Library mcertikos.ticketlog.TicketLockIntroGenDef
This file provides the contextual refinement proof between the MBoot layer and the MALInit layer
Require Export Coqlib.
Require Export Errors.
Require Export AST.
Require Export Integers.
Require Export Floats.
Require Export Op.
Require Export Asm.
Require Export Events.
Require Export Globalenvs.
Require Export Smallstep.
Require Export Values.
Require Export Memory.
Require Export Maps.
Require Export CommonTactic.
Require Export AuxLemma.
Require Export FlatMemory.
Require Export AuxStateDataType.
Require Export Constant.
Require Export GlobIdent.
Require Export RealParams.
Require Export LoadStoreSem1.
Require Export AsmImplLemma.
Require Export GenSem.
Require Export RefinementTactic.
Require Export PrimSemantics.
Require Export liblayers.logic.PTreeModules.
Require Export liblayers.logic.LayerLogicImpl.
Require Export liblayers.compcertx.Stencil.
Require Export liblayers.compcertx.MakeProgram.
Require Export liblayers.compat.CompatLayers.
Require Export liblayers.compat.CompatGenSem.
Require Export compcert.cfrontend.Ctypes.
Require Export LayerCalculusLemma.
Require Export AbstractDataType.
Require Import DeviceStateDataType.
Require Export MTicketLockIntro.
Open Scope string_scope.
Open Scope error_monad_scope.
Open Scope Z_scope.
(* Both layers of this refinement use the same abstract data type [RData]
   with the same [mcurid_data_ops]; the layers differ only in how that data
   is related to memory (see [match_RData] / [relate_RData] below). *)
Notation HDATA := RData.
Notation LDATA := RData.
Notation HDATAOps := (cdata (cdata_ops := mcurid_data_ops) HDATA).
Notation LDATAOps := (cdata (cdata_ops := mcurid_data_ops) LDATA).
Require Export Errors.
Require Export AST.
Require Export Integers.
Require Export Floats.
Require Export Op.
Require Export Asm.
Require Export Events.
Require Export Globalenvs.
Require Export Smallstep.
Require Export Values.
Require Export Memory.
Require Export Maps.
Require Export CommonTactic.
Require Export AuxLemma.
Require Export FlatMemory.
Require Export AuxStateDataType.
Require Export Constant.
Require Export GlobIdent.
Require Export RealParams.
Require Export LoadStoreSem1.
Require Export AsmImplLemma.
Require Export GenSem.
Require Export RefinementTactic.
Require Export PrimSemantics.
Require Export liblayers.logic.PTreeModules.
Require Export liblayers.logic.LayerLogicImpl.
Require Export liblayers.compcertx.Stencil.
Require Export liblayers.compcertx.MakeProgram.
Require Export liblayers.compat.CompatLayers.
Require Export liblayers.compat.CompatGenSem.
Require Export compcert.cfrontend.Ctypes.
Require Export LayerCalculusLemma.
Require Export AbstractDataType.
Require Import DeviceStateDataType.
Require Export MTicketLockIntro.
Open Scope string_scope.
Open Scope error_monad_scope.
Open Scope Z_scope.
(* Both layers of this refinement use the same abstract data type [RData]
   with the same [mcurid_data_ops]; the layers differ only in how that data
   is related to memory (see [match_RData] / [relate_RData] below). *)
Notation HDATA := RData.
Notation LDATA := RData.
Notation HDATAOps := (cdata (cdata_ops := mcurid_data_ops) HDATA).
Notation LDATAOps := (cdata (cdata_ops := mcurid_data_ops) LDATA).
Section Refinement.
Section WITHMEM.
(* Section parameters: a symbol stencil, a CompCert-X memory model whose
   memory carries abstract data, and the multi-oracle property assumed by
   the lock log. *)
Context `{Hstencil: Stencil}.
Context `{Hmem: Mem.MemoryModelX}.
Context `{Hmwd: UseMemWithData mem}.
Context `{multi_oracle_prop: MultiOracleProp}.
Section WITHMEM.
(* Section parameters: a symbol stencil, a CompCert-X memory model whose
   memory carries abstract data, and the multi-oracle property assumed by
   the lock log. *)
Context `{Hstencil: Stencil}.
Context `{Hmem: Mem.MemoryModelX}.
Context `{Hmwd: UseMemWithData mem}.
Context `{multi_oracle_prop: MultiOracleProp}.
Section REFINEMENT_REL.
(* Relation between one lock's abstract log and the two machine words that
   represent it in memory.  An undefined log ([MultiUndef]) constrains the
   words not at all.  A defined log matches only when
   [CalTicketLockWraparound] succeeds with [Some (t, n, tq)] (presumably the
   next ticket, the now-serving counter and the wait queue -- confirm against
   [CalTicketLockWraparound]) and the two words are exactly [Int.repr t] and
   [Int.repr n], i.e. the 32-bit truncations; [tq] has no memory image. *)
Inductive match_TICKET_info: MultiLogType → val → val → Prop :=
| MATCH_TICKET_UNDEF: ∀ v1 v2, match_TICKET_info MultiUndef v1 v2
| MATCH_TICKET_VALID: ∀ l t n tq
(HCal: CalTicketLockWraparound l = Some (t, n, tq)),
match_TICKET_info (MultiDef l) (Vint (Int.repr t)) (Vint (Int.repr n)).
(* Relation between one lock's abstract log and the two machine words that
   represent it in memory.  An undefined log ([MultiUndef]) constrains the
   words not at all.  A defined log matches only when
   [CalTicketLockWraparound] succeeds with [Some (t, n, tq)] (presumably the
   next ticket, the now-serving counter and the wait queue -- confirm against
   [CalTicketLockWraparound]) and the two words are exactly [Int.repr t] and
   [Int.repr n], i.e. the 32-bit truncations; [tq] has no memory image. *)
Inductive match_TICKET_info: MultiLogType → val → val → Prop :=
| MATCH_TICKET_UNDEF: ∀ v1 v2, match_TICKET_info MultiUndef v1 v2
| MATCH_TICKET_VALID: ∀ l t n tq
(HCal: CalTicketLockWraparound l = Some (t, n, tq)),
match_TICKET_info (MultiDef l) (Vint (Int.repr t)) (Vint (Int.repr n)).
Relation between the allocation table and the underlying memory
(* Memory invariant for the whole lock pool.  The stencil must resolve
   [TICKET_LOCK_LOC] to a block [b]; every lock index that [index2Z] accepts
   owns an 8-byte slot at offset [z × 8] in that block holding two 32-bit
   words.  Both words must be loadable, both locations must be writable (not
   merely readable), and the pair must be related to the log entry
   [ZMap.get z log] by [match_TICKET_info].  Indices rejected by [index2Z]
   place no constraint on memory. *)
Inductive match_TICKET: stencil → MultiLogPool → mem → Prop :=
| MATCH_TICKET: ∀ log m b s
(Hticket: (∀ index ofs z (Hvalid: index2Z index ofs = Some z),
(∃ v1 v2,
Mem.load Mint32 m b (z × 8) = Some v1 ∧
Mem.load Mint32 m b (z × 8 + 4) = Some v2 ∧
Mem.valid_access m Mint32 b (z × 8) Writable ∧
Mem.valid_access m Mint32 b (z × 8 + 4) Writable ∧
match_TICKET_info (ZMap.get z log) v1 v2)))
(Hsymbol: find_symbol s TICKET_LOCK_LOC = Some b),
match_TICKET s log m.
| MATCH_TICKET: ∀ log m b s
(Hticket: (∀ index ofs z (Hvalid: index2Z index ofs = Some z),
(∃ v1 v2,
Mem.load Mint32 m b (z × 8) = Some v1 ∧
Mem.load Mint32 m b (z × 8 + 4) = Some v2 ∧
Mem.valid_access m Mint32 b (z × 8) Writable ∧
Mem.valid_access m Mint32 b (z × 8 + 4) Writable ∧
match_TICKET_info (ZMap.get z log) v1 v2)))
(Hsymbol: find_symbol s TICKET_LOCK_LOC = Some b),
match_TICKET s log m.
Relation between the new raw data at the higher layer and the memory at the lower layer
(* Memory side of the refinement: high-level abstract data [hadt] matches
   low-level memory [m] exactly when its [multi_log] satisfies [match_TICKET].
   The injection [f] is a parameter of the relation but is not constrained
   here, which is why the preservation lemmas below never inspect it. *)
Inductive match_RData: stencil → HDATA → mem → meminj → Prop :=
| MATCH_RDATA: ∀ hadt m s f
(Hlog: match_TICKET s (multi_log hadt) m),
match_RData s hadt m f.
| MATCH_RDATA: ∀ hadt m s f
(Hlog: match_TICKET s (multi_log hadt) m),
match_RData s hadt m f.
Relation between the shared raw data at two layers
(* Field-by-field relation between the two layers' abstract data.  Every
   field is required to be equal except the three that hold pointer-like
   data, which are related through the memory injection [f]: the flat memory
   ([FlatMem.flatmem_inj]), the second component of [ti] ([val_inject]) and
   the trap frames ([tfs_inj]).  Note [multi_log_re]: the lock log is shared
   verbatim between the layers; only its memory image differs. *)
Record relate_RData (s: stencil) (f:meminj) (hadt: HDATA) (ladt: LDATA) :=
mkrelate_RData {
flatmem_re: FlatMem.flatmem_inj (HP hadt) (HP ladt);
MM_re: MM hadt = MM ladt;
MMSize_re: MMSize hadt = MMSize ladt;
vmxinfo_re: vmxinfo hadt = vmxinfo ladt;
CR3_re: CR3 hadt = CR3 ladt;
ikern_re: ikern hadt = ikern ladt;
pg_re: pg hadt = pg ladt;
ihost_re: ihost hadt = ihost ladt;
ti_fst_re: (fst (ti hadt)) = (fst (ti ladt));
ti_snd_re: val_inject f (snd (ti hadt)) (snd (ti ladt));
init_re: init hadt = init ladt;
buffer_re: buffer hadt = buffer ladt;
CPU_ID_re: CPU_ID hadt = CPU_ID ladt;
cid_re: cid hadt = cid ladt;
multi_oracle_re: multi_oracle hadt = multi_oracle ladt;
multi_log_re: multi_log hadt = multi_log ladt;
com1_re: com1 ladt = com1 hadt;
ioapic_re: ioapic ladt = ioapic hadt;
lapic_re: lapic ladt = lapic hadt;
intr_flag_re: intr_flag ladt = intr_flag hadt;
saved_intr_flags_re: saved_intr_flags ladt = saved_intr_flags hadt;
curr_intr_num_re: curr_intr_num ladt = curr_intr_num hadt;
in_intr_re: in_intr hadt = in_intr ladt;
tf_re: tfs_inj f (tf hadt) (tf ladt)
}.
(* Packages the two relations as the layer framework's [CompatRelOps].
   [new_glbl] lists [TICKET_LOCK_LOC] as the only global this layer
   introduces; the preservation lemmas in [Rel_Property] exclude exactly
   these blocks from the memory operations they allow. *)
Global Instance rel_ops: CompatRelOps HDATAOps LDATAOps :=
{
relate_AbData s f d1 d2 := relate_RData s f d1 d2;
match_AbData s d1 m f := match_RData s d1 m f;
new_glbl := TICKET_LOCK_LOC :: nil
}.
End REFINEMENT_REL.
mkrelate_RData {
flatmem_re: FlatMem.flatmem_inj (HP hadt) (HP ladt);
MM_re: MM hadt = MM ladt;
MMSize_re: MMSize hadt = MMSize ladt;
vmxinfo_re: vmxinfo hadt = vmxinfo ladt;
CR3_re: CR3 hadt = CR3 ladt;
ikern_re: ikern hadt = ikern ladt;
pg_re: pg hadt = pg ladt;
ihost_re: ihost hadt = ihost ladt;
ti_fst_re: (fst (ti hadt)) = (fst (ti ladt));
ti_snd_re: val_inject f (snd (ti hadt)) (snd (ti ladt));
init_re: init hadt = init ladt;
buffer_re: buffer hadt = buffer ladt;
CPU_ID_re: CPU_ID hadt = CPU_ID ladt;
cid_re: cid hadt = cid ladt;
multi_oracle_re: multi_oracle hadt = multi_oracle ladt;
multi_log_re: multi_log hadt = multi_log ladt;
com1_re: com1 ladt = com1 hadt;
ioapic_re: ioapic ladt = ioapic hadt;
lapic_re: lapic ladt = lapic hadt;
intr_flag_re: intr_flag ladt = intr_flag hadt;
saved_intr_flags_re: saved_intr_flags ladt = saved_intr_flags hadt;
curr_intr_num_re: curr_intr_num ladt = curr_intr_num hadt;
in_intr_re: in_intr hadt = in_intr ladt;
tf_re: tfs_inj f (tf hadt) (tf ladt)
}.
(* Packages the two relations as the layer framework's [CompatRelOps].
   [new_glbl] lists [TICKET_LOCK_LOC] as the only global this layer
   introduces; the preservation lemmas in [Rel_Property] exclude exactly
   these blocks from the memory operations they allow. *)
Global Instance rel_ops: CompatRelOps HDATAOps LDATAOps :=
{
relate_AbData s f d1 d2 := relate_RData s f d1 d2;
match_AbData s d1 m f := match_RData s d1 m f;
new_glbl := TICKET_LOCK_LOC :: nil
}.
End REFINEMENT_REL.
Section Rel_Property.
(* [match_RData] survives injecting the low-level memory through [j],
   provided [j] extends the flat injection on the stencil's globals; the
   resulting injection is [compose_meminj f j].  Key step: [j] maps the lock
   block to itself at offset 0 ([stencil_find_symbol_inject´]), so the loads
   and valid-access facts transfer with unchanged offsets ([Z.add_0_r]).
   The [Vint] words are injected to themselves, which re-establishes
   [match_TICKET_info]. *)
Lemma inject_match_correct:
∀ s d1 m2 f m2´ j,
match_RData s d1 m2 f →
Mem.inject j m2 m2´ →
inject_incr (Mem.flat_inj (genv_next s)) j →
match_RData s d1 m2´ (compose_meminj f j).
Proof.
inversion 1; subst; intros.
econstructor; eauto; intros.
inv Hlog.
(* The lock block is a stencil global, hence mapped identically by [j]. *)
assert (HFB0: j b = Some (b, 0)).
{
eapply stencil_find_symbol_inject´; eauto.
}
econstructor; eauto; intros.
+ specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
specialize (Mem.load_inject _ _ _ _ _ _ _ _ _ H0 HL1 HFB0).
specialize (Mem.load_inject _ _ _ _ _ _ _ _ _ H0 HL2 HFB0).
repeat rewrite Z.add_0_r; intros [v2´[HLD2´ HV2´]] [v1´[HLD1´ HV1´]].
refine_split´; eauto.
specialize(Mem.valid_access_inject _ _ _ _ _ _ _ _ _ HFB0 H0 HV1).
rewrite Z.add_0_r; trivial.
specialize(Mem.valid_access_inject _ _ _ _ _ _ _ _ _ HFB0 H0 HV2).
rewrite Z.add_0_r; trivial.
(* Case split on the log entry: undefined is trivial; defined words are
   integers, so their injections are the same values. *)
inv HM. constructor.
inv HV1´. inv HV2´.
econstructor; eauto.
Qed.
(* Frame property for stores: a store to any block [b2] that is not the
   block of a [new_glbl] symbol leaves [match_RData] intact.  Loads from the
   lock block are unchanged ([Mem.load_store_other]) and its writable-access
   facts survive ([Mem.store_valid_access_1]).  Stores to the lock block
   itself are deliberately outside this lemma's scope. *)
Lemma store_match_correct:
∀ s abd m0 m0´ f b2 v v´ chunk,
match_RData s abd m0 f →
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b2) →
Mem.store chunk m0 b2 v v´ = Some m0´ →
match_RData s abd m0´ f.
Proof.
intros. inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto.
intros. specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
(* [TICKET_LOCK_LOC] is in [new_glbl], so its block differs from [b2]. *)
eapply H0 in Hsymbol; simpl; eauto.
repeat rewrite (Mem.load_store_other _ _ _ _ _ _ H1); auto.
refine_split´; eauto.
eapply Mem.store_valid_access_1; eauto.
eapply Mem.store_valid_access_1; eauto.
Qed.
(* Same frame property as [store_match_correct], for [Mem.storebytes]:
   a byte-level write to a block other than the [new_glbl] blocks preserves
   the lock invariant via [Mem.load_storebytes_other] and
   [Mem.storebytes_valid_access_1]. *)
Lemma storebytes_match_correct:
∀ s abd m0 m0´ f b2 v v´,
match_RData s abd m0 f →
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b2) →
Mem.storebytes m0 b2 v v´ = Some m0´ →
match_RData s abd m0´ f.
Proof.
intros. inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto. intros.
specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
(* [TICKET_LOCK_LOC] is in [new_glbl], so its block differs from [b2]. *)
eapply H0 in Hsymbol; simpl; eauto.
repeat rewrite (Mem.load_storebytes_other _ _ _ _ _ H1); eauto.
refine_split´; eauto.
eapply Mem.storebytes_valid_access_1; eauto.
eapply Mem.storebytes_valid_access_1; eauto.
Qed.
(* Frame property for [Mem.free]: freeing a range in a block other than the
   [new_glbl] blocks preserves [match_RData].  Loads from the lock block are
   unaffected ([Mem.load_free]) and its access rights remain
   ([Mem.valid_access_free_1]). *)
Lemma free_match_correct:
∀ s abd m0 m0´ f ofs sz b2,
match_RData s abd m0 f→
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b2) →
Mem.free m0 b2 ofs sz = Some m0´ →
match_RData s abd m0´ f.
Proof.
intros. inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto. intros.
specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
(* [TICKET_LOCK_LOC] is in [new_glbl], so its block differs from [b2]. *)
eapply H0 in Hsymbol; simpl; eauto.
repeat rewrite (Mem.load_free _ _ _ _ _ H1); auto.
refine_split´; eauto.
eapply Mem.valid_access_free_1; eauto.
eapply Mem.valid_access_free_1; eauto.
Qed.
(* Frame property for [Mem.alloc]: allocating a fresh block [b´1], together
   with an injection [f´] that maps [b0] to it and agrees with [f]
   elsewhere, preserves [match_RData].  Since [match_RData] never inspects
   the injection, the hypotheses about [f´] (renamed [HF1], [HB]) are not
   needed by the proof; only [Mem.load_alloc_other] and
   [Mem.valid_access_alloc_other] on the pre-existing lock block are used. *)
Lemma alloc_match_correct:
∀ s abd m´0 m´1 f f´ ofs sz b0 b´1,
match_RData s abd m´0 f→
Mem.alloc m´0 ofs sz = (m´1, b´1) →
f´ b0 = Some (b´1, 0%Z) →
(∀ b : block, b ≠ b0 → f´ b = f b) →
inject_incr f f´ →
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b0) →
match_RData s abd m´1 f´.
Proof.
intros. rename H1 into HF1, H2 into HB.
inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto. intros.
specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
refine_split´; eauto.
apply (Mem.load_alloc_other _ _ _ _ _ H0); auto.
apply (Mem.load_alloc_other _ _ _ _ _ H0); auto.
eapply Mem.valid_access_alloc_other; eauto.
eapply Mem.valid_access_alloc_other; eauto.
Qed.
(* [match_RData] survives injecting the low-level memory through [j],
   provided [j] extends the flat injection on the stencil's globals; the
   resulting injection is [compose_meminj f j].  Key step: [j] maps the lock
   block to itself at offset 0 ([stencil_find_symbol_inject´]), so the loads
   and valid-access facts transfer with unchanged offsets ([Z.add_0_r]).
   The [Vint] words are injected to themselves, which re-establishes
   [match_TICKET_info]. *)
Lemma inject_match_correct:
∀ s d1 m2 f m2´ j,
match_RData s d1 m2 f →
Mem.inject j m2 m2´ →
inject_incr (Mem.flat_inj (genv_next s)) j →
match_RData s d1 m2´ (compose_meminj f j).
Proof.
inversion 1; subst; intros.
econstructor; eauto; intros.
inv Hlog.
(* The lock block is a stencil global, hence mapped identically by [j]. *)
assert (HFB0: j b = Some (b, 0)).
{
eapply stencil_find_symbol_inject´; eauto.
}
econstructor; eauto; intros.
+ specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
specialize (Mem.load_inject _ _ _ _ _ _ _ _ _ H0 HL1 HFB0).
specialize (Mem.load_inject _ _ _ _ _ _ _ _ _ H0 HL2 HFB0).
repeat rewrite Z.add_0_r; intros [v2´[HLD2´ HV2´]] [v1´[HLD1´ HV1´]].
refine_split´; eauto.
specialize(Mem.valid_access_inject _ _ _ _ _ _ _ _ _ HFB0 H0 HV1).
rewrite Z.add_0_r; trivial.
specialize(Mem.valid_access_inject _ _ _ _ _ _ _ _ _ HFB0 H0 HV2).
rewrite Z.add_0_r; trivial.
(* Case split on the log entry: undefined is trivial; defined words are
   integers, so their injections are the same values. *)
inv HM. constructor.
inv HV1´. inv HV2´.
econstructor; eauto.
Qed.
(* Frame property for stores: a store to any block [b2] that is not the
   block of a [new_glbl] symbol leaves [match_RData] intact.  Loads from the
   lock block are unchanged ([Mem.load_store_other]) and its writable-access
   facts survive ([Mem.store_valid_access_1]).  Stores to the lock block
   itself are deliberately outside this lemma's scope. *)
Lemma store_match_correct:
∀ s abd m0 m0´ f b2 v v´ chunk,
match_RData s abd m0 f →
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b2) →
Mem.store chunk m0 b2 v v´ = Some m0´ →
match_RData s abd m0´ f.
Proof.
intros. inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto.
intros. specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
(* [TICKET_LOCK_LOC] is in [new_glbl], so its block differs from [b2]. *)
eapply H0 in Hsymbol; simpl; eauto.
repeat rewrite (Mem.load_store_other _ _ _ _ _ _ H1); auto.
refine_split´; eauto.
eapply Mem.store_valid_access_1; eauto.
eapply Mem.store_valid_access_1; eauto.
Qed.
(* Same frame property as [store_match_correct], for [Mem.storebytes]:
   a byte-level write to a block other than the [new_glbl] blocks preserves
   the lock invariant via [Mem.load_storebytes_other] and
   [Mem.storebytes_valid_access_1]. *)
Lemma storebytes_match_correct:
∀ s abd m0 m0´ f b2 v v´,
match_RData s abd m0 f →
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b2) →
Mem.storebytes m0 b2 v v´ = Some m0´ →
match_RData s abd m0´ f.
Proof.
intros. inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto. intros.
specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
(* [TICKET_LOCK_LOC] is in [new_glbl], so its block differs from [b2]. *)
eapply H0 in Hsymbol; simpl; eauto.
repeat rewrite (Mem.load_storebytes_other _ _ _ _ _ H1); eauto.
refine_split´; eauto.
eapply Mem.storebytes_valid_access_1; eauto.
eapply Mem.storebytes_valid_access_1; eauto.
Qed.
(* Frame property for [Mem.free]: freeing a range in a block other than the
   [new_glbl] blocks preserves [match_RData].  Loads from the lock block are
   unaffected ([Mem.load_free]) and its access rights remain
   ([Mem.valid_access_free_1]). *)
Lemma free_match_correct:
∀ s abd m0 m0´ f ofs sz b2,
match_RData s abd m0 f→
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b2) →
Mem.free m0 b2 ofs sz = Some m0´ →
match_RData s abd m0´ f.
Proof.
intros. inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto. intros.
specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
(* [TICKET_LOCK_LOC] is in [new_glbl], so its block differs from [b2]. *)
eapply H0 in Hsymbol; simpl; eauto.
repeat rewrite (Mem.load_free _ _ _ _ _ H1); auto.
refine_split´; eauto.
eapply Mem.valid_access_free_1; eauto.
eapply Mem.valid_access_free_1; eauto.
Qed.
(* Frame property for [Mem.alloc]: allocating a fresh block [b´1], together
   with an injection [f´] that maps [b0] to it and agrees with [f]
   elsewhere, preserves [match_RData].  Since [match_RData] never inspects
   the injection, the hypotheses about [f´] (renamed [HF1], [HB]) are not
   needed by the proof; only [Mem.load_alloc_other] and
   [Mem.valid_access_alloc_other] on the pre-existing lock block are used. *)
Lemma alloc_match_correct:
∀ s abd m´0 m´1 f f´ ofs sz b0 b´1,
match_RData s abd m´0 f→
Mem.alloc m´0 ofs sz = (m´1, b´1) →
f´ b0 = Some (b´1, 0%Z) →
(∀ b : block, b ≠ b0 → f´ b = f b) →
inject_incr f f´ →
(∀ i b,
In i new_glbl →
find_symbol s i = Some b → b ≠ b0) →
match_RData s abd m´1 f´.
Proof.
intros. rename H1 into HF1, H2 into HB.
inv H. inv Hlog.
econstructor; eauto.
econstructor; eauto. intros.
specialize (Hticket _ _ _ Hvalid).
destruct Hticket as [v1[v2[HL1[HL2[HV1[HV2 HM]]]]]].
refine_split´; eauto.
apply (Mem.load_alloc_other _ _ _ _ _ H0); auto.
apply (Mem.load_alloc_other _ _ _ _ _ H0); auto.
eapply Mem.valid_access_alloc_other; eauto.
eapply Mem.valid_access_alloc_other; eauto.
Qed.
Prove that after taking one step, the refinement relation still holds
(* [relate_RData] is monotone in the injection: growing [f] to [f´] keeps
   the relation.  The equality fields are untouched; the trap-frame field is
   lifted explicitly with [tfs_inj_incr], and the remaining
   injection-dependent obligations are closed by [eauto]. *)
Lemma relate_incr:
∀ s abd abd´ f f´,
relate_RData s f abd abd´
→ inject_incr f f´
→ relate_RData s f´ abd abd´.
Proof.
inversion 1; subst; intros; inv H; constructor; eauto.
eapply tfs_inj_incr; eauto.
Qed.
(* Assembles the five memory-operation frame lemmas and [relate_incr] into
   the [CompatRel] instance the layer framework requires; the bullet order
   follows the order of the [CompatRel] obligations. *)
Global Instance rel_prf: CompatRel HDATAOps LDATAOps.
Proof.
constructor.
- apply inject_match_correct.
- apply store_match_correct.
- apply alloc_match_correct.
- apply free_match_correct.
- apply storebytes_match_correct.
- intros. eapply relate_incr; eauto.
Qed.
End Rel_Property.
End WITHMEM.
End Refinement.
∀ s abd abd´ f f´,
relate_RData s f abd abd´
→ inject_incr f f´
→ relate_RData s f´ abd abd´.
Proof.
inversion 1; subst; intros; inv H; constructor; eauto.
eapply tfs_inj_incr; eauto.
Qed.
(* Assembles the five memory-operation frame lemmas and [relate_incr] into
   the [CompatRel] instance the layer framework requires; the bullet order
   follows the order of the [CompatRel] obligations. *)
Global Instance rel_prf: CompatRel HDATAOps LDATAOps.
Proof.
constructor.
- apply inject_match_correct.
- apply store_match_correct.
- apply alloc_match_correct.
- apply free_match_correct.
- apply storebytes_match_correct.
- intros. eapply relate_incr; eauto.
Qed.
End Rel_Property.
End WITHMEM.
End Refinement.