Package h-thm: Proof of memory safety for the H interface
Information
| name | h-thm |
| version | 1.110 |
| description | Proof of memory safety for the H interface |
| author | Joe Leslie-Hurd <joe@gilith.com> |
| license | MIT |
| provenance | HOL Light theory extracted on 2012-12-10 |
| requires | base h-def word10 |
| show | Data.Bool Data.Byte Data.List Data.Option Data.Pair Data.Word10 Function Number.Natural Set System.H |
Files
- Package tarball h-thm-1.110.tgz
- Theory source file h-thm.thy (included in the package tarball)
Theorems
⊦ ∀d s. View.equivalent d s s
⊦ ∀pdd. ∃f. pdd = Page.Directory.Data.mk f
⊦ ∀vpa. Virtual.Page.isKernel vpa ⇔ ¬Virtual.Page.isUser vpa
⊦ ∀pr.
length (Physical.Region.pageList pr) =
RegionLength.toNatural (Physical.Region.length pr)
⊦ ∀vr.
length (Virtual.Region.pageList vr) =
RegionLength.toNatural (Virtual.Region.length vr)
⊦ ∀p.
Page.isEnvironment p ⇒
Page.destEnvironmentOrNormal p = Page.destEnvironment p
⊦ ∀s. State.wellformed s ⇒ Page.isDirectory (State.page s (State.cr3 s))
⊦ ∀s.
State.wellformed s ⇒
Page.isDirectory (State.page s (State.reference s))
⊦ ∀pr. ∃s l. pr = Physical.Region.mk s l
⊦ ∀x. ∃a0 a1. x = State.Regions a0 a1
⊦ ∀pr. ∃s l. pr = Virtual.Region.mk s l
⊦ ∀s ppa. State.unmappedNormalPage s ppa ⇒ State.isNormalPage s ppa
⊦ ∀s ppa. State.unmappedNormalPage s ppa ⇒ State.unmappedPage s ppa
⊦ ∀vr vpa.
Virtual.Region.isKernel vr ∧ Virtual.Region.member vpa vr ⇒
Virtual.Page.isKernel vpa
⊦ ∀vr vpa.
Virtual.Region.isUser vr ∧ Virtual.Region.member vpa vr ⇒
Virtual.Page.isUser vpa
⊦ ∀d s t. View.equivalent d s t ⇒ View.equivalent d t s
⊦ ∀pde.
(∃psa. pde = Page.Directory.Entry.Superpage psa) ∨
∃pt. pde = Page.Directory.Entry.Table pt
⊦ ∀s s' pr vr.
Action.specificationAddKernelMappingH pr vr s s' ⇒
Virtual.Region.isKernel vr
⊦ ∀s s'.
State.page s = State.page s' ⇒
State.translatePage s = State.translatePage s'
⊦ ∀s vpa.
State.wellformed s ∧ State.mappedPage s (State.reference s) vpa ⇒
Virtual.Page.isKernel vpa
⊦ ∀s s' ppa.
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' ppa.
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' ppa.
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
State.regions s = State.regions s'
⊦ ∀s s' pd.
Action.specificationExecuteH pd s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' pd.
Action.specificationExecuteH pd s s' ⇒
State.regions s = State.regions s'
⊦ ∀s s' pd.
Action.specificationExecuteH pd s s' ⇒ State.page s = State.page s'
⊦ ∀s s' pd.
Action.specificationExecuteH pd s s' ⇒
State.translatePage s = State.translatePage s'
⊦ ∀s s' pd.
Action.specificationFreePageDirectoryH pd s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' pd.
Action.specificationFreePageDirectoryH pd s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' pd.
Action.specificationFreePageDirectoryH pd s s' ⇒
State.regions s = State.regions s'
⊦ ∀s pd vpa.
isSome (State.translatePage s pd vpa) ⇒
Page.isDirectory (State.page s pd)
⊦ ∀x. ∃a0 a1 a2 a3. x = State a0 a1 a2 a3
⊦ ∀f1 f2.
View.ObservablePages.mk f1 = View.ObservablePages.mk f2 ⇔
∀vpa. f1 vpa = f2 vpa
⊦ ∀d.
d = Domain.Environment ∨ d = Domain.H ∨ d = Domain.Kernel ∨
d = Domain.User
⊦ ∀s pd pt.
State.wellformed s ∧ State.tableMappedInDirectory s pd pt ⇒
Page.isDirectory (State.page s pd)
⊦ ∀s pd pt.
State.wellformed s ∧ State.tableMappedInDirectory s pd pt ⇒
Page.isTable (State.page s pt)
⊦ ∀s pd vpa.
¬Page.isDirectory (State.page s pd) ⇒
State.translatePage s pd vpa = none
⊦ ∀s s' pd vr.
Action.specificationRemoveMappingH pd vr s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' pr vr.
Action.specificationAddKernelMappingH pr vr s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' pr vr.
Action.specificationAddKernelMappingH pr vr s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' va b.
Action.specificationWriteEnvironment va b s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' va b.
Action.specificationWriteEnvironment va b s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' va b.
Action.specificationWriteEnvironment va b s s' ⇒
State.regions s = State.regions s'
⊦ ∀s s' va b.
Action.specificationWriteEnvironment va b s s' ⇒
State.translatePage s = State.translatePage s'
⊦ ∀s s' va b.
Action.specificationWriteKernel va b s s' ⇒ State.cr3 s = State.cr3 s'
⊦ ∀s s' va b.
Action.specificationWriteKernel va b s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' va b.
Action.specificationWriteKernel va b s s' ⇒
State.regions s = State.regions s'
⊦ ∀s s' va b.
Action.specificationWriteKernel va b s s' ⇒
State.translatePage s = State.translatePage s'
⊦ ∀s s' va b.
Action.specificationWriteUser va b s s' ⇒ State.cr3 s = State.cr3 s'
⊦ ∀s s' va b.
Action.specificationWriteUser va b s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' va b.
Action.specificationWriteUser va b s s' ⇒
State.regions s = State.regions s'
⊦ ∀s s' va b.
Action.specificationWriteUser va b s s' ⇒
State.translatePage s = State.translatePage s'
⊦ ∀s s' ppa.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
¬(State.cr3 s = ppa)
⊦ ∀s s' ppa.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
¬(State.cr3 s' = ppa)
⊦ ∀s s' pd.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
¬(State.cr3 s = pd)
⊦ ∀s s' pd.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
¬(State.cr3 s' = pd)
⊦ ∀n. n < 768 ⇒ Virtual.Superpage.isUser (Virtual.Superpage.fromNatural n)
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMapping pd pts pr vr s s' ⇒
Virtual.Region.isUser vr
⊦ ∀s s' pr ppa l.
Action.specificationDeriveRegionH pr ppa l s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' pr ppa l.
Action.specificationDeriveRegionH pr ppa l s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' pr ppa l.
Action.specificationDeriveRegionH pr ppa l s s' ⇒
State.page s = State.page s'
⊦ ∀s s' pr ppa l.
Action.specificationDeriveRegionH pr ppa l s s' ⇒
State.translatePage s = State.translatePage s'
⊦ ∀d s1 s2 s3.
View.equivalent d s1 s2 ∧ View.equivalent d s2 s3 ⇒
View.equivalent d s1 s3
⊦ ∀s vpa.
State.wellformed s ∧ Virtual.Page.isKernel vpa ⇒
State.translatePage s (State.cr3 s) vpa =
State.translatePage s (State.reference s) vpa
⊦ ∀s s' pr vr ppa.
Action.specificationAddKernelMappingH pr vr s s' ∧
Physical.Region.member ppa pr ⇒ State.isNormalPage s ppa
⊦ ∀s s' a u.
¬interferes (domain a) u ∧ action a s s' ⇒ View.equivalent u s s'
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMapping pd pts pr vr s s' ⇒ ¬(pd ∈ pts)
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMapping pd pts pr vr s s' ⇒
Page.isDirectory (State.page s pd)
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMapping pd pts pr vr s s' ⇒
Page.isDirectory (State.page s' pd)
⊦ ∀s s' va b.
Action.specificationWriteEnvironment va b s s' ⇒
State.translatePage s (State.cr3 s) =
State.translatePage s' (State.cr3 s')
⊦ ∀s s' va b.
Action.specificationWriteKernel va b s s' ⇒
State.translatePage s (State.cr3 s) =
State.translatePage s' (State.cr3 s')
⊦ ∀s s' va b.
Action.specificationWriteUser va b s s' ⇒
State.translatePage s (State.cr3 s) =
State.translatePage s' (State.cr3 s')
⊦ ∀s s'.
(∀pd vpa.
State.translatePage s pd vpa = State.translatePage s' pd vpa) ⇒
State.translatePage s = State.translatePage s'
⊦ ∀s s' pd vr.
Action.specificationRemoveMappingH pd vr s s' ⇒
∃ppa. State.translatePage s pd (Virtual.Region.start vr) = some ppa
⊦ ∀s s' ppa.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
State.translatePage s (State.cr3 s) =
State.translatePage s' (State.cr3 s')
⊦ ∀s s' pd.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
State.translatePage s (State.cr3 s) =
State.translatePage s' (State.cr3 s')
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMappingH pd pts pr vr s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMapping pd pts pr vr s s' ⇒
State.cr3 s = State.cr3 s'
⊦ ∀s s' pd pts pr vr.
Action.specificationAddMapping pd pts pr vr s s' ⇒
State.reference s = State.reference s'
⊦ ∀s s' va b ppa.
Action.specificationWriteEnvironment va b s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' va b ppa.
Action.specificationWriteEnvironment va b s s' ⇒
Page.destNormal (State.page s ppa) =
Page.destNormal (State.page s' ppa)
⊦ ∀s s' va b ppa.
Action.specificationWriteKernel va b s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' va b ppa.
Action.specificationWriteKernel va b s s' ⇒
Page.destEnvironment (State.page s ppa) =
Page.destEnvironment (State.page s' ppa)
⊦ ∀s s' va b ppa.
Action.specificationWriteUser va b s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' va b ppa.
Action.specificationWriteUser va b s s' ⇒
Page.destEnvironment (State.page s ppa) =
Page.destEnvironment (State.page s' ppa)
⊦ ∀s s' ppa ppa'.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
(Page.isEnvironment (State.page s' ppa') ⇔
Page.isEnvironment (State.page s ppa'))
⊦ ∀s s' ppa ppa'.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
Page.destEnvironment (State.page s' ppa') =
Page.destEnvironment (State.page s ppa')
⊦ ∀s s' ppa pt.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
Page.destTable (State.page s' pt) = Page.destTable (State.page s pt)
⊦ ∀s s' pd pt.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
Page.destEnvironment (State.page s' pt) =
Page.destEnvironment (State.page s pt)
⊦ ∀s s' pd pt.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
Page.destTable (State.page s' pt) = Page.destTable (State.page s pt)
⊦ ∀s s' ppa ppa'.
Action.specificationAllocatePageDirectoryH ppa s s' ∧ ¬(ppa' = ppa) ⇒
State.page s' ppa' = State.page s ppa'
⊦ ∀s s' pr ppa l.
Action.specificationDeriveRegionH pr ppa l s s' ⇒
State.translatePage s (State.cr3 s) =
State.translatePage s' (State.cr3 s')
⊦ ∀s pd vpa ppa.
State.wellformed s ∧ State.translatePage s pd vpa = some ppa ∧
Page.isEnvironment (State.page s ppa) ⇒ Virtual.Page.isKernel vpa
⊦ ∀s s' pd pts pr vr pt.
Action.specificationAddMapping pd pts pr vr s s' ∧ pt ∈ pts ⇒
State.isNormalPage s pt
⊦ ∀s s' pd pts pr vr pt.
Action.specificationAddMapping pd pts pr vr s s' ∧ pt ∈ pts ⇒
State.unmappedNormalPage s pt
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
(Page.isDirectory (State.page s ppa) ⇔
Page.isDirectory (State.page s' ppa))
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
(Page.isNormal (State.page s ppa) ⇔ Page.isNormal (State.page s' ppa))
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
(Page.isTable (State.page s ppa) ⇔ Page.isTable (State.page s' ppa))
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
Page.destEnvironment (State.page s ppa) =
Page.destEnvironment (State.page s' ppa)
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
Page.destEnvironmentOrNormal (State.page s ppa) =
Page.destEnvironmentOrNormal (State.page s' ppa)
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
Page.destNormal (State.page s ppa) =
Page.destNormal (State.page s' ppa)
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
Page.destDirectory (State.page s ppa) =
Page.destDirectory (State.page s' ppa)
⊦ ∀s pd vpa.
State.wellformed s ∧ Page.isDirectory (State.page s pd) ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s pd vpa =
State.translatePage s (State.reference s) vpa
⊦ ∀s s' pd pts pr vr pt.
Action.specificationAddMapping pd pts pr vr s s' ∧ pt ∈ pts ⇒
State.tableMappedInDirectory s' pd pt
⊦ ∀s pd pt.
State.tableMappedInDirectory s pd pt ⇔
∃pdd pdi.
State.page s pd = Page.Directory pdd ∧
Page.Directory.Data.dest pdd pdi =
some (Page.Directory.Entry.Table pt)
⊦ ∀s s' ppa pd.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
State.translatePage s pd =
if pd = ppa then K none else State.translatePage s' pd
⊦ ∀s s' ppa pd.
State.wellformed s ∧
Action.specificationAllocatePageDirectoryH ppa s s' ⇒
State.translatePage s' pd =
State.translatePage s (if pd = ppa then State.reference s else pd)
⊦ ∀s s' pd pd'.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
State.translatePage s pd' =
State.translatePage s' (if pd' = pd then State.reference s' else pd')
⊦ ∀s s' pd pd'.
State.wellformed s' ∧ Action.specificationFreePageDirectoryH pd s s' ⇒
State.translatePage s' pd' =
if pd' = pd then K none else State.translatePage s pd'
⊦ ∀s s' pr vr pd pt.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
(State.tableMappedInDirectory s pd pt ⇔
State.tableMappedInDirectory s' pd pt)
⊦ ∀s s' pr vr pt.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ⇒
(State.tableMappedInDirectory s (State.reference s) pt ⇔
State.tableMappedInDirectory s' (State.reference s') pt)
⊦ ∀s s' pr vr ppa.
Action.specificationAddKernelMappingH pr vr s s' ∧
¬State.tableMappedInDirectory s (State.reference s) ppa ⇒
State.page s ppa = State.page s' ppa
⊦ ∀s s'.
(∀ppa.
Page.isDirectoryOrTable (State.page s ppa) ∨
Page.isDirectoryOrTable (State.page s' ppa) ⇒
State.page s ppa = State.page s' ppa) ⇒
State.translatePage s = State.translatePage s'
⊦ ∀va b.
∃f.
∀s s'.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationWriteEnvironment va b s s' ⇒
view Domain.Environment s' = f (view Domain.Environment s)
⊦ ∀va b.
∃f.
∀s s'.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationWriteKernel va b s s' ⇒
view Domain.Kernel s' = f (view Domain.Kernel s)
⊦ ∀s s' pd vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationRemoveMappingH pd vr s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' pd vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationRemoveMappingH pd vr s s' ⇒
Page.destEnvironment (State.page s ppa) =
Page.destEnvironment (State.page s' ppa)
⊦ ∀s pd vpa ppa.
State.wellformed s ∧ Virtual.Page.isUser vpa ∧
State.translatePage s pd vpa = some ppa ⇒
Page.destEnvironmentOrNormal (State.page s ppa) =
Page.destNormal (State.page s ppa)
⊦ ∀s s' pd pts pr vr pt.
State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ∧ pt ∈ pts ⇒
Page.isTable (State.page s' pt)
⊦ ∀s s' pr vr ppa.
State.wellformed s ∧ Action.specificationAddKernelMappingH pr vr s s' ∧
¬Page.isTable (State.page s ppa) ⇒ State.page s ppa = State.page s' ppa
⊦ ∀s pd pdd pdi pt.
State.wellformed s ∧ State.page s pd = Page.Directory pdd ∧
Page.Directory.Data.dest pdd pdi =
some (Page.Directory.Entry.Table pt) ⇒ Page.isTable (State.page s pt)
⊦ ∀p.
(∃d. p = Page.Environment d) ∨ (∃d. p = Page.Normal d) ∨
(∃pdd. p = Page.Directory pdd) ∨ (∃ptd. p = Page.Table ptd) ∨
p = Page.NotInstalled
⊦ ∀s s' pr vr vpa.
Action.specificationAddKernelMappingH pr vr s s' ∧
Virtual.Region.member vpa vr ⇒
∃ppa.
Physical.Region.member ppa pr ∧
State.translatePage s' (State.reference s') vpa = some ppa
⊦ ∀s s' pd pts pr vr.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ⇒
State.translatePage s (State.reference s) =
State.translatePage s' (State.reference s')
⊦ ∀s s' pr vr vpa ppa.
Action.specificationAddKernelMappingH pr vr s s' ∧
Virtual.Region.member vpa vr ∧
State.translatePage s (State.reference s) vpa = some ppa ⇒
¬State.isEnvironmentPage s ppa
⊦ ∀s s' pd pts pr vr vpa.
Action.specificationAddMapping pd pts pr vr s s' ∧
¬Virtual.Region.member vpa vr ⇒
State.translatePage s pd vpa = State.translatePage s' pd vpa
⊦ ∀s s' va b ppa.
Action.specificationWriteEnvironment va b s s' ∧
(¬Page.isEnvironment (State.page s ppa) ∨
¬Page.isEnvironment (State.page s' ppa)) ⇒
State.page s ppa = State.page s' ppa
⊦ ∀s s' va b ppa.
Action.specificationWriteKernel va b s s' ∧
(¬Page.isNormal (State.page s ppa) ∨
¬Page.isNormal (State.page s' ppa)) ⇒
State.page s ppa = State.page s' ppa
⊦ ∀s s' va b ppa.
Action.specificationWriteUser va b s s' ∧
(¬Page.isNormal (State.page s ppa) ∨
¬Page.isNormal (State.page s' ppa)) ⇒
State.page s ppa = State.page s' ppa
⊦ ∀s s' pd vr pd' vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationRemoveMappingH pd vr s s' ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s pd' vpa = State.translatePage s' pd' vpa
⊦ ∀s s' pr vr pd vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddKernelMappingH pr vr s s' ∧
Virtual.Page.isUser vpa ⇒
State.translatePage s pd vpa = State.translatePage s' pd vpa
⊦ ∀s s' pd vr vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationRemoveMappingH pd vr s s' ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s (State.cr3 s) vpa =
State.translatePage s' (State.cr3 s') vpa
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMappingH pd pts pr vr s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMappingH pd pts pr vr s s' ⇒
Page.destEnvironment (State.page s ppa) =
Page.destEnvironment (State.page s' ppa)
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ⇒
(Page.isDirectory (State.page s ppa) ⇔
Page.isDirectory (State.page s' ppa))
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ⇒
(Page.isEnvironment (State.page s ppa) ⇔
Page.isEnvironment (State.page s' ppa))
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ⇒
Page.destEnvironment (State.page s ppa) =
Page.destEnvironment (State.page s' ppa)
⊦ ∀s s' pr vr vpa.
State.wellformed s' ∧
Action.specificationAddKernelMappingH pr vr s s' ∧
Virtual.Region.member vpa vr ⇒
∃ppa.
Physical.Region.member ppa pr ∧
State.translatePage s' (State.cr3 s') vpa = some ppa
⊦ ∀s s' pr vr pd vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddKernelMappingH pr vr s s' ∧
¬Virtual.Region.member vpa vr ⇒
State.translatePage s pd vpa = State.translatePage s' pd vpa
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ Action.specificationAddMapping pd pts pr vr s s' ∧
¬(ppa ∈ pts) ⇒
(Page.isTable (State.page s ppa) ⇔ Page.isTable (State.page s' ppa))
⊦ ∀s s' pr vr vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddKernelMappingH pr vr s s' ∧
¬Virtual.Region.member vpa vr ⇒
State.translatePage s (State.cr3 s) vpa =
State.translatePage s' (State.cr3 s') vpa
⊦ ∀s s' pd pts pr vr pd'.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ∧ ¬(pd' = pd) ⇒
State.translatePage s pd' = State.translatePage s' pd'
⊦ ∀v.
(∃f. v = View.Environment f) ∨ (∃c p g r. v = View.H c p g r) ∨
(∃f g. v = View.Kernel f g) ∨ ∃f. v = View.User f
⊦ ∀s s' pd pts pr vr pd' vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMappingH pd pts pr vr s s' ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s pd' vpa = State.translatePage s' pd' vpa
⊦ ∀s s' pd pts pr vr pd' vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s pd' vpa = State.translatePage s' pd' vpa
⊦ ∀s s' pd pts pr vr vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMappingH pd pts pr vr s s' ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s (State.cr3 s) vpa =
State.translatePage s' (State.cr3 s') vpa
⊦ ∀s s' pd pts pr vr ppa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ∧ ¬(ppa = pd) ⇒
Page.destDirectory (State.page s ppa) =
Page.destDirectory (State.page s' ppa)
⊦ ∀s s' pd pts pr vr ppa.
Action.specificationAddMapping pd pts pr vr s s' ∧ ¬(ppa ∈ pts) ∧
¬State.tableMappedInDirectory s pd ppa ⇒
Page.destTable (State.page s ppa) = Page.destTable (State.page s' ppa)
⊦ ∀s s' pd pts pr vr vpa.
State.wellformed s ∧ State.wellformed s' ∧
Action.specificationAddMapping pd pts pr vr s s' ∧
Virtual.Page.isKernel vpa ⇒
State.translatePage s (State.cr3 s) vpa =
State.translatePage s' (State.cr3 s') vpa
⊦ ∀s s' pd pts pr vr ppa.
Action.specificationAddMapping pd pts pr vr s s' ∧ ¬(ppa = pd) ∧
¬(ppa ∈ pts) ∧ ¬State.tableMappedInDirectory s pd ppa ⇒
State.page s ppa = State.page s' ppa
⊦ ∀s s' va b pd vpa ppa.
State.wellformed s ∧ State.wellformed s' ∧ Virtual.Page.isUser vpa ∧
State.translatePage s pd vpa = some ppa ∧
Action.specificationWriteEnvironment va b s s' ⇒
Page.destEnvironmentOrNormal (State.page s ppa) =
Page.destEnvironmentOrNormal (State.page s' ppa)
⊦ ∀s pt pd1 pd2 pdd1 pdd2 vsa1 vsa2.
State.wellformed s ∧
Page.destDirectory (State.page s pd1) = some pdd1 ∧
Page.destDirectory (State.page s pd2) = some pdd2 ∧
Page.Directory.Data.dest pdd1 vsa1 =
some (Page.Directory.Entry.Table pt) ∧
Page.Directory.Data.dest pdd2 vsa2 =
some (Page.Directory.Entry.Table pt) ⇒
vsa1 = vsa2 ∧ (Virtual.Superpage.isKernel vsa1 ∨ pd1 = pd2)
⊦ ∀s s' va b.
Action.specificationWriteEnvironment va b s s' ⇒
∃vpa i ppa d.
va = Virtual.Address.mk (vpa, i) ∧
State.translatePage s (State.cr3 s) vpa = some ppa ∧
State.page s ppa = Page.Environment d ∧
∀ppa'.
State.page s' ppa' =
if ppa' = ppa then Page.Environment (Page.Data.update i b d)
else State.page s ppa'
⊦ ∀s s' va b.
Action.specificationWriteKernel va b s s' ⇒
∃vpa i ppa d.
va = Virtual.Address.mk (vpa, i) ∧
State.translatePage s (State.cr3 s) vpa = some ppa ∧
State.page s ppa = Page.Normal d ∧
∀ppa'.
State.page s' ppa' =
if ppa' = ppa then Page.Normal (Page.Data.update i b d)
else State.page s ppa'
⊦ ∀s s' pd vr.
Action.specificationRemoveMappingH pd vr s s' ⇔
∃prs pr pts.
State.translatePage s pd (Virtual.Region.start vr) = some prs ∧
Physical.Region.mk prs (Virtual.Region.length vr) = pr ∧
{ ppa. ppa |
Page.isTable (State.page s ppa) ∧
State.page s' ppa = Page.Normal Page.Data.zero } = pts ∧
Action.specificationAddMapping pd pts pr vr s' s
⊦ (∀f f'. View.Environment f = View.Environment f' ⇔ f = f') ∧
(∀c p g r c' p' g' r'.
View.H c p g r = View.H c' p' g' r' ⇔
c = c' ∧ p = p' ∧ g = g' ∧ r = r') ∧
(∀f g f' g'. View.Kernel f g = View.Kernel f' g' ⇔ f = f' ∧ g = g') ∧
∀f f'. View.User f = View.User f' ⇔ f = f'
⊦ ∀a.
(∃va b. a = Action.WriteEnvironment va b) ∨
(∃pr ppa l. a = Action.DeriveRegionH pr ppa l) ∨
(∃ppa. a = Action.AllocatePageDirectoryH ppa) ∨
(∃pd. a = Action.FreePageDirectoryH pd) ∨
(∃pd pts pr vr. a = Action.AddMappingH pd pts pr vr) ∨
(∃pd vr. a = Action.RemoveMappingH pd vr) ∨
(∃pr vr. a = Action.AddKernelMappingH pr vr) ∨
(∃pd. a = Action.ExecuteH pd) ∨ (∃va b. a = Action.WriteKernel va b) ∨
∃va b. a = Action.WriteUser va b
External Type Operators
- →
- bool
- Data
- Byte
- byte
- List
- list
- Option
- option
- Pair
- ×
- Word10
- word10
- Byte
- Number
- Natural
- natural
- Natural
- Set
- set
- System
- H
- action
- domain
- page
- regionLength
- state
- view
- Page
- Page.data
- Page.offset
- Directory
- Page.Directory.data
- Page.Directory.entry
- Table
- Page.Table.data
- Physical
- Physical.address
- Physical.page
- Physical.region
- Physical.superpage
- State
- State.regions
- Superpage
- Superpage.offset
- View
- View.observablePages
- Virtual
- Virtual.address
- Virtual.page
- Virtual.region
- Virtual.superpage
- H
External Constants
- =
- select
- Data
- Bool
- ∀
- ∧
- ⇒
- ∃
- ∨
- ¬
- cond
- ⊥
- ⊤
- List
- ::
- @
- []
- all
- interval
- length
- map
- member
- nth
- nub
- replicate
- take
- toSet
- zipWith
- Option
- case
- isNone
- isSome
- none
- some
- Pair
- ,
- fst
- snd
- Word10
- <
- bit
- fromNatural
- modulus
- toNatural
- width
- Bits
- Bits.compare
- Bits.fromWord
- Bits.toWord
- Bool
- Function
- id
- K
- Number
- Natural
- *
- +
- -
- <
- ≤
- ↑
- bit0
- bit1
- div
- even
- mod
- odd
- suc
- zero
- Natural
- Set
- fromPredicate
- insert
- ∈
- System
- H
- action
- domain
- interferes
- view
- Action
- Action.specification
- Action.specificationAddKernelMappingH
- Action.specificationAddMapping
- Action.specificationAddMappingH
- Action.specificationAllocatePageDirectoryH
- Action.specificationDeriveRegionH
- Action.specificationExecuteH
- Action.specificationFreePageDirectoryH
- Action.specificationRemoveMappingH
- Action.specificationWriteEnvironment
- Action.specificationWriteKernel
- Action.specificationWriteUser
- Action.AddKernelMappingH
- Action.AddMappingH
- Action.AllocatePageDirectoryH
- Action.DeriveRegionH
- Action.ExecuteH
- Action.FreePageDirectoryH
- Action.RemoveMappingH
- Action.WriteEnvironment
- Action.WriteKernel
- Action.WriteUser
- Domain
- Domain.Environment
- Domain.H
- Domain.Kernel
- Domain.User
- Page
- Page.destDirectory
- Page.destEnvironment
- Page.destEnvironmentOrNormal
- Page.destNormal
- Page.destTable
- Page.isDirectory
- Page.isDirectoryOrTable
- Page.isEnvironment
- Page.isNormal
- Page.isTable
- Data
- Page.Data.update
- Page.Data.zero
- Page.Directory
- Data
- Page.Directory.Data.dest
- Page.Directory.Data.mk
- Entry
- Page.Directory.Entry.case
- Page.Directory.Entry.Superpage
- Page.Directory.Entry.Table
- Data
- Page.Environment
- Page.Normal
- Page.NotInstalled
- Page.Table
- Data
- Page.Table.Data.dest
- Data
- Physical
- Address
- Physical.Address.dest
- Physical.Address.mk
- Page
- Physical.Page.add
- Physical.Page.mk
- Region
- Physical.Region.forall
- Physical.Region.isSubregion
- Physical.Region.length
- Physical.Region.member
- Physical.Region.mk
- Physical.Region.pageList
- Address
- RegionLength
- RegionLength.toNatural
- State
- State.cr3
- State.cr3IsPageDirectory
- State.environmentOnlyInReference
- State.initialRegionsAreRegions
- State.isEnvironmentPage
- State.isNormalPage
- State.mappedPage
- State.mappedPagesAreAvailable
- State.noSharedPageTables
- State.page
- State.pageDirectoriesContainReference
- State.reference
- State.referenceIsPageDirectory
- State.referenceMapsKernelAddresses
- State.regions
- State.regionsAreNotEnvironment
- State.tableMappedInDirectory
- State.tablePointersArePageTables
- State.translatePage
- State.translation
- State.unmappedNormalPage
- State.unmappedPage
- State.wellformed
- State.Regions
- State.Regions.all
- State.Regions.initial
- View
- View.equivalent
- View.mkCurrentPageDirectoryH
- View.mkObservablePagesEnvironment
- View.mkObservablePagesKernel
- View.mkObservablePagesUser
- View.mkPagesH
- View.mkReferencePageDirectoryH
- View.mkRegionHandlesH
- View.mkRegionHandlesKernel
- View.Environment
- View.H
- View.Kernel
- ObservablePages
- View.ObservablePages.dest
- View.ObservablePages.fromTranslate
- View.ObservablePages.mk
- View.User
- Virtual
- Address
- Virtual.Address.dest
- Virtual.Address.isKernel
- Virtual.Address.isUser
- Virtual.Address.mk
- Page
- Virtual.Page.add
- Virtual.Page.dest
- Virtual.Page.isKernel
- Virtual.Page.isUser
- Virtual.Page.mk
- Region
- Virtual.Region.forall
- Virtual.Region.isKernel
- Virtual.Region.isUser
- Virtual.Region.length
- Virtual.Region.member
- Virtual.Region.mk
- Virtual.Region.pageList
- Virtual.Region.start
- Superpage
- Virtual.Superpage.dest
- Virtual.Superpage.fromNatural
- Virtual.Superpage.isKernel
- Virtual.Superpage.isUser
- Virtual.Superpage.mk
- Address
- H
Assumptions
⊦ ⊤
⊦ ¬isSome none
⊦ View.mkCurrentPageDirectoryH = State.cr3
⊦ View.mkReferencePageDirectoryH = State.reference
⊦ View.mkRegionHandlesH = State.regions
⊦ View.mkRegionHandlesKernel = State.regions
⊦ ¬⊥ ⇔ ⊤
⊦ ¬⊤ ⇔ ⊥
⊦ length [] = 0
⊦ bit0 0 = 0
⊦ ∀a. isSome (some a)
⊦ ∀t. t ⇒ t
⊦ ∀n. 0 ≤ n
⊦ ⊥ ⇔ ∀p. p
⊦ Bits.toWord [] = 0
⊦ ∀x. id x = x
⊦ ∀t. t ∨ ¬t
⊦ (¬) = λp. p ⇒ ⊥
⊦ ∀t. (∀x. t) ⇔ t
⊦ ∀t. (∃x. t) ⇔ t
⊦ ∀t. (λx. t x) = t
⊦ (∀) = λp. p = λx. ⊤
⊦ ∀a. ¬(some a = none)
⊦ ∀x. replicate x 0 = []
⊦ ∀t. ¬¬t ⇔ t
⊦ ∀t. (⊤ ⇔ t) ⇔ t
⊦ ∀t. (t ⇔ ⊤) ⇔ t
⊦ ∀t. ⊥ ∧ t ⇔ ⊥
⊦ ∀t. ⊤ ∧ t ⇔ t
⊦ ∀t. t ∧ ⊥ ⇔ ⊥
⊦ ∀t. t ∧ ⊤ ⇔ t
⊦ ∀t. t ∧ t ⇔ t
⊦ ∀t. ⊥ ⇒ t ⇔ ⊤
⊦ ∀t. ⊤ ⇒ t ⇔ t
⊦ ∀t. t ⇒ ⊤ ⇔ ⊤
⊦ ∀t. ⊥ ∨ t ⇔ t
⊦ ∀t. ⊤ ∨ t ⇔ ⊤
⊦ ∀t. t ∨ ⊥ ⇔ t
⊦ ∀t. t ∨ ⊤ ⇔ ⊤
⊦ ∀t. t ∨ t ⇔ t
⊦ ∀n. ¬(suc n = 0)
⊦ ∀n. 0 * n = 0
⊦ ∀m. m * 0 = 0
⊦ ∀n. 0 + n = n
⊦ ∀m. m + 0 = m
⊦ ∀l. [] @ l = l
⊦ ∀l. take 0 l = []
⊦ modulus = 2 ↑ width
⊦ width = 10
⊦ ∀t. (⊥ ⇔ t) ⇔ ¬t
⊦ ∀t. (t ⇔ ⊥) ⇔ ¬t
⊦ ∀t. t ⇒ ⊥ ⇔ ¬t
⊦ ∀q. Bits.compare q [] [] ⇔ q
⊦ ∀n. bit1 n = suc (bit0 n)
⊦ ∀n.
Virtual.Superpage.fromNatural n = Virtual.Superpage.mk (fromNatural n)
⊦ ∀m. m ↑ 0 = 1
⊦ ∀m. m * 1 = m
⊦ ∀m. 1 * m = m
⊦ ∀p. Page.isDirectory p ⇔ isSome (Page.destDirectory p)
⊦ ∀p. Page.isEnvironment p ⇔ isSome (Page.destEnvironment p)
⊦ ∀p. Page.isNormal p ⇔ isSome (Page.destNormal p)
⊦ ∀p. Page.isTable p ⇔ isSome (Page.destTable p)
⊦ ∀vpa. Virtual.Page.isUser vpa ⇔ ¬Virtual.Page.isKernel vpa
⊦ ∀vr.
Virtual.Region.isKernel vr ⇔
Virtual.Region.forall Virtual.Page.isKernel vr
⊦ ∀vr.
Virtual.Region.isUser vr ⇔ Virtual.Region.forall Virtual.Page.isUser vr
⊦ ∀vsa. Virtual.Superpage.isUser vsa ⇔ ¬Virtual.Superpage.isKernel vsa
⊦ ∀x y. K x y = x
⊦ (⇒) = λp q. p ∧ q ⇔ p
⊦ ∀t. (t ⇔ ⊤) ∨ (t ⇔ ⊥)
⊦ ∀n. even (suc n) ⇔ ¬even n
⊦ ∀n. odd (suc n) ⇔ ¬odd n
⊦ ∀m. m ≤ 0 ⇔ m = 0
⊦ ∀x. (fst x, snd x) = x
⊦ ∀t1 t2. (if ⊥ then t1 else t2) = t2
⊦ ∀t1 t2. (if ⊤ then t1 else t2) = t1
⊦ ∀b f. case b f none = b
⊦ ∀m n. length (interval m n) = n
⊦ ∀s l. Physical.Region.length (Physical.Region.mk s l) = l
⊦ ∀s l. Virtual.Region.length (Virtual.Region.mk s l) = l
⊦ ∀p x. p x ⇒ p ((select) p)
⊦ View.mkObservablePagesKernel =
View.ObservablePages.fromTranslate
(λs vpa. State.translatePage s (State.cr3 s) vpa)
⊦ ∀n. bit0 (suc n) = suc (suc (bit0 n))
⊦ ∀p. Page.isDirectoryOrTable p ⇔ Page.isDirectory p ∨ Page.isTable p
⊦ ∀s.
State.cr3IsPageDirectory s ⇔
Page.isDirectory (State.page s (State.cr3 s))
⊦ ∀s.
State.referenceIsPageDirectory s ⇔
Page.isDirectory (State.page s (State.reference s))
⊦ ∀x. ∃a b. x = (a, b)
⊦ ∀x y. x = y ⇔ y = x
⊦ ∀x y. x = y ⇒ y = x
⊦ ∀h t. nth (h :: t) 0 = h
⊦ ∀t1 t2. t1 ∨ t2 ⇔ t2 ∨ t1
⊦ ∀a b. (a ⇔ b) ⇒ a ⇒ b
⊦ ∀m n. m + n = n + m
⊦ ∀m n. m + n - n = m
⊦ ∀f l. length (map f l) = length l
⊦ ∀n. n < modulus ⇒ toNatural (fromNatural n) = n
⊦ ∀n. 2 * n = n + n
⊦ ∀h t. length (h :: t) = suc (length t)
⊦ ∀m n. ¬(m < n ∧ n ≤ m)
⊦ ∀m n. ¬(m ≤ n ∧ n < m)
⊦ ∀m n. ¬(m ≤ n) ⇔ n < m
⊦ ∀m n. suc m ≤ n ⇔ m < n
⊦ ∀s ppa.
State.isEnvironmentPage s ppa ⇔ Page.isEnvironment (State.page s ppa)
⊦ ∀s ppa. State.isNormalPage s ppa ⇔ Page.isNormal (State.page s ppa)
⊦ ∀ppa pr.
Physical.Region.member ppa pr ⇔
member ppa (Physical.Region.pageList pr)
⊦ ∀ppa vr.
Virtual.Region.member ppa vr ⇔ member ppa (Virtual.Region.pageList vr)
⊦ ∀x. x = none ∨ ∃a. x = some a
⊦ ∀p pr. Physical.Region.forall p pr ⇔ all p (Physical.Region.pageList pr)
⊦ ∀p vr. Virtual.Region.forall p vr ⇔ all p (Virtual.Region.pageList vr)
⊦ (∧) = λp q. (λf. f p q) = λf. f ⊤ ⊤
⊦ ∀p. ¬(∀x. p x) ⇔ ∃x. ¬p x
⊦ (∃) = λp. ∀q. (∀x. p x ⇒ q) ⇒ q
⊦ ∀a a'. some a = some a' ⇔ a = a'
⊦ ∀t1 t2. ¬t1 ⇒ ¬t2 ⇔ t2 ⇒ t1
⊦ ∀x y. x < y ⇔ toNatural x < toNatural y
⊦ ∀m n. m + suc n = suc (m + n)
⊦ ∀m n. suc m + n = suc (m + n)
⊦ ∀m n. suc m = suc n ⇔ m = n
⊦ ∀b f a. case b f (some a) = f a
⊦ ∀x n. replicate x (suc n) = x :: replicate x n
⊦ ∀t1 t2. ¬(t1 ∧ t2) ⇔ ¬t1 ∨ ¬t2
⊦ ∀w1 w2. Bits.compare ⊥ (Bits.fromWord w1) (Bits.fromWord w2) ⇔ w1 < w2
⊦ ∀m n. even (m * n) ⇔ even m ∨ even n
⊦ ∀m n. even (m + n) ⇔ even m ⇔ even n
⊦ ∀m n. m * suc n = m + m * n
⊦ ∀m n. m ↑ suc n = m * m ↑ n
⊦ ∀m n. suc m * n = m * n + n
⊦ ∀p. (∀s l. p (Physical.Region.mk s l)) ⇒ ∀pr. p pr
⊦ ∀P. (∀a0 a1. P (State.Regions a0 a1)) ⇒ ∀x. P x
⊦ ∀p. (∀s l. p (Virtual.Region.mk s l)) ⇒ ∀pr. p pr
⊦ View.mkObservablePagesUser =
View.ObservablePages.fromTranslate
(λs vpa.
if Virtual.Page.isUser vpa then
State.translatePage s (State.cr3 s) vpa
else none)
⊦ ∀f g. (∀x. f x = g x) ⇔ f = g
⊦ ∀p a. (∃x. a = x ∧ p x) ⇔ p a
⊦ (∨) = λp q. ∀r. (p ⇒ r) ⇒ (q ⇒ r) ⇒ r
⊦ ∀m n. m ≤ n ⇔ m < n ∨ m = n
⊦ ∀m n. odd (m + n) ⇔ ¬(odd m ⇔ odd n)
⊦ ∀m n. m ≤ n ∧ n ≤ m ⇔ m = n
⊦ ∀s ppa.
State.unmappedNormalPage s ppa ⇔
State.unmappedPage s ppa ∧ State.isNormalPage s ppa
⊦ ∀s.
State.referenceMapsKernelAddresses s ⇔
∀vpa.
State.mappedPage s (State.reference s) vpa ⇒
Virtual.Page.isKernel vpa
⊦ ∀f. ∃fn. ∀a b. fn (a, b) = f a b
⊦ (∀d. Page.Directory.Data.mk (Page.Directory.Data.dest d) = d) ∧
∀f. Page.Directory.Data.dest (Page.Directory.Data.mk f) = f
⊦ (∀pa. Physical.Address.mk (Physical.Address.dest pa) = pa) ∧
∀r. Physical.Address.dest (Physical.Address.mk r) = r
⊦ (∀v. View.ObservablePages.mk (View.ObservablePages.dest v) = v) ∧
∀f. View.ObservablePages.dest (View.ObservablePages.mk f) = f
⊦ (∀va. Virtual.Address.mk (Virtual.Address.dest va) = va) ∧
∀r. Virtual.Address.dest (Virtual.Address.mk r) = r
⊦ (∀vpa. Virtual.Page.mk (Virtual.Page.dest vpa) = vpa) ∧
∀r. Virtual.Page.dest (Virtual.Page.mk r) = r
⊦ (∀vsa. Virtual.Superpage.mk (Virtual.Superpage.dest vsa) = vsa) ∧
∀w. Virtual.Superpage.dest (Virtual.Superpage.mk w) = w
⊦ ∀s pd vpa.
State.mappedPage s pd vpa ⇔ isSome (State.translatePage s pd vpa)
⊦ ∀p l. (∀x. member x l ⇒ p x) ⇔ all p l
⊦ ∀p. (∃x y. p x y) ⇔ ∃y x. p x y
⊦ ∀p q. p ∧ (∃x. q x) ⇔ ∃x. p ∧ q x
⊦ ∀p q. p ∨ (∃x. q x) ⇔ ∃x. p ∨ q x
⊦ ∀s l.
Physical.Region.pageList (Physical.Region.mk s l) =
map (Physical.Page.add s) (interval 0 (RegionLength.toNatural l))
⊦ ∀s l.
Virtual.Region.pageList (Virtual.Region.mk s l) =
map (Virtual.Page.add s) (interval 0 (RegionLength.toNatural l))
⊦ ∀x y z. x = y ∧ y = z ⇒ x = z
⊦ ∀t1 t2 t3. (t1 ∧ t2) ∧ t3 ⇔ t1 ∧ t2 ∧ t3
⊦ ∀t1 t2 t3. (t1 ∨ t2) ∨ t3 ⇔ t1 ∨ t2 ∨ t3
⊦ ∀m n p. m + (n + p) = m + n + p
⊦ ∀m n p. m < n ∧ n < p ⇒ m < p
⊦ ∀n.
Bits.toWord (odd n :: Bits.fromWord (fromNatural (n div 2))) =
fromNatural n
⊦ ∀l h t. (h :: t) @ l = h :: t @ l
⊦ ∀s t. (∀x. x ∈ s ⇔ x ∈ t) ⇔ s = t
⊦ ∀s t. (∀x. x ∈ s ⇔ x ∈ t) ⇒ s = t
⊦ ∀m n. m ≤ suc n ⇔ m = suc n ∨ m ≤ n
⊦ ∀m n. m * n = 0 ⇔ m = 0 ∨ n = 0
⊦ ∀P.
(∀a. P (Page.Directory.Entry.Superpage a)) ∧
(∀a. P (Page.Directory.Entry.Table a)) ⇒ ∀x. P x
⊦ ∀d s t. View.equivalent d s t ⇔ view d s = view d t
⊦ ∀s ppa.
View.mkPagesH s ppa =
let page ← State.page s ppa in
if Page.isNormal page then none else some page
⊦ ∀p. p 0 ∧ (∀n. p n ⇒ p (suc n)) ⇒ ∀n. p n
⊦ ∀p x. x ∈ { y. y | p y } ⇔ p x
⊦ ∀p.
p Domain.Environment ∧ p Domain.H ∧ p Domain.Kernel ∧ p Domain.User ⇒
∀d. p d
⊦ ∀m n p. m * (n + p) = m * n + m * p
⊦ ∀m n p. m ↑ (n + p) = m ↑ n * m ↑ p
⊦ ∀m n p. (m + n) * p = m * p + n * p
⊦ ∀vpa.
Virtual.Page.isKernel vpa ⇔
let (vsa, si) ← Virtual.Page.dest vpa in Virtual.Superpage.isKernel vsa
⊦ ∀P. (∀a0 a1 a2 a3. P (State a0 a1 a2 a3)) ⇒ ∀x. P x
⊦ ∀l x. member x l ⇔ ∃i. i < length l ∧ x = nth l i
⊦ ∀p q. (∀x. p x ∧ q x) ⇔ (∀x. p x) ∧ ∀x. q x
⊦ ∀p q. (∃x. p x) ∨ (∃x. q x) ⇔ ∃x. p x ∨ q x
⊦ ∀h t n. n < length t ⇒ nth (h :: t) (suc n) = nth t n
⊦ ∀m n p. m * n = m * p ⇔ m = 0 ∨ n = p
⊦ ∀m n p. m * n ≤ m * p ⇔ m = 0 ∨ n ≤ p
⊦ ∀a s s'.
action a s s' ⇔
State.wellformed s ∧ State.wellformed s' ∧ Action.specification a s s'
⊦ View.mkObservablePagesEnvironment =
View.ObservablePages.fromTranslate
(λs vpa.
case State.translatePage s (State.cr3 s) vpa of
none → none
| some ppa →
if Page.isEnvironment (State.page s ppa) then some ppa
else none)
⊦ ∀l n. bit (Bits.toWord l) n ⇔ n < width ∧ n < length l ∧ nth l n
⊦ ∀m n p. m * n < m * p ⇔ ¬(m = 0) ∧ n < p
⊦ ∀pd s s'.
Action.specificationFreePageDirectoryH pd s s' ⇔
Action.specificationAllocatePageDirectoryH pd s' s ∧
State.page s' pd = Page.Normal Page.Data.zero
⊦ ∀a b a' b'. (a, b) = (a', b') ⇔ a = a' ∧ b = b'
⊦ ∀n h t. n ≤ length t ⇒ take (suc n) (h :: t) = h :: take n t
⊦ ∀l.
Bits.fromWord (Bits.toWord l) =
if length l ≤ width then l @ replicate ⊥ (width - length l)
else take width l
⊦ ∀vsa.
Virtual.Superpage.isKernel vsa ⇔
let w ← Virtual.Superpage.dest vsa in bit w 9 ∧ bit w 8
⊦ ∀p c x y. p (if c then x else y) ⇔ (c ⇒ p x) ∧ (¬c ⇒ p y)
⊦ ∀m n q r. m = q * n + r ∧ r < n ⇒ m div n = q
⊦ ∀m n q r. m = q * n + r ∧ r < n ⇒ m mod n = r
⊦ ∀f l1 l2 n. length l1 = n ∧ length l2 = n ⇒ length (zipWith f l1 l2) = n
⊦ ∀s.
State.environmentOnlyInReference s ⇔
∀pd vpa.
case State.translatePage s pd vpa of
none → ⊤
| some ppa →
Page.isEnvironment (State.page s ppa) ⇒
State.mappedPage s (State.reference s) vpa
⊦ ∀s pd pt.
State.tableMappedInDirectory s pd pt ⇔
case Page.destDirectory (State.page s pd) of
none → ⊥
| some pdd →
∃pdi.
Page.Directory.Data.dest pdd pdi =
some (Page.Directory.Entry.Table pt)
⊦ ∀s.
State.pageDirectoriesContainReference s ⇔
∀pd vpa.
Page.isDirectory (State.page s pd) ∧ Virtual.Page.isKernel vpa ⇒
State.translatePage s pd vpa =
State.translatePage s (State.reference s) vpa
⊦ (∀f g psa.
Page.Directory.Entry.case f g (Page.Directory.Entry.Superpage psa) =
f psa) ∧
∀f g pt.
Page.Directory.Entry.case f g (Page.Directory.Entry.Table pt) = g pt
⊦ ∀fe fh fk fu.
∃fn.
fn Domain.Environment = fe ∧ fn Domain.H = fh ∧
fn Domain.Kernel = fk ∧ fn Domain.User = fu
⊦ ∀s.
State.tablePointersArePageTables s ⇔
∀pd pdi.
case Page.destDirectory (State.page s pd) of
none → ⊤
| some pdd →
case Page.Directory.Data.dest pdd pdi of
none → ⊤
| some pde →
case pde of
Page.Directory.Entry.Superpage spa → ⊤
| Page.Directory.Entry.Table ppa →
Page.isTable (State.page s ppa)
⊦ ∀P.
(∀a. P (Page.Environment a)) ∧ (∀a. P (Page.Normal a)) ∧
(∀a. P (Page.Directory a)) ∧ (∀a. P (Page.Table a)) ∧
P Page.NotInstalled ⇒ ∀x. P x
⊦ ∀s va.
State.translation s va =
let (vpa, i) ← Virtual.Address.dest va in
case State.translatePage s (State.cr3 s) vpa of
none → none
| some ppa → some (Physical.Address.mk (ppa, i))
⊦ ∀q h1 h2 t1 t2.
Bits.compare q (h1 :: t1) (h2 :: t2) ⇔
Bits.compare (¬h1 ∧ h2 ∨ ¬(h1 ∧ ¬h2) ∧ q) t1 t2
⊦ ∀pd s s'.
Action.specificationExecuteH pd s s' ⇔
State.reference s = State.reference s' ∧ State.page s = State.page s' ∧
State.regions s = State.regions s' ∧ State.cr3 s' = pd
⊦ ∀s.
State.wellformed s ⇔
State.cr3IsPageDirectory s ∧ State.pageDirectoriesContainReference s ∧
State.mappedPagesAreAvailable s ∧ State.tablePointersArePageTables s ∧
State.noSharedPageTables s ∧ State.referenceIsPageDirectory s ∧
State.referenceMapsKernelAddresses s ∧
State.environmentOnlyInReference s ∧ State.initialRegionsAreRegions s ∧
State.regionsAreNotEnvironment s
⊦ (∀d. Page.destNormal (Page.Environment d) = none) ∧
(∀d. Page.destNormal (Page.Normal d) = some d) ∧
(∀pdd. Page.destNormal (Page.Directory pdd) = none) ∧
(∀ptd. Page.destNormal (Page.Table ptd) = none) ∧
Page.destNormal Page.NotInstalled = none
⊦ (∀d. Page.destDirectory (Page.Environment d) = none) ∧
(∀d. Page.destDirectory (Page.Normal d) = none) ∧
(∀pdd. Page.destDirectory (Page.Directory pdd) = some pdd) ∧
(∀ptd. Page.destDirectory (Page.Table ptd) = none) ∧
Page.destDirectory Page.NotInstalled = none
⊦ (∀d. Page.destTable (Page.Environment d) = none) ∧
(∀d. Page.destTable (Page.Normal d) = none) ∧
(∀pdd. Page.destTable (Page.Directory pdd) = none) ∧
(∀ptd. Page.destTable (Page.Table ptd) = some ptd) ∧
Page.destTable Page.NotInstalled = none
⊦ (∀d. Page.destEnvironment (Page.Environment d) = some d) ∧
(∀d. Page.destEnvironment (Page.Normal d) = none) ∧
(∀pdd. Page.destEnvironment (Page.Directory pdd) = none) ∧
(∀ptd. Page.destEnvironment (Page.Table ptd) = none) ∧
Page.destEnvironment Page.NotInstalled = none
⊦ ∀f l1 l2 n i.
length l1 = n ∧ length l2 = n ∧ i < n ⇒
nth (zipWith f l1 l2) i = f (nth l1 i) (nth l2 i)
⊦ (∀d. Page.destEnvironmentOrNormal (Page.Environment d) = some d) ∧
(∀d. Page.destEnvironmentOrNormal (Page.Normal d) = some d) ∧
(∀pdd. Page.destEnvironmentOrNormal (Page.Directory pdd) = none) ∧
(∀ptd. Page.destEnvironmentOrNormal (Page.Table ptd) = none) ∧
Page.destEnvironmentOrNormal Page.NotInstalled = none
⊦ ∀tr s.
View.ObservablePages.fromTranslate tr s =
View.ObservablePages.mk
(λvpa.
case tr s vpa of
none → none
| some ppa →
case Page.destEnvironmentOrNormal (State.page s ppa) of
none → none
| some d → some (d, { vpa'. vpa' | tr s vpa' = some ppa }))
⊦ ∀phi.
(∀f. phi (View.Environment f)) ∧ (∀c p g r. phi (View.H c p g r)) ∧
(∀f g. phi (View.Kernel f g)) ∧ (∀f. phi (View.User f)) ⇒ ∀v. phi v
⊦ ∀w.
∃x0 x1 x2 x3 x4 x5 x6 x7 x8 x9.
w =
Bits.toWord
(x0 :: x1 :: x2 :: x3 :: x4 :: x5 :: x6 :: x7 :: x8 :: x9 :: [])
⊦ (∀s.
view Domain.Environment s =
View.Environment (View.mkObservablePagesEnvironment s)) ∧
(∀s.
view Domain.H s =
View.H (View.mkCurrentPageDirectoryH s) (View.mkPagesH s)
(View.mkRegionHandlesH s) (View.mkReferencePageDirectoryH s)) ∧
(∀s.
view Domain.Kernel s =
View.Kernel (View.mkObservablePagesKernel s)
(View.mkRegionHandlesKernel s)) ∧
∀s. view Domain.User s = View.User (View.mkObservablePagesUser s)
⊦ ∀ppa s s'.
Action.specificationAllocatePageDirectoryH ppa s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧ State.unmappedNormalPage s ppa ∧
∀ppa'.
State.page s' ppa' =
State.page s (if ppa' = ppa then State.reference s else ppa')
⊦ ∀pd pts pr vr s s'.
Action.specificationAddMappingH pd pts pr vr s s' ⇔
length (nub pts) = length pts ∧
pr ∈ State.Regions.all (State.regions s) ∧
∃n.
n ≤ length pts ∧
Action.specificationAddMapping pd (toSet (take n pts)) pr vr s s'
⊦ ∀f0 f1 f2 f3 f4.
∃fn.
(∀a. fn (Page.Environment a) = f0 a) ∧
(∀a. fn (Page.Normal a) = f1 a) ∧
(∀a. fn (Page.Directory a) = f2 a) ∧ (∀a. fn (Page.Table a) = f3 a) ∧
fn Page.NotInstalled = f4
⊦ ∀pd vr s s'.
Action.specificationRemoveMappingH pd vr s s' ⇔
case State.translatePage s pd (Virtual.Region.start vr) of
none → ⊥
| some prs →
let pr ← Physical.Region.mk prs (Virtual.Region.length vr) in
let pts ←
{ ppa. ppa |
Page.isTable (State.page s ppa) ∧
State.page s' ppa = Page.Normal Page.Data.zero } in
Action.specificationAddMapping pd pts pr vr s' s
⊦ ∀s pd vpa.
State.translatePage s pd vpa =
let (vsa, si) ← Virtual.Page.dest vpa in
case Page.destDirectory (State.page s pd) of
none → none
| some pdd →
case Page.Directory.Data.dest pdd vsa of
none → none
| some pde →
case pde of
Page.Directory.Entry.Superpage psa →
some (Physical.Page.mk (psa, si))
| Page.Directory.Entry.Table pt →
case Page.destTable (State.page s pt) of
none → none
| some ptd → Page.Table.Data.dest ptd si
⊦ ∀fe fh fk fu.
∃fn.
(∀f. fn (View.Environment f) = fe f) ∧
(∀c p g r. fn (View.H c p g r) = fh c p g r) ∧
(∀f g. fn (View.Kernel f g) = fk f g) ∧ ∀f. fn (View.User f) = fu f
⊦ ∀s.
State.noSharedPageTables s ⇔
∀pt pd1 pd2 pdd1 pdd2 vsa1 vsa2.
Page.destDirectory (State.page s pd1) = some pdd1 ∧
Page.destDirectory (State.page s pd2) = some pdd2 ∧
Page.Directory.Data.dest pdd1 vsa1 =
some (Page.Directory.Entry.Table pt) ∧
Page.Directory.Data.dest pdd2 vsa2 =
some (Page.Directory.Entry.Table pt) ⇒
vsa1 = vsa2 ∧ (Virtual.Superpage.isKernel vsa1 ∨ pd1 = pd2)
⊦ ∀pr ppa l s s'.
Action.specificationDeriveRegionH pr ppa l s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.page s = State.page s' ∧
State.Regions.initial (State.regions s) =
State.Regions.initial (State.regions s') ∧
let r ← Physical.Region.mk ppa l in
Physical.Region.isSubregion r pr ∧
¬(r ∈ State.Regions.all (State.regions s)) ∧
State.Regions.all (State.regions s') =
insert r (State.Regions.all (State.regions s))
⊦ ∀va b s s'.
Action.specificationWriteEnvironment va b s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧
case State.translation s va of
none → ⊥
| some pa →
let (ppa, i) ← Physical.Address.dest pa in
∀ppa'.
if ppa' = ppa then
case Page.destEnvironment (State.page s ppa') of
none → ⊥
| some d →
Page.destEnvironment (State.page s' ppa') =
some (Page.Data.update i b d)
else State.page s ppa' = State.page s' ppa'
⊦ ∀va b s s'.
Action.specificationWriteKernel va b s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧ Virtual.Address.isKernel va ∧
case State.translation s va of
none → ⊥
| some pa →
let (ppa, i) ← Physical.Address.dest pa in
∀ppa'.
if ppa' = ppa then
case Page.destNormal (State.page s ppa') of
none → ⊥
| some d →
Page.destNormal (State.page s' ppa') =
some (Page.Data.update i b d)
else State.page s ppa' = State.page s' ppa'
⊦ ∀va b s s'.
Action.specificationWriteUser va b s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧ Virtual.Address.isUser va ∧
case State.translation s va of
none → ⊥
| some pa →
let (ppa, i) ← Physical.Address.dest pa in
∀ppa'.
if ppa' = ppa then
case Page.destNormal (State.page s ppa') of
none → ⊥
| some d →
Page.destNormal (State.page s' ppa') =
some (Page.Data.update i b d)
else State.page s ppa' = State.page s' ppa'
⊦ ∀p.
(∀va b. p (Action.WriteEnvironment va b)) ∧
(∀pr ppa l. p (Action.DeriveRegionH pr ppa l)) ∧
(∀ppa. p (Action.AllocatePageDirectoryH ppa)) ∧
(∀pd. p (Action.FreePageDirectoryH pd)) ∧
(∀pd pts pr vr. p (Action.AddMappingH pd pts pr vr)) ∧
(∀pd vr. p (Action.RemoveMappingH pd vr)) ∧
(∀pr vr. p (Action.AddKernelMappingH pr vr)) ∧
(∀pd. p (Action.ExecuteH pd)) ∧ (∀va b. p (Action.WriteKernel va b)) ∧
(∀va b. p (Action.WriteUser va b)) ⇒ ∀a. p a
⊦ ∀x y.
interferes x y ⇔
x = Domain.Environment ∧ y = Domain.Environment ∨
x = Domain.Environment ∧ y = Domain.H ∨
x = Domain.Environment ∧ y = Domain.Kernel ∨
x = Domain.H ∧ y = Domain.H ∨ x = Domain.H ∧ y = Domain.Kernel ∨
x = Domain.H ∧ y = Domain.User ∨
x = Domain.Kernel ∧ y = Domain.Kernel ∨
x = Domain.Kernel ∧ y = Domain.User ∨
x = Domain.User ∧ y = Domain.Kernel ∨ x = Domain.User ∧ y = Domain.User
⊦ (∀va b. domain (Action.WriteEnvironment va b) = Domain.Environment) ∧
(∀pr ppa l. domain (Action.DeriveRegionH pr ppa l) = Domain.H) ∧
(∀ppa. domain (Action.AllocatePageDirectoryH ppa) = Domain.H) ∧
(∀pd. domain (Action.FreePageDirectoryH pd) = Domain.H) ∧
(∀pd pts pr vr. domain (Action.AddMappingH pd pts pr vr) = Domain.H) ∧
(∀pd vr. domain (Action.RemoveMappingH pd vr) = Domain.H) ∧
(∀pr vr. domain (Action.AddKernelMappingH pr vr) = Domain.H) ∧
(∀pd. domain (Action.ExecuteH pd) = Domain.H) ∧
(∀va b. domain (Action.WriteKernel va b) = Domain.Kernel) ∧
∀va b. domain (Action.WriteUser va b) = Domain.User
⊦ ∀pr vr s s'.
Action.specificationAddKernelMappingH pr vr s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧
pr ∈ State.Regions.all (State.regions s) ∧
Physical.Region.forall (State.isNormalPage s) pr ∧
Physical.Region.length pr = Virtual.Region.length vr ∧
Virtual.Region.isKernel vr ∧
(∀vpa.
¬Virtual.Region.member vpa vr ⇒
State.translatePage s' (State.reference s') vpa =
State.translatePage s (State.reference s) vpa) ∧
Virtual.Region.forall
(λvpa.
case State.translatePage s (State.reference s) vpa of
none → ⊤
| some ppa → ¬State.isEnvironmentPage s ppa) vr ∧
all id
(zipWith
(λvpa ppa.
State.translatePage s' (State.reference s') vpa = some ppa)
(Virtual.Region.pageList vr) (Physical.Region.pageList pr)) ∧
∀ppa.
if State.tableMappedInDirectory s (State.reference s) ppa then
Page.isTable (State.page s' ppa)
else State.page s ppa = State.page s' ppa
⊦ (∀va b.
Action.specification (Action.WriteEnvironment va b) =
Action.specificationWriteEnvironment va b) ∧
(∀pr ppa l.
Action.specification (Action.DeriveRegionH pr ppa l) =
Action.specificationDeriveRegionH pr ppa l) ∧
(∀ppa.
Action.specification (Action.AllocatePageDirectoryH ppa) =
Action.specificationAllocatePageDirectoryH ppa) ∧
(∀pd.
Action.specification (Action.FreePageDirectoryH pd) =
Action.specificationFreePageDirectoryH pd) ∧
(∀pd pts pr vr.
Action.specification (Action.AddMappingH pd pts pr vr) =
Action.specificationAddMappingH pd pts pr vr) ∧
(∀pd vr.
Action.specification (Action.RemoveMappingH pd vr) =
Action.specificationRemoveMappingH pd vr) ∧
(∀pr vr.
Action.specification (Action.AddKernelMappingH pr vr) =
Action.specificationAddKernelMappingH pr vr) ∧
(∀pd.
Action.specification (Action.ExecuteH pd) =
Action.specificationExecuteH pd) ∧
(∀va b.
Action.specification (Action.WriteKernel va b) =
Action.specificationWriteKernel va b) ∧
∀va b.
Action.specification (Action.WriteUser va b) =
Action.specificationWriteUser va b
⊦ ∀pd pts pr vr s s'.
Action.specificationAddMapping pd pts pr vr s s' ⇔
State.cr3 s = State.cr3 s' ∧ State.reference s = State.reference s' ∧
State.regions s = State.regions s' ∧
Page.isDirectory (State.page s pd) ∧
(∀pt. pt ∈ pts ⇒ State.unmappedNormalPage s pt) ∧
(∀pt. pt ∈ pts ⇒ ¬Physical.Region.member pt pr) ∧
Physical.Region.forall (State.isNormalPage s) pr ∧
Physical.Region.length pr = Virtual.Region.length vr ∧
Virtual.Region.isUser vr ∧
(∀vpa.
if Virtual.Region.member vpa vr then
isNone (State.translatePage s pd vpa)
else State.translatePage s' pd vpa = State.translatePage s pd vpa) ∧
all id
(zipWith (λvpa ppa. State.translatePage s' pd vpa = some ppa)
(Virtual.Region.pageList vr) (Physical.Region.pageList pr)) ∧
∀ppa.
if ppa ∈ pts then State.tableMappedInDirectory s' pd ppa
else if ppa = pd then Page.isDirectory (State.page s' ppa)
else if State.tableMappedInDirectory s pd ppa then
Page.isTable (State.page s' ppa)
else State.page s ppa = State.page s' ppa