ebpf_proof.v

(* (C) 2021 Digamma.ai *)

Require Import common.

Definition Gprog := ltac:(with_library prog [__mark_reg32_unbounded_spec;
                                            __reg64_bound_s32_spec;
                                            __reg64_bound_u32_spec;
                                            (___reg_combine_64_into_32_CORRECT,
                                             __reg_combine_64_into_32_spec);
                                            __reg_deduce_bounds_spec;
                                            __reg_bound_offset_spec;
                                            __update_reg_bounds_spec]).


Theorem __reg_combine_64_into_32_correctness :
  semax_body Vprog Gprog f___reg_combine_64_into_32_CORRECT
     (___reg_combine_64_into_32_CORRECT, __reg_combine_64_into_32_spec).
Proof.
  start_function.
  forward_call (reg,
         ref_obj_id,
         s32_min_value, s32_max_value,
         u32_min_value, u32_max_value,
         smin_value64, smax_value64, umin_value64, umax_value64).
  forward.  
  unfold reg_struct.
  forward_call smin_value64.
  forward_if (temp _t'2 (Val.of_bool (if (Sbounds smin_value64)
                                      then (Sbounds smax_value64)
                                      else false))).
  - repeat forward.
    forward_call smax_value64.
    forward_H H.
  - forward_H H.
  - deadvars!.
    remember (if Sbounds smin_value64 
                          then Sbounds smax_value64 
                          else false) as b.
    forward_if (PROP ( )
     LOCAL (temp _t'2 (Val.of_bool b);
            temp _reg reg)
     SEP (data_at Tsh (Tstruct _bpf_reg_state noattr)
            (Vint ref_obj_id,
            (Vint (if b then (int64_to_32 smin_value64) else S32Min),
            (Vint (if b then (int64_to_32 smax_value64) else S32Max),
            (Vint U32Min,
            (Vint U32Max,
            (Vlong smin_value64,
            (Vlong smax_value64, (Vlong umin_value64, Vlong umax_value64))))))))
            reg)).
    + forward_H H.
    + forward_H H.
    + forward.
      forward_call umin_value64.
      deadvars!.
      forward_if (temp _t'5 (Val.of_bool (if (Ubounds umin_value64)
                                          then (Ubounds umax_value64)
                                          else false))).
  -- repeat forward.
     forward_call umax_value64.
     forward_H H.
  -- forward_H H.
  -- deadvars!.
     remember (if Ubounds umin_value64 
                          then Ubounds umax_value64 
               else false) as bb.
    forward_if (PROP ( )
     LOCAL (temp _t'5 (Val.of_bool bb);
            temp _reg reg)
     SEP (data_at Tsh (Tstruct _bpf_reg_state noattr)
            (Vint ref_obj_id,
            (Vint (if b then (int64_to_32 smin_value64) else S32Min),
            (Vint (if b then (int64_to_32 smax_value64) else S32Max),
            (Vint (if bb then (int64_to_32 umin_value64) else U32Min),
            (Vint (if bb then (int64_to_32 umax_value64) else U32Max),
            (Vlong smin_value64,
            (Vlong smax_value64, (Vlong umin_value64, Vlong umax_value64))))))))
            reg)).
    ++ forward_H H.
    ++ forward_H H.
    ++ repeat forward_call (reg).
       Exists (if b then int64_to_32 smin_value64 else S32Min).
       Exists (if b then int64_to_32 smax_value64 else S32Max).
       Exists (if bb then int64_to_32 umin_value64 else U32Min).
       Exists (if bb then int64_to_32 umax_value64 else U32Max).
       entailer!.
       repeat break_if; try intuition.       
Qed.