Package h-def: Definition of memory safety for the H interface
Information
| name | h-def |
| version | 1.112 |
| description | Definition of memory safety for the H interface |
| author | Joe Leslie-Hurd <joe@gilith.com> |
| license | MIT |
| provenance | HOL Light theory extracted on 2014-01-15 |
| requires | base byte word10 word12 |
| show | Data.Bool Data.Byte Data.List Data.Option Data.Pair Data.Word10 Data.Word12 Function Number.Natural Set System.H |
Files
- Package tarball h-def-1.112.tgz
- Theory source file h-def.thy (included in the package tarball)
Defined Type Operators
- System
- H
- action
- domain
- output
- page
- regionLength
- state
- view
- Page
- Page.data
- Page.offset
- Directory
- Page.Directory.data
- Page.Directory.entry
- Table
- Page.Table.data
- Physical
- Physical.address
- Physical.page
- Physical.region
- Physical.superpage
- State
- State.regions
- Superpage
- Superpage.offset
- View
- View.observablePages
- Virtual
- Virtual.address
- Virtual.page
- Virtual.region
- Virtual.superpage
- H
Defined Constants
- System
- H
- action
- domain
- interferes
- output
- view
- Action
- Action.specification
- Action.specificationAddKernelMappingH
- Action.specificationAddMapping
- Action.specificationAddMappingH
- Action.specificationAllocatePageDirectoryH
- Action.specificationDeriveRegionH
- Action.specificationExecuteH
- Action.specificationFreePageDirectoryH
- Action.specificationRemoveMappingH
- Action.specificationWriteEnvironment
- Action.specificationWriteKernel
- Action.specificationWriteUser
- Action.AddKernelMappingH
- Action.AddMappingH
- Action.AllocatePageDirectoryH
- Action.DeriveRegionH
- Action.ExecuteH
- Action.FreePageDirectoryH
- Action.RemoveMappingH
- Action.WriteEnvironment
- Action.WriteKernel
- Action.WriteUser
- Domain
- Domain.Environment
- Domain.H
- Domain.Kernel
- Domain.User
- Output
- Output.dest
- Output.mk
- Page
- Page.destDirectory
- Page.destEnvironment
- Page.destEnvironmentOrNormal
- Page.destNormal
- Page.destTable
- Page.isDirectory
- Page.isDirectoryOrTable
- Page.isEnvironment
- Page.isInstalled
- Page.isNormal
- Page.isNotInstalled
- Page.isTable
- Data
- Page.Data.dest
- Page.Data.mk
- Page.Data.update
- Page.Data.zero
- Page.Directory
- Data
- Page.Directory.Data.dest
- Page.Directory.Data.mk
- Entry
- Page.Directory.Entry.case
- Page.Directory.Entry.Superpage
- Page.Directory.Entry.Table
- Data
- Page.Environment
- Page.Normal
- Page.NotInstalled
- Offset
- Page.Offset.dest
- Page.Offset.mk
- Page.Table
- Data
- Page.Table.Data.dest
- Page.Table.Data.mk
- Data
- Physical
- Address
- Physical.Address.dest
- Physical.Address.mk
- Page
- Physical.Page.add
- Physical.Page.dest
- Physical.Page.mk
- Physical.Page.suc
- Region
- Physical.Region.exists
- Physical.Region.forall
- Physical.Region.isSubregion
- Physical.Region.length
- Physical.Region.member
- Physical.Region.mk
- Physical.Region.pageList
- Physical.Region.start
- Superpage
- Physical.Superpage.add
- Physical.Superpage.dest
- Physical.Superpage.fromNatural
- Physical.Superpage.mk
- Address
- RegionLength
- RegionLength.fromNatural
- RegionLength.toNatural
- State
- State.cr3
- State.cr3IsPageDirectory
- State.environmentOnlyInReference
- State.initialRegionsAreRegions
- State.isEnvironmentPage
- State.isNormalPage
- State.mappedPage
- State.mappedPagesAreAvailable
- State.noSharedPageTables
- State.page
- State.pageDirectoriesContainReference
- State.reference
- State.referenceContainsEnvironment
- State.referenceIsPageDirectory
- State.referenceMapsKernelAddresses
- State.regions
- State.regionsAreNotEnvironment
- State.tableMappedInDirectory
- State.tablePointersArePageTables
- State.translatePage
- State.translation
- State.unmappedNormalPage
- State.unmappedPage
- State.wellformed
- State.Regions
- State.Regions.all
- State.Regions.initial
- Superpage
- Offset
- Superpage.Offset.add
- Superpage.Offset.dest
- Superpage.Offset.fromNatural
- Superpage.Offset.mk
- Offset
- View
- View.currentPageDirectoryH
- View.equivalent
- View.mkCurrentPageDirectoryH
- View.mkObservablePagesEnvironment
- View.mkObservablePagesKernel
- View.mkObservablePagesUser
- View.mkPagesH
- View.mkReferencePageDirectoryH
- View.mkRegionHandlesH
- View.mkRegionHandlesKernel
- View.observablePagesEnvironment
- View.observablePagesKernel
- View.observablePagesUser
- View.pagesH
- View.referencePageDirectoryH
- View.regionHandlesH
- View.regionHandlesKernel
- View.Environment
- View.H
- View.Kernel
- ObservablePages
- View.ObservablePages.dest
- View.ObservablePages.fromTranslate
- View.ObservablePages.mk
- View.User
- Virtual
- Address
- Virtual.Address.dest
- Virtual.Address.isKernel
- Virtual.Address.isUser
- Virtual.Address.mk
- Page
- Virtual.Page.add
- Virtual.Page.dest
- Virtual.Page.isKernel
- Virtual.Page.isUser
- Virtual.Page.mk
- Virtual.Page.suc
- Region
- Virtual.Region.exists
- Virtual.Region.forall
- Virtual.Region.isKernel
- Virtual.Region.isSubregion
- Virtual.Region.isUser
- Virtual.Region.length
- Virtual.Region.member
- Virtual.Region.mk
- Virtual.Region.pageList
- Virtual.Region.start
- Superpage
- Virtual.Superpage.add
- Virtual.Superpage.dest
- Virtual.Superpage.fromNatural
- Virtual.Superpage.isKernel
- Virtual.Superpage.isUser
- Virtual.Superpage.mk
- Address
- H
Theorems
⊦ View.mkCurrentPageDirectoryH = State.cr3
⊦ View.mkReferencePageDirectoryH = State.reference
⊦ View.mkRegionHandlesH = State.regions
⊦ View.mkRegionHandlesKernel = State.regions
⊦ Page.Data.zero = Page.Data.mk (λi. 0)
⊦ ∀f. View.observablePagesEnvironment (View.Environment f) = f
⊦ ∀f. View.observablePagesUser (View.User f) = f
⊦ ∀n.
Physical.Superpage.fromNatural n =
Physical.Superpage.mk (fromNatural n)
⊦ ∀n. Superpage.Offset.fromNatural n = Superpage.Offset.mk (fromNatural n)
⊦ ∀n.
Virtual.Superpage.fromNatural n = Virtual.Superpage.mk (fromNatural n)
⊦ ∀p. Page.isDirectory p ⇔ isSome (Page.destDirectory p)
⊦ ∀p. Page.isEnvironment p ⇔ isSome (Page.destEnvironment p)
⊦ ∀p. Page.isInstalled p ⇔ ¬Page.isNotInstalled p
⊦ ∀p. Page.isNormal p ⇔ isSome (Page.destNormal p)
⊦ ∀p. Page.isTable p ⇔ isSome (Page.destTable p)
⊦ ∀va. Virtual.Address.isUser va ⇔ ¬Virtual.Address.isKernel va
⊦ ∀vpa. Virtual.Page.isUser vpa ⇔ ¬Virtual.Page.isKernel vpa
⊦ ∀vr.
Virtual.Region.isKernel vr ⇔
Virtual.Region.forall Virtual.Page.isKernel vr
⊦ ∀vr.
Virtual.Region.isUser vr ⇔ Virtual.Region.forall Virtual.Page.isUser vr
⊦ ∀vsa. Virtual.Superpage.isUser vsa ⇔ ¬Virtual.Superpage.isKernel vsa
⊦ ∀s l. Physical.Region.length (Physical.Region.mk s l) = l
⊦ ∀s l. Physical.Region.start (Physical.Region.mk s l) = s
⊦ ∀f g. View.regionHandlesKernel (View.Kernel f g) = g
⊦ ∀f g. View.observablePagesKernel (View.Kernel f g) = f
⊦ ∀s l. Virtual.Region.length (Virtual.Region.mk s l) = l
⊦ ∀s l. Virtual.Region.start (Virtual.Region.mk s l) = s
⊦ ∀i a. State.Regions.all (State.Regions i a) = a
⊦ ∀i a. State.Regions.initial (State.Regions i a) = i
⊦ View.mkObservablePagesKernel =
View.ObservablePages.fromTranslate
(λs vpa. State.translatePage s (State.cr3 s) vpa)
⊦ ∀p. Page.isDirectoryOrTable p ⇔ Page.isDirectory p ∨ Page.isTable p
⊦ ∀s.
State.cr3IsPageDirectory s ⇔
Page.isDirectory (State.page s (State.cr3 s))
⊦ ∀s.
State.referenceIsPageDirectory s ⇔
Page.isDirectory (State.page s (State.reference s))
⊦ ∀s ppa.
State.isEnvironmentPage s ppa ⇔ Page.isEnvironment (State.page s ppa)
⊦ ∀s ppa. State.isNormalPage s ppa ⇔ Page.isNormal (State.page s ppa)
⊦ ∀ppa pr.
Physical.Region.member ppa pr ⇔
member ppa (Physical.Region.pageList pr)
⊦ ∀ppa vr.
Virtual.Region.member ppa vr ⇔ member ppa (Virtual.Region.pageList vr)
⊦ ∀p pr. Physical.Region.exists p pr ⇔ any p (Physical.Region.pageList pr)
⊦ ∀p pr. Physical.Region.forall p pr ⇔ all p (Physical.Region.pageList pr)
⊦ ∀p vr. Virtual.Region.exists p vr ⇔ any p (Virtual.Region.pageList vr)
⊦ ∀p vr. Virtual.Region.forall p vr ⇔ all p (Virtual.Region.pageList vr)
⊦ ∀s.
State.initialRegionsAreRegions s ⇔
State.Regions.initial (State.regions s) ⊆
State.Regions.all (State.regions s)
⊦ ∀a s. output a s = Output.mk (view (domain a) s)
⊦ ∀pr1 pr2.
Physical.Region.isSubregion pr1 pr2 ⇔
Physical.Region.forall (λppa. Physical.Region.member ppa pr2) pr1
⊦ ∀vr1 vr2.
Virtual.Region.isSubregion vr1 vr2 ⇔
Virtual.Region.forall (λppa. Virtual.Region.member ppa vr2) vr1
⊦ ∀psa n.
Physical.Superpage.add psa n =
Physical.Superpage.mk (Physical.Superpage.dest psa + fromNatural n)
⊦ ∀si n.
Superpage.Offset.add si n =
Superpage.Offset.mk (Superpage.Offset.dest si + fromNatural n)
⊦ ∀vsa n.
Virtual.Superpage.add vsa n =
Virtual.Superpage.mk (Virtual.Superpage.dest vsa + fromNatural n)
⊦ ∀p. (∀s l. p (Physical.Region.mk s l)) ⇒ ∀pr. p pr
⊦ ∀P. (∀a0 a1. P (State.Regions a0 a1)) ⇒ ∀x. P x
⊦ ∀p. (∀s l. p (Virtual.Region.mk s l)) ⇒ ∀pr. p pr
⊦ View.mkObservablePagesUser =
View.ObservablePages.fromTranslate
(λs vpa.
if Virtual.Page.isUser vpa then
State.translatePage s (State.cr3 s) vpa
else none)
⊦ ∀s ppa.
State.unmappedNormalPage s ppa ⇔
State.unmappedPage s ppa ∧ State.isNormalPage s ppa
⊦ ∀s.
State.referenceMapsKernelAddresses s ⇔
∀vpa.
State.mappedPage s (State.reference s) vpa ⇒
Virtual.Page.isKernel vpa
⊦ ∀c r s g. State.cr3 (State c r s g) = c
⊦ ∀c r s g. State.reference (State c r s g) = r
⊦ ∀c r s g. State.regions (State c r s g) = g
⊦ ∀c r s g. State.page (State c r s g) = s
⊦ ∀c p g r. View.currentPageDirectoryH (View.H c p g r) = c
⊦ ∀c p g r. View.referencePageDirectoryH (View.H c p g r) = r
⊦ ∀c p g r. View.regionHandlesH (View.H c p g r) = g
⊦ ∀c p g r. View.pagesH (View.H c p g r) = p
⊦ ∀f. ∃fn. ∀s l. fn (Physical.Region.mk s l) = f s l
⊦ ∀f. ∃fn. ∀s l. fn (Virtual.Region.mk s l) = f s l
⊦ ∀f. ∃fn. ∀a0 a1. fn (State.Regions a0 a1) = f a0 a1
⊦ (∀x. Output.mk (Output.dest x) = x) ∧ ∀v. Output.dest (Output.mk v) = v
⊦ (∀l. RegionLength.fromNatural (RegionLength.toNatural l) = l) ∧
∀n. RegionLength.toNatural (RegionLength.fromNatural n) = n
⊦ (∀d. Page.Data.mk (Page.Data.dest d) = d) ∧
∀f. Page.Data.dest (Page.Data.mk f) = f
⊦ (∀i. Page.Offset.mk (Page.Offset.dest i) = i) ∧
∀w. Page.Offset.dest (Page.Offset.mk w) = w
⊦ (∀d. Page.Directory.Data.mk (Page.Directory.Data.dest d) = d) ∧
∀f. Page.Directory.Data.dest (Page.Directory.Data.mk f) = f
⊦ (∀t. Page.Table.Data.mk (Page.Table.Data.dest t) = t) ∧
∀f. Page.Table.Data.dest (Page.Table.Data.mk f) = f
⊦ (∀pa. Physical.Address.mk (Physical.Address.dest pa) = pa) ∧
∀r. Physical.Address.dest (Physical.Address.mk r) = r
⊦ (∀ppa. Physical.Page.mk (Physical.Page.dest ppa) = ppa) ∧
∀r. Physical.Page.dest (Physical.Page.mk r) = r
⊦ (∀psa. Physical.Superpage.mk (Physical.Superpage.dest psa) = psa) ∧
∀w. Physical.Superpage.dest (Physical.Superpage.mk w) = w
⊦ (∀si. Superpage.Offset.mk (Superpage.Offset.dest si) = si) ∧
∀w. Superpage.Offset.dest (Superpage.Offset.mk w) = w
⊦ (∀v. View.ObservablePages.mk (View.ObservablePages.dest v) = v) ∧
∀f. View.ObservablePages.dest (View.ObservablePages.mk f) = f
⊦ (∀va. Virtual.Address.mk (Virtual.Address.dest va) = va) ∧
∀r. Virtual.Address.dest (Virtual.Address.mk r) = r
⊦ (∀vpa. Virtual.Page.mk (Virtual.Page.dest vpa) = vpa) ∧
∀r. Virtual.Page.dest (Virtual.Page.mk r) = r
⊦ (∀vsa. Virtual.Superpage.mk (Virtual.Superpage.dest vsa) = vsa) ∧
∀w. Virtual.Superpage.dest (Virtual.Superpage.mk w) = w
⊦ ∀s pd vpa.
State.mappedPage s pd vpa ⇔ isSome (State.translatePage s pd vpa)
⊦ ∀s l.
Physical.Region.pageList (Physical.Region.mk s l) =
map (Physical.Page.add s) (interval 0 (RegionLength.toNatural l))
⊦ ∀s l.
Virtual.Region.pageList (Virtual.Region.mk s l) =
map (Virtual.Page.add s) (interval 0 (RegionLength.toNatural l))
⊦ ∀P.
(∀a. P (Page.Directory.Entry.Superpage a)) ∧
(∀a. P (Page.Directory.Entry.Table a)) ⇒ ∀x. P x
⊦ ∀d s t. View.equivalent d s t ⇔ view d s = view d t
⊦ ∀s ppa.
View.mkPagesH s ppa =
let page ← State.page s ppa in
if Page.isNormal page then none else some page
⊦ ∀p.
p Domain.Environment ∧ p Domain.H ∧ p Domain.Kernel ∧ p Domain.User ⇒
∀d. p d
⊦ ∀s.
State.mappedPagesAreAvailable s ⇔
∀pd vpa.
case State.translatePage s pd vpa of
none → ⊤
| some ppa → Page.isInstalled (State.page s ppa)
⊦ ∀va.
Virtual.Address.isKernel va ⇔
let (vpa, i) ← Virtual.Address.dest va in Virtual.Page.isKernel vpa
⊦ ∀vpa.
Virtual.Page.isKernel vpa ⇔
let (vsa, si) ← Virtual.Page.dest vpa in Virtual.Superpage.isKernel vsa
⊦ ∀P. (∀a0 a1 a2 a3. P (State a0 a1 a2 a3)) ⇒ ∀x. P x
⊦ ∀k v d.
Page.Data.update k v d =
Page.Data.mk (λi. if i = k then v else Page.Data.dest d i)
⊦ ∀a s s'.
action a s s' ⇔
State.wellformed s ∧ State.wellformed s' ∧ Action.specification a s s'
⊦ View.mkObservablePagesEnvironment =
View.ObservablePages.fromTranslate
(λs vpa.
case State.translatePage s (State.cr3 s) vpa of
none → none
| some ppa →
if Page.isEnvironment (State.page s ppa) then some ppa
else none)
⊦ (∀ppa. Physical.Page.add ppa 0 = ppa) ∧
∀ppa n.
Physical.Page.add ppa (suc n) =
Physical.Page.add (Physical.Page.suc ppa) n
⊦ (∀vpa. Virtual.Page.add vpa 0 = vpa) ∧
∀vpa n.
Virtual.Page.add vpa (suc n) =
Virtual.Page.add (Virtual.Page.suc vpa) n
⊦ ∀s.
State.referenceContainsEnvironment s ⇔
∀ppa.
Page.isEnvironment (State.page s ppa) ⇒
∃vpa. State.translatePage s (State.reference s) vpa = some ppa
⊦ ∀pd s s'.
Action.specificationFreePageDirectoryH pd s s' ⇔
Action.specificationAllocatePageDirectoryH pd s' s ∧
State.page s' pd = Page.Normal Page.Data.zero
⊦ ∀f0 f1.
∃fn.
(∀a. fn (Page.Directory.Entry.Superpage a) = f0 a) ∧
∀a. fn (Page.Directory.Entry.Table a) = f1 a
⊦ ∀f. ∃fn. ∀a0 a1 a2 a3. fn (State a0 a1 a2 a3) = f a0 a1 a2 a3
⊦ ∀vsa.
Virtual.Superpage.isKernel vsa ⇔
let w ← Virtual.Superpage.dest vsa in bit w 9 ∧ bit w 8
⊦ ∀s.
State.regionsAreNotEnvironment s ⇔
∀r ppa.
r ∈ State.Regions.all (State.regions s) ∧
Physical.Region.member ppa r ⇒ ¬Page.isEnvironment (State.page s ppa)
⊦ ∀s ppa.
State.unmappedPage s ppa ⇔
∀pd.
Page.isDirectory (State.page s pd) ⇒
∀vpa. ¬(State.translatePage s pd vpa = some ppa)
⊦ ∀s.
State.environmentOnlyInReference s ⇔
∀pd vpa.
case State.translatePage s pd vpa of
none → ⊤
| some ppa →
Page.isEnvironment (State.page s ppa) ⇒
State.mappedPage s (State.reference s) vpa
⊦ ∀s pd pt.
State.tableMappedInDirectory s pd pt ⇔
case Page.destDirectory (State.page s pd) of
none → ⊥
| some pdd →
∃pdi.
Page.Directory.Data.dest pdd pdi =
some (Page.Directory.Entry.Table pt)
⊦ ∀s.
State.pageDirectoriesContainReference s ⇔
∀pd vpa.
Page.isDirectory (State.page s pd) ∧ Virtual.Page.isKernel vpa ⇒
State.translatePage s pd vpa =
State.translatePage s (State.reference s) vpa
⊦ (∀f g psa.
Page.Directory.Entry.case f g (Page.Directory.Entry.Superpage psa) =
f psa) ∧
∀f g pt.
Page.Directory.Entry.case f g (Page.Directory.Entry.Table pt) = g pt
⊦ ∀fe fh fk fu.
∃fn.
fn Domain.Environment = fe ∧ fn Domain.H = fh ∧
fn Domain.Kernel = fk ∧ fn Domain.User = fu
⊦ ∀s.
State.tablePointersArePageTables s ⇔
∀pd pdi.
case Page.destDirectory (State.page s pd) of
none → ⊤
| some pdd →
case Page.Directory.Data.dest pdd pdi of
none → ⊤
| some pde →
case pde of
Page.Directory.Entry.Superpage spa → ⊤
| Page.Directory.Entry.Table ppa →
Page.isTable (State.page s ppa)
⊦ ∀P.
(∀a. P (Page.Environment a)) ∧ (∀a. P (Page.Normal a)) ∧
(∀a. P (Page.Directory a)) ∧ (∀a. P (Page.Table a)) ∧
P Page.NotInstalled ⇒ ∀x. P x
⊦ ∀s va.
State.translation s va =
let (vpa, i) ← Virtual.Address.dest va in
case State.translatePage s (State.cr3 s) vpa of
none → none
| some ppa → some (Physical.Address.mk (ppa, i))
⊦ ∀pd s s'.
Action.specificationExecuteH pd s s' ⇔
State.reference s = State.reference s' ∧ State.page s = State.page s' ∧
State.regions s = State.regions s' ∧ State.cr3 s' = pd
⊦ ∀s.
State.wellformed s ⇔
State.cr3IsPageDirectory s ∧ State.pageDirectoriesContainReference s ∧
State.mappedPagesAreAvailable s ∧ State.tablePointersArePageTables s ∧
State.noSharedPageTables s ∧ State.referenceIsPageDirectory s ∧
State.referenceMapsKernelAddresses s ∧
State.environmentOnlyInReference s ∧ State.initialRegionsAreRegions s ∧
State.regionsAreNotEnvironment s
⊦ (∀d. Page.isNotInstalled (Page.Environment d) ⇔ ⊥) ∧
(∀d. Page.isNotInstalled (Page.Normal d) ⇔ ⊥) ∧
(∀pdd. Page.isNotInstalled (Page.Directory pdd) ⇔ ⊥) ∧
(∀ptd. Page.isNotInstalled (Page.Table ptd) ⇔ ⊥) ∧
(Page.isNotInstalled Page.NotInstalled ⇔ ⊤)
⊦ ∀ppa.
Physical.Page.suc ppa =
let (psa, si) ← Physical.Page.dest ppa in
let si' ← Superpage.Offset.add si 1 in
let psa' ← if si' = 0 then Physical.Superpage.add psa 1 else psa in
Physical.Page.mk (psa', si')
⊦ ∀vpa.
Virtual.Page.suc vpa =
let (vsa, si) ← Virtual.Page.dest vpa in
let si' ← Superpage.Offset.add si 1 in
let vsa' ← if si' = 0 then Virtual.Superpage.add vsa 1 else vsa in
Virtual.Page.mk (vsa', si')
⊦ (∀d. Page.destNormal (Page.Environment d) = none) ∧
(∀d. Page.destNormal (Page.Normal d) = some d) ∧
(∀pdd. Page.destNormal (Page.Directory pdd) = none) ∧
(∀ptd. Page.destNormal (Page.Table ptd) = none) ∧
Page.destNormal Page.NotInstalled = none
⊦ (∀d. Page.destDirectory (Page.Environment d) = none) ∧
(∀d. Page.destDirectory (Page.Normal d) = none) ∧
(∀pdd. Page.destDirectory (Page.Directory pdd) = some pdd) ∧
(∀ptd. Page.destDirectory (Page.Table ptd) = none) ∧
Page.destDirectory Page.NotInstalled = none
⊦ (∀d. Page.destTable (Page.Environment d) = none) ∧
(∀d. Page.destTable (Page.Normal d) = none) ∧
(∀pdd. Page.destTable (Page.Directory pdd) = none) ∧
(∀ptd. Page.destTable (Page.Table ptd) = some ptd) ∧
Page.destTable Page.NotInstalled = none
⊦ (∀d. Page.destEnvironment (Page.Environment d) = some d) ∧
(∀d. Page.destEnvironment (Page.Normal d) = none) ∧
(∀pdd. Page.destEnvironment (Page.Directory pdd) = none) ∧
(∀ptd. Page.destEnvironment (Page.Table ptd) = none) ∧
Page.destEnvironment Page.NotInstalled = none
⊦ (∀d. Page.destEnvironmentOrNormal (Page.Environment d) = some d) ∧
(∀d. Page.destEnvironmentOrNormal (Page.Normal d) = some d) ∧
(∀pdd. Page.destEnvironmentOrNormal (Page.Directory pdd) = none) ∧
(∀ptd. Page.destEnvironmentOrNormal (Page.Table ptd) = none) ∧
Page.destEnvironmentOrNormal Page.NotInstalled = none
⊦ ∀tr s.
View.ObservablePages.fromTranslate tr s =
View.ObservablePages.mk
(λvpa.
case tr s vpa of
none → none
| some ppa →
case Page.destEnvironmentOrNormal (State.page s ppa) of
none → none
| some d → some (d, { vpa'. vpa' | tr s vpa' = some ppa }))
⊦ ∀phi.
(∀f. phi (View.Environment f)) ∧ (∀c p g r. phi (View.H c p g r)) ∧
(∀f g. phi (View.Kernel f g)) ∧ (∀f. phi (View.User f)) ⇒ ∀v. phi v
⊦ (∀s.
view Domain.Environment s =
View.Environment (View.mkObservablePagesEnvironment s)) ∧
(∀s.
view Domain.H s =
View.H (View.mkCurrentPageDirectoryH s) (View.mkPagesH s)
(View.mkRegionHandlesH s) (View.mkReferencePageDirectoryH s)) ∧
(∀s.
view Domain.Kernel s =
View.Kernel (View.mkObservablePagesKernel s)
(View.mkRegionHandlesKernel s)) ∧
∀s. view Domain.User s = View.User (View.mkObservablePagesUser s)
⊦ ∀ppa s s'.
Action.specificationAllocatePageDirectoryH ppa s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧ State.unmappedNormalPage s ppa ∧
∀ppa'.
State.page s' ppa' =
State.page s (if ppa' = ppa then State.reference s else ppa')
⊦ ∀pd pts pr vr s s'.
Action.specificationAddMappingH pd pts pr vr s s' ⇔
length (nub pts) = length pts ∧
pr ∈ State.Regions.all (State.regions s) ∧
∃n.
n ≤ length pts ∧
Action.specificationAddMapping pd (toSet (take n pts)) pr vr s s'
⊦ ∀f0 f1 f2 f3 f4.
∃fn.
(∀a. fn (Page.Environment a) = f0 a) ∧
(∀a. fn (Page.Normal a) = f1 a) ∧
(∀a. fn (Page.Directory a) = f2 a) ∧ (∀a. fn (Page.Table a) = f3 a) ∧
fn Page.NotInstalled = f4
⊦ ∀pd vr s s'.
Action.specificationRemoveMappingH pd vr s s' ⇔
case State.translatePage s pd (Virtual.Region.start vr) of
none → ⊥
| some prs →
let pr ← Physical.Region.mk prs (Virtual.Region.length vr) in
let pts ←
{ ppa. ppa |
Page.isTable (State.page s ppa) ∧
State.page s' ppa = Page.Normal Page.Data.zero } in
Action.specificationAddMapping pd pts pr vr s' s
⊦ ∀s pd vpa.
State.translatePage s pd vpa =
let (vsa, si) ← Virtual.Page.dest vpa in
case Page.destDirectory (State.page s pd) of
none → none
| some pdd →
case Page.Directory.Data.dest pdd vsa of
none → none
| some pde →
case pde of
Page.Directory.Entry.Superpage psa →
some (Physical.Page.mk (psa, si))
| Page.Directory.Entry.Table pt →
case Page.destTable (State.page s pt) of
none → none
| some ptd → Page.Table.Data.dest ptd si
⊦ ∀fe fh fk fu.
∃fn.
(∀f. fn (View.Environment f) = fe f) ∧
(∀c p g r. fn (View.H c p g r) = fh c p g r) ∧
(∀f g. fn (View.Kernel f g) = fk f g) ∧ ∀f. fn (View.User f) = fu f
⊦ ∀s.
State.noSharedPageTables s ⇔
∀pt pd1 pd2 pdd1 pdd2 vsa1 vsa2.
Page.destDirectory (State.page s pd1) = some pdd1 ∧
Page.destDirectory (State.page s pd2) = some pdd2 ∧
Page.Directory.Data.dest pdd1 vsa1 =
some (Page.Directory.Entry.Table pt) ∧
Page.Directory.Data.dest pdd2 vsa2 =
some (Page.Directory.Entry.Table pt) ⇒
vsa1 = vsa2 ∧ (Virtual.Superpage.isKernel vsa1 ∨ pd1 = pd2)
⊦ ∀pr ppa l s s'.
Action.specificationDeriveRegionH pr ppa l s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.page s = State.page s' ∧
State.Regions.initial (State.regions s) =
State.Regions.initial (State.regions s') ∧
let r ← Physical.Region.mk ppa l in
Physical.Region.isSubregion r pr ∧
¬(r ∈ State.Regions.all (State.regions s)) ∧
State.Regions.all (State.regions s') =
insert r (State.Regions.all (State.regions s))
⊦ ∀va b s s'.
Action.specificationWriteEnvironment va b s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧
case State.translation s va of
none → ⊥
| some pa →
let (ppa, i) ← Physical.Address.dest pa in
∀ppa'.
if ppa' = ppa then
case Page.destEnvironment (State.page s ppa') of
none → ⊥
| some d →
Page.destEnvironment (State.page s' ppa') =
some (Page.Data.update i b d)
else State.page s ppa' = State.page s' ppa'
⊦ ∀va b s s'.
Action.specificationWriteKernel va b s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧ Virtual.Address.isKernel va ∧
case State.translation s va of
none → ⊥
| some pa →
let (ppa, i) ← Physical.Address.dest pa in
∀ppa'.
if ppa' = ppa then
case Page.destNormal (State.page s ppa') of
none → ⊥
| some d →
Page.destNormal (State.page s' ppa') =
some (Page.Data.update i b d)
else State.page s ppa' = State.page s' ppa'
⊦ ∀va b s s'.
Action.specificationWriteUser va b s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧ Virtual.Address.isUser va ∧
case State.translation s va of
none → ⊥
| some pa →
let (ppa, i) ← Physical.Address.dest pa in
∀ppa'.
if ppa' = ppa then
case Page.destNormal (State.page s ppa') of
none → ⊥
| some d →
Page.destNormal (State.page s' ppa') =
some (Page.Data.update i b d)
else State.page s ppa' = State.page s' ppa'
⊦ ∀p.
(∀va b. p (Action.WriteEnvironment va b)) ∧
(∀pr ppa l. p (Action.DeriveRegionH pr ppa l)) ∧
(∀ppa. p (Action.AllocatePageDirectoryH ppa)) ∧
(∀pd. p (Action.FreePageDirectoryH pd)) ∧
(∀pd pts pr vr. p (Action.AddMappingH pd pts pr vr)) ∧
(∀pd vr. p (Action.RemoveMappingH pd vr)) ∧
(∀pr vr. p (Action.AddKernelMappingH pr vr)) ∧
(∀pd. p (Action.ExecuteH pd)) ∧ (∀va b. p (Action.WriteKernel va b)) ∧
(∀va b. p (Action.WriteUser va b)) ⇒ ∀a. p a
⊦ ∀x y.
interferes x y ⇔
x = Domain.Environment ∧ y = Domain.Environment ∨
x = Domain.Environment ∧ y = Domain.H ∨
x = Domain.Environment ∧ y = Domain.Kernel ∨
x = Domain.H ∧ y = Domain.H ∨ x = Domain.H ∧ y = Domain.Kernel ∨
x = Domain.H ∧ y = Domain.User ∨
x = Domain.Kernel ∧ y = Domain.Kernel ∨
x = Domain.Kernel ∧ y = Domain.User ∨
x = Domain.User ∧ y = Domain.Kernel ∨ x = Domain.User ∧ y = Domain.User
⊦ (∀va b. domain (Action.WriteEnvironment va b) = Domain.Environment) ∧
(∀pr ppa l. domain (Action.DeriveRegionH pr ppa l) = Domain.H) ∧
(∀ppa. domain (Action.AllocatePageDirectoryH ppa) = Domain.H) ∧
(∀pd. domain (Action.FreePageDirectoryH pd) = Domain.H) ∧
(∀pd pts pr vr. domain (Action.AddMappingH pd pts pr vr) = Domain.H) ∧
(∀pd vr. domain (Action.RemoveMappingH pd vr) = Domain.H) ∧
(∀pr vr. domain (Action.AddKernelMappingH pr vr) = Domain.H) ∧
(∀pd. domain (Action.ExecuteH pd) = Domain.H) ∧
(∀va b. domain (Action.WriteKernel va b) = Domain.Kernel) ∧
∀va b. domain (Action.WriteUser va b) = Domain.User
⊦ ∀pr vr s s'.
Action.specificationAddKernelMappingH pr vr s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧
pr ∈ State.Regions.all (State.regions s) ∧
Physical.Region.forall (State.isNormalPage s) pr ∧
Physical.Region.length pr = Virtual.Region.length vr ∧
Virtual.Region.isKernel vr ∧
(∀vpa.
¬Virtual.Region.member vpa vr ⇒
State.translatePage s' (State.reference s') vpa =
State.translatePage s (State.reference s) vpa) ∧
Virtual.Region.forall
(λvpa.
case State.translatePage s (State.reference s) vpa of
none → ⊤
| some ppa → ¬State.isEnvironmentPage s ppa) vr ∧
all id
(zipWith
(λvpa ppa.
State.translatePage s' (State.reference s') vpa = some ppa)
(Virtual.Region.pageList vr) (Physical.Region.pageList pr)) ∧
∀ppa.
if State.tableMappedInDirectory s (State.reference s) ppa then
Page.isTable (State.page s' ppa)
else State.page s ppa = State.page s' ppa
⊦ (∀va b.
Action.specification (Action.WriteEnvironment va b) =
Action.specificationWriteEnvironment va b) ∧
(∀pr ppa l.
Action.specification (Action.DeriveRegionH pr ppa l) =
Action.specificationDeriveRegionH pr ppa l) ∧
(∀ppa.
Action.specification (Action.AllocatePageDirectoryH ppa) =
Action.specificationAllocatePageDirectoryH ppa) ∧
(∀pd.
Action.specification (Action.FreePageDirectoryH pd) =
Action.specificationFreePageDirectoryH pd) ∧
(∀pd pts pr vr.
Action.specification (Action.AddMappingH pd pts pr vr) =
Action.specificationAddMappingH pd pts pr vr) ∧
(∀pd vr.
Action.specification (Action.RemoveMappingH pd vr) =
Action.specificationRemoveMappingH pd vr) ∧
(∀pr vr.
Action.specification (Action.AddKernelMappingH pr vr) =
Action.specificationAddKernelMappingH pr vr) ∧
(∀pd.
Action.specification (Action.ExecuteH pd) =
Action.specificationExecuteH pd) ∧
(∀va b.
Action.specification (Action.WriteKernel va b) =
Action.specificationWriteKernel va b) ∧
∀va b.
Action.specification (Action.WriteUser va b) =
Action.specificationWriteUser va b
⊦ ∀fwe fdr fapd ffpd fam frm fakm fe fwk fwu.
∃fn.
(∀va b. fn (Action.WriteEnvironment va b) = fwe va b) ∧
(∀pr ppa l. fn (Action.DeriveRegionH pr ppa l) = fdr pr ppa l) ∧
(∀ppa. fn (Action.AllocatePageDirectoryH ppa) = fapd ppa) ∧
(∀pd. fn (Action.FreePageDirectoryH pd) = ffpd pd) ∧
(∀pd pts pr vr.
fn (Action.AddMappingH pd pts pr vr) = fam pd pts pr vr) ∧
(∀pd vr. fn (Action.RemoveMappingH pd vr) = frm pd vr) ∧
(∀pr vr. fn (Action.AddKernelMappingH pr vr) = fakm pr vr) ∧
(∀pd. fn (Action.ExecuteH pd) = fe pd) ∧
(∀va b. fn (Action.WriteKernel va b) = fwk va b) ∧
∀va b. fn (Action.WriteUser va b) = fwu va b
⊦ ∀pd pts pr vr s s'.
Action.specificationAddMapping pd pts pr vr s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧
Page.isDirectory (State.page s pd) ∧
(∀pt. pt ∈ pts ⇒ State.unmappedNormalPage s pt) ∧
(∀pt. pt ∈ pts ⇒ ¬Physical.Region.member pt pr) ∧
Physical.Region.forall (State.isNormalPage s) pr ∧
Physical.Region.length pr = Virtual.Region.length vr ∧
Virtual.Region.isUser vr ∧
(∀vpa.
if Virtual.Region.member vpa vr then
isNone (State.translatePage s pd vpa)
else State.translatePage s' pd vpa = State.translatePage s pd vpa) ∧
all id
(zipWith (λvpa ppa. State.translatePage s' pd vpa = some ppa)
(Virtual.Region.pageList vr) (Physical.Region.pageList pr)) ∧
∀ppa.
if ppa ∈ pts then State.tableMappedInDirectory s' pd ppa
else if ppa = pd then Page.isDirectory (State.page s' ppa)
else if State.tableMappedInDirectory s pd ppa then
Page.isTable (State.page s' ppa)
else State.page s ppa = State.page s' ppa
External Type Operators
- →
- bool
- Data
- Byte
- byte
- List
- list
- Option
- option
- Pair
- ×
- Word10
- word10
- Word12
- word12
- Byte
- Number
- Natural
- natural
- Natural
- Set
- set
External Constants
- =
- select
- Data
- Bool
- ∀
- ∧
- ⇒
- ∃
- ∃!
- ∨
- ¬
- cond
- ⊥
- ⊤
- Byte
- fromNatural
- List
- all
- any
- interval
- length
- map
- member
- nub
- take
- toSet
- zipWith
- Option
- case
- isNone
- isSome
- none
- some
- Pair
- ,
- fst
- snd
- Word10
- +
- bit
- fromNatural
- Bool
- Function
- id
- Number
- Natural
- *
- +
- <
- ≤
- ↑
- bit0
- bit1
- even
- suc
- zero
- Natural
- Set
- fromPredicate
- insert
- ∈
- ⊆
Assumptions
⊦ ⊤
⊦ ¬⊥ ⇔ ⊤
⊦ ¬⊤ ⇔ ⊥
⊦ bit0 0 = 0
⊦ ∀n. 0 ≤ n
⊦ ⊥ ⇔ ∀p. p
⊦ (¬) = λp. p ⇒ ⊥
⊦ (∃) = λp. p ((select) p)
⊦ ∀a. ∃!x. x = a
⊦ ∀t. (∀x. t) ⇔ t
⊦ ∀t. (∃x. t) ⇔ t
⊦ ∀t. (λx. t x) = t
⊦ (∀) = λp. p = λx. ⊤
⊦ ∀t. ¬¬t ⇔ t
⊦ ∀t. (⊤ ⇔ t) ⇔ t
⊦ ∀t. (t ⇔ ⊤) ⇔ t
⊦ ∀t. ⊥ ∧ t ⇔ ⊥
⊦ ∀t. ⊤ ∧ t ⇔ t
⊦ ∀t. t ∧ ⊤ ⇔ t
⊦ ∀t. ⊥ ⇒ t ⇔ ⊤
⊦ ∀t. ⊤ ⇒ t ⇔ t
⊦ ∀t. t ⇒ ⊤ ⇔ ⊤
⊦ ∀t. ⊥ ∨ t ⇔ t
⊦ ∀t. ⊤ ∨ t ⇔ ⊤
⊦ ∀t. t ∨ ⊥ ⇔ t
⊦ ∀n. ¬(suc n = 0)
⊦ ∀n. 0 + n = n
⊦ ∀t. (⊥ ⇔ t) ⇔ ¬t
⊦ ∀t. (t ⇔ ⊥) ⇔ ¬t
⊦ ∀t. t ⇒ ⊥ ⇔ ¬t
⊦ ∀n. even (2 * n)
⊦ ∀n. bit1 n = suc (bit0 n)
⊦ ∀m. m ↑ 0 = 1
⊦ (⇒) = λp q. p ∧ q ⇔ p
⊦ ∀t. (t ⇔ ⊤) ∨ (t ⇔ ⊥)
⊦ ∀n. even (suc n) ⇔ ¬even n
⊦ ∀m. m ≤ 0 ⇔ m = 0
⊦ ∀t1 t2. (if ⊥ then t1 else t2) = t2
⊦ ∀t1 t2. (if ⊤ then t1 else t2) = t1
⊦ ∀a b. fst (a, b) = a
⊦ ∀a b. snd (a, b) = b
⊦ ∀n. bit0 (suc n) = suc (suc (bit0 n))
⊦ ∀x y. x = y ⇔ y = x
⊦ ∀t1 t2. t1 ∨ t2 ⇔ t2 ∨ t1
⊦ ∀n. 2 * n = n + n
⊦ ∀m n. ¬(m < n ∧ n ≤ m)
⊦ ∀m n. ¬(m ≤ n ∧ n < m)
⊦ ∀m n. suc m ≤ n ⇔ m < n
⊦ (∧) = λp q. (λf. f p q) = λf. f ⊤ ⊤
⊦ (∃) = λp. ∀q. (∀x. p x ⇒ q) ⇒ q
⊦ ∀m n. m + suc n = suc (m + n)
⊦ ∀m n. suc m + n = suc (m + n)
⊦ ∀m n. suc m = suc n ⇔ m = n
⊦ ∀m n. even (m * n) ⇔ even m ∨ even n
⊦ ∀m n. even (m + n) ⇔ even m ⇔ even n
⊦ ∀m n. m ↑ suc n = m * m ↑ n
⊦ ∀f g. (∀x. f x = g x) ⇔ f = g
⊦ ∀p a. (∃x. a = x ∧ p x) ⇔ p a
⊦ (∨) = λp q. ∀r. (p ⇒ r) ⇒ (q ⇒ r) ⇒ r
⊦ ∀m n. m ≤ n ⇔ m < n ∨ m = n
⊦ ∀m n. m ≤ n ∧ n ≤ m ⇔ m = n
⊦ ∀p q. (∃x. p ∧ q x) ⇔ p ∧ ∃x. q x
⊦ ∀t1 t2 t3. (t1 ∧ t2) ∧ t3 ⇔ t1 ∧ t2 ∧ t3
⊦ ∀m n p. m * (n * p) = m * n * p
⊦ ∀p m n. m + p = n + p ⇔ m = n
⊦ ∀p x. (∀y. p y ⇔ y = x) ⇒ (select) p = x
⊦ ∀r. (∀x. ∃y. r x y) ⇔ ∃f. ∀x. r x (f x)
⊦ ∀m n. m ≤ suc n ⇔ m = suc n ∨ m ≤ n
⊦ ∀m n. m * n = 0 ⇔ m = 0 ∨ n = 0
⊦ ∀p. p 0 ∧ (∀n. p n ⇒ p (suc n)) ⇒ ∀n. p n
⊦ ∀m n. m ↑ n = 0 ⇔ m = 0 ∧ ¬(n = 0)
⊦ (∃!) = λp. (∃) p ∧ ∀x y. p x ∧ p y ⇒ x = y
⊦ ∀p q. (∀x. p x ∧ q x) ⇔ (∀x. p x) ∧ ∀x. q x
⊦ ∀p q. (∀x. p x ⇒ q x) ⇒ (∀x. p x) ⇒ ∀x. q x
⊦ ∀p q. (∀x. p x ⇒ q x) ⇒ (∃x. p x) ⇒ ∃x. q x
⊦ ∀p q. (∀x. p x) ∧ (∀x. q x) ⇔ ∀x. p x ∧ q x
⊦ ∀e f. ∃!fn. fn 0 = e ∧ ∀n. fn (suc n) = f (fn n) n
⊦ ∀m n p. m * n = m * p ⇔ m = 0 ∨ n = p
⊦ ∀m n p. m * n ≤ m * p ⇔ m = 0 ∨ n ≤ p
⊦ ∀m n p. m * n < m * p ⇔ ¬(m = 0) ∧ n < p
⊦ ∀p1 p2 q1 q2. (p1 ⇒ p2) ∧ (q1 ⇒ q2) ⇒ p1 ∧ q1 ⇒ p2 ∧ q2
⊦ ∀p1 p2 q1 q2. (p1 ⇒ p2) ∧ (q1 ⇒ q2) ⇒ p1 ∨ q1 ⇒ p2 ∨ q2
⊦ ∀p. (∀x. ∃!y. p x y) ⇔ ∃f. ∀x y. p x y ⇔ f x = y
⊦ ∀p c x y. p (if c then x else y) ⇔ (c ⇒ p x) ∧ (¬c ⇒ p y)
⊦ ∀p. (∃!x. p x) ⇔ (∃x. p x) ∧ ∀x x'. p x ∧ p x' ⇒ x = x'