_fupd g ∘ (m0.PSR_psr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_ExceptionNumber_fupd g =
m0.PSR_ExceptionNumber_fupd g ∘ m0.PSR_psr'rst_fupd f) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_ExceptionNumber_fupd g ∘ h) =
m0.PSR_ExceptionNumber_fupd g ∘ (m0.PSR_psr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_N_fupd g =
m0.PSR_N_fupd g ∘ m0.PSR_psr'rst_fupd f) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_N_fupd g ∘ h) =
m0.PSR_N_fupd g ∘ (m0.PSR_psr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_T_fupd g =
m0.PSR_T_fupd g ∘ m0.PSR_psr'rst_fupd f) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_T_fupd g ∘ h) =
m0.PSR_T_fupd g ∘ (m0.PSR_psr'rst_fupd f ∘ h)) ∧
((∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_V_fupd g =
m0.PSR_V_fupd g ∘ m0.PSR_psr'rst_fupd f) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_V_fupd g ∘ h) =
m0.PSR_V_fupd g ∘ (m0.PSR_psr'rst_fupd f ∘ h)) ∧
(∀g f.
m0.PSR_psr'rst_fupd f ∘ m0.PSR_Z_fupd g =
m0.PSR_Z_fupd g ∘ m0.PSR_psr'rst_fupd f) ∧
∀h g f.
m0.PSR_psr'rst_fupd f ∘ (m0.PSR_Z_fupd g ∘ h) =
m0.PSR_Z_fupd g ∘ (m0.PSR_psr'rst_fupd f ∘ h)
⊦ ∀_.
m0.PushStack _ =
λstate.
bool.LET
(pair.UNCURRY
(λs0 s1.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λs2.
if m0.m0_state_CurrentMode
s2 =
m0.Mode_Handler
then
m0.write'LR
(words.n2w
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0))))))))))))))))))))))))))))))))
s2
else if ¬m0.CONTROL_SPSEL
(m0.m0_state_CONTROL
s2)
then
m0.write'LR
(words.n2w
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0))))))))))))))))))))))))))))))))
s2
else
m0.write'LR
(words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0))))))))))))))))))))))))))))))))
s2)
(m0.write'MemA
(words.word_concat
(words.word_extract
31
(arithmetic.BIT2
(arithmetic.BIT2
1))
(m0.reg'PSR
(m0.m0_state_PSR
(snd
(snd
s)))))
(words.word_concat
(fst
(snd
s))
(words.word_extract
(arithmetic.BIT2
3) 0
(m0.reg'PSR
(m0.m0_state_PSR
(snd
(snd
s)))))),
words.word_add
(fst s)
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))))),
arithmetic.BIT2
1)
(snd (snd s))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0,
fst (snd s0),
m0.write'MemA
(v0,
words.word_add
(fst s)
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1)))),
arithmetic.BIT2
1)
(snd
(snd
s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3.
(v,
fst
(snd
s),
s3)))
(bool.LET
(λs0.
(m0.ReturnAddress
() s0,
s0))
(snd
(snd
s))))
(λv s3.
(v, fst s,
s3)))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0,
fst (snd s0),
m0.write'MemA
(v0,
words.word_add
(fst s)
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1)))),
arithmetic.BIT2
1)
(snd (snd s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3.
(v,
fst (snd s),
s3)))
(bool.LET
(λs0.
(m0.LR s0,
s0))
(snd (snd s))))
(λv s3.
(v, fst s, s3)))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0, fst (snd s0),
m0.write'MemA
(v0,
words.word_add
(fst s)
(words.n2w
(arithmetic.BIT2
7)),
arithmetic.BIT2 1)
(snd (snd s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3.
(v, fst (snd s),
s3)))
(bool.LET
(λs0.
(m0.R
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0))))
s0, s0))
(snd (snd s))))
(λv s3. (v, fst s, s3)))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0, fst (snd s0),
m0.write'MemA
(v0,
words.word_add (fst s)
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))),
arithmetic.BIT2 1)
(snd (snd s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3.
(v, fst (snd s), s3)))
(bool.LET
(λs0.
(m0.R (words.n2w 3) s0,
s0)) (snd (snd s))))
(λv s3. (v, fst s, s3)))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0, fst (snd s0),
m0.write'MemA
(v0,
words.word_add (fst s)
(words.n2w
(arithmetic.BIT2 3)),
arithmetic.BIT2 1)
(snd (snd s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3. (v, fst (snd s), s3)))
(bool.LET
(λs0.
(m0.R
(words.n2w
(arithmetic.BIT2 0))
s0, s0)) (snd (snd s))))
(λv s3. (v, fst s, s3)))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0, fst (snd s0),
m0.write'MemA
(v0,
words.word_add (fst s)
(words.n2w (arithmetic.BIT2 1)),
arithmetic.BIT2 1) (snd (snd s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY
(λv s3. (v, fst (snd s), s3)))
(bool.LET
(λs0. (m0.R (words.n2w 1) s0, s0))
(snd (snd s))))
(λv s3. (v, fst s, s3)))))
(bool.LET
(pair.UNCURRY
(λv0 s0.
(fst s0, fst (snd s0),
m0.write'MemA (v0, fst s, arithmetic.BIT2 1)
(snd (snd s0)))))
(pair.pair_CASE
(bool.LET
(pair.UNCURRY (λv s3. (v, fst (snd s), s3)))
(bool.LET (λs0. (m0.R (words.n2w 0) s0, s0))
(snd (snd s)))) (λv s3. (v, fst s, s3)))))
(if m0.CONTROL_SPSEL (m0.m0_state_CONTROL state) ∧
m0.m0_state_CurrentMode state = m0.Mode_Thread
then
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs2.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs2.
bool.LET
(pair.UNCURRY
(λv s. (v, snd s)))
(pair.pair_CASE
(m0.SP_process s2,
fst (snd s), s2)
(λv s3. (v, fst s, s3))))
(m0.write'SP_process
(words.word_and
(words.word_sub v
(words.n2w
(arithmetic.BIT2
15)))
(words.word_1comp
(words.w2w
(words.n2w
(arithmetic.BIT2
1)))))
(snd (snd s)))))
(pair.pair_CASE
(m0.SP_process s2,
words.word_extract
(arithmetic.BIT2 0)
(arithmetic.BIT2 0) v, s2)
(λv s3. (v, fst s, s3))))
(snd (snd s))))
(pair.pair_CASE (m0.SP_process state, s1, state)
(λv s3. (v, s0, s3)))
else
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs2.
bool.LET
(pair.UNCURRY
(λv s.
bool.LET
(λs2.
bool.LET
(pair.UNCURRY
(λv s. (v, snd s)))
(pair.pair_CASE
(m0.SP_main s2,
fst (snd s), s2)
(λv s3. (v, fst s, s3))))
(m0.write'SP_process
(words.word_and
(words.word_sub v
(words.n2w
(arithmetic.BIT2
15)))
(words.word_1comp
(words.w2w
(words.n2w
(arithmetic.BIT2
1)))))
(snd (snd s)))))
(pair.pair_CASE
(m0.SP_main s2,
words.word_extract
(arithmetic.BIT2 0)
(arithmetic.BIT2 0) v, s2)
(λv s3. (v, fst s, s3))))
(snd (snd s))))
(pair.pair_CASE (m0.SP_main state, s1, state)
(λv s3. (v, s0, s3)))))) (bool.ARB, bool.ARB)
⊦ (∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_0 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v0) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_1 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v1) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_2 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v2) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_3 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v3) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_4 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v4) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_5 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v5) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_6 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v6) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_7 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v7) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_8 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v8) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_9 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v9) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_10 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12
v13 v14 v15 v16 = v10) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_11 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12
v13 v14 v15 v16 = v11) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_12 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12
v13 v14 v15 v16 = v12) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_SP_main v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11
v12 v13 v14 v15 v16 = v13) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_SP_process v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10
v11 v12 v13 v14 v15 v16 = v14) ∧
(∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_LR v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12
v13 v14 v15 v16 = v15) ∧
∀v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16.
m0.RName_CASE m0.RName_PC v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13
v14 v15 v16 = v16
⊦ (∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_AIRCR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
A) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CCR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
C) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CONTROL
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
C0) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CurrentMode
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
M) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_ExceptionActive
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_MEM
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f0) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_NVIC_IPR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f1) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PRIMASK
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
P) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PSR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
P0) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_REG
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
f2) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR2
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
S) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
S0) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_VTOR
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
c) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_count
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
n) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_exception
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
e) ∧
(∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pcinc
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
c0) ∧
∀A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pending
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) = o
⊦ ∀h.
m0.DecodeThumb2 h =
λstate.
bool.LET
(λmc.
bool.LET
(pair.UNCURRY
(pair.UNCURRY
(λb'31.
pair.UNCURRY
(λb'30.
pair.UNCURRY
(λb'29.
pair.UNCURRY
(λb'28.
pair.UNCURRY
(λb'27.
pair.UNCURRY
(λb'26.
pair.UNCURRY
(λb'25.
pair.UNCURRY
(λb'24.
pair.UNCURRY
(λb'23.
pair.UNCURRY
(λb'22.
pair.UNCURRY
(λb'21.
pair.UNCURRY
(λb'20.
pair.UNCURRY
(λb'19.
pair.UNCURRY
(λb'18.
pair.UNCURRY
(λb'17
b'16.
pair.UNCURRY
(λb'15.
pair.UNCURRY
(λb'14.
pair.UNCURRY
(λb'13.
pair.UNCURRY
(λb'12.
pair.UNCURRY
(λb'11.
pair.UNCURRY
(λb'10.
pair.UNCURRY
(λb'9.
pair.UNCURRY
(λb'8.
pair.UNCURRY
(λb'7.
pair.UNCURRY
(λb'6.
pair.UNCURRY
(λb'5.
pair.UNCURRY
(λb'4.
pair.UNCURRY
(λb'3.
pair.UNCURRY
(λb'2.
pair.UNCURRY
(λb'1
b'0.
if b'31 ∧
b'30 ∧
b'29 ∧
b'28 ∧
¬b'27 ∧
b'15
then
if ¬b'26 ∧
b'25 ∧
b'24 ∧
b'23 ∧
¬b'22 ∧
¬b'21 ∧
¬b'14 ∧
¬b'12
then
bool.LET
(λRn.
bool.LET
(λSYSm.
(m0.System
(m0.MoveToSpecialRegister
(SYSm,
Rn)),
(if bool.IN
Rn
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))))
(pred_set.INSERT
(words.n2w
15)
pred_set.EMPTY)) ∨
¬bool.IN
SYSm
(pred_set.INSERT
(words.n2w
0)
(pred_set.INSERT
(words.n2w
1)
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
0))
(pred_set.INSERT
(words.n2w
3)
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
0)))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
0)))
(pred_set.INSERT
(words.n2w
7)
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
3))
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
1)))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
7))
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
3)))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
3)))
(pred_set.INSERT
(words.n2w
(bit1
(bit1
(arithmetic.BIT2
1))))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))
pred_set.EMPTY))))))))))))))
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
3)))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
[])
state
else
state)))
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[])))
(bitstring.v2w
(b'19 ::
b'18 ::
b'17 ::
b'16 ::
[]))
else if ¬b'26 ∧
b'25 ∧
b'24 ∧
b'23 ∧
¬b'22 ∧
b'21 ∧
b'20 ∧
¬b'14 ∧
¬b'12
then
bool.LET
(λoption.
(bool.literal_case
(λv.
if v =
words.n2w
(arithmetic.BIT2
1)
then
m0.Hint
(m0.DataSynchronizationBarrier
option)
else if v =
words.n2w
(bit1
(arithmetic.BIT2
0))
then
m0.Hint
(m0.DataMemoryBarrier
option)
else if v =
words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
0))
then
m0.Hint
(m0.InstructionSynchronizationBarrier
option)
else
m0.Undefined
(words.n2w
0))
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
[])),
state))
(bitstring.v2w
(b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
else if ¬b'26 ∧
b'25 ∧
b'24 ∧
b'23 ∧
b'22 ∧
b'21 ∧
¬b'14 ∧
¬b'12
then
bool.LET
(λSYSm.
bool.LET
(λRd.
(m0.System
(m0.MoveToRegisterFromSpecial
(SYSm,
Rd)),
(if bool.IN
Rd
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))))
(pred_set.INSERT
(words.n2w
15)
pred_set.EMPTY)) ∨
¬bool.IN
SYSm
(pred_set.INSERT
(words.n2w
0)
(pred_set.INSERT
(words.n2w
1)
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
0))
(pred_set.INSERT
(words.n2w
3)
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
0)))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
0)))
(pred_set.INSERT
(words.n2w
7)
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
3))
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
1)))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
7))
(pred_set.INSERT
(words.n2w
(bit1
(arithmetic.BIT2
3)))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
3)))
(pred_set.INSERT
(words.n2w
(bit1
(bit1
(arithmetic.BIT2
1))))
(pred_set.INSERT
(words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))
pred_set.EMPTY))))))))))))))
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
3)))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])
state
else
state)))
(bitstring.v2w
(b'11 ::
b'10 ::
b'9 ::
b'8 ::
[])))
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
else if b'26 ∧
b'25 ∧
b'24 ∧
b'23 ∧
b'22 ∧
b'21 ∧
b'20 ∧
¬b'14 ∧
b'13 ∧
¬b'12
then
(m0.Undefined
(words.w2w
(words.word_concat
(bitstring.v2w
(b'19 ::
b'18 ::
b'17 ::
b'16 ::
[]))
(bitstring.v2w
(b'11 ::
b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[])))),
state)
else if b'14 ∧
b'12
then
bool.LET
(λS.
(m0.Branch
(m0.BranchLinkImmediate
(words.sw2sw
(words.word_concat
S
(words.word_concat
(words.word_1comp
(words.word_xor
(bitstring.v2w
(b'13 ::
[]))
S))
(words.word_concat
(words.word_1comp
(words.word_xor
(bitstring.v2w
(b'11 ::
[]))
S))
(words.word_concat
(bitstring.v2w
(b'25 ::
b'24 ::
b'23 ::
b'22 ::
b'21 ::
b'20 ::
b'19 ::
b'18 ::
b'17 ::
b'16 ::
[]))
(words.word_concat
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0)))))))),
state))
(bitstring.v2w
(b'26 ::
[]))
else
(m0.Undefined
(words.n2w
0),
state)
else
(m0.Undefined
(words.n2w
0),
state)))))))))))))))))))))))))))))))))
(m0.boolify16 (fst h), m0.boolify16 (snd h))) (m0.Thumb2 h)
⊦ (∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_AIRCR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state (f3 A) C C0 M f f0 f1 P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CCR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A (f3 C) C0 M f f0 f1 P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CONTROL_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C (f3 C0) M f f0 f1 P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_CurrentMode_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 (f3 M) f f0 f1 P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_ExceptionActive_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M (f3 f) f0 f1 P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_MEM_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f (f3 f0) f1 P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_NVIC_IPR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 (f3 f1) P P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PRIMASK_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 (f3 P) P0 f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_PSR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P (f3 P0) f2 S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_REG_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 (f3 f2) S S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR2_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 (f3 S) S0 c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_SHPR3_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S (f3 S0) c n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_VTOR_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 (f3 c) n e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_count_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c (f3 n) e c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_exception_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n (f3 e) c0
o) ∧
(∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pcinc_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e (f3 c0)
o) ∧
∀f3 A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o.
m0.m0_state_pending_fupd f3
(m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 o) =
m0.recordtype.m0_state A C C0 M f f0 f1 P P0 f2 S S0 c n e c0 (f3 o)
⊦ ∀EXC_RETURN.
m0.ExceptionReturn EXC_RETURN =
λstate.
bool.LET
(λs.
bool.LET
(λs.
bool.LET
(λv.
bool.LET
(pair.UNCURRY
(λv0 s.
if ¬m0.m0_state_ExceptionActive s v then
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) :: []))
s)
else
bool.LET
(λs.
bool.LET
(λs1.
if m0.m0_state_CurrentMode s1 =
m0.Mode_Handler
then
if m0.PSR_ExceptionNumber
(m0.m0_state_PSR s1) =
words.n2w 0
then
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])) s1)
else s1
else if ¬(m0.PSR_ExceptionNumber
(m0.m0_state_PSR
s1) = words.n2w 0)
then
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])) s1)
else s1)
(m0.PopStack (fst s, EXC_RETURN)
(m0.DeActivate v (snd s))))
(bool.literal_case
(λv.
if v = words.n2w 1 then
if v0 = 1 then
(bool.ARB,
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])) s))
else
bool.LET
(λs1.
(m0.SP_main s,
m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_SPSEL_fupd
(const ⊥)
(m0.m0_state_CONTROL
s1))) s1))
(m0.m0_state_CurrentMode_fupd
(const m0.Mode_Handler) s)
else if v =
words.n2w
(bit1 (arithmetic.BIT2 1))
then
if ¬(v0 = 1) then
(bool.ARB,
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])) s))
else
bool.LET
(λs1.
(m0.SP_main s,
m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_SPSEL_fupd
(const ⊥)
(m0.m0_state_CONTROL
s1))) s1))
(m0.m0_state_CurrentMode_fupd
(const m0.Mode_Thread) s)
else if v =
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))
then
if ¬(v0 = 1) then
(bool.ARB,
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])) s))
else
bool.LET
(λs1.
(m0.SP_process s,
m0.m0_state_CONTROL_fupd
(const
(m0.CONTROL_SPSEL_fupd
(const ⊤)
(m0.m0_state_CONTROL
s1))) s1))
(m0.m0_state_CurrentMode_fupd
(const m0.Mode_Thread) s)
else
(bool.ARB,
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])) s)))
(words.word_extract 3 0 EXC_RETURN))))
(m0.ExceptionActiveBitCount () s))
(m0.PSR_ExceptionNumber (m0.m0_state_PSR s)))
(if ¬m0.IsOnes
(words.word_extract
(bit1 (bit1 (arithmetic.BIT2 (arithmetic.BIT2 0))))
(arithmetic.BIT2 1) EXC_RETURN)
then
snd
(m0.raise'exception
(m0.UNPREDICTABLE
(string.CHR
(bit1 (arithmetic.BIT2 (arithmetic.BIT2 7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
[])) s)
else s))
(if ¬(m0.m0_state_CurrentMode state = m0.Mode_Handler) then
snd
(m0.raise'exception
(m0.ASSERT
(string.CHR (bit1 (bit1 (arithmetic.BIT2 7))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 3)))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 0))))) ::
string.CHR (arithmetic.BIT2 15) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 (arithmetic.BIT2 3)))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(bit1
(bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 3)))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1 (bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1 (bit1 (arithmetic.BIT2 0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2 0)))))) :: []))
state)
else state)
⊦ (∀m g f.
m0.m0_state_CCR_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_CCR_fupd f m)) ∧
(∀m g f.
m0.m0_state_CONTROL_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_CONTROL_fupd f m)) ∧
(∀m g f.
m0.m0_state_CONTROL_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_CONTROL_fupd f m)) ∧
(∀m g f.
m0.m0_state_CurrentMode_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_CurrentMode_fupd f m)) ∧
(∀m g f.
m0.m0_state_CurrentMode_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_CurrentMode_fupd f m)) ∧
(∀m g f.
m0.m0_state_CurrentMode_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_CurrentMode_fupd f m)) ∧
(∀m g f.
m0.m0_state_ExceptionActive_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_ExceptionActive_fupd f m)) ∧
(∀m g f.
m0.m0_state_ExceptionActive_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_ExceptionActive_fupd f m)) ∧
(∀m g f.
m0.m0_state_ExceptionActive_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_ExceptionActive_fupd f m)) ∧
(∀m g f.
m0.m0_state_ExceptionActive_fupd f
(m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g
(m0.m0_state_ExceptionActive_fupd f m)) ∧
(∀m g f.
m0.m0_state_MEM_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_MEM_fupd f m)) ∧
(∀m g f.
m0.m0_state_MEM_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_MEM_fupd f m)) ∧
(∀m g f.
m0.m0_state_MEM_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_MEM_fupd f m)) ∧
(∀m g f.
m0.m0_state_MEM_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_MEM_fupd f m)) ∧
(∀m g f.
m0.m0_state_MEM_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_MEM_fupd f m)) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_NVIC_IPR_fupd f m)) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_NVIC_IPR_fupd f m)) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_NVIC_IPR_fupd f m)) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_NVIC_IPR_fupd f m)) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_NVIC_IPR_fupd f m)) ∧
(∀m g f.
m0.m0_state_NVIC_IPR_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_NVIC_IPR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PRIMASK_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_PRIMASK_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_PSR_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_PSR_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_REG_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_REG_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR2_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_SHPR2_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_SHPR3_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd g (m0.m0_state_SHPR3_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_VTOR_fupd f (m0.m0_state_SHPR3_fupd g m) =
m0.m0_state_SHPR3_fupd g (m0.m0_state_VTOR_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_SHPR3_fupd g m) =
m0.m0_state_SHPR3_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_count_fupd f (m0.m0_state_VTOR_fupd g m) =
m0.m0_state_VTOR_fupd g (m0.m0_state_count_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_SHPR3_fupd g m) =
m0.m0_state_SHPR3_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_VTOR_fupd g m) =
m0.m0_state_VTOR_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_exception_fupd f (m0.m0_state_count_fupd g m) =
m0.m0_state_count_fupd g (m0.m0_state_exception_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_SHPR3_fupd g m) =
m0.m0_state_SHPR3_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_VTOR_fupd g m) =
m0.m0_state_VTOR_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_count_fupd g m) =
m0.m0_state_count_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pcinc_fupd f (m0.m0_state_exception_fupd g m) =
m0.m0_state_exception_fupd g (m0.m0_state_pcinc_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_AIRCR_fupd g m) =
m0.m0_state_AIRCR_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_CCR_fupd g m) =
m0.m0_state_CCR_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_CONTROL_fupd g m) =
m0.m0_state_CONTROL_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_CurrentMode_fupd g m) =
m0.m0_state_CurrentMode_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_ExceptionActive_fupd g m) =
m0.m0_state_ExceptionActive_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_MEM_fupd g m) =
m0.m0_state_MEM_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_NVIC_IPR_fupd g m) =
m0.m0_state_NVIC_IPR_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_PRIMASK_fupd g m) =
m0.m0_state_PRIMASK_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_PSR_fupd g m) =
m0.m0_state_PSR_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_REG_fupd g m) =
m0.m0_state_REG_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_SHPR2_fupd g m) =
m0.m0_state_SHPR2_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_SHPR3_fupd g m) =
m0.m0_state_SHPR3_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_VTOR_fupd g m) =
m0.m0_state_VTOR_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_count_fupd g m) =
m0.m0_state_count_fupd g (m0.m0_state_pending_fupd f m)) ∧
(∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_exception_fupd g m) =
m0.m0_state_exception_fupd g (m0.m0_state_pending_fupd f m)) ∧
∀m g f.
m0.m0_state_pending_fupd f (m0.m0_state_pcinc_fupd g m) =
m0.m0_state_pcinc_fupd g (m0.m0_state_pending_fupd f m)
⊦ ∀h.
m0.DecodeThumb h =
λstate.
bool.LET
(λmc.
bool.LET
(pair.UNCURRY
(λb'15.
pair.UNCURRY
(λb'14.
pair.UNCURRY
(λb'13.
pair.UNCURRY
(λb'12.
pair.UNCURRY
(λb'11.
pair.UNCURRY
(λb'10.
pair.UNCURRY
(λb'9.
pair.UNCURRY
(λb'8.
pair.UNCURRY
(λb'7.
pair.UNCURRY
(λb'6.
pair.UNCURRY
(λb'5.
pair.UNCURRY
(λb'4.
pair.UNCURRY
(λb'3.
pair.UNCURRY
(λb'2.
pair.UNCURRY
(λb'1
b'0.
if b'15
then
if b'13
then
if ¬b'14 ∧
¬b'12
then
(m0.Data
(m0.ArithLogicImmediate
(words.n2w
(arithmetic.BIT2
1),
⊥,
words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[])),
(if bitstring.v2w
(b'11 ::
[]) =
words.n2w
1
then
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))
else
words.n2w
15),
words.w2w
(words.word_concat
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0)))),
state)
else if ¬b'14 ∧
b'12 ∧
¬b'11 ∧
¬b'10 ∧
¬b'9 ∧
¬b'8
then
(m0.Data
(m0.ArithLogicImmediate
((if bitstring.v2w
(b'7 ::
[]) =
words.n2w
1
then
words.n2w
(arithmetic.BIT2
0)
else
words.n2w
(arithmetic.BIT2
1)),
⊥,
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))),
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))),
words.w2w
(words.word_concat
(bitstring.v2w
(b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0)))),
state)
else if ¬b'14 ∧
b'12 ∧
¬b'11 ∧
¬b'10 ∧
b'9 ∧
¬b'8 ∧
¬b'6
then
(m0.Media
(m0.ExtendHalfword
(bitstring.v2w
(b'7 ::
[]) =
words.n2w
1,
words.w2w
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[])),
words.w2w
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))),
state)
else if ¬b'14 ∧
b'12 ∧
¬b'11 ∧
¬b'10 ∧
b'9 ∧
¬b'8 ∧
b'6
then
(m0.Media
(m0.ExtendByte
(bitstring.v2w
(b'7 ::
[]) =
words.n2w
1,
words.w2w
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[])),
words.w2w
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))),
state)
else if ¬b'14 ∧
b'12 ∧
¬b'11 ∧
b'10 ∧
¬b'9
then
bool.LET
(λregisters.
(m0.Store
(m0.Push
registers),
(if m0.BitCount
registers <
1
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
[])
state
else
state)))
(bitstring.v2w
(b'8 ::
b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
else if ¬b'14 ∧
b'12 ∧
¬b'11 ∧
b'10 ∧
b'9 ∧
¬b'8 ∧
¬b'7 ∧
b'6 ∧
b'5
then
(m0.System
(m0.ChangeProcessorState
(¬(bitstring.v2w
(b'4 ::
[]) =
words.n2w
0))),
state)
else if ¬b'14 ∧
b'12 ∧
b'11 ∧
¬b'10 ∧
b'9 ∧
¬b'8
then
bool.LET
(λRd.
bool.LET
(λRm.
(bool.literal_case
(λv.
if v =
words.n2w
0
then
m0.Media
(m0.ByteReverse
(words.w2w
Rd,
words.w2w
Rm))
else if v =
words.n2w
1
then
m0.Media
(m0.ByteReversePackedHalfword
(words.w2w
Rd,
words.w2w
Rm))
else if v =
words.n2w
3
then
m0.Media
(m0.ByteReverseSignedHalfword
(words.w2w
Rd,
words.w2w
Rm))
else
m0.Undefined
(words.n2w
0))
(bitstring.v2w
(b'7 ::
b'6 ::
[])),
state))
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))
else if ¬b'14 ∧
b'12 ∧
b'11 ∧
b'10 ∧
¬b'9
then
bool.LET
(λregisters.
(m0.Load
(m0.LoadMultiple
(⊤,
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))),
registers)),
(if m0.BitCount
registers <
1
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
[])
state
else
state)))
(bitstring.v2w
(b'8 ::
b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
else
((if ¬b'14 ∧
b'12 ∧
b'11 ∧
b'10 ∧
b'9 ∧
¬b'8
then
m0.Hint
(m0.Breakpoint
(words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))))
else if ¬b'14 ∧
b'12 ∧
b'11 ∧
b'10 ∧
b'9 ∧
b'8 ∧
¬b'3 ∧
¬b'2 ∧
¬b'1 ∧
¬b'0
then
bool.literal_case
(λv.
if v =
words.n2w
1
then
m0.Hint
(m0.Yield
())
else if v =
words.n2w
(arithmetic.BIT2
0)
then
m0.Hint
(m0.WaitForEvent
())
else if v =
words.n2w
3
then
m0.Hint
(m0.WaitForInterrupt
())
else if v =
words.n2w
(arithmetic.BIT2
1)
then
m0.Hint
(m0.SendEvent
())
else
m0.NoOperation
())
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
[]))
else if b'14 ∧
¬b'12 ∧
¬b'11
then
m0.Branch
(m0.BranchTarget
(words.sw2sw
(words.word_concat
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0))))
else
m0.Undefined
(words.n2w
0)),
state)
else if ¬b'14 ∧
¬b'12
then
bool.LET
(λRt.
bool.LET
(λRn.
(bool.LET
(λm.
if bitstring.v2w
(b'11 ::
[]) =
words.n2w
1
then
m0.Load
(m0.LoadHalf
(⊤,
words.w2w
Rt,
words.w2w
Rn,
m))
else
m0.Store
(m0.StoreHalf
(words.w2w
Rt,
words.w2w
Rn,
m)))
(m0.immediate_form
(words.w2w
(words.word_concat
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
[]))
(words.n2w
0)))),
state))
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))
else if ¬b'14 ∧
b'12
then
bool.LET
(λRt.
(bool.LET
(λm.
if bitstring.v2w
(b'11 ::
[]) =
words.n2w
1
then
m0.Load
(m0.LoadWord
(words.w2w
Rt,
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))),
m))
else
m0.Store
(m0.StoreWord
(words.w2w
Rt,
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0))),
m)))
(m0.immediate_form
(words.w2w
(words.word_concat
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0)))),
state))
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[]))
else if b'14 ∧
¬b'12 ∧
¬b'11
then
bool.LET
(λregisters.
(m0.Store
(m0.StoreMultiple
(words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[])),
registers)),
(if m0.BitCount
registers <
1
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(bit1
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
1))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
3)))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
[])
state
else
state)))
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
else if b'14 ∧
¬b'12 ∧
b'11
then
bool.LET
(λRn.
bool.LET
(λregisters.
(m0.Load
(m0.LoadMultiple
(¬words.word_bit
(words.w2n
Rn)
registers,
words.w2w
Rn,
registers)),
(if m0.BitCount
registers <
1
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
3)))) ::
string.CHR
(bit1
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
3)))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(bit1
(bit1
(arithmetic.BIT2
0)))))) ::
[])
state
else
state)))
(words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))))
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[]))
else
((if b'14 ∧
b'12 ∧
b'11 ∧
b'10 ∧
b'9 ∧
¬b'8
then
m0.Undefined
(words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[])))
else if b'14 ∧
b'12 ∧
b'11 ∧
b'10 ∧
b'9 ∧
b'8
then
m0.System
(m0.SupervisorCall
(words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))))
else if b'14 ∧
b'12
then
if m0.ConditionPassed
(bitstring.v2w
(b'11 ::
b'10 ::
b'9 ::
b'8 ::
[]))
state
then
m0.Branch
(m0.BranchTarget
(words.sw2sw
(words.word_concat
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0))))
else
m0.NoOperation
()
else
m0.Undefined
(words.n2w
0)),
state)
else if b'14
then
if ¬b'13 ∧
¬b'12 ∧
¬b'11 ∧
¬b'10
then
bool.LET
(λRy.
bool.LET
(λRx.
bool.LET
(λopc.
(bool.literal_case
(λv.
if v =
words.n2w
0
then
bool.LET
(λd.
m0.Data
(m0.Register
(opc,
⊤,
d,
d,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
1
then
bool.LET
(λd.
m0.Data
(m0.Register
(opc,
⊤,
d,
d,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(bit1
(arithmetic.BIT2
0))
then
bool.LET
(λd.
m0.Data
(m0.Register
(opc,
⊤,
d,
d,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
0))
then
bool.LET
(λd.
m0.Data
(m0.Register
(opc,
⊤,
d,
d,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
0)))
then
bool.LET
(λd.
m0.Data
(m0.Register
(opc,
⊤,
d,
d,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
0)))
then
bool.LET
(λd.
m0.Data
(m0.Register
(opc,
⊤,
d,
d,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(arithmetic.BIT2
0)
then
bool.LET
(λd.
m0.Data
(m0.ShiftRegister
(d,
d,
m0.DecodeRegShift
(words.w2w
(words.word_sub
opc
(words.n2w
(arithmetic.BIT2
0)))),
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
3
then
bool.LET
(λd.
m0.Data
(m0.ShiftRegister
(d,
d,
m0.DecodeRegShift
(words.w2w
(words.word_sub
opc
(words.n2w
(arithmetic.BIT2
0)))),
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(arithmetic.BIT2
1)
then
bool.LET
(λd.
m0.Data
(m0.ShiftRegister
(d,
d,
m0.DecodeRegShift
(words.w2w
(words.word_sub
opc
(words.n2w
(arithmetic.BIT2
0)))),
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
7
then
bool.LET
(λd.
m0.Data
(m0.ShiftRegister
(d,
d,
m0.SRType_ROR,
words.w2w
Rx)))
(words.w2w
Ry)
else if v =
words.n2w
(arithmetic.BIT2
3)
then
m0.Data
(m0.TestCompareRegister
(words.word_extract
1
0
opc,
words.w2w
Ry,
words.w2w
Rx))
else if v =
words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
1))
then
m0.Data
(m0.TestCompareRegister
(words.word_extract
1
0
opc,
words.w2w
Ry,
words.w2w
Rx))
else if v =
words.n2w
(bit1
(bit1
(arithmetic.BIT2
0)))
then
m0.Data
(m0.TestCompareRegister
(words.word_extract
1
0
opc,
words.w2w
Ry,
words.w2w
Rx))
else if v =
words.n2w
(bit1
(arithmetic.BIT2
1))
then
m0.Data
(m0.ArithLogicImmediate
(words.n2w
3,
⊤,
words.w2w
Ry,
words.w2w
Rx,
words.n2w
0))
else if v =
words.n2w
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
0)))
then
bool.LET
(λd.
m0.Multiply
(m0.Multiply32
(d,
words.w2w
Rx,
d)))
(words.w2w
Ry)
else if v =
words.n2w
15
then
m0.Data
(m0.ShiftImmediate
(⊤,
⊤,
words.w2w
Ry,
words.w2w
Rx,
m0.SRType_LSL,
0))
else
bool.ARB)
opc,
state))
(bitstring.v2w
(b'9 ::
b'8 ::
b'7 ::
b'6 ::
[])))
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))
else if ¬b'13 ∧
¬b'12 ∧
¬b'11 ∧
b'10 ∧
¬b'9 ∧
¬b'8
then
bool.LET
(λRm.
bool.LET
(λd.
(m0.Data
(m0.Register
(words.n2w
(arithmetic.BIT2
1),
⊥,
d,
d,
Rm)),
(if d =
words.n2w
15 ∧
Rm =
words.n2w
15
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(bit1
(arithmetic.BIT2
15)) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
7))) ::
string.CHR
(arithmetic.BIT2
(bit1
(arithmetic.BIT2
7))) ::
[])
state
else
state)))
(words.word_concat
(bitstring.v2w
(b'7 ::
[]))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))))
(bitstring.v2w
(b'6 ::
b'5 ::
b'4 ::
b'3 ::
[]))
else if ¬b'13 ∧
¬b'12 ∧
¬b'11 ∧
b'10 ∧
¬b'9 ∧
b'8
then
bool.LET
(λRm.
bool.LET
(λn.
(m0.Data
(m0.TestCompareRegister
(words.n2w
(arithmetic.BIT2
0),
n,
Rm)),
(if words.word_lo
n
(words.n2w
(arithmetic.BIT2
3)) ∧
words.word_lo
Rm
(words.n2w
(arithmetic.BIT2
3)) ∨
n =
words.n2w
15 ∨
Rm =
words.n2w
15
then
m0.DECODE_UNPREDICTABLE
(mc,
string.CHR
(bit1
(bit1
(arithmetic.BIT2
7))) ::
string.CHR
(bit1
(arithmetic.BIT2
(arithmetic.BIT2
(arithmetic.BIT2
3)))) ::
string.CHR
(arithmetic.BIT2
(bit1
(bit1
(bit1
(arithmetic.BIT2
1))))) ::
[])
state
else
state)))
(words.word_concat
(bitstring.v2w
(b'7 ::
[]))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))))
(bitstring.v2w
(b'6 ::
b'5 ::
b'4 ::
b'3 ::
[]))
else if ¬b'13 ∧
¬b'12 ∧
¬b'11 ∧
b'10 ∧
b'9 ∧
¬b'8
then
(m0.Data
(m0.ShiftImmediate
(⊥,
⊥,
words.word_concat
(bitstring.v2w
(b'7 ::
[]))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[])),
bitstring.v2w
(b'6 ::
b'5 ::
b'4 ::
b'3 ::
[]),
m0.SRType_LSL,
0)),
state)
else if ¬b'13 ∧
¬b'12 ∧
¬b'11 ∧
b'10 ∧
b'9 ∧
b'8 ∧
¬b'7
then
(m0.Branch
(m0.BranchExchange
(bitstring.v2w
(b'6 ::
b'5 ::
b'4 ::
b'3 ::
[]))),
state)
else if ¬b'13 ∧
¬b'12 ∧
¬b'11 ∧
b'10 ∧
b'9 ∧
b'8 ∧
b'7
then
(m0.Branch
(m0.BranchLinkExchangeRegister
(bitstring.v2w
(b'6 ::
b'5 ::
b'4 ::
b'3 ::
[]))),
state)
else if ¬b'13 ∧
¬b'12 ∧
b'11
then
(m0.Load
(m0.LoadLiteral
(words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[])),
words.w2w
(words.word_concat
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))
(words.n2w
0)))),
state)
else if ¬b'13 ∧
b'12
then
bool.LET
(λRt.
bool.LET
(λRn.
(bool.LET
(λm.
bool.literal_case
(λv.
if v =
words.n2w
0
then
m0.Store
(m0.StoreWord
(words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
1
then
m0.Store
(m0.StoreHalf
(words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
(arithmetic.BIT2
0)
then
m0.Store
(m0.StoreByte
(words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
3
then
m0.Load
(m0.LoadByte
(⊥,
words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
(arithmetic.BIT2
1)
then
m0.Load
(m0.LoadWord
(words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
(bit1
(arithmetic.BIT2
0))
then
m0.Load
(m0.LoadHalf
(⊤,
words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
(arithmetic.BIT2
(arithmetic.BIT2
0))
then
m0.Load
(m0.LoadByte
(⊤,
words.w2w
Rt,
words.w2w
Rn,
m))
else if v =
words.n2w
7
then
m0.Load
(m0.LoadHalf
(⊥,
words.w2w
Rt,
words.w2w
Rn,
m))
else
bool.ARB)
(bitstring.v2w
(b'11 ::
b'10 ::
b'9 ::
[])))
(m0.register_form
(words.w2w
(bitstring.v2w
(b'8 ::
b'7 ::
b'6 ::
[])))),
state))
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))
else if b'13 ∧
¬b'12
then
bool.LET
(λRt.
bool.LET
(λRn.
(bool.LET
(λm.
if bitstring.v2w
(b'11 ::
[]) =
words.n2w
1
then
m0.Load
(m0.LoadWord
(words.w2w
Rt,
words.w2w
Rn,
m))
else
m0.Store
(m0.StoreWord
(words.w2w
Rt,
words.w2w
Rn,
m)))
(m0.immediate_form
(words.w2w
(words.word_concat
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
[]))
(words.n2w
0)))),
state))
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))
else if b'13 ∧
b'12
then
bool.LET
(λRt.
bool.LET
(λRn.
(bool.LET
(λm.
if bitstring.v2w
(b'11 ::
[]) =
words.n2w
1
then
m0.Load
(m0.LoadByte
(⊤,
words.w2w
Rt,
words.w2w
Rn,
m))
else
m0.Store
(m0.StoreByte
(words.w2w
Rt,
words.w2w
Rn,
m)))
(m0.immediate_form
(words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
[])))),
state))
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])))
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[]))
else
(m0.Undefined
(words.n2w
0),
state)
else
((if ¬b'13 ∧
b'12 ∧
b'11 ∧
¬b'10
then
m0.Data
(m0.Register
((if bitstring.v2w
(b'9 ::
[]) =
words.n2w
1
then
words.n2w
(arithmetic.BIT2
0)
else
words.n2w
(arithmetic.BIT2
1)),
⊤,
words.w2w
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[])),
words.w2w
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])),
words.w2w
(bitstring.v2w
(b'8 ::
b'7 ::
b'6 ::
[]))))
else if ¬b'13 ∧
b'12 ∧
b'11 ∧
b'10
then
m0.Data
(m0.ArithLogicImmediate
((if bitstring.v2w
(b'9 ::
[]) =
words.n2w
1
then
words.n2w
(arithmetic.BIT2
0)
else
words.n2w
(arithmetic.BIT2
1)),
⊤,
words.w2w
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[])),
words.w2w
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])),
words.w2w
(bitstring.v2w
(b'8 ::
b'7 ::
b'6 ::
[]))))
else if ¬b'13
then
bool.LET
(pair.UNCURRY
(λshift_t
shift_n.
m0.Data
(m0.ShiftImmediate
(⊥,
⊤,
words.w2w
(bitstring.v2w
(b'2 ::
b'1 ::
b'0 ::
[])),
words.w2w
(bitstring.v2w
(b'5 ::
b'4 ::
b'3 ::
[])),
shift_t,
shift_n))))
(m0.DecodeImmShift
(bitstring.v2w
(b'12 ::
b'11 ::
[]),
bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
b'7 ::
b'6 ::
[])))
else if b'13 ∧
¬b'12 ∧
¬b'11
then
m0.Data
(m0.Move
(words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[])),
words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))))
else if b'13 ∧
¬b'12 ∧
b'11
then
m0.Data
(m0.CompareImmediate
(words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[])),
words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[]))))
else if b'13 ∧
b'12
then
bool.LET
(λd.
m0.Data
(m0.ArithLogicImmediate
((if bitstring.v2w
(b'11 ::
[]) =
words.n2w
1
then
words.n2w
(arithmetic.BIT2
0)
else
words.n2w
(arithmetic.BIT2
1)),
⊤,
d,
d,
words.w2w
(bitstring.v2w
(b'7 ::
b'6 ::
b'5 ::
b'4 ::
b'3 ::
b'2 ::
b'1 ::
b'0 ::
[])))))
(words.w2w
(bitstring.v2w
(b'10 ::
b'9 ::
b'8 ::
[])))
else
m0.Undefined
(words.n2w
0)),
state)))))))))))))))))
(m0.boolify16 h)) (m0.Thumb h)
⊦ (∀m f.
m0.m0_state_AIRCR (m0.m0_state_CCR_fupd f m) = m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_MEM_fupd f m) = m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_PSR_fupd f m) = m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_REG_fupd f m) = m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_VTOR_fupd f m) = m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_count_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_exception_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_pending_fupd f m) =
m0.m0_state_AIRCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_AIRCR_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_CONTROL_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_CCR m) ∧
(∀m f. m0.m0_state_CCR (m0.m0_state_MEM_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_NVIC_IPR_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_PRIMASK_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f. m0.m0_state_CCR (m0.m0_state_PSR_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f. m0.m0_state_CCR (m0.m0_state_REG_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_SHPR2_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_SHPR3_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f. m0.m0_state_CCR (m0.m0_state_VTOR_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_count_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_exception_fupd f m) =
m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_pcinc_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_pending_fupd f m) = m0.m0_state_CCR m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_CCR_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_MEM_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_PSR_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_REG_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_count_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_exception_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_pending_fupd f m) =
m0.m0_state_CONTROL m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_CCR_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_MEM_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_PSR_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_REG_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_count_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_exception_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_pending_fupd f m) =
m0.m0_state_CurrentMode m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_CCR_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_MEM_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_PSR_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_REG_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_count_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_exception_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_pending_fupd f m) =
m0.m0_state_ExceptionActive m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_AIRCR_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f. m0.m0_state_MEM (m0.m0_state_CCR_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_CONTROL_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_NVIC_IPR_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_PRIMASK_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f. m0.m0_state_MEM (m0.m0_state_PSR_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f. m0.m0_state_MEM (m0.m0_state_REG_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_SHPR2_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_SHPR3_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f. m0.m0_state_MEM (m0.m0_state_VTOR_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_count_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_exception_fupd f m) =
m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_pcinc_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_pending_fupd f m) = m0.m0_state_MEM m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_CCR_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_MEM_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_PSR_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_REG_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_count_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_exception_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_pending_fupd f m) =
m0.m0_state_NVIC_IPR m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_CCR_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_MEM_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_PSR_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_REG_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_count_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_exception_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_pending_fupd f m) =
m0.m0_state_PRIMASK m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_AIRCR_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f. m0.m0_state_PSR (m0.m0_state_CCR_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_CONTROL_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_PSR m) ∧
(∀m f. m0.m0_state_PSR (m0.m0_state_MEM_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_NVIC_IPR_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_PRIMASK_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f. m0.m0_state_PSR (m0.m0_state_REG_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_SHPR2_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_SHPR3_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f. m0.m0_state_PSR (m0.m0_state_VTOR_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_count_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_exception_fupd f m) =
m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_pcinc_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_pending_fupd f m) = m0.m0_state_PSR m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_AIRCR_fupd f m) = m0.m0_state_REG m) ∧
(∀m f. m0.m0_state_REG (m0.m0_state_CCR_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_CONTROL_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_REG m) ∧
(∀m f. m0.m0_state_REG (m0.m0_state_MEM_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_NVIC_IPR_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_PRIMASK_fupd f m) = m0.m0_state_REG m) ∧
(∀m f. m0.m0_state_REG (m0.m0_state_PSR_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_SHPR2_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_SHPR3_fupd f m) = m0.m0_state_REG m) ∧
(∀m f. m0.m0_state_REG (m0.m0_state_VTOR_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_count_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_exception_fupd f m) =
m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_pcinc_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_pending_fupd f m) = m0.m0_state_REG m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_CCR_fupd f m) = m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_MEM_fupd f m) = m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_PSR_fupd f m) = m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_REG_fupd f m) = m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_VTOR_fupd f m) = m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_count_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_exception_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_pending_fupd f m) =
m0.m0_state_SHPR2 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_CCR_fupd f m) = m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_MEM_fupd f m) = m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_PSR_fupd f m) = m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_REG_fupd f m) = m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_VTOR_fupd f m) = m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_count_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_exception_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_pending_fupd f m) =
m0.m0_state_SHPR3 m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_AIRCR_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_CCR_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_MEM_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_PSR_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_REG_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_SHPR2_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_SHPR3_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_count_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_exception_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_pcinc_fupd f m) = m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_pending_fupd f m) =
m0.m0_state_VTOR m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_CCR_fupd f m) = m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_MEM_fupd f m) = m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_PSR_fupd f m) = m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_REG_fupd f m) = m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_VTOR_fupd f m) = m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_exception_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_pending_fupd f m) =
m0.m0_state_count m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_CCR_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_MEM_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_PSR_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_REG_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_count_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_pending_fupd f m) =
m0.m0_state_exception m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_CCR_fupd f m) = m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_MEM_fupd f m) = m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_PSR_fupd f m) = m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_REG_fupd f m) = m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_VTOR_fupd f m) = m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_count_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_exception_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_pending_fupd f m) =
m0.m0_state_pcinc m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_AIRCR_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_CCR_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_CONTROL_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_CurrentMode_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_ExceptionActive_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_MEM_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_NVIC_IPR_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_PRIMASK_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_PSR_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_REG_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_SHPR2_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_SHPR3_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_VTOR_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_count_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_exception_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_pending (m0.m0_state_pcinc_fupd f m) =
m0.m0_state_pending m) ∧
(∀m f.
m0.m0_state_AIRCR (m0.m0_state_AIRCR_fupd f m) =
f (m0.m0_state_AIRCR m)) ∧
(∀m f.
m0.m0_state_CCR (m0.m0_state_CCR_fupd f m) = f (m0.m0_state_CCR m)) ∧
(∀m f.
m0.m0_state_CONTROL (m0.m0_state_CONTROL_fupd f m) =
f (m0.m0_state_CONTROL m)) ∧
(∀m f.
m0.m0_state_CurrentMode (m0.m0_state_CurrentMode_fupd f m) =
f (m0.m0_state_CurrentMode m)) ∧
(∀m f.
m0.m0_state_ExceptionActive (m0.m0_state_ExceptionActive_fupd f m) =
f (m0.m0_state_ExceptionActive m)) ∧
(∀m f.
m0.m0_state_MEM (m0.m0_state_MEM_fupd f m) = f (m0.m0_state_MEM m)) ∧
(∀m f.
m0.m0_state_NVIC_IPR (m0.m0_state_NVIC_IPR_fupd f m) =
f (m0.m0_state_NVIC_IPR m)) ∧
(∀m f.
m0.m0_state_PRIMASK (m0.m0_state_PRIMASK_fupd f m) =
f (m0.m0_state_PRIMASK m)) ∧
(∀m f.
m0.m0_state_PSR (m0.m0_state_PSR_fupd f m) = f (m0.m0_state_PSR m)) ∧
(∀m f.
m0.m0_state_REG (m0.m0_state_REG_fupd f m) = f (m0.m0_state_REG m)) ∧
(∀m f.
m0.m0_state_SHPR2 (m0.m0_state_SHPR2_fupd f m) =
f (m0.m0_state_SHPR2 m)) ∧
(∀m f.
m0.m0_state_SHPR3 (m0.m0_state_SHPR3_fupd f m) =
f (m0.m0_state_SHPR3 m)) ∧
(∀m f.
m0.m0_state_VTOR (m0.m0_state_VTOR_fupd f m) =
f (m0.m0_state_VTOR m)) ∧
(∀m f.
m0.m0_state_count (m0.m0_state_count_fupd f m) =
f (m0.m0_state_count m)) ∧
(∀m f.
m0.m0_state_exception (m0.m0_state_exception_fupd f m) =
f (m0.m0_state_exception m)) ∧
(∀m f.
m0.m0_state_pcinc (m0.m0_state_pcinc_fupd f m) =
f (m0.m0_state_pcinc m)) ∧
∀m f.
m0.m0_state_pending (m0.m0_state_pending_fupd f m) =
f (m0.m0_state_pending m)
⊦ ((∀g f.
m0.m0_state_CCR_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_CCR_fupd f) ∧
∀h g f.
m0.m0_state_CCR_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_CCR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_CONTROL_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_CONTROL_fupd f) ∧
∀h g f.
m0.m0_state_CONTROL_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_CONTROL_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_CONTROL_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_CONTROL_fupd f) ∧
∀h g f.
m0.m0_state_CONTROL_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_CONTROL_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_CurrentMode_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_CurrentMode_fupd f) ∧
∀h g f.
m0.m0_state_CurrentMode_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_CurrentMode_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_CurrentMode_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_CurrentMode_fupd f) ∧
∀h g f.
m0.m0_state_CurrentMode_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_CurrentMode_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_CurrentMode_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_CurrentMode_fupd f) ∧
∀h g f.
m0.m0_state_CurrentMode_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_CurrentMode_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_ExceptionActive_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_ExceptionActive_fupd f) ∧
∀h g f.
m0.m0_state_ExceptionActive_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_ExceptionActive_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_ExceptionActive_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_ExceptionActive_fupd f) ∧
∀h g f.
m0.m0_state_ExceptionActive_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_ExceptionActive_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_ExceptionActive_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_ExceptionActive_fupd f) ∧
∀h g f.
m0.m0_state_ExceptionActive_fupd f ∘
(m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘
(m0.m0_state_ExceptionActive_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_ExceptionActive_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘
m0.m0_state_ExceptionActive_fupd f) ∧
∀h g f.
m0.m0_state_ExceptionActive_fupd f ∘
(m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘
(m0.m0_state_ExceptionActive_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_MEM_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_MEM_fupd f) ∧
∀h g f.
m0.m0_state_MEM_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_MEM_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_MEM_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_MEM_fupd f) ∧
∀h g f.
m0.m0_state_MEM_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_MEM_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_MEM_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_MEM_fupd f) ∧
∀h g f.
m0.m0_state_MEM_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_MEM_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_MEM_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_MEM_fupd f) ∧
∀h g f.
m0.m0_state_MEM_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_MEM_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_MEM_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_MEM_fupd f) ∧
∀h g f.
m0.m0_state_MEM_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_MEM_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_NVIC_IPR_fupd f) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_NVIC_IPR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_NVIC_IPR_fupd f) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_NVIC_IPR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_NVIC_IPR_fupd f) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_NVIC_IPR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_NVIC_IPR_fupd f) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_NVIC_IPR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_NVIC_IPR_fupd f) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘
(m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘
(m0.m0_state_NVIC_IPR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_NVIC_IPR_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_NVIC_IPR_fupd f) ∧
∀h g f.
m0.m0_state_NVIC_IPR_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_NVIC_IPR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘
(m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘
(m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PRIMASK_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_PRIMASK_fupd f) ∧
∀h g f.
m0.m0_state_PRIMASK_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_PRIMASK_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_PSR_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_PSR_fupd f) ∧
∀h g f.
m0.m0_state_PSR_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_PSR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_REG_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_REG_fupd f) ∧
∀h g f.
m0.m0_state_REG_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_REG_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR2_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_SHPR2_fupd f) ∧
∀h g f.
m0.m0_state_SHPR2_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_SHPR2_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_SHPR3_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd g ∘ m0.m0_state_SHPR3_fupd f) ∧
∀h g f.
m0.m0_state_SHPR3_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd g ∘ (m0.m0_state_SHPR3_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_VTOR_fupd f ∘ m0.m0_state_SHPR3_fupd g =
m0.m0_state_SHPR3_fupd g ∘ m0.m0_state_VTOR_fupd f) ∧
∀h g f.
m0.m0_state_VTOR_fupd f ∘ (m0.m0_state_SHPR3_fupd g ∘ h) =
m0.m0_state_SHPR3_fupd g ∘ (m0.m0_state_VTOR_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_SHPR3_fupd g =
m0.m0_state_SHPR3_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_SHPR3_fupd g ∘ h) =
m0.m0_state_SHPR3_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_count_fupd f ∘ m0.m0_state_VTOR_fupd g =
m0.m0_state_VTOR_fupd g ∘ m0.m0_state_count_fupd f) ∧
∀h g f.
m0.m0_state_count_fupd f ∘ (m0.m0_state_VTOR_fupd g ∘ h) =
m0.m0_state_VTOR_fupd g ∘ (m0.m0_state_count_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘
(m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘
(m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_SHPR3_fupd g =
m0.m0_state_SHPR3_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_SHPR3_fupd g ∘ h) =
m0.m0_state_SHPR3_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_VTOR_fupd g =
m0.m0_state_VTOR_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_VTOR_fupd g ∘ h) =
m0.m0_state_VTOR_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_exception_fupd f ∘ m0.m0_state_count_fupd g =
m0.m0_state_count_fupd g ∘ m0.m0_state_exception_fupd f) ∧
∀h g f.
m0.m0_state_exception_fupd f ∘ (m0.m0_state_count_fupd g ∘ h) =
m0.m0_state_count_fupd g ∘ (m0.m0_state_exception_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_SHPR3_fupd g =
m0.m0_state_SHPR3_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_SHPR3_fupd g ∘ h) =
m0.m0_state_SHPR3_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_VTOR_fupd g =
m0.m0_state_VTOR_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_VTOR_fupd g ∘ h) =
m0.m0_state_VTOR_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_count_fupd g =
m0.m0_state_count_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_count_fupd g ∘ h) =
m0.m0_state_count_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pcinc_fupd f ∘ m0.m0_state_exception_fupd g =
m0.m0_state_exception_fupd g ∘ m0.m0_state_pcinc_fupd f) ∧
∀h g f.
m0.m0_state_pcinc_fupd f ∘ (m0.m0_state_exception_fupd g ∘ h) =
m0.m0_state_exception_fupd g ∘ (m0.m0_state_pcinc_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_AIRCR_fupd g =
m0.m0_state_AIRCR_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_AIRCR_fupd g ∘ h) =
m0.m0_state_AIRCR_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_CCR_fupd g =
m0.m0_state_CCR_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_CCR_fupd g ∘ h) =
m0.m0_state_CCR_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_CONTROL_fupd g =
m0.m0_state_CONTROL_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_CONTROL_fupd g ∘ h) =
m0.m0_state_CONTROL_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_CurrentMode_fupd g =
m0.m0_state_CurrentMode_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_CurrentMode_fupd g ∘ h) =
m0.m0_state_CurrentMode_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_ExceptionActive_fupd g =
m0.m0_state_ExceptionActive_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘
(m0.m0_state_ExceptionActive_fupd g ∘ h) =
m0.m0_state_ExceptionActive_fupd g ∘
(m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_MEM_fupd g =
m0.m0_state_MEM_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_MEM_fupd g ∘ h) =
m0.m0_state_MEM_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_NVIC_IPR_fupd g =
m0.m0_state_NVIC_IPR_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_NVIC_IPR_fupd g ∘ h) =
m0.m0_state_NVIC_IPR_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_PRIMASK_fupd g =
m0.m0_state_PRIMASK_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_PRIMASK_fupd g ∘ h) =
m0.m0_state_PRIMASK_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_PSR_fupd g =
m0.m0_state_PSR_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_PSR_fupd g ∘ h) =
m0.m0_state_PSR_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_REG_fupd g =
m0.m0_state_REG_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_REG_fupd g ∘ h) =
m0.m0_state_REG_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_SHPR2_fupd g =
m0.m0_state_SHPR2_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_SHPR2_fupd g ∘ h) =
m0.m0_state_SHPR2_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_SHPR3_fupd g =
m0.m0_state_SHPR3_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_SHPR3_fupd g ∘ h) =
m0.m0_state_SHPR3_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_VTOR_fupd g =
m0.m0_state_VTOR_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_VTOR_fupd g ∘ h) =
m0.m0_state_VTOR_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_count_fupd g =
m0.m0_state_count_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_count_fupd g ∘ h) =
m0.m0_state_count_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
((∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_exception_fupd g =
m0.m0_state_exception_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_exception_fupd g ∘ h) =
m0.m0_state_exception_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)) ∧
(∀g f.
m0.m0_state_pending_fupd f ∘ m0.m0_state_pcinc_fupd g =
m0.m0_state_pcinc_fupd g ∘ m0.m0_state_pending_fupd f) ∧
∀h g f.
m0.m0_state_pending_fupd f ∘ (m0.m0_state_pcinc_fupd g ∘ h) =
m0.m0_state_pcinc_fupd g ∘ (m0.m0_state_pending_fupd f ∘ h)
External Type Operators
- →
- bool
- Data
- List
- list
- Option
- option
- Pair
- ×
- Unit
- unit
- List
- HOL4
- bool
- bool.itself
- fcp
- fcp.bit0
- fcp.bit1
- fcp.cart
- ind_type
- ind_type.recspace
- integer
- integer.int
- string
- string.char
- bool
- Number
- Natural
- natural
- Natural
External Constants
- =
- select
- Data
- Bool
- ∀
- ∧
- ⇒
- ∃
- ∨
- ¬
- cond
- ⊥
- ⊤
- List
- ::
- @
- []
- head
- length
- Option
- some
- Pair
- ,
- fst
- snd
- Unit
- ()
- Bool
- Function
- const
- id
- ∘
- HOL4
- arithmetic
- arithmetic.-
- arithmetic.BIT2
- arithmetic.DIV2
- arithmetic.FUNPOW
- basicSize
- basicSize.bool_size
- basicSize.one_size
- basicSize.option_size
- basicSize.pair_size
- bit
- bit.BIT
- bit.BITS
- bit.DIV_2EXP
- bit.MOD_2EXP
- bitstring
- bitstring.field
- bitstring.replicate
- bitstring.testbit
- bitstring.v2s
- bitstring.v2w
- bitstring.w2v
- bool
- bool.literal_case
- bool.the_value
- bool.ARB
- bool.IN
- bool.LET
- bool.TYPE_DEFINITION
- combin
- combin.UPDATE
- fcp
- fcp.dimindex
- fcp.fcp_index
- ind_type
- ind_type.CONSTR
- ind_type.FCONS
- integer
- integer.int_add
- integer.int_lt
- integer.int_min
- integer.int_neg
- integer.int_of_num
- integer.int_sub
- integer.Num
- integer_word
- integer_word.w2i
- list
- list.list_size
- list.EL
- numeral
- numeral.iDUB
- numeral.iSUB
- numeral.iZ
- numeral.iiSUC
- numeral.texp_help
- option
- option.option_CASE
- pair
- pair.pair_CASE
- pair.UNCURRY
- pred_set
- pred_set.EMPTY
- pred_set.INSERT
- prim_rec
- prim_rec.PRE
- state_transformer
- state_transformer.FOR
- string
- string.char_size
- string.CHR
- words
- words.bit_field_insert
- words.n2w
- words.sw2sw
- words.w2n
- words.w2w
- words.word_1comp
- words.word_2comp
- words.word_add
- words.word_and
- words.word_asr
- words.word_bit
- words.word_concat
- words.word_extract
- words.word_len
- words.word_lo
- words.word_log2
- words.word_lsl
- words.word_lsr
- words.word_msb
- words.word_mul
- words.word_or
- words.word_reverse
- words.word_ror
- words.word_sub
- words.word_xor
- arithmetic
- Number
- Natural
- *
- +
- <
- ≤
- >
- ≥
- ↑
- bit1
- div
- even
- min
- mod
- odd
- suc
- zero
- Natural
Assumptions
⊦ ⊤
⊦ 0 = 0
⊦ ∀n. 0 ≤ n
⊦ bool.LET = λf x. f x
⊦ ∀x. id x = x
⊦ (¬) = λt. t ⇒ ⊥
⊦ (∃) = λP. P ((select) P)
⊦ ∀t. (∀x. t) ⇔ t
⊦ ∀t. (λx. t x) = t
⊦ (∀) = λP. P = λx. ⊤
⊦ fcp.dimindex bool.the_value = arithmetic.BIT2 1
⊦ ∀x. x = x ⇔ ⊤
⊦ ∀A. A ⇒ ¬A ⇒ ⊥
⊦ ∀t. (t ⇒ ⊥) ⇒ ¬t
⊦ ∀x y. const x y = x
⊦ (⇒) = λp q. p ∧ q ⇔ p
⊦ fcp.dimindex bool.the_value = arithmetic.BIT2 7
⊦ ∀t. t ⇒ ⊥ ⇔ t ⇔ ⊥
⊦ ∀n. suc n = 1 + n
⊦ ∀x y. fst (x, y) = x
⊦ ∀x y. snd (x, y) = y
⊦ ∀h t. head (h :: t) = h
⊦ ∀f x. bool.LET f x = f x
⊦ ∀x. ∃q r. x = (q, r)
⊦ ∀x y. x = y ⇔ y = x
⊦ ∀m n. m + n = n + m
⊦ (¬A ⇒ ⊥) ⇒ (A ⇒ ⊥) ⇒ ⊥
⊦ ∀A B. A ⇒ B ⇔ ¬A ∨ B
⊦ ∀m n. m < n ⇔ suc m ≤ n
⊦ ∀n x. bit.DIV_2EXP n x = arithmetic.FUNPOW arithmetic.DIV2 n x
⊦ ∀m n. ¬(m < n) ⇔ n ≤ m
⊦ (∧) = λp q. (λf. f p q) = λf. f ⊤ ⊤
⊦ ∀n. odd n ⇔ n mod arithmetic.BIT2 0 = 1
⊦ (∃) = λP. ∀q. (∀x. P x ⇒ q) ⇒ q
⊦ ∀f g x. (f ∘ g) x = f (g x)
⊦ ∀x n. bit.MOD_2EXP x n = n mod arithmetic.BIT2 0 ↑ x
⊦ ∀P a. (∃x. x = a ∧ P x) ⇔ P a
⊦ ∀P t. (∀x. x = t ⇒ P x) ⇒ (∃) P
⊦ ∀f x y. pair.UNCURRY f (x, y) = f x y
⊦ (∨) = λt1 t2. ∀t. (t1 ⇒ t) ⇒ (t2 ⇒ t) ⇒ t
⊦ ∀t1 t2. (t1 ⇒ t2) ⇒ (t2 ⇒ t1) ⇒ (t1 ⇔ t2)
⊦ ∀m n. m = n ⇔ m ≤ n ∧ n ≤ m
⊦ ∀b n. bit.BIT b n ⇔ bit.BITS b b n = 1
⊦ (p ⇔ ¬q) ⇔ (p ∨ q) ∧ (¬q ∨ ¬p)
⊦ ¬(¬A ∨ B) ⇒ ⊥ ⇔ A ⇒ ¬B ⇒ ⊥
⊦ ∀w b.
b < fcp.dimindex bool.the_value ⇒
(fcp.fcp_index w b ⇔ words.word_bit b w)
⊦ list.EL 0 = head ∧ list.EL (suc n) (l :: ls) = list.EL n ls
⊦ ¬(A ∨ B) ⇒ ⊥ ⇔ (A ⇒ ⊥) ⇒ ¬B ⇒ ⊥
⊦ ∀t1 t2 t3. t1 ∧ t2 ∧ t3 ⇔ (t1 ∧ t2) ∧ t3
⊦ ∀t1 t2 t3. t1 ⇒ t2 ⇒ t3 ⇔ t1 ∧ t2 ⇒ t3
⊦ ∀A B C. A ∨ B ∨ C ⇔ (A ∨ B) ∨ C
⊦ ∀m n p. m + (n + p) = m + n + p
⊦ ∀m n p. m + n ≤ m + p ⇔ n ≤ p
⊦ ∀m n p. m ≤ n ∧ n ≤ p ⇒ m ≤ p
⊦ ∀f g h. f ∘ (g ∘ h) = f ∘ g ∘ h
⊦ ∀t1 t2. (if ⊤ then t1 else t2) = t1 ∧ (if ⊥ then t1 else t2) = t2
⊦ ∀t1 t2. (t1 ⇔ t2) ⇔ t1 ∧ t2 ∨ ¬t1 ∧ ¬t2
⊦ ∀n m. arithmetic.- n m = if m < n then numeral.iSUB ⊤ n m else 0
⊦ ∀n v.
words.word_bit n (bitstring.v2w v) ⇔
n < fcp.dimindex bool.the_value ∧ bitstring.testbit n v
⊦ length [] = 0 ∧ ∀h t. length (h :: t) = suc (length t)
⊦ (∀t. ¬¬t ⇔ t) ∧ (¬⊤ ⇔ ⊥) ∧ (¬⊥ ⇔ ⊤)
⊦ ∀m n. ¬(m = n) ⇔ suc m ≤ n ∨ suc n ≤ m
⊦ ∀h l n.
bit.BITS h l n =
bit.MOD_2EXP (arithmetic.- (suc h) l) (bit.DIV_2EXP l n)
⊦ ∀b n.
words.word_bit b (words.n2w n) ⇔
b ≤ arithmetic.- (fcp.dimindex bool.the_value) 1 ∧ bit.BIT b n
⊦ ∀x y.
x = y ⇔
∀i.
i < fcp.dimindex bool.the_value ⇒
fcp.fcp_index x i = fcp.fcp_index y i
⊦ ∀x y a b. (x, y) = (a, b) ⇔ x = a ∧ y = b
⊦ ∀Fn. ∃f. ∀c i r. f (ind_type.CONSTR c i r) = Fn c i r (λn. f (r n))
⊦ ∀n.
numeral.iDUB (bit1 n) = arithmetic.BIT2 (numeral.iDUB n) ∧
numeral.iDUB (arithmetic.BIT2 n) = arithmetic.BIT2 (bit1 n) ∧
numeral.iDUB 0 = 0
⊦ (p ⇔ q ∨ r) ⇔ (p ∨ ¬q) ∧ (p ∨ ¬r) ∧ (q ∨ r ∨ ¬p)
⊦ ∀b v.
bitstring.testbit b v ⇔
bool.LET (λn. b < n ∧ list.EL (arithmetic.- (arithmetic.- n 1) b) v)
(length v)
⊦ (∀a f. ind_type.FCONS a f 0 = a) ∧
∀a f n. ind_type.FCONS a f (suc n) = f n
⊦ ∀x x' y y'. (x ⇔ x') ∧ (x' ⇒ (y ⇔ y')) ⇒ (x ⇒ y ⇔ x' ⇒ y')
⊦ (p ⇔ q ∧ r) ⇔ (p ∨ ¬q ∨ ¬r) ∧ (q ∨ ¬p) ∧ (r ∨ ¬p)
⊦ suc 0 = 1 ∧ (∀n. suc (bit1 n) = arithmetic.BIT2 n) ∧
∀n. suc (arithmetic.BIT2 n) = bit1 (suc n)
⊦ P (arithmetic.- a b) ⇔ ∀d. (b = a + d ⇒ P 0) ∧ (a = b + d ⇒ P d)
⊦ ∀A B. (¬(A ∧ B) ⇔ ¬A ∨ ¬B) ∧ (¬(A ∨ B) ⇔ ¬A ∧ ¬B)
⊦ list.EL (bit1 n) (l :: ls) = list.EL (prim_rec.PRE (bit1 n)) ls ∧
list.EL (arithmetic.BIT2 n) (l :: ls) = list.EL (bit1 n) ls
⊦ bool.TYPE_DEFINITION =
λP rep.
(∀x' x''. rep x' = rep x'' ⇒ x' = x'') ∧ ∀x. P x ⇔ ∃x'. x = rep x'
⊦ ∀t. ((⊤ ⇔ t) ⇔ t) ∧ ((t ⇔ ⊤) ⇔ t) ∧ ((⊥ ⇔ t) ⇔ ¬t) ∧ ((t ⇔ ⊥) ⇔ ¬t)
⊦ ∀P.
(∃rep. bool.TYPE_DEFINITION P rep) ⇒
∃rep abs. (∀a. abs (rep a) = a) ∧ ∀r. P r ⇔ rep (abs r) = r
⊦ numeral.texp_help 0 acc = arithmetic.BIT2 acc ∧
numeral.texp_help (bit1 n) acc =
numeral.texp_help (prim_rec.PRE (bit1 n)) (bit1 acc) ∧
numeral.texp_help (arithmetic.BIT2 n) acc =
numeral.texp_help (bit1 n) (bit1 acc)
⊦ arithmetic.BIT2 0 ↑ 0 = 1 ∧
arithmetic.BIT2 0 ↑ bit1 n =
numeral.texp_help (prim_rec.PRE (bit1 n)) 0 ∧
arithmetic.BIT2 0 ↑ arithmetic.BIT2 n = numeral.texp_help (bit1 n) 0
⊦ ∀t. (⊤ ∧ t ⇔ t) ∧ (t ∧ ⊤ ⇔ t) ∧ (⊥ ∧ t ⇔ ⊥) ∧ (t ∧ ⊥ ⇔ ⊥) ∧ (t ∧ t ⇔ t)
⊦ ∀t. (⊤ ∨ t ⇔ ⊤) ∧ (t ∨ ⊤ ⇔ ⊤) ∧ (⊥ ∨ t ⇔ t) ∧ (t ∨ ⊥ ⇔ t) ∧ (t ∨ t ⇔ t)
⊦ 0 + m = m ∧ m + 0 = m ∧ suc m + n = suc (m + n) ∧ m + suc n = suc (m + n)
⊦ arithmetic.FUNPOW f 0 x = x ∧
arithmetic.FUNPOW f (bit1 n) x =
arithmetic.FUNPOW f (prim_rec.PRE (bit1 n)) (f x) ∧
arithmetic.FUNPOW f (arithmetic.BIT2 n) x =
arithmetic.FUNPOW f (bit1 n) (f x)
⊦ (p ⇔ q ⇔ r) ⇔ (p ∨ q ∨ r) ∧ (p ∨ ¬r ∨ ¬q) ∧ (q ∨ ¬r ∨ ¬p) ∧ (r ∨ ¬q ∨ ¬p)
⊦ prim_rec.PRE 0 = 0 ∧ prim_rec.PRE 1 = 0 ∧
(∀n.
prim_rec.PRE (bit1 (bit1 n)) =
arithmetic.BIT2 (prim_rec.PRE (bit1 n))) ∧
(∀n.
prim_rec.PRE (bit1 (arithmetic.BIT2 n)) = arithmetic.BIT2 (bit1 n)) ∧
∀n. prim_rec.PRE (arithmetic.BIT2 n) = bit1 n
⊦ (∀m n.
m < bit1 n ⇔
m = arithmetic.- (bit1 n) 1 ∨ m < arithmetic.- (bit1 n) 1) ∧
∀m n. m < arithmetic.BIT2 n ⇔ m = bit1 n ∨ m < bit1 n
⊦ ∀m n.
0 * m = 0 ∧ m * 0 = 0 ∧ 1 * m = m ∧ m * 1 = m ∧ suc m * n = m * n + n ∧
m * suc n = m + m * n
⊦ ∀n m.
(0 ≤ n ⇔ ⊤) ∧ (bit1 n ≤ 0 ⇔ ⊥) ∧ (arithmetic.BIT2 n ≤ 0 ⇔ ⊥) ∧
(bit1 n ≤ bit1 m ⇔ n ≤ m) ∧ (bit1 n ≤ arithmetic.BIT2 m ⇔ n ≤ m) ∧
(arithmetic.BIT2 n ≤ bit1 m ⇔ ¬(m ≤ n)) ∧
(arithmetic.BIT2 n ≤ arithmetic.BIT2 m ⇔ n ≤ m)
⊦ ∀n m.
(0 < bit1 n ⇔ ⊤) ∧ (0 < arithmetic.BIT2 n ⇔ ⊤) ∧ (n < 0 ⇔ ⊥) ∧
(bit1 n < bit1 m ⇔ n < m) ∧
(arithmetic.BIT2 n < arithmetic.BIT2 m ⇔ n < m) ∧
(bit1 n < arithmetic.BIT2 m ⇔ ¬(m < n)) ∧
(arithmetic.BIT2 n < bit1 m ⇔ n < m)
⊦ ∀n m.
(0 = bit1 n ⇔ ⊥) ∧ (bit1 n = 0 ⇔ ⊥) ∧ (0 = arithmetic.BIT2 n ⇔ ⊥) ∧
(arithmetic.BIT2 n = 0 ⇔ ⊥) ∧ (bit1 n = arithmetic.BIT2 m ⇔ ⊥) ∧
(arithmetic.BIT2 n = bit1 m ⇔ ⊥) ∧ (bit1 n = bit1 m ⇔ n = m) ∧
(arithmetic.BIT2 n = arithmetic.BIT2 m ⇔ n = m)
⊦ ∀b n m.
numeral.iSUB b 0 x = 0 ∧ numeral.iSUB ⊤ n 0 = n ∧
numeral.iSUB ⊥ (bit1 n) 0 = numeral.iDUB n ∧
numeral.iSUB ⊤ (bit1 n) (bit1 m) = numeral.iDUB (numeral.iSUB ⊤ n m) ∧
numeral.iSUB ⊥ (bit1 n) (bit1 m) = bit1 (numeral.iSUB ⊥ n m) ∧
numeral.iSUB ⊤ (bit1 n) (arithmetic.BIT2 m) =
bit1 (numeral.iSUB ⊥ n m) ∧
numeral.iSUB ⊥ (bit1 n) (arithmetic.BIT2 m) =
numeral.iDUB (numeral.iSUB ⊥ n m) ∧
numeral.iSUB ⊥ (arithmetic.BIT2 n) 0 = bit1 n ∧
numeral.iSUB ⊤ (arithmetic.BIT2 n) (bit1 m) =
bit1 (numeral.iSUB ⊤ n m) ∧
numeral.iSUB ⊥ (arithmetic.BIT2 n) (bit1 m) =
numeral.iDUB (numeral.iSUB ⊤ n m) ∧
numeral.iSUB ⊤ (arithmetic.BIT2 n) (arithmetic.BIT2 m) =
numeral.iDUB (numeral.iSUB ⊤ n m) ∧
numeral.iSUB ⊥ (arithmetic.BIT2 n) (arithmetic.BIT2 m) =
bit1 (numeral.iSUB ⊥ n m)
⊦ ∀n m.
numeral.iZ (0 + n) = n ∧ numeral.iZ (n + 0) = n ∧
numeral.iZ (bit1 n + bit1 m) = arithmetic.BIT2 (numeral.iZ (n + m)) ∧
numeral.iZ (bit1 n + arithmetic.BIT2 m) = bit1 (suc (n + m)) ∧
numeral.iZ (arithmetic.BIT2 n + bit1 m) = bit1 (suc (n + m)) ∧
numeral.iZ (arithmetic.BIT2 n + arithmetic.BIT2 m) =
arithmetic.BIT2 (suc (n + m)) ∧ suc (0 + n) = suc n ∧
suc (n + 0) = suc n ∧ suc (bit1 n + bit1 m) = bit1 (suc (n + m)) ∧
suc (bit1 n + arithmetic.BIT2 m) = arithmetic.BIT2 (suc (n + m)) ∧
suc (arithmetic.BIT2 n + bit1 m) = arithmetic.BIT2 (suc (n + m)) ∧
suc (arithmetic.BIT2 n + arithmetic.BIT2 m) =
bit1 (numeral.iiSUC (n + m)) ∧
numeral.iiSUC (0 + n) = numeral.iiSUC n ∧
numeral.iiSUC (n + 0) = numeral.iiSUC n ∧
numeral.iiSUC (bit1 n + bit1 m) = arithmetic.BIT2 (suc (n + m)) ∧
numeral.iiSUC (bit1 n + arithmetic.BIT2 m) =
bit1 (numeral.iiSUC (n + m)) ∧
numeral.iiSUC (arithmetic.BIT2 n + bit1 m) =
bit1 (numeral.iiSUC (n + m)) ∧
numeral.iiSUC (arithmetic.BIT2 n + arithmetic.BIT2 m) =
arithmetic.BIT2 (numeral.iiSUC (n + m))
⊦ (∀n. 0 + n = n) ∧ (∀n. n + 0 = n) ∧ (∀n m. n + m = numeral.iZ (n + m)) ∧
(∀n. 0 * n = 0) ∧ (∀n. n * 0 = 0) ∧ (∀n m. n * m = n * m) ∧
(∀n. arithmetic.- 0 n = 0) ∧ (∀n. arithmetic.- n 0 = n) ∧
(∀n m. arithmetic.- n m = arithmetic.- n m) ∧ (∀n. 0 ↑ bit1 n = 0) ∧
(∀n. 0 ↑ arithmetic.BIT2 n = 0) ∧ (∀n. n ↑ 0 = 1) ∧
(∀n m. n ↑ m = n ↑ m) ∧ suc 0 = 1 ∧ (∀n. suc n = suc n) ∧
prim_rec.PRE 0 = 0 ∧ (∀n. prim_rec.PRE n = prim_rec.PRE n) ∧
(∀n. n = 0 ⇔ n = 0) ∧ (∀n. 0 = n ⇔ n = 0) ∧ (∀n m. n = m ⇔ n = m) ∧
(∀n. n < 0 ⇔ ⊥) ∧ (∀n. 0 < n ⇔ 0 < n) ∧ (∀n m. n < m ⇔ n < m) ∧
(∀n. 0 > n ⇔ ⊥) ∧ (∀n. n > 0 ⇔ 0 < n) ∧ (∀n m. n > m ⇔ m < n) ∧
(∀n. 0 ≤ n ⇔ ⊤) ∧ (∀n. n ≤ 0 ⇔ n ≤ 0) ∧ (∀n m. n ≤ m ⇔ n ≤ m) ∧
(∀n. n ≥ 0 ⇔ ⊤) ∧ (∀n. 0 ≥ n ⇔ n = 0) ∧ (∀n m. n ≥ m ⇔ m ≤ n) ∧
(∀n. odd n ⇔ odd n) ∧ (∀n. even n ⇔ even n) ∧ ¬odd 0 ∧ even 0