alignment value check in allocate_object and proof sketch

vzaliva · vzaliva · commit 1151f106ac4b · 2024-07-16T16:00:36.000-07:00
diff --git a/coq/CheriMemory/CheriMorelloMemory.v b/coq/CheriMemory/CheriMorelloMemory.v
@@ -873,14 +873,17 @@ Module Type CheriMemoryImpl
     : memM pointer_value
     :=
     let align_n := num_of_int int_val in
-    size_n <- serr2InternalErr (sizeof DEFAULT_FUEL None ty) ;;
-    let size_z := Z.of_nat size_n in
-    let mask := C.representable_alignment_mask size_z in
-    let size_z' := C.representable_length size_z in
-    let size_n' := Z.to_nat size_z' in
-    let align_n' := Z.max align_n (1 + (AddressValue.to_Z (AddressValue.bitwise_complement (AddressValue.of_Z mask)))) in
-
-    (*
+    if align_n <=? 0
+      then raise (InternalErr "non-positive aligment passed to allocate_object")
+    else
+      size_n <- serr2InternalErr (sizeof DEFAULT_FUEL None ty) ;;
+      let size_z := Z.of_nat size_n in
+      let mask := C.representable_alignment_mask size_z in
+      let size_z' := C.representable_length size_z in
+      let size_n' := Z.to_nat size_z' in
+      let align_n' := Z.max align_n (1 + (AddressValue.to_Z (AddressValue.bitwise_complement (AddressValue.of_Z mask)))) in
+
+      (*
     (if (negb ((size_n =? size_n') && (align_n =? align_n')))
     then
       mprint_msg
@@ -891,60 +894,60 @@ Module Type CheriMemoryImpl
                   ", size= " ++ String.dec_str size_n' ++
                     ", align= " ++ String.dec_str align_n')
     else ret tt) ;;
-     *)
+       *)
 
-    (match init_opt with
-     | None =>
-         '(alloc_id, addr) <- allocator size_n' align_n' false pref (Some ty) IsWritable ;;
-         ret (alloc_id, addr, false)
-     | Some mval =>  (* here we allocate an object with initiliazer *)
-         let (ro,readonly_status) :=
-           match pref with
-           | CoqSymbol.PrefStringLiteral _ _ => (true, IsReadOnly ReadonlyStringLiteral)
-           | CoqSymbol.PrefTemporaryLifetime _ _ =>
-               (true, IsReadOnly ReadonlyTemporaryLifetime)
-           | _ =>
-               (true, IsReadOnly ReadonlyConstQualified)
-                 (* | _ => (false,IsWritable) *)
-           end
-         in
-         '(alloc_id, addr) <- allocator size_n' align_n' false pref (Some ty) readonly_status ;;
-         (* We should be careful not to introduce a state change here
+      (match init_opt with
+       | None =>
+           '(alloc_id, addr) <- allocator size_n' align_n' false pref (Some ty) IsWritable ;;
+           ret (alloc_id, addr, false)
+       | Some mval =>  (* here we allocate an object with initiliazer *)
+           let (ro,readonly_status) :=
+             match pref with
+             | CoqSymbol.PrefStringLiteral _ _ => (true, IsReadOnly ReadonlyStringLiteral)
+             | CoqSymbol.PrefTemporaryLifetime _ _ =>
+                 (true, IsReadOnly ReadonlyTemporaryLifetime)
+             | _ =>
+                 (true, IsReadOnly ReadonlyConstQualified)
+                   (* | _ => (false,IsWritable) *)
+             end
+           in
+           '(alloc_id, addr) <- allocator size_n' align_n' false pref (Some ty) readonly_status ;;
+           (* We should be careful not to introduce a state change here
          in case of error which happens after the [allocator]
          invocation, as [allocator] modifies state. In the current
          implementation, this is not happening, as errors are handled
          as [InternalErr] which supposedly should terminate program
          evaluation.  *)
-         st <- get ;;
-         '(funptrmap, capmeta, pre_bs) <- serr2InternalErr (repr DEFAULT_FUEL st.(funptrmap) st.(capmeta) addr mval) ;;
-         let bs := mapi (fun i b => (AddressValue.with_offset addr (Z.of_nat i), b)) pre_bs in
-         let bytemap := List.fold_left (fun acc '(addr, b) => AMap.M.add addr b acc) bs st.(bytemap) in
-         put {|
-             next_alloc_id    := st.(next_alloc_id);
-             last_address     := st.(last_address) ;
-             allocations      := st.(allocations);
-             funptrmap        := funptrmap;
-             varargs          := st.(varargs);
-             next_varargs_id  := st.(next_varargs_id);
-             bytemap          := bytemap;
-             capmeta          := capmeta;
-           |}
-         ;;
-         ret (alloc_id, addr, ro)
-     end)
-      >>=
-      fun '(alloc_id, addr, ro)  =>
-        let c := C.alloc_cap addr (AddressValue.of_Z size_z') in
-        let c :=
-          if ro then
-            let p := C.cap_get_perms c in
-            let p := Permissions.perm_clear_store p in
-            let p := Permissions.perm_clear_store_cap p in
-            let p := Permissions.perm_clear_store_local_cap p in
-            C.cap_narrow_perms c p
-          else c
-        in
-        ret (PVconcrete c).
+           st <- get ;;
+           '(funptrmap, capmeta, pre_bs) <- serr2InternalErr (repr DEFAULT_FUEL st.(funptrmap) st.(capmeta) addr mval) ;;
+           let bs := mapi (fun i b => (AddressValue.with_offset addr (Z.of_nat i), b)) pre_bs in
+           let bytemap := List.fold_left (fun acc '(addr, b) => AMap.M.add addr b acc) bs st.(bytemap) in
+           put {|
+               next_alloc_id    := st.(next_alloc_id);
+               last_address     := st.(last_address) ;
+               allocations      := st.(allocations);
+               funptrmap        := funptrmap;
+               varargs          := st.(varargs);
+               next_varargs_id  := st.(next_varargs_id);
+               bytemap          := bytemap;
+               capmeta          := capmeta;
+             |}
+           ;;
+           ret (alloc_id, addr, ro)
+       end)
+        >>=
+        fun '(alloc_id, addr, ro)  =>
+          let c := C.alloc_cap addr (AddressValue.of_Z size_z') in
+          let c :=
+            if ro then
+              let p := C.cap_get_perms c in
+              let p := Permissions.perm_clear_store p in
+              let p := Permissions.perm_clear_store_cap p in
+              let p := Permissions.perm_clear_store_local_cap p in
+              C.cap_narrow_perms c p
+            else c
+          in
+          ret (PVconcrete c).
 
 
   Definition cap_is_null  (c : C.t) : bool :=
diff --git a/coq/Proofs/Revocation.v b/coq/Proofs/Revocation.v
@@ -4105,7 +4105,7 @@ Module CheriMemoryImplWithProofs
     same_state_steps.
   Qed.
 
-  Instance allocate_object_PreservesInvariant
+  Instance allocate_object_PreservesInvariantg
     (tid:MemCommonExe.thread_id)
     (pref:CoqSymbol.prefix)
     (int_val:integer_value)
@@ -4116,7 +4116,78 @@ Module CheriMemoryImplWithProofs
   Proof.
     intros s.
     unfold allocate_object.
-    (* TODO: postponed until I figure out readonly logic and re-prove `allocator` *)
+    break_if;[preserves_step|].
+    preserves_step.
+    preserves_step.
+    preserves_step.
+    -
+      break_match_goal; repeat break_let.
+      +
+        apply bind_PreservesInvariant_value.
+        intros H s'0 x0 H0.
+
+
+        assert(mem_invariant s'0) as S0.
+        {
+          pose proof (allocator_PreservesInvariant (Z.to_nat (Capability_GS.representable_length (Z.of_nat x)))
+                        (Z.max (num_of_int int_val)
+                           (1 +
+                              AddressValue.to_Z
+                                (AddressValue.bitwise_complement
+                                   (AddressValue.of_Z
+                                      (Capability_GS.representable_alignment_mask (Z.of_nat x))))))
+                        false pref (Some ty) r
+            ) as A.
+          autospecialize A.
+          lia.
+          specialize (A s' H).
+          unfold post_exec_invariant, lift_sum_p in A.
+          clear Heqp.
+          break_match_hyp.
+          --
+            unfold execErrS in Heqs0.
+            break_let.
+            tuple_inversion.
+            invc Heqs0.
+          --
+            unfold execErrS in Heqs0.
+            break_let.
+            tuple_inversion.
+            apply ret_inr in Heqs0.
+            invc Heqs0.
+            assumption.
+        }
+
+        split.
+        *
+          apply S0.
+        *
+          repeat break_let.
+          preserves_step.
+          preserves_step.
+          preserves_step.
+          repeat break_let.
+          preserves_step;[|preserves_step].
+          preserves_step.
+
+          bool_to_prop_hyp.
+          destruct x1, p0.
+          tuple_inversion.
+
+          (* TODO: need `allocator_capmeta_spec`
+             similar to `init_ghost_tags_spec`
+           *)
+
+          admit.
+      +
+        preserves_step.
+        apply allocator_PreservesInvariant.
+        lia.
+        break_let.
+        preserves_step.
+    -
+      repeat break_let.
+      preserves_step.
   Admitted.
 
   Instance allocate_region_PreservesInvariant
