Library Pip.Proof.Consistency
Summary
This file contains the formalization of the consistency properties : for each one we summarize the description of its definition
Require Import Pip.Model.ADT Pip.Model.Hardware Pip.Model.MAL Pip.Model.Lib.
Require Import Pip.Proof.Lib Pip.Proof.Isolation Pip.Proof.StateLib.
Require Import List Coq.Logic.ProofIrrelevance.
Import List.ListNotations.
Require Import Pip.Proof.Lib Pip.Proof.Isolation Pip.Proof.StateLib.
Require Import List Coq.Logic.ProofIrrelevance.
Import List.ListNotations.
The dataStructurePdSh1Sh2asRoot property defines the type of different values
stored into the page directory structure, the first shadow structure and the second shadow structure. Configuation tables of the last level must contain :- Physical entries (the type PEntry is already definded in Model.ADT) for the page directory data structure
- Virtual entries (the type VEntry is already definded in Model.ADT ) for the first shadow data structure
- Virtual addresses (the type vaddr is already definded in Model.ADT) for the second shadow data structure
Definition dataStructurePdSh1Sh2asRoot (idxroot : index) (s : state) :=
∀ (partition : page),
In partition (getPartitions multiplexer s) →
∀ entry, nextEntryIsPP partition idxroot entry s →
∀ va : vaddr,
True → ∀ level stop , Some level = getNbLevel →
∀ indirection idx, getIndirection entry va level stop s = Some indirection →
( indirection = defaultPage ∨
(( ( stop < level ∧ isPE indirection idx s )\/
( stop ≥ level ∧ ( (isVE indirection idx s ∧ idxroot = sh1idx) ∨
(isVA indirection idx s ∧ idxroot = sh2idx) ∨
(isPE indirection idx s ∧ idxroot = PDidx) ) ))
∧
indirection ≠ defaultPage)) .
Definition wellFormedFstShadow (s : state) :=
∀ partition,
In partition (getPartitions multiplexer s) →
∀ va pg pd sh1,
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getMappedPage pd s va= SomePage pg →
∃ vainparent, getVirtualAddressSh1 sh1 s va = Some vainparent.
Definition wellFormedSndShadow (s : state) :=
∀ partition,
In partition (getPartitions multiplexer s) →
partition ≠ multiplexer →
∀ va pg pd sh2,
StateLib.getPd partition (memory s) = Some pd →
StateLib.getSndShadow partition (memory s) = Some sh2 →
getMappedPage pd s va= SomePage pg →
∃ vainparent, getVirtualAddressSh2 sh2 s va = Some vainparent ∧
beqVAddr defaultVAddr vainparent = false .
Definition wellFormedShadows (idxroot : index) (s : state) :=
∀ (partition : page),
In partition (getPartitions multiplexer s) →
∀ pdroot ,
StateLib.getPd partition (memory s) = Some pdroot →
∀ structroot, nextEntryIsPP partition idxroot structroot s →
∀ nbL stop , Some nbL = getNbLevel →
∀ indirection1 va b,
getIndirection pdroot va nbL stop s = Some indirection1 →
(Nat.eqb defaultPage indirection1) = b →
(∃ indirection2,
getIndirection structroot va nbL stop s = Some indirection2 ∧
(Nat.eqb defaultPage indirection2) = b).
∀ (partition : page),
In partition (getPartitions multiplexer s) →
∀ entry, nextEntryIsPP partition idxroot entry s →
∀ va : vaddr,
True → ∀ level stop , Some level = getNbLevel →
∀ indirection idx, getIndirection entry va level stop s = Some indirection →
( indirection = defaultPage ∨
(( ( stop < level ∧ isPE indirection idx s )\/
( stop ≥ level ∧ ( (isVE indirection idx s ∧ idxroot = sh1idx) ∨
(isVA indirection idx s ∧ idxroot = sh2idx) ∨
(isPE indirection idx s ∧ idxroot = PDidx) ) ))
∧
indirection ≠ defaultPage)) .
Definition wellFormedFstShadow (s : state) :=
∀ partition,
In partition (getPartitions multiplexer s) →
∀ va pg pd sh1,
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getMappedPage pd s va= SomePage pg →
∃ vainparent, getVirtualAddressSh1 sh1 s va = Some vainparent.
Definition wellFormedSndShadow (s : state) :=
∀ partition,
In partition (getPartitions multiplexer s) →
partition ≠ multiplexer →
∀ va pg pd sh2,
StateLib.getPd partition (memory s) = Some pd →
StateLib.getSndShadow partition (memory s) = Some sh2 →
getMappedPage pd s va= SomePage pg →
∃ vainparent, getVirtualAddressSh2 sh2 s va = Some vainparent ∧
beqVAddr defaultVAddr vainparent = false .
Definition wellFormedShadows (idxroot : index) (s : state) :=
∀ (partition : page),
In partition (getPartitions multiplexer s) →
∀ pdroot ,
StateLib.getPd partition (memory s) = Some pdroot →
∀ structroot, nextEntryIsPP partition idxroot structroot s →
∀ nbL stop , Some nbL = getNbLevel →
∀ indirection1 va b,
getIndirection pdroot va nbL stop s = Some indirection1 →
(Nat.eqb defaultPage indirection1) = b →
(∃ indirection2,
getIndirection structroot va nbL stop s = Some indirection2 ∧
(Nat.eqb defaultPage indirection2) = b).
The currentPartitionInPartitionsList property specifies that the
current partition must be into the list of partitions retrieved from the first created partition (multiplexer) (2)
Definition currentPartitionInPartitionsList (s : state) :=
In (currentPartition s) (getPartitions multiplexer s).
In (currentPartition s) (getPartitions multiplexer s).
The currentPartitionIsNotDefaultPage t property specifies that the
current partition is not a default physical page (2)The parentInPartitionList property specifies that the parent of a given
partition should be into the list of partitions retrieved from the first created partition (multiplexer) (3)
Definition parentInPartitionList (s : state) :=
∀ partition, In partition (getPartitions multiplexer s) →
∀ parent, nextEntryIsPP partition PPRidx parent s →
In parent (getPartitions multiplexer s).
∀ partition, In partition (getPartitions multiplexer s) →
∀ parent, nextEntryIsPP partition PPRidx parent s →
In parent (getPartitions multiplexer s).
The partitionDescriptorEntry defines some properties of the partition descriptor.
- A partition descriptor is a table containing virtual addresses and physical pages.
- Indecie PDidx, sh1idx, sh2idx, PPRidx and PRidx should be less than ("tableSize" - 1) and contain virtual addresses.
- The successors of these indices contain physical pages which should not be equal to "defaultPage".
Definition partitionDescriptorEntry s :=
∀ (partition : page),
In partition (getPartitions multiplexer s) →
∀ (idxroot : index), (idxroot = PDidx ∨ idxroot = sh1idx ∨ idxroot = sh2idx ∨
idxroot = sh3idx ∨
idxroot = PPRidx ∨ idxroot = PRidx ) →
idxroot < tableSize - 1 ∧
isVA partition idxroot s ∧
∃ entry, nextEntryIsPP partition idxroot entry s ∧
entry ≠ defaultPage.
∀ (partition : page),
In partition (getPartitions multiplexer s) →
∀ (idxroot : index), (idxroot = PDidx ∨ idxroot = sh1idx ∨ idxroot = sh2idx ∨
idxroot = sh3idx ∨
idxroot = PPRidx ∨ idxroot = PRidx ) →
idxroot < tableSize - 1 ∧
isVA partition idxroot s ∧
∃ entry, nextEntryIsPP partition idxroot entry s ∧
entry ≠ defaultPage.
The multiplexerWithoutParent specifies that the multiplexer is the root of
the partition treeThe noDupMappedPagesList requires that mapped pages of a single partition
are different (5)
Definition noDupMappedPagesList s :=
∀ (partition : page),
In partition (getPartitions multiplexer s) →
NoDup ((getMappedPages partition s)).
∀ (partition : page),
In partition (getPartitions multiplexer s) →
NoDup ((getMappedPages partition s)).
The noDupConfigPagesList requires that configuation tables of
a single partition are different (6)
Definition noDupConfigPagesList s :=
∀ (partition : page),
In partition (getPartitions multiplexer s) →
NoDup (getConfigPages partition s).
∀ (partition : page),
In partition (getPartitions multiplexer s) →
NoDup (getConfigPages partition s).
The accessibleVAIsNotPartitionDescriptor requires that accessible virtual
addresses are not marked as partition descriptor into the first shadow configuation structure (7)
Definition accessibleVAIsNotPartitionDescriptor s :=
∀ partition va pd sh1 page,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getAccessibleMappedPage pd s va = SomePage page →
getPDFlag sh1 va s = false.
∀ partition va pd sh1 page,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getAccessibleMappedPage pd s va = SomePage page →
getPDFlag sh1 va s = false.
The accessibleChildPageIsAccessibleIntoParent requires that all accessible physical
pages into a given partition should be accessible into its parent (8)
Definition accessibleChildPageIsAccessibleIntoParent s :=
∀ partition va pd accessiblePage,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
getAccessibleMappedPage pd s va = SomePage accessiblePage →
isAccessibleMappedPageInParent partition va accessiblePage s = true.
∀ partition va pd accessiblePage,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
getAccessibleMappedPage pd s va = SomePage accessiblePage →
isAccessibleMappedPageInParent partition va accessiblePage s = true.
The noCycleInPartitionTree requires that a partition and
its ancestors are different (9)
Definition noCycleInPartitionTree s :=
∀ ancestor partition,
In partition (getPartitions multiplexer s) →
In ancestor (getAncestors partition s) →
ancestor ≠ partition.
∀ ancestor partition,
In partition (getPartitions multiplexer s) →
In ancestor (getAncestors partition s) →
ancestor ≠ partition.
The configTablesAreDifferent requires that configuation tables of different
partitions are disjoint (10)
Definition configTablesAreDifferent s :=
∀ partition1 partition2,
In partition1 (getPartitions multiplexer s) →
In partition2 (getPartitions multiplexer s) →
partition1 ≠ partition2 →
disjoint (getConfigPages partition1 s) (getConfigPages partition2 s).
∀ partition1 partition2,
In partition1 (getPartitions multiplexer s) →
In partition2 (getPartitions multiplexer s) →
partition1 ≠ partition2 →
disjoint (getConfigPages partition1 s) (getConfigPages partition2 s).
The isChild specifies that a given partition should be a child of the
physical page stored as parent into the associated partition descriptor (11)
Definition isChild s :=
∀ partition parent : page,
In partition (getPartitions multiplexer s) →
StateLib.getParent partition (memory s) = Some parent →
In partition (getChildren parent s).
∀ partition parent : page,
In partition (getPartitions multiplexer s) →
StateLib.getParent partition (memory s) = Some parent →
In partition (getChildren parent s).
The isParent specifies that if we take any child into the children list of any
partition into the partition list so this partition should be the parent of this child (..)
Definition isParent s :=
∀ partition parent : page,
In parent (getPartitions multiplexer s) →
In partition (getChildren parent s) →
StateLib.getParent partition (memory s) = Some parent.
∀ partition parent : page,
In parent (getPartitions multiplexer s) →
In partition (getChildren parent s) →
StateLib.getParent partition (memory s) = Some parent.
The isPresentNotDefaultIff specifies that if the present flag of a physical
entry is equal to false so the associated physical page must be equal to the default value (12)
Definition isPresentNotDefaultIff s:=
∀ table idx ,
readPresent table idx (memory s) = Some false ↔
readPhyEntry table idx (memory s) = Some defaultPage .
∀ table idx ,
readPresent table idx (memory s) = Some false ↔
readPhyEntry table idx (memory s) = Some defaultPage .
The physicalPageNotDerived specifies that if a given physical
page is marked as not derived in a parent so it is not mapped in any child (13)
Definition physicalPageNotDerived s :=
∀ parent va pdParent pageParent,
In parent (getPartitions multiplexer s) →
StateLib.getPd parent (memory s) = Some pdParent →
¬ isDerived parent va s →
getMappedPage pdParent s va = SomePage pageParent →
∀ child pdChild vaInChild pageChild ,
In child (getChildren parent s) →
StateLib.getPd child (memory s) = Some pdChild →
getMappedPage pdChild s vaInChild = SomePage pageChild →
pageParent ≠ pageChild.
Definition noDupPartitionTree s :=
NoDup (getPartitions multiplexer s) .
Definition wellFormedFstShadowIfDefaultValues s :=
∀ partition va pd sh1 ,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getMappedPage pd s va = SomeDefault→
getPDFlag sh1 va s = false ∧
getVirtualAddressSh1 sh1 s va = Some defaultVAddr.
Definition wellFormedFstShadowIfNone s :=
∀ partition va pd sh1 ,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getMappedPage pd s va = NonePage →
getPDFlag sh1 va s = false ∧
getVirtualAddressSh1 sh1 s va = None.
∀ parent va pdParent pageParent,
In parent (getPartitions multiplexer s) →
StateLib.getPd parent (memory s) = Some pdParent →
¬ isDerived parent va s →
getMappedPage pdParent s va = SomePage pageParent →
∀ child pdChild vaInChild pageChild ,
In child (getChildren parent s) →
StateLib.getPd child (memory s) = Some pdChild →
getMappedPage pdChild s vaInChild = SomePage pageChild →
pageParent ≠ pageChild.
Definition noDupPartitionTree s :=
NoDup (getPartitions multiplexer s) .
Definition wellFormedFstShadowIfDefaultValues s :=
∀ partition va pd sh1 ,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getMappedPage pd s va = SomeDefault→
getPDFlag sh1 va s = false ∧
getVirtualAddressSh1 sh1 s va = Some defaultVAddr.
Definition wellFormedFstShadowIfNone s :=
∀ partition va pd sh1 ,
In partition (getPartitions multiplexer s) →
StateLib.getPd partition (memory s) = Some pd →
StateLib.getFstShadow partition (memory s) = Some sh1 →
getMappedPage pd s va = NonePage →
getPDFlag sh1 va s = false ∧
getVirtualAddressSh1 sh1 s va = None.
Consistency : Linked list properties
Definition LLconfiguration1 s:=
∀ part fstLL LLtable,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s nbPage) →
isI LLtable (CIndex 1) s.
Definition LLconfiguration2 s:=
∀ part fstLL LLtable maxidx,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s nbPage) →
StateLib.getMaxIndex = Some maxidx →
isPP LLtable maxidx s.
Definition LLconfiguration3 s:=
∀ part fstLL LLtable,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s (nbPage+1)) →
isI LLtable (CIndex 0) s.
Definition LLconfiguration4 s:=
∀ part fstLL LLtable,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s (nbPage+1)) →
∃ FFI nextFFI,
StateLib.readIndex LLtable (CIndex 0) (memory s)= Some FFI
∧ isVA LLtable FFI s ∧ FFI < tableSize - 1
∧ StateLib.Index.succ FFI = Some nextFFI
∧ isI LLtable nextFFI s.
Definition LLconfiguration5 s:=
∀ part fstLL ,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
NoDup (getLLPages fstLL s (nbPage + 1)).
Definition LLconfiguration5' s:=
∀ partition LL LLtable FFI nextFFI,
In partition (getPartitions multiplexer s) →
getConfigTablesLinkedList partition (memory s) = Some LL →
In LLtable (getLLPages LL s (nbPage + 1)) →
isIndexValue LLtable (CIndex 0) FFI s →
StateLib.Index.succ FFI = Some nextFFI →
StateLib.getMaxIndex ≠ Some nextFFI ∧
nextFFI ≠ CIndex 1.
∀ part fstLL LLtable,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s nbPage) →
isI LLtable (CIndex 1) s.
Definition LLconfiguration2 s:=
∀ part fstLL LLtable maxidx,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s nbPage) →
StateLib.getMaxIndex = Some maxidx →
isPP LLtable maxidx s.
Definition LLconfiguration3 s:=
∀ part fstLL LLtable,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s (nbPage+1)) →
isI LLtable (CIndex 0) s.
Definition LLconfiguration4 s:=
∀ part fstLL LLtable,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
In LLtable (getLLPages part s (nbPage+1)) →
∃ FFI nextFFI,
StateLib.readIndex LLtable (CIndex 0) (memory s)= Some FFI
∧ isVA LLtable FFI s ∧ FFI < tableSize - 1
∧ StateLib.Index.succ FFI = Some nextFFI
∧ isI LLtable nextFFI s.
Definition LLconfiguration5 s:=
∀ part fstLL ,
In part (getPartitions multiplexer s) →
nextEntryIsPP part sh3idx fstLL s →
NoDup (getLLPages fstLL s (nbPage + 1)).
Definition LLconfiguration5' s:=
∀ partition LL LLtable FFI nextFFI,
In partition (getPartitions multiplexer s) →
getConfigTablesLinkedList partition (memory s) = Some LL →
In LLtable (getLLPages LL s (nbPage + 1)) →
isIndexValue LLtable (CIndex 0) FFI s →
StateLib.Index.succ FFI = Some nextFFI →
StateLib.getMaxIndex ≠ Some nextFFI ∧
nextFFI ≠ CIndex 1.
Definition consistency s :=
partitionDescriptorEntry s ∧
dataStructurePdSh1Sh2asRoot PDidx s ∧
dataStructurePdSh1Sh2asRoot sh1idx s ∧
dataStructurePdSh1Sh2asRoot sh2idx s ∧
currentPartitionInPartitionsList s ∧
noDupMappedPagesList s ∧
noDupConfigPagesList s ∧
parentInPartitionList s ∧
accessibleVAIsNotPartitionDescriptor s ∧
accessibleChildPageIsAccessibleIntoParent s ∧
noCycleInPartitionTree s ∧
configTablesAreDifferent s ∧
isChild s ∧
isPresentNotDefaultIff s ∧
physicalPageNotDerived s ∧
multiplexerWithoutParent s ∧
isParent s ∧
noDupPartitionTree s ∧
wellFormedFstShadow s ∧
wellFormedSndShadow s ∧
wellFormedShadows sh1idx s ∧
wellFormedShadows sh2idx s ∧
currentPartitionIsNotDefaultPage s ∧
wellFormedFstShadowIfNone s ∧
wellFormedFstShadowIfDefaultValues s.
partitionDescriptorEntry s ∧
dataStructurePdSh1Sh2asRoot PDidx s ∧
dataStructurePdSh1Sh2asRoot sh1idx s ∧
dataStructurePdSh1Sh2asRoot sh2idx s ∧
currentPartitionInPartitionsList s ∧
noDupMappedPagesList s ∧
noDupConfigPagesList s ∧
parentInPartitionList s ∧
accessibleVAIsNotPartitionDescriptor s ∧
accessibleChildPageIsAccessibleIntoParent s ∧
noCycleInPartitionTree s ∧
configTablesAreDifferent s ∧
isChild s ∧
isPresentNotDefaultIff s ∧
physicalPageNotDerived s ∧
multiplexerWithoutParent s ∧
isParent s ∧
noDupPartitionTree s ∧
wellFormedFstShadow s ∧
wellFormedSndShadow s ∧
wellFormedShadows sh1idx s ∧
wellFormedShadows sh2idx s ∧
currentPartitionIsNotDefaultPage s ∧
wellFormedFstShadowIfNone s ∧
wellFormedFstShadowIfDefaultValues s.