Apply code reviews

Author: febyeji

ArchSem/GenPromising.v

@@ -391,46 +391,41 @@ Module GenPromising (IWA : InterfaceWithArch) (TM : TermModelsT IWA).
           run fuel
         else mthrow "Could not finish running within the size of the fuel".
 
-    (** Explore all possible promise-based executions across all threads. *)
-    Fixpoint prune_promises_and_states (fuel_per_tid fuel : nat)
-        (finals : list final) : Exec.t t string (list final) :=
+    (** Computationally evaluate all the possible allowed final states according
+        to the promising model prom starting from st with promise-first optimization.
+        The size of fuel should be at least (# of promises) + max(# of instructions) + 1 *)
+    Fixpoint run_promise_first (fuel : nat) : Exec.t t string final :=
       if fuel is S fuel then
         st ← mGet;
         (* Find out next possible promises or terminating states at the current thread *)
         executions ←
           vmapM (λ '(tid, ts),
             '(promises_per_tid, tstates_per_tid) ←
               mlift $ prom.(enumerate_promises_and_terminal_states)
-                        fuel_per_tid (fin_to_nat tid) (term tid) (initmem st) ts (events st);
+                        fuel (fin_to_nat tid) (term tid) (initmem st) ts (events st);
             mret (map (.,tid) promises_per_tid, tstates_per_tid)
           ) (venumerate (tstates st));
-        (* Compute cartesian products of the possible thread states *)
-        let tstates_all := cprodn (vmap snd executions) in
-        let new_finals :=
-          omap (λ tstates,
-            let st := Make tstates st.(PState.initmem) st.(PState.events) in
-            if decide $ terminated prom term st is left pt
-            then Some (make_final st pt)
-            else None
-          ) tstates_all in
-
-        (* Non-deterministically choose the next promise and the tid for pruning *)
-        let promises_all := List.concat executions.*1 in
+
         promise ← mchoosel (enum bool);
         if (promise : bool) then
+          (* Non-deterministically choose the next promise and the tid for pruning *)
+          let promises_all := List.concat (vmap fst executions) in
           '(next_ev, tid) ← mchoosel promises_all;
           mSet (λ st, promise_tid prom st tid next_ev);;
-          prune_promises_and_states fuel_per_tid fuel (new_finals ++ finals)
+          run_promise_first fuel
         else
-          mret (new_finals ++ finals)
-      else mret finals.
-
-    (** Computational evaluate all the possible allowed final states according
-        to the promising model prom starting from st
-        with promise-first optimization *)
-    Definition run_promise_first (fuel : nat) : Exec.t t string final :=
-      finals ← prune_promises_and_states fuel fuel [];
-      mchoosel finals.
+          (* Compute cartesian products of the possible thread states *)
+          let tstates_all := cprodn (vmap snd executions) in
+          let new_finals :=
+            omap (λ tstates,
+              let st := Make tstates st.(PState.initmem) st.(PState.events) in
+              if decide $ terminated prom term st is left pt
+              then Some (make_final st pt)
+              else None
+            ) tstates_all in
+          mchoosel new_finals
+      else
+        mthrow "Could not finish running within the size of the fuel".
 
     End CPS.
     Arguments to_final_archState {_ _ _}.
@@ -439,27 +434,14 @@ Module GenPromising (IWA : InterfaceWithArch) (TM : TermModelsT IWA).
   (** Create a computational model from an ISA model and promising model *)
   Definition Promising_to_Modelc (isem : iMon ()) (prom : BasicExecutablePM)
       (fuel : nat) : archModel.c ∅ :=
-    λ n term (initMs : archState n),
-      PState.from_archState prom initMs |>
-      archModel.Res.from_exec
-        $ CPState.to_final_archState
-        <$> CPState.run isem prom term fuel.
-
-  (** Create a computational model from an ISA model and promising model
-      with promise-first optimization *)
-  Definition Promising_to_Modelc_pf (isem : iMon ()) (prom : BasicExecutablePM)
-      (fuel : nat) : archModel.c ∅ :=
     λ n term (initMs : archState n),
       PState.from_archState prom initMs |>
       archModel.Res.from_exec
         $ CPState.to_final_archState
         <$> CPState.run_promise_first prom term fuel.
 
-    (* TODO state some soundness lemma between Promising_to_Modelnc and
-        Promising_Modelc *)
-
 End GenPromising.
 
 Module Type GenPromisingT (IWA : InterfaceWithArch) (TM : TermModelsT IWA).
   Include GenPromising IWA TM.
-End GenPromisingT.
+End GenPromisingT.

ArchSemArm/UMPromising.v

@@ -659,7 +659,7 @@ Section ComputeProm.
     else
       mret res.
 
-  (* Run the thread state until termination, collecting certifiable promises.
+  (* Run the thread state until termination, collecting certified promises.
      Returns true if termination occurs within the given fuel,
      false otherwise. *)
   Fixpoint run_to_termination_promise
@@ -681,19 +681,7 @@ Section ComputeProm.
         run_to_termination_promise isem fuel base
     end.
 
-    Definition run_to_termination (isem : iMon ())
-                                (fuel : nat)
-                                (ts : TState.t)
-                                (mem : Memory.t) :
-      result string (list Msg.t * list TState.t) :=
-    let base := List.length mem in
-    let res := Exec.results $
-      run_to_termination_promise isem fuel base (CProm.init, PPState.Make ts mem IIS.init) in
-    guard_or ("Could not finish promises within the size of the fuel")%string
-      (∀ r ∈ res, r.2 = true);;
-    mret $ (CProm.proms (union_list res.*1.*1), []).
-
-  Definition run_to_termination_pf (isem : iMon ())
+  Definition run_to_termination (isem : iMon ())
                                 (fuel : nat)
                                 (ts : TState.t)
                                 (mem : Memory.t)
@@ -782,17 +770,17 @@ Definition UMPromising_cert_nc isem :=
 
 (** Implement the Executable Promising Model (Promise-Free) *)
 
-Program Definition UMPromising_exe_pf' (isem : iMon ())
+Program Definition UMPromising_exe' (isem : iMon ())
     : BasicExecutablePM :=
   {|pModel := UMPromising_cert' isem;
     enumerate_promises_and_terminal_states :=
       λ fuel tid term initmem ts mem,
-          run_to_termination_pf tid initmem term isem fuel ts mem
+          run_to_termination tid initmem term isem fuel ts mem
   |}.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 
-Definition UMPromising_cert_c_pf isem fuel :=
-  Promising_to_Modelc_pf isem (UMPromising_exe_pf' isem) fuel.
+Definition UMPromising_cert_c isem fuel :=
+  Promising_to_Modelc isem (UMPromising_exe' isem) fuel.

ArchSemArm/VMPromising.v

@@ -1942,7 +1942,7 @@ Section ComputeProm.
     else
       mret res.
 
-  (* Run the thread state until termination, collecting certifiable promises.
+  (* Run the thread state until termination, collecting certified promises.
     Returns true if termination occurs within the given fuel,
     false otherwise. *)
   Fixpoint run_to_termination_promise
@@ -1964,19 +1964,7 @@ Section ComputeProm.
         run_to_termination_promise isem fuel base
     end.
 
-    Definition run_to_termination (isem : iMon ())
-                                (fuel : nat)
-                                (ts : TState.t)
-                                (mem : Memory.t) :
-      result string (list Ev.t * list TState.t) :=
-    let base := List.length mem in
-    let res := Exec.results $
-      run_to_termination_promise isem fuel base (CProm.init, PPState.Make ts mem IIS.init) in
-    guard_or ("Could not finish promises within the size of the fuel")%string
-      (∀ r ∈ res, r.2 = true);;
-    mret $ (CProm.proms (union_list res.*1.*1), []).
-
-  Definition run_to_termination_pf (isem : iMon ())
+  Definition run_to_termination (isem : iMon ())
                                 (fuel : nat)
                                 (ts : TState.t)
                                 (mem : Memory.t)
@@ -2059,17 +2047,17 @@ Definition VMPromising_cert' (isem : iMon ()) : PromisingModel :=
 
 (** Implement the Executable Promising Model (Promise-Free) *)
 
-Program Definition VMPromising_exe_pf' (isem : iMon ())
+Program Definition VMPromising_exe' (isem : iMon ())
     : BasicExecutablePM :=
   {|pModel := VMPromising_cert' isem;
     enumerate_promises_and_terminal_states :=
       λ fuel tid term initmem ts mem,
-          run_to_termination_pf tid initmem term isem fuel ts mem
+          run_to_termination tid initmem term isem fuel ts mem
   |}.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 
-Definition VMPromising_cert_c_pf isem fuel :=
-  Promising_to_Modelc_pf isem (VMPromising_exe_pf' isem) fuel.
+Definition VMPromising_cert_c isem fuel :=
+  Promising_to_Modelc isem (VMPromising_exe' isem) fuel.

ArchSemArm/tests/UMPromisingTest.v

@@ -116,10 +116,10 @@ Module EOR.
 
   Definition fuel := 2%nat.
 
-  Definition test_results_pf :=
-    UMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    UMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf = Listset [Ok 0x110%Z].
+  Goal reg_extract R0 0%fin <$> test_results = Listset [Ok 0x110%Z].
     vm_compute (_ <$> _).
     reflexivity.
   Qed.
@@ -151,10 +151,10 @@ Module LDR. (* LDR X0, [X1, X0] at 0x500, loading from 0x1000 *)
 
   Definition fuel := 2%nat.
 
-  Definition test_results_pf :=
-    UMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    UMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf = Listset [Ok 0x2a%Z].
+  Goal reg_extract R0 0%fin <$> test_results = Listset [Ok 0x2a%Z].
     vm_compute (_ <$> _).
     reflexivity.
   Qed.
@@ -186,12 +186,12 @@ Module STRLDR. (* STR X2, [X1, X0]; LDR X0, [X1, X0] at 0x500, using address 0x1
       archState.regs := [# init_reg];
       archState.address_space := PAS_NonSecure |}.
 
-  Definition fuel := 3%nat.
+  Definition fuel := 4%nat.
 
-  Definition test_results_pf :=
-    UMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    UMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf ≡ Listset [Ok 0x2a%Z].
+  Goal reg_extract R0 0%fin <$> test_results ≡ Listset [Ok 0x2a%Z].
     vm_compute (_ <$> _).
     set_solver.
   Qed.
@@ -257,10 +257,10 @@ Module MP.
 
   Definition fuel := 6%nat.
 
-  Definition test_results_pf :=
-    UMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    UMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results_pf) ≡ₚ
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
     [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]; Ok [0x1%Z; 0x0%Z]].
   Proof.
     vm_compute (elements _).
@@ -327,12 +327,12 @@ Module MPDMBS.
       archState.regs := [# init_reg_t1; init_reg_t2];
       archState.address_space := PAS_NonSecure |}.
 
-  Definition fuel := 8%nat.
+  Definition fuel := 9%nat.
 
-  Definition test_results_pf :=
-    UMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    UMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results_pf) ≡ₚ
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
     [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]].
   Proof.
     vm_compute (elements _).

ArchSemArm/tests/VMPromisingTest.v

@@ -126,10 +126,10 @@ Module EORMMUOFF.
 
   Definition fuel := 2%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf = Listset [Ok 0x110%Z].
+  Goal reg_extract R0 0%fin <$> test_results = Listset [Ok 0x110%Z].
     vm_compute (_ <$> _).
     reflexivity.
   Qed.
@@ -192,10 +192,10 @@ Module EOR.
 
   Definition fuel := 2%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf = Listset [Ok 0x110%Z].
+  Goal reg_extract R0 0%fin <$> test_results = Listset [Ok 0x110%Z].
     vm_compute (_ <$> _).
     reflexivity.
   Qed.
@@ -245,10 +245,10 @@ Module LDR.
 
   Definition fuel := 2%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf = Listset [Ok 0x2a%Z].
+  Goal reg_extract R0 0%fin <$> test_results = Listset [Ok 0x2a%Z].
     vm_compute (_ <$> _).
     reflexivity.
   Qed.
@@ -297,10 +297,10 @@ Module STRLDR.
 
   Definition fuel := 4%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal reg_extract R0 0%fin <$> test_results_pf ≡ Listset [Ok 0x2a%Z].
+  Goal reg_extract R0 0%fin <$> test_results ≡ Listset [Ok 0x2a%Z].
     vm_compute (_ <$> _).
     set_solver.
   Qed.
@@ -364,13 +364,13 @@ Module LDRPT.
       archState.regs := [# init_reg];
       archState.address_space := PAS_NonSecure |}.
 
-  Definition fuel := 4%nat.
+  Definition fuel := 5%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
   (* R0 should be 0x2a (from old mapping), R4 should be 0x42 (from new mapping) *)
-  Goal elements (regs_extract [(0%fin, R0); (0%fin, R4)] <$> test_results_pf) ≡ₚ
+  Goal elements (regs_extract [(0%fin, R0); (0%fin, R4)] <$> test_results) ≡ₚ
       [Ok [0x2a%Z; 0x2a%Z]; Ok [0x2a%Z; 0x42%Z]].
   Proof.
     vm_compute (elements _).
@@ -457,12 +457,12 @@ Module MP.
       archState.regs := [# init_reg_t1; init_reg_t2];
       archState.address_space := PAS_NonSecure |}.
 
-  Definition fuel := 6%nat.
+  Definition fuel := 8%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
-  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results_pf) ≡ₚ
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
     [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]; Ok [0x1%Z; 0x0%Z]].
   Proof.
     vm_compute (elements _).
@@ -551,11 +551,11 @@ Module MPDMBS.
 
   Definition fuel := 8%nat.
 
-  Definition test_results_pf :=
-    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+  Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
   (** The test is fenced enough, the 0x1; 0x0 outcome is impossible*)
-  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results_pf) ≡ₚ
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
     [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]].
   Proof.
     vm_compute (elements _).