@@ -31,22 +31,6 @@ function encodeDecode(c : Capability) -> Capability = capBitsToCapability(c.tag
3131 */
3232function capEncodable (c : Capability ) -> bool = c == encodeDecode (c )
3333
34- // $property
35- /*
36- * THIS is not actually an invariant but is useful for characterising unusable
37- * encodings. Ideally we'd like an encoding that ensures base is less than or
38- * equal to top, but sadly this isn't true. Counterexamples are unusable
39- * encodings. This can happen when a_top ends up being zero and T < B because
40- * the attempted corrections can underflow a_top. There are other unusable
41- * encodings too, for example those with top larger than 2**32.
42- */
43- function prop_base_lteq_top (b : CapBits ) -> bool = {
44- let c = capBitsToCapability (false , b );
45- let (base , top ) = getCapBoundsBits (c );
46- a_top = c . address >> (unsigned (c . E ) + cap_mantissa_width );
47- (a_top != zeros () | (c . B <_u c . T )) --> ((0b0 @ base ) <= _u top )
48- }
49-
5034$property
5135/*!
5236 * Check that null_cap as defined in the Sail encodes to all zeros.
@@ -81,24 +65,6 @@ function prop_decEnc(t : bool, c : CapBits) -> bool = {
8165 (c == b ) & (cap . tag == t )
8266}
8367
84- // $counterexample
85- /*!
86- * THIS property attempts to prove that it is possible to recover T and B bits
87- * from the decoded base and top. This would be important in an implementation
88- * that decodes fully on load and recompresses on store. It fails when E is
89- * cap_max_E because base is only 32-bits and we lose the top bit of B, but I
90- * think it would hold if getCapBoundsBits returned a 33-bit base.
91- */
92- function prop_decEnc2 (c : CapBits ) -> bool = {
93- let cap = capBitsToCapability (false , c );
94- let (base , top ) = getCapBoundsBits (cap );
95- let newB = truncate (base >> unsigned (cap . E ), cap_mantissa_width );
96- let newT = truncate (top >> unsigned (cap . E ), cap_mantissa_width );
97- let cap2 = {cap with B = newB , T = newT };
98- let c2 = capToBits (cap2 );
99- (c == c2 )
100- }
101-
10268$property
10369/*!
10470 * THIS checks that for any capability and permissions mask [CAndPerm]
@@ -128,7 +94,8 @@ $property
12894function prop_setbounds (reqBase : CapAddrBits , reqLen : CapAddrBits ) -> bool = {
12995 let (exact , c ) = setCapBounds (root_cap_mem , reqBase , reqLen );
13096 let encodable = capEncodable (c );
131- let (b2 , t2 ) = getCapBoundsBits (c );
97+ let (b2 , l2 ) = getCapBoundsBits (c );
98+ let t2 = (0b0 @ b2 ) + l2 ;
13299 let reqTop = (0b0 @ reqBase ) + (0b0 @ reqLen );
133100 let saneTop = reqTop <= _u 0b1 @ 0x00000000 ;
134101 saneTop --> (
@@ -155,13 +122,15 @@ function prop_setbounds_monotonic(
155122 reqBase1 : CapAddrBits , reqLen1 : CapAddrBits ,
156123 reqBase2 : CapAddrBits , reqLen2 : CapAddrBits ) -> bool = {
157124 let (exact1 , c1 ) = setCapBounds (root_cap_mem , reqBase1 , reqLen1 );
158- let (b1 , t1 ) = getCapBoundsBits (c1 );
125+ let (b1 , l1 ) = getCapBoundsBits (c1 );
126+ let t1 = (0b0 @ b1 ) + l1 ;
159127 let reqTop1 = (0b0 @ reqBase1 ) + (0b0 @ reqLen1 );
160128 let saneTop1 = reqTop1 <= _u 0b1 @ 0x00000000 ;
161129 let reqTop2 = (0b0 @ reqBase2 ) + (0b0 @ reqLen2 );
162130 let saneTop2 = reqTop2 <= _u 0b1 @ 0x00000000 ;
163131 let (exact2 , c2 ) = setCapBounds (c1 , reqBase2 , reqLen2 );
164- let (b2 , t2 ) = getCapBoundsBits (c2 );
132+ let (b2 , l2 ) = getCapBoundsBits (c2 );
133+ let t2 = (0b0 @ b2 ) + l2 ;
165134 let requestMonotonic = (b1 <= _u reqBase2 ) & (reqTop2 <= _u t1 );
166135 let resultMonotonic = (b1 <= _u b2 ) & (t2 <= _u t1 );
167136 (saneTop1 & saneTop2 & requestMonotonic ) --> resultMonotonic
@@ -176,10 +145,12 @@ $property
176145function prop_setbounds_precise (reqBase1 : CapAddrBits , reqLen1 : CapAddrBits ,
177146 c2 : CapBits ) -> bool = {
178147 let (exact , c1 ) = setCapBounds (root_cap_mem , reqBase1 , reqLen1 );
179- let (b1 , t1 ) = getCapBoundsBits (c1 );
148+ let (b1 , l1 ) = getCapBoundsBits (c1 );
149+ let t1 = (0b0 @ b1 ) + l1 ;
180150 let reqTop1 = (0b0 @ reqBase1 ) + (0b0 @ reqLen1 );
181151 let saneTop1 = reqTop1 <= _u 0b1 @ 0x00000000 ;
182- let (b2 , t2 ) = getCapBoundsBits (capBitsToCapability (false , c2 ));
152+ let (b2 , l2 ) = getCapBoundsBits (capBitsToCapability (false , c2 ));
153+ let t2 = (0b0 @ b2 ) + l2 ;
183154 let validBase = b2 <= _u reqBase1 ;
184155 let betterBase = b1 <_u b2 ;
185156 let validTop = reqTop1 <= _u t2 ;
@@ -211,7 +182,8 @@ function prop_repbounds_c(reqBase : CapAddrBits, reqLen : CapAddrBits, newAddr :
211182 let (exact , c ) = setCapBounds (root_cap_mem , reqBase , reqLen );
212183 let reqTop = (0b0 @ reqBase ) + (0b0 @ reqLen );
213184 let saneTop = reqTop <= _u 0b1 @ 0x00000000 ;
214- let (b , t ) = getCapBoundsBits (c );
185+ let (b , l ) = getCapBoundsBits (c );
186+ let t = (0b0 @ b ) + l ;
215187 let (representable , newCap ) = setCapAddr (c , newAddr );
216188 let inCBounds = (b <= _u newAddr ) & ((0b0 @ newAddr ) <= _u t );
217189 (saneTop & inCBounds ) --> representable
@@ -226,7 +198,8 @@ function prop_repbounds(reqBase : CapAddrBits, reqLen : CapAddrBits, newAddr : C
226198 let (exact , c ) = setCapBounds (root_cap_mem , reqBase , reqLen );
227199 let reqTop = (0b0 @ reqBase ) + (0b0 @ reqLen );
228200 let saneTop = reqTop <= _u 0b1 @ 0x00000000 ;
229- let (b , t ) = getCapBoundsBits (c );
201+ let (b , l ) = getCapBoundsBits (c );
202+ let t = (0b0 @ b ) + l ;
230203 let (representable , newCap ) = setCapAddr (c , newAddr );
231204 let repTop = (0b0 @ b ) + ((to_bits (33 , 1 ) << unsigned (c . E )) << 9 );
232205 /* The representable bounds check: either E is max or address is in range */
@@ -266,4 +239,4 @@ function prop_crrl_cram_usage(reqLen : CapAddrBits) -> bool = {
266239 let mask = getRepresentableAlignmentMask (newLen );
267240 let mask2 = getRepresentableAlignmentMask (reqLen );
268241 ((reqLen == zeros ()) | (newLen != zeros ())) --> (mask == mask2 )
269- }
242+ }
0 commit comments