Pass MP, MPDMBS tests with address translation

Author: febyeji

ArchSemArm/VMPromising.v

@@ -2102,8 +2102,20 @@ Next Obligation. Admitted.
 Next Obligation. Admitted.
 Next Obligation. Admitted.
 
+Program Definition VMPromising_exe_pf' (isem : iMon ())
+    : BasicExecutablePM :=
+  {|pModel := VMPromising_cert' isem;
+    enumerate_promises_and_terminal_states :=
+      λ fuel tid term initmem ts mem,
+          run_to_termination_pf tid initmem term isem fuel ts mem
+  |}.
+Next Obligation. Admitted.
+Next Obligation. Admitted.
+Next Obligation. Admitted.
+Next Obligation. Admitted.
+
 Definition VMPromising_cert_c isem fuel :=
   Promising_to_Modelc isem (VMPromising_exe' isem) fuel.
 
 Definition VMPromising_cert_c_pf isem fuel :=
-  Promising_to_Modelc_pf isem (VMPromising_exe' isem) fuel.
+  Promising_to_Modelc_pf isem (VMPromising_exe_pf' isem) fuel.

ArchSemArm/tests/UMPromisingTest.v

@@ -301,3 +301,85 @@ Module MP.
     apply NoDup_Permutation; try solve_NoDup; set_solver.
   Qed.
 End MP.
+
+Module MPDMBS.
+  (* A classic MP litmus test
+     Thread 1: STR X2, [X1, X0]; DMB SY; STR X5, [X4, X3]
+     Thread 2: LDR X5, [X4, X3]; DMB SY; LDR X2, [X1, X0]
+     Expected outcome of (R5, R2) at Thread 2:
+       (0x1, 0x2a), (0x0, 0x2a), (0x0, 0x0)
+  *)
+
+  Definition init_reg_t1 : registerMap :=
+    ∅
+    |> reg_insert _PC 0x500
+    |> reg_insert R0 0x1000
+    |> reg_insert R1 0x100
+    |> reg_insert R3 0x1000
+    |> reg_insert R4 0x200
+    |> reg_insert R2 0x2a
+    |> reg_insert R5 0x1
+    |> reg_insert SCTLR_EL1 0x0
+    |> reg_insert PSTATE (init_pstate 0%bv 0%bv).
+
+  Definition init_reg_t2 : registerMap :=
+    ∅
+    |> reg_insert _PC 0x600
+    |> reg_insert R0 0x1000
+    |> reg_insert R1 0x100
+    |> reg_insert R3 0x1000
+    |> reg_insert R4 0x200
+    |> reg_insert R2 0x0
+    |> reg_insert R5 0x0
+    |> reg_insert SCTLR_EL1 0x0
+    |> reg_insert PSTATE (init_pstate 0%bv 0%bv).
+
+  Definition init_mem : memoryMap :=
+    ∅
+    (* Thread 1 @ 0x500 *)
+    |> mem_insert 0x500 4 0xf8206822  (* STR X2, [X1, X0] *)
+    |> mem_insert 0x504 4 0xd5033fbf  (* DMB SY *)
+    |> mem_insert 0x508 4 0xf8236885  (* STR X5, [X4, X3] *)
+    (* Thread 2 @ 0x600 *)
+    |> mem_insert 0x600 4 0xf8636885  (* LDR X5, [X4, X3] *)
+    |> mem_insert 0x604 4 0xd5033fbf  (* DMB SY *)
+    |> mem_insert 0x608 4 0xf8606822  (* LDR X2, [X1, X0] *)
+    (* Backing memory so the addresses exist *)
+    |> mem_insert 0x1100 8 0x0
+    |> mem_insert 0x1200 8 0x0.
+
+  Definition n_threads := 2%nat.
+
+  Definition terminate_at := [# Some (0x50c : bv 64); Some (0x60c : bv 64)].
+
+  (* Each thread’s PC must reach the end of its three instructions *)
+  Definition termCond : terminationCondition n_threads :=
+    (λ tid rm, reg_lookup _PC rm =? terminate_at !!! tid).
+
+  Definition initState :=
+    {|archState.memory := init_mem;
+      archState.regs := [# init_reg_t1; init_reg_t2];
+      archState.address_space := PAS_NonSecure |}.
+
+  Definition fuel := 8%nat.
+
+  Definition test_results :=
+    UMPromising_cert_c arm_sem fuel n_threads termCond initState.
+
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
+    [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]].
+  Proof.
+    vm_compute (elements _).
+    apply NoDup_Permutation; try solve_NoDup; set_solver.
+  Qed.
+
+  Definition test_results_pf :=
+    UMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results_pf) ≡ₚ
+    [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]].
+  Proof.
+    vm_compute (elements _).
+    apply NoDup_Permutation; try solve_NoDup; set_solver.
+  Qed.
+End MPDMBS.

ArchSemArm/tests/VMPromisingTest.v

@@ -421,7 +421,7 @@ Module LDRPT.
   Qed.
 End LDRPT.
 
-(* Module MP.
+Module MP.
   (* A classic MP litmus test with address translation
      Thread 1: STR X2, [X1, X0]; STR X5, [X4, X3]
      Thread 2: LDR X5, [X4, X3]; LDR X2, [X1, X0]
@@ -476,15 +476,15 @@ End LDRPT.
     |> mem_insert 0x1100 8 0x0
     |> mem_insert 0x1200 8 0x0
     (* L0[1] -> L1  (for VA with L0 index = 1) *)
-    |> mem_insert 0x80008 8 0x81003
+    |> mem_insert 0x80008 8 0x81803
     (* L1[0] -> L2 *)
-    |> mem_insert 0x81000 8 0x82003
+    |> mem_insert 0x81000 8 0x82803
     (* L2[0] -> L3 *)
-    |> mem_insert 0x82000 8 0x83003
+    |> mem_insert 0x82000 8 0x83803
     (* L3[0] : map VA page 0x8000000000 -> PA page 0x0000 (executable) *)
-    |> mem_insert 0x83000 8 0x3
+    |> mem_insert 0x83000 8 0x403
     (* L3[1] : map VA page 0x8000001000 -> PA page 0x1000 (data) *)
-    |> mem_insert 0x83008 8 0x1003.
+    |> mem_insert 0x83008 8 0x1443.
 
   Definition n_threads := 2%nat.
 
@@ -496,23 +496,21 @@ End LDRPT.
     (λ tid rm, reg_lookup _PC rm =? terminate_at !!! tid).
 
   Definition initState :=
-    {| MState.state :=
-        {| MState.memory := init_mem;
-            MState.regs := [# init_reg_t1; init_reg_t2];
-            MState.address_space := PAS_NonSecure |};
-      MState.termCond := termCond |}.
+    {|archState.memory := init_mem;
+      archState.regs := [# init_reg_t1; init_reg_t2];
+      archState.address_space := PAS_NonSecure |}.
 
   Definition fuel := 6%nat.
 
-  Definition test_results :=
+  (* Definition test_results :=
     VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
   Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
     [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]; Ok [0x1%Z; 0x0%Z]].
   Proof.
     vm_compute (elements _).
     apply NoDup_Permutation; try solve_NoDup; set_solver.
-  Qed.
+  Qed. *)
 
   Definition test_results_pf :=
     VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
@@ -523,9 +521,9 @@ End LDRPT.
     vm_compute (elements _).
     apply NoDup_Permutation; try solve_NoDup; set_solver.
   Qed.
-End MP. *)
+End MP.
 
-(* Module MPDMBS.
+Module MPDMBS.
   (* A classic MP litmus test with address translation
      Thread 1: STR X2, [X1, X0]; DMB SY; STR X5, [X4, X3]
      Thread 2: LDR X5, [X4, X3]; DMB SY; LDR X2, [X1, X0]
@@ -587,9 +585,9 @@ End MP. *)
     (* L2[0] -> L3 *)
     |> mem_insert 0x82000 8 0x83003
     (* L3[0] : map VA page 0x8000000000 -> PA page 0x0000 (executable) *)
-    |> mem_insert 0x83000 8 0x3
+    |> mem_insert 0x83000 8 0x403
     (* L3[1] : map VA page 0x8000001000 -> PA page 0x1000 (data) *)
-    |> mem_insert 0x83008 8 0x1003.
+    |> mem_insert 0x83008 8 0x60000000001443.
 
   Definition n_threads := 2%nat.
 
@@ -600,22 +598,31 @@ End MP. *)
     (λ tid rm, reg_lookup _PC rm =? terminate_at !!! tid).
 
   Definition initState :=
-    {| MState.state :=
-        {| MState.memory := init_mem;
-            MState.regs := [# init_reg_t1; init_reg_t2];
-            MState.address_space := PAS_NonSecure |};
-      MState.termCond := termCond |}.
+    {|archState.memory := init_mem;
+      archState.regs := [# init_reg_t1; init_reg_t2];
+      archState.address_space := PAS_NonSecure |}.
 
   Definition fuel := 8%nat.
 
-  Definition test_results :=
-    VMPromising_cert_c arm_sem fuel n_threads initState.
+  (* Definition test_results :=
+    VMPromising_cert_c arm_sem fuel n_threads termCond initState.
 
   (** The test is fenced enough, the 0x1; 0x0 outcome is impossible*)
   Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results) ≡ₚ
     [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]].
   Proof.
     vm_compute (elements _).
     apply NoDup_Permutation; try solve_NoDup; set_solver.
+  Qed. *)
+
+  Definition test_results_pf :=
+    VMPromising_cert_c_pf arm_sem fuel n_threads termCond initState.
+
+  (** The test is fenced enough, the 0x1; 0x0 outcome is impossible*)
+  Goal elements (regs_extract [(1%fin, R5); (1%fin, R2)] <$> test_results_pf) ≡ₚ
+    [Ok [0x0%Z;0x2a%Z]; Ok [0x0%Z;0x0%Z]; Ok [0x1%Z; 0x2a%Z]].
+  Proof.
+    vm_compute (elements _).
+    apply NoDup_Permutation; try solve_NoDup; set_solver.
   Qed.
-End MPDMBS. *)
+End MPDMBS.