Add tutorial for Arm

This patch adds tutorial for Arm.

The examples are copied from my repository
(https://github.com/aqjune/hol-light-materials/). :)

Author: aqjune-aws

README.md

@@ -322,6 +322,8 @@ memory.
 
 To perform the formal proof for a particular function, you will need to install
 the latest version of [HOL Light](https://github.com/jrh13/hol-light/).
+The OPAM version might not work because it does not contain sufficiently recent
+libraries.
 To install HOL Light, please follow its
 [README](https://github.com/jrh13/hol-light/blob/master/README) instruction.
 After installation, set the `HOLDIR` environment variable to the path of

arm/Makefile

@@ -389,6 +389,12 @@ UNOPT_OBJ = p256/unopt/p256_montjadd.o \
 
 OBJ = $(POINT_OBJ) $(BIGNUM_OBJ)
 
+# Tutorial assembly files
+
+TUTORIAL_PROOFS = $(wildcard tutorial/*.ml)
+
+TUTORIAL_OBJ = $(TUTORIAL_PROOFS:.ml=.o) tutorial/rel_loop2.o tutorial/rel_simp2.o tutorial/rel_veceq2.o
+
 # According to
 # https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms,
 # x18 should not be used for Apple platforms. Check this using grep.
@@ -419,6 +425,8 @@ HOLLIGHT:=$(HOLDIR)/hol.sh
 
 PROOF_BINS = $(OBJ:.o=.native)
 PROOF_LOGS = $(OBJ:.o=.correct)
+TUTORIAL_PROOF_BINS = $(TUTORIAL_PROOFS:.ml=.native)
+TUTORIAL_PROOF_LOGS = $(TUTORIAL_PROOFS:.ml=.correct)
 
 # Build precompiled native binaries of HOL Light proofs
 
@@ -477,13 +485,24 @@ p521/p521_jscalarmul_alt.native: p521/bignum_mod_n521_9.native
 sm2/sm2_montjscalarmul.native: sm2/sm2_montjadd.native sm2/sm2_montjdouble.native
 sm2/sm2_montjscalarmul_alt.native: sm2/sm2_montjadd_alt.native sm2/sm2_montjdouble_alt.native
 
+# Tutorial
+
+.SECONDEXPANSION:
+tutorial/%.native: tutorial/%.ml tutorial/%.o ; ../tools/build-proof.sh "$<" "$(HOLLIGHT)" "$@"
+# Additional dependencies on .o files
+tutorial/rel_loop.native: tutorial/rel_loop2.o
+tutorial/rel_simp.native: tutorial/rel_simp2.o
+tutorial/rel_veceq.native: tutorial/rel_veceq2.o
+
 
 unopt: $(UNOPT_OBJ)
 
 build_proofs: $(UNOPT_OBJ) $(PROOF_BINS);
+build_tutorial: $(TUTORIAL_OBJ) $(TUTORIAL_PROOF_BINS);
 run_proofs: build_proofs $(PROOF_LOGS);
 
 proofs: run_proofs ; ../tools/count-proofs.sh .
+tutorial: build_tutorial $(TUTORIAL_PROOF_LOGS);
 
 # Always run sematest regardless of dependency check
 FORCE: ;

arm/tutorial/README.md

@@ -0,0 +1,19 @@
+# Tutorials for s2n-bignum
+
+This directory includes examples for verifying Arm programs using s2n-bignum
+and HOL Light.
+
+### Unary reasoning
+
+1. `simple.ml`: Verifying a simple arithmetic property of a linear program.
+2. `sequence.ml`: Verifying a program by splitting into smaller chunks.
+3. `branch.ml`: Verifying a program that has a conditional branch.
+4. `memory.ml`: Verifying a program that manipulates a memory.
+5. `loop.ml`: Verifying a program that has a simple loop.
+6. `bignum.ml`: Writing a specification of a program dealing with big numbers & proving it.
+
+### Relational reasoning
+
+1. `rel_simp.ml`: Proving equivalence of two simple programs.
+2. `rel_loop.ml`: Proving equivalence of two simple loops.
+3. `rel_veceq.ml`: Proving equivalence of scalar vs. vectorized 128x128->256-bit squaring.

arm/tutorial/bignum.S

@@ -0,0 +1,11 @@
+  ldp x2, x3, [x0]
+  ldp x4, x5, [x1]
+  cmp x2, x4
+  bne bb_false
+  cmp x3, x5
+  bne bb_false
+  mov x0, #1
+  ret
+bb_false:
+  mov x0, xzr
+  ret

arm/tutorial/bignum.ml

@@ -0,0 +1,158 @@
+(*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT-0
+ *)
+
+(******************************************************************************
+  An example that shows how to describe big numbers in a specification.
+******************************************************************************)
+
+needs "arm/proofs/base.ml";;
+
+(* Let's prove that the following program
+
+   0:   a9400c02        ldp     x2, x3, [x0]
+   4:   a9401424        ldp     x4, x5, [x1]
+   8:   eb04005f        cmp     x2, x4
+   c:   540000a1        b.ne    20 <bb_false>  // b.any
+  10:   eb05007f        cmp     x3, x5
+  14:   54000061        b.ne    20 <bb_false>  // b.any
+  18:   d2800020        mov     x0, #0x1
+  1c:   d65f03c0        ret
+
+0000000000000020 <bb_false>:
+  20:   aa1f03e0        mov     x0, xzr
+  24:   d65f03c0        ret
+
+  .. returns 1 to x0 if a pair of 16-byte integers at buffer x0 and x1
+  are equal, 0 otherwise.
+  Since this example uses 128 bit integers, we will use 'bignum_from_memory'
+  which will state that reading a memory buffer of a specified word number will
+  return some large natural number.
+*)
+let bignum_mc = define_assert_from_elf "bignum_mc" "arm/tutorial/bignum.o" [
+  0xa9400c02;       (* arm_LDP X2 X3 X0 (Immediate_Offset (iword (&0))) *)
+  0xa9401424;       (* arm_LDP X4 X5 X1 (Immediate_Offset (iword (&0))) *)
+  0xeb04005f;       (* arm_CMP X2 X4 *)
+  0x540000a1;       (* arm_BNE (word 20) *)
+  0xeb05007f;       (* arm_CMP X3 X5 *)
+  0x54000061;       (* arm_BNE (word 12) *)
+  0xd2800020;       (* arm_MOV X0 (rvalue (word 1)) *)
+  0xd65f03c0;       (* arm_RET X30 *)
+  0xaa1f03e0;       (* arm_MOV X0 XZR *)
+  0xd65f03c0        (* arm_RET X30 *)
+];;
+
+(*
+You can get the above OCaml list data structure from
+`print_literal_from_elf "<.o file>"` or
+`save_literal_from_elf "<out.txt>" "<.o file>"`.
+*)
+
+(* ARM_MK_EXEC_RULE decodes the byte sequence into conjunction of
+  equalities between the bytes and instructions. *)
+let EXEC = ARM_MK_EXEC_RULE bignum_mc;;
+
+let BIGNUM_SPEC = prove(
+  `forall pc retpc loc0 loc1 a b.
+  ensures arm
+    // Precondition
+    (\s. aligned_bytes_loaded s (word pc) bignum_mc /\
+         read PC s = word pc /\
+         read X30 s = word retpc /\
+         read X0 s = word loc0 /\
+         read X1 s = word loc1 /\
+         // Read 2 words (=128bits) at loc0. It is equivalent to num a.
+         // Alternatively, this kind of condition can be written using
+         // bignum_of_wordlist which takes a list of 64-bit words.
+         bignum_from_memory (word loc0,2) s = a /\
+         // Read 2 words (=128bits) at loc1. It is equivalent to num b.
+         bignum_from_memory (word loc1,2) s = b
+         )
+    // Postcondition
+    (\s. read PC s = word retpc /\
+         read X0 s = word (if a = b then 1 else 0))
+    // Registers (and memory locations) that may change after execution
+    (MAYCHANGE [PC;X0;X2;X3;X4;X5] ,, MAYCHANGE SOME_FLAGS)`,
+
+  REPEAT STRIP_TAC THEN
+  (* Convert 'bignum_from_memory' into 'memory :> bytes (..)'.
+     Also, expand SOME_FLAGS *)
+  REWRITE_TAC[BIGNUM_FROM_MEMORY_BYTES;SOME_FLAGS] THEN
+  (* Start symbolic execution with state 's0' *)
+  ENSURES_INIT_TAC "s0" THEN
+  (* Split the memory :> bytes .. into a pair of memory :> bytes64.
+     This is necessary to successfully encode the symbolic result of ldps. *)
+  BIGNUM_DIGITIZE_TAC "a_" `read (memory :> bytes (word loc0,8 * 2)) s0` THEN
+  BIGNUM_DIGITIZE_TAC "b_" `read (memory :> bytes (word loc1,8 * 2)) s0` THEN
+
+  (* Symbolically run two ldp instructions *)
+  ARM_STEPS_TAC EXEC (1--2) THEN
+  (* Until first 'bne' *)
+  ARM_STEPS_TAC EXEC (3--4) THEN
+
+  (* Recognize the if condition and create two subgoals . *)
+  FIRST_X_ASSUM MP_TAC THEN
+  COND_CASES_TAC THENL [
+    (* The low 64 bits of a and b are different. *)
+    STRIP_TAC THEN
+    ARM_STEPS_TAC EXEC (5--6) THEN
+    (* Returned; Finalize symbolic execution. *)
+    ENSURES_FINAL_STATE_TAC THEN ASM_REWRITE_TAC[] THEN
+    (* From `~(val (word_sub a_0 b_0) = 0)` and `val a_0 + 2 EXP 64 * val a_1 = a`,
+       and `val b_0 + 2 EXP 64 * val b_1 = b`,
+       prove `~(a = b)`. *)
+    SUBGOAL_THEN `~(a:num = b)` (fun th -> REWRITE_TAC[th]) THEN
+    MAP_EVERY EXPAND_TAC ["a";"b"] THEN
+    (* VAL_WORD_SUB_EQ_0: |- !x y. val (word_sub x y) = 0 <=> val x = val y) *)
+    RULE_ASSUM_TAC (REWRITE_RULE [VAL_WORD_SUB_EQ_0]) THEN
+    (* EQ_DIVMOD: |- !p m n. m DIV p = n DIV p /\ m MOD p = n MOD p <=> m = n *)
+    ONCE_REWRITE_TAC[SPEC `2 EXP 64` (GSYM EQ_DIVMOD)] THEN
+    (* The first '.. DIV .. = .. DIV ..' part is irelevant. *)
+    MATCH_MP_TAC (TAUT (`~Q ==> ~(P /\ Q)`)) THEN
+    (* Simplfy! *)
+    SIMP_TAC[MOD_MULT_ADD;VAL_BOUND_64;ARITH_RULE`~(2 EXP 64 = 0)`] THEN
+    ASM_SIMP_TAC[MOD_LT;VAL_BOUND_64];
+
+    ALL_TAC
+  ] THEN
+
+  (* The low 64 bits of a and b are equivalent. *)
+  (* Until the second 'bne' *)
+  STRIP_TAC THEN
+  ARM_STEPS_TAC EXEC (5--6) THEN
+
+  (* Recognize the if condition and create two subgoals . *)
+  FIRST_X_ASSUM MP_TAC THEN
+  COND_CASES_TAC THENL [
+    (* The high 64 bits of a and b are different. *)
+    STRIP_TAC THEN
+    ARM_STEPS_TAC EXEC (7--8) THEN
+    (* Returned; Finalize symbolic execution. *)
+    ENSURES_FINAL_STATE_TAC THEN ASM_REWRITE_TAC[] THEN
+    (* Proof pattern is similar to the first branch case *)
+    SUBGOAL_THEN `~(a:num = b)` (fun th -> REWRITE_TAC[th]) THEN
+    MAP_EVERY EXPAND_TAC ["a";"b"] THEN
+    (* VAL_WORD_SUB_EQ_0: |- !x y. val (word_sub x y) = 0 <=> val x = val y) *)
+    RULE_ASSUM_TAC (REWRITE_RULE [VAL_WORD_SUB_EQ_0]) THEN
+    (* EQ_DIVMOD: |- !p m n. m DIV p = n DIV p /\ m MOD p = n MOD p <=> m = n *)
+    ONCE_REWRITE_TAC[SPEC `2 EXP 64` (GSYM EQ_DIVMOD)] THEN
+    (* The second '.. MOD .. = .. MOD ..' part is irelevant. *)
+    MATCH_MP_TAC (TAUT (`~P ==> ~(P /\ Q)`)) THEN
+    (* Simplfy! *)
+    SIMP_TAC[DIV_MULT_ADD;VAL_BOUND_64;ARITH_RULE`~(2 EXP 64 = 0)`] THEN
+    ASM_SIMP_TAC[DIV_LT;VAL_BOUND_64;ADD_CLAUSES];
+
+    ALL_TAC
+  ] THEN
+
+  (* Both limbs are equivalent! *)
+  STRIP_TAC THEN
+  ARM_STEPS_TAC EXEC (7--8) THEN
+  (* Try to prove the postcondition and frame as much as possible *)
+  ENSURES_FINAL_STATE_TAC THEN
+  (* Use ASM_REWRITE_TAC[] to rewrite the goal using equalities in assumptions. *)
+  ASM_REWRITE_TAC[] THEN
+  SUBGOAL_THEN `(a:num = b)` (fun th -> REWRITE_TAC[th]) THEN
+  RULE_ASSUM_TAC (REWRITE_RULE [VAL_WORD_SUB_EQ_0]) THEN
+  ASM_ARITH_TAC);;

arm/tutorial/branch.S

@@ -0,0 +1,7 @@
+  cmp x1, x2
+  b.hi BB2
+  mov x0, x2
+  ret
+BB2:
+  mov x0, x1
+  ret

arm/tutorial/branch.ml

@@ -0,0 +1,117 @@
+(*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT-0
+ *)
+
+(******************************************************************************
+  Prove a property of a simple program that has a conditional branch.
+******************************************************************************)
+
+needs "arm/proofs/base.ml";;
+
+(* The following program
+  0:   eb02003f        cmp     x1, x2
+  4:   54000068        b.hi    10 <BB2>
+  8:   aa0203e0        mov     x0, x2
+  c:   d65f03c0        ret
+
+0000000000000010 <BB2>:
+  10:   aa0103e0        mov     x0, x1
+  14:   d65f03c0        ret
+
+  .. copies max(x1,x2) to x0 and returns to the caller.
+  Let's prove this property.
+*)
+
+let branch_mc = new_definition `branch_mc = [
+    word 0x3f; word 0x00; word 0x02; word 0xeb; // cmp     x1, x2
+    word 0x68; word 0x00; word 0x00; word 0x54; // b.hi    10 <BB2>
+
+    word 0xe0; word 0x03; word 0x02; word 0xaa; // mov     x0, x2
+    word 0xc0; word 0x03; word 0x5f; word 0xd6; // ret
+
+  // BB2:
+    word 0xe0; word 0x03; word 0x01; word 0xaa; // mov     x0, x1
+    word 0xc0; word 0x03; word 0x5f; word 0xd6  // ret
+  ]:((8)word)list`;;
+
+let EXEC = ARM_MK_EXEC_RULE branch_mc;;
+
+let branch_SPEC = prove(
+  `forall pc pcret a b.
+  ensures arm
+    // Precondition
+    (\s. aligned_bytes_loaded s (word pc) branch_mc /\
+         read X30 s = word pcret /\
+         read PC s = word pc /\
+         read X1 s = word a /\
+         read X2 s = word b)
+    // Postcondition
+    (\s. read PC s = word pcret /\
+         read X0 s = word_umax (word a) (word b))
+    // Registers (and memory locations) that may change after execution.
+    // ',,' is composition of relations.
+    (MAYCHANGE [PC;X0] ,, MAYCHANGE SOME_FLAGS)`,
+  (* Strips the outermost universal quantifier from the conclusion of a goal *)
+  REPEAT STRIP_TAC THEN
+  (* ENSURES_FINAL_STATE_TAC does not understand SOME_FLAGS in MAYCHANGE. Let's
+     unfold this in advance. *)
+  REWRITE_TAC [SOME_FLAGS] THEN
+
+  (* Let's do symbolic execution until it hits the branch instruction. *)
+  ENSURES_INIT_TAC "s0" THEN
+  ARM_STEPS_TAC EXEC (1--2) THEN
+
+  (* The PC has the following symbolic expression:
+    `read PC s2 =
+      (if val (word b) <= val (word a) /\
+          ~(val (word_sub (word a) (word b)) = 0)
+       then word (pc + 16)
+       else word (pc + 8))`
+    Let's do case analysis on the condition of this if expression.
+
+    First, move this assumption to the antecendent of the goal so the goal
+    becomes:
+      (read PC s2 = ...) ==> eventually arm ...
+  *)
+  FIRST_X_ASSUM MP_TAC THEN
+
+  (* Recognize the if condition and create two subgoals . *)
+  COND_CASES_TAC THENL [
+    (** Case 1: if the branch was taken! **)
+    (* Let's name the hypothesis first. *)
+    POP_ASSUM (LABEL_TAC "Hcond") THEN
+    DISCH_TAC THEN
+    
+    (* Do symbolic execution on the remaining two insts. *)
+    ARM_STEPS_TAC EXEC (3--4) THEN
+    ENSURES_FINAL_STATE_TAC THEN
+    ASM_REWRITE_TAC[] THEN
+
+    (* The remaining goal is `word a = word (MAX a b).` *)
+    REMOVE_THEN "Hcond" MP_TAC THEN
+    (* WORD_UMAX: `!x y. word_umax x y = (if val x <= val y then y else x)`
+       VAL_WORD_SUB_EQ_0: `!x y. val (word_sub x y) = 0 <=> val x = val y` *)
+    REWRITE_TAC[WORD_UMAX;VAL_WORD_SUB_EQ_0] THEN
+    (* Let ARITH_TAC deal with reasoning on relational equations. *)
+    ARITH_TAC;
+
+
+    (** Case 2: if the branch was not taken! **)
+    (* Let's name the hypothesis first. *)
+    POP_ASSUM (LABEL_TAC "Hcond") THEN
+    DISCH_TAC THEN
+
+    (* Do symbolic execution on the remaining two insts. *)
+    ARM_STEPS_TAC EXEC (3--4) THEN
+    ENSURES_FINAL_STATE_TAC THEN
+    ASM_REWRITE_TAC[] THEN
+
+    (* The remaining goal is `word b = word (MAX a b).` *)
+    REMOVE_THEN "Hcond" MP_TAC THEN
+    (* WORD_UMAX: `!x y. word_umax x y = (if val x <= val y then y else x)`
+       VAL_WORD_SUB_EQ_0: `!x y. val (word_sub x y) = 0 <=> val x = val y` *)
+    REWRITE_TAC[WORD_UMAX;VAL_WORD_SUB_EQ_0] THEN
+    (* Let ARITH_TAC deal with reasoning on relational equations. *)
+    ARITH_TAC;
+  ]);;

arm/tutorial/loop.S

@@ -0,0 +1,10 @@
+  mov x1, xzr
+  mov x0, xzr
+
+loop:
+  add x1, x1, #1
+  add x0, x0, #2
+  cmp x1, #10
+  bne loop
+
+  ret