# A formal specification for BIL: BIL Instruction Language

# October 5, 2018

# Contents

| 1 | Introduction                                 | 2         |  |  |  |
|---|----------------------------------------------|-----------|--|--|--|
| 2 |                                              | 2         |  |  |  |
|   | 2.1 Metavariables                            | 2         |  |  |  |
|   | 2.2 BIL syntax                               |           |  |  |  |
|   | 2.3 Bitvector syntax                         | 4         |  |  |  |
|   | 2.4 Value syntax                             | 5         |  |  |  |
|   | 2.5 Context syntax                           | 5         |  |  |  |
|   | 2.6 Formula syntax                           | 5         |  |  |  |
|   | 2.7 Instruction syntax                       | 6         |  |  |  |
| 3 | 3 Typing                                     |           |  |  |  |
| 4 | Operational semantics 4.1 Model of a program | <b>10</b> |  |  |  |
| 5 | Semantics of statements                      | 10        |  |  |  |
| 6 | Semantics of expressions 1                   |           |  |  |  |

#### 1 Introduction

This document describes the syntax and semantics of BAP Instruction Language. The language is used to represent a semantics of machine instructions. Each machine instruction is represented by a BIL program that captures side effect of the instruction.

# 2 Syntax

#### 2.1 Metavariables

We define a small set of metavariables that are used to denote subscripts, numerals and string literals:

```
index, m, n subscripts id a literal for variable num number literal string, str quoted string literal
```

#### 2.2 BIL syntax

BIL program is reperesented as a sequence of statements. Each statement performs some side-effectful computation.

```
bil, seq
              ::=
                     \{s_1; ...; s_n\} S
stmt, s
                                                   - assign exp to var
                     var := exp
                                                   - transfer control to a given address e
                    \mathbf{jmp}\ e
                    \mathbf{cpuexn}(num)
                                                   - interrupt CPU with a given interrupt num
                                                   - instruction with unknown semantics
                    special(string)
                    while (exp)seq
                                                   - eval seq while exp is true
                                            S
                    if (e) seq
                                                   - eval seq if e is true
                                                   - if e is true then eval seq_1 else seq_2
                    if (e) seq<sub>1</sub> else seq<sub>2</sub>
```

BIL expressions are side-effect free. Expressions include a usual set of operations on bitvectors, like arithmetic operations and converting bitvectors of one size to bitvectors of another size (casting in BIL parlance). We write  $[e_1/var]e_2$  for the capture-avoiding substitution of  $e_1$  for free occurances of var in  $e_2$ 

```
exp, e
                                                         S
                   (exp)
                                                                – a variable
                   var
                                                                - an immediate value
                   word
                   v[w \leftarrow v' : sz]
                                                                – a memory value
                   e_1[e_2, endian]: nat
                                                                - load a value from address e_2 at storage e_1
                   e_1 with [e_2, endian] : nat \leftarrow e_3
                                                                - update a storage e_1 with binding e_2 \leftarrow e_3
                                                                – perform binary operation on e_1 and e_2
                   e_1 \ bop \ e_2
                   uop e_1
                                                                – perform an unary operation on e_1
                                                                – extract or extend bitvector e
                   cast: nat[e]
                   let var = e_1 in e_2
                                                                - bind e_1 to var in expression e_2
                   \mathbf{unknown}\left[string\right]:type
                                                                - unknown or undefined value of a given type
                                                                – evaluates to e_2 if e_1 is true else to e_3
                   ite e_1 e_2 e_3
```

```
\mathbf{extract} : nat_1 : nat_2[e]
                                            - extract or extend bitvector e
         e_1@e_2
                                            – concatenate two bitvector e_1 to e_2
        [e_1/var]e_2
                                     Μ
                                            - the (capture avoiding) substitution of e_1 for var in e_2
var
         ::=
               id:type S
bop
                 ::=
                                          - arithmetic operators
                       aop

    logical operators

                       lop
aop
                                          – plus
                       +
                                          - minus
                                          - times
                                          divide
                       signed
                                          - signed divide
                       %
                                          - modulo
                       signed
                                          - signed modulo
                                          - bitwise and
                       &
                                          – bitwise or
                                          - bitwise xor
                       xor

    logical shift left

                       \ll
                       \gg

    logical shift right

                                          - arithmetic shift right
                       >>>
lop
                                          - equality
                                          - non-equality
                                          - less than
                                          - less than or equal
                                          - signed less than
                       signed
                                          - signed less than or equal
uop
                                          - unary negation
                                          - bitwise complement
endian, ed
                                          - little endian
                       \mathbf{el}
                                          – big endian
                       \mathbf{be}
cast
                 ::=
                       low
                                          - extract lower bits
                       high
                                          - extract high bits
                       signed
                                          - extend with sign bit
                       unsigned
                                          - extend with zero
```

The type system of BIL consists of two type families - immediate values, indexed by a bitwidth, and storagies (aka memories), indexed with address bitwidth and values bitwidth.

```
\begin{array}{llll} \textit{type}, \ t & ::= & & & & & & & & & \\ & | & \mathbf{imm} < sz > & & & & & - \text{immediate of size } sz \\ & | & \mathbf{mem} < sz_1, sz_2 > & & & - \text{memory with address size } sz_1 \text{ and element size } sz_2 \\ & | & type(v) & \mathsf{M} & & \text{a function that computes the type of a value} \end{array}
```

#### 2.3 Bitvector syntax

We define a type of *words*, which are concrete bitvectors represented by a pair of value and size. Many operations on words are required by the semantics and are listed below.

Operations marked with sbv are signed. All other operations are unsigned (if it does matter). Operations ext and exts performs extract/extend operation. The former is unsigned (i.e., it extends with zeros), the latter is signed. This operation extracts bits from a bitvector starting from hi and ending with lo bit (both ends included). If hi is greater than the bitwidth of the bitvector, then it is extended with zeros (for ext operation) or with a sign bit (for exts) operation.

| nond an |                                                          | 1 | , , , , , , , , , , , , , , , , , , , , |
|---------|----------------------------------------------------------|---|-----------------------------------------|
| vord, w | ::=<br>                                                  | М |                                         |
|         | num:nat                                                  | S |                                         |
|         | $egin{array}{ccc} (w) \ 1:nat \end{array}$               | S |                                         |
|         | true                                                     | S | – sugar for 1:1                         |
|         | false                                                    | S | - sugar for 0:1                         |
|         | bv                                                       |   | _                                       |
|         | $\begin{vmatrix} w_1 + w_2 \\ bv \end{vmatrix}$          | S | – plus                                  |
|         | $  w_1 - w_2  $                                          | S | – minus                                 |
|         | $  w_1 \overset{bv}{*} w_2$                              | S | - times                                 |
|         | $ \hspace{.05cm}w_1\hspace{.05cm}/\hspace{.05cm}w_2$     | S | - division                              |
|         | $   w_1 \stackrel{sbv}{/} w_2  $                         | S | - signed division                       |
|         | $ \hspace{.05cm}w_1\stackrel{bv}{\%}w_2$                 | S | – modulo                                |
|         | $ \hspace{.05cm}w_1\stackrel{sbv}{\%}w_2$                | S | - signed modulo                         |
|         | $  w_1 \stackrel{bv}{\ll} w_2$                           | S | – logical shift left                    |
|         | $  w_1 \stackrel{bv}{\gg} w_2$                           | S | – logical shift right                   |
|         | $  w_1 \gg w_2$                                          | S | – arithmetic shift right                |
|         | $  w_1 \overset{bv}{\&} w_2$                             | S | – bitwise and                           |
|         | $ \hspace{.05cm} w_1 \hspace{.1cm}  \hspace{.1cm} w_2$   | S | – bitwise or                            |
|         | $  w_1 \stackrel{bv}{xor} w_2$                           | S | – bitwise xor                           |
|         | $  w_1 \stackrel{bv}{<} w_2$                             | S | – less than                             |
|         | $  w_1 \stackrel{sbv}{<} w_2$                            | S | – signed less than                      |
|         | $\begin{vmatrix} bv \\ -w \end{vmatrix}$                 | S | - integer negation                      |
|         | $\stackrel{bv}{\sim} w$                                  | S | - logical negation                      |
|         | $  w_1 \stackrel{bv}{\cdot} w_2$                         | S | - concatenation                         |
|         | ext $w \sim \mathbf{hi} : sz_1 \sim \mathbf{lo} : sz_2$  | S | - extract/extend                        |
|         | exts $w \sim \mathbf{hi} : sz_1 \sim \mathbf{lo} : sz_2$ | S | <ul><li>signed extract/extend</li></ul> |

#### 2.4 Value syntax

Values are syntactic subset of expressions. They are used to represent expressions that are not reducible.

We have three kinds of values — immediates, represented as bitvectors; unknown values and storages (memories in BIL parlance), represented symbolically as a list of assignments:

```
\begin{array}{ll} val, \ v & ::= \\ & | \quad word \\ & | \quad v[w \leftarrow v':sz] \\ & | \quad \mathbf{unknown}\left[string\right]:type \end{array}
```

#### 2.5 Context syntax

Contexts are used in the typing judgments to specify the types of all variables. While each variable is annotated with its type, the context ensures that all uses of a given variable have the same type.

#### 2.6 Formula syntax

The following syntax is used to specify symbolic formulas in premises of judgments.

We use  $\Delta$  to denote set of bindings of variables to values. The  $\Delta$  context is represented as list of pairs. We write  $(var, v) \in \Delta$  to indicate that the value v is the right-most binding of var in  $\Delta$ . Additionally, we write  $dom(\Delta)$  for  $\Delta$ 's domain (the set of variables for which it contains values).

We also add a small set of operations over natural numbers, like comparison and arithmetics. Natural numbers are mostly used to reason about sizes of bitvectors, that's why they are often referred as sz.

We also add syntax for equality comparison for values and variables.

```
\Delta
                                          emptyextend
formula
                       judgement
                       (formula)
                       v_1 \neq v_2
                       var_1 \neq var_2
                       w_1 <> w_2
                       nat_1 > nat_2
                       nat_1 = nat_2
                       nat_1 >= nat_2
                                            Μ
                       nat_1\%sz = 0
                                            М
                       t_1 = t_2
                                            Μ
                       e_1 \stackrel{\text{def}}{:=} e_2
                                            Μ
```

```
nat, sz
```

Μ

#### 2.7Instruction syntax

To reason about the whole program we introduce a syntax for instruction. An instruction is a binary sequence of  $w_2$  bytes, that was read by a decoder from an address  $w_1$ . The semantics of an instruction is described by the bil program.

```
insn
                      \{ \mathbf{addr} = w_1; \mathbf{size} = w2; \mathbf{code} = bil \} S
```

## 3 Typing

This section defines typing rules for BIL programs. We define four judgements:  $\Gamma \vdash bil$  **is ok** for programs,  $\Gamma \vdash s$  **is ok** for statements,  $\Gamma \vdash e :: t$  for expressions, and  $\Gamma$  **is ok** for contexts.

BIL statement-level variables represent global state, and are implicitly declared at their first use. While variables carry their type with them, it is still necessary to track them in a context during type checking. This is required to rule out programs like:

if (foo) then 
$$\{x:imm<1> = 0\}$$
 else  $\{x:imm<32> = 42\}$ ; bar

Such a program would leave the type associated with x unclear in bar. This is ruled out because the typing rules are set up such that  $\Gamma \vdash bil$  is ok implies  $\Gamma$  is ok, which requires that each variable has a single type.

 $\Gamma \vdash bil \text{ is ok}$ 

$$\frac{\Gamma \vdash stmt \mathbf{isok}}{\Gamma \vdash \{stmt\} \mathbf{isok}} \xrightarrow{\mathbf{T\_SEQ\_ONE}}$$

$$\Gamma \vdash s_1 \mathbf{isok}$$

$$\frac{\Gamma \vdash \{s_2; ...; s_n\} \mathbf{isok}}{\Gamma \vdash \{s_1; s_2; ...; s_n\} \mathbf{isok}} \xrightarrow{\mathbf{T\_SEQ\_REC}}$$

 $\Gamma \vdash stmt \ \mathbf{is} \ \mathbf{ok}$ 

$$\begin{array}{c} \Gamma \vdash var :: t \\ \Gamma \vdash exp :: t \\ \hline \Gamma \vdash var := exp \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash var := exp \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{jmp} \ exp \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{jmp} \ exp \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{is} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{ok} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{cpuexn} \ (num) \ \mathbf{ok} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{ok} \ \mathbf{ok} \ \mathbf{ok} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{ok} \ \mathbf{ok} \ \mathbf{ok} \ \mathbf{ok} \\ \hline \Gamma \vdash \mathbf{ok} \ \mathbf{ok} \ \mathbf{o$$

 $\Gamma \vdash exp :: type$ 

$$\begin{aligned} &id:t \in \Gamma \\ &\frac{\Gamma \, \mathbf{is} \, \mathbf{ok}}{\Gamma \vdash id:t::t} \end{aligned} \quad \mathbf{T}_{-} \mathbf{VAR}$$

```
sz > 0
                                        \Gamma is ok
                                                                       - T_INT
                     \Gamma \vdash num : sz :: \mathbf{imm} < sz >
                      sz > 0
                      nat > 0
                      \Gamma \vdash v :: \mathbf{mem} < nat, sz >
                      \Gamma \vdash v' :: \mathbf{imm} < sz >
                                                                                          T\_MEM
   \Gamma \vdash v[num_1 : nat \leftarrow v' : sz] :: \mathbf{mem} < nat, sz >
                     sz'\%sz = 0
                     sz' > 0
                     \Gamma \vdash e_1 :: \mathbf{mem} < nat, sz >
                     \Gamma \vdash e_2 :: \mathbf{imm} < nat >
               \Gamma \vdash e_1[e_2, ed] : sz' :: \mathbf{imm} < sz' >  T_LOAD
                    sz'\%sz = 0
                    sz' > 0
                    \Gamma \vdash e_1 :: \mathbf{mem} < nat, sz >
                    \Gamma \vdash e_2 :: \mathbf{imm} < nat >
                    \Gamma \vdash e_3 :: \mathbf{imm} < sz' >
                                                                                          T_STORE
\overline{\Gamma \vdash e_1 \, \mathbf{with} \, [e_2, ed] : sz' \leftarrow e_3 :: \mathbf{mem} \, < nat, sz >}
                          \Gamma \vdash e_1 :: \mathbf{imm} < sz >
                          \Gamma \vdash e_2 :: \mathbf{imm} < sz >
                                                                          T_AOP
                     \overline{\Gamma \vdash e_1 \ aop \ e_2 :: \mathbf{imm} < sz >}
                           \Gamma \vdash e_1 :: \mathbf{imm} < sz >
                          \Gamma \vdash e_2 :: \mathbf{imm} < sz >
                      \Gamma \vdash e_1 lop \ e_2 :: \mathbf{imm} < 1 > T_LOP
                      \frac{\Gamma \vdash e_1 :: \mathbf{imm} < sz >}{\Gamma \vdash uop \ e_1 :: \mathbf{imm} < sz >} \quad \text{T_UOP}
                  sz > 0
                  sz >= nat
                  \Gamma \vdash e :: \mathbf{imm} < nat >
                                                                         T_CAST_WIDEN
     \overline{\Gamma \vdash widen\_cast : sz[e] :: \mathbf{imm} < sz >}
                sz > 0
                 nat >= sz
                 \Gamma \vdash e :: \mathbf{imm} < nat >
                                                                        T_CAST_NARROW
  \overline{\Gamma \vdash narrow\_cast : sz[e] :: \mathbf{imm} < sz >}
                                \Gamma \vdash e_1 :: t
                      \frac{\Gamma, id: t \vdash e_2 :: t'}{\Gamma \vdash \mathbf{let} \ id: t = e_1 \ \mathbf{in} \ e_2 :: t'} \quad \text{T_LET}
                                  t \mathbf{isok}
                                  \Gamma is ok
                 \overline{\Gamma \vdash \mathbf{unknown}\left[str\right] : t :: t}
                                                                   T_UNKNOWN
                            \Gamma \vdash e_1 :: \mathbf{imm} < 1 >
                            \Gamma \vdash e_2 :: t
                            \Gamma \vdash e_3 :: t
                                                                    T_{-}ITE
                              \Gamma \vdash \mathbf{ite} \ e_1 \ e_2 \ e_3 :: t
```

$$\begin{array}{c} \Gamma \vdash e :: \mathbf{imm} < sz > \\ sz_1 >= sz_2 \\ \hline \Gamma \vdash \mathbf{extract} : sz_1 : sz_2[e] :: \mathbf{imm} < sz_1 - sz_2 + 1 > \\ \hline \Gamma \vdash e_1 :: \mathbf{imm} < sz_1 > \\ \hline \Gamma \vdash e_2 :: \mathbf{imm} < sz_2 > \\ \hline \Gamma \vdash e_1 @ e_2 :: \mathbf{imm} < sz_1 + sz_2 > \\ \hline \end{array}$$

 $t \mathbf{isok}$ 

$$\begin{array}{c} sz > 0 \\ \overline{\mathbf{imm}} < sz > \mathbf{is}\,\mathbf{ok} \end{array} \quad \text{TWF\_IMM} \\ nat > 0 \\ sz > 0 \\ \overline{\mathbf{mem}} < nat, sz > \mathbf{is}\,\mathbf{ok} \end{array} \quad \text{TWF\_MEM}$$

 $\Gamma$  is ok

$$\begin{split} & \overline{[] \, \mathbf{is} \, \mathbf{ok}} \quad ^{\mathrm{TG\_NIL}} \\ & id \notin \mathsf{dom}(\Gamma) \\ & t \, \mathbf{is} \, \mathbf{ok} \\ & \underline{\Gamma \, \mathbf{is} \, \mathbf{ok}} \\ & \overline{(\Gamma, id: t) \, \mathbf{is} \, \mathbf{ok}} \end{split} \quad ^{\mathrm{TG\_CONS}}$$

## 4 Operational semantics

#### 4.1 Model of a program

Program is coinductively defined as an infinite stream of program states, produced by a step rule. Each state is represented with a triplet  $(\Delta, w, var)$ , where  $\Delta$  is a mapping from variables to values, w is a program counter, and var is a variable denoting currently active memory.

The step rule defines how a machine instruction is evaluated. We use "magic" rule decode that fetches instructions from the memory and decodes them to a BIL program.

The BIL code is evaluated using reduction rules of statements (see section 5). Then the program counter is updated with the  $w_3$ , that initially points to a byte following current instruction.

$$\begin{array}{c} [\Delta, w, var \leadsto \Delta', w', var'] \\ \\ \frac{delta, w, var \mapsto \{ \, \mathbf{addr} \, = w_1; \, \mathbf{size} \, = w2; \, \mathbf{code} \, = bil \} \\ \\ \frac{\Delta, w_1 + w_2 \vdash bil \leadsto \Delta', w_3, \{ \, \} }{\Delta, w, var \leadsto \Delta', w_3, var} \\ \\ \hline \frac{delta, w, var \mapsto insn}{} \end{array} ] \quad \text{STEP}$$

### 5 Semantics of statements

The reduction rule defines transformation of a state for each statement. The state of the reduction rule consists of a pair  $(\Delta, w)$ , where  $\Delta$  is a mapping from variables to values and w is an address of a next instruction.

Two statements affect the state: Move statement introduces new  $var \leftarrow v$  binding in  $\Delta$ , and Jmp affects program counter.

The if and while instructions introduce local control flow.

There is no special semantics associated with special and cpuexn statements.

$$\Delta, word \vdash stmt \leadsto \Delta', word'$$

$$\frac{\Delta \vdash e \leadsto^* v}{\Delta, w \vdash var := e \leadsto \Delta[var \leftarrow v], w} \quad \text{MOVE}$$

$$\frac{\Delta \vdash e \leadsto^* w'}{\Delta, w \vdash \mathbf{jmp} \ e \leadsto \Delta, w'} \quad \text{JMP}$$

$$\overline{\Delta, w \vdash \mathbf{cpuexn} \ (num) \leadsto \Delta, w} \quad \text{CPUEXN}$$

$$\overline{\Delta, w \vdash \mathbf{special} \ (str) \leadsto \Delta, w} \quad \text{SPECIAL}$$

$$\frac{\Delta \vdash e \leadsto^* \mathbf{true}}{\Delta, word \vdash seq \leadsto \Delta', word', \{\}} \quad \text{IFTHEN\_TRUE}$$

$$\frac{\Delta \vdash e \leadsto^* \mathbf{true}}{\Delta, word \vdash \mathbf{if} \ (e) seq \leadsto \Delta', word', \{\}}$$

$$\overline{\Delta, word \vdash \mathbf{if} \ (e) seq \ \mathbf{else} \ seq_1 \leadsto \Delta', word'} \quad \text{IF\_TRUE}$$

$$\frac{\Delta \vdash e \leadsto^* \mathbf{true}}{\Delta, word \vdash \mathbf{if} \ (e) seq \ \mathbf{else} \ seq_1 \leadsto \Delta', word'} \quad \text{IF\_TRUE}$$

$$\frac{\Delta \vdash e \leadsto^* \mathbf{false}}{\Delta, word \vdash \mathbf{seq} \leadsto \Delta', word', \{\}}$$

$$\frac{\Delta \vdash e \leadsto^* \mathbf{false}}{\Delta, word \vdash \mathbf{if} \ (e) seq_1 \ \mathbf{else} \ seq \leadsto \Delta', word'} \quad \text{IF\_FALSE}$$

$$\begin{array}{c} \Delta_{1} \vdash e \leadsto^{*} \mathbf{true} \\ \Delta_{1}, word_{1} \vdash seq \leadsto \Delta_{2}, word_{2}, \{ \} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \\ \overline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{1}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{1}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \end{array} \quad \text{WHILE} \\ \underline{\Delta_{2}, word_{1} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{3}, word_{3} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}, word_{2} \\ \underline{\Delta_{2}, word_{2} \vdash \mathbf{while}} \ (e)seq \leadsto \Delta_{2}$$

## 6 Semantics of expressions

This section describes a small step operational semantics for expressions. A symbolic formula  $\Delta \vdash e \rightarrow e'$  defines a step of transformation from expression e to an expression e' under given context  $\Delta$ .

A well formed (well typed) expression evaluates to a value expression, that is syntactic subset of expression grammar (see section 2.4).

A value can be either an immediate, represented by a bitvector, a unknown value, or a memory storage.

A memory storage is represented symbolically as a sequence of storages to the originally undefined memory. Each storage operation of size greater than 8 bits is desugared into a sequence of 8 bit storages in a big endian order.

A load operation will first reduce all sub expressions of a memory object to values and then recursively destruct the object until one of the following conditions is met:

**load-byte:** if the memory object is a storage of a value to an immediate (known) address that we're trying to load then the load expression is reduced to value.

**load-un-memory:** if the memory object is an unknown value, then the load expression evaluates to unknown.

**load-un-addr:** if the memory object is a storage to **unknown** value address then load expression evaluates to **unknown**.

This section also defines  $\Delta \vdash e_1 \leadsto^* e_2$ . This relation is the reflexive, transitive closure of  $\leadsto$ . It is useful to describe reductions that may take many steps. For example, in the evaluation rules for statements, it is often necessary to evaluate an expression completely to a value. The  $\leadsto^*$  relation is used to allow reductions that take an indeterminate number of individual  $\leadsto$  steps. Such a derivation can be built with repeated use of the REDUCE rule.

Some evaluation rules depend on the type of a value. Since there are two canonical forms for each type, we avoid duplicating each rule by defining the following metafunction:

|type(v)| a function that computes the type of a value

```
type(num:nat) \equiv imm < nat >
                                                 type(\mathbf{unknown}[str]:t) \equiv t
    \Delta \vdash exp \leadsto exp'
                                                                           \frac{(var, v) \in \Delta}{\Delta \vdash var \leadsto v} \quad \text{VAR\_IN}
                                                               id: type \notin \mathsf{dom}(\Delta)
                                            \frac{ds \cdot type}{\Delta \vdash id : type} \rightsquigarrow \mathbf{unknown} [str] : type  VAR_UNKNOWN
                                             \frac{\Delta \vdash e_2 \leadsto e_2'}{\Delta \vdash e_1[e_2, ed] : sz \leadsto e_1[e_2', ed] : sz} \quad \text{LOAD\_STEP\_ADDR}
                                              \frac{\Delta \vdash e_1 \leadsto e_1'}{\Delta \vdash e_1[v_2, ed] : sz \leadsto e_1'[v_2, ed] : sz} \quad \text{LOAD\_STEP\_MEM}
                                                 \overline{\Delta \vdash v[w \leftarrow v':sz][w,ed']:sz \leadsto v'} \quad \text{LOAD\_BYTE}
                        \frac{w_1 \neq w_2}{\Delta \vdash v[w_1 \leftarrow v' : sz][w_2, ed] : sz \leadsto v[w_2, ed] : sz} \quad \text{LOAD\_BYTE\_FROM\_NEXT}
             \overline{\Delta \vdash (\mathbf{unknown}\,[str]:t)[v,ed]: sz \leadsto \mathbf{unknown}\,[str]: \mathbf{imm}\, < sz >} \quad \text{LOAD\_UN\_MEM}
                                                                                                                                                                              LOAD_UN_ADDR
\overline{\Delta \vdash (v[w_1 \leftarrow v':sz])[\mathbf{unknown}\,[str]:t,ed]:sz' \leadsto \mathbf{unknown}\,[str]:\mathbf{imm}\,< sz'>}
                                                    \operatorname{succ} w = w'
                                                    type(v) = \mathbf{mem} < nat, sz >
                       \frac{1}{\Delta \vdash v[w, \mathbf{be}] : sz' \leadsto v[w, \mathbf{be}] : sz@(v[w', \mathbf{be}] : (sz' - sz))} \quad \text{LOAL_BE}
                                                    sz' > sz
                                                    \operatorname{succ} w = w'
                         \frac{type(v) = \mathbf{mem} < nat, sz >}{\Delta \vdash v[w, \mathbf{el}] : sz' \leadsto v[w', \mathbf{el}] : (sz' - sz)@(v[w, \mathbf{be}] : sz)}
                                                                                                                                                LOAD_WORD_EL
                      \frac{\Delta \vdash e_3 \leadsto e_3'}{\Delta \vdash e_1 \, \mathbf{with} \, [e_2, ed] : sz \leftarrow e_3 \leadsto e_1 \, \mathbf{with} \, [e_2, ed] : sz \leftarrow e_3'}
                                                                                                                                             STORE_STEP_VAL
                    \frac{\Delta \vdash e_2 \leadsto e_2'}{\Delta \vdash e_1 \, \mathbf{with} \, [e_2, ed] : sz \leftarrow v_3 \leadsto e_1 \, \mathbf{with} \, [e_2', ed] : sz \leftarrow v_3}
                                                                                                                                              STORE_STEP_ADDR
                     \frac{\Delta \vdash e_1 \leadsto e_1'}{\Delta \vdash e_1 \, \mathbf{with} \, [v_2, ed] : sz \leftarrow v_3 \leadsto e_1' \, \mathbf{with} \, [v_2, ed] : sz \leftarrow v_3} \quad \text{STORE\_STEP\_MEM}
                                          \operatorname{succ} w = w'
                                          type(v) = \mathbf{mem} < nat, sz >
                                          e_1 \stackrel{\mathrm{def}}{:=} (v \ \mathbf{with} \ [w, \mathbf{be}] : sz \leftarrow \mathbf{high} : sz[val])
\frac{1}{\Delta \vdash v \text{ with } [w, \mathbf{be}] : sz' \leftarrow val \leadsto e_1 \text{ with } [w', \mathbf{be}] : (sz' - sz) \leftarrow \mathbf{low} : (sz' - sz)[val]}
                                                                                                                                                                                STORE_WORD_BE
                                           sz' > sz
                                           \operatorname{succ} w = w'
                                           type(v) = \mathbf{mem} < nat, sz >
\frac{e_1 \overset{\text{def}}{:=} (v \, \mathbf{with} \, [w, \mathbf{el}] : sz \leftarrow \mathbf{low} : sz[val])}{\Delta \vdash v \, \mathbf{with} \, [w, \mathbf{el}] : sz' \leftarrow val \leadsto e_1 \, \mathbf{with} \, [w', \mathbf{el}] : (sz' - sz) \leftarrow \mathbf{high} : (sz' - sz)[val]}
                                                                                                                                                                               STORE_WORD_EL
```

 $type(v[num_1:nat \leftarrow v':sz]) \equiv \mathbf{mem} < nat, sz >$ 

```
\frac{type(v) = \mathbf{mem} < nat, sz >}{\Delta \vdash v \, \mathbf{with} \, [w, ed] : sz \leftarrow v' \leadsto v[w \leftarrow v' : sz]}
                                                                                                                                             STORE_VAL
\frac{sgpe(v) = v}{\Delta \vdash v \text{ with } [\text{unknown } [str] : t', ed] : sz' \leftarrow v_2 \rightsquigarrow \text{unknown } [str] : t}
                                                                                                                                                                STORE_UN_ADDR
                                    \frac{\Delta \vdash e_1 \leadsto e_1'}{\Delta \vdash \mathbf{let} \ var = e_1 \ \mathbf{in} \ e_2 \leadsto \mathbf{let} \ var = e_1' \ \mathbf{in} \ e_2}
                                                      \overline{\Delta \vdash \mathbf{let} \ var = v \ \mathbf{in} \ e \leadsto [v/var]e}
                                            \frac{\Delta \vdash e_1 \leadsto e_1'}{\Delta \vdash \mathbf{ite} \; e_1 \; v_2 \; v_3 \leadsto \mathbf{ite} \; e_1' \; v_2 \; v_3} \quad \text{ITE\_STEP\_COND}
                                            \frac{\Delta \vdash e_2 \leadsto e_2'}{\Delta \vdash \mathbf{ite} \ e_1 \ e_2 \ v_3 \leadsto \mathbf{ite} \ e_1 \ e_2' \ v_3}
                                                                                                                   ITE_STEP_THEN
                                              \frac{\Delta \vdash e_3 \leadsto e_3'}{\Delta \vdash \mathbf{ite} \; e_1 \; e_2 \; e_3 \leadsto \mathbf{ite} \; e_1 \; e_2 \; e_3'} \quad \text{ITE\_STEP\_ELSE}
                                                                                                                   ITE_TRUE
                                                          \overline{\Delta \vdash \mathbf{ite}\,\mathbf{true}\,v_2\,v_3 \leadsto v_2}
                                                         \overline{\Delta \vdash \mathbf{ite \, false} \, v_2 \, v_3 \leadsto v_3}
                                                                                                                   ITE_FALSE
                         \frac{type(v_2) = t'}{\Delta \vdash \mathbf{ite} \, \mathbf{unknown} \, [str] : t \, v_2 \, v_3 \leadsto \mathbf{unknown} \, [str] : t'}
                                                                                                                                                         ITE_UNK
                                                        \frac{\Delta \vdash e_2 \leadsto e_2'}{\Delta \vdash v_1 \; bop \; e_2 \leadsto v_1 \; bop \; e_2'} \quad \text{BOP\_RHS}
                                                        \frac{\Delta \vdash e_1 \leadsto e_1'}{\Delta \vdash e_1 \ bop \ e_2 \leadsto e_1' \ bop \ e_2} \quad \text{BOP\_LHS}
                                                                                                                                               AOP_UNK_RHS
                       \Delta \vdash \bowtie p \text{ unknown } [str] : t \leadsto \text{unknown } [str] : t
                                                                                                                                               AOP_UNK_LHS
                       \overline{\Delta \vdash \mathbf{unknown} [str] : t \ aop \ e \leadsto \mathbf{unknown} [str] : t}
                                                                                                                                                            LOP_UNK_RHS
          \Delta \vdash e \ lop \ \mathbf{unknown} \ [str] : t \leadsto \mathbf{unknown} \ [str] : \mathbf{imm} < 1 > 
                                                                                                                                                           LOP_UNK_LHS
           \overline{\Delta \vdash \mathbf{unknown} [str] : t \ lop \ e \leadsto \mathbf{unknown} [str] : \mathbf{imm} < 1 >}
                                                             \Delta \vdash w_1 + w_2 \leadsto w_1 + w_2
                                                            \Delta \vdash w_1 \ - \ w_2 \leadsto w_1 \stackrel{bv}{-} w_2
                                                             \Delta \vdash w_1 * \overline{w_2 \leadsto w_1 \overset{bv}{*} w_2}
                                                                 \Delta \vdash w_1 \stackrel{signed}{/} w_2 \leadsto w_1 \stackrel{sbv}{/} w_2
                                                              \frac{bv}{\Delta \vdash w_1 \% w_2 \leadsto w_1 \% w_2}
```

```
type(v_1) = \mathbf{imm} < sz_1 >
                                                                                                                                                                                                                                                                                                                                                                                                                                       CONCAT_RHS_UN
\Delta \vdash v inknown [str] : \mathbf{imm} < sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{imm} < sz_1 + sz_2 > \leadsto \mathbf{unknown} [str] : \mathbf{unknown} [str
                                                                                                                                                                        \frac{}{\Delta \vdash w_1 @ w_2 \leadsto w_1 \stackrel{bv}{\cdot} w_2}
                                                                      \frac{\Delta \vdash e \leadsto e'}{\Delta \vdash \mathbf{extract} : \mathit{sz}_1 : \mathit{sz}_2[e] \leadsto \mathbf{extract} : \mathit{sz}_1 : \mathit{sz}_2[e']} \quad \texttt{EXTRACT\_REDUCE}
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  EXTRACT_UN
\overline{\Delta \vdash \mathbf{extract} \, : sz_1 : sz_2[\mathbf{unknown} \, [str] : t]} \leadsto \mathbf{unknown} \, [str] : \mathbf{imm} \, < (sz_1 - sz_2) + 1 > 0
                                                                                \overline{\Delta \vdash \mathbf{extract} \, : sz_1 : sz_2[w] \leadsto \mathbf{ext} \, w \sim \mathbf{hi} : sz_1 \sim \mathbf{lo} : sz_2}
                                                                                                                                      \frac{\Delta \vdash e \leadsto e'}{\Delta \vdash cast : sz[e] \leadsto cast : sz[e']} \quad \text{CAST\_REDUCE}
                                                   \overline{\Delta \vdash cast : sz[\mathbf{unknown}\,[str] : t]} \leadsto \mathbf{unknown}\,[str] : \mathbf{imm} \, < sz >
                                                                                               \overline{\Delta \vdash \mathbf{low} : sz[w] \leadsto \mathbf{ext} \ w \sim \mathbf{hi} : (sz-1) \sim \mathbf{lo} : 0} \quad \text{CAST\_LOW}
                             \overline{\Delta \vdash \mathbf{high} : sz[num : sz'] \leadsto \mathbf{ext} \ num : sz' \sim \mathbf{hi} : (sz'-1) \sim \mathbf{lo} : (sz'-sz)}
                                                                                                                                                                                                                                                                                                                                                                                 CAST\_SIGNED
                                                                             \overline{\Delta \vdash \mathbf{signed} : sz[w] \leadsto \mathbf{exts} \ w \sim \mathbf{hi} : (sz-1) \sim \mathbf{lo} : 0}
                                                                                                                                                                                                                                                                                                                                                                               CAST_UNSIGNED
                                                                \overline{\Delta \vdash \mathbf{unsigned} : sz[w] \leadsto \mathbf{ext} \ w \sim \mathbf{hi} : (sz-1) \sim \mathbf{lo} : 0}
                      \mathbf{succ} \ w_1 = exp
                                                                                                                                                    \frac{}{\mathbf{succ}\,num:sz=num:sz+1:sz}
                      \Delta \vdash exp \leadsto^* exp'
                                                                                                                                                                                                               \frac{}{\Delta \vdash e \leadsto^* e} REFL

\frac{\Delta \vdash e_1 \leadsto e_2}{\Delta \vdash e_2 \leadsto^* e_3} \\
\frac{\Delta \vdash e_1 \leadsto^* e_3}{\Delta \vdash e_1 \leadsto^* e_3}
 REDUCE
```