rushby-noninterference/ArrayMachine.v

146 lines
4.7 KiB
Coq

(** Instantiation of the intransitive interference with an "array machine" *)
Require Import NI.Rushby.
From stdpp Require Import list relations gmap sets fin_sets.
Module ArrayMachine.
Definition state := nat -> nat.
Inductive command :=
| Write : nat -> nat -> command
| Read : nat -> command
.
Definition action := command.
Definition out := nat.
Definition extendS (s : state) (n : nat) (m : nat) : state :=
fun x => if beq_nat x n then m else s x.
Definition preform (s : state) (a : action) : state * out :=
match a with
| Write i j => (extendS s i j, 0)
| Read i => (s, s i)
end.
Definition step s a := fst (preform s a).
Definition output s a := snd (preform s a).
Definition initial (x : nat) := 0.
End ArrayMachine.
Import ArrayMachine.
Instance ArrayMealyMachine : Mealy state action out :=
{ initial := initial;
step := step;
output := output }.
Eval compute in (do_actions [Write 1 1] 2).
(** ===> 0 *)
Definition domain := action.
Definition nameA := nat.
Definition valA := nat.
Definition observeA (u : domain) : gset nameA :=
match u with
| Read i => {[ i ]}
| Write _ _ =>
end.
Definition alterA (u : domain) : gset valA :=
match u with
| Read _ =>
| Write i _ => {[ i ]}
end.
Instance domain_dec : EqDecision domain.
Proof. intros u v.
unfold Decision.
repeat (decide equality).
Defined.
Instance domain_countable : Countable domain.
refine (inj_countable' (λ x, match x with
| Write i1 i2 => (inl (i1, i2))
| Read i => (inr i)
end) (λ x, match x with
| inl (i1, i2) => Write i1 i2
| inr i => Read i
end) _); by intros [].
Defined.
Instance arraymachine_ss : StructuredState domain :=
{ name := nameA; value := valA; contents s n := s n
; observe := observeA; alter := alterA }.
Definition interference (u v : domain) :=
(exists (n : nameA), n alterA u n observeA v).
Inductive interferenceR : relation domain :=
| interference_refl : forall (u : domain), interferenceR u u
| interference_step : forall (u v: domain), interference u v -> interferenceR u v.
Instance: Set_ nameA (gset nameA).
apply _.
Qed.
Instance policy_ss : Policy domain :=
{ policy := interferenceR
; dom := fun (a : action) => (a : domain) }.
Proof.
- intros v w.
destruct v as [i j | i]; destruct w as [m n | m].
+ destruct (decide (i = m)). destruct (decide (j = n)); subst; auto.
left. constructor.
right. intro I. inversion I; subst. apply n0. auto.
inversion H. unfold observeA in *. destruct H0 as [HH HHH].
apply (not_elem_of_empty x HHH).
right. intro. inversion H; subst. apply n0. auto.
inversion H0. unfold alterA, observeA in *. destruct H1 as [HH HHH].
apply (not_elem_of_empty x HHH).
+ destruct (decide (i = m)); subst. left. right. unfold interference.
simpl. exists m. split; apply elem_of_singleton; auto.
right. intro. inversion H; subst. inversion H0. simpl in H1.
destruct H1. apply elem_of_singleton in H1; apply elem_of_singleton in H2. subst. apply n;auto.
+ right. intro. inversion H;subst. inversion H0; subst.
simpl in H1; inversion H1. eapply (not_elem_of_empty x); eassumption.
+ destruct (decide (i = m)); subst.
left. constructor.
right. intro. inversion H; subst. auto.
inversion H0; subst. simpl in H1; inversion H1.
eapply (not_elem_of_empty x); eassumption.
- intro u. constructor.
Defined.
Instance rma_yay : RefMonAssumptions.
Proof.
split; simpl; unfold RMA_partition.
- intros a s t Hst;
unfold contents in *; simpl in *.
unfold output.
unfold preform. destruct a as [i j | i]; simpl in *. reflexivity.
apply Hst. eapply elem_of_singleton. reflexivity.
- intros a s t n Hst Hn.
unfold step, preform. destruct a as [i j | i]. simpl in *.
destruct (decide (i = n)); subst; unfold extendS; simpl.
replace (beq_nat n n) with true; auto. apply beq_nat_refl.
destruct Hn as [Hn|Hn].
unfold step in Hn; simpl in Hn. unfold extendS in Hn; simpl in Hn.
replace (beq_nat n i) with false in *; auto.
congruence. symmetry. apply beq_nat_false_iff. omega.
unfold step in Hn; simpl in Hn. unfold extendS in Hn; simpl in Hn.
replace (beq_nat n i) with false in *; auto.
congruence. symmetry. apply beq_nat_false_iff. omega.
simpl. destruct Hn as [Hn|Hn]; unfold step, preform in Hn; simpl in Hn;
congruence.
- intros a s n Hst.
unfold step, preform in Hst; simpl in Hst. destruct a; simpl in *.
unfold extendS in Hst. destruct (decide (n = n0)); subst.
apply elem_of_singleton; auto. replace (beq_nat n n0) with false in *; try (congruence). symmetry. apply beq_nat_false_iff. assumption.
congruence.
Defined.
Theorem yay : isecurity.
Proof.
apply rma_secure_intransitive.
intros u v n A1 A2. simpl. right. firstorder.
Qed.