Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add automation support for pairwise memory separation #126

Merged
merged 21 commits into from
Sep 6, 2024
Merged

feat: add automation support for pairwise memory separation #126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
f55ff94
chore: add defn for List.pairwise mem_separate xs
bollu Aug 27, 2024
3e7ba47
chore: completely untested code for separation
bollu Aug 27, 2024
35f5e6c
chore: don't use decideProof in ways that don't work
bollu Aug 27, 2024
80454da
chore: I don't understand this failure
bollu Aug 27, 2024
f2877b9
chore: add separate example
bollu Aug 27, 2024
13e12ef
chore: add examples for pairwise
bollu Aug 27, 2024
16ec26c
chore: show example where better address normalization is needed
bollu Aug 27, 2024
f9d879a
chore: cleanup
bollu Aug 27, 2024
a8a8f64
chore: touchup
bollu Aug 27, 2024
75c3435
metaprogramming nits
bollu Aug 27, 2024
d71b7b4
feat: cleanup
bollu Sep 3, 2024
d1facdd
Merge branch 'main' into mem-pairwise
shigoel Sep 3, 2024
56d5154
Update Proofs/Experiments/MemoryAliasing.lean
bollu Sep 4, 2024
d38e1a5
chore: scope trace enablement
bollu Sep 4, 2024
743c4e3
Merge remote-tracking branch 'origin/mem-pairwise' into mem-pairwise
bollu Sep 4, 2024
34ded47
chore: simp only
bollu Sep 4, 2024
dd24b6d
chore: use custom simp set
bollu Sep 4, 2024
46c2947
Merge branch 'main' into mem-pairwise
shigoel Sep 4, 2024
194b745
Merge branch 'main' into mem-pairwise
shigoel Sep 5, 2024
67618c4
Merge branch 'main' into mem-pairwise
shigoel Sep 5, 2024
2bf5368
Merge branch 'main' into mem-pairwise
shigoel Sep 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 56 additions & 1 deletion Arm/Memory/Separate.lean
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,12 @@ theorem BitVec.not_le_eq_lt {a b : BitVec w₁} : (¬ (a ≤ b)) ↔ b < a := by
rw [BitVec.le_def, BitVec.lt_def]
omega

theorem mem_separate'_comm (h : mem_separate' a an b bn) :
mem_separate' b bn a an := by
have := h.omega_def
apply mem_separate'.of_omega
omega

/-#
This is a theorem we ought to prove, which establishes the equivalence
bollu marked this conversation as resolved.
Show resolved Hide resolved
between the old and new defintions of 'mem_separate'.
Expand Down Expand Up @@ -492,7 +498,7 @@ theorem Memory.read_bytes_write_bytes_eq_of_mem_subset'
· subst hxn
exfalso
have h := i.isLt
simp at h
simp only [Nat.reduceMul, Nat.zero_mul, Nat.not_lt_zero] at h
· by_cases h₁ : ↑i < xn * 8
· simp only [h₁]
simp only [decide_True, Bool.true_and]
Expand Down Expand Up @@ -560,4 +566,53 @@ theorem Memory.read_bytes_eq_extractLsBytes_sub_of_mem_subset'
bv_omega
· simp only [h, ↓reduceIte]

/-- A region of memory, given by (base pointer, length) -/
abbrev Memory.Region := BitVec 64 × Nat
shigoel marked this conversation as resolved.
Show resolved Hide resolved

def Memory.Region.mk (a : BitVec 64) (n : Nat) : Memory.Region := (a, n)

/-- A hypothesis that memory regions `a` and `b` are separate. -/
def Memory.Region.separate (a b : Memory.Region) : Prop :=
mem_separate' a.fst a.snd b.fst b.snd

/-- A list of memory regions, that are known to be pairwise disjoint. -/
def Memory.Region.pairwiseSeparate (mems : List Memory.Region) : Prop :=
mems.Pairwise Memory.Region.separate

/-- If `i ≠ j`, then prove that `mems[i] ⟂ mems[j]`.
The theorem is stated in mildly awkward fashion for ease of use during proof automation.
-/
def Memory.Region.separate'_of_pairwiseSeprate_of_mem_of_mem
(h : Memory.Region.pairwiseSeparate mems)
(i j : Nat)
(hij : i ≠ j)
(a b : Memory.Region)
(ha : mems.get? i = some a) (hb : mems.get? j = some b) :
mem_separate' a.fst a.snd b.fst b.snd := by
induction h generalizing a b i j
case nil => simp only [List.get?_eq_getElem?, List.getElem?_nil, reduceCtorEq] at ha
case cons x xs ihx _ihxs ihxs' =>
simp only [List.get?_eq_getElem?] at ha hb
rcases i with rfl | i'
· simp at ha
bollu marked this conversation as resolved.
Show resolved Hide resolved
· rcases j with rfl | j'
· simp only [ne_eq, not_true_eq_false] at hij
· subst ha
simp only [List.getElem?_cons_succ] at hb
apply ihx
exact List.getElem?_mem hb
· rcases j with rfl | j'
· simp only [List.length_cons, Nat.zero_lt_succ, List.getElem?_eq_getElem,
List.getElem_cons_zero, Option.some.injEq] at hb
· subst hb
simp only [List.getElem?_cons_succ] at ha
apply mem_separate'_comm
apply ihx
exact List.getElem?_mem ha
· simp only [List.getElem?_cons_succ] at ha hb
apply ihxs' i' j'
· omega
· simp only [List.get?_eq_getElem?, ha]
· simp only [List.get?_eq_getElem?, hb]

end NewDefinitions
Loading