diff --git a/Makefile b/Makefile index c49a8b5a..46e82dfc 100644 --- a/Makefile +++ b/Makefile @@ -99,6 +99,7 @@ FILES = \ dist/SizeClass.c \ dist/SizeClassSelection.c \ dist/PtrdiffWrapper.c \ + dist/Constants.c \ c/utils.c \ c/fatal_error.c \ c/memory.c \ @@ -126,6 +127,10 @@ SHARED_FLAGS = \ -std=c17 -D_DEFAULT_SOURCE \ -shared -fPIC +# use HACL*'s zeroing function +SHARED_FLAGS += -I vendor/hacl-star +FILES += vendor/hacl-star/Lib_Memzero0.c + INCLUDE_FLAGS = \ -I $(KRML_HOME)/include \ -I $(KRML_LIB)/dist/minimal \ diff --git a/c/lib-alloc.c b/c/lib-alloc.c index 27867565..efc538b3 100644 --- a/c/lib-alloc.c +++ b/c/lib-alloc.c @@ -7,6 +7,7 @@ #include "internal/StarMalloc.h" #include "fatal_error.h" +// https://sourceware.org/glibc/manual/latest/html_node/Replacing-malloc.html __attribute__((tls_model("initial-exec"))) static _Thread_local unsigned thread_arena = CONFIG_NB_ARENAS; static atomic_uint thread_arena_counter = 0; diff --git a/c/memory.c b/c/memory.c index 0bb58081..7e1aab5e 100644 --- a/c/memory.c +++ b/c/memory.c @@ -5,17 +5,27 @@ #include "internal/StarMalloc.h" #include "fatal_error.h" +#include "Constants.h" /// Mman.fst // syscall wrapper: initialization (fatal error on failure) uint8_t *mmap_init(size_t size) { - void* ptr = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_NORESERVE, -1, 0); + size_t size2 = size + Constants_max_slab_size; + void* ptr = mmap(NULL, size2, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_NORESERVE, -1, 0); if (ptr == MAP_FAILED) { if (errno != ENOMEM) { fatal_error("non-ENOMEM mmap failure"); } - fatal_error ("mmap failed during initialization (returned NULL)"); + fatal_error("mmap failed during initialization (returned NULL)"); + } + uintptr_t addr = (uintptr_t) ptr; + if (addr % Constants_max_slab_size != 0) { + ptr += (size_t) (Constants_max_slab_size - addr % Constants_max_slab_size); + } + addr = (uintptr_t) ptr; + if (addr % Constants_max_slab_size != 0) { + fatal_error("mmap failed during initialization (misaligned)"); } return ptr; } @@ -115,10 +125,6 @@ void mmap_strict_untrap (uint8_t* ptr, size_t len) { // syscall wrapper void mmap_trap (uint8_t* ptr, size_t len) { - int r = madvise((void*) ptr, len, MADV_DONTNEED); - if (r && errno != ENOMEM) { - fatal_error("non-ENOMEM MADV_DONTNEED madvise failure"); - } return; } diff --git a/c/utils.c b/c/utils.c index c6030226..b2041dbc 100644 --- a/c/utils.c +++ b/c/utils.c @@ -2,6 +2,7 @@ #include #include "internal/StarMalloc.h" #include "fatal_error.h" +#include "lib_memzero0.h" // glue uint32_t ffs64(uint64_t x) { @@ -45,7 +46,7 @@ uint8_t* memcpy_u8(uint8_t* dest, uint8_t* src, size_t n) { // monomorphized (from void* to uint8_t*) glue // TODO: compat, use hacl-star libmemzero void apply_zeroing_u8(uint8_t* dest, size_t n) { - explicit_bzero(dest, n); + Lib_Memzero0_memzero0(dest, (size_t) n); return; } diff --git a/dist/Config.c b/dist/Config.c index af377f69..c9e1e71d 100644 --- a/dist/Config.c +++ b/dist/Config.c @@ -3,10 +3,10 @@ #include "Config.h" -bool Config_enable_sc_fast_selection = true; - size_t Config_metadata_max = (size_t)16777216U; +bool Config_enable_sc_fast_selection = true; + bool Config_enable_guard_pages = true; size_t Config_guard_pages_interval = (size_t)2U; diff --git a/dist/Config.h b/dist/Config.h index 5797bbc5..15e85f2a 100644 --- a/dist/Config.h +++ b/dist/Config.h @@ -6,14 +6,14 @@ #include "krmllib.h" -#define CONFIG_NB_SIZE_CLASSES ((size_t)27U) - -extern bool Config_enable_sc_fast_selection; - #define CONFIG_NB_ARENAS ((size_t)4U) extern size_t Config_metadata_max; +#define CONFIG_NB_SIZE_CLASSES ((size_t)47U) + +extern bool Config_enable_sc_fast_selection; + extern bool Config_enable_guard_pages; extern size_t Config_guard_pages_interval; diff --git a/dist/Constants.c b/dist/Constants.c index a657abdb..1f63e2a9 100644 --- a/dist/Constants.c +++ b/dist/Constants.c @@ -5,3 +5,5 @@ uint32_t Constants_page_size = 4096U; +uint32_t Constants_max_slab_size = 131072U; + diff --git a/dist/Constants.h b/dist/Constants.h index 003af537..aa19170c 100644 --- a/dist/Constants.h +++ b/dist/Constants.h @@ -8,6 +8,16 @@ extern uint32_t Constants_page_size; +extern uint32_t Constants_max_slab_size; + +typedef struct Constants_sc_full__s +{ + uint32_t sc; + uint32_t slab_size; + size_t md_max; +} +Constants_sc_full_; + #define Constants_H_DEFINED #endif /* Constants_H */ diff --git a/dist/SizeClass.c b/dist/SizeClass.c index d2736c1f..97b83399 100644 --- a/dist/SizeClass.c +++ b/dist/SizeClass.c @@ -3,6 +3,7 @@ #include "SizeClass.h" +#include "Constants.h" #include "ArrayList.h" #include "internal/Slabs.h" diff --git a/dist/SizeClass.h b/dist/SizeClass.h index 5327854f..47f39e81 100644 --- a/dist/SizeClass.h +++ b/dist/SizeClass.h @@ -6,11 +6,12 @@ #include "krmllib.h" +#include "Constants.h" #include "ArrayList.h" typedef struct SizeClass_size_class_struct__s { - uint32_t size; + Constants_sc_full_ size; size_t *slabs_idxs; size_t *md_count; uint8_t *slab_region; diff --git a/dist/SizeClassSelection.c b/dist/SizeClassSelection.c index 9b0e330b..d267e7c7 100644 --- a/dist/SizeClassSelection.c +++ b/dist/SizeClassSelection.c @@ -5,6 +5,10 @@ #include "ExternUtils.h" +krml_checked_int_t SizeClassSelection__n = (krml_checked_int_t)131072; + +krml_checked_int_t SizeClassSelection__k = (krml_checked_int_t)17; + uint32_t SizeClassSelection_log2u64(uint64_t x) { uint32_t r = clz(x); diff --git a/dist/SizeClassSelection.h b/dist/SizeClassSelection.h index bd4871a4..8f42a42c 100644 --- a/dist/SizeClassSelection.h +++ b/dist/SizeClassSelection.h @@ -6,6 +6,10 @@ #include "krmllib.h" +extern krml_checked_int_t SizeClassSelection__n; + +extern krml_checked_int_t SizeClassSelection__k; + uint32_t SizeClassSelection_log2u64(uint64_t x); uint32_t SizeClassSelection_inv_impl(uint32_t x); diff --git a/dist/Slabs.c b/dist/Slabs.c index 2c732fe6..ba4fae02 100644 --- a/dist/Slabs.c +++ b/dist/Slabs.c @@ -5,6 +5,7 @@ #include "Utils2.h" #include "MemoryTrap.h" +#include "Constants.h" #include "ArrayList.h" #include "internal/Slots.h" #include "internal/ArrayList.h" @@ -70,25 +71,26 @@ update_quarantine2( } } -static void update_quarantine3_aux(uint8_t *slab_region, tuple4 idxs) +static void update_quarantine3_aux(Constants_sc_full_ sc, uint8_t *slab_region, tuple4 idxs) { size_t idx = idxs.x; uint8_t *ptr = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t = idx * page_size_t; - mmap_untrap(ptr + shift_size_t, (size_t)4096U); + mmap_untrap(ptr + shift_size_t, (size_t)sc.slab_size); } -static void update_quarantine3(uint8_t *slab_region, size_t idx7, tuple4 idxs) +static void +update_quarantine3(Constants_sc_full_ sc, uint8_t *slab_region, size_t idx7, tuple4 idxs) { if (!(idx7 < (size_t)1024U)) - update_quarantine3_aux(slab_region, idxs); + update_quarantine3_aux(sc, slab_region, idxs); } bool SlabsFree_deallocate_slab( uint8_t *ptr, - uint32_t size_class, + Constants_sc_full_ sc, uint8_t *slab_region, uint64_t *md_bm_region, ArrayList_cell *md_region, @@ -104,8 +106,8 @@ SlabsFree_deallocate_slab( size_t idx5_ = r_idxs[4U]; size_t idx6_ = r_idxs[5U]; size_t idx7_ = r_idxs[6U]; - size_t pos = diff_ / (size_t)4096U; - size_t pos2 = diff_ % (size_t)4096U; + size_t pos = diff_ / (size_t)sc.slab_size; + size_t pos2 = diff_ % (size_t)sc.slab_size; if (pos < md_count_v_) { uint32_t status1 = ArrayList_read_in_place(md_region, pos); @@ -114,27 +116,22 @@ SlabsFree_deallocate_slab( uint64_t *ptr10 = md_bm_region; size_t shift_size_t0 = pos * (size_t)4U; uint8_t *ptr11 = slab_region; - size_t page_size_t0 = (size_t)4096U; + size_t page_size_t0 = (size_t)sc.slab_size; size_t shift_size_t1 = pos * page_size_t0; bool - b = - SlotsFree_deallocate_slot(size_class, - ptr10 + shift_size_t0, - ptr11 + shift_size_t1, - ptr, - pos2); + b = SlotsFree_deallocate_slot(sc, ptr10 + shift_size_t0, ptr11 + shift_size_t1, ptr, pos2); if (b) { uint64_t *ptr1 = md_bm_region; size_t shift_size_t = pos * (size_t)4U; - bool r1 = Utils2_is_empty_s(size_class, ptr1 + shift_size_t); + bool r1 = Utils2_is_empty_s(sc, ptr1 + shift_size_t); bool cond = r1; if (cond) { uint8_t *ptr1 = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t = pos * page_size_t; - mmap_trap(ptr1 + shift_size_t, (size_t)4096U); + mmap_trap(ptr1 + shift_size_t, (size_t)sc.slab_size); tuple4 idxs = update_quarantine2(md_region, idx1_, idx5_, idx6_, idx7_); size_t v = ArrayList_remove(md_region, idx3_, pos); size_t idx3_ = v; @@ -153,7 +150,7 @@ SlabsFree_deallocate_slab( tl_ = idxs.z; size_t sz_ = idxs.w + (size_t)1U; ArrayListGen_tuple2 idxs_ = { .x1 = tl_, .y1 = sz_ }; - update_quarantine3(slab_region, idx7_, idxs); + update_quarantine3(sc, slab_region, idx7_, idxs); r_idxs[0U] = idxs.x; r_idxs[2U] = idx3_; r_idxs[4U] = pos; @@ -179,27 +176,22 @@ SlabsFree_deallocate_slab( uint64_t *ptr10 = md_bm_region; size_t shift_size_t0 = pos * (size_t)4U; uint8_t *ptr11 = slab_region; - size_t page_size_t0 = (size_t)4096U; + size_t page_size_t0 = (size_t)sc.slab_size; size_t shift_size_t1 = pos * page_size_t0; bool - b = - SlotsFree_deallocate_slot(size_class, - ptr10 + shift_size_t0, - ptr11 + shift_size_t1, - ptr, - pos2); + b = SlotsFree_deallocate_slot(sc, ptr10 + shift_size_t0, ptr11 + shift_size_t1, ptr, pos2); if (b) { uint64_t *ptr1 = md_bm_region; size_t shift_size_t = pos * (size_t)4U; - bool r1 = Utils2_is_empty_s(size_class, ptr1 + shift_size_t); + bool r1 = Utils2_is_empty_s(sc, ptr1 + shift_size_t); bool cond = r1; if (cond) { uint8_t *ptr1 = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t = pos * page_size_t; - mmap_trap(ptr1 + shift_size_t, (size_t)4096U); + mmap_trap(ptr1 + shift_size_t, (size_t)sc.slab_size); tuple4 idxs = update_quarantine2(md_region, idx1_, idx5_, idx6_, idx7_); size_t v = ArrayList_remove(md_region, idx2_, pos); size_t idx2_ = v; @@ -218,7 +210,7 @@ SlabsFree_deallocate_slab( tl_ = idxs.z; size_t sz_ = idxs.w + (size_t)1U; ArrayListGen_tuple2 idxs_ = { .x1 = tl_, .y1 = sz_ }; - update_quarantine3(slab_region, idx7_, idxs); + update_quarantine3(sc, slab_region, idx7_, idxs); r_idxs[0U] = idxs.x; r_idxs[1U] = idx2_; r_idxs[4U] = pos; @@ -239,22 +231,25 @@ SlabsFree_deallocate_slab( return false; } -static void allocate_slab_aux_3_3_2_2(uint8_t *slab_region, size_t md_count_v) +static void +allocate_slab_aux_3_3_2_2(Constants_sc_full_ sc, uint8_t *slab_region, size_t md_count_v) { uint8_t *ptr = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t = (md_count_v + (size_t)1U) * page_size_t; - mmap_strict_trap(ptr + shift_size_t, (size_t)4096U); + mmap_strict_trap(ptr + shift_size_t, (size_t)sc.slab_size); } -static void allocate_slab_aux_3_3_2(uint8_t *slab_region, size_t md_count_v) +static void +allocate_slab_aux_3_3_2(Constants_sc_full_ sc, uint8_t *slab_region, size_t md_count_v) { - allocate_slab_aux_3_3_2_2(slab_region, md_count_v); + allocate_slab_aux_3_3_2_2(sc, slab_region, md_count_v); } -static void allocate_slab_aux_3_3(uint8_t *slab_region, size_t md_count_v) +static void +allocate_slab_aux_3_3(Constants_sc_full_ sc, uint8_t *slab_region, size_t md_count_v) { - allocate_slab_aux_3_3_2(slab_region, md_count_v); + allocate_slab_aux_3_3_2(sc, slab_region, md_count_v); } typedef struct bounded_tuple__s @@ -300,16 +295,18 @@ allocate_slab_aux_4_aux1( return ((bounded_tuple_){ .x = idx6, .y = idxs.x, .z = idxs.y, .w = idxs.z }); } -static void allocate_slab_aux_4_aux2(uint8_t *slab_region, bounded_tuple_ idxs) +static void +allocate_slab_aux_4_aux2(Constants_sc_full_ sc, uint8_t *slab_region, bounded_tuple_ idxs) { uint8_t *ptr = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t = idxs.x * page_size_t; - mmap_untrap(ptr + shift_size_t, (size_t)4096U); + mmap_untrap(ptr + shift_size_t, (size_t)sc.slab_size); } static bounded_tuple_ allocate_slab_aux_4( + Constants_sc_full_ sc, uint8_t *slab_region, ArrayList_cell *md_region, size_t *r_idxs, @@ -320,7 +317,7 @@ allocate_slab_aux_4( ) { bounded_tuple_ r = allocate_slab_aux_4_aux1(md_region, idx1, idx5, idx6, idx7); - allocate_slab_aux_4_aux2(slab_region, r); + allocate_slab_aux_4_aux2(sc, slab_region, r); r_idxs[0U] = r.x; r_idxs[4U] = r.y; r_idxs[5U] = r.z; @@ -330,7 +327,7 @@ allocate_slab_aux_4( uint8_t *SlabsAlloc_allocate_slab( - uint32_t size_class, + Constants_sc_full_ sc, uint8_t *slab_region, uint64_t *md_bm_region, ArrayList_cell *md_region, @@ -351,12 +348,12 @@ uint8_t uint64_t *ptr0 = md_bm_region; size_t shift_size_t0 = idx2_ * (size_t)4U; uint8_t *ptr1 = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t1 = idx2_ * page_size_t; - uint8_t *r = SlotsAlloc_allocate_slot(size_class, ptr0 + shift_size_t0, ptr1 + shift_size_t1); + uint8_t *r = SlotsAlloc_allocate_slot(sc, ptr0 + shift_size_t0, ptr1 + shift_size_t1); uint64_t *ptr = md_bm_region; size_t shift_size_t = idx2_ * (size_t)4U; - bool r1 = Utils2_is_full_s(size_class, ptr + shift_size_t); + bool r1 = Utils2_is_full_s(sc, ptr + shift_size_t); bool cond = r1; if (cond) { @@ -374,12 +371,12 @@ uint8_t uint64_t *ptr0 = md_bm_region; size_t shift_size_t0 = idx1_ * (size_t)4U; uint8_t *ptr1 = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t1 = idx1_ * page_size_t; - uint8_t *r = SlotsAlloc_allocate_slot(size_class, ptr0 + shift_size_t0, ptr1 + shift_size_t1); + uint8_t *r = SlotsAlloc_allocate_slot(sc, ptr0 + shift_size_t0, ptr1 + shift_size_t1); uint64_t *ptr = md_bm_region; size_t shift_size_t = idx1_ * (size_t)4U; - bool r1 = Utils2_is_full_s(size_class, ptr + shift_size_t); + bool r1 = Utils2_is_full_s(sc, ptr + shift_size_t); bool cond = r1; if (cond) { @@ -404,16 +401,16 @@ uint8_t if (b) { bounded_tuple_ - idxs = allocate_slab_aux_4(slab_region, md_region, r_idxs, idx1_, idx5_, idx6_, idx7_); + idxs = allocate_slab_aux_4(sc, slab_region, md_region, r_idxs, idx1_, idx5_, idx6_, idx7_); uint64_t *ptr0 = md_bm_region; size_t shift_size_t0 = idxs.x * (size_t)4U; uint8_t *ptr1 = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t1 = idxs.x * page_size_t; - uint8_t *r = SlotsAlloc_allocate_slot(size_class, ptr0 + shift_size_t0, ptr1 + shift_size_t1); + uint8_t *r = SlotsAlloc_allocate_slot(sc, ptr0 + shift_size_t0, ptr1 + shift_size_t1); uint64_t *ptr = md_bm_region; size_t shift_size_t = idxs.x * (size_t)4U; - bool r1 = Utils2_is_full_s(size_class, ptr + shift_size_t); + bool r1 = Utils2_is_full_s(sc, ptr + shift_size_t); bool cond = r1; if (cond) { @@ -435,7 +432,7 @@ uint8_t else { size_t md_count_v_0 = *md_count; - bool b1 = md_count_v_0 + (size_t)2U <= (size_t)16777216U; + bool b1 = md_count_v_0 + (size_t)2U <= sc.md_max; if (b1) { ArrayList_insert(md_region, idx1_, md_count_v_, 0U); @@ -451,7 +448,7 @@ uint8_t md_count_v_, 0U); ArrayList_insert(md_region, idx4_, md_count_v_ + (size_t)2U - (size_t)1U, 3U); - allocate_slab_aux_3_3(slab_region, md_count_v_); + allocate_slab_aux_3_3(sc, slab_region, md_count_v_); size_t v = *md_count; *md_count = v + (size_t)2U; r_idxs[0U] = v + (size_t)2U - (size_t)2U; @@ -459,13 +456,12 @@ uint8_t uint64_t *ptr0 = md_bm_region; size_t shift_size_t0 = (md_count_v_ + (size_t)2U - (size_t)2U) * (size_t)4U; uint8_t *ptr1 = slab_region; - size_t page_size_t = (size_t)4096U; + size_t page_size_t = (size_t)sc.slab_size; size_t shift_size_t1 = (md_count_v_ + (size_t)2U - (size_t)2U) * page_size_t; - uint8_t - *r = SlotsAlloc_allocate_slot(size_class, ptr0 + shift_size_t0, ptr1 + shift_size_t1); + uint8_t *r = SlotsAlloc_allocate_slot(sc, ptr0 + shift_size_t0, ptr1 + shift_size_t1); uint64_t *ptr = md_bm_region; size_t shift_size_t = (md_count_v_ + (size_t)2U - (size_t)2U) * (size_t)4U; - bool r1 = Utils2_is_full_s(size_class, ptr + shift_size_t); + bool r1 = Utils2_is_full_s(sc, ptr + shift_size_t); bool cond = r1; if (cond) { diff --git a/dist/Slots.c b/dist/Slots.c index 1e45ad9e..c1d5a078 100644 --- a/dist/Slots.c +++ b/dist/Slots.c @@ -5,23 +5,25 @@ #include "Utils2.h" #include "ExternUtils.h" +#include "Constants.h" #include "Bitmap5.h" -static uint8_t *slot_array(uint32_t size_class, uint8_t *arr, uint32_t pos) +static uint8_t *slot_array(Constants_sc_full_ size_class, uint8_t *arr, uint32_t pos) { uint8_t *ptr = arr; - uint32_t shift = pos * size_class; + uint32_t shift = pos * size_class.sc; size_t shift_size_t = (size_t)shift; return ptr + shift_size_t; } -static uint8_t *get_slot_as_returned_value(uint32_t size_class, uint8_t *arr, uint32_t pos) +static uint8_t +*get_slot_as_returned_value(Constants_sc_full_ size_class, uint8_t *arr, uint32_t pos) { uint8_t *r = slot_array(size_class, arr, pos); return r; } -static uint32_t get_free_slot(uint32_t size_class, uint64_t *bitmap) +static uint32_t get_free_slot(Constants_sc_full_ size_class, uint64_t *bitmap) { uint32_t nb_slots_v = Utils2_nb_slots(size_class); uint32_t bound = nb_slots_v / 64U; @@ -73,7 +75,7 @@ static uint32_t get_free_slot(uint32_t size_class, uint64_t *bitmap) } } -uint8_t *SlotsAlloc_allocate_slot(uint32_t size_class, uint64_t *md, uint8_t *arr) +uint8_t *SlotsAlloc_allocate_slot(Constants_sc_full_ size_class, uint64_t *md, uint8_t *arr) { uint32_t pos = get_free_slot(size_class, md); Bitmap5_bm_set(md, pos); @@ -82,23 +84,24 @@ uint8_t *SlotsAlloc_allocate_slot(uint32_t size_class, uint64_t *md, uint8_t *ar return r0; } -static bool deallocate_slot_aux0(uint32_t size_class, uint32_t diff) +static bool deallocate_slot_aux0(Constants_sc_full_ size_class, uint32_t diff) { size_t diff_sz = (size_t)diff; return diff_sz < Utils2_rounding(size_class); } -static uint32_t deallocate_slot_aux1(uint32_t size_class, uint32_t diff) +static uint32_t deallocate_slot_aux1(Constants_sc_full_ size_class, uint32_t diff) { - return diff / size_class; + return diff / size_class.sc; } -static void deallocate_zeroing(uint32_t size_class, uint8_t *ptr) +static void deallocate_zeroing(Constants_sc_full_ size_class, uint8_t *ptr) { - apply_zeroing_u8(ptr, (size_t)size_class); + apply_zeroing_u8(ptr, (size_t)size_class.sc); } -static bool deallocate_slot_(uint32_t size_class, uint64_t *md, uint8_t *ptr, size_t diff_) +static bool +deallocate_slot_(Constants_sc_full_ size_class, uint64_t *md, uint8_t *ptr, size_t diff_) { uint32_t diff_u32 = (uint32_t)diff_; bool b = deallocate_slot_aux0(size_class, diff_u32); @@ -126,7 +129,7 @@ static bool fst__bool___(bool x) bool SlotsFree_deallocate_slot( - uint32_t size_class, + Constants_sc_full_ size_class, uint64_t *md, uint8_t *arr, uint8_t *ptr, diff --git a/dist/StarMalloc.c b/dist/StarMalloc.c index e14b4f0e..50e517e1 100644 --- a/dist/StarMalloc.c +++ b/dist/StarMalloc.c @@ -9,9 +9,10 @@ #include "PtrdiffWrapper.h" #include "Mman.h" #include "ExternUtils.h" +#include "Constants.h" #include "ArrayList.h" -static uint32_t avl_data_size = 64U; +uint32_t Impl_Trees_Cast_M_avl_data_size = 64U; extern int64_t Impl_Trees_Cast_M_cmp(Impl_Trees_Cast_M_data uu___, Impl_Trees_Cast_M_data x0); @@ -30,7 +31,7 @@ static void init_idxs(size_t *r_idxs) r_idxs[6U] = (size_t)0U; } -static size_t slab_region_size = (size_t)7421703487488U; +static size_t full_slab_region_size = (size_t)12919261626368U; static void init_size_class( @@ -39,10 +40,10 @@ init_size_class( uint64_t *md_bm_region, ArrayList_cell *md_region, size_class *size_classes, - const uint32_t *sizes + const Constants_sc_full_ *sizes ) { - uint32_t size = sizes[k]; + Constants_sc_full_ size = sizes[k]; static_assert(UINT32_MAX <= SIZE_MAX); uint8_t *slab_region_ = slab_region + (size_t)16777216U * (size_t)4096U * k; uint64_t *md_bm_region_ = md_bm_region + (size_t)67108864U * k; @@ -62,6 +63,8 @@ init_size_class( size_classes[k].data = data; } +Constants_sc_full_ Impl_Trees_Types_sc_avl; + void Impl_Trees_Types_init_mmap_md_slabs(Impl_Trees_Types_mmap_md_slabs *ret) { size_t slab_region_size = (size_t)16777216U * (size_t)4096U; @@ -77,8 +80,8 @@ void Impl_Trees_Types_init_mmap_md_slabs(Impl_Trees_Types_mmap_md_slabs *ret) SizeClass_size_class_struct_ scs = { - .size = avl_data_size, .slabs_idxs = r_idxs, .md_count = md_count, .slab_region = slab_region, - .md_bm_region = md_bm_region, .md_region = md_region + .size = Impl_Trees_Types_sc_avl, .slabs_idxs = r_idxs, .md_count = md_count, + .slab_region = slab_region, .md_bm_region = md_bm_region, .md_region = md_region }; SizeClass_size_class_struct_ scs0 = scs; Steel_SpinLock_new_lock(&ret->lock); @@ -1274,25 +1277,205 @@ static size_t large_getsize(uint8_t *ptr) } static const -uint32_t -sizes[108U] = - { - 16U, 32U, 64U, 80U, 96U, 112U, 128U, 160U, 192U, 224U, 256U, 320U, 384U, 448U, 512U, 640U, 768U, - 896U, 1024U, 1280U, 1536U, 1792U, 2048U, 2560U, 3072U, 3584U, 4096U, 16U, 32U, 64U, 80U, 96U, - 112U, 128U, 160U, 192U, 224U, 256U, 320U, 384U, 448U, 512U, 640U, 768U, 896U, 1024U, 1280U, - 1536U, 1792U, 2048U, 2560U, 3072U, 3584U, 4096U, 16U, 32U, 64U, 80U, 96U, 112U, 128U, 160U, - 192U, 224U, 256U, 320U, 384U, 448U, 512U, 640U, 768U, 896U, 1024U, 1280U, 1536U, 1792U, 2048U, - 2560U, 3072U, 3584U, 4096U, 16U, 32U, 64U, 80U, 96U, 112U, 128U, 160U, 192U, 224U, 256U, 320U, - 384U, 448U, 512U, 640U, 768U, 896U, 1024U, 1280U, 1536U, 1792U, 2048U, 2560U, 3072U, 3584U, - 4096U +Constants_sc_full_ +sizes[188U] = + { + { .sc = 16U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 32U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 64U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 80U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 96U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 112U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 128U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 160U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 192U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 224U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 256U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 320U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 384U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 448U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 512U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 640U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 768U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 896U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1024U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1280U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1536U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1792U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2048U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2560U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3072U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3584U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 4096U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 5120U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 6144U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 7168U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 8192U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 10240U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 12288U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 14336U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 16384U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 20480U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 24576U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 28672U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 32768U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 40960U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 49152U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 57344U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 65536U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 81920U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 98304U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 114688U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 131072U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 16U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 32U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 64U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 80U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 96U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 112U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 128U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 160U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 192U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 224U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 256U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 320U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 384U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 448U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 512U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 640U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 768U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 896U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1024U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1280U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1536U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1792U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2048U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2560U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3072U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3584U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 4096U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 5120U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 6144U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 7168U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 8192U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 10240U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 12288U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 14336U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 16384U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 20480U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 24576U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 28672U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 32768U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 40960U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 49152U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 57344U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 65536U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 81920U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 98304U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 114688U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 131072U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 16U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 32U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 64U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 80U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 96U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 112U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 128U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 160U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 192U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 224U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 256U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 320U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 384U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 448U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 512U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 640U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 768U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 896U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1024U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1280U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1536U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1792U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2048U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2560U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3072U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3584U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 4096U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 5120U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 6144U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 7168U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 8192U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 10240U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 12288U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 14336U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 16384U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 20480U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 24576U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 28672U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 32768U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 40960U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 49152U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 57344U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 65536U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 81920U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 98304U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 114688U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 131072U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 16U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 32U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 64U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 80U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 96U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 112U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 128U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 160U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 192U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 224U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 256U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 320U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 384U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 448U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 512U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 640U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 768U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 896U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1024U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1280U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1536U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 1792U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2048U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 2560U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3072U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 3584U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 4096U, .slab_size = 4096U, .md_max = (size_t)16777216U }, + { .sc = 5120U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 6144U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 7168U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 8192U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 10240U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 12288U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 14336U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 16384U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 20480U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 24576U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 28672U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 32768U, .slab_size = 32768U, .md_max = (size_t)2097152U }, + { .sc = 40960U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 49152U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 57344U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 65536U, .slab_size = 65536U, .md_max = (size_t)1048576U }, + { .sc = 81920U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 98304U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 114688U, .slab_size = 131072U, .md_max = (size_t)524288U }, + { .sc = 131072U, .slab_size = 131072U, .md_max = (size_t)524288U } }; Main_Meta_size_classes_all Main_Meta_init(void) { - uint8_t *slab_region = mmap_u8_init((size_t)16777216U * (size_t)4096U * (size_t)108U); - uint64_t *md_bm_region = mmap_u64_init((size_t)7247757312U); - ArrayList_cell *md_region = mmap_cell_status_init((size_t)1811939328U); - size_class *size_classes = mmap_sc_init((size_t)108U); + uint8_t *slab_region = mmap_u8_init((size_t)16777216U * (size_t)4096U * (size_t)188U); + uint64_t *md_bm_region = mmap_u64_init((size_t)12616466432U); + ArrayList_cell *md_region = mmap_cell_status_init((size_t)3154116608U); + size_class *size_classes = mmap_sc_init((size_t)188U); init_size_class((size_t)0U, slab_region, md_bm_region, md_region, size_classes, sizes); init_size_class((size_t)1U, slab_region, md_bm_region, md_region, size_classes, sizes); init_size_class((size_t)2U, slab_region, md_bm_region, md_region, size_classes, sizes); @@ -1401,6 +1584,86 @@ Main_Meta_size_classes_all Main_Meta_init(void) init_size_class((size_t)105U, slab_region, md_bm_region, md_region, size_classes, sizes); init_size_class((size_t)106U, slab_region, md_bm_region, md_region, size_classes, sizes); init_size_class((size_t)107U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)108U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)109U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)110U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)111U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)112U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)113U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)114U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)115U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)116U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)117U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)118U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)119U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)120U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)121U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)122U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)123U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)124U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)125U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)126U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)127U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)128U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)129U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)130U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)131U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)132U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)133U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)134U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)135U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)136U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)137U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)138U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)139U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)140U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)141U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)142U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)143U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)144U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)145U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)146U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)147U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)148U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)149U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)150U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)151U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)152U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)153U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)154U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)155U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)156U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)157U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)158U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)159U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)160U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)161U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)162U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)163U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)164U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)165U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)166U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)167U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)168U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)169U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)170U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)171U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)172U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)173U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)174U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)175U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)176U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)177U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)178U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)179U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)180U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)181U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)182U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)183U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)184U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)185U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)186U, slab_region, md_bm_region, md_region, size_classes, sizes); + init_size_class((size_t)187U, slab_region, md_bm_region, md_region, size_classes, sizes); return ((Main_Meta_size_classes_all){ .size_classes = size_classes, .slab_region = slab_region }); } @@ -1417,703 +1680,1703 @@ static uint8_t *slab_malloc(size_t arena_id, uint32_t bytes) { uint32_t r0 = SizeClassSelection_inv_impl(bytes + 2U); size_t i = (size_t)r0; - uint32_t size = sizes[arena_id * (size_t)27U + i]; - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + i].lock); + Constants_sc_full_ size = sizes[arena_id * (size_t)47U + i]; + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + i].lock); uint8_t - *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + i].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + i].lock); + *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + i].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + i].lock); uint8_t *ptr = r; uint8_t *ptr0 = ptr; if (!(ptr0 == NULL)) { - ptr0[(size_t)(size - 2U)] = 42U; - ptr0[(size_t)(size - 1U)] = 23U; + ptr0[(size_t)(size.sc - 2U)] = 42U; + ptr0[(size_t)(size.sc - 1U)] = 23U; } return ptr0; } static uint8_t *slab_aligned_alloc(size_t arena_id, uint32_t alignment, uint32_t bytes) { - uint32_t size = sizes[arena_id * (size_t)27U + (size_t)0U]; - bool b = 4096U % size == 0U; - if (b && bytes <= size - 2U && alignment <= size) + Constants_sc_full_ size = sizes[arena_id * (size_t)47U + (size_t)0U]; + bool b = size.slab_size % size.sc == 0U; + if (b && bytes <= size.sc - 2U && alignment <= size.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)0U].lock); + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)0U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)0U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)0U].lock); + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)0U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)0U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size - 2U)] = 42U; - ptr0[(size_t)(size - 1U)] = 23U; + r0[(size_t)(size.sc - 2U)] = 42U; + r0[(size_t)(size.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size1 = sizes[arena_id * (size_t)27U + (size_t)1U]; - bool b1 = 4096U % size1 == 0U; - if (b1 && bytes <= size1 - 2U && alignment <= size1) + Constants_sc_full_ size1 = sizes[arena_id * (size_t)47U + (size_t)1U]; + bool b1 = size1.slab_size % size1.sc == 0U; + if (b1 && bytes <= size1.sc - 2U && alignment <= size1.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)1U].lock); + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)1U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)1U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)1U].lock); + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)1U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)1U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size1 - 2U)] = 42U; - ptr0[(size_t)(size1 - 1U)] = 23U; + r0[(size_t)(size1.sc - 2U)] = 42U; + r0[(size_t)(size1.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size2 = sizes[arena_id * (size_t)27U + (size_t)2U]; - bool b2 = 4096U % size2 == 0U; - if (b2 && bytes <= size2 - 2U && alignment <= size2) + Constants_sc_full_ size2 = sizes[arena_id * (size_t)47U + (size_t)2U]; + bool b2 = size2.slab_size % size2.sc == 0U; + if (b2 && bytes <= size2.sc - 2U && alignment <= size2.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)2U].lock); + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)2U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)2U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)2U].lock); + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)2U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)2U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size2 - 2U)] = 42U; - ptr0[(size_t)(size2 - 1U)] = 23U; + r0[(size_t)(size2.sc - 2U)] = 42U; + r0[(size_t)(size2.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size3 = sizes[arena_id * (size_t)27U + (size_t)3U]; - bool b3 = 4096U % size3 == 0U; - if (b3 && bytes <= size3 - 2U && alignment <= size3) + Constants_sc_full_ size3 = sizes[arena_id * (size_t)47U + (size_t)3U]; + bool b3 = size3.slab_size % size3.sc == 0U; + if (b3 && bytes <= size3.sc - 2U && alignment <= size3.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)3U].lock); + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)3U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)3U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)3U].lock); + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)3U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)3U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size3 - 2U)] = 42U; - ptr0[(size_t)(size3 - 1U)] = 23U; + r0[(size_t)(size3.sc - 2U)] = 42U; + r0[(size_t)(size3.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size4 = sizes[arena_id * (size_t)27U + (size_t)4U]; - bool b4 = 4096U % size4 == 0U; - if (b4 && bytes <= size4 - 2U && alignment <= size4) + Constants_sc_full_ size4 = sizes[arena_id * (size_t)47U + (size_t)4U]; + bool b4 = size4.slab_size % size4.sc == 0U; + if (b4 && bytes <= size4.sc - 2U && alignment <= size4.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)4U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + (size_t)4U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)4U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)4U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size4 - 2U)] = 42U; - ptr0[(size_t)(size4 - 1U)] = 23U; + r0[(size_t)(size4.sc - 2U)] = 42U; + r0[(size_t)(size4.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size5 = sizes[arena_id * (size_t)27U + (size_t)5U]; - bool b5 = 4096U % size5 == 0U; - if (b5 && bytes <= size5 - 2U && alignment <= size5) + Constants_sc_full_ size5 = sizes[arena_id * (size_t)47U + (size_t)5U]; + bool b5 = size5.slab_size % size5.sc == 0U; + if (b5 && bytes <= size5.sc - 2U && alignment <= size5.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)5U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)5U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)5U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size5 - 2U)] = 42U; - ptr0[(size_t)(size5 - 1U)] = 23U; + r0[(size_t)(size5.sc - 2U)] = 42U; + r0[(size_t)(size5.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size6 = sizes[arena_id * (size_t)27U + (size_t)6U]; - bool b6 = 4096U % size6 == 0U; - if (b6 && bytes <= size6 - 2U && alignment <= size6) + Constants_sc_full_ size6 = sizes[arena_id * (size_t)47U + (size_t)6U]; + bool b6 = size6.slab_size % size6.sc == 0U; + if (b6 && bytes <= size6.sc - 2U && alignment <= size6.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)6U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)6U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)6U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size6 - 2U)] = 42U; - ptr0[(size_t)(size6 - 1U)] = 23U; + r0[(size_t)(size6.sc - 2U)] = 42U; + r0[(size_t)(size6.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size7 = sizes[arena_id * (size_t)27U + (size_t)7U]; - bool b7 = 4096U % size7 == 0U; - if (b7 && bytes <= size7 - 2U && alignment <= size7) + Constants_sc_full_ size7 = sizes[arena_id * (size_t)47U + (size_t)7U]; + bool b7 = size7.slab_size % size7.sc == 0U; + if (b7 && bytes <= size7.sc - 2U && alignment <= size7.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)7U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)7U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)7U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size7 - 2U)] = 42U; - ptr0[(size_t)(size7 - 1U)] = 23U; + r0[(size_t)(size7.sc - 2U)] = 42U; + r0[(size_t)(size7.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size8 = sizes[arena_id * (size_t)27U + (size_t)8U]; - bool b8 = 4096U % size8 == 0U; - if (b8 && bytes <= size8 - 2U && alignment <= size8) + Constants_sc_full_ size8 = sizes[arena_id * (size_t)47U + (size_t)8U]; + bool b8 = size8.slab_size % size8.sc == 0U; + if (b8 && bytes <= size8.sc - 2U && alignment <= size8.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)8U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)8U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)8U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size8 - 2U)] = 42U; - ptr0[(size_t)(size8 - 1U)] = 23U; + r0[(size_t)(size8.sc - 2U)] = 42U; + r0[(size_t)(size8.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size9 = sizes[arena_id * (size_t)27U + (size_t)9U]; - bool b9 = 4096U % size9 == 0U; - if (b9 && bytes <= size9 - 2U && alignment <= size9) + Constants_sc_full_ size9 = sizes[arena_id * (size_t)47U + (size_t)9U]; + bool b9 = size9.slab_size % size9.sc == 0U; + if (b9 && bytes <= size9.sc - 2U && alignment <= size9.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)9U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)9U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)9U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size9 - 2U)] = 42U; - ptr0[(size_t)(size9 - 1U)] = 23U; + r0[(size_t)(size9.sc - 2U)] = 42U; + r0[(size_t)(size9.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size10 = sizes[arena_id * (size_t)27U + (size_t)10U]; - bool b10 = 4096U % size10 == 0U; - if (b10 && bytes <= size10 - 2U && alignment <= size10) + Constants_sc_full_ size10 = sizes[arena_id * (size_t)47U + (size_t)10U]; + bool b10 = size10.slab_size % size10.sc == 0U; + if (b10 && bytes <= size10.sc - 2U && alignment <= size10.sc) { - Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)10U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)10U].data); - Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)10U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size10 - 2U)] = 42U; - ptr0[(size_t)(size10 - 1U)] = 23U; + r0[(size_t)(size10.sc - 2U)] = 42U; + r0[(size_t)(size10.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size11 = sizes[arena_id * (size_t)27U + (size_t)11U]; - bool b11 = 4096U % size11 == 0U; - if (b11 && bytes <= size11 - 2U && alignment <= size11) + Constants_sc_full_ size11 = sizes[arena_id * (size_t)47U + (size_t)11U]; + bool b11 = size11.slab_size % size11.sc == 0U; + if (b11 && bytes <= size11.sc - 2U && alignment <= size11.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)11U].lock); uint8_t *r = - allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)27U + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * (size_t)47U + (size_t)11U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)11U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size11 - 2U)] = 42U; - ptr0[(size_t)(size11 - 1U)] = 23U; + r0[(size_t)(size11.sc - 2U)] = 42U; + r0[(size_t)(size11.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size12 = sizes[arena_id * (size_t)27U + (size_t)12U]; - bool b12 = 4096U % size12 == 0U; - if (b12 && bytes <= size12 - 2U && alignment <= size12) + Constants_sc_full_ size12 = sizes[arena_id * (size_t)47U + (size_t)12U]; + bool b12 = size12.slab_size % size12.sc == 0U; + if (b12 && bytes <= size12.sc - 2U && alignment <= size12.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)12U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)12U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)12U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size12 - 2U)] = 42U; - ptr0[(size_t)(size12 - 1U)] = 23U; + r0[(size_t)(size12.sc - 2U)] = 42U; + r0[(size_t)(size12.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size13 = sizes[arena_id * (size_t)27U + (size_t)13U]; - bool b13 = 4096U % size13 == 0U; - if (b13 && bytes <= size13 - 2U && alignment <= size13) + Constants_sc_full_ size13 = sizes[arena_id * (size_t)47U + (size_t)13U]; + bool b13 = size13.slab_size % size13.sc == 0U; + if (b13 && bytes <= size13.sc - 2U && alignment <= size13.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)13U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)13U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)13U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size13 - 2U)] = 42U; - ptr0[(size_t)(size13 - 1U)] = 23U; + r0[(size_t)(size13.sc - 2U)] = 42U; + r0[(size_t)(size13.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size14 = sizes[arena_id * (size_t)27U + (size_t)14U]; - bool b14 = 4096U % size14 == 0U; - if (b14 && bytes <= size14 - 2U && alignment <= size14) + Constants_sc_full_ + size14 = sizes[arena_id * (size_t)47U + (size_t)14U]; + bool b14 = size14.slab_size % size14.sc == 0U; + if (b14 && bytes <= size14.sc - 2U && alignment <= size14.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)14U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)14U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)14U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size14 - 2U)] = 42U; - ptr0[(size_t)(size14 - 1U)] = 23U; + r0[(size_t)(size14.sc - 2U)] = 42U; + r0[(size_t)(size14.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size15 = sizes[arena_id * (size_t)27U + (size_t)15U]; - bool b15 = 4096U % size15 == 0U; - if (b15 && bytes <= size15 - 2U && alignment <= size15) + Constants_sc_full_ + size15 = sizes[arena_id * (size_t)47U + (size_t)15U]; + bool b15 = size15.slab_size % size15.sc == 0U; + if (b15 && bytes <= size15.sc - 2U && alignment <= size15.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)15U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)15U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)15U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size15 - 2U)] = 42U; - ptr0[(size_t)(size15 - 1U)] = 23U; + r0[(size_t)(size15.sc - 2U)] = 42U; + r0[(size_t)(size15.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size16 = sizes[arena_id * (size_t)27U + (size_t)16U]; - bool b16 = 4096U % size16 == 0U; - if (b16 && bytes <= size16 - 2U && alignment <= size16) + Constants_sc_full_ + size16 = sizes[arena_id * (size_t)47U + (size_t)16U]; + bool b16 = size16.slab_size % size16.sc == 0U; + if (b16 && bytes <= size16.sc - 2U && alignment <= size16.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)16U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)16U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)16U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size16 - 2U)] = 42U; - ptr0[(size_t)(size16 - 1U)] = 23U; + r0[(size_t)(size16.sc - 2U)] = 42U; + r0[(size_t)(size16.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size17 = sizes[arena_id * (size_t)27U + (size_t)17U]; - bool b17 = 4096U % size17 == 0U; - if (b17 && bytes <= size17 - 2U && alignment <= size17) + Constants_sc_full_ + size17 = sizes[arena_id * (size_t)47U + (size_t)17U]; + bool b17 = size17.slab_size % size17.sc == 0U; + if (b17 && bytes <= size17.sc - 2U && alignment <= size17.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)17U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id * - (size_t)27U + (size_t)47U + (size_t)17U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)17U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size17 - 2U)] = 42U; - ptr0[(size_t)(size17 - 1U)] = 23U; + r0[(size_t)(size17.sc - 2U)] = 42U; + r0[(size_t)(size17.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t size18 = sizes[arena_id * (size_t)27U + (size_t)18U]; - bool b18 = 4096U % size18 == 0U; - if (b18 && bytes <= size18 - 2U && alignment <= size18) + Constants_sc_full_ + size18 = sizes[arena_id * (size_t)47U + (size_t)18U]; + bool b18 = size18.slab_size % size18.sc == 0U; + if (b18 && bytes <= size18.sc - 2U && alignment <= size18.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)18U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)18U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)18U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size18 - 2U)] = 42U; - ptr0[(size_t)(size18 - 1U)] = 23U; + r0[(size_t)(size18.sc - 2U)] = 42U; + r0[(size_t)(size18.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t - size19 = sizes[arena_id * (size_t)27U + (size_t)19U]; - bool b19 = 4096U % size19 == 0U; - if (b19 && bytes <= size19 - 2U && alignment <= size19) + Constants_sc_full_ + size19 = sizes[arena_id * (size_t)47U + (size_t)19U]; + bool b19 = size19.slab_size % size19.sc == 0U; + if + (b19 && bytes <= size19.sc - 2U && alignment <= size19.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)19U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)19U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)19U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size19 - 2U)] = 42U; - ptr0[(size_t)(size19 - 1U)] = 23U; + r0[(size_t)(size19.sc - 2U)] = 42U; + r0[(size_t)(size19.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t - size20 = sizes[arena_id * (size_t)27U + (size_t)20U]; - bool b20 = 4096U % size20 == 0U; - if (b20 && bytes <= size20 - 2U && alignment <= size20) + Constants_sc_full_ + size20 = sizes[arena_id * (size_t)47U + (size_t)20U]; + bool b20 = size20.slab_size % size20.sc == 0U; + if + (b20 && bytes <= size20.sc - 2U && alignment <= size20.sc) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)20U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)20U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)20U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size20 - 2U)] = 42U; - ptr0[(size_t)(size20 - 1U)] = 23U; + r0[(size_t)(size20.sc - 2U)] = 42U; + r0[(size_t)(size20.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t - size21 = sizes[arena_id * (size_t)27U + (size_t)21U]; - bool b21 = 4096U % size21 == 0U; - if (b21 && bytes <= size21 - 2U && alignment <= size21) + Constants_sc_full_ + size21 = sizes[arena_id * (size_t)47U + (size_t)21U]; + bool b21 = size21.slab_size % size21.sc == 0U; + if + ( + b21 && bytes <= size21.sc - 2U && + alignment <= size21.sc + ) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)21U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)21U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)21U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size21 - 2U)] = 42U; - ptr0[(size_t)(size21 - 1U)] = 23U; + r0[(size_t)(size21.sc - 2U)] = 42U; + r0[(size_t)(size21.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t - size22 = sizes[arena_id * (size_t)27U + (size_t)22U]; - bool b22 = 4096U % size22 == 0U; + Constants_sc_full_ + size22 = sizes[arena_id * (size_t)47U + (size_t)22U]; + bool b22 = size22.slab_size % size22.sc == 0U; if - (b22 && bytes <= size22 - 2U && alignment <= size22) + ( + b22 && bytes <= size22.sc - 2U && + alignment <= size22.sc + ) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)22U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)22U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)22U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size22 - 2U)] = 42U; - ptr0[(size_t)(size22 - 1U)] = 23U; + r0[(size_t)(size22.sc - 2U)] = 42U; + r0[(size_t)(size22.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t - size23 = sizes[arena_id * (size_t)27U + (size_t)23U]; - bool b23 = 4096U % size23 == 0U; + Constants_sc_full_ + size23 = sizes[arena_id * (size_t)47U + (size_t)23U]; + bool b23 = size23.slab_size % size23.sc == 0U; if - (b23 && bytes <= size23 - 2U && alignment <= size23) + ( + b23 && bytes <= size23.sc - 2U && + alignment <= size23.sc + ) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)23U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)23U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)23U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size23 - 2U)] = 42U; - ptr0[(size_t)(size23 - 1U)] = 23U; + r0[(size_t)(size23.sc - 2U)] = 42U; + r0[(size_t)(size23.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t + Constants_sc_full_ size24 = - sizes[arena_id * (size_t)27U + (size_t)24U]; - bool b24 = 4096U % size24 == 0U; + sizes[arena_id * (size_t)47U + (size_t)24U]; + bool b24 = size24.slab_size % size24.sc == 0U; if ( - b24 && bytes <= size24 - 2U && - alignment <= size24 + b24 && bytes <= size24.sc - 2U && + alignment <= size24.sc ) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)24U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)24U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)24U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size24 - 2U)] = 42U; - ptr0[(size_t)(size24 - 1U)] = 23U; + r0[(size_t)(size24.sc - 2U)] = 42U; + r0[(size_t)(size24.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t + Constants_sc_full_ size25 = - sizes[arena_id * (size_t)27U + (size_t)25U]; - bool b25 = 4096U % size25 == 0U; + sizes[arena_id * (size_t)47U + (size_t)25U]; + bool b25 = size25.slab_size % size25.sc == 0U; if ( - b25 && bytes <= size25 - 2U && - alignment <= size25 + b25 && bytes <= size25.sc - 2U && + alignment <= size25.sc ) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)25U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)25U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)25U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size25 - 2U)] = 42U; - ptr0[(size_t)(size25 - 1U)] = 23U; + r0[(size_t)(size25.sc - 2U)] = 42U; + r0[(size_t)(size25.sc - 1U)] = 23U; } - return ptr0; + return r0; } else { - uint32_t + Constants_sc_full_ size26 = - sizes[arena_id * (size_t)27U + (size_t)26U]; - bool b26 = 4096U % size26 == 0U; + sizes[arena_id * (size_t)47U + (size_t)26U]; + bool b26 = size26.slab_size % size26.sc == 0U; if ( - b26 && bytes <= size26 - 2U && - alignment <= size26 + b26 && bytes <= size26.sc - 2U && + alignment <= size26.sc ) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)26U].lock); uint8_t *r = allocate_size_class(Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)26U].data); Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id - * (size_t)27U + * (size_t)47U + (size_t)26U].lock); uint8_t *ptr = r; - uint8_t *ptr0 = ptr; - if (!(ptr0 == NULL)) + uint8_t *r0 = ptr; + if (!(r0 == NULL)) { - ptr0[(size_t)(size26 - 2U)] = 42U; - ptr0[(size_t)(size26 - 1U)] = 23U; + r0[(size_t)(size26.sc - 2U)] = 42U; + r0[(size_t)(size26.sc - 1U)] = 23U; } - return ptr0; + return r0; } else - return NULL; + { + Constants_sc_full_ + size27 = + sizes[arena_id * (size_t)47U + (size_t)27U]; + bool + b27 = size27.slab_size % size27.sc == 0U; + if + ( + b27 && bytes <= size27.sc - 2U && + alignment <= size27.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)27U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)27U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)27U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size27.sc - 2U)] = 42U; + r0[(size_t)(size27.sc - 1U)] = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size28 = + sizes[arena_id * (size_t)47U + + (size_t)28U]; + bool + b28 = size28.slab_size % size28.sc == 0U; + if + ( + b28 && bytes <= size28.sc - 2U && + alignment <= size28.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)28U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)28U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)28U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size28.sc - 2U)] = 42U; + r0[(size_t)(size28.sc - 1U)] = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size29 = + sizes[arena_id * (size_t)47U + + (size_t)29U]; + bool + b29 = size29.slab_size % size29.sc == 0U; + if + ( + b29 && bytes <= size29.sc - 2U && + alignment <= size29.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)29U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)29U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)29U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size29.sc - 2U)] = 42U; + r0[(size_t)(size29.sc - 1U)] = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size30 = + sizes[arena_id * (size_t)47U + + (size_t)30U]; + bool + b30 = + size30.slab_size % size30.sc == 0U; + if + ( + b30 && bytes <= size30.sc - 2U && + alignment <= size30.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)30U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)30U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)30U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size30.sc - 2U)] = 42U; + r0[(size_t)(size30.sc - 1U)] = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size31 = + sizes[arena_id * (size_t)47U + + (size_t)31U]; + bool + b31 = + size31.slab_size % size31.sc == 0U; + if + ( + b31 && bytes <= size31.sc - 2U && + alignment <= size31.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)31U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)31U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)31U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size31.sc - 2U)] = + 42U; + r0[(size_t)(size31.sc - 1U)] = + 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size32 = + sizes[arena_id * (size_t)47U + + (size_t)32U]; + bool + b32 = + size32.slab_size % size32.sc == + 0U; + if + ( + b32 && bytes <= size32.sc - 2U + && alignment <= size32.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)32U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)32U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)32U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size32.sc - 2U)] = + 42U; + r0[(size_t)(size32.sc - 1U)] = + 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size33 = + sizes[arena_id * (size_t)47U + + (size_t)33U]; + bool + b33 = + size33.slab_size % size33.sc + == 0U; + if + ( + b33 && bytes <= size33.sc - 2U + && alignment <= size33.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)33U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)33U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)33U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size33.sc - 2U)] + = 42U; + r0[(size_t)(size33.sc - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size34 = + sizes[arena_id * (size_t)47U + + (size_t)34U]; + bool + b34 = + size34.slab_size % size34.sc + == 0U; + if + ( + b34 && + bytes <= size34.sc - 2U + && alignment <= size34.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)34U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)34U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)34U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size34.sc - 2U)] + = 42U; + r0[(size_t)(size34.sc - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size35 = + sizes[arena_id * + (size_t)47U + + (size_t)35U]; + bool + b35 = + size35.slab_size % + size35.sc + == 0U; + if + ( + b35 && + bytes <= size35.sc - 2U + && alignment <= size35.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)35U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)35U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)35U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size35.sc - + 2U)] + = 42U; + r0[(size_t)(size35.sc - + 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size36 = + sizes[arena_id * + (size_t)47U + + (size_t)36U]; + bool + b36 = + size36.slab_size % + size36.sc + == 0U; + if + ( + b36 && + bytes <= + size36.sc - 2U + && + alignment <= size36.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)36U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)36U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)36U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size36.sc + - 2U)] + = 42U; + r0[(size_t)(size36.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size37 = + sizes[arena_id * + (size_t)47U + + (size_t)37U]; + bool + b37 = + size37.slab_size % + size37.sc + == 0U; + if + ( + b37 && + bytes <= + size37.sc - 2U + && + alignment <= + size37.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)37U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)37U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)37U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size37.sc + - 2U)] + = 42U; + r0[(size_t)(size37.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size38 = + sizes[arena_id * + (size_t)47U + + (size_t)38U]; + bool + b38 = + size38.slab_size % + size38.sc + == 0U; + if + ( + b38 && + bytes <= + size38.sc - 2U + && + alignment <= + size38.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)38U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)38U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)38U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size38.sc + - 2U)] + = 42U; + r0[(size_t)(size38.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size39 = + sizes[arena_id * + (size_t)47U + + (size_t)39U]; + bool + b39 = + size39.slab_size % + size39.sc + == 0U; + if + ( + b39 && + bytes <= + size39.sc - 2U + && + alignment <= + size39.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)39U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)39U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)39U].lock); + uint8_t *ptr = r; + uint8_t *r0 = ptr; + if (!(r0 == NULL)) + { + r0[(size_t)(size39.sc + - 2U)] + = 42U; + r0[(size_t)(size39.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size40 = + sizes[arena_id * + (size_t)47U + + (size_t)40U]; + bool + b40 = + size40.slab_size + % size40.sc + == 0U; + if + ( + b40 && + bytes <= + size40.sc - + 2U + && + alignment <= + size40.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)40U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)40U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * (size_t)47U + + (size_t)40U].lock); + uint8_t + *ptr = r; + uint8_t + *r0 = ptr; + if + (!(r0 == NULL)) + { + r0[(size_t)(size40.sc + - 2U)] + = 42U; + r0[(size_t)(size40.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size41 = + sizes[arena_id + * (size_t)47U + + (size_t)41U]; + bool + b41 = + size41.slab_size + % size41.sc + == 0U; + if + ( + b41 && + bytes <= + size41.sc + - 2U + && + alignment <= + size41.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)41U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)41U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)41U].lock); + uint8_t + *ptr = r; + uint8_t + *r0 = ptr; + if + ( + !(r0 == NULL) + ) + { + r0[(size_t)(size41.sc + - 2U)] + = 42U; + r0[(size_t)(size41.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size42 = + sizes[arena_id + * + (size_t)47U + + + (size_t)42U]; + bool + b42 = + size42.slab_size + % size42.sc + == 0U; + if + ( + b42 && + bytes <= + size42.sc + - 2U + && + alignment + <= + size42.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)42U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)42U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)42U].lock); + uint8_t + *ptr = r; + uint8_t + *r0 = ptr; + if + ( + !(r0 == + NULL) + ) + { + r0[(size_t)(size42.sc + - 2U)] + = 42U; + r0[(size_t)(size42.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size43 = + sizes[arena_id + * + (size_t)47U + + + (size_t)43U]; + bool + b43 = + size43.slab_size + % + size43.sc + == 0U; + if + ( + b43 && + bytes <= + size43.sc + - 2U + && + alignment + <= + size43.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)43U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)43U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)43U].lock); + uint8_t + *ptr = r; + uint8_t + *r0 = ptr; + if + ( + !(r0 == + NULL) + ) + { + r0[(size_t)(size43.sc + - 2U)] + = 42U; + r0[(size_t)(size43.sc + - 1U)] + = 23U; + } + return r0; + } + else + { + Constants_sc_full_ + size44 = + sizes[arena_id + * + (size_t)47U + + + (size_t)44U]; + bool + b44 = + size44.slab_size + % + size44.sc + == 0U; + if + ( + b44 && + bytes + <= + size44.sc + - 2U + && + alignment + <= + size44.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)44U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)44U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)44U].lock); + uint8_t + *ptr = r; + uint8_t + *r0 = + ptr; + if + ( + !(r0 + == + NULL) + ) + { + r0[(size_t)(size44.sc + - 2U)] + = 42U; + r0[(size_t)(size44.sc + - 1U)] + = 23U; + } + return + r0; + } + else + { + Constants_sc_full_ + size45 = + sizes[arena_id + * + (size_t)47U + + + (size_t)45U]; + bool + b45 = + size45.slab_size + % + size45.sc + == 0U; + if + ( + b45 && + bytes + <= + size45.sc + - + 2U + && + alignment + <= + size45.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)45U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)45U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)45U].lock); + uint8_t + *ptr = + r; + uint8_t + *r0 = + ptr; + if + ( + !(r0 + == + NULL) + ) + { + r0[(size_t)(size45.sc + - 2U)] + = + 42U; + r0[(size_t)(size45.sc + - 1U)] + = + 23U; + } + return + r0; + } + else + { + Constants_sc_full_ + size46 = + sizes[arena_id + * + (size_t)47U + + + (size_t)46U]; + bool + b46 = + size46.slab_size + % + size46.sc + == + 0U; + if + ( + b46 + && + bytes + <= + size46.sc + - + 2U + && + alignment + <= + size46.sc + ) + { + Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)46U].lock); + uint8_t + *r = + allocate_size_class(Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)46U].data); + Steel_SpinLock_release(&Main_Meta_sc_all.size_classes[arena_id + * + (size_t)47U + + + (size_t)46U].lock); + uint8_t + *ptr = + r; + uint8_t + *r0 = + ptr; + if + ( + !(r0 + == + NULL) + ) + { + r0[(size_t)(size46.sc + - + 2U)] + = + 42U; + r0[(size_t)(size46.sc + - + 1U)] + = + 23U; + } + return + r0; + } + else + return + NULL; + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } + } } } } @@ -2149,10 +3412,10 @@ static size_t slab_getsize(uint8_t *ptr) ptrdiff_t diff = pt0 - pt1; size_t diff_sz = (size_t)diff; size_t index = diff_sz / (size_t)68719476736U; - uint32_t size = sizes[index]; - size_t rem_slot = diff_sz % (size_t)4096U; - if (rem_slot % (size_t)size == (size_t)0U) - return (size_t)(size - 2U); + Constants_sc_full_ size = sizes[index]; + size_t rem_slot = diff_sz % (size_t)size.slab_size; + if (rem_slot % (size_t)size.sc == (size_t)0U) + return (size_t)(size.sc - 2U); else return (size_t)0U; } @@ -2164,13 +3427,13 @@ static bool slab_free(uint8_t *ptr) ptrdiff_t diff = pt0 - pt1; size_t diff_sz = (size_t)diff; size_t index = diff_sz / (size_t)68719476736U; - uint32_t size = sizes[index]; + Constants_sc_full_ size = sizes[index]; size_t rem_slab = diff_sz % (size_t)68719476736U; - size_t rem_slot = diff_sz % (size_t)4096U; - if (rem_slot % (size_t)size == (size_t)0U) + size_t rem_slot = diff_sz % (size_t)size.slab_size; + if (rem_slot % (size_t)size.sc == (size_t)0U) { - uint8_t magic1 = ptr[(size_t)(size - 2U)]; - uint8_t magic2 = ptr[(size_t)(size - 1U)]; + uint8_t magic1 = ptr[(size_t)(size.sc - 2U)]; + uint8_t magic2 = ptr[(size_t)(size.sc - 1U)]; if (magic1 == 42U && magic2 == 23U) { Steel_SpinLock_acquire(&Main_Meta_sc_all.size_classes[index].lock); @@ -2187,7 +3450,7 @@ static bool slab_free(uint8_t *ptr) return false; } -size_t StarMalloc_threshold = (size_t)4096U - (size_t)2U; +size_t StarMalloc_threshold; uint8_t *StarMalloc_malloc(size_t arena_id, size_t size) { @@ -2211,8 +3474,8 @@ uint8_t *StarMalloc_malloc(size_t arena_id, size_t size) else { size_t size_; - if (size <= (size_t)4096U) - size_ = (size_t)4096U + (size_t)1U; + if (size <= (size_t)Constants_max_slab_size) + size_ = (size_t)Constants_max_slab_size + (size_t)1U; else size_ = size; uint8_t *r = large_malloc(size_); @@ -2222,37 +3485,38 @@ uint8_t *StarMalloc_malloc(size_t arena_id, size_t size) uint8_t *StarMalloc_aligned_alloc(size_t arena_id, size_t alignment, size_t size) { - bool check = alignment > (size_t)0U && (size_t)4096U % alignment == (size_t)0U; - if (check) + uint32_t alignment_as_u32 = (uint32_t)alignment; + bool + check1 = + alignment > (size_t)0U && (size_t)Constants_max_slab_size % alignment == (size_t)0U && + size <= StarMalloc_threshold; + bool check2 = alignment > (size_t)0U && (size_t)4096U % alignment == (size_t)0U; + if (check1) { - uint32_t alignment_as_u32 = (uint32_t)alignment; - if (size <= StarMalloc_threshold) + uint8_t *ptr = slab_aligned_alloc(arena_id, alignment_as_u32, (uint32_t)size); + if (ptr == NULL || false) + return ptr; + else { - uint8_t *ptr = slab_aligned_alloc(arena_id, alignment_as_u32, (uint32_t)size); - if (ptr == NULL || false) + bool b = check_zeroing_u8(ptr, size); + if (b) return ptr; else { - bool b = check_zeroing_u8(ptr, size); - if (b) - return ptr; - else - { - FatalError_die_from_malloc_zeroing_check_failure(ptr); - return NULL; - } + FatalError_die_from_malloc_zeroing_check_failure(ptr); + return NULL; } } + } + else if (check2) + { + size_t size_; + if (size <= (size_t)Constants_max_slab_size) + size_ = (size_t)Constants_max_slab_size + (size_t)1U; else - { - size_t size_; - if (size <= (size_t)4096U) - size_ = (size_t)4096U + (size_t)1U; - else - size_ = size; - uint8_t *ptr = large_malloc(size_); - return ptr; - } + size_ = size; + uint8_t *ptr = large_malloc(size_); + return ptr; } else return NULL; @@ -2268,7 +3532,7 @@ bool StarMalloc_free(uint8_t *ptr) b = within_bounds_ptr(Main_Meta_sc_all.slab_region, ptr, - Main_Meta_sc_all.slab_region + slab_region_size); + Main_Meta_sc_all.slab_region + full_slab_region_size); bool b0 = b; if (b0) return slab_free(ptr); @@ -2283,7 +3547,7 @@ size_t StarMalloc_getsize(uint8_t *ptr) b = within_bounds_ptr(Main_Meta_sc_all.slab_region, ptr, - Main_Meta_sc_all.slab_region + slab_region_size); + Main_Meta_sc_all.slab_region + full_slab_region_size); bool b0 = b; if (b0) { @@ -2318,7 +3582,7 @@ uint8_t *StarMalloc_realloc(size_t arena_id, uint8_t *ptr, size_t new_size) else { size_t old_size = StarMalloc_getsize(ptr); - bool old_allocation_is_small = old_size <= (size_t)4096U; + bool old_allocation_is_small = old_size <= (size_t)Constants_max_slab_size; bool new_allocation_is_small = new_size <= StarMalloc_threshold; bool same_case = old_allocation_is_small == new_allocation_is_small; bool small_case_optim_condition; diff --git a/dist/Utils2.c b/dist/Utils2.c index c6dc0d1e..9c88ba12 100644 --- a/dist/Utils2.c +++ b/dist/Utils2.c @@ -3,14 +3,16 @@ #include "Utils2.h" -uint32_t Utils2_nb_slots(uint32_t size_class) +#include "Constants.h" + +uint32_t Utils2_nb_slots(Constants_sc_full_ size_class) { - return 4096U / size_class; + return size_class.slab_size / size_class.sc; } -size_t Utils2_rounding(uint32_t size_class) +size_t Utils2_rounding(Constants_sc_full_ size_class) { - return (size_t)(Utils2_nb_slots(size_class) * size_class); + return (size_t)(Utils2_nb_slots(size_class) * size_class.sc); } uint64_t Utils2_full_n_aux(uint32_t bound) @@ -30,7 +32,7 @@ uint64_t Utils2_full_n(uint32_t bound) } } -bool Utils2_has_free_slot_s(uint32_t size_class, uint64_t *md) +bool Utils2_has_free_slot_s(Constants_sc_full_ size_class, uint64_t *md) { uint32_t nb_slots_v = Utils2_nb_slots(size_class); uint32_t bound = nb_slots_v / 64U; @@ -51,7 +53,7 @@ bool Utils2_has_free_slot_s(uint32_t size_class, uint64_t *md) || (bound > 3U && !(v3 == 18446744073709551615ULL)); } -bool Utils2_is_empty_s(uint32_t size_class, uint64_t *md) +bool Utils2_is_empty_s(Constants_sc_full_ size_class, uint64_t *md) { uint32_t bound = Utils2_nb_slots(size_class) / 64U; uint64_t v0 = md[0U]; @@ -63,14 +65,14 @@ bool Utils2_is_empty_s(uint32_t size_class, uint64_t *md) (bound <= 3U || v3 == 0ULL); } -bool Utils2_is_partial_s(uint32_t size_class, uint64_t *md) +bool Utils2_is_partial_s(Constants_sc_full_ size_class, uint64_t *md) { bool b1 = Utils2_has_free_slot_s(size_class, md); bool b2 = Utils2_is_empty_s(size_class, md); return b1 && !b2; } -bool Utils2_is_full_s(uint32_t size_class, uint64_t *md) +bool Utils2_is_full_s(Constants_sc_full_ size_class, uint64_t *md) { bool b = Utils2_has_free_slot_s(size_class, md); return !b; diff --git a/dist/Utils2.h b/dist/Utils2.h index bf71bc7f..be255cc1 100644 --- a/dist/Utils2.h +++ b/dist/Utils2.h @@ -6,21 +6,23 @@ #include "krmllib.h" -uint32_t Utils2_nb_slots(uint32_t size_class); +#include "Constants.h" -size_t Utils2_rounding(uint32_t size_class); +uint32_t Utils2_nb_slots(Constants_sc_full_ size_class); + +size_t Utils2_rounding(Constants_sc_full_ size_class); uint64_t Utils2_full_n_aux(uint32_t bound); uint64_t Utils2_full_n(uint32_t bound); -bool Utils2_has_free_slot_s(uint32_t size_class, uint64_t *md); +bool Utils2_has_free_slot_s(Constants_sc_full_ size_class, uint64_t *md); -bool Utils2_is_empty_s(uint32_t size_class, uint64_t *md); +bool Utils2_is_empty_s(Constants_sc_full_ size_class, uint64_t *md); -bool Utils2_is_partial_s(uint32_t size_class, uint64_t *md); +bool Utils2_is_partial_s(Constants_sc_full_ size_class, uint64_t *md); -bool Utils2_is_full_s(uint32_t size_class, uint64_t *md); +bool Utils2_is_full_s(Constants_sc_full_ size_class, uint64_t *md); #define Utils2_H_DEFINED diff --git a/dist/internal/Slabs.h b/dist/internal/Slabs.h index ddeddf83..b12487b7 100644 --- a/dist/internal/Slabs.h +++ b/dist/internal/Slabs.h @@ -6,12 +6,13 @@ #include "krmllib.h" +#include "Constants.h" #include "ArrayList.h" bool SlabsFree_deallocate_slab( uint8_t *ptr, - uint32_t size_class, + Constants_sc_full_ sc, uint8_t *slab_region, uint64_t *md_bm_region, ArrayList_cell *md_region, @@ -22,7 +23,7 @@ SlabsFree_deallocate_slab( uint8_t *SlabsAlloc_allocate_slab( - uint32_t size_class, + Constants_sc_full_ sc, uint8_t *slab_region, uint64_t *md_bm_region, ArrayList_cell *md_region, diff --git a/dist/internal/Slots.h b/dist/internal/Slots.h index bbfdf3fe..f9dc8cce 100644 --- a/dist/internal/Slots.h +++ b/dist/internal/Slots.h @@ -6,11 +6,13 @@ #include "krmllib.h" -uint8_t *SlotsAlloc_allocate_slot(uint32_t size_class, uint64_t *md, uint8_t *arr); +#include "Constants.h" + +uint8_t *SlotsAlloc_allocate_slot(Constants_sc_full_ size_class, uint64_t *md, uint8_t *arr); bool SlotsFree_deallocate_slot( - uint32_t size_class, + Constants_sc_full_ size_class, uint64_t *md, uint8_t *arr, uint8_t *ptr, diff --git a/dist/internal/StarMalloc.h b/dist/internal/StarMalloc.h index e5d4520e..d02d043b 100644 --- a/dist/internal/StarMalloc.h +++ b/dist/internal/StarMalloc.h @@ -8,8 +8,11 @@ #include "SizeClass.h" #include "Mman.h" +#include "Constants.h" #include "../StarMalloc.h" +extern uint32_t Impl_Trees_Cast_M_avl_data_size; + typedef struct Impl_Trees_Cast_M_data_s { uint8_t *fst; @@ -31,6 +34,8 @@ typedef struct Impl_Trees_Cast_M_node_s } Impl_Trees_Cast_M_node; +extern Constants_sc_full_ Impl_Trees_Types_sc_avl; + typedef struct Impl_Trees_Types_mmap_md_slabs_s { uint8_t *slab_region; diff --git a/dist/krmlinit.c b/dist/krmlinit.c index 1bd3fb59..e1500ae7 100644 --- a/dist/krmlinit.c +++ b/dist/krmlinit.c @@ -3,6 +3,8 @@ #include "krmlinit.h" +#include "StarMalloc.h" +#include "Constants.h" #include "internal/StarMalloc.h" #if defined(__GNUC__) && !(defined(_WIN32) || defined(_WIN64)) @@ -11,8 +13,17 @@ __attribute__ ((visibility ("hidden"))) void krmlinit_globals(void) { + Impl_Trees_Types_sc_avl = + ( + (Constants_sc_full_){ + .sc = Impl_Trees_Cast_M_avl_data_size, + .slab_size = 4096U, + .md_max = (size_t)16777216U + } + ); Impl_Trees_Types_init_mmap_md_slabs(&Impl_Trees_Types_metadata_slabs); init_mmap_md(&metadata); Main_Meta_sc_all = Main_Meta_init(); + StarMalloc_threshold = (size_t)Constants_max_slab_size - (size_t)2U; } diff --git a/flake.nix b/flake.nix index 681115db..4ab39cf1 100644 --- a/flake.nix +++ b/flake.nix @@ -65,6 +65,7 @@ "lib_misc(/.*)?" "lib_ringbuffer(/.*)?" "src(/.*)?" + "vendor(/.*)?" "c(/.*)?" "Makefile.include" "Makefile" diff --git a/lib_avl_mono/Impl.Trees.Cast.M.fst b/lib_avl_mono/Impl.Trees.Cast.M.fst index 6bcd2356..43537eb2 100644 --- a/lib_avl_mono/Impl.Trees.Cast.M.fst +++ b/lib_avl_mono/Impl.Trees.Cast.M.fst @@ -25,7 +25,7 @@ let avl_data_size : v:sc{U32.v avl_data_size_aux <= U32.v v} = 64ul type data = x: (array U8.t * US.t){ ( US.v (snd x) > 0 /\ - US.v (snd x) > U32.v page_size /\ + US.v (snd x) > U32.v max_slab_size /\ A.length (fst x) == US.v (snd x) /\ A.is_full_array (fst x) ) diff --git a/lib_avl_mono/Impl.Trees.Types.fst b/lib_avl_mono/Impl.Trees.Types.fst index 2cb26b2b..6b89a1aa 100644 --- a/lib_avl_mono/Impl.Trees.Types.fst +++ b/lib_avl_mono/Impl.Trees.Types.fst @@ -36,6 +36,9 @@ let cmp = cmp inline_for_extraction noextract let avl_data_size = avl_data_size +let sc_avl : sc_full + = {sc = avl_data_size; slab_size = page_size; md_max = metadata_max} + inline_for_extraction noextract val init_avl_scs (slab_region: array U8.t) : Steel (size_class_struct) @@ -44,11 +47,11 @@ val init_avl_scs (slab_region: array U8.t) (requires fun h0 -> A.is_full_array slab_region /\ A.length slab_region = US.v metadata_max `FStar.Mul.op_Star` U32.v page_size /\ - array_u8_alignment slab_region page_size /\ + array_u8_alignment slab_region max_slab_size /\ zf_u8 (A.asel slab_region h0) ) (ensures fun _ r _ -> - r.size = avl_data_size /\ + r.size = sc_avl /\ r.slab_region == slab_region /\ A.is_full_array r.slab_region ) @@ -60,7 +63,7 @@ let init_avl_scs (slab_region: array U8.t) let md_region_size = metadata_max in let md_bm_region = mmap_u64_init md_bm_region_size in let md_region = mmap_cell_status_init md_region_size in - let scs = init_struct_aux avl_data_size slab_region md_bm_region md_region in + let scs = init_struct_aux sc_avl slab_region md_bm_region md_region in return scs module L = Steel.SpinLock @@ -70,7 +73,7 @@ type mmap_md_slabs = { slab_region: array U8.t; scs: v:size_class_struct{ - v.size = avl_data_size /\ + v.size = sc_avl /\ v.slab_region == A.split_r slab_region 0sz /\ A.is_full_array v.slab_region }; @@ -119,7 +122,7 @@ let p : hpred data same_base_array ptr metadata_slabs.scs.slab_region /\ UP.fits (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of metadata_slabs.scs.slab_region)) /\ A.offset (A.ptr_of ptr) - A.offset (A.ptr_of metadata_slabs.scs.slab_region) >= 0 /\ - ((A.offset (A.ptr_of ptr) - A.offset (A.ptr_of metadata_slabs.scs.slab_region)) % U32.v page_size) % U32.v metadata_slabs.scs.size = 0) + ((A.offset (A.ptr_of ptr) - A.offset (A.ptr_of metadata_slabs.scs.slab_region)) % U32.v sc_avl.slab_size) % U32.v sc_avl.sc = 0) ) ) #pop-options diff --git a/lib_avl_mono/Map.M.fst b/lib_avl_mono/Map.M.fst index afc78cc0..0d690d56 100644 --- a/lib_avl_mono/Map.M.fst +++ b/lib_avl_mono/Map.M.fst @@ -126,7 +126,7 @@ let rec find (Some? r ==> ( let size = Some?.v r in A.length (fst v) == US.v size /\ - US.v size > U32.v page_size /\ + US.v size > U32.v max_slab_size /\ A.is_full_array (fst v) /\ Spec.mem (spec_convert cmp) (v_linked_tree p ptr h0) (fst v, Some?.v r) diff --git a/src/Config.fst b/src/Config.fst index f3ac93ae..8b3d249e 100644 --- a/src/Config.fst +++ b/src/Config.fst @@ -16,16 +16,98 @@ let _ : squash (US.fits_u64) let _ : squash (UP.fits (FStar.Int.max_int 64)) = A.intro_fits_ptrdiff64 () -let sc_list1 : list sc = [ - 16ul; 32ul; - 64ul; 80ul; 96ul; 112ul; - 128ul; 160ul; 192ul; 224ul; - 256ul; 320ul; 384ul; 448ul; - 512ul; 640ul; 768ul; 896ul; - 1024ul; 1280ul; 1536ul; 1792ul; - 2048ul; 2560ul; 3072ul; 3584ul; - 4096ul - ] + +// CONFIGURABLE +let nb_arenas = 4sz + +// CONFIGURABLE +inline_for_extraction noextract +let metadata_max' = 16777216UL + +//DO NOT EDIT +let metadata_max_fits_lemma (_:unit) + : Lemma + (let x = U32.v page_size * U64.v metadata_max' in// * US.v nb_size_classes * US.v nb_arenas in + x < FStar.UInt.max_int U64.n /\ + x < FStar.Int.max_int U64.n) + = + () + //let l = normalize_term (L.length sc_list) in + //normalize_term_spec (L.length sc_list); + //assert (US.v nb_size_classes = l) + +//DO NOT EDIT, edit metadata_max' instead +let metadata_max = + //metadata_max_fits_lemma (); + //US.fits_u64_implies_fits (U32.v page_size * U64.v metadata_max' * US.v nb_size_classes * US.v nb_arenas); + assert_norm (U64.v metadata_max' < pow2 64); + assert_norm (U64.v metadata_max' * U32.v page_size < pow2 64); + US.fits_u64_implies_fits (U64.v metadata_max'); + US.fits_u64_implies_fits (U64.v metadata_max' * U32.v page_size); + US.of_u64 metadata_max' + +#push-options "--fuel 0 --ifuel 0" +let sc_list1 : list sc_full = [ + // special cases + {sc = 16ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 32ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 64ul; slab_size = 4096ul; md_max = metadata_max}; + // 16 + {sc = 80ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 96ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 112ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 128ul; slab_size = 4096ul; md_max = metadata_max}; + // 32 + {sc = 160ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 192ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 224ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 256ul; slab_size = 4096ul; md_max = metadata_max}; + // 64 + {sc = 320ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 384ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 448ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 512ul; slab_size = 4096ul; md_max = metadata_max}; + // 128 + {sc = 640ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 768ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 896ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 1024ul; slab_size = 4096ul; md_max = metadata_max}; + // 256 + {sc = 1280ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 1536ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 1792ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 2048ul; slab_size = 4096ul; md_max = metadata_max}; + // 512 + {sc = 2560ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 3072ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 3584ul; slab_size = 4096ul; md_max = metadata_max}; + {sc = 4096ul; slab_size = 4096ul; md_max = metadata_max}; + // 1024 + {sc = 5120ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 6144ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 7168ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 8192ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + // 2048 + {sc = 10240ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 12288ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 14336ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 16384ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + // 4096: large internal fragmentation + {sc = 20480ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 24576ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 28672ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + {sc = 32768ul; slab_size = 32768ul; md_max = US.div metadata_max 8sz}; + // 8192: large internal fragmentation + {sc = 40960ul; slab_size = 65536ul; md_max = US.div metadata_max 16sz}; + {sc = 49152ul; slab_size = 65536ul; md_max = US.div metadata_max 16sz}; + {sc = 57344ul; slab_size = 65536ul; md_max = US.div metadata_max 16sz}; + {sc = 65536ul; slab_size = 65536ul; md_max = US.div metadata_max 16sz}; + // 16384: large internal fragmentation + {sc = 81920ul; slab_size = 131072ul; md_max = US.div metadata_max 32sz}; + {sc = 98304ul; slab_size = 131072ul; md_max = US.div metadata_max 32sz}; + {sc = 114688ul; slab_size = 131072ul; md_max = US.div metadata_max 32sz}; + {sc = 131072ul; slab_size = 131072ul; md_max = US.div metadata_max 32sz}; +] //let sc_list = [ // 16ul; 32ul; 64ul; @@ -38,8 +120,8 @@ let sc_list_f1 : nat -> nat = SizeClassSelection.sc_list_f open MiscList let sc_list = - assert_norm (L.last sc_list1 = page_size); - last_mem_lemma sc_list1; + //assert_norm (L.last sc_list1 = page_size); + //last_mem_lemma sc_list1; sc_list1 let sc_list_f = SizeClassSelection.sc_list_f @@ -49,26 +131,26 @@ module T = FStar.Tactics let sc_list_check (_:unit) : Lemma (let l1 : list nat - = L.map (fun (k:sc) -> U32.v k <: nat) sc_list in + = L.map (fun (k:sc_full) -> U32.v k.sc <: nat) sc_list in let l2 : list nat = L.map (fun k -> sc_list_f k) (init (L.length sc_list)) in l1 == l2) = let l1 : list nat - = L.map (fun (k:sc) -> U32.v k <: nat) sc_list in + = L.map (fun (k:sc_full) -> U32.v k.sc <: nat) sc_list in let l2 : list nat = L.map (fun k -> sc_list_f k) (init (L.length sc_list)) in assert (l1 = l2) by T.compute () let sc_list_lemma (i:nat{i < L.length sc_list}) : Lemma - (U32.v (L.index sc_list i) == sc_list_f i) + (U32.v (L.index sc_list i).sc == sc_list_f i) = sc_list_check (); - lemma_map_eq_to_index_eq - (fun (k:sc) -> U32.v k <: nat) + lemma_map_eq_to_index_eq #sc_full #nat #nat + (fun (k:sc_full) -> U32.v k.sc <: nat) (fun k -> sc_list_f k) - (sc_list) + sc_list (init (L.length sc_list)) i; lemma_init_index (L.length sc_list) i @@ -77,7 +159,7 @@ let sc_list_lemma (i:nat{i < L.length sc_list}) //DO NOT EDIT, edit sc_list instead let nb_size_classes = - assert_norm (L.length sc_list < U32.n); + assert_norm (L.length sc_list < 256); [@inline_let] let l = normalize_term (L.length sc_list) in normalize_term_spec (L.length sc_list); assert (l == L.length sc_list); @@ -92,9 +174,13 @@ let nb_size_classes US.fits_u64_implies_fits_32 (); US.of_u32 l_as_u32 +let metadata_max_fits () = + US.fits_u64_implies_fits (U32.v page_size * U64.v metadata_max' * US.v nb_size_classes * US.v nb_arenas) + let sc_selection x = let r = SizeClassSelection.inv_impl x in - assert_norm (L.length sc_list = 27); + // TODO: FIXME number of size classes is hardcoded + assert_norm (L.length sc_list = 47); sc_list_lemma (U32.v r); US.uint32_to_sizet r @@ -102,38 +188,14 @@ let enable_sc_fast_selection = true let sc_selection_is_exact1 k = - assert_norm (L.length sc_list = 27); sc_list_lemma k; SizeClassSelection.inv_exact k let sc_selection_is_exact2 k = - assert_norm (L.length sc_list = 27); sc_list_lemma k; SizeClassSelection.inv_exact2 k -let nb_arenas = 4sz - -inline_for_extraction noextract -let metadata_max' = 16777216UL - -//DO NOT EDIT -let metadata_max_fits_lemma (_:unit) - : Lemma - (let x = U32.v page_size * U64.v metadata_max' * US.v nb_size_classes * US.v nb_arenas in - x < FStar.UInt.max_int U64.n /\ - x < FStar.Int.max_int U64.n) - = - let l = normalize_term (L.length sc_list) in - normalize_term_spec (L.length sc_list); - assert (US.v nb_size_classes = l) - -//DO NOT EDIT, edit metadata_max' instead -let metadata_max = - metadata_max_fits_lemma (); - US.fits_u64_implies_fits (U32.v page_size * U64.v metadata_max' * US.v nb_size_classes * US.v nb_arenas); - US.fits_u64_implies_fits (U64.v metadata_max'); - US.of_u64 metadata_max' //DO NOT EDIT let metadata_max_up_fits _ = diff --git a/src/Config.fsti b/src/Config.fsti index a127c31f..1be45ee3 100644 --- a/src/Config.fsti +++ b/src/Config.fsti @@ -10,6 +10,9 @@ module L = FStar.List.Tot open FStar.Mul open Prelude +open Constants + + inline_for_extraction noextract let u32_to_sz (x:U32.t) @@ -17,24 +20,50 @@ let u32_to_sz = US.uint32_to_sizet x -open Constants +/// Number of arenas +inline_for_extraction +[@ CMacro ] +val nb_arenas: v:US.t{US.v v > 0} + +inline_for_extraction +val metadata_max: v:US.t{ + US.v v > 0 /\ + //US.fits (US.v v * U32.v page_size * US.v nb_size_classes * US.v nb_arenas) /\ + US.fits (US.v v * U32.v page_size) /\ + (US.v v * U32.v page_size) % U32.v max_slab_size = 0 +} + + +inline_for_extraction noextract +let sc_full = v:sc_full'{ + US.v v.md_max <= US.v metadata_max /\ + US.v v.md_max * U32.v v.slab_size == US.v metadata_max * U32.v page_size +} /// List of size classes used in each arena inline_for_extraction noextract -val sc_list : (l:list sc{Cons? l /\ L.mem page_size l}) +val sc_list : (l:list sc_full{ + Cons? l /\ + //L.mem (U32.v max_slab_size) (L.map (fun (x: sc_full) -> U32.v x.sc) l) + True +}) /// Number of size classes per arena inline_for_extraction [@ CMacro ] val nb_size_classes: v:US.t{US.v v > 0 /\ US.v v == L.length sc_list} +val metadata_max_fits (_:unit) + : Lemma + (US.fits (US.v metadata_max * U32.v page_size * US.v nb_size_classes * US.v nb_arenas)) + noextract unfold type sc_selection_f = (x:U32.t) -> Pure US.t (requires - U32.v x <= max_sc) + U32.v x <= U32.v max_slab_size) (ensures fun r -> US.v r < US.v nb_size_classes /\ - U32.v x <= U32.v (L.index sc_list (US.v r)) + U32.v x <= U32.v (L.index sc_list (US.v r)).sc ) /// Size class selection (fast path) @@ -52,7 +81,7 @@ val sc_selection_is_exact1 (k:nat) k < US.v nb_size_classes ) (ensures - US.v (sc_selection (L.index sc_list k)) == k + US.v (sc_selection (L.index sc_list k).sc) == k ) val sc_selection_is_exact2 (k:nat) @@ -61,20 +90,10 @@ val sc_selection_is_exact2 (k:nat) k < US.v nb_size_classes ) (ensures - US.v (sc_selection (U32.sub (L.index sc_list k) 2ul)) == k + US.v (sc_selection (U32.sub (L.index sc_list k).sc 2ul)) == k ) -/// Number of arenas -inline_for_extraction -[@ CMacro ] -val nb_arenas: v:US.t{US.v v > 0} -inline_for_extraction -val metadata_max: v:US.t{ - US.v v > 0 /\ - US.fits (US.v v * U32.v page_size * US.v nb_size_classes * US.v nb_arenas) /\ - US.fits (US.v v * U32.v page_size) -} val metadata_max_up_fits (_:unit) : Lemma diff --git a/src/Constants.fst b/src/Constants.fst index 2f7571c6..07e645e4 100644 --- a/src/Constants.fst +++ b/src/Constants.fst @@ -1,17 +1,20 @@ module Constants module U32 = FStar.UInt32 +module US = FStar.SizeT open FStar.Mul +open Prelude // LATER: code could be improved so that this value is not hardcoded anymore inline_for_extraction let page_size: U32.t = 4096ul -noextract -let min_sc = 64 -noextract -let max_sc = U32.v page_size +//inline_for_extraction +let max_slab_size: U32.t = 131072ul + +//inline_for_extraction +//let max_slab_size: US.t = US.uint32_to_sizet max_slab_size' // TODO: this could be improved // currently does not support size classes @@ -24,13 +27,53 @@ let max_sc = U32.v page_size // note: this mechanism does not rely on any loop! inline_for_extraction noextract let sc = x:U32.t{ - ( - U32.eq x 16ul \/ - U32.eq x 32ul \/ - (min_sc <= U32.v x /\ U32.v x <= max_sc) - ) /\ + //( + // U32.eq x 16ul \/ + // U32.eq x 32ul \/ + // (min_sc <= U32.v x /\ U32.v x <= max_sc) + //) /\ // https://www.intel.com/content/dam/develop/external/us/en/documents/mpx-linux64-abi.pdf // allocated arrays should have alignment of at least 16 bytes, // allowing use of SSE instructions - (U32.v x % 16 == 0) + U32.v x > 0 /\ + (U32.v x) % 16 == 0 /\ + U32.fits (U32.v x * 256) +} + +inline_for_extraction noextract +let sc_p (x: sc) (y: U32.t) + = + // bitmap handling: 256 bits max + // supported number of slots: any value in S \cup {128, 256}, + // where S is the integer interval [[1, 64]] + U32.v y <= 256 * U32.v x /\ + ( + // x = 16 + (U32.eq y (U32.mul x 256ul)) \/ + //(U32.div y 256ul)) \/ + // x = 32 + (U32.eq y (U32.mul x 128ul)) \/ + //(U32.div y 128ul)) \/ + // x >= 64 + (U32.lte y (U32.mul x 64ul)) + ) /\ + // why is this useful? + U32.v y <= U32.v max_slab_size /\ + // one slot fits on a slab + U32.v x <= U32.v y /\ + // for guard pages + quarantined pages: permission management is done using pages + (U32.v y) % (U32.v page_size) == 0 /\ + // alignement + (U32.v max_slab_size) % (U32.v y) == 0 /\ + // small sizeclasses: no page boundary crossing, useful in SizeClass.fst + // to retrieve alignment + (U32.v x <= 4096 ==> U32.v y <= 4096) /\ + True + +type sc_full' = { + sc: sc; + slab_size: v:U32.t{sc_p sc v}; + md_max: v:US.t{ + US.fits (U32.v slab_size * US.v v) + }; } diff --git a/src/Guards.fst b/src/Guards.fst index c69ae873..3d35574f 100644 --- a/src/Guards.fst +++ b/src/Guards.fst @@ -3,13 +3,13 @@ module Guards open Constants open Config -let guard_slab arr = if enable_guard_pages then trap_array arr else A.varray arr +let guard_slab sc arr = if enable_guard_pages then trap_array sc arr else A.varray arr -let mmap_trap_guard arr len = +let mmap_trap_guard sc arr len = if enable_guard_pages then ( - mmap_strict_trap arr len; - change_equal_slprop (trap_array arr) (guard_slab arr) + mmap_strict_trap sc arr len; + change_equal_slprop (trap_array sc arr) (guard_slab sc arr) ) else ( noop (); - change_equal_slprop (A.varray arr) (guard_slab arr) + change_equal_slprop (A.varray arr) (guard_slab sc arr) ) diff --git a/src/Guards.fsti b/src/Guards.fsti index cf2e4f84..9b4979e3 100644 --- a/src/Guards.fsti +++ b/src/Guards.fsti @@ -22,11 +22,13 @@ open MemoryTrap /// `enable_guard_pages` is enabled, this either /// corresponds to `trap_array` or to `varray` val guard_slab - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : vprop inline_for_extraction noextract val mmap_trap_guard - (arr: array U8.t{A.length arr = U32.v page_size}) - (len: US.t{US.v len = U32.v page_size}) - : SteelT unit (A.varray arr) (fun _ -> guard_slab arr) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) + (len: US.t{US.v len = U32.v size_class.slab_size}) + : SteelT unit (A.varray arr) (fun _ -> guard_slab size_class arr) diff --git a/src/Helpers.fst b/src/Helpers.fst index 8b0d4474..62af3923 100644 --- a/src/Helpers.fst +++ b/src/Helpers.fst @@ -405,13 +405,13 @@ let empty_md_lemma #push-options "--z3rlimit 50 --fuel 1 --ifuel 1" let slab_to_slots_aux - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) : Lemma (slab_vprop_aux_f size_class (Seq.create 4 0UL) arr pos == - some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (SlotsAlloc.slot_vprop size_class arr pos)) + some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (SlotsAlloc.slot_vprop size_class arr pos)) = let bm = a2bv (Seq.create 4 0UL) in let idx = Bitmap5.f #4 (U32.v pos) in @@ -421,20 +421,20 @@ let slab_to_slots_aux assert ( (slab_vprop_aux_f size_class (Seq.create 4 0UL) arr pos) == - some_as_vp #(Seq.lseq U8.t (U32.v size_class)) + some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (SlotsAlloc.slot_vprop size_class arr pos) ) #pop-options let slab_to_slots (#opened:_) - (size_class: sc) - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : SteelGhostT unit opened (A.varray arr) (fun _ -> starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Seq.create 4 0UL) (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class (Seq.create 4 0UL) @@ -445,16 +445,16 @@ let slab_to_slots (#opened:_) ) = A.ghost_split arr (rounding size_class); - array_to_pieces size_class (nb_slots size_class) (A.split_l arr (rounding size_class)); + array_to_pieces size_class.sc (nb_slots size_class) (A.split_l arr (rounding size_class)); starseq_weakening #_ #(pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(Seq.lseq U8.t (U32.v size_class)) - (slot_vprop size_class (nb_slots size_class) + #(Seq.lseq U8.t (U32.v size_class.sc)) + (slot_vprop size_class.sc (nb_slots size_class) (A.split_l arr (rounding size_class))) (SlotsAlloc.slot_vprop size_class (A.split_l arr (rounding size_class))) - (slot_vprop_lemma size_class (nb_slots size_class) + (slot_vprop_lemma size_class.sc (nb_slots size_class) (A.split_l arr (rounding size_class))) (SlotsAlloc.slot_vprop_lemma size_class (A.split_l arr (rounding size_class))) @@ -465,7 +465,7 @@ let slab_to_slots (#opened:_) starseq_weakening_rel_some #_ #(pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(Seq.lseq U8.t (U32.v size_class)) + #(Seq.lseq U8.t (U32.v size_class.sc)) (SlotsAlloc.slot_vprop size_class (A.split_l arr (rounding size_class))) (slab_vprop_aux_f size_class (Seq.create 4 0UL) @@ -479,7 +479,7 @@ let slab_to_slots (#opened:_) noextract let zero_beyond_bound - (size_class: sc) + (size_class: sc_full) (md_as_seq: Seq.lseq U64.t 4) : prop = @@ -491,7 +491,7 @@ let zero_beyond_bound #push-options "--z3rlimit 100 --fuel 0 --ifuel 0" let empty_not_bitmap - (size_class:sc) + (size_class:sc_full) (s:Seq.lseq U64.t 4) (i:U32.t{U32.v i < U32.v (nb_slots size_class)}) : Lemma @@ -507,14 +507,14 @@ let empty_not_bitmap #pop-options let slots_to_slabs (#opened:_) - (size_class: sc) - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) (md: G.erased (Seq.lseq U64.t 4)) : SteelGhost unit opened ( starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class md @@ -531,11 +531,11 @@ let slots_to_slabs (#opened:_) Classical.forall_intro (Classical.move_requires (empty_not_bitmap size_class md)); assert (forall (k:nat{k < U32.v (nb_slots size_class)}). slab_vprop_aux_f size_class md (A.split_l arr (rounding size_class)) (Seq.index s k) == - some_as_vp #((Seq.lseq U8.t (U32.v size_class))) (SlotsAlloc.slot_vprop size_class (A.split_l arr (rounding size_class)) (Seq.index s k))); + some_as_vp #((Seq.lseq U8.t (U32.v size_class.sc))) (SlotsAlloc.slot_vprop size_class (A.split_l arr (rounding size_class)) (Seq.index s k))); starseq_weakening_rel_from_some #_ #(pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(Seq.lseq U8.t (U32.v size_class)) + #(Seq.lseq U8.t (U32.v size_class.sc)) (slab_vprop_aux_f size_class md (A.split_l arr (rounding size_class))) (SlotsAlloc.slot_vprop size_class @@ -549,18 +549,18 @@ let slots_to_slabs (#opened:_) starseq_weakening #_ #(pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(Seq.lseq U8.t (U32.v size_class)) + #(Seq.lseq U8.t (U32.v size_class.sc)) (SlotsAlloc.slot_vprop size_class (A.split_l arr (rounding size_class))) - (slot_vprop size_class (nb_slots size_class) + (slot_vprop size_class.sc (nb_slots size_class) (A.split_l arr (rounding size_class))) (SlotsAlloc.slot_vprop_lemma size_class (A.split_l arr (rounding size_class))) - (slot_vprop_lemma size_class (nb_slots size_class) + (slot_vprop_lemma size_class.sc (nb_slots size_class) (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))); - pieces_to_array size_class (nb_slots size_class) + pieces_to_array size_class.sc (nb_slots size_class) (A.split_l arr (rounding size_class)); A.ghost_join (A.split_l arr (rounding size_class)) @@ -574,9 +574,9 @@ let slots_to_slabs (#opened:_) #push-options "--fuel 1 --ifuel 1" let intro_empty_slab_varray (#opened:_) - (size_class: sc) + (size_class: sc_full) (md_as_seq: G.erased (Seq.lseq U64.t 4)) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : SteelGhost unit opened ( slab_vprop_aux size_class (A.split_l arr (rounding size_class)) (G.reveal md_as_seq) `star` @@ -593,7 +593,7 @@ let intro_empty_slab_varray (#opened:_) (slab_vprop_aux size_class (A.split_l arr (rounding size_class)) (G.reveal md_as_seq)) (starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class md_as_seq diff --git a/src/LargeAlloc.fst b/src/LargeAlloc.fst index 05e6e002..0fadcfd1 100644 --- a/src/LargeAlloc.fst +++ b/src/LargeAlloc.fst @@ -292,7 +292,7 @@ let large_malloc_aux let t : wdm data = v_ind_tree metadata_ptr h0 in Spec.size_of_tree t < c /\ US.v size > 0 /\ - US.v size > U32.v page_size /\ + US.v size > U32.v max_slab_size /\ US.fits (US.v size + U32.v page_size) ) (ensures fun h0 r h1 -> @@ -301,7 +301,7 @@ let large_malloc_aux let s : t_of (null_or_varray r) = h1 (null_or_varray r) in US.fits (US.v size + U32.v page_size) /\ - US.v size > U32.v page_size /\ + US.v size > U32.v max_slab_size /\ Spec.is_avl (spec_convert cmp) t /\ (not (A.is_null r) ==> ( (let size' = mmap_actual_size size in @@ -397,7 +397,7 @@ let large_free_aux b ==> ( US.fits (A.length ptr) /\ A.is_full_array ptr /\ - A.length ptr > U32.v page_size /\ + A.length ptr > U32.v max_slab_size /\ (let size = US.uint_to_t (A.length ptr) in Spec.mem (spec_convert cmp) t (ptr, size) /\ @@ -460,7 +460,7 @@ let large_malloc (size: US.t) (fun ptr -> null_or_varray ptr) (requires fun _ -> US.v size > 0 /\ - US.v size > U32.v page_size /\ + US.v size > U32.v max_slab_size /\ US.fits (US.v size + U32.v page_size) ) (ensures fun _ ptr h1 -> @@ -547,7 +547,7 @@ let large_getsize_aux (metadata: ref t) (ptr: array U8.t) //h0 (ind_linked_wf_tree metadata) /\ (US.v r > 0 ==> A.length ptr == US.v r /\ - US.v r > U32.v page_size + US.v r > U32.v max_slab_size ) ) = @@ -579,7 +579,7 @@ let large_getsize (ptr: array U8.t) A.asel ptr h1 == A.asel ptr h0 /\ (US.v r > 0 ==> A.length ptr == US.v r /\ - US.v r > U32.v page_size + US.v r > U32.v max_slab_size ) ) = @@ -599,7 +599,7 @@ let large_getsize (ptr: array U8.t) x0 `Seq.equal` x1 /\ (US.v r > 0 ==> A.length ptr == US.v r /\ - US.v r > U32.v page_size + US.v r > U32.v max_slab_size ) ) (fun _ -> large_getsize_aux metadata.data ptr) diff --git a/src/LargeAlloc.fsti b/src/LargeAlloc.fsti index e6fbda74..49586848 100644 --- a/src/LargeAlloc.fsti +++ b/src/LargeAlloc.fsti @@ -21,7 +21,7 @@ val large_malloc (size: US.t) (fun ptr -> null_or_varray ptr) (requires fun _ -> US.v size > 0 /\ - US.v size > U32.v page_size /\ + US.v size > U32.v max_slab_size /\ US.fits (US.v size + U32.v page_size) ) (ensures fun _ ptr h1 -> @@ -52,6 +52,6 @@ val large_getsize (ptr: array U8.t) A.asel ptr h1 == A.asel ptr h0 /\ (US.v r > 0 ==> A.length ptr == US.v r /\ - US.v r > U32.v page_size + US.v r > U32.v max_slab_size ) ) diff --git a/src/Main.Meta.fst b/src/Main.Meta.fst index ff9f30c1..923d6d1e 100644 --- a/src/Main.Meta.fst +++ b/src/Main.Meta.fst @@ -4,7 +4,7 @@ friend Config [@@ reduce_attr] inline_for_extraction noextract -let sc_list: l:list sc{US.v nb_size_classes == List.length sc_list} +let sc_list: l:list sc_full{US.v nb_size_classes == List.length sc_list} = normalize_term sc_list /// Number of arenas as a nat, for specification purposes. Not relying on US.v @@ -38,11 +38,11 @@ module ML = MiscList inline_for_extraction noextract let rec arena_sc_list' (i:nat{i <= US.v nb_arenas}) - (acc:list sc{ + (acc:list sc_full{ List.length acc = i * US.v nb_size_classes /\ (forall (k:nat{k < L.length acc}). L.index acc k == L.index sc_list (k % (US.v nb_size_classes))) }) - : Tot (l:list sc{ + : Tot (l:list sc_full{ L.length l == total_nb_sc /\ (forall (k:nat{k < L.length l}). L.index l k == L.index sc_list (k % (US.v nb_size_classes))) }) @@ -59,7 +59,7 @@ let rec arena_sc_list' ) else ( List.append_length acc sc_list; let l = acc `List.append` sc_list in - ML.lemma_append_repeat #sc i sc_list (US.v nb_size_classes) acc; + ML.lemma_append_repeat #sc_full i sc_list (US.v nb_size_classes) acc; assert (forall (k:nat{k < L.length acc}). L.index l k == L.index sc_list (k % (US.v nb_size_classes)) ); @@ -70,7 +70,7 @@ let rec arena_sc_list' /// Fuel needed to establish that the length of [] is 0 #push-options "--fuel 1" [@@ reduce_attr] -let arena_sc_list : l:list sc{ +let arena_sc_list : l:list sc_full{ (forall (i:nat{i < L.length l}). L.index l i == L.index sc_list (i % US.v nb_size_classes)) } = arena_sc_list' 0 [] @@ -79,7 +79,7 @@ let arena_sc_list : l:list sc{ #restart-solver [@"opaque_to_smt"] -let sizes_t_pred (r: TLA.t sc) +let sizes_t_pred (r: TLA.t sc_full) = TLA.length r == total_nb_sc /\ (forall (k:US.t{US.v k < total_nb_sc}). @@ -94,7 +94,7 @@ let sizes_t_pred_elim (r: sizes_t) let sizes : sizes_t = normalize_term_spec arena_sc_list; reveal_opaque (`%sizes_t_pred) sizes_t_pred; - TLA.create #sc (normalize_term arena_sc_list) + TLA.create #sc_full (normalize_term arena_sc_list) #pop-options #push-options "--z3rlimit 300 --fuel 0 --ifuel 0" @@ -105,6 +105,7 @@ let init (fun _ r _ -> True) = metadata_max_up_fits (); + metadata_max_fits (); US.fits_lte (US.v nb_size_classes * US.v nb_arenas) ((US.v metadata_max * U32.v page_size) * US.v nb_size_classes * US.v nb_arenas); @@ -194,9 +195,9 @@ val allocate_size_class let scs' = (Seq.index (G.reveal sc_all.g_size_classes) (US.v (G.reveal idx))).data in scs' == scs /\ not (is_null r) ==> ( - A.length r == U32.v scs'.size /\ + A.length r == U32.v scs'.size.sc /\ array_u8_alignment r 16ul /\ - ((U32.v scs'.size > 0 /\ (U32.v page_size) % (U32.v scs.size) == 0) ==> array_u8_alignment r scs.size) + (U32.v scs.size.slab_size % U32.v scs.size.sc == 0 ==> array_u8_alignment r scs.size.sc) ) ) @@ -224,10 +225,10 @@ let slab_malloc_one (i:US.t{US.v i < total_nb_sc}) (bytes: U32.t) (fun _ _ r x1 -> let size = (Seq.index (G.reveal sc_all.g_size_classes) (US.v i)).data.size in not (is_null r) ==> ( - A.length r == U32.v size /\ + A.length r == U32.v size.sc /\ A.length r >= U32.v bytes /\ array_u8_alignment r 16ul /\ - ((U32.v page_size) % (U32.v size) == 0 ==> array_u8_alignment r size) + ((U32.v size.slab_size) % (U32.v size.sc) == 0 ==> array_u8_alignment r size.sc) ) ) (fun sc_data -> allocate_size_class (G.hide i) sc_data) @@ -243,7 +244,7 @@ let cons_implies_positive_length (#a: Type) (l: list a) #push-options "--fuel 0 --ifuel 0 --z3rlimit 100" let aux_lemma - (l:list sc{List.length l <= length sc_all.size_classes /\ Cons? l}) + (l:list sc_full{List.length l <= length sc_all.size_classes /\ Cons? l}) (i:US.t{US.v i + List.length l == US.v nb_size_classes}) (arena_id:US.t{US.v arena_id < US.v nb_arenas}) : Lemma @@ -288,7 +289,7 @@ let aux_lemma [@@ reduce_attr] noextract let rec slab_malloc_i - (l:list sc{List.length l <= length sc_all.size_classes}) + (l:list sc_full{List.length l <= length sc_all.size_classes}) (i:US.t{US.v i + List.length l == US.v nb_size_classes}) (arena_id:US.t{US.v arena_id < US.v nb_arenas}) bytes @@ -310,7 +311,7 @@ let rec slab_malloc_i | hd::tl -> aux_lemma l i arena_id; [@inline_let] let idx = (arena_id `US.mul` nb_size_classes) `US.add` i in - let size = TLA.get sizes idx in + let size = (TLA.get sizes idx).sc in if bytes `U32.lte` size then slab_malloc_one idx bytes else @@ -337,7 +338,7 @@ let set_canary ptr size [@@ reduce_attr] noextract let rec slab_malloc_canary_i - (l:list sc{List.length l <= length sc_all.size_classes}) + (l:list sc_full{List.length l <= length sc_all.size_classes}) (i:US.t{US.v i + List.length l == US.v nb_size_classes}) (arena_id:US.t{US.v arena_id < US.v nb_arenas}) bytes @@ -361,7 +362,7 @@ let rec slab_malloc_canary_i | hd::tl -> aux_lemma l i arena_id; [@inline_let] let idx = (arena_id `US.mul` nb_size_classes) `US.add` i in - let size = TLA.get sizes idx in + let size = (TLA.get sizes idx).sc in if bytes `U32.lte` (size `U32.sub` 2ul) then let ptr = slab_malloc_one idx bytes in set_canary ptr size; @@ -374,6 +375,25 @@ open MiscArith #restart-solver +#push-options "--fuel 0 --ifuel 0 --z3rlimit 50" +let mod_lemma + (sc: sc_full) + : Lemma + (requires + U32.v sc.slab_size % U32.v sc.sc == 0) + (ensures + U32.v max_slab_size % U32.v sc.sc == 0) + = + assert (U32.v max_slab_size % U32.v sc.slab_size == 0); + let k = U32.v max_slab_size / U32.v sc.slab_size in + assert (U32.v max_slab_size == k * U32.v sc.slab_size); + assert (U32.v sc.slab_size % U32.v sc.sc == 0); + let k' = U32.v sc.slab_size / U32.v sc.sc in + assert (U32.v sc.slab_size == k' * U32.v sc.sc); + () +#pop-options + + #push-options "--fuel 1 --ifuel 1 --z3rlimit 200" /// `slab_aligned_alloc` works in a very similar way as `slab_malloc_i` /// The key difference lies in the condition of the if-branch: we only @@ -382,10 +402,10 @@ open MiscArith [@@ reduce_attr] noextract let rec slab_aligned_alloc_i - (l:list sc{List.length l <= length sc_all.size_classes}) + (l:list sc_full{List.length l <= length sc_all.size_classes}) (i:US.t{US.v i + List.length l == US.v nb_size_classes}) (arena_id:US.t{US.v arena_id < US.v nb_arenas}) - (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v page_size) % (U32.v v) = 0})) + (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v max_slab_size) % (U32.v v) = 0})) bytes : Steel (array U8.t) emp @@ -406,17 +426,19 @@ let rec slab_aligned_alloc_i | hd::tl -> aux_lemma l i arena_id; [@inline_let] let idx = (arena_id `US.mul` nb_size_classes) `US.add` i in - let size = TLA.get sizes idx in - let b = U32.eq (U32.rem page_size size) 0ul in - if b && bytes `U32.lte` size && alignment `U32.lte` size then ( + let size = (TLA.get sizes idx) in + let b = U32.eq (U32.rem size.slab_size size.sc) 0ul in + if b && bytes `U32.lte` size.sc && alignment `U32.lte` size.sc then ( let r = slab_malloc_one idx bytes in let size_ = G.hide (Seq.index sc_all.g_size_classes (US.v idx)).data.size in - assert (G.reveal size_ = size); - assert ((U32.v page_size) % (U32.v (G.reveal size_ )) = 0); - assert_norm (U32.v page_size = pow2 12); - alignment_lemma (U32.v page_size) 12 (U32.v alignment) (U32.v size); - assert (U32.v size % U32.v alignment = 0); - array_u8_alignment_lemma2 r size alignment; + assert (G.reveal size_.sc = size.sc); + assert (G.reveal size_.slab_size = size.slab_size); + mod_lemma size; + assert ((U32.v max_slab_size) % (U32.v (G.reveal size_.sc)) = 0); + assert_norm (U32.v max_slab_size = pow2 17); + alignment_lemma (U32.v max_slab_size) 17 (U32.v alignment) (U32.v size.sc); + assert (U32.v size.sc % U32.v alignment = 0); + array_u8_alignment_lemma2 r size.sc alignment; return r ) else ( slab_aligned_alloc_i tl (i `US.add` 1sz) arena_id alignment bytes @@ -430,10 +452,10 @@ let rec slab_aligned_alloc_i [@@ reduce_attr] noextract let rec slab_aligned_alloc_canary_i - (l:list sc{List.length l <= length sc_all.size_classes}) + (l:list sc_full{List.length l <= length sc_all.size_classes}) (i:US.t{US.v i + List.length l == US.v nb_size_classes}) (arena_id:US.t{US.v arena_id < US.v nb_arenas}) - (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v page_size) % (U32.v v) = 0})) + (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v max_slab_size) % (U32.v v) = 0})) bytes : Steel (array U8.t) emp @@ -456,19 +478,21 @@ let rec slab_aligned_alloc_canary_i | hd::tl -> aux_lemma l i arena_id; [@inline_let] let idx = (arena_id `US.mul` nb_size_classes) `US.add` i in - let size = TLA.get sizes idx in - let b = U32.eq (U32.rem page_size size) 0ul in - if b && bytes `U32.lte` (size `U32.sub` 2ul) && alignment `U32.lte` size then ( - let ptr = slab_malloc_one idx bytes in + let size = (TLA.get sizes idx) in + let b = U32.eq (U32.rem size.slab_size size.sc) 0ul in + if b && bytes `U32.lte` (size.sc `U32.sub` 2ul) && alignment `U32.lte` size.sc then ( + let r = slab_malloc_one idx bytes in let size_ = G.hide (Seq.index sc_all.g_size_classes (US.v idx)).data.size in - assert (G.reveal size_ = size); - assert ((U32.v page_size) % (U32.v (G.reveal size_ )) = 0); - assert_norm (U32.v page_size = pow2 12); - alignment_lemma (U32.v page_size) 12 (U32.v alignment) (U32.v size); - assert (U32.v size % U32.v alignment = 0); - array_u8_alignment_lemma2 ptr size alignment; - set_canary ptr size; - return ptr + assert (G.reveal size_.sc = size.sc); + assert (G.reveal size_.slab_size = size.slab_size); + mod_lemma size; + assert ((U32.v max_slab_size) % (U32.v (G.reveal size_.sc)) = 0); + assert_norm (U32.v max_slab_size = pow2 17); + alignment_lemma (U32.v max_slab_size) 17 (U32.v alignment) (U32.v size.sc); + assert (U32.v size.sc % U32.v alignment = 0); + array_u8_alignment_lemma2 r size.sc alignment; + set_canary r size.sc; + return r ) else ( slab_aligned_alloc_canary_i tl (i `US.add` 1sz) arena_id alignment bytes ) diff --git a/src/Main.Meta.fsti b/src/Main.Meta.fsti index 0e07b769..74f29e70 100644 --- a/src/Main.Meta.fsti +++ b/src/Main.Meta.fsti @@ -38,11 +38,11 @@ val total_nb_sc_lemma (_: unit) (total_nb_sc == US.v nb_size_classes * US.v nb_arenas) inline_for_extraction noextract -val arena_sc_list : (l:list sc{List.length l == total_nb_sc /\ Cons? l}) +val arena_sc_list : (l:list sc_full{List.length l == total_nb_sc /\ Cons? l}) -val sizes_t_pred (r: TLA.t sc) : prop +val sizes_t_pred (r: TLA.t sc_full) : prop -unfold type sizes_t = r:TLA.t sc{ +unfold type sizes_t = r:TLA.t sc_full{ TLA.length r == total_nb_sc /\ sizes_t_pred r } @@ -70,7 +70,7 @@ type size_classes_all = //ro_sizes: ro_array sizes g_sizes; slab_region: arr:array U8.t{ // The region of memory handled by this size class synced_sizes total_nb_sc sizes g_size_classes /\ - A.length arr == US.v slab_region_size /\ + A.length arr == US.v full_slab_region_size /\ (forall (i:nat{i < Seq.length g_size_classes}). size_class_pred arr (Seq.index g_size_classes i) i) } @@ -84,16 +84,16 @@ val slab_malloc_one (i:US.t{US.v i < total_nb_sc}) (bytes: U32.t) (array U8.t) emp (fun r -> null_or_varray r) (requires fun _ -> - U32.v bytes <= U32.v (Seq.index (G.reveal sc_all.g_size_classes) (US.v i)).data.size + U32.v bytes <= U32.v (Seq.index (G.reveal sc_all.g_size_classes) (US.v i)).data.size.sc ) (ensures fun _ r _ -> let size = (Seq.index sc_all.g_size_classes (US.v i)).data.size in - U32.v size > 0 /\ + U32.v size.sc > 0 /\ not (is_null r) ==> ( - A.length r == U32.v (Seq.index (G.reveal sc_all.g_size_classes) (US.v i)).data.size /\ + A.length r == U32.v size.sc /\ A.length r >= U32.v bytes /\ array_u8_alignment r 16ul /\ - ((U32.v page_size) % (U32.v size) == 0 ==> array_u8_alignment r size) + ((U32.v size.slab_size) % (U32.v size.sc) == 0 ==> array_u8_alignment r size.sc) ) ) @@ -169,7 +169,7 @@ val slab_malloc_generic_canary inline_for_extraction noextract val slab_aligned_alloc_generic_nocanary (arena_id:US.t{US.v arena_id < US.v nb_arenas}) - (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v page_size) % (U32.v v) = 0})) + (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v max_slab_size) % (U32.v v) = 0})) bytes : Steel (array U8.t) emp @@ -190,7 +190,7 @@ val slab_aligned_alloc_generic_nocanary inline_for_extraction noextract val slab_aligned_alloc_generic_canary (arena_id:US.t{US.v arena_id < US.v nb_arenas}) - (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v page_size) % (U32.v v) = 0})) + (alignment: (v:U32.t{U32.v v > 0 /\ (U32.v max_slab_size) % (U32.v v) = 0})) bytes : Steel (array U8.t) emp diff --git a/src/Main.fst b/src/Main.fst index 5e94316e..02cabb85 100644 --- a/src/Main.fst +++ b/src/Main.fst @@ -94,7 +94,7 @@ let intro_ind_varraylist_nil r r_idxs = (SlabsCommon.ind_varraylist_aux r) val intro_left_vprop_empty (#opened:_) - (sc:sc) + (sc:sc_full) (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) @@ -160,6 +160,7 @@ let intro_left_vprop_empty sc slab_region md_bm_region md_region r_idxs (left_vprop2 sc slab_region md_bm_region md_region r_idxs 0sz) val intro_right_vprop_empty (#opened:_) + (sc: sc_full) (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) @@ -167,37 +168,37 @@ val intro_right_vprop_empty (#opened:_) (A.varray (split_r slab_region 0sz) `star` A.varray (split_r md_bm_region 0sz) `star` A.varray (split_r md_region 0sz)) - (fun _ -> SlabsCommon.right_vprop slab_region md_bm_region md_region 0sz) + (fun _ -> SlabsCommon.right_vprop sc slab_region md_bm_region md_region 0sz) (requires fun h -> A.asel (split_r slab_region 0sz) h `Seq.equal` Seq.create (A.length slab_region) U8.zero /\ A.asel (split_r md_bm_region 0sz) h `Seq.equal` Seq.create (A.length md_bm_region) U64.zero) (ensures fun _ _ _ -> True) -let intro_right_vprop_empty slab_region md_bm_region md_region = +let intro_right_vprop_empty sc slab_region md_bm_region md_region = change_equal_slprop (A.varray (A.split_r slab_region 0sz)) - (A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz page_size)))); + (A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz sc.slab_size)))); change_equal_slprop (A.varray (A.split_r md_bm_region 0sz)) (A.varray (A.split_r md_bm_region (US.mul 0sz 4sz))); intro_vrefine - (A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz page_size)))) zf_u8; + (A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz sc.slab_size)))) zf_u8; intro_vrefine (A.varray (A.split_r md_bm_region (US.mul 0sz 4sz))) zf_u64; assert_norm ( - (A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz page_size))) + (A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul 0sz 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region 0sz) == - (right_vprop slab_region md_bm_region md_region 0sz)); + (right_vprop sc slab_region md_bm_region md_region 0sz)); change_equal_slprop - ((A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz page_size))) + ((A.varray (A.split_r slab_region (US.mul 0sz (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul 0sz 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region 0sz)) - (right_vprop slab_region md_bm_region md_region 0sz) + (right_vprop sc slab_region md_bm_region md_region 0sz) #restart-solver @@ -238,7 +239,7 @@ let init_idxs (r_idxs: array US.t{A.length r_idxs == 7}) #push-options "--z3rlimit 200 --compat_pre_typed_indexed_effects --fuel 0 --ifuel 0" noextract inline_for_extraction let init_struct_aux - (sc:sc) + (sc:sc_full) (slab_region: array U8.t{A.length slab_region == U32.v page_size * US.v metadata_max}) (md_bm_region: array U64.t{A.length md_bm_region == US.v 4sz * US.v metadata_max}) (md_region: array AL.cell{A.length md_region == US.v metadata_max}) @@ -250,12 +251,12 @@ let init_struct_aux ) (fun scs -> size_class_vprop scs) (requires fun h0 -> - array_u8_alignment slab_region page_size /\ + array_u8_alignment slab_region max_slab_size /\ zf_u8 (A.asel slab_region h0) /\ zf_u64 (A.asel md_bm_region h0) ) (ensures fun _ r h1 -> - U32.eq r.size sc /\ + r.size == sc /\ //zf_u8 (A.asel (A.split_l slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) (US.sub n 1sz))) h1) /\ //zf_u64 (A.asel (A.split_l md_bm_region (US.mul (US.mul metadata_max 4sz) (US.sub n 1sz))) h1) /\ r.slab_region == slab_region /\ @@ -275,7 +276,7 @@ let init_struct_aux drop (A.varray (A.split_l md_bm_region 0sz)); drop (A.varray (A.split_l slab_region 0sz)); - intro_right_vprop_empty slab_region md_bm_region md_region; + intro_right_vprop_empty sc slab_region md_bm_region md_region; let r_idxs = mmap_array_us_init 7sz in init_idxs r_idxs; @@ -290,13 +291,13 @@ let init_struct_aux intro_vrefinedep (R.vptr md_count) - vrefinedep_prop + (vrefinedep_prop sc) (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) (left_vprop sc slab_region md_bm_region md_region r_idxs 0sz `star` - right_vprop slab_region md_bm_region md_region 0sz); + right_vprop sc slab_region md_bm_region md_region 0sz); [@inline_let] @@ -312,7 +313,7 @@ let init_struct_aux change_slprop_rel (vrefinedep (R.vptr md_count) - vrefinedep_prop + (vrefinedep_prop sc) (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) @@ -325,7 +326,7 @@ let init_struct_aux == vrefinedep (R.vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop sc) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs) ) by (norm [delta_only [`%size_class_vprop]]; trefl ()) @@ -349,7 +350,7 @@ let init_struct US.v metadata_max * US.v 4sz <= US.v metadata_max * US.v 4sz * US.v n /\ US.v metadata_max <= US.v metadata_max * US.v n }) - (sc:sc) + (sc:sc_full) (slab_region: array U8.t{A.length slab_region == U32.v page_size * US.v metadata_max * US.v n}) (md_bm_region: array U64.t{A.length md_bm_region == US.v 4sz * US.v metadata_max * US.v n}) (md_region: array AL.cell{A.length md_region == US.v metadata_max * US.v n}) @@ -365,13 +366,13 @@ let init_struct A.varray (A.split_r md_region metadata_max) ) (requires fun h0 -> - array_u8_alignment slab_region page_size /\ + array_u8_alignment slab_region max_slab_size /\ zf_u8 (A.asel slab_region h0) /\ zf_u64 (A.asel md_bm_region h0) ) (ensures fun _ r h1 -> - U32.eq r.size sc /\ - array_u8_alignment (A.split_r slab_region (US.mul metadata_max (u32_to_sz page_size))) page_size /\ + r.size == sc /\ + array_u8_alignment (A.split_r slab_region (US.mul metadata_max (u32_to_sz page_size))) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul metadata_max (u32_to_sz page_size))) h1) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul metadata_max 4sz)) h1) /\ A.ptr_of r.slab_region == A.ptr_of slab_region /\ @@ -410,11 +411,11 @@ let init_struct ); lemma_mod_mul2 (US.v metadata_max) (U32.v page_size) 16; assert (US.v (US.mul metadata_max (u32_to_sz page_size)) % 16 == 0); - array_u8_alignment_lemma slab_region slab_region' page_size page_size; + array_u8_alignment_lemma slab_region slab_region' max_slab_size max_slab_size; array_u8_alignment_lemma slab_region (A.split_r slab_region (US.mul metadata_max (u32_to_sz page_size))) - page_size page_size; - assert (array_u8_alignment slab_region' page_size); + max_slab_size max_slab_size; + assert (array_u8_alignment (A.split_r slab_region (US.mul metadata_max (u32_to_sz page_size))) max_slab_size); let scs = init_struct_aux sc slab_region' md_bm_region' md_region' in return scs @@ -521,13 +522,13 @@ let f_lemma unfold let size_class_pred (slab_region:array U8.t) (sc:size_class) (i:nat) : prop = same_base_array slab_region sc.data.slab_region /\ - A.offset (A.ptr_of sc.data.slab_region) == A.offset (A.ptr_of slab_region) + i * US.v slab_size + A.offset (A.ptr_of sc.data.slab_region) == A.offset (A.ptr_of slab_region) + i * US.v sc_slab_region_size #push-options "--fuel 0 --ifuel 0 --z3rlimit 200" noextract inline_for_extraction val init_wrapper2 - (sc: sc) + (sc: sc_full) (n: US.t{ US.fits (US.v metadata_max * US.v (u32_to_sz page_size) * US.v n) /\ US.fits (US.v metadata_max * US.v 4sz * US.v n) /\ @@ -564,16 +565,16 @@ val init_wrapper2 (requires fun h0 -> US.v k < US.v n /\ US.v k' == US.v k + 1 /\ - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) h0) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) k)) h0) /\ True ) (ensures fun _ r h1 -> - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k')) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k')) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k')) h1) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) k')) h1) /\ - U32.eq r.data.size sc /\ + r.data.size == sc /\ size_class_pred slab_region r (US.v k) //same_base_array slab_region r.data.slab_region /\ //A.offset (A.ptr_of r.data.slab_region) == A.offset (A.ptr_of slab_region) + US.v metadata_max * US.v (u32_to_sz page_size) * US.v k @@ -635,14 +636,15 @@ let init_wrapper2 sc n k k' slab_region md_bm_region md_region module G = FStar.Ghost module UP = FStar.PtrdiffT -let slab_region_size +let full_slab_region_size : v:US.t{ US.v v == US.v metadata_max * U32.v page_size * US.v nb_size_classes * US.v nb_arenas /\ UP.fits (US.v v) } = + metadata_max_fits (); metadata_max_up_fits (); - slab_size `US.mul` nb_size_classes `US.mul` nb_arenas + sc_slab_region_size `US.mul` nb_size_classes `US.mul` nb_arenas ///// A logical predicate indicating that a list of sizes corresponds ///// to the sizes of a list of size_classes @@ -652,8 +654,10 @@ let slab_region_size /// A logical predicate indicating that a list of sizes corresponds /// to the sizes of a list of size_classes let synced_sizes (#n:nat{US.fits n}) (k:nat{k <= n}) - (sizes:TLA.t sc{TLA.length sizes >= n}) - (size_classes:Seq.lseq size_class n) : prop = + (sizes:TLA.t sc_full{TLA.length sizes >= n}) + (size_classes:Seq.lseq size_class n) + : prop + = forall (i:nat{i < k}). TLA.get sizes (US.uint_to_t i) == (Seq.index size_classes i).data.size @@ -687,7 +691,7 @@ val init_size_class A.length md_region >= US.v metadata_max * US.v k' }) (size_classes: array size_class{A.length size_classes == US.v n}) - (sizes: TLA.t sc{TLA.length sizes >= US.v n}) + (sizes: TLA.t sc_full{TLA.length sizes >= US.v n}) : Steel unit ( A.varray (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) `star` @@ -707,14 +711,14 @@ val init_size_class ) (requires fun h0 -> US.v k' == US.v k + 1 /\ - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) h0) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) k)) h0) /\ synced_sizes (US.v k) sizes (asel size_classes h0) /\ (forall (i:nat{i < US.v k}) . size_class_pred slab_region (Seq.index (asel size_classes h0) i) i) ) (ensures fun _ r h1 -> - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k')) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k')) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k')) h1) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) k')) h1) /\ synced_sizes (US.v k') sizes (asel size_classes h1) /\ @@ -748,7 +752,7 @@ irreducible let reduce_attr : unit = () /// to `init_size_class` [@@ reduce_attr] noextract -val init_size_classes_aux (l:list sc) +val init_size_classes_aux (l:list sc_full) (n: US.t{ UInt.size (US.v n) U32.n /\ US.fits (US.v n) /\ @@ -774,7 +778,7 @@ val init_size_classes_aux (l:list sc) A.length md_region >= US.v metadata_max * US.v k' }) (size_classes: array size_class{A.length size_classes == US.v n}) - (sizes: TLA.t sc{TLA.length sizes >= US.v n}) + (sizes: TLA.t sc_full{TLA.length sizes >= US.v n}) //(sizes: array sc{A.length sizes == US.v n}) : Steel unit ( @@ -800,14 +804,14 @@ val init_size_classes_aux (l:list sc) Cons? l /\ US.v k' == US.v k + 1 /\ - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) k)) h0) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) k)) h0) /\ synced_sizes (US.v k) sizes (asel size_classes h0) /\ (forall (i:nat{i < US.v k}) . size_class_pred slab_region (Seq.index (asel size_classes h0) i) i) ) (ensures fun _ r h1 -> - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) n)) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) n)) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) n)) h1) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) n)) h1) /\ synced_sizes (US.v n) sizes (asel size_classes h1) /\ @@ -850,7 +854,7 @@ let rec init_size_classes_aux l n k k' slab_region md_bm_region md_region size_c #push-options "--fuel 0 --ifuel 0" /// Entrypoint, allocating all size classes according to the list of sizes [l] inline_for_extraction noextract -val init_size_classes (l:list sc) +val init_size_classes (l:list sc_full) (n: US.t{ UInt.size (US.v n) U32.n /\ US.fits (US.v n) /\ @@ -874,7 +878,7 @@ val init_size_classes (l:list sc) A.length md_region >= US.v metadata_max * 1 }) (size_classes: array size_class{A.length size_classes == US.v n}) - (sizes: TLA.t sc{TLA.length sizes >= US.v n}) + (sizes: TLA.t sc_full{TLA.length sizes >= US.v n}) //(sizes: array sc{A.length sizes == US.v n}) : Steel unit ( @@ -899,14 +903,14 @@ val init_size_classes (l:list sc) List.length l == US.v n /\ Cons? l /\ - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) 0sz)) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) 0sz)) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) 0sz)) h0) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) 0sz)) h0) /\ synced_sizes 0 sizes (asel size_classes h0) /\ (forall (i:nat{i < 0}) . size_class_pred slab_region (Seq.index (asel size_classes h0) i) i) ) (ensures fun _ r h1 -> - array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) n)) page_size /\ + array_u8_alignment (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) n)) max_slab_size /\ zf_u8 (A.asel (A.split_r slab_region (US.mul (US.mul metadata_max (u32_to_sz page_size)) n)) h1) /\ zf_u64 (A.asel (A.split_r md_bm_region (US.mul (US.mul metadata_max 4sz) n)) h1) /\ synced_sizes (US.v n) sizes (asel size_classes h1) /\ @@ -950,9 +954,9 @@ val allocate_size_class (requires fun h0 -> True) (ensures fun h0 r h1 -> not (is_null r) ==> ( - A.length r == U32.v scs.size /\ + A.length r == U32.v scs.size.sc /\ array_u8_alignment r 16ul /\ - ((U32.v scs.size > 0 /\ (U32.v page_size) % (U32.v scs.size) == 0) ==> array_u8_alignment r scs.size) + (U32.v scs.size.slab_size % U32.v scs.size.sc == 0 ==> array_u8_alignment r scs.size.sc) ) ) diff --git a/src/Main2.fst b/src/Main2.fst index feb80451..a77293ac 100644 --- a/src/Main2.fst +++ b/src/Main2.fst @@ -37,8 +37,8 @@ val slab_malloc_fast emp (fun r -> null_or_varray r) (requires fun _ -> - (enable_slab_canaries_malloc ==> U32.v bytes <= U32.v page_size - 2) /\ - (not enable_slab_canaries_malloc ==> U32.v bytes <= U32.v page_size) + (enable_slab_canaries_malloc ==> U32.v bytes <= U32.v max_slab_size - 2) /\ + (not enable_slab_canaries_malloc ==> U32.v bytes <= U32.v max_slab_size) ) (ensures fun _ r h1 -> let s : t_of (null_or_varray r) @@ -99,14 +99,14 @@ let slab_malloc_fast_lemma : Lemma (requires US.v i < US.v nb_size_classes /\ - U32.v size <= U32.v (L.index sc_list (US.v i)) + U32.v size <= U32.v (L.index sc_list (US.v i)).sc ) (ensures US.fits (US.v arena_id * US.v nb_size_classes) /\ US.fits (US.v arena_id * US.v nb_size_classes + US.v i) /\ US.v arena_id * US.v nb_size_classes + US.v i < TLA.length sizes /\ (let idx = (arena_id `US.mul` nb_size_classes) `US.add` i in - U32.v size <= U32.v (Seq.index (G.reveal sc_all.g_size_classes) (US.v idx)).data.size + U32.v size <= U32.v (Seq.index (G.reveal sc_all.g_size_classes) (US.v idx)).data.size.sc )) = total_nb_sc_lemma (); @@ -137,7 +137,7 @@ let slab_malloc_fast arena_id bytes [@inline_let] let idx = (arena_id `US.mul` nb_size_classes) `US.add` i in let size = TLA.get sizes idx in let ptr = slab_malloc_one idx bytes in - set_canary ptr size; + set_canary ptr size.sc; return ptr ) else ( let i = sc_selection bytes in @@ -179,9 +179,9 @@ let slab_free' (i:US.t{US.v i < US.v nb_size_classes * US.v nb_arenas}) (ptr: ar let diff' = offset (ptr_of ptr) - offset (ptr_of sc.data.slab_region) in same_base_array ptr sc.data.slab_region /\ 0 <= diff' /\ - diff' < US.v slab_size /\ - (diff' % U32.v page_size) % U32.v sc.data.size == 0 /\ - A.length ptr == U32.v sc.data.size /\ + diff' < US.v sc_slab_region_size /\ + (diff' % U32.v sc.data.size.slab_size) % U32.v sc.data.size.sc == 0 /\ + A.length ptr == U32.v sc.data.size.sc /\ US.v diff = diff' )) (ensures fun h0 _ h1 -> True) @@ -211,20 +211,21 @@ let slab_free' (i:US.t{US.v i < US.v nb_size_classes * US.v nb_arenas}) (ptr: ar /// entire memory provided by the allocator: /// If a pointer is within a size class and aligned with /// the slots, then its length corresponds to the slot size -let within_size_class_i (ptr:A.array U8.t) (sc: size_class_struct) : prop = ( - // If ptr is within the size class sc - same_base_array sc.slab_region ptr /\ - A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.slab_region)) >= 0 /\ - A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.slab_region)) < US.v slab_size /\ - // and it is aligned on the slots - ((A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.slab_region))) % U32.v page_size) % U32.v sc.size = 0) ==> - // then its length is the length of a slot - A.length ptr == U32.v sc.size +let within_size_class_i (ptr:A.array U8.t) (sc: size_class_struct) : prop = + ( + // If ptr is within the size class sc + same_base_array sc.slab_region ptr /\ + A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.slab_region)) >= 0 /\ + A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.slab_region)) < US.v sc_slab_region_size /\ + // and it is aligned on the slots + ((A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.slab_region))) % U32.v sc.size.slab_size) % U32.v sc.size.sc = 0 + ) + // then its length is the length of a slot + ==> A.length ptr == U32.v sc.size.sc -#push-options "--fuel 0 --ifuel 1 --z3rlimit 150" /// Elimination lemma for `within_size_class_i`, triggering F* to prove the precondition /// of the implication -let elim_within_size_class_i (ptr:A.array U8.t) (i:nat{i < Seq.length sc_all.g_size_classes}) (size:sc) +val elim_within_size_class_i (ptr:A.array U8.t) (i:nat{i < Seq.length sc_all.g_size_classes}) (size:sc_full) : Lemma (requires ( let sc : size_class = G.reveal (Seq.index sc_all.g_size_classes i) in @@ -232,29 +233,55 @@ let elim_within_size_class_i (ptr:A.array U8.t) (i:nat{i < Seq.length sc_all.g_s within_size_class_i ptr sc.data /\ same_base_array sc.data.slab_region ptr /\ A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc.data.slab_region)) >= 0 /\ - A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc.data.slab_region)) < US.v slab_size /\ - ((A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc_all.slab_region))) % U32.v page_size) % U32.v size = 0)) + A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc.data.slab_region)) < US.v sc_slab_region_size /\ + ((A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc_all.slab_region))) % U32.v size.slab_size) % U32.v size.sc = 0)) (ensures ( let sc : size_class = G.reveal (Seq.index sc_all.g_size_classes i) in - ((A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc.data.slab_region))) % U32.v page_size) % U32.v size = 0 /\ - A.length ptr == U32.v size + ((A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc.data.slab_region))) % U32.v size.slab_size) % U32.v size.sc = 0 /\ + A.length ptr == U32.v size.sc )) + +let aux_lemma + (n x1 y1 x2 y2: nat) + : Lemma + (requires + x1 > 0 /\ y1 > 0 /\ + x1 == x2 /\ y1 == y2 + ) + (ensures + (n % x1) % y1 == (n % x2) % y2 + ) + = + () + +#push-options "--fuel 0 --ifuel 1 --z3rlimit 150"// --query_stats --split_queries always" +let elim_within_size_class_i ptr i size = let sc : size_class = G.reveal (Seq.index sc_all.g_size_classes i) in + assert (size.sc == sc.data.size.sc); + assert (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.data.slab_region)) >= 0); + assert (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc.data.slab_region)) < US.v sc_slab_region_size); + assert (((A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc_all.slab_region))) % U32.v size.slab_size) % U32.v size.sc = 0); + aux_lemma (A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc_all.slab_region))) + (U32.v size.slab_size) + (U32.v size.sc) + (U32.v sc.data.size.slab_size) + (U32.v sc.data.size.sc); + assert (((A.offset (A.ptr_of ptr) - A.offset (ptr_of (G.reveal sc_all.slab_region))) % U32.v sc.data.size.slab_size) % U32.v sc.data.size.sc = 0); let off_ptr = A.offset (A.ptr_of ptr) in let off1 = A.offset (A.ptr_of (G.reveal sc_all.slab_region)) in let off2 = A.offset (A.ptr_of (G.reveal sc.data.slab_region)) in - assert (off2 - off1 = i * US.v slab_size); - assert (off_ptr - off1 = off_ptr - off2 + i * US.v slab_size); - assert (i * US.v slab_size == i * US.v metadata_max * U32.v page_size); + assert (off2 - off1 = i * US.v sc_slab_region_size); + assert (off_ptr - off1 = off_ptr - off2 + i * US.v sc_slab_region_size); + assert (i * US.v sc_slab_region_size == i * US.v sc.data.size.md_max * U32.v sc.data.size.slab_size); Math.Lemmas.lemma_mod_plus (off_ptr - off2) - (i * US.v metadata_max) - (U32.v page_size); + (i * US.v sc.data.size.md_max) + (U32.v sc.data.size.slab_size); assert ( - (off_ptr - off1) % U32.v page_size + (off_ptr - off1) % U32.v sc.data.size.slab_size == - (off_ptr - off2) % U32.v page_size + (off_ptr - off2) % U32.v sc.data.size.slab_size ) #pop-options @@ -278,7 +305,9 @@ open Main #restart-solver -#push-options "--fuel 0 --ifuel 0 --z3rlimit 300" +#restart-solver + +#push-options "--fuel 1 --ifuel 1 --z3rlimit 300" let slab_getsize ptr = SAA.within_bounds_elim (A.split_l sc_all.slab_region 0sz) @@ -293,8 +322,8 @@ let slab_getsize ptr = ptr (A.split_l sc_all.slab_region 0sz) in let diff_sz = UP.ptrdifft_to_sizet diff in - let index = US.div diff_sz slab_size in - lemma_div_lt (US.v slab_size) (US.v nb_size_classes) (US.v nb_arenas) (US.v diff_sz); + let index = US.div diff_sz sc_slab_region_size in + lemma_div_lt (US.v sc_slab_region_size) (US.v nb_size_classes) (US.v nb_arenas) (US.v diff_sz); total_nb_sc_lemma (); assert (US.v index < US.v nb_size_classes * US.v nb_arenas); assert (TLA.length sizes == US.v nb_size_classes * US.v nb_arenas); @@ -303,32 +332,33 @@ let slab_getsize ptr = sizes_t_pred_elim sizes; let index' = G.hide (US.v index % US.v nb_size_classes) in assert (size = L.index sc_list index'); + assert (U32.v size.sc <= U32.v max_slab_size) by (let open FStar.Tactics in set_fuel 1; set_ifuel 1); if enable_sc_fast_selection then ( sc_selection_is_exact1 index'; sc_selection_is_exact2 index'; - let index'' = G.hide (sc_selection size) in + let index'' = G.hide (sc_selection size.sc) in assert (L.index sc_list (G.reveal index') == L.index sc_list (US.v (G.reveal index''))); assert (size = L.index sc_list (US.v (G.reveal index''))) ) else (); - let rem_slab = US.rem diff_sz slab_size in - let rem_slot = US.rem diff_sz (u32_to_sz page_size) in + let rem_slab = US.rem diff_sz sc_slab_region_size in + let rem_slot = US.rem diff_sz (US.uint32_to_sizet size.slab_size) in // TODO: some refactor needed wrt SlotsFree - if US.rem rem_slot (US.uint32_to_sizet size) = 0sz then ( + if US.rem rem_slot (US.uint32_to_sizet size.sc) = 0sz then ( (**) let sc : G.erased size_class = G.hide (Seq.index (G.reveal sc_all.g_size_classes) (US.v index)) in assert (size_class_pred sc_all.slab_region (G.reveal sc) (US.v index)); - assert (A.offset (A.ptr_of (G.reveal sc).data.slab_region) == A.offset (A.ptr_of sc_all.slab_region) + (US.v index) * (US.v slab_size)); + assert (A.offset (A.ptr_of (G.reveal sc).data.slab_region) == A.offset (A.ptr_of sc_all.slab_region) + (US.v index) * (US.v sc_slab_region_size)); assert (US.v rem_slab == A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc).data.slab_region)); - mod_lt diff_sz slab_size; - assert (US.v rem_slab < US.v slab_size); - mod_lt diff_sz (u32_to_sz page_size); - assert (US.v rem_slot == (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of sc_all.slab_region)) % (U32.v page_size)); - mod_lt rem_slot (US.uint32_to_sizet size); + mod_lt diff_sz sc_slab_region_size; + assert (US.v rem_slab < US.v sc_slab_region_size); + mod_lt diff_sz (u32_to_sz size.slab_size); + assert (US.v rem_slot == (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of sc_all.slab_region)) % (U32.v size.slab_size)); + mod_lt rem_slot (US.uint32_to_sizet size.sc); (**) elim_within_size_class_i ptr (US.v index) size; - (**) assert (A.length ptr == U32.v size); + (**) assert (A.length ptr == U32.v size.sc); if enable_slab_canaries_malloc then - return (US.uint32_to_sizet (size `U32.sub` 2ul)) + return (US.uint32_to_sizet (size.sc `U32.sub` 2ul)) else - return (US.uint32_to_sizet size) + return (US.uint32_to_sizet size.sc) ) else ( // invalid pointer return 0sz @@ -347,37 +377,37 @@ let slab_free ptr = (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (A.split_l sc_all.slab_region 0sz))) - (US.v slab_region_size); + (US.v full_slab_region_size); let diff = A.ptrdiff ptr (A.split_l sc_all.slab_region 0sz) in let diff_sz = UP.ptrdifft_to_sizet diff in - let index = US.div diff_sz slab_size in - lemma_div_lt (US.v slab_size) (US.v nb_size_classes) (US.v nb_arenas) (US.v diff_sz); + let index = US.div diff_sz sc_slab_region_size in + lemma_div_lt (US.v sc_slab_region_size) (US.v nb_size_classes) (US.v nb_arenas) (US.v diff_sz); total_nb_sc_lemma (); assert (US.v index < US.v nb_size_classes * US.v nb_arenas); assert (TLA.length sizes == US.v nb_size_classes * US.v nb_arenas); assert (US.v index < TLA.length sizes); let size = TLA.get sizes index in - let rem_slab = US.rem diff_sz slab_size in - let rem_slot = US.rem diff_sz (u32_to_sz page_size) in + let rem_slab = US.rem diff_sz sc_slab_region_size in + let rem_slot = US.rem diff_sz (US.uint32_to_sizet size.slab_size) in // TODO: some refactor needed wrt SlotsFree - if US.rem rem_slot (US.uint32_to_sizet size) = 0sz then ( + if US.rem rem_slot (US.uint32_to_sizet size.sc) = 0sz then ( (**) let sc = G.hide (Seq.index (G.reveal sc_all.g_size_classes) (US.v index)) in assert (size_class_pred sc_all.slab_region (G.reveal sc) (US.v index)); - assert (A.offset (A.ptr_of (G.reveal sc).data.slab_region) == A.offset (A.ptr_of sc_all.slab_region) + (US.v index) * (US.v slab_size)); + assert (A.offset (A.ptr_of (G.reveal sc).data.slab_region) == A.offset (A.ptr_of sc_all.slab_region) + (US.v index) * (US.v sc_slab_region_size)); assert (US.v rem_slab == A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (G.reveal sc).data.slab_region)); - mod_lt diff_sz slab_size; - assert (US.v rem_slab < US.v slab_size); - mod_lt diff_sz (u32_to_sz page_size); - assert (US.v rem_slot == (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of sc_all.slab_region)) % (U32.v page_size)); - mod_lt rem_slot (US.uint32_to_sizet size); + mod_lt diff_sz sc_slab_region_size; + assert (US.v rem_slab < US.v sc_slab_region_size); + mod_lt diff_sz (u32_to_sz size.slab_size); + assert (US.v rem_slot == (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of sc_all.slab_region)) % (U32.v size.slab_size)); + mod_lt rem_slot (US.uint32_to_sizet size.sc); (**) elim_within_size_class_i ptr (US.v index) size; - (**) assert (A.length ptr == U32.v size); + (**) assert (A.length ptr == U32.v size.sc); if enable_slab_canaries_free then ( enable_slab_canaries_lemma (); - let magic1 = A.index ptr (US.uint32_to_sizet (size `U32.sub` 2ul)) in - let magic2 = A.index ptr (US.uint32_to_sizet (size `U32.sub` 1ul)) in + let magic1 = A.index ptr (US.uint32_to_sizet (size.sc `U32.sub` 2ul)) in + let magic2 = A.index ptr (US.uint32_to_sizet (size.sc `U32.sub` 1ul)) in if magic1 = slab_canaries_magic1 && magic2 = slab_canaries_magic2 then slab_free' index ptr rem_slab else diff --git a/src/Main2.fsti b/src/Main2.fsti index beba8d4d..cc11a324 100644 --- a/src/Main2.fsti +++ b/src/Main2.fsti @@ -29,8 +29,8 @@ val slab_malloc emp (fun r -> null_or_varray r) (requires fun _ -> - (enable_slab_canaries_malloc ==> U32.v bytes <= U32.v page_size - 2) /\ - (not enable_slab_canaries_malloc ==> U32.v bytes <= U32.v page_size) + (enable_slab_canaries_malloc ==> U32.v bytes <= U32.v max_slab_size - 2) /\ + (not enable_slab_canaries_malloc ==> U32.v bytes <= U32.v max_slab_size) ) (ensures fun _ r h1 -> let s : t_of (null_or_varray r) @@ -52,13 +52,13 @@ val slab_aligned_alloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (alignmen (fun r -> null_or_varray r) (requires fun _ -> U32.v alignment > 0 /\ - (U32.v page_size) % (U32.v alignment) = 0 + (U32.v max_slab_size) % (U32.v alignment) = 0 ) (ensures fun _ r h1 -> let s : t_of (null_or_varray r) = h1 (null_or_varray r) in U32.v alignment > 0 /\ - (U32.v page_size) % (U32.v alignment) = 0 /\ + (U32.v max_slab_size) % (U32.v alignment) = 0 /\ not (is_null r) ==> ( A.length r >= U32.v bytes /\ array_u8_alignment r 16ul /\ @@ -74,7 +74,7 @@ val slab_aligned_alloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (alignmen val within_size_classes_pred (ptr:A.array U8.t) : prop inline_for_extraction noextract -let slab_region_size = Main.slab_region_size +let slab_region_size = Main.full_slab_region_size val slab_getsize (ptr: array U8.t) : Steel US.t @@ -89,10 +89,10 @@ val slab_getsize (ptr: array U8.t) ) (ensures fun h0 result h1 -> A.asel ptr h1 == A.asel ptr h0 /\ - US.v result <= U32.v page_size /\ + US.v result <= U32.v max_slab_size /\ (result <> 0sz ==> ( let idx = sc_selection (US.sizet_to_uint32 result) in - A.length ptr <= U32.v page_size /\ + A.length ptr <= U32.v max_slab_size /\ (enable_slab_canaries_malloc ==> A.length ptr == US.v result + 2 ) /\ @@ -100,7 +100,7 @@ val slab_getsize (ptr: array U8.t) A.length ptr == US.v result ) /\ (enable_sc_fast_selection ==> - A.length ptr == U32.v (L.index sc_list (US.v idx))) + A.length ptr == U32.v (L.index sc_list (US.v idx)).sc) )) ) @@ -116,7 +116,7 @@ val slab_free (ptr:array U8.t) SAA.within_bounds (A.split_l (G.reveal sc_all.slab_region) 0sz) ptr - (A.split_r (G.reveal sc_all.slab_region) slab_region_size) + (A.split_r (G.reveal sc_all.slab_region) Main.full_slab_region_size) ) (ensures fun h0 r _ -> let s = A.asel ptr h0 in diff --git a/src/MemoryTrap.fst b/src/MemoryTrap.fst index 120e5f50..657766a4 100644 --- a/src/MemoryTrap.fst +++ b/src/MemoryTrap.fst @@ -23,44 +23,45 @@ open Config /// this predicate is abstract, does not expose any /// primitive to use it, and can only be introduced /// through the mmap_trap function below -assume val trap_array (arr: array U8.t) : vprop +assume val trap_array (sc: sc_full) + (arr: array U8.t{A.length arr = U32.v sc.slab_size}) : vprop /// Introduction function for the abstract `trap_array` /// predicate above. Under the hood, this function will /// be implemented in C as a mmap(PROT_NONE) -assume val mmap_strict_trap - (arr: array U8.t) +assume val mmap_strict_trap (sc: G.erased sc_full) + (arr: array U8.t{A.length arr = U32.v (G.reveal sc).slab_size}) (len: US.t{US.v len == A.length arr /\ US.v len > 0}) : SteelT unit (A.varray arr) - (fun _ -> trap_array arr) + (fun _ -> trap_array sc arr) /// Introduction function for the abstract `trap_array` /// predicate above. Under the hood, this function will /// be implemented in C as a madvise(MADV_DONTNEED) -assume val mmap_trap - (arr: array U8.t) +assume val mmap_trap (sc: G.erased sc_full) + (arr: array U8.t{A.length arr = U32.v (G.reveal sc).slab_size}) (len: US.t{US.v len == A.length arr /\ US.v len > 0}) : SteelT unit (A.varray arr) - (fun _ -> trap_array arr) + (fun _ -> trap_array sc arr) /// Elimination function for the abstract `trap_array` /// predicate above. Under the hood, this function will /// be implemented in C as a mmap(PROT_READ|PROT_WRITE) -assume val mmap_strict_untrap - (arr: array U8.t) +assume val mmap_strict_untrap (sc: G.erased sc_full) + (arr: array U8.t{A.length arr = U32.v (G.reveal sc).slab_size}) (len: US.t{US.v len == A.length arr /\ US.v len > 0}) : SteelT unit - (trap_array arr) + (trap_array sc arr) (fun _ -> A.varray arr) /// Elimination function for the abstract `trap_array` /// predicate above. Under the hood, this function will /// be implemented in C as a noop. -assume val mmap_untrap - (arr: array U8.t) +assume val mmap_untrap (sc: G.erased sc_full) + (arr: array U8.t{A.length arr = U32.v (G.reveal sc).slab_size}) (len: US.t{US.v len == A.length arr /\ US.v len > 0}) : SteelT unit - (trap_array arr) + (trap_array sc arr) (fun _ -> A.varray arr) diff --git a/src/Mman.fst b/src/Mman.fst index 7c69e450..905efcf5 100644 --- a/src/Mman.fst +++ b/src/Mman.fst @@ -35,7 +35,7 @@ assume val mmap_u8_init (len: US.t) A.length r == US.v len /\ A.is_full_array r /\ A.asel r h1 == Seq.create (US.v len) U8.zero /\ - array_u8_alignment r page_size + array_u8_alignment r max_slab_size ) assume val mmap_u64_init (len: US.t) diff --git a/src/Quarantine.fst b/src/Quarantine.fst index 201450ed..29b93244 100644 --- a/src/Quarantine.fst +++ b/src/Quarantine.fst @@ -3,33 +3,33 @@ module Quarantine open Constants open Config -let quarantine_slab arr = +let quarantine_slab sc arr = if enable_quarantine_trap - then trap_array arr + then trap_array sc arr else A.varray arr -let mmap_trap_quarantine arr len = +let mmap_trap_quarantine sc arr len = if enable_quarantine_trap then ( if enable_quarantine_strict_trap then ( - mmap_strict_trap arr len + mmap_strict_trap (G.hide sc) arr len ) else ( - mmap_trap arr len + mmap_trap (G.hide sc) arr len ); - change_equal_slprop (trap_array arr) (quarantine_slab arr) + change_equal_slprop (trap_array sc arr) (quarantine_slab sc arr) ) else ( noop (); - change_equal_slprop (A.varray arr) (quarantine_slab arr) + change_equal_slprop (A.varray arr) (quarantine_slab sc arr) ) -let mmap_untrap_quarantine arr len = +let mmap_untrap_quarantine sc arr len = if enable_quarantine_trap then ( - change_equal_slprop (quarantine_slab arr) (trap_array arr); + change_equal_slprop (quarantine_slab sc arr) (trap_array sc arr); if enable_quarantine_strict_trap then ( - mmap_strict_untrap arr len + mmap_strict_untrap sc arr len ) else ( - mmap_untrap arr len + mmap_untrap sc arr len ) ) else ( noop (); - change_equal_slprop (quarantine_slab arr) (A.varray arr) + change_equal_slprop (quarantine_slab sc arr) (A.varray arr) ) diff --git a/src/Quarantine.fsti b/src/Quarantine.fsti index 0836364a..b9954795 100644 --- a/src/Quarantine.fsti +++ b/src/Quarantine.fsti @@ -22,17 +22,20 @@ open MemoryTrap /// `enable_quarantine_trap` is enabled, this either /// corresponds to `trap_array` or to `varray` val quarantine_slab - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : vprop inline_for_extraction noextract val mmap_trap_quarantine - (arr: array U8.t{A.length arr = U32.v page_size}) - (len: US.t{US.v len = U32.v page_size}) - : SteelT unit (A.varray arr) (fun _ -> quarantine_slab arr) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) + (len: US.t{US.v len = U32.v size_class.slab_size}) + : SteelT unit (A.varray arr) (fun _ -> quarantine_slab size_class arr) inline_for_extraction noextract val mmap_untrap_quarantine - (arr: array U8.t{A.length arr = U32.v page_size}) - (len: US.t{US.v len = U32.v page_size}) - : SteelT unit (quarantine_slab arr) (fun _ -> A.varray arr) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) + (len: US.t{US.v len = U32.v size_class.slab_size}) + : SteelT unit (quarantine_slab size_class arr) (fun _ -> A.varray arr) diff --git a/src/SizeClass.fst b/src/SizeClass.fst index bb0ae91c..8bd6826d 100644 --- a/src/SizeClass.fst +++ b/src/SizeClass.fst @@ -28,7 +28,7 @@ open SlabsAlloc noeq type size_class_struct' = { - size: sc; + size: sc_full; slabs_idxs: A.array US.t; md_count: ref US.t; slab_region: array U8.t; @@ -40,12 +40,12 @@ open Prelude open FStar.Mul inline_for_extraction noextract -let slab_size : (v:US.t{US.v v == US.v metadata_max * U32.v page_size /\ US.v v > 0}) +let sc_slab_region_size : (v:US.t{US.v v == US.v metadata_max * U32.v page_size /\ US.v v > 0}) = US.mul metadata_max (US.of_u32 page_size) type size_class_struct = s:size_class_struct'{ - A.length s.slab_region == US.v slab_size /\ - array_u8_alignment s.slab_region page_size /\ + A.length s.slab_region == US.v sc_slab_region_size /\ + array_u8_alignment s.slab_region max_slab_size /\ A.length s.md_bm_region == US.v metadata_max * 4 /\ A.length s.md_region == US.v metadata_max /\ A.length s.slabs_idxs == 7 @@ -59,7 +59,7 @@ let size_class_vprop = vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs) @@ -74,7 +74,7 @@ let allocate_size_class_sl_lemma1 SM.interp (hp_of ( vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs) )) m /\ @@ -83,7 +83,7 @@ let allocate_size_class_sl_lemma1 sel_of ( vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs) ) m @@ -98,7 +98,7 @@ let allocate_size_class_sl_lemma2 SM.interp (hp_of ( vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs) )) m @@ -110,7 +110,7 @@ let allocate_size_class_sl_lemma2 sel_of ( vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs) ) m @@ -146,53 +146,58 @@ let mod_arith_lemma_applied lemma_mod_mul2 (n/page_size) page_size align; lemma_mod_plus2 0 ((n/page_size)*page_size) align -let allocate_size_class_aux +#push-options "--z3rlimit 100 --compat_pre_typed_indexed_effects" +val allocate_size_class_aux (scs: size_class_struct) (r: array U8.t) : Lemma (requires not (A.is_null r) ==> ( - A.length r == U32.v scs.size /\ + A.length r == U32.v scs.size.sc /\ same_base_array r scs.slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % U32.v page_size) % (U32.v scs.size) == 0 + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % U32.v scs.size.slab_size) % (U32.v scs.size.sc) == 0 ) ) (ensures not (A.is_null r) ==> ( - A.length r == U32.v scs.size /\ + A.length r == U32.v scs.size.sc /\ same_base_array r scs.slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % U32.v page_size) % (U32.v scs.size) == 0 /\ + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % U32.v scs.size.slab_size) % (U32.v scs.size.sc) == 0 /\ + //(U32.v scs.size.sc <= U32.v page_size ==> array_u8_alignment r 16ul /\ - ((U32.v page_size) % (U32.v scs.size) == 0 ==> array_u8_alignment r scs.size) + ((U32.v scs.size.slab_size) % (U32.v scs.size.sc) == 0 ==> array_u8_alignment r scs.size.sc) ) ) + +let allocate_size_class_aux scs r = if not (A.is_null r) then ( assert (same_base_array r scs.slab_region); assert (same_base_array scs.slab_region r); - assert (array_u8_alignment scs.slab_region page_size); + assert (array_u8_alignment scs.slab_region max_slab_size); mod_arith_lemma_applied (A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) - (U32.v page_size) - (U32.v scs.size) + (U32.v scs.size.slab_size) + (U32.v scs.size.sc) 16; assert ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % 16 == 0); - array_u8_alignment_lemma scs.slab_region r page_size 16ul; - if ((U32.v page_size) % (U32.v scs.size) = 0) then ( + array_u8_alignment_lemma scs.slab_region r max_slab_size 16ul; + // no boundary crossing of allocations for size classes <= 4096 + // allows to retrieve alignment, see Constants.fst + if ((U32.v scs.size.slab_size) % (U32.v scs.size.sc) = 0) then ( mod_arith_lemma_applied (A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) - (U32.v page_size) - (U32.v scs.size) - (U32.v scs.size); - assert ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % (U32.v scs.size) == 0); - array_u8_alignment_lemma scs.slab_region r page_size scs.size + (U32.v scs.size.slab_size) + (U32.v scs.size.sc) + (U32.v scs.size.sc); + assert ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % (U32.v scs.size.sc) == 0); + array_u8_alignment_lemma scs.slab_region r max_slab_size scs.size.sc ) else () ) else () -#push-options "--z3rlimit 100 --compat_pre_typed_indexed_effects" let allocate_size_class (scs: size_class_struct) : Steel (array U8.t) @@ -203,12 +208,13 @@ let allocate_size_class (requires fun h0 -> True) (ensures fun h0 r h1 -> not (A.is_null r) ==> ( - A.length r == U32.v scs.size /\ + A.length r == U32.v scs.size.sc /\ same_base_array r scs.slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % U32.v page_size) % (U32.v scs.size) == 0 /\ + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of scs.slab_region)) % U32.v scs.size.slab_size) % (U32.v scs.size.sc) == 0 /\ + //(U32.v scs.size.sc <= U32.v page_size ==> array_u8_alignment r 16ul /\ - ((U32.v page_size) % (U32.v scs.size) == 0 ==> array_u8_alignment r scs.size) + ((U32.v scs.size.slab_size) % (U32.v scs.size.sc) == 0 ==> array_u8_alignment r scs.size.sc) ) ) = @@ -216,7 +222,7 @@ let allocate_size_class (size_class_vprop scs) (vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs)) (fun x y -> x == y) @@ -228,7 +234,7 @@ let allocate_size_class change_slprop_rel (vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs)) (size_class_vprop scs) @@ -257,8 +263,8 @@ let deallocate_size_class let diff' = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of scs.slab_region) in 0 <= diff' /\ US.v diff = diff' /\ - (diff' % U32.v page_size) % U32.v scs.size == 0 /\ - A.length ptr == U32.v scs.size /\ + (diff' % U32.v scs.size.slab_size) % U32.v scs.size.sc == 0 /\ + A.length ptr == U32.v scs.size.sc /\ same_base_array ptr scs.slab_region) (ensures fun h0 _ h1 -> True) = @@ -266,7 +272,7 @@ let deallocate_size_class (size_class_vprop scs) (vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs)) (fun x y -> x == y) @@ -278,7 +284,7 @@ let deallocate_size_class change_slprop_rel (vrefinedep (vptr scs.md_count) - vrefinedep_prop + (vrefinedep_prop scs.size) (size_class_vprop_aux scs.size scs.slab_region scs.md_bm_region scs.md_region scs.slabs_idxs)) (size_class_vprop scs) diff --git a/src/SizeClassSelection.fst b/src/SizeClassSelection.fst index 21623c87..b0ef35e2 100644 --- a/src/SizeClassSelection.fst +++ b/src/SizeClassSelection.fst @@ -15,6 +15,12 @@ open FStar.Mul #push-options "--fuel 0 --ifuel 0" +// CONFIGURABLE values, with _n = pow2 _k +let _n = 131072 +let _k = 17 + +let _ = assert_norm (pow2 _k == _n) + // misc let from_vec_property (#n: pos) (a: FBV.bv_t n) (s:nat{s <= n}) : Lemma @@ -175,7 +181,7 @@ let log2u64_spec (x: nat) : Pure nat (requires x > 0 /\ - x <= 4096) + x <= _n) (ensures fun r -> r < 64 /\ x >= pow2 r /\ @@ -189,7 +195,7 @@ let log2u64_spec_eq_lemma (x:nat) (r: nat) : Lemma (requires x > 0 /\ - x <= 4096 /\ + x <= _n /\ x >= pow2 r /\ x < pow2 (r + 1)) (ensures @@ -248,8 +254,8 @@ let upper_div_impl (y: U32.t) : Pure U32.t (requires - U32.v x <= 4096 /\ - U32.v y <= 4096 /\ + U32.v x <= _n /\ + U32.v y <= _n /\ (exists (k:nat). U32.v y == pow2 k) ) (ensures fun r -> @@ -268,8 +274,8 @@ let fast_upper_div_impl (k: U32.t) : Pure U32.t (requires - U32.v x <= 4096 /\ - U32.v y <= 4096 /\ + U32.v x <= _n /\ + U32.v y <= _n /\ //(exists (k:nat). U32.v y == pow2 (U32.v k) /\ U32.v k < 32 @@ -291,22 +297,22 @@ let inv_aux_2 (x: nat) : Pure (nat & nat) (requires 64 <= x /\ - x <= 4096 + x <= _n ) (ensures fun r -> let y, z = r in x <= sc_list_f_aux_2 y z /\ - y <= 6 /\ + y <= _k - 6 /\ z <= 4 /\ - (y = 6 ==> z = 0) + (y = _k - 6 ==> z = 0) ) = let log = log2u64_spec x in assert_norm (pow2 6 == 64); - assert_norm (pow2 12 == 4096); + assert_norm (pow2 _k == _n); if log < 6 then FML.pow2_le_compat 6 (log+1); - if log > 12 then FML.pow2_lt_compat log 12; - assert (6 <= log /\ log <= 12); + if log > _k then FML.pow2_lt_compat log _k; + assert (6 <= log /\ log <= _k); let align = pow2 log in let align2 = pow2 (log - 2) in let y = log - 6 in @@ -321,14 +327,15 @@ let inv_aux_2 (x: nat) assert (align + align == pow2 (log + 1)) ) else (); - if (y = 6) - then ( - assert (log == 12); - assert (x >= pow2 12); - assert_norm (pow2 12 == 4096); - assert (z == 0) - ) else (); y, z + //if (y = 6) + //then ( + // assert (log == 12); + // assert (x >= pow2 12); + // assert_norm (pow2 12 == 4096); + // assert (z == 0) + //) else (); + //y, z #pop-options noextract @@ -336,11 +343,11 @@ let inv_aux (x: nat) : Pure (nat) (requires 64 <= x /\ - x <= 4096 + x <= _n ) (ensures fun r -> x <= sc_list_f_aux r /\ - r <= 24 + r <= 4 * (_k - 6) ) = let y, z = inv_aux_2 x in @@ -352,11 +359,11 @@ noextract let inv (x: nat) : Pure (nat) (requires - x <= 4096 + x <= _n ) (ensures fun r -> x <= sc_list_f r /\ - r <= 26 + r <= 4 * (_k - 6) + 2 ) = if x <= 16 @@ -382,7 +389,7 @@ inline_for_extraction noextract let inv_impl_aux_2 (x: U32.t) : Pure (U32.t & U32.t) (requires U32.v x >= 64 /\ - U32.v x <= 4096 + U32.v x <= _n ) (ensures fun r -> let y, z = r in @@ -397,9 +404,9 @@ let inv_impl_aux_2 (x: U32.t) assert (U64.v x_as_u64 == U32.v x); let log = log2u64 x_as_u64 in assert_norm (pow2 6 == 64); - assert_norm (pow2 12 == 4096); + assert_norm (pow2 _k == _n); if U32.v log < 6 then FML.pow2_le_compat 6 (U32.v log + 1); - if U32.v log > 12 then FML.pow2_lt_compat (U32.v log) 12; + if U32.v log > _k then FML.pow2_lt_compat (U32.v log) _k; let align = U32.shift_left 1ul log in let align2 = U32.shift_left 1ul (U32.sub log 2ul) in FML.pow2_lt_compat (U32.v log) (U32.v log - 2); @@ -413,7 +420,7 @@ inline_for_extraction noextract let inv_impl_aux (x: U32.t) : Pure (U32.t) (requires U32.v x >= 64 /\ - U32.v x <= 4096 + U32.v x <= _n ) (ensures fun r -> let r' = inv_aux (U32.v x) in @@ -427,12 +434,13 @@ let inv_impl_aux (x: U32.t) let inv_impl (x: U32.t) : Pure (U32.t) (requires - U32.v x <= 4096 + U32.v x <= _n ) (ensures fun r -> let r' = inv (U32.v x) in U32.v r == r' /\ - U32.v x <= sc_list_f (U32.v r) + U32.v x <= sc_list_f (U32.v r) /\ + U32.v r <= 4 * (_k - 6) + 2 ) = if U32.lte x 16ul @@ -450,7 +458,7 @@ let log2u64_is_mon_increasing (x y: nat) (requires 0 < x /\ x <= y /\ - y <= 4096 + y <= _n ) (ensures log2u64_spec x <= log2u64_spec y @@ -484,7 +492,7 @@ let inv_aux_is_mon_increasing (x y: nat) (requires 64 <= x /\ x <= y /\ - y <= 4096 + y <= _n ) (ensures ( let rx = inv_aux x in @@ -496,10 +504,10 @@ let inv_aux_is_mon_increasing (x y: nat) let log_y = log2u64_spec y in log2u64_is_mon_increasing x y; assert_norm (pow2 6 == 64); - assert_norm (pow2 12 == 4096); + assert_norm (pow2 _k == _n); if log_x < 6 then FML.pow2_le_compat 6 (log_x+1); - if log_y > 12 then FML.pow2_lt_compat log_y 12; - assert (6 <= log_x /\ log_x <= log_y /\ log_y <= 12); + if log_y > _k then FML.pow2_lt_compat log_y _k; + assert (6 <= log_x /\ log_x <= log_y /\ log_y <= _k); if log_x = log_y then ( let align = pow2 log_x in @@ -511,8 +519,8 @@ let inv_aux_is_mon_increasing (x y: nat) let inv_is_mon_increasing (x y: nat) : Lemma (requires - x <= 4096 /\ - y <= 4096 + x <= _n /\ + y <= _n ) (ensures ( let rx = inv x in @@ -651,10 +659,10 @@ let sc_list_f_is_smon_increasing_lte #push-options "--z3rlimit 50" let inv_exact_log (k: nat) : Lemma - (requires k <= 24) + (requires k <= 4 * (_k - 6)) (ensures 64 <= sc_list_f_aux k /\ - sc_list_f_aux k <= 4096 /\ + sc_list_f_aux k <= _n /\ (let r = sc_list_f_aux k in log2u64_spec r = (k/4) + 6 )) @@ -663,8 +671,8 @@ let inv_exact_log (k: nat) let k2 = k%4 in let r = sc_list_f_aux k in sc_list_f_aux_min k; - sc_list_f_aux_is_smon_increasing_lte k 24; - assert_norm (sc_list_f_aux 24 == 4096); + sc_list_f_aux_is_smon_increasing_lte k (4 * (_k - 6)); + assert_norm (sc_list_f_aux (4 * (_k - 6)) == _n); assert (r == pow2 (k1 + 6) + k2 * pow2 (k1 + 4)); assert (k2 < 4); FML.pow2_plus (k1 + 4) 2; @@ -679,25 +687,25 @@ let inv_exact_log (k: nat) #push-options "--z3rlimit 50" let inv_exact_aux (k: nat) : Lemma - (requires k <= 24) + (requires k <= 4 * (_k - 6)) (ensures 64 <= sc_list_f_aux k /\ - sc_list_f_aux k <= 4096 /\ + sc_list_f_aux k <= _n /\ inv_aux (sc_list_f_aux k) == k ) = let x = sc_list_f_aux k in sc_list_f_aux_min k; - sc_list_f_aux_is_smon_increasing_lte k 24; - assert_norm (sc_list_f_aux 24 == 4096); + sc_list_f_aux_is_smon_increasing_lte k (4 * (_k - 6)); + assert_norm (sc_list_f_aux (4 * (_k - 6)) == _n); let log = log2u64_spec x in assert_norm (pow2 6 == 64); - assert_norm (pow2 12 == 4096); + assert_norm (pow2 _k == _n); inv_exact_log k; assert (log = k/4 +6); if log < 6 then FML.pow2_le_compat 6 (log+1); - if log > 12 then FML.pow2_lt_compat log 12; - assert (6 <= log /\ log <= 12); + if log > _k then FML.pow2_lt_compat log _k; + assert (6 <= log /\ log <= _k); let align = pow2 log in let align2 = pow2 (log - 2) in let y = log - 6 in @@ -709,13 +717,13 @@ let inv_exact_aux (k: nat) let inv_exact (k: nat) : Lemma - (requires k <= 26) + (requires k <= 4 * (_k - 6) + 2) (ensures - sc_list_f k <= 4096 /\ + sc_list_f k <= _n /\ inv (sc_list_f k) == k ) = - sc_list_f_is_smon_increasing_lte k 26; + sc_list_f_is_smon_increasing_lte k (4 * (_k - 6) + 2); assert (sc_list_f 26 = 4096) by T.compute(); if k = 0 then ( assert (sc_list_f 0 == 16) by T.compute() @@ -736,10 +744,10 @@ let inv_exact (k: nat) let inv_exact_log2 (k: nat) : Lemma - (requires 1 <= k /\ k <= 24) + (requires 1 <= k /\ k <= 4 * (_k - 6)) (ensures 64 <= sc_list_f_aux (k-1) /\ - sc_list_f_aux (k-1) < 4096 /\ + sc_list_f_aux (k-1) < _n /\ (let r = sc_list_f_aux (k-1) + 1 in log2u64_spec r = (k-1)/4 + 6 )) @@ -748,8 +756,8 @@ let inv_exact_log2 (k: nat) let k2 = (k-1)%4 in let r = sc_list_f_aux (k-1) + 1 in sc_list_f_aux_min (k-1); - sc_list_f_aux_is_smon_increasing_lt (k-1) 24; - assert_norm (sc_list_f_aux 24 == 4096); + sc_list_f_aux_is_smon_increasing_lt (k-1) (4 * (_k - 6)); + assert_norm (sc_list_f_aux (4 * (_k - 6)) == _n); assert (r == pow2 (k1 + 6) + k2 * pow2 (k1 + 4) + 1); assert (r >= pow2 (k1 + 6)); assert (k2 < 4); @@ -764,25 +772,25 @@ let inv_exact_log2 (k: nat) #push-options "--z3rlimit 50" let inv_exact_aux2 (k: nat) : Lemma - (requires 1 <= k /\ k <= 24) + (requires 1 <= k /\ k <= 4 * (_k - 6)) (ensures 64 <= sc_list_f_aux (k-1) /\ - sc_list_f_aux (k-1) < 4096 /\ + sc_list_f_aux (k-1) < _n /\ inv_aux (sc_list_f_aux (k-1) + 1) == k ) = let x = sc_list_f_aux (k-1) + 1 in sc_list_f_aux_min (k-1); - sc_list_f_aux_is_smon_increasing_lt (k-1) 24; - assert_norm (sc_list_f_aux 24 == 4096); + sc_list_f_aux_is_smon_increasing_lt (k-1) (4 * (_k - 6)); + assert_norm (sc_list_f_aux (4 * (_k - 6)) == _n); let log = log2u64_spec x in assert_norm (pow2 6 == 64); assert_norm (pow2 12 == 4096); inv_exact_log2 k; assert (log = (k-1)/4+6); if log < 6 then FML.pow2_le_compat 6 (log+1); - if log > 12 then FML.pow2_lt_compat log 12; - assert (6 <= log /\ log <= 12); + if log > _k then FML.pow2_lt_compat log _k; + assert (6 <= log /\ log <= _k); let align = pow2 log in let align2 = pow2 (log - 2) in let y = log - 6 in @@ -794,15 +802,15 @@ let inv_exact_aux2 (k: nat) let inv_exact2 (k: nat) : Lemma - (requires k <= 26) + (requires k <= 4 * (_k - 6) + 2) (ensures 2 <= sc_list_f k /\ - sc_list_f k <= 4096 /\ + sc_list_f k <= _n /\ inv (sc_list_f k - 2) == k ) = sc_list_f_is_smon_increasing_lte 0 k; - sc_list_f_is_smon_increasing_lte k 26; + sc_list_f_is_smon_increasing_lte k (4 * (_k - 6) + 2); assert_norm (sc_list_f 0 = 16); assert_norm (sc_list_f 26 = 4096); if k = 0 then ( diff --git a/src/SlabsAlloc.fst b/src/SlabsAlloc.fst index 2b436e94..5693ef44 100644 --- a/src/SlabsAlloc.fst +++ b/src/SlabsAlloc.fst @@ -36,9 +36,9 @@ open SlabsCommon #push-options "--z3rlimit 75" inline_for_extraction noextract let allocate_slab_aux_cond - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : Steel bool (slab_vprop size_class arr md) (fun _ -> slab_vprop size_class arr md) @@ -68,36 +68,37 @@ let allocate_slab_aux_cond #push-options "--fuel 1 --ifuel 1 --z3rlimit 50 --compat_pre_typed_indexed_effects" let slab_region_mon_split (#opened:_) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_count: US.t{US.v md_count < US.v metadata_max}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) + (md_count: US.t{US.v md_count < US.v sc.md_max}) : SteelGhost unit opened - (A.varray (A.split_r slab_region (US.mul md_count (u32_to_sz page_size)))) + (A.varray (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size)))) (fun _ -> - A.varray (slab_array slab_region md_count) `star` - A.varray (A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz page_size))) + A.varray (slab_array sc slab_region md_count) `star` + A.varray (A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz sc.slab_size))) ) (requires fun h0 -> - zf_u8 (A.asel (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) h0)) + zf_u8 (A.asel (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) h0)) (ensures fun h0 _ h1 -> - zf_u8 (A.asel (slab_array slab_region md_count) h1) /\ - zf_u8 (A.asel (A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz page_size))) h1) + zf_u8 (A.asel (slab_array sc slab_region md_count) h1) /\ + zf_u8 (A.asel (A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz sc.slab_size))) h1) ) = let h0 = get () in A.ghost_split - (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) - (u32_to_sz page_size); - zf_u8_slice (A.asel (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) h0) 0 (US.v (u32_to_sz page_size)); - zf_u8_slice (A.asel (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) h0) (US.v (u32_to_sz page_size)) (A.length (A.split_r slab_region (US.mul md_count (u32_to_sz page_size)))); - pack_slab_array slab_region md_count; - let x1 = A.split_r (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size) in - let x2 = A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz page_size)) in + (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) + (u32_to_sz sc.slab_size); + zf_u8_slice (A.asel (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) h0) 0 (US.v (u32_to_sz sc.slab_size)); + zf_u8_slice (A.asel (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) h0) (US.v (u32_to_sz sc.slab_size)) (A.length (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size)))); + pack_slab_array sc slab_region md_count; + let x1 = A.split_r (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) (u32_to_sz sc.slab_size) in + let x2 = A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz sc.slab_size)) in A.ptr_base_offset_inj (A.ptr_of x1) (A.ptr_of x2); assert (A.length x1 = A.length x2); assert (x1 == x2); change_equal_slprop - (A.varray (A.split_r (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size))) - (A.varray (A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz page_size)))) + (A.varray (A.split_r (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) (u32_to_sz sc.slab_size))) + (A.varray (A.split_r slab_region (US.mul (US.add md_count 1sz) (u32_to_sz sc.slab_size)))) let md_bm_region_mon_split (#opened:_) @@ -165,13 +166,13 @@ open SteelVRefineDep // Slab moves from empty to partial inline_for_extraction noextract let allocate_slab_aux_1_partial - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1: US.t{US.v idx1 < US.v md_count_v}) (idx2 idx3 idx4 idx5 idx6 idx7: US.t) @@ -184,16 +185,16 @@ let allocate_slab_aux_1_partial (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 1ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 1ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 1ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 1ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -217,8 +218,8 @@ let allocate_slab_aux_1_partial let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -250,20 +251,20 @@ let allocate_slab_aux_1_partial assert (ALG.ptrs_all #AL.status (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) gs0 `FStar.FiniteSet.Base.equal` ALG.ptrs_all #AL.status (US.v idx1') (US.v idx1) (US.v idx3) (US.v idx4) (US.v idx5) gs1); - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v idx1) 1ul)) idx1' idx1 idx3 idx4 idx5 idx6 idx7 // Slab moves from empty to full inline_for_extraction noextract let allocate_slab_aux_1_full - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1: US.t{US.v idx1 < US.v md_count_v}) (idx2 idx3 idx4 idx5 idx6 idx7: US.t) @@ -276,16 +277,16 @@ let allocate_slab_aux_1_full (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 2ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 2ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 2ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx1) 2ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -309,8 +310,8 @@ let allocate_slab_aux_1_full let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -342,7 +343,7 @@ let allocate_slab_aux_1_full assert (ALG.ptrs_all #AL.status (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) gs0 `FStar.FiniteSet.Base.equal` ALG.ptrs_all #AL.status (US.v idx1') (US.v idx2) (US.v idx1) (US.v idx4) (US.v idx5) gs1); - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v idx1) 2ul)) idx1' idx2 idx1 idx4 idx5 idx6 idx7 @@ -352,13 +353,13 @@ let allocate_slab_aux_1_full // Slab initially empty inline_for_extraction noextract let allocate_slab_aux_1 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel (array U8.t) @@ -370,17 +371,17 @@ let allocate_slab_aux_1 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun r -> A.varray r `star` vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -404,14 +405,14 @@ let allocate_slab_aux_1 let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1 /\ - A.length r == U32.v size_class /\ + A.length r == U32.v sc.sc /\ same_base_array r slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v page_size) % (U32.v size_class) == 0 + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v sc.slab_size) % (U32.v sc.sc) == 0 ) = (**) ALG.lemma_head1_in_bounds pred1 pred2 pred3 pred4 pred5 @@ -420,9 +421,9 @@ let allocate_slab_aux_1 (**) starseq_unpack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx1); @@ -437,34 +438,34 @@ let allocate_slab_aux_1 (**) ALG.lemma_dataify_index #AL.status gs0 (US.v idx1); (**) SeqUtils.init_us_refined_index (US.v md_count_v) (US.v idx1); (**) change_equal_slprop - (f size_class slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx1))) - (p_empty size_class (md_bm_array md_bm_region idx1, slab_array slab_region idx1)); + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx1))) + (p_empty sc (md_bm_array md_bm_region idx1, slab_array sc slab_region idx1)); - (**) p_empty_unpack size_class - (md_bm_array md_bm_region idx1, slab_array slab_region idx1) - (md_bm_array md_bm_region idx1, slab_array slab_region idx1); - let r = allocate_slot size_class + (**) p_empty_unpack sc + (md_bm_array md_bm_region idx1, slab_array sc slab_region idx1) + (md_bm_array md_bm_region idx1, slab_array sc slab_region idx1); + let r = allocate_slot sc (md_bm_array md_bm_region idx1) - (slab_array slab_region idx1) + (slab_array sc slab_region idx1) in - let cond = allocate_slab_aux_cond size_class + let cond = allocate_slab_aux_cond sc (md_bm_array md_bm_region idx1) - (slab_array slab_region idx1) + (slab_array sc slab_region idx1) in if cond then ( - (**) pack_slab_starseq size_class + (**) pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv idx1 2ul; - allocate_slab_aux_1_full size_class + allocate_slab_aux_1_full sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7; return r ) else ( - (**) pack_slab_starseq size_class + (**) pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv idx1 1ul; - allocate_slab_aux_1_partial size_class + allocate_slab_aux_1_partial sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7; @@ -477,13 +478,13 @@ let allocate_slab_aux_1 // Slab moves from partial to full inline_for_extraction noextract let allocate_slab_aux_2_full - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1: US.t) (idx2: US.t{US.v idx2 < US.v md_count_v}) @@ -497,16 +498,16 @@ let allocate_slab_aux_2_full (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 2ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 2ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 2ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 2ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -530,8 +531,8 @@ let allocate_slab_aux_2_full let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -563,7 +564,7 @@ let allocate_slab_aux_2_full assert (ALG.ptrs_all #AL.status (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) gs0 `FStar.FiniteSet.Base.equal` ALG.ptrs_all #AL.status (US.v idx1) (US.v idx2') (US.v idx2) (US.v idx4) (US.v idx5) gs1); - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v idx2) 2ul)) idx1 idx2' idx2 idx4 idx5 idx6 idx7 @@ -574,13 +575,13 @@ let allocate_slab_aux_2_full // Slab moves from partial to partial inline_for_extraction noextract let allocate_slab_aux_2_partial - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1: US.t) (idx2: US.t{US.v idx2 < US.v md_count_v}) @@ -594,16 +595,16 @@ let allocate_slab_aux_2_partial (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) - (f_lemma size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + (f_lemma sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -627,12 +628,12 @@ let allocate_slab_aux_2_partial let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 @@ -643,21 +644,21 @@ let allocate_slab_aux_2_partial #push-options "--fuel 1 --ifuel 1 --compat_pre_typed_indexed_effects --z3rlimit 300" inline_for_extraction noextract let allocate_slab_aux_2_aux - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1: US.t) (idx2: US.t{US.v idx2 < US.v md_count_v}) (idx3 idx4 idx5 idx6 idx7: US.t) : Steel unit ( - slab_vprop size_class - (slab_array slab_region idx2) + slab_vprop sc + (slab_array sc slab_region idx2) (md_bm_array md_bm_region idx2) `star` (vptr md_count `star` A.varray r_idxs `star` @@ -666,22 +667,22 @@ let allocate_slab_aux_2_aux (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) 0 (US.v idx2)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx2 + 1) (Seq.length (SeqUtils.init_us_refined (US.v md_count_v))))) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -689,14 +690,14 @@ let allocate_slab_aux_2_aux (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7) h0 in let idxs0 = A.asel r_idxs h0 in let blob0 - : t_of (slab_vprop size_class - (slab_array slab_region idx2) + : t_of (slab_vprop sc + (slab_array sc slab_region idx2) (md_bm_array md_bm_region idx2)) - = h0 (slab_vprop size_class - (slab_array slab_region idx2) + = h0 (slab_vprop sc + (slab_array sc slab_region idx2) (md_bm_array md_bm_region idx2)) in let v0 : Seq.lseq U64.t 4 = dfst (fst blob0) in - not (is_empty size_class v0) /\ + not (is_empty sc v0) /\ US.v md_count_v <> AL.null /\ sel md_count h0 == md_count_v /\ Seq.index idxs0 0 == idx1 /\ @@ -715,40 +716,40 @@ let allocate_slab_aux_2_aux let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1 ) = - let cond = allocate_slab_aux_cond size_class + let cond = allocate_slab_aux_cond sc (md_bm_array md_bm_region idx2) - (slab_array slab_region idx2) + (slab_array sc slab_region idx2) in if cond then ( - (**) pack_slab_starseq size_class + (**) pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv idx2 2ul; - allocate_slab_aux_2_full size_class + allocate_slab_aux_2_full sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 ) else ( - (**) pack_slab_starseq size_class + (**) pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv idx2 1ul; assert (Seq.upd (G.reveal md_region_lv) (US.v idx2) 1ul `Seq.equal` md_region_lv); (**) starseq_weakening #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 1ul)) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 1ul)) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 1ul)) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx2) 1ul)) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (SeqUtils.init_us_refined (US.v md_count_v)); - allocate_slab_aux_2_partial size_class + allocate_slab_aux_2_partial sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 @@ -757,13 +758,13 @@ let allocate_slab_aux_2_aux // Slab initially partial inline_for_extraction noextract let allocate_slab_aux_2 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel (array U8.t) @@ -775,17 +776,17 @@ let allocate_slab_aux_2 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun r -> A.varray r `star` vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -809,14 +810,14 @@ let allocate_slab_aux_2 let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1 /\ - A.length r == U32.v size_class /\ + A.length r == U32.v sc.sc /\ same_base_array r slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v page_size) % (U32.v size_class) == 0 + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v sc.slab_size) % (U32.v sc.sc) == 0 ) = (**) ALG.lemma_head2_in_bounds pred1 pred2 pred3 pred4 pred5 @@ -825,9 +826,9 @@ let allocate_slab_aux_2 (**) starseq_unpack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx2); @@ -842,17 +843,17 @@ let allocate_slab_aux_2 (**) ALG.lemma_dataify_index #AL.status gs0 (US.v idx2); (**) SeqUtils.init_us_refined_index (US.v md_count_v) (US.v idx2); (**) change_equal_slprop - (f size_class slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx2))) - (p_partial size_class (md_bm_array md_bm_region idx2, slab_array slab_region idx2)); - (**) p_partial_unpack size_class - (md_bm_array md_bm_region idx2, slab_array slab_region idx2) - (md_bm_array md_bm_region idx2, slab_array slab_region idx2); + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx2))) + (p_partial sc (md_bm_array md_bm_region idx2, slab_array sc slab_region idx2)); + (**) p_partial_unpack sc + (md_bm_array md_bm_region idx2, slab_array sc slab_region idx2) + (md_bm_array md_bm_region idx2, slab_array sc slab_region idx2); - let r = allocate_slot size_class + let r = allocate_slot sc (md_bm_array md_bm_region idx2) - (slab_array slab_region idx2) + (slab_array sc slab_region idx2) in - allocate_slab_aux_2_aux size_class + allocate_slab_aux_2_aux sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7; return r @@ -861,16 +862,17 @@ let allocate_slab_aux_2 #restart-solver let alloc_metadata_sl1 - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: G.erased (v:US.t{US.v v < US.v metadata_max})) - (md_count_v0: US.t{US.v md_count_v0 < US.v metadata_max}) + (md_count_v: G.erased (v:US.t{US.v v < US.v sc.md_max})) + (md_count_v0: US.t{US.v md_count_v0 < US.v sc.md_max}) (m: SM.mem) : Lemma (requires SM.interp (hp_of - (A.varray (A.split_r slab_region (US.mul (G.reveal md_count_v) (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul (G.reveal md_count_v) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul (G.reveal md_count_v) 4sz)) `star` A.varray (A.split_r md_region (G.reveal md_count_v))) ) m /\ @@ -878,18 +880,18 @@ let alloc_metadata_sl1 ) (ensures SM.interp (hp_of - (A.varray (A.split_r slab_region (US.mul md_count_v0 (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul md_count_v0 (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul md_count_v0 4sz)) `star` A.varray (A.split_r md_region md_count_v0)) ) m /\ sel_of - (A.varray (A.split_r slab_region (US.mul (G.reveal md_count_v) (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul (G.reveal md_count_v) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul (G.reveal md_count_v) 4sz)) `star` A.varray (A.split_r md_region (G.reveal md_count_v))) m == sel_of - (A.varray (A.split_r slab_region (US.mul md_count_v0 (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul md_count_v0 (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul md_count_v0 4sz)) `star` A.varray (A.split_r md_region md_count_v0)) m @@ -898,16 +900,17 @@ let alloc_metadata_sl1 () let alloc_metadata_sl2 - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: G.erased (v:US.t{US.v v < US.v metadata_max})) - (md_count_v0: US.t{US.v md_count_v0 < US.v metadata_max}) + (md_count_v: G.erased (v:US.t{US.v v < US.v sc.md_max})) + (md_count_v0: US.t{US.v md_count_v0 < US.v sc.md_max}) (m: SM.mem) : Lemma (requires SM.interp (hp_of - (A.varray (A.split_r slab_region (US.mul (US.add md_count_v0 1sz) (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul (US.add md_count_v0 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul (US.add md_count_v0 1sz) 4sz)) `star` A.varray (A.split_r md_region (US.add md_count_v0 1sz))) ) m /\ @@ -915,18 +918,18 @@ let alloc_metadata_sl2 ) (ensures SM.interp (hp_of - (A.varray (A.split_r slab_region (US.mul (US.add (G.reveal md_count_v) 1sz) (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul (US.add (G.reveal md_count_v) 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul (US.add (G.reveal md_count_v) 1sz) 4sz)) `star` A.varray (A.split_r md_region (US.add (G.reveal md_count_v) 1sz))) ) m /\ sel_of - (A.varray (A.split_r slab_region (US.mul (US.add md_count_v0 1sz) (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul (US.add md_count_v0 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul (US.add md_count_v0 1sz) 4sz)) `star` A.varray (A.split_r md_region (US.add md_count_v0 1sz))) m == sel_of - (A.varray (A.split_r slab_region (US.mul (US.add (G.reveal md_count_v) 1sz) (u32_to_sz page_size))) `star` + (A.varray (A.split_r slab_region (US.mul (US.add (G.reveal md_count_v) 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul (US.add (G.reveal md_count_v) 1sz) 4sz)) `star` A.varray (A.split_r md_region (US.add (G.reveal md_count_v) 1sz))) m @@ -937,60 +940,62 @@ let alloc_metadata_sl2 #restart-solver let right_vprop_sl_lemma1 - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (v: US.t{US.v v + US.v guard_pages_interval <= US.v metadata_max}) + (v: US.t{US.v v + US.v guard_pages_interval <= US.v sc.md_max}) (m: SM.mem) : Lemma (requires SM.interp (hp_of ( - right_vprop slab_region md_bm_region md_region v + right_vprop sc slab_region md_bm_region md_region v )) m) (ensures SM.interp (hp_of ( - (A.varray (A.split_r slab_region (US.mul v (u32_to_sz page_size))) + (A.varray (A.split_r slab_region (US.mul v (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul v 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region v) )) m /\ sel_of ( - (A.varray (A.split_r slab_region (US.mul v (u32_to_sz page_size))) + (A.varray (A.split_r slab_region (US.mul v (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul v 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region v) ) m == - sel_of (right_vprop slab_region md_bm_region md_region v) m + sel_of (right_vprop sc slab_region md_bm_region md_region v) m ) = () let right_vprop_sl_lemma2 - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (v: US.t{US.v v <= US.v metadata_max}) + (v: US.t{US.v v <= US.v sc.md_max}) (m: SM.mem) : Lemma (requires SM.interp (hp_of ( - (A.varray (A.split_r slab_region (US.mul v (u32_to_sz page_size))) + (A.varray (A.split_r slab_region (US.mul v (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul v 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region v) )) m) (ensures SM.interp (hp_of ( - right_vprop slab_region md_bm_region md_region v + right_vprop sc slab_region md_bm_region md_region v )) m /\ sel_of ( - (A.varray (A.split_r slab_region (US.mul v (u32_to_sz page_size))) + (A.varray (A.split_r slab_region (US.mul v (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul v 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region v) ) m == - sel_of (right_vprop slab_region md_bm_region md_region v) m + sel_of (right_vprop sc slab_region md_bm_region md_region v) m ) = () @@ -1002,8 +1007,9 @@ let right_vprop_sl_lemma2 inline_for_extraction noextract let allocate_slab_aux_3_1_varraylist (#opened: _) + (sc: sc_full) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : SteelGhost unit opened (AL.varraylist pred1 pred2 pred3 pred4 pred5 @@ -1103,27 +1109,28 @@ let split_r_r_mul (#opened:_) (#a: Type) #push-options "--z3rlimit 75 --compat_pre_typed_indexed_effects --query_stats --fuel 1 --ifuel 1" let allocate_slab_aux_3_1_right_aux (#opened: _) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) : SteelGhost unit opened ( - A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz page_size))) `star` + A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r md_bm_region (US.mul md_count_v 4sz)) `star` A.varray (A.split_r md_region md_count_v) ) (fun _ -> ((A.varray (A.split_r slab_region - (US.mul (US.add md_count_v guard_pages_interval) (u32_to_sz page_size))) `vrefine` zf_u8) `star` + (US.mul (US.add md_count_v guard_pages_interval) (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul (US.add md_count_v guard_pages_interval) 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region (US.add md_count_v guard_pages_interval))) `star` A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -1135,7 +1142,7 @@ let allocate_slab_aux_3_1_right_aux ) (requires fun h0 -> zf_u8 (A.asel - (A.split_r slab_region (US.mul md_count_v (u32_to_sz page_size))) + (A.split_r slab_region (US.mul md_count_v (u32_to_sz sc.slab_size))) h0 ) /\ zf_u64 (A.asel @@ -1151,13 +1158,13 @@ let allocate_slab_aux_3_1_right_aux (US.mul guard_pages_interval 4sz)) h1) ) = - let slab_region0 = gget (A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz page_size)))) in + let slab_region0 = gget (A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz sc.slab_size)))) in let md_bm_region0 = gget (A.varray (A.split_r md_bm_region (US.mul md_count_v 4sz))) in - zf_u8_split slab_region0 (US.v guard_pages_interval * U32.v page_size); + zf_u8_split slab_region0 (US.v guard_pages_interval * U32.v sc.slab_size); zf_u64_split md_bm_region0 (US.v guard_pages_interval * 4); A.ghost_split - (A.split_r slab_region (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size)); + (A.split_r slab_region (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size)); A.ghost_split (A.split_r md_bm_region (US.mul md_count_v 4sz)) (US.mul guard_pages_interval 4sz); @@ -1165,7 +1172,7 @@ let allocate_slab_aux_3_1_right_aux (A.split_r md_region md_count_v) guard_pages_interval; split_r_r_mul md_count_v guard_pages_interval - (u32_to_sz page_size) slab_region; + (u32_to_sz sc.slab_size) slab_region; split_r_r_mul md_count_v guard_pages_interval 4sz md_bm_region; split_r_r @@ -1174,7 +1181,7 @@ let allocate_slab_aux_3_1_right_aux md_region; intro_vrefine (A.varray (A.split_r slab_region - (US.mul (US.add md_count_v guard_pages_interval) (u32_to_sz page_size)))) + (US.mul (US.add md_count_v guard_pages_interval) (u32_to_sz sc.slab_size)))) zf_u8; intro_vrefine (A.varray (A.split_r md_bm_region @@ -1183,20 +1190,21 @@ let allocate_slab_aux_3_1_right_aux let allocate_slab_aux_3_1_right (#opened: _) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) : SteelGhost unit opened ( - right_vprop slab_region md_bm_region md_region md_count_v + right_vprop sc slab_region md_bm_region md_region md_count_v ) (fun _ -> - right_vprop slab_region md_bm_region md_region (md_count_v `US.add` guard_pages_interval) `star` + right_vprop sc slab_region md_bm_region md_region (md_count_v `US.add` guard_pages_interval) `star` A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -1216,57 +1224,58 @@ let allocate_slab_aux_3_1_right ) = change_slprop_rel - (right_vprop slab_region md_bm_region md_region md_count_v) - ((A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz page_size))) + (right_vprop sc slab_region md_bm_region md_region md_count_v) + ((A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul md_count_v 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region md_count_v)) (fun x y -> x == y) - (fun m -> right_vprop_sl_lemma1 slab_region md_bm_region md_region md_count_v m); + (fun m -> right_vprop_sl_lemma1 sc slab_region md_bm_region md_region md_count_v m); elim_vrefine - (A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz page_size)))) + (A.varray (A.split_r slab_region (US.mul md_count_v (u32_to_sz sc.slab_size)))) zf_u8; elim_vrefine (A.varray (A.split_r md_bm_region (US.mul md_count_v 4sz))) zf_u64; allocate_slab_aux_3_1_right_aux - slab_region md_bm_region md_region md_count_v; + sc slab_region md_bm_region md_region md_count_v; change_slprop_rel - ((A.varray (A.split_r slab_region (US.mul (US.add md_count_v guard_pages_interval) (u32_to_sz page_size))) + ((A.varray (A.split_r slab_region (US.mul (US.add md_count_v guard_pages_interval) (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul (US.add md_count_v guard_pages_interval) 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region (US.add md_count_v guard_pages_interval))) - (right_vprop slab_region md_bm_region md_region (US.add md_count_v guard_pages_interval)) + (right_vprop sc slab_region md_bm_region md_region (US.add md_count_v guard_pages_interval)) (fun x y -> x == y) - (fun m -> right_vprop_sl_lemma2 slab_region md_bm_region md_region (US.add md_count_v guard_pages_interval) m) + (fun m -> right_vprop_sl_lemma2 sc slab_region md_bm_region md_region (US.add md_count_v guard_pages_interval) m) // Extension function, is SteelGhost inline_for_extraction noextract let allocate_slab_aux_3_1 (#opened: _) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : SteelGhost unit opened ( - right_vprop slab_region md_bm_region md_region md_count_v `star` + right_vprop sc slab_region md_bm_region md_region md_count_v `star` (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) ) (fun _ -> - right_vprop slab_region md_bm_region md_region (md_count_v `US.add` guard_pages_interval) `star` + right_vprop sc slab_region md_bm_region md_region (md_count_v `US.add` guard_pages_interval) `star` (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region (md_count_v `US.add` guard_pages_interval)) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -1299,9 +1308,9 @@ let allocate_slab_aux_3_1 ) = allocate_slab_aux_3_1_right - slab_region md_bm_region md_region md_count_v; + sc slab_region md_bm_region md_region md_count_v; allocate_slab_aux_3_1_varraylist - md_region md_count_v idx1 idx2 idx3 idx4 idx5 idx6 idx7; + sc md_region md_count_v idx1 idx2 idx3 idx4 idx5 idx6 idx7; let gs1 = gget (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region (md_count_v `US.add` guard_pages_interval)) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) in @@ -1314,7 +1323,8 @@ module FS = FStar.FiniteSet.Base #push-options "--fuel 0 --ifuel 0 --z3rlimit 100" let allocate_slab_aux_3_2_seq_equality - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (sc: sc_full) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (s1 s2 s3 s4: Seq.lseq AL.cell (US.v md_count_v + US.v guard_pages_interval)) : Lemma (requires @@ -1403,7 +1413,8 @@ let fs_subset_elim = () let allocate_slab_aux_3_2_list_partition - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (sc: sc_full) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (s1 s2 s3 s4: Seq.lseq AL.cell (US.v md_count_v + US.v guard_pages_interval)) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Lemma @@ -1517,8 +1528,9 @@ let allocate_slab_aux_3_2_list_partition // Insertion function inline_for_extraction noextract let allocate_slab_aux_3_2 + (sc: sc_full) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel unit ( @@ -1646,11 +1658,11 @@ let allocate_slab_aux_3_2 (US.v idx5) (US.v idx6) (US.v idx7)) in - allocate_slab_aux_3_2_seq_equality md_count_v + allocate_slab_aux_3_2_seq_equality sc md_count_v gs0 gs1 gs2 gs3; ALG.is_dlist2_implies_spec #AL.status pred5 (US.v idx5) (US.v idx6) gs0; - allocate_slab_aux_3_2_list_partition md_count_v + allocate_slab_aux_3_2_list_partition sc md_count_v gs0 gs1 gs2 gs3 idx1 idx2 idx3 idx4 idx5 idx6 idx7; change_slprop_rel @@ -1692,15 +1704,15 @@ let allocate_slab_aux_3_2 //#pop-options let lemma_slab_aux_3_3_1 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) : Lemma - (let f1 = f size_class slab_region md_bm_region md_count_v md_region_lv in - let f2 = f size_class slab_region md_bm_region + (let f1 = f sc slab_region md_bm_region md_count_v md_region_lv in + let f2 = f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -1714,8 +1726,8 @@ let lemma_slab_aux_3_3_1 (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)) in - let f1 = f size_class slab_region md_bm_region md_count_v md_region_lv in - let f2 = f size_class slab_region md_bm_region (US.add md_count_v guard_pages_interval) md_region_lv' in + let f1 = f sc slab_region md_bm_region md_count_v md_region_lv in + let f2 = f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) md_region_lv' in let s1 = SeqUtils.init_us_refined (US.v md_count_v) in let s2 = Seq.slice (SeqUtils.init_us_refined (US.v (US.add md_count_v guard_pages_interval))) 0 (US.v md_count_v) in @@ -1727,31 +1739,31 @@ let lemma_slab_aux_3_3_1 #restart-solver let allocate_slab_aux_3_3_1 (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) : SteelGhost unit opened ( starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -1761,21 +1773,21 @@ let allocate_slab_aux_3_3_1 (#opened:_) (requires fun _ -> True) (ensures fun _ _ _ -> True) = - lemma_slab_aux_3_3_1 size_class slab_region md_bm_region md_region md_count_v md_region_lv; + lemma_slab_aux_3_3_1 sc slab_region md_bm_region md_region md_count_v md_region_lv; starseq_weakening_ref #_ #(pos:US.t{US.v pos < US.v md_count_v}) #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -1831,20 +1843,20 @@ let split_l_l_mul (#opened:_) (#a: Type) open Helpers let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (i: US.t{0 < US.v i /\ US.v i < US.v guard_pages_interval}) : SteelGhost unit opened ( A.varray (A.split_r (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul i (u32_to_sz page_size))) - (US.mul (US.sub i 1sz) (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul i (u32_to_sz sc.slab_size))) + (US.mul (US.sub i 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -1854,13 +1866,13 @@ let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -1882,10 +1894,10 @@ let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) A.ptr_base_offset_inj (A.ptr_of (A.split_r (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul i (u32_to_sz page_size))) - (US.mul (US.sub i 1sz) (u32_to_sz page_size)))) - (A.ptr_of (slab_array slab_region (US.add md_count_v (US.sub i 1sz)))); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul i (u32_to_sz sc.slab_size))) + (US.mul (US.sub i 1sz) (u32_to_sz sc.slab_size)))) + (A.ptr_of (slab_array sc slab_region (US.add md_count_v (US.sub i 1sz)))); A.ptr_base_offset_inj (A.ptr_of (A.split_r (A.split_l (A.split_r md_bm_region @@ -1896,10 +1908,10 @@ let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) change_equal_slprop (A.varray (A.split_r (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul i (u32_to_sz page_size))) - (US.mul (US.sub i 1sz) (u32_to_sz page_size)))) - (A.varray (slab_array slab_region (US.add md_count_v (US.sub i 1sz)))); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul i (u32_to_sz sc.slab_size))) + (US.mul (US.sub i 1sz) (u32_to_sz sc.slab_size)))) + (A.varray (slab_array sc slab_region (US.add md_count_v (US.sub i 1sz)))); change_equal_slprop (A.varray (A.split_r (A.split_l (A.split_r md_bm_region @@ -1910,25 +1922,25 @@ let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) let md_as_seq = gget (A.varray (md_bm_array md_bm_region (US.add md_count_v (US.sub i 1sz)))) in assert (G.reveal md_as_seq == Seq.create 4 0UL); - slab_to_slots size_class (slab_array slab_region (US.add md_count_v (US.sub i 1sz))); - empty_md_is_properly_zeroed size_class; - intro_slab_vprop size_class + slab_to_slots sc (slab_array sc slab_region (US.add md_count_v (US.sub i 1sz))); + empty_md_is_properly_zeroed sc; + intro_slab_vprop sc (md_bm_array md_bm_region (US.add md_count_v (US.sub i 1sz))) (Seq.create 4 0UL) - (slab_array slab_region (US.add md_count_v (US.sub i 1sz))); - p_empty_pack size_class + (slab_array sc slab_region (US.add md_count_v (US.sub i 1sz))); + p_empty_pack sc (md_bm_array md_bm_region (US.add md_count_v (US.sub i 1sz)), - slab_array slab_region (US.add md_count_v (US.sub i 1sz))) + slab_array sc slab_region (US.add md_count_v (US.sub i 1sz))) (md_bm_array md_bm_region (US.add md_count_v (US.sub i 1sz)), - slab_array slab_region (US.add md_count_v (US.sub i 1sz))); + slab_array sc slab_region (US.add md_count_v (US.sub i 1sz))); SeqUtils.init_us_refined_index (US.v (US.add md_count_v guard_pages_interval)) (US.v (US.add md_count_v (US.sub i 1sz))); change_equal_slprop - (p_empty size_class + (p_empty sc (md_bm_array md_bm_region (US.add md_count_v (US.sub i 1sz)), - slab_array slab_region (US.add md_count_v (US.sub i 1sz)))) - (f size_class slab_region md_bm_region + slab_array sc slab_region (US.add md_count_v (US.sub i 1sz)))) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -1939,13 +1951,13 @@ let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) starseq_intro_singleton #_ #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -1956,19 +1968,19 @@ let allocate_slab_aux_3_3_2_1_aux2 (#opened:_) (US.v md_count_v + US.v i) let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (i: US.t{US.v i < US.v guard_pages_interval}) : SteelGhost unit opened ( A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul i (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul i (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -1977,13 +1989,13 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2008,8 +2020,8 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) //TODO: add corresponding builtin (at least in lib_misc) drop (A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul i (u32_to_sz page_size)))); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul i (u32_to_sz sc.slab_size)))); drop (A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -2017,13 +2029,13 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) starseq_intro_empty #_ #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2034,9 +2046,9 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) | _ -> A.ghost_split (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul i (u32_to_sz page_size))) - (US.mul (US.sub i 1sz) (u32_to_sz page_size)); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul i (u32_to_sz sc.slab_size))) + (US.mul (US.sub i 1sz) (u32_to_sz sc.slab_size)); let s0 = gget (A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -2050,34 +2062,34 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) split_l_l_mul (US.sub i 1sz) i - (u32_to_sz page_size) + (u32_to_sz sc.slab_size) (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))); + (US.mul md_count_v (u32_to_sz sc.slab_size))); split_l_l_mul (US.sub i 1sz) i 4sz (A.split_r md_bm_region (US.mul md_count_v 4sz)); - allocate_slab_aux_3_3_2_1_aux size_class + allocate_slab_aux_3_3_2_1_aux sc slab_region md_bm_region md_region md_count_v md_region_lv (US.sub i 1sz); //dedicated lemma - allocate_slab_aux_3_3_2_1_aux2 size_class + allocate_slab_aux_3_3_2_1_aux2 sc slab_region md_bm_region md_region md_count_v md_region_lv i; change_equal_slprop (starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2088,13 +2100,13 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) )) (starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2106,13 +2118,13 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) starseq_append_s #_ #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2123,19 +2135,19 @@ let rec allocate_slab_aux_3_3_2_1_aux (#opened:_) (US.v md_count_v + US.v i) let allocate_slab_aux_3_3_2_1 (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) : SteelGhost unit opened ( A.varray (A.split_l (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) - (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) + (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -2145,13 +2157,13 @@ let allocate_slab_aux_3_3_2_1 (#opened:_) (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2173,29 +2185,29 @@ let allocate_slab_aux_3_3_2_1 (#opened:_) split_l_l_mul (US.sub guard_pages_interval 1sz) guard_pages_interval - (u32_to_sz page_size) + (u32_to_sz sc.slab_size) (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))); + (US.mul md_count_v (u32_to_sz sc.slab_size))); split_l_l_mul (US.sub guard_pages_interval 1sz) guard_pages_interval 4sz (A.split_r md_bm_region (US.mul md_count_v 4sz)); - allocate_slab_aux_3_3_2_1_aux size_class + allocate_slab_aux_3_3_2_1_aux sc slab_region md_bm_region md_region md_count_v md_region_lv (US.sub guard_pages_interval 1sz); change_slprop_rel (starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2205,13 +2217,13 @@ let allocate_slab_aux_3_3_2_1 (#opened:_) (US.v md_count_v + US.v (US.sub guard_pages_interval 1sz)))) (starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2229,19 +2241,19 @@ let allocate_slab_aux_3_3_2_1 (#opened:_) open Guards let allocate_slab_aux_3_3_2_2 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) : Steel unit ( A.varray (A.split_r (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) - (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) + (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz sc.slab_size))) `star` A.varray (A.split_r (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -2251,13 +2263,13 @@ let allocate_slab_aux_3_3_2_2 (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2279,17 +2291,17 @@ let allocate_slab_aux_3_3_2_2 A.ptr_base_offset_inj (A.ptr_of (A.split_r (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) - (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz page_size)))) - (A.ptr_of (slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) + (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz sc.slab_size)))) + (A.ptr_of (slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))); change_equal_slprop (A.varray(A.split_r (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) - (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz page_size)))) - (A.varray (slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) + (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz sc.slab_size)))) + (A.varray (slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))); A.ptr_base_offset_inj (A.ptr_of (A.split_r (A.split_l (A.split_r md_bm_region @@ -2306,25 +2318,25 @@ let allocate_slab_aux_3_3_2_2 (A.varray (md_bm_array md_bm_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))); let md_as_seq = gget (A.varray (md_bm_array md_bm_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))) in assert (G.reveal md_as_seq == Seq.create 4 0UL); - slab_to_slots size_class (slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))); - empty_md_is_properly_zeroed size_class; - intro_empty_slab_varray size_class + slab_to_slots sc (slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))); + empty_md_is_properly_zeroed sc; + intro_empty_slab_varray sc (Seq.create 4 0UL) - (slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))); - mmap_trap_guard - (slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))) - (u32_to_sz page_size); - p_guard_pack size_class + (slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))); + mmap_trap_guard sc + (slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))) + (u32_to_sz sc.slab_size); + p_guard_pack sc (md_bm_array md_bm_region (US.add md_count_v (US.sub guard_pages_interval 1sz)), - slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))); + slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz))); SeqUtils.init_us_refined_index (US.v (US.add md_count_v guard_pages_interval)) (US.v (US.add md_count_v (US.sub guard_pages_interval 1sz))); change_equal_slprop - (p_guard size_class + (p_guard sc (md_bm_array md_bm_region (US.add md_count_v (US.sub guard_pages_interval 1sz)), - slab_array slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))) - (f size_class slab_region md_bm_region + slab_array sc slab_region (US.add md_count_v (US.sub guard_pages_interval 1sz)))) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2335,13 +2347,13 @@ let allocate_slab_aux_3_3_2_2 starseq_intro_singleton #_ #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2353,18 +2365,18 @@ let allocate_slab_aux_3_3_2_2 #pop-options let allocate_slab_aux_3_3_2 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) : Steel unit ( A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) @@ -2373,13 +2385,13 @@ let allocate_slab_aux_3_3_2 (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2405,29 +2417,29 @@ let allocate_slab_aux_3_3_2 A.ghost_split (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) - (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz page_size)); + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) + (US.mul (US.sub guard_pages_interval 1sz) (u32_to_sz sc.slab_size)); A.ghost_split (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) (US.mul guard_pages_interval 4sz)) (US.mul (US.sub guard_pages_interval 1sz) 4sz); - allocate_slab_aux_3_3_2_1 size_class + allocate_slab_aux_3_3_2_1 sc slab_region md_bm_region md_region md_count_v md_region_lv; - allocate_slab_aux_3_3_2_2 size_class + allocate_slab_aux_3_3_2_2 sc slab_region md_bm_region md_region md_count_v md_region_lv; starseq_append_s #_ #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2439,39 +2451,39 @@ let allocate_slab_aux_3_3_2 (US.v md_count_v + US.v guard_pages_interval) let allocate_slab_aux_3_3 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) : Steel unit ( A.varray (A.split_l (A.split_r slab_region - (US.mul md_count_v (u32_to_sz page_size))) - (US.mul guard_pages_interval (u32_to_sz page_size))) `star` + (US.mul md_count_v (u32_to_sz sc.slab_size))) + (US.mul guard_pages_interval (u32_to_sz sc.slab_size))) `star` A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count_v 4sz)) (US.mul guard_pages_interval 4sz)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2486,22 +2498,22 @@ let allocate_slab_aux_3_3 ) (ensures fun _ _ _ -> True) = - allocate_slab_aux_3_3_1 size_class + allocate_slab_aux_3_3_1 sc slab_region md_bm_region md_region md_count_v md_region_lv; - allocate_slab_aux_3_3_2 size_class + allocate_slab_aux_3_3_2 sc slab_region md_bm_region md_region md_count_v md_region_lv; starseq_append_s #_ #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2514,13 +2526,13 @@ let allocate_slab_aux_3_3 change_equal_slprop (starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2530,13 +2542,13 @@ let allocate_slab_aux_3_3 0 (US.v md_count_v + US.v guard_pages_interval))) (starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2549,34 +2561,34 @@ let allocate_slab_aux_3_3 #push-options "--z3rlimit 100" inline_for_extraction noextract let allocate_slab_aux_3 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v + US.v guard_pages_interval <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel unit//US.t ( vptr md_count `star` A.varray r_idxs `star` - right_vprop slab_region md_bm_region md_region md_count_v `star` + right_vprop sc slab_region md_bm_region md_region md_count_v `star` (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vptr md_count `star` A.varray r_idxs `star` - right_vprop slab_region md_bm_region md_region (US.add md_count_v guard_pages_interval) `star` + right_vprop sc slab_region md_bm_region md_region (US.add md_count_v guard_pages_interval) `star` AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region (md_count_v `US.add` guard_pages_interval)) (US.v md_count_v + US.v guard_pages_interval - 2) @@ -2587,13 +2599,13 @@ let allocate_slab_aux_3 (US.v idx7) `star` starseq #(pos:US.t{US.v pos < US.v (US.add md_count_v guard_pages_interval)}) - #(t size_class) - (f size_class slab_region md_bm_region + #(t sc) + (f sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) (Seq.create 1 3ul)))) - (f_lemma size_class slab_region md_bm_region + (f_lemma sc slab_region md_bm_region (US.add md_count_v guard_pages_interval) (Seq.append md_region_lv (Seq.append (Seq.create (US.v guard_pages_interval - 1) 0ul) @@ -2652,17 +2664,17 @@ let allocate_slab_aux_3 let gs0 = gget (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) in - allocate_slab_aux_3_1 + allocate_slab_aux_3_1 sc slab_region md_bm_region md_region md_count_v idx1 idx2 idx3 idx4 idx5 idx6 idx7; let gs1 = gget (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region (md_count_v `US.add` guard_pages_interval)) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) in ALG.lemma_dataify_slice #AL.status gs1 (US.v md_count_v); - allocate_slab_aux_3_2 + allocate_slab_aux_3_2 sc md_region md_count_v idx1 idx2 idx3 idx4 idx5 idx6 idx7; - allocate_slab_aux_3_3 size_class + allocate_slab_aux_3_3 sc slab_region md_bm_region md_region md_count_v md_region_lv; let v = read md_count in write md_count (US.add v guard_pages_interval); @@ -2695,13 +2707,13 @@ let bounded_tuple (up: US.t) = s:bounded_tuple'{ #push-options "--fuel 1 --ifuel 1 --z3rlimit 100 --query_stats --compat_pre_typed_indexed_effects" let allocate_slab_aux_4_aux1 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel (bounded_tuple md_count_v) @@ -2810,13 +2822,13 @@ let allocate_slab_aux_4_aux1 return r let allocate_slab_aux_4_aux2 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (idxs: bounded_tuple md_count_v) @@ -2824,17 +2836,17 @@ let allocate_slab_aux_4_aux2 ( starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (requires fun h0 -> @@ -2846,39 +2858,39 @@ let allocate_slab_aux_4_aux2 (**) starseq_unpack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idxs.x); SeqUtils.init_us_refined_index (US.v md_count_v) (US.v idxs.x); (**) change_equal_slprop - (f size_class slab_region md_bm_region md_count_v md_region_lv + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idxs.x))) - (p_quarantine size_class (md_bm_array md_bm_region idxs.x, slab_array slab_region idxs.x)); - p_quarantine_unpack size_class (md_bm_array md_bm_region idxs.x, slab_array slab_region idxs.x); - Quarantine.mmap_untrap_quarantine (slab_array slab_region idxs.x) (u32_to_sz page_size); - Helpers.slab_to_slots size_class (slab_array slab_region idxs.x); + (p_quarantine sc (md_bm_array md_bm_region idxs.x, slab_array sc slab_region idxs.x)); + p_quarantine_unpack sc (md_bm_array md_bm_region idxs.x, slab_array sc slab_region idxs.x); + Quarantine.mmap_untrap_quarantine sc (slab_array sc slab_region idxs.x) (u32_to_sz sc.slab_size); + Helpers.slab_to_slots sc (slab_array sc slab_region idxs.x); let md = gget (A.varray (md_bm_array md_bm_region idxs.x)) in - empty_md_is_properly_zeroed size_class; - intro_slab_vprop size_class + empty_md_is_properly_zeroed sc; + intro_slab_vprop sc (md_bm_array md_bm_region idxs.x) (Seq.create 4 0UL) - (slab_array slab_region idxs.x); - pack_slab_starseq size_class + (slab_array sc slab_region idxs.x); + pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv idxs.x 0ul //inline_for_extraction noextract val allocate_slab_aux_4 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) //(r_ringbuffer: A.array US.t{A.length r_ringbuffer == US.v max_size}) @@ -2894,9 +2906,9 @@ val allocate_slab_aux_4 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun idxs -> @@ -2912,9 +2924,9 @@ val allocate_slab_aux_4 ) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (requires fun h0 -> @@ -2974,24 +2986,24 @@ val allocate_slab_aux_4 #push-options "--z3rlimit 200 --compat_pre_typed_indexed_effects" let allocate_slab_aux_4 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count: ref US.t) - (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) - (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) - (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) + sc + slab_region + md_bm_region + md_region + md_count + r_idxs + md_count_v + md_region_lv + idx1 idx2 idx3 idx4 idx5 idx6 idx7 = (**) let gs0 = gget (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) in - let r = allocate_slab_aux_4_aux1 size_class + let r = allocate_slab_aux_4_aux1 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in - allocate_slab_aux_4_aux2 size_class + allocate_slab_aux_4_aux2 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 r; @@ -3011,36 +3023,36 @@ let allocate_slab_aux_4 inline_for_extraction noextract let allocate_slab' - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel (array U8.t) ( vptr md_count `star` A.varray r_idxs `star` - right_vprop slab_region md_bm_region md_region md_count_v `star` + right_vprop sc slab_region md_bm_region md_region md_count_v `star` (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun r -> (if (A.is_null r) then emp else A.varray r) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -3061,10 +3073,10 @@ let allocate_slab' ) (ensures fun _ r _ -> not (A.is_null r) ==> ( - A.length r == U32.v size_class /\ + A.length r == U32.v sc.sc /\ same_base_array r slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v page_size) % (U32.v size_class) == 0 + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v sc.slab_size) % (U32.v sc.sc) == 0 ) ) = @@ -3075,12 +3087,12 @@ let allocate_slab' // Lemma above used to derive assert (US.v md_count_v <> AL.null); // TODO! - let r = allocate_slab_aux_2 size_class + let r = allocate_slab_aux_2 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; A.varrayp_not_null r P.full_perm; change_equal_slprop @@ -3094,12 +3106,12 @@ let allocate_slab' // Lemma above used to derive assert (US.v md_count_v <> AL.null); // TODO! - let r = allocate_slab_aux_1 size_class + let r = allocate_slab_aux_1 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; A.varrayp_not_null r P.full_perm; change_equal_slprop @@ -3109,17 +3121,17 @@ let allocate_slab' ) else ( let b = US.gte idx7 quarantine_queue_threshold in if enable_quarantine && b then ( - let idxs = allocate_slab_aux_4 size_class + let idxs = allocate_slab_aux_4 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in - let r = allocate_slab_aux_1 size_class + let r = allocate_slab_aux_1 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v idxs.x) 0ul)) idxs.x idx2 idx3 idx4 idxs.y idxs.z idxs.w in A.varrayp_not_null r P.full_perm; pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; change_equal_slprop (A.varray r) @@ -3127,9 +3139,9 @@ let allocate_slab' return r ) else ( let md_count_v' = read md_count in - let b = US.lte (US.add md_count_v' guard_pages_interval) metadata_max in + let b = US.lte (US.add md_count_v' guard_pages_interval) sc.md_max in if b then ( - allocate_slab_aux_3 size_class + allocate_slab_aux_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7; @@ -3168,7 +3180,7 @@ let allocate_slab' (US.v idx7) m ); - let r = allocate_slab_aux_1 size_class + let r = allocate_slab_aux_1 sc slab_region md_bm_region md_region md_count r_idxs (US.add md_count_v guard_pages_interval) (G.hide (Seq.append @@ -3182,7 +3194,7 @@ let allocate_slab' (US.sub (US.add md_count_v guard_pages_interval) 1sz) idx5 idx6 idx7 in pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs (US.add md_count_v guard_pages_interval); A.varrayp_not_null r P.full_perm; @@ -3191,12 +3203,12 @@ let allocate_slab' (if (A.is_null r) then emp else A.varray r); return r ) else ( - pack_3 size_class + pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7; pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; change_equal_slprop @@ -3213,8 +3225,8 @@ let allocate_slab' #push-options "--z3rlimit 300 --compat_pre_typed_indexed_effects" let allocate_slab - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) @@ -3223,23 +3235,23 @@ let allocate_slab ( vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (fun r -> (if (A.is_null r) then emp else A.varray r) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun _ -> True) (ensures fun _ r _ -> not (A.is_null r) ==> ( - A.length r == U32.v size_class /\ + A.length r == U32.v sc.sc /\ same_base_array r slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v page_size) % (U32.v size_class) == 0 + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v sc.slab_size) % (U32.v sc.sc) == 0 ) ) = @@ -3247,28 +3259,28 @@ let allocate_slab : G.erased _ = elim_vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) in + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) in let md_count_v_ = read md_count in change_equal_slprop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs (G.reveal md_count_v)) - (left_vprop size_class slab_region md_bm_region md_region + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs (G.reveal md_count_v)) + (left_vprop sc slab_region md_bm_region md_region r_idxs md_count_v_ `star` - right_vprop slab_region md_bm_region md_region md_count_v_); + right_vprop sc slab_region md_bm_region md_region md_count_v_); change_equal_slprop - (left_vprop size_class slab_region md_bm_region md_region + (left_vprop sc slab_region md_bm_region md_region r_idxs md_count_v_) (left_vprop1 md_region r_idxs md_count_v_ `vdep` - left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v_); + left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v_); let x : G.erased _ = elim_vdep (left_vprop1 md_region r_idxs md_count_v_) - (left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v_) in + (left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v_) in let idxs : G.erased _ @@ -3336,18 +3348,18 @@ let allocate_slab // NOT OK change_equal_slprop - (left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v_ x) - (left_vprop2_aux size_class slab_region md_bm_region md_count_v_ x'); + (left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v_ x) + (left_vprop2_aux sc slab_region md_bm_region md_count_v_ x'); change_equal_slprop - (left_vprop2_aux size_class slab_region md_bm_region md_count_v_ x') + (left_vprop2_aux sc slab_region md_bm_region md_count_v_ x') (starseq #(pos:US.t{US.v pos < US.v md_count_v_}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v_ x') - (f_lemma size_class slab_region md_bm_region md_count_v_ x') + #(t sc) + (f sc slab_region md_bm_region md_count_v_ x') + (f_lemma sc slab_region md_bm_region md_count_v_ x') (SeqUtils.init_us_refined (US.v md_count_v_))); - let r = allocate_slab' size_class + let r = allocate_slab' sc slab_region md_bm_region md_region md_count r_idxs md_count_v_ x' idx1_ idx2_ idx3_ idx4_ idx5_ idx6_ idx7_ in diff --git a/src/SlabsAlloc.fsti b/src/SlabsAlloc.fsti index 531ea98b..49bab81f 100644 --- a/src/SlabsAlloc.fsti +++ b/src/SlabsAlloc.fsti @@ -21,8 +21,8 @@ open Utils2 include SlabsCommon val allocate_slab - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) @@ -31,22 +31,22 @@ val allocate_slab ( vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (fun r -> (if (A.is_null r) then emp else A.varray r) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun _ -> True) (ensures fun _ r _ -> not (A.is_null r) ==> ( - A.length r == U32.v size_class /\ + A.length r == U32.v sc.sc /\ same_base_array r slab_region /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region) >= 0 /\ - ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v page_size) % (U32.v size_class) == 0 + ((A.offset (A.ptr_of r) - A.offset (A.ptr_of slab_region)) % U32.v sc.slab_size) % (U32.v sc.sc) == 0 ) ) diff --git a/src/SlabsCommon.fst b/src/SlabsCommon.fst index 5c2c75e6..d5a2a89e 100644 --- a/src/SlabsCommon.fst +++ b/src/SlabsCommon.fst @@ -59,15 +59,14 @@ let lemma_partition_and_pred_implies_mem5 Classical.move_requires (ALG.lemma_mem_implies_pred pred5 hd5 s) idx #pop-options -let t (size_class: sc) : Type0 = +let t size_class : Type0 = dtuple2 (x:Seq.lseq U64.t 4{slab_vprop_aux2 size_class x}) - (fun _ -> Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) (U32.v (nb_slots size_class))) - & Seq.lseq U8.t (U32.v page_size - US.v (rounding size_class)) + (fun _ -> Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) (U32.v (nb_slots size_class))) + & Seq.lseq U8.t (U32.v size_class.slab_size - US.v (rounding size_class)) #push-options "--fuel 0 --ifuel 0 --z3rlimit 50" -let empty_md_is_properly_zeroed - (size_class: sc) +let empty_md_is_properly_zeroed size_class : Lemma (slab_vprop_aux2 size_class (Seq.create 4 0UL)) = @@ -88,14 +87,12 @@ let empty_md_is_properly_zeroed let empty_t size_class = empty_md_is_properly_zeroed size_class; - ((| Seq.create 4 0UL, Seq.create (U32.v (nb_slots size_class)) (Ghost.hide None) |), Seq.create (U32.v page_size - US.v (rounding size_class)) U8.zero) + ((| Seq.create 4 0UL, Seq.create (U32.v (nb_slots size_class)) (Ghost.hide None) |), Seq.create (U32.v size_class.slab_size - US.v (rounding size_class)) U8.zero) #push-options "--z3rlimit 50 --compat_pre_typed_indexed_effects" -let p_empty_unpack (#opened:_) - (sc: sc) - (b1 b2: blob) +let p_empty_unpack sc b1 b2 = change_slprop_rel ((p_empty sc) b1) @@ -108,9 +105,7 @@ let p_empty_unpack (#opened:_) (slab_vprop sc (snd b2) (fst b2)) (fun ((|s,_|),_) -> is_empty sc s == true) -let p_partial_unpack (#opened:_) - (sc: sc) - (b1 b2: blob) +let p_partial_unpack sc b1 b2 = change_slprop_rel ((p_partial sc) b1) @@ -123,9 +118,7 @@ let p_partial_unpack (#opened:_) (slab_vprop sc (snd b2) (fst b2)) (fun ((|s,_|),_) -> is_partial sc s == true) -let p_full_unpack (#opened:_) - (sc: sc) - (b1 b2: blob) +let p_full_unpack sc b1 b2 = change_slprop_rel ((p_full sc) b1) @@ -138,9 +131,7 @@ let p_full_unpack (#opened:_) (slab_vprop sc (snd b2) (fst b2)) (fun ((|s,_|),_) -> is_full sc s == true) -let p_empty_pack (#opened:_) - (sc: sc) - (b1 b2: blob) +let p_empty_pack sc b1 b2 = VR2.intro_vrefine (slab_vprop sc (snd b1) (fst b1)) @@ -153,9 +144,7 @@ let p_empty_pack (#opened:_) (fun x y -> x == y) (fun _ -> ()) -let p_partial_pack (#opened:_) - (sc: sc) - (b1 b2: blob) +let p_partial_pack sc b1 b2 = VR2.intro_vrefine (slab_vprop sc (snd b1) (fst b1)) @@ -168,9 +157,7 @@ let p_partial_pack (#opened:_) (fun x y -> x == y) (fun _ -> ()) -let p_full_pack (#opened:_) - (sc: sc) - (b1 b2: blob) +let p_full_pack sc b1 b2 = VR2.intro_vrefine (slab_vprop sc (snd b1) (fst b1)) @@ -183,72 +170,54 @@ let p_full_pack (#opened:_) (fun x y -> x == y) (fun _ -> ()) -let p_guard_pack (#opened:_) size_class b +let p_guard_pack size_class b = - intro_vrewrite (guard_slab (snd b) `star` A.varray (fst b)) (fun _ -> empty_t size_class) + intro_vrewrite (guard_slab size_class (snd b) `star` A.varray (fst b)) (fun _ -> empty_t size_class) -let p_quarantine_pack (#opened:_) size_class b +let p_quarantine_pack sc b = VR2.intro_vrefine - (quarantine_slab (snd b) `star` A.varray (fst b)) + (quarantine_slab sc (snd b) `star` A.varray (fst b)) (fun (_,s) -> s `Seq.equal` Seq.create 4 0UL); intro_vrewrite - (quarantine_slab (snd b) `star` A.varray (fst b) + (quarantine_slab sc (snd b) `star` A.varray (fst b) `VR2.vrefine` (fun (_,s) -> s `Seq.equal` Seq.create 4 0UL)) - (fun _ -> empty_t size_class) + (fun _ -> empty_t sc) -let p_quarantine_unpack (#opened:_) size_class b +let p_quarantine_unpack sc b = elim_vrewrite - (quarantine_slab (snd b) `star` A.varray (fst b) + (quarantine_slab sc (snd b) `star` A.varray (fst b) `VR2.vrefine` (fun (_,s) -> s `Seq.equal` Seq.create 4 0UL)) - (fun _ -> empty_t size_class); + (fun _ -> empty_t sc); VR2.elim_vrefine - (quarantine_slab (snd b) `star` A.varray (fst b)) + (quarantine_slab sc (snd b) `star` A.varray (fst b)) (fun (_,s) -> s `Seq.equal` Seq.create 4 0UL) #pop-options #restart-solver - -inline_for_extraction noextract let slab_array - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_count: US.t{US.v md_count < US.v metadata_max}) - : Pure (array U8.t) - (requires - A.length slab_region = US.v metadata_max * U32.v page_size /\ - US.v md_count < US.v metadata_max) - (ensures fun r -> - A.length r = U32.v page_size /\ - same_base_array r slab_region /\ - A.offset (A.ptr_of r) == A.offset (A.ptr_of slab_region) + US.v md_count * U32.v page_size - ) + sc + slab_region + md_count = let ptr = A.ptr_of slab_region in - let page_size_t = u32_to_sz page_size in + let page_size_t = u32_to_sz sc.slab_size in let shift_size_t = US.mul md_count page_size_t in let ptr_shifted = A.ptr_shift ptr shift_size_t in - (|ptr_shifted, G.hide (U32.v page_size)|) + (|ptr_shifted, G.hide (U32.v sc.slab_size)|) -let pack_slab_array (#opened:_) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_count: US.t{US.v md_count < US.v metadata_max}) - : SteelGhost unit opened - (A.varray (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size))) - (fun _ -> A.varray (slab_array slab_region md_count)) - (requires fun _ -> True) - (ensures fun h0 _ h1 -> - A.asel (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size)) h0 == - A.asel (slab_array slab_region md_count) h1) +let pack_slab_array + sc + slab_region + md_count = change_equal_slprop - (A.varray (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size))) - (A.varray (slab_array slab_region md_count)) - + (A.varray (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) (u32_to_sz sc.slab_size))) + (A.varray (slab_array sc slab_region md_count)) -inline_for_extraction noextract let md_bm_array (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_count: US.t{US.v md_count < US.v metadata_max}) @@ -280,7 +249,6 @@ let pack_md_bm_array (#opened:_) (A.varray (A.split_l (A.split_r md_bm_region (US.mul md_count 4sz)) 4sz)) (A.varray (md_bm_array md_bm_region md_count)) -inline_for_extraction noextract let md_array (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: US.t{US.v md_count < US.v metadata_max}) @@ -327,18 +295,15 @@ let unpack_md_array (#opened:_) (A.varray (A.split_l (A.split_r md_region md_count) 1sz)) let f_lemma - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) - (md_region_lv: Seq.lseq AL.status (US.v md_count_v)) - (i: US.t{US.v i < US.v md_count_v}) - : Lemma - (t_of (f size_class slab_region md_bm_region md_count_v md_region_lv i) - == t size_class) + sc + slab_region + md_bm_region + md_coutn_v + md_region_lv + i = - slab_vprop_lemma size_class - (slab_array slab_region i) + slab_vprop_lemma sc + (slab_array sc slab_region i) (md_bm_array md_bm_region i) #restart-solver @@ -400,16 +365,15 @@ let ind_varraylist_aux2_lemma Seq.lemma_eq_intro idxs s let pack_3 - (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count: ref US.t) + sc + slab_region + md_bm_region + md_region + md_count r_idxs - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) - (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) - (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) + md_count_v + md_region_lv + idx1 idx2 idx3 idx4 idx5 idx6 idx7 = let h0 = get () in let idxs : G.erased (Seq.lseq US.t 7) @@ -448,44 +412,44 @@ let pack_3 change_equal_slprop (starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) - (f_lemma size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + (f_lemma sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) (SeqUtils.init_us_refined (US.v md_count_v))) - (left_vprop2_aux size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)); + (left_vprop2_aux sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)); intro_vdep (left_vprop1 md_region r_idxs md_count_v) - (left_vprop2_aux size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) - (left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v); + (left_vprop2_aux sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + (left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v); intro_vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) - (left_vprop size_class slab_region md_bm_region md_region r_idxs md_count_v) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) + (left_vprop sc slab_region md_bm_region md_region r_idxs md_count_v) #pop-options #restart-solver let lemma_slab_aux_starseq - (size_class: sc) + (sc: sc_full) (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx:nat{idx < US.v md_count_v}) (v:AL.status) : Lemma - (let f1 = f size_class slab_region md_bm_region md_count_v md_region_lv in - let f2 = f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) idx v) in + (let f1 = f sc slab_region md_bm_region md_count_v md_region_lv in + let f2 = f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) idx v) in let s = SeqUtils.init_us_refined (US.v md_count_v) in forall (k:nat{k <> idx /\ k < Seq.length s}). f1 (Seq.index s k) == f2 (Seq.index s k)) = - let f1 = f size_class slab_region md_bm_region md_count_v md_region_lv in - let f2 = f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) idx v) in + let f1 = f sc slab_region md_bm_region md_count_v md_region_lv in + let f2 = f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) idx v) in let md_region_lv' = Seq.upd (G.reveal md_region_lv) idx v in let s = SeqUtils.init_us_refined (US.v md_count_v) in let aux (k:nat{k <> idx /\ k < Seq.length s}) @@ -497,115 +461,71 @@ let lemma_slab_aux_starseq #push-options "--z3rlimit 75 --compat_pre_typed_indexed_effects" let pack_slab_starseq - (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count: ref US.t) - //(r_idxs: array US.t{A.length r_idxs = 7}) - //(r1 r2 r3 r4 r5: ref US.t) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) - (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) - (idx: US.t{US.v idx < US.v md_count_v}) - (v: AL.status) - : SteelGhost unit opened - ( - slab_vprop size_class - (slab_array slab_region idx) - (md_bm_array md_bm_region idx) `star` - (starseq - #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) - (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) 0 (US.v idx)) `star` - starseq - #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) - (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx + 1) (Seq.length (SeqUtils.init_us_refined (US.v md_count_v))))) - ) - (fun _ -> - starseq - #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v)) - (SeqUtils.init_us_refined (US.v md_count_v)) - ) - (requires fun h0 -> - let md_blob : t_of (slab_vprop size_class - (slab_array slab_region idx) - (md_bm_array md_bm_region idx)) - = h0 (slab_vprop size_class - (slab_array slab_region idx) - (md_bm_array md_bm_region idx)) in - let md : Seq.lseq U64.t 4 = dfst (fst md_blob) in - v <> 4ul /\ v <> 3ul /\ - (v == 2ul ==> is_full size_class md) /\ - (v == 1ul ==> is_partial size_class md) /\ - (v == 0ul ==> is_empty size_class md) /\ - idx <> AL.null_ptr - ) - (ensures fun h0 _ h1 -> True) + sc + slab_region + md_bm_region + md_region + md_count + md_count_v + md_region_lv + idx + v = SeqUtils.init_us_refined_index (US.v md_count_v) (US.v idx); if (U32.eq v 2ul) then ( - p_full_pack size_class + p_full_pack sc (md_bm_array md_bm_region idx, - slab_array slab_region idx) + slab_array sc slab_region idx) (md_bm_array md_bm_region idx, - slab_array slab_region idx); + slab_array sc slab_region idx); change_equal_slprop - (p_full size_class (md_bm_array md_bm_region idx, slab_array slab_region idx)) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v) + (p_full sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx)) + (f sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v) (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx))) ) else if (U32.eq v 1ul) then ( - p_partial_pack size_class + p_partial_pack sc (md_bm_array md_bm_region idx, - slab_array slab_region idx) + slab_array sc slab_region idx) (md_bm_array md_bm_region idx, - slab_array slab_region idx); + slab_array sc slab_region idx); change_equal_slprop - (p_partial size_class (md_bm_array md_bm_region idx, slab_array slab_region idx)) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v) + (p_partial sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx)) + (f sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v) (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx))) ) else ( - p_empty_pack size_class + p_empty_pack sc (md_bm_array md_bm_region idx, - slab_array slab_region idx) + slab_array sc slab_region idx) (md_bm_array md_bm_region idx, - slab_array slab_region idx); + slab_array sc slab_region idx); change_equal_slprop - (p_empty size_class (md_bm_array md_bm_region idx, slab_array slab_region idx)) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v) + (p_empty sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx)) + (f sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v) (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx))) ); - lemma_slab_aux_starseq size_class + lemma_slab_aux_starseq sc slab_region md_bm_region md_region md_count_v md_region_lv (US.v idx) v; starseq_upd_pack #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) v)) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) v)) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) v)) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) v)) (SeqUtils.init_us_refined (US.v md_count_v)) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx) #pop-options let is_empty_and_slab_vprop_aux2_implies_zeroed - (size_class: sc) + (sc: sc_full) (md: Seq.lseq U64.t 4) : Lemma (requires - is_empty size_class md /\ - slab_vprop_aux2 size_class md + is_empty sc md /\ + slab_vprop_aux2 sc md ) (ensures md `Seq.equal` Seq.create 4 0UL @@ -614,7 +534,8 @@ let is_empty_and_slab_vprop_aux2_implies_zeroed () #push-options "--z3rlimit 40" -let upd_and_pack_slab_starseq_quarantine size_class +let upd_and_pack_slab_starseq_quarantine + sc slab_region md_bm_region md_region @@ -623,31 +544,31 @@ let upd_and_pack_slab_starseq_quarantine size_class md_region_lv idx = - let md_as_seq = elim_slab_vprop size_class - (md_bm_array md_bm_region idx) (slab_array slab_region idx) in - Helpers.intro_empty_slab_varray size_class md_as_seq (slab_array slab_region idx); - mmap_trap_quarantine - (slab_array slab_region idx) - (u32_to_sz page_size); + let md_as_seq = elim_slab_vprop sc + (md_bm_array md_bm_region idx) (slab_array sc slab_region idx) in + Helpers.intro_empty_slab_varray sc md_as_seq (slab_array sc slab_region idx); + mmap_trap_quarantine sc + (slab_array sc slab_region idx) + (u32_to_sz sc.slab_size); SeqUtils.init_us_refined_index (US.v md_count_v) (US.v idx); - is_empty_and_slab_vprop_aux2_implies_zeroed size_class md_as_seq; - p_quarantine_pack size_class (md_bm_array md_bm_region idx, slab_array slab_region idx); + is_empty_and_slab_vprop_aux2_implies_zeroed sc md_as_seq; + p_quarantine_pack sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx); change_equal_slprop - (p_quarantine size_class (md_bm_array md_bm_region idx, slab_array slab_region idx)) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) 4ul) + (p_quarantine sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx)) + (f sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) 4ul) (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx))); - lemma_slab_aux_starseq size_class + lemma_slab_aux_starseq sc slab_region md_bm_region md_region md_count_v md_region_lv (US.v idx) 4ul; starseq_upd_pack #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) 4ul)) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) 4ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) 4ul)) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) 4ul)) (SeqUtils.init_us_refined (US.v md_count_v)) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx) @@ -655,66 +576,27 @@ let upd_and_pack_slab_starseq_quarantine size_class #push-options "--z3rlimit 20 --compat_pre_typed_indexed_effects" let pack_right_and_refactor_vrefine_dep - (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (md_count: ref US.t) - (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) - : SteelGhost unit opened - ( - vrefinedep - (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) - `star` - right_vprop slab_region md_bm_region md_region md_count_v - ) - (fun _ -> - vrefinedep - (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) - ) - (requires fun h0 -> - let blob0 - = h0 (vrefinedep - (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) - ) in - md_count_v == dfst blob0) - (ensures fun h0 _ h1 -> - let blob0 - = h0 (vrefinedep - (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) - ) in - let blob1 - = h1 (vrefinedep - (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) - ) in - dfst blob0 == dfst blob1 - ) + sc + slab_region + md_bm_region + md_region + md_count + r_idxs + md_count_v = let md_count_v' = elim_vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) in + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) in assert (G.reveal md_count_v' == md_count_v); change_equal_slprop - (right_vprop slab_region md_bm_region md_region md_count_v) - (right_vprop slab_region md_bm_region md_region (G.reveal md_count_v')); + (right_vprop sc slab_region md_bm_region md_region md_count_v) + (right_vprop sc slab_region md_bm_region md_region (G.reveal md_count_v')); intro_vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) - (left_vprop size_class slab_region md_bm_region md_region r_idxs (G.reveal md_count_v') `star` - right_vprop slab_region md_bm_region md_region (G.reveal md_count_v')) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) + (left_vprop sc slab_region md_bm_region md_region r_idxs (G.reveal md_count_v') `star` + right_vprop sc slab_region md_bm_region md_region (G.reveal md_count_v')) #pop-options diff --git a/src/SlabsCommon.fsti b/src/SlabsCommon.fsti index bbe8e792..83c73da0 100644 --- a/src/SlabsCommon.fsti +++ b/src/SlabsCommon.fsti @@ -99,48 +99,48 @@ val lemma_partition_and_pred_implies_mem5 open Guards open Quarantine -val t (size_class: sc) : Type0 +val t (size_class: sc_full) : Type0 val empty_md_is_properly_zeroed - (size_class: sc) + (size_class: sc_full) : Lemma (slab_vprop_aux2 size_class (Seq.create 4 0UL)) /// A trivial, non-informative selector for quarantined and guard pages inline_for_extraction noextract -val empty_t (size_class:sc) : t size_class +val empty_t (size_class:sc_full) : t size_class unfold -let blob +let blob (size_class: sc_full) = slab_metadata & - (arr:array U8.t{A.length arr = U32.v page_size}) + (arr:array U8.t{A.length arr = U32.v size_class.slab_size}) /// Predicates capturing that a slab is empty, partially full, or full respectively -let p_empty (size_class: sc) : blob -> vprop +let p_empty (size_class: sc_full) : blob size_class -> vprop = - fun (b:blob) -> + fun b -> slab_vprop size_class (snd b) (fst b) `VR2.vrefine` (fun ((|s,_|),_) -> is_empty size_class s == true) -let p_partial (size_class: sc) : blob -> vprop +let p_partial (size_class: sc_full) : blob size_class -> vprop = - fun (b:blob) -> + fun b -> slab_vprop size_class (snd b) (fst b) `VR2.vrefine` (fun ((|s,_|),_) -> is_partial size_class s == true) -let p_full (size_class: sc) : blob -> vprop +let p_full (size_class: sc_full) : blob size_class -> vprop = - fun (b:blob) -> + fun b -> slab_vprop size_class (snd b) (fst b) `VR2.vrefine` (fun ((|s,_|),_) -> is_full size_class s == true) -let p_guard (sc:sc) : blob -> vprop +let p_guard (sc:sc_full) : blob sc -> vprop = - fun (b:blob) -> - (guard_slab (snd b) `star` A.varray (fst b)) + fun b -> + (guard_slab sc (snd b) `star` A.varray (fst b)) `vrewrite` (fun _ -> empty_t sc) //( @@ -149,18 +149,18 @@ let p_guard (sc:sc) : blob -> vprop // (fun (_,s) -> s `Seq.equal` Seq.create 4 0UL) //) `vrewrite` (fun _ -> empty_t sc) -let p_quarantine (sc:sc) : blob -> vprop +let p_quarantine (sc:sc_full) : blob sc -> vprop = - fun (b:blob) -> + fun b -> ( - (quarantine_slab (snd b) `star` A.varray (fst b)) + (quarantine_slab sc (snd b) `star` A.varray (fst b)) `VR2.vrefine` (fun (_,s) -> s `Seq.equal` Seq.create 4 0UL) ) `vrewrite` (fun _ -> empty_t sc) val p_empty_unpack (#opened:_) - (sc: sc) - (b1 b2: blob) + (sc: sc_full) + (b1 b2: blob sc) : SteelGhost unit opened ((p_empty sc) b1) (fun _ -> slab_vprop sc (snd b2) (fst b2)) @@ -178,9 +178,8 @@ val p_empty_unpack (#opened:_) ) val p_partial_unpack (#opened:_) - (sc: sc) - (b1: blob) - (b2: blob) + (sc: sc_full) + (b1 b2: blob sc) : SteelGhost unit opened ((p_partial sc) b1) (fun _ -> slab_vprop sc (snd b2) (fst b2)) @@ -198,9 +197,8 @@ val p_partial_unpack (#opened:_) ) val p_full_unpack (#opened:_) - (sc: sc) - (b1: blob) - (b2: blob) + (sc: sc_full) + (b1 b2: blob sc) : SteelGhost unit opened ((p_full sc) b1) (fun _ -> slab_vprop sc (snd b2) (fst b2)) @@ -218,9 +216,8 @@ val p_full_unpack (#opened:_) ) val p_empty_pack (#opened:_) - (sc: sc) - (b1: blob) - (b2: blob) + (sc: sc_full) + (b1 b2: blob sc) : SteelGhost unit opened (slab_vprop sc (snd b1) (fst b1)) (fun _ -> (p_empty sc) b2) @@ -240,9 +237,8 @@ val p_empty_pack (#opened:_) ) val p_partial_pack (#opened:_) - (sc: sc) - (b1: blob) - (b2: blob) + (sc: sc_full) + (b1 b2: blob sc) : SteelGhost unit opened (slab_vprop sc (snd b1) (fst b1)) (fun _ -> (p_partial sc) b2) @@ -262,9 +258,8 @@ val p_partial_pack (#opened:_) ) val p_full_pack (#opened:_) - (sc: sc) - (b1: blob) - (b2: blob) + (sc: sc_full) + (b1 b2: blob sc) : SteelGhost unit opened (slab_vprop sc (snd b1) (fst b1)) (fun _ -> (p_full sc) b2) @@ -284,17 +279,17 @@ val p_full_pack (#opened:_) ) val p_guard_pack (#opened:_) - (size_class:sc) - (b: blob) + (size_class:sc_full) + (b: blob size_class) : SteelGhostT unit opened - (guard_slab (snd b) `star` A.varray (fst b)) + (guard_slab size_class (snd b) `star` A.varray (fst b)) (fun _ -> p_guard size_class b) val p_quarantine_pack (#opened:_) - (size_class:sc) - (b: blob) + (size_class:sc_full) + (b: blob size_class) : SteelGhost unit opened - (quarantine_slab (snd b) `star` A.varray (fst b)) + (quarantine_slab size_class (snd b) `star` A.varray (fst b)) (fun _ -> p_quarantine size_class b) (requires fun h0 -> let s : Seq.lseq U64.t 4 = A.asel (fst b) h0 in @@ -303,11 +298,11 @@ val p_quarantine_pack (#opened:_) (ensures fun _ _ _ -> True) val p_quarantine_unpack (#opened:_) - (size_class:sc) - (b: blob) + (size_class:sc_full) + (b: blob size_class) : SteelGhost unit opened (p_quarantine size_class b) - (fun _ -> quarantine_slab (snd b) `star` A.varray (fst b)) + (fun _ -> quarantine_slab size_class (snd b) `star` A.varray (fst b)) (requires fun _ -> True) (ensures fun _ _ h1 -> let s : Seq.lseq U64.t 4 = A.asel (fst b) h1 in @@ -319,30 +314,32 @@ val p_quarantine_unpack (#opened:_) /// Retrieving the slab at index [md_count] in the [slab_region] inline_for_extraction noextract val slab_array - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_count: US.t{US.v md_count < US.v metadata_max}) + (sc: sc_full) + (slab_region: array U8.t) + (md_count: US.t) : Pure (array U8.t) (requires - A.length slab_region = US.v metadata_max * U32.v page_size /\ - US.v md_count < US.v metadata_max) + A.length slab_region = US.v sc.md_max * U32.v sc.slab_size /\ + US.v md_count < US.v sc.md_max) (ensures fun r -> - A.length r = U32.v page_size /\ + A.length r = U32.v sc.slab_size /\ same_base_array r slab_region /\ - A.offset (A.ptr_of r) == A.offset (A.ptr_of slab_region) + US.v md_count * U32.v page_size + A.offset (A.ptr_of r) == A.offset (A.ptr_of slab_region) + US.v md_count * U32.v sc.slab_size ) #push-options "--print_implicits" val pack_slab_array (#opened:_) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) - (md_count: US.t{US.v md_count < US.v metadata_max}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) + (md_count: US.t{US.v md_count < US.v sc.md_max}) : SteelGhost unit opened - (A.varray (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size))) - (fun _ -> A.varray (slab_array slab_region md_count)) + (A.varray (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) (u32_to_sz sc.slab_size))) + (fun _ -> A.varray (slab_array sc slab_region md_count)) (requires fun _ -> True) (ensures fun h0 _ h1 -> - A.asel (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz page_size))) (u32_to_sz page_size)) h0 == - A.asel (slab_array slab_region md_count) h1) + A.asel (A.split_l (A.split_r slab_region (US.mul md_count (u32_to_sz sc.slab_size))) (u32_to_sz sc.slab_size)) h0 == + A.asel (slab_array sc slab_region md_count) h1) /// Retrieving the metadata bitmap at index [md_count] in array [md_bm_region] inline_for_extraction noextract @@ -412,31 +409,31 @@ val unpack_md_array (#opened:_) // TODO: Document what the vprops represent let f - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: Seq.lseq AL.status (US.v md_count_v)) (i: US.t{US.v i < US.v md_count_v}) : vprop = match Seq.index md_region_lv (US.v i) with - | 0ul -> p_empty size_class (md_bm_array md_bm_region i, slab_array slab_region i) - | 1ul -> p_partial size_class (md_bm_array md_bm_region i, slab_array slab_region i) - | 2ul -> p_full size_class (md_bm_array md_bm_region i, slab_array slab_region i) - | 3ul -> p_guard size_class (md_bm_array md_bm_region i, slab_array slab_region i) - | 4ul -> p_quarantine size_class (md_bm_array md_bm_region i, slab_array slab_region i) + | 0ul -> p_empty sc (md_bm_array md_bm_region i, slab_array sc slab_region i) + | 1ul -> p_partial sc (md_bm_array md_bm_region i, slab_array sc slab_region i) + | 2ul -> p_full sc (md_bm_array md_bm_region i, slab_array sc slab_region i) + | 3ul -> p_guard sc (md_bm_array md_bm_region i, slab_array sc slab_region i) + | 4ul -> p_quarantine sc (md_bm_array md_bm_region i, slab_array sc slab_region i) val f_lemma - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: Seq.lseq AL.status (US.v md_count_v)) (i: US.t{US.v i < US.v md_count_v}) : Lemma - (t_of (f size_class slab_region md_bm_region md_count_v md_region_lv i) - == t size_class) + (t_of (f sc slab_region md_bm_region md_count_v md_region_lv i) + == t sc) let ind_varraylist_aux2 (r_varraylist: A.array AL.cell) @@ -522,92 +519,93 @@ let left_vprop1 r_idxs let left_vprop2_aux - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (x: Seq.lseq AL.status (US.v md_count_v)) : vprop = starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v x) - (f_lemma size_class slab_region md_bm_region md_count_v x) + #(t sc) + (f sc slab_region md_bm_region md_count_v x) + (f_lemma sc slab_region md_bm_region md_count_v x) (SeqUtils.init_us_refined (US.v md_count_v)) let left_vprop2 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (r_idxs: A.array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (x: t_of (ind_varraylist (A.split_l md_region md_count_v) r_idxs)) : vprop = starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (ALG.dataify (dsnd x))) - (f_lemma size_class slab_region md_bm_region md_count_v (ALG.dataify (dsnd x))) + #(t sc) + (f sc slab_region md_bm_region md_count_v (ALG.dataify (dsnd x))) + (f_lemma sc slab_region md_bm_region md_count_v (ALG.dataify (dsnd x))) (SeqUtils.init_us_refined (US.v md_count_v)) let left_vprop - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (r_idxs: A.array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) = left_vprop1 md_region r_idxs md_count_v `vdep` - left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v + left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v unfold -let vrefinedep_prop (x:US.t) : prop = - US.v x <= US.v metadata_max /\ +let vrefinedep_prop (sc: sc_full) (x:US.t): prop = + US.v x <= US.v sc.md_max /\ US.v x <> AL.null let right_vprop - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) - (v: US.t{US.v v <= US.v metadata_max}) + (v: US.t{US.v v <= US.v sc.md_max}) : vprop = - (A.varray (A.split_r slab_region (US.mul v (u32_to_sz page_size))) + (A.varray (A.split_r slab_region (US.mul v (u32_to_sz sc.slab_size))) `vrefine` zf_u8) `star` (A.varray (A.split_r md_bm_region (US.mul v 4sz)) `vrefine` zf_u64) `star` A.varray (A.split_r md_region v) let size_class_vprop_aux - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (r_idxs: array US.t{A.length r_idxs = 7}) - (v: US.t{US.v v <= US.v metadata_max == true}) + (v: US.t{US.v v <= US.v sc.md_max == true}) : vprop = - left_vprop size_class + left_vprop sc slab_region md_bm_region md_region r_idxs v `star` - right_vprop + right_vprop sc slab_region md_bm_region md_region v open SteelVRefineDep val pack_3 (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : SteelGhost unit opened @@ -619,16 +617,16 @@ val pack_3 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) - (f_lemma size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + (f_lemma sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -652,144 +650,144 @@ val pack_3 let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) val pack_slab_starseq (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) //(r1 r2 r3 r4 r5: ref US.t) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx: US.t{US.v idx < US.v md_count_v}) (v: AL.status) : SteelGhost unit opened ( - slab_vprop size_class - (slab_array slab_region idx) + slab_vprop sc + (slab_array sc slab_region idx) (md_bm_array md_bm_region idx) `star` (starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) 0 (US.v idx)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx + 1) (Seq.length (SeqUtils.init_us_refined (US.v md_count_v))))) ) (fun _ -> starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) v)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (requires fun h0 -> - let md_blob : t_of (slab_vprop size_class - (slab_array slab_region idx) + let md_blob : t_of (slab_vprop sc + (slab_array sc slab_region idx) (md_bm_array md_bm_region idx)) - = h0 (slab_vprop size_class - (slab_array slab_region idx) + = h0 (slab_vprop sc + (slab_array sc slab_region idx) (md_bm_array md_bm_region idx)) in let md : Seq.lseq U64.t 4 = dfst (fst md_blob) in v <> 4ul /\ v <> 3ul /\ - (v == 2ul ==> is_full size_class md) /\ - (v == 1ul ==> is_partial size_class md) /\ - (v == 0ul ==> is_empty size_class md) /\ + (v == 2ul ==> is_full sc md) /\ + (v == 1ul ==> is_partial sc md) /\ + (v == 0ul ==> is_empty sc md) /\ idx <> AL.null_ptr ) (ensures fun _ _ _ -> True) inline_for_extraction noextract val upd_and_pack_slab_starseq_quarantine - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx: US.t{US.v idx < US.v md_count_v}) : Steel unit ( - slab_vprop size_class - (slab_array slab_region idx) + slab_vprop sc + (slab_array sc slab_region idx) (md_bm_array md_bm_region idx) `star` (starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) 0 (US.v idx)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx + 1) (Seq.length (SeqUtils.init_us_refined (US.v md_count_v))))) ) (fun _ -> starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) 4ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) 4ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) 4ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd md_region_lv (US.v idx) 4ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (requires fun h0 -> - let md_blob : t_of (slab_vprop size_class - (slab_array slab_region idx) + let md_blob : t_of (slab_vprop sc + (slab_array sc slab_region idx) (md_bm_array md_bm_region idx)) - = h0 (slab_vprop size_class - (slab_array slab_region idx) + = h0 (slab_vprop sc + (slab_array sc slab_region idx) (md_bm_array md_bm_region idx)) in let md : Seq.lseq U64.t 4 = dfst (fst md_blob) in - is_empty size_class md + is_empty sc md ) (ensures fun _ _ _ -> True) val pack_right_and_refactor_vrefine_dep (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) : SteelGhost unit opened ( vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) `star` - right_vprop slab_region md_bm_region md_region md_count_v + right_vprop sc slab_region md_bm_region md_region md_count_v ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let blob0 = h0 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob0 ) @@ -797,14 +795,14 @@ val pack_right_and_refactor_vrefine_dep let blob0 = h0 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) in dfst blob0 == dfst blob1 ) diff --git a/src/SlabsFree.fst b/src/SlabsFree.fst index 5a6bc96e..ebe640e3 100644 --- a/src/SlabsFree.fst +++ b/src/SlabsFree.fst @@ -114,13 +114,13 @@ module FS = FStar.FiniteSet.Base // - idxs.z is the new tl of quarantine list // - idxs.w is the new sz of quarantine list let update_quarantine2_aux - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel tuple4 @@ -281,13 +281,13 @@ let lemma_head1_implies_pred1 (#opened:_) ) let update_quarantine2 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel tuple4 @@ -374,7 +374,7 @@ let update_quarantine2 ); return r ) else ( - let idxs = update_quarantine2_aux size_class + let idxs = update_quarantine2_aux sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in @@ -382,13 +382,13 @@ let update_quarantine2 ) let update_quarantine3_aux - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (idxs: tuple4) @@ -396,17 +396,17 @@ let update_quarantine3_aux ( starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun md_region_lv' -> starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv') - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv') + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv') + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv') (SeqUtils.init_us_refined (US.v md_count_v)) ) (requires fun _ -> @@ -424,26 +424,26 @@ let update_quarantine3_aux (**) starseq_unpack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx); SeqUtils.init_us_refined_index (US.v md_count_v) (US.v idx); (**) change_equal_slprop - (f size_class slab_region md_bm_region md_count_v md_region_lv + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v idx))) - (p_quarantine size_class (md_bm_array md_bm_region idx, slab_array slab_region idx)); - p_quarantine_unpack size_class (md_bm_array md_bm_region idx, slab_array slab_region idx); + (p_quarantine sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx)); + p_quarantine_unpack sc (md_bm_array md_bm_region idx, slab_array sc slab_region idx); let md = gget (A.varray (md_bm_array md_bm_region idx)) in - empty_md_is_properly_zeroed size_class; - Quarantine.mmap_untrap_quarantine (slab_array slab_region idx) (u32_to_sz page_size); - Helpers.slab_to_slots size_class (slab_array slab_region idx); - intro_slab_vprop size_class + empty_md_is_properly_zeroed sc; + Quarantine.mmap_untrap_quarantine sc (slab_array sc slab_region idx) (u32_to_sz sc.slab_size); + Helpers.slab_to_slots sc (slab_array sc slab_region idx); + intro_slab_vprop sc (md_bm_array md_bm_region idx) (Seq.create 4 0UL) - (slab_array slab_region idx); - pack_slab_starseq size_class + (slab_array sc slab_region idx); + pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv @@ -452,25 +452,25 @@ let update_quarantine3_aux starseq_weakening #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) 0ul)) - (f size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv')) - (f_lemma size_class slab_region md_bm_region md_count_v + (f sc slab_region md_bm_region md_count_v (G.reveal md_region_lv')) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v idx) 0ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv')) + (f_lemma sc slab_region md_bm_region md_count_v (G.reveal md_region_lv')) (SeqUtils.init_us_refined (US.v md_count_v)) (SeqUtils.init_us_refined (US.v md_count_v)); md_region_lv' let update_quarantine3 - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (idxs: tuple4) @@ -478,17 +478,17 @@ let update_quarantine3 ( starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun md_region_lv' -> starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv') - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv') + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv') + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv') (SeqUtils.init_us_refined (US.v md_count_v)) ) (requires fun _ -> @@ -515,16 +515,16 @@ let update_quarantine3 starseq_weakening #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f size_class slab_region md_bm_region md_count_v md_region_lv') - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv') + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f sc slab_region md_bm_region md_count_v md_region_lv') + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv') (SeqUtils.init_us_refined (US.v md_count_v)) (SeqUtils.init_us_refined (US.v md_count_v)); return md_region_lv' ) else ( - let md_region_lv' = update_quarantine3_aux size_class + let md_region_lv' = update_quarantine3_aux sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 idxs in @@ -534,32 +534,32 @@ let update_quarantine3 #push-options "--z3rlimit 75 --compat_pre_typed_indexed_effects" inline_for_extraction noextract let deallocate_slab_aux_cond - (size_class: sc) + (sc: sc_full) (md: slab_metadata) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v sc.slab_size}) : Steel bool - (slab_vprop size_class arr md) - (fun _ -> slab_vprop size_class arr md) + (slab_vprop sc arr md) + (fun _ -> slab_vprop sc arr md) (requires fun _ -> True) (ensures fun h0 r h1 -> let blob0 - : t_of (slab_vprop size_class arr md) - = h0 (slab_vprop size_class arr md) in + : t_of (slab_vprop sc arr md) + = h0 (slab_vprop sc arr md) in let blob1 - : t_of (slab_vprop size_class arr md) - = h1 (slab_vprop size_class arr md) in + : t_of (slab_vprop sc arr md) + = h1 (slab_vprop sc arr md) in let v0 : Seq.lseq U64.t 4 = dfst (fst blob0) in dfst (fst blob0) == dfst (fst blob1) /\ dsnd (fst blob0) == dsnd (fst blob1) /\ blob0 == blob1 /\ - r == is_empty size_class v0 + r == is_empty sc v0 ) = assert (t_of (A.varray md) == Seq.lseq U64.t 4); let md_as_seq : G.erased (Seq.lseq U64.t 4) - = elim_slab_vprop size_class md arr in - let r = is_empty_s size_class md in - intro_slab_vprop size_class md md_as_seq arr; + = elim_slab_vprop sc md arr in + let r = is_empty_s sc md in + intro_slab_vprop sc md md_as_seq arr; return r module FS = FStar.FiniteSet.Base @@ -567,13 +567,13 @@ module FS = FStar.FiniteSet.Base // Slab moves from full to partial inline_for_extraction noextract let deallocate_slab_aux_1_partial - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) @@ -586,16 +586,16 @@ let deallocate_slab_aux_1_partial (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -619,8 +619,8 @@ let deallocate_slab_aux_1_partial let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -655,20 +655,20 @@ let deallocate_slab_aux_1_partial ALG.ptrs_all #AL.status (US.v idx1) (US.v pos) (US.v idx3') (US.v idx4) (US.v idx5) gs1); //assert (ALG.partition #AL.status gs1 (US.v idx1) (US.v pos) (US.v idx3')); - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) idx1 pos idx3' idx4 idx5 idx6 idx7 // Slab moves from full to empty inline_for_extraction noextract let deallocate_slab_aux_1_empty - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) @@ -681,16 +681,16 @@ let deallocate_slab_aux_1_empty (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -714,8 +714,8 @@ let deallocate_slab_aux_1_empty let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -749,7 +749,7 @@ let deallocate_slab_aux_1_empty assert (ALG.ptrs_all #AL.status (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) gs0 `FStar.FiniteSet.Base.equal` ALG.ptrs_all #AL.status (US.v pos) (US.v idx2) (US.v idx3') (US.v idx4) (US.v idx5) gs1); - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) pos idx2 idx3' idx4 idx5 idx6 idx7 @@ -758,20 +758,20 @@ let deallocate_slab_aux_1_empty inline_for_extraction noextract let deallocate_slab_aux_1_fail (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) : SteelGhost unit opened ( - slab_vprop size_class - (slab_array slab_region pos) + slab_vprop sc + (slab_array sc slab_region pos) (md_bm_array md_bm_region pos) `star` (vptr md_count `star` A.varray r_idxs `star` @@ -780,36 +780,36 @@ let deallocate_slab_aux_1_fail (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) 0 (US.v pos)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos + 1) (Seq.length (SeqUtils.init_us_refined (US.v md_count_v))))) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7) h0 in - let md_blob : t_of (slab_vprop size_class - (slab_array slab_region pos) + let md_blob : t_of (slab_vprop sc + (slab_array sc slab_region pos) (md_bm_array md_bm_region pos)) - = h0 (slab_vprop size_class - (slab_array slab_region pos) + = h0 (slab_vprop sc + (slab_array sc slab_region pos) (md_bm_array md_bm_region pos)) in let md : Seq.lseq U64.t 4 = dfst (fst md_blob) in let idxs0 = A.asel r_idxs h0 in - is_full size_class md /\ + is_full sc md /\ US.v md_count_v <> AL.null /\ sel md_count h0 == md_count_v /\ Seq.index idxs0 0 == idx1 /\ @@ -827,27 +827,27 @@ let deallocate_slab_aux_1_fail let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = - p_full_pack size_class - (md_bm_array md_bm_region pos, slab_array slab_region pos) - (md_bm_array md_bm_region pos, slab_array slab_region pos); + p_full_pack sc + (md_bm_array md_bm_region pos, slab_array sc slab_region pos) + (md_bm_array md_bm_region pos, slab_array sc slab_region pos); SeqUtils.init_us_refined_index (US.v md_count_v) (US.v pos); change_equal_slprop - (p_full size_class (md_bm_array md_bm_region pos, slab_array slab_region pos)) - (f size_class slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))); + (p_full sc (md_bm_array md_bm_region pos, slab_array sc slab_region pos)) + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))); starseq_pack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos); - pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 @@ -857,13 +857,13 @@ let deallocate_slab_aux_1_fail // Slab moves from full to quarantine inline_for_extraction noextract let deallocate_slab_aux_1_quarantine - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) @@ -876,16 +876,16 @@ let deallocate_slab_aux_1_quarantine (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -909,8 +909,8 @@ let deallocate_slab_aux_1_quarantine let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -919,7 +919,7 @@ let deallocate_slab_aux_1_quarantine (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) in // Ensuring the quarantine is not full by dequeuing if needed - let idxs = update_quarantine2 size_class + let idxs = update_quarantine2 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in @@ -953,7 +953,7 @@ let deallocate_slab_aux_1_quarantine assert (ALG.ptrs_all #AL.status (US.v idxs.x) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idxs.y) gs1 `FS.equal` ALG.ptrs_all #AL.status (US.v idxs.x) (US.v idx2) (US.v idx3') (US.v idx4) (US.v pos) gs2); - let md_region_lv' = update_quarantine3 size_class + let md_region_lv' = update_quarantine3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul) @@ -972,7 +972,7 @@ let deallocate_slab_aux_1_quarantine let gs_idxs1 : G.erased (Seq.lseq US.t 7) = gget (A.varray r_idxs) in - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv' idxs.x idx2 idx3' idx4 pos idxs'.x idxs'.y @@ -986,17 +986,17 @@ open Quarantine inline_for_extraction noextract let deallocate_slab_aux_1 (ptr: array U8.t) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{US.v pos < US.v md_count_v}) - (pos2: US.t{US.v pos2 < U32.v page_size}) + (pos2: US.t{US.v pos2 < U32.v sc.slab_size}) : Steel bool ( A.varray ptr `star` @@ -1007,23 +1007,23 @@ let deallocate_slab_aux_1 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun b -> (if b then emp else A.varray ptr) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7) h0 in - let arr' = slab_array slab_region pos in + let arr' = slab_array sc slab_region pos in let diff = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr') in let idxs0 = A.asel r_idxs h0 in US.v md_count_v <> AL.null /\ @@ -1037,76 +1037,76 @@ let deallocate_slab_aux_1 Seq.index idxs0 6 == idx7 /\ same_base_array arr' ptr /\ 0 <= diff /\ - diff < U32.v page_size /\ - (diff % U32.v page_size) % U32.v size_class == 0 /\ + diff < U32.v sc.slab_size /\ + (diff % U32.v sc.slab_size) % U32.v sc.sc == 0 /\ US.v pos2 == diff /\ ALG.dataify gs0 `Seq.equal` G.reveal md_region_lv /\ ALG.partition #AL.status gs0 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) /\ Seq.index (G.reveal md_region_lv) (US.v pos) = 2ul /\ - A.length ptr == U32.v size_class + A.length ptr == U32.v sc.sc ) (ensures fun _ _ h1 -> let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = (**) starseq_unpack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos); (**) SeqUtils.init_us_refined_index (US.v md_count_v) (US.v pos); (**) change_equal_slprop - (f size_class slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))) - (p_full size_class (md_bm_array md_bm_region pos, slab_array slab_region pos)); - (**) p_full_unpack size_class - (md_bm_array md_bm_region pos, slab_array slab_region pos) - (md_bm_array md_bm_region pos, slab_array slab_region pos); - let b = deallocate_slot size_class + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))) + (p_full sc (md_bm_array md_bm_region pos, slab_array sc slab_region pos)); + (**) p_full_unpack sc + (md_bm_array md_bm_region pos, slab_array sc slab_region pos) + (md_bm_array md_bm_region pos, slab_array sc slab_region pos); + let b = deallocate_slot sc (md_bm_array md_bm_region pos) - (slab_array slab_region pos) + (slab_array sc slab_region pos) ptr pos2 in if b then ( // deallocation success, slab no longer full - let cond = deallocate_slab_aux_cond size_class + let cond = deallocate_slab_aux_cond sc (md_bm_array md_bm_region pos) - (slab_array slab_region pos) in + (slab_array sc slab_region pos) in if cond then ( if enable_quarantine then ( - upd_and_pack_slab_starseq_quarantine size_class + upd_and_pack_slab_starseq_quarantine sc slab_region md_bm_region md_region md_count md_count_v md_region_lv pos; - deallocate_slab_aux_1_quarantine size_class + deallocate_slab_aux_1_quarantine sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b ) else ( - pack_slab_starseq size_class + pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv pos 0ul; - deallocate_slab_aux_1_empty size_class + deallocate_slab_aux_1_empty sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b ) ) else ( - pack_slab_starseq size_class + pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv pos 1ul; - deallocate_slab_aux_1_partial size_class + deallocate_slab_aux_1_partial sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b ) ) else ( - deallocate_slab_aux_1_fail size_class + deallocate_slab_aux_1_fail sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b @@ -1116,13 +1116,13 @@ let deallocate_slab_aux_1 // Slab moves from partial to empty inline_for_extraction noextract let deallocate_slab_aux_2_empty - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) @@ -1135,16 +1135,16 @@ let deallocate_slab_aux_2_empty (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -1168,8 +1168,8 @@ let deallocate_slab_aux_2_empty let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -1203,7 +1203,7 @@ let deallocate_slab_aux_2_empty assert (ALG.ptrs_all #AL.status (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) gs0 `FStar.FiniteSet.Base.equal` ALG.ptrs_all #AL.status (US.v pos) (US.v idx2') (US.v idx3) (US.v idx4) (US.v idx5) gs1); - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (G.hide (Seq.upd (G.reveal md_region_lv) (US.v pos) 0ul)) pos idx2' idx3 idx4 idx5 idx6 idx7 @@ -1212,13 +1212,13 @@ let deallocate_slab_aux_2_empty // Slab moves from partial to partial inline_for_extraction noextract let deallocate_slab_aux_2_partial - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{US.v pos < US.v md_count_v}) @@ -1231,16 +1231,16 @@ let deallocate_slab_aux_2_partial (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) - (f_lemma size_class slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) + (f_lemma sc slab_region md_bm_region md_count_v (G.reveal md_region_lv)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -1264,32 +1264,32 @@ let deallocate_slab_aux_2_partial let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 inline_for_extraction noextract let deallocate_slab_aux_2_fail (#opened:_) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) : SteelGhost unit opened ( - slab_vprop size_class - (slab_array slab_region pos) + slab_vprop sc + (slab_array sc slab_region pos) (md_bm_array md_bm_region pos) `star` (vptr md_count `star` A.varray r_idxs `star` @@ -1298,37 +1298,37 @@ let deallocate_slab_aux_2_fail (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) 0 (US.v pos)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (Seq.slice (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos + 1) (Seq.length (SeqUtils.init_us_refined (US.v md_count_v))))) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7) h0 in - let md_blob : t_of (slab_vprop size_class - (slab_array slab_region pos) + let md_blob : t_of (slab_vprop sc + (slab_array sc slab_region pos) (md_bm_array md_bm_region pos)) - = h0 (slab_vprop size_class - (slab_array slab_region pos) + = h0 (slab_vprop sc + (slab_array sc slab_region pos) (md_bm_array md_bm_region pos)) in let md : Seq.lseq U64.t 4 = dfst (fst md_blob) in let idxs0 = A.asel r_idxs h0 in - is_partial size_class md /\ + is_partial sc md /\ US.v md_count_v <> AL.null /\ sel md_count h0 == md_count_v /\ Seq.index idxs0 0 == idx1 /\ @@ -1346,27 +1346,27 @@ let deallocate_slab_aux_2_fail let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = - p_partial_pack size_class - (md_bm_array md_bm_region pos, slab_array slab_region pos) - (md_bm_array md_bm_region pos, slab_array slab_region pos); + p_partial_pack sc + (md_bm_array md_bm_region pos, slab_array sc slab_region pos) + (md_bm_array md_bm_region pos, slab_array sc slab_region pos); SeqUtils.init_us_refined_index (US.v md_count_v) (US.v pos); change_equal_slprop - (p_partial size_class (md_bm_array md_bm_region pos, slab_array slab_region pos)) - (f size_class slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))); + (p_partial sc (md_bm_array md_bm_region pos, slab_array sc slab_region pos)) + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))); starseq_pack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos); - pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 @@ -1375,13 +1375,13 @@ let deallocate_slab_aux_2_fail // Slab moves from partial to quarantine inline_for_extraction noextract let deallocate_slab_aux_2_quarantine - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{pos <> AL.null_ptr /\ US.v pos < US.v md_count_v}) @@ -1394,16 +1394,16 @@ let deallocate_slab_aux_2_quarantine (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul)) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun _ -> vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -1427,8 +1427,8 @@ let deallocate_slab_aux_2_quarantine let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = @@ -1437,7 +1437,7 @@ let deallocate_slab_aux_2_quarantine (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) in // Ensuring the quarantine is not full by dequeuing if needed - let idxs = update_quarantine2 size_class + let idxs = update_quarantine2 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 in @@ -1470,7 +1470,7 @@ let deallocate_slab_aux_2_quarantine assert (ALG.ptrs_all #AL.status (US.v idxs.x) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idxs.y) gs1 `FS.equal` ALG.ptrs_all #AL.status (US.v idxs.x) (US.v idx2') (US.v idx3) (US.v idx4) (US.v pos) gs2); - let md_region_lv' = update_quarantine3 size_class + let md_region_lv' = update_quarantine3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 4ul) @@ -1489,7 +1489,7 @@ let deallocate_slab_aux_2_quarantine let gs_idxs1 : G.erased (Seq.lseq US.t 7) = gget (A.varray r_idxs) in - (**) pack_3 size_class slab_region md_bm_region md_region md_count r_idxs + (**) pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv' idxs.x idx2' idx3 idx4 pos idxs'.x idxs'.y @@ -1501,17 +1501,17 @@ let deallocate_slab_aux_2_quarantine inline_for_extraction noextract let deallocate_slab_aux_2 (ptr: array U8.t) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (pos: US.t{US.v pos < US.v md_count_v}) - (pos2: US.t{US.v pos2 < U32.v page_size}) + (pos2: US.t{US.v pos2 < U32.v sc.slab_size}) : Steel bool ( A.varray ptr `star` @@ -1522,23 +1522,23 @@ let deallocate_slab_aux_2 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun b -> (if b then emp else A.varray ptr) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7) h0 in - let arr' = slab_array slab_region pos in + let arr' = slab_array sc slab_region pos in let diff = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr') in let idxs0 = A.asel r_idxs h0 in US.v md_count_v <> AL.null /\ @@ -1552,87 +1552,87 @@ let deallocate_slab_aux_2 Seq.index idxs0 6 == idx7 /\ same_base_array arr' ptr /\ 0 <= diff /\ - diff < U32.v page_size /\ - (diff % U32.v page_size) % U32.v size_class == 0 /\ + diff < U32.v sc.slab_size /\ + (diff % U32.v sc.slab_size) % U32.v sc.sc == 0 /\ US.v pos2 == diff /\ ALG.dataify gs0 `Seq.equal` G.reveal md_region_lv /\ ALG.partition #AL.status gs0 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) /\ Seq.index (G.reveal md_region_lv) (US.v pos) = 1ul /\ - A.length ptr == U32.v size_class + A.length ptr == U32.v sc.sc ) (ensures fun _ _ h1 -> let blob1 = h1 (vrefinedep (vptr md_count) - vrefinedep_prop - (left_vprop size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (left_vprop sc slab_region md_bm_region md_region r_idxs) ) in md_count_v == dfst blob1) = (**) starseq_unpack_s #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos); (**) SeqUtils.init_us_refined_index (US.v md_count_v) (US.v pos); (**) change_equal_slprop - (f size_class slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))) - (p_partial size_class (md_bm_array md_bm_region pos, slab_array slab_region pos)); - (**) p_partial_unpack size_class - (md_bm_array md_bm_region pos, slab_array slab_region pos) - (md_bm_array md_bm_region pos, slab_array slab_region pos); - let b = deallocate_slot size_class + (f sc slab_region md_bm_region md_count_v md_region_lv (Seq.index (SeqUtils.init_us_refined (US.v md_count_v)) (US.v pos))) + (p_partial sc (md_bm_array md_bm_region pos, slab_array sc slab_region pos)); + (**) p_partial_unpack sc + (md_bm_array md_bm_region pos, slab_array sc slab_region pos) + (md_bm_array md_bm_region pos, slab_array sc slab_region pos); + let b = deallocate_slot sc (md_bm_array md_bm_region pos) - (slab_array slab_region pos) + (slab_array sc slab_region pos) ptr pos2 in if b then ( // deallocation success, slab no longer full - let cond = deallocate_slab_aux_cond size_class + let cond = deallocate_slab_aux_cond sc (md_bm_array md_bm_region pos) - (slab_array slab_region pos) in + (slab_array sc slab_region pos) in if cond then ( if enable_quarantine then ( - upd_and_pack_slab_starseq_quarantine size_class + upd_and_pack_slab_starseq_quarantine sc slab_region md_bm_region md_region md_count md_count_v md_region_lv pos; - deallocate_slab_aux_2_quarantine size_class + deallocate_slab_aux_2_quarantine sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b ) else ( - (**) pack_slab_starseq size_class + (**) pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv pos 0ul; - deallocate_slab_aux_2_empty size_class + deallocate_slab_aux_2_empty sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b ) ) else ( - (**) pack_slab_starseq size_class + (**) pack_slab_starseq sc slab_region md_bm_region md_region md_count md_count_v md_region_lv pos 1ul; assert (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul `Seq.equal` md_region_lv); (**) starseq_weakening #_ #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v (Seq.upd (G.reveal md_region_lv) (US.v pos) 1ul)) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) (SeqUtils.init_us_refined (US.v md_count_v)); - deallocate_slab_aux_2_partial size_class + deallocate_slab_aux_2_partial sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b ) ) else ( - deallocate_slab_aux_2_fail size_class + deallocate_slab_aux_2_fail sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos; return b @@ -1644,13 +1644,13 @@ let deallocate_slab_aux_2 inline_for_extraction noextract let deallocate_slab_fail (ptr: array U8.t) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) : Steel bool @@ -1658,23 +1658,23 @@ let deallocate_slab_fail A.varray ptr `star` vptr md_count `star` A.varray r_idxs `star` - right_vprop slab_region md_bm_region md_region md_count_v `star` + right_vprop sc slab_region md_bm_region md_region md_count_v `star` (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun b -> (if b then emp else A.varray ptr) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -1696,13 +1696,13 @@ let deallocate_slab_fail (ensures fun _ _ _ -> True) = let b = false in - pack_3 size_class + pack_3 sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7; pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; change_equal_slprop (A.varray ptr) @@ -1713,13 +1713,13 @@ let deallocate_slab_fail inline_for_extraction noextract let deallocate_slab' (ptr: array U8.t) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) (r_idxs: array US.t{A.length r_idxs = 7}) - (md_count_v: US.t{US.v md_count_v <= US.v metadata_max}) + (md_count_v: US.t{US.v md_count_v <= US.v sc.md_max}) (md_region_lv: G.erased (Seq.lseq AL.status (US.v md_count_v))) (idx1 idx2 idx3 idx4 idx5 idx6 idx7: US.t) (diff: US.t) @@ -1728,23 +1728,23 @@ let deallocate_slab' A.varray ptr `star` vptr md_count `star` A.varray r_idxs `star` - right_vprop slab_region md_bm_region md_region md_count_v `star` + right_vprop sc slab_region md_bm_region md_region md_count_v `star` (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7)) `star` starseq #(pos:US.t{US.v pos < US.v md_count_v}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v md_region_lv) - (f_lemma size_class slab_region md_bm_region md_count_v md_region_lv) + #(t sc) + (f sc slab_region md_bm_region md_count_v md_region_lv) + (f_lemma sc slab_region md_bm_region md_count_v md_region_lv) (SeqUtils.init_us_refined (US.v md_count_v)) ) (fun b -> (if b then emp else A.varray ptr) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun h0 -> let gs0 = AL.v_arraylist pred1 pred2 pred3 pred4 pred5 @@ -1762,27 +1762,27 @@ let deallocate_slab' Seq.index idxs0 5 == idx6 /\ Seq.index idxs0 6 == idx7 /\ 0 <= diff' /\ - (diff' % U32.v page_size) % U32.v size_class == 0 /\ - //UP.v diff < US.v metadata_max * U32.v page_size /\ + (diff' % U32.v sc.slab_size) % U32.v sc.sc == 0 /\ + //UP.v diff < US.v metadata_max * U32.v sc.slab_size /\ US.v diff == diff' /\ same_base_array ptr slab_region /\ ALG.dataify gs0 `Seq.equal` G.reveal md_region_lv /\ ALG.partition #AL.status gs0 (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) /\ - A.length ptr == U32.v size_class + A.length ptr == U32.v sc.sc ) (ensures fun _ _ _ -> True) = //let diff_sz = UP.ptrdifft_to_sizet diff in assert_norm (4 < FI.max_int 16); - let pos = US.div diff (u32_to_sz page_size) in - let pos2 = US.rem diff (u32_to_sz page_size) in - // check diff/page_size < md_count + let pos = US.div diff (u32_to_sz sc.slab_size) in + let pos2 = US.rem diff (u32_to_sz sc.slab_size) in + // check diff/sc.slab_size < md_count if US.lt pos md_count_v then ( A.ptr_shift_zero (A.ptr_of slab_region); - let r = slab_array slab_region pos in - assert (same_base_array ptr (slab_array slab_region pos)); - assert (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (slab_array slab_region pos)) >= 0); - assert (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (slab_array slab_region pos)) < U32.v page_size); + let r = slab_array sc slab_region pos in + assert (same_base_array ptr (slab_array sc slab_region pos)); + assert (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (slab_array sc slab_region pos)) >= 0); + assert (A.offset (A.ptr_of ptr) - A.offset (A.ptr_of (slab_array sc slab_region pos)) < U32.v sc.slab_size); // selector equality propagation let gs0 = gget (AL.varraylist pred1 pred2 pred3 pred4 pred5 (A.split_l md_region md_count_v) @@ -1792,31 +1792,31 @@ let deallocate_slab' (A.split_l md_region md_count_v) (US.v idx1) (US.v idx2) (US.v idx3) (US.v idx4) (US.v idx5) (US.v idx6) (US.v idx7) pos in if (U32.eq status1 2ul) then ( - let b = deallocate_slab_aux_1 ptr size_class + let b = deallocate_slab_aux_1 ptr sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos pos2 in pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; return b ) else if (U32.eq status1 1ul) then ( - let b = deallocate_slab_aux_2 ptr size_class + let b = deallocate_slab_aux_2 ptr sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 pos pos2 in pack_right_and_refactor_vrefine_dep - size_class slab_region md_bm_region md_region md_count + sc slab_region md_bm_region md_region md_count r_idxs md_count_v; return b ) else ( - deallocate_slab_fail ptr size_class + deallocate_slab_fail ptr sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 ) ) else ( - deallocate_slab_fail ptr size_class + deallocate_slab_fail ptr sc slab_region md_bm_region md_region md_count r_idxs md_count_v md_region_lv idx1 idx2 idx3 idx4 idx5 idx6 idx7 @@ -1827,8 +1827,8 @@ let deallocate_slab' #push-options "--compat_pre_typed_indexed_effects --z3rlimit 300" let deallocate_slab (ptr: array U8.t) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) @@ -1839,51 +1839,51 @@ let deallocate_slab A.varray ptr `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (fun b -> (if b then emp else A.varray ptr) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun _ -> let diff' = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of slab_region) in 0 <= diff' /\ - (diff' % U32.v page_size) % U32.v size_class == 0 /\ + (diff' % U32.v sc.slab_size) % U32.v sc.sc == 0 /\ US.v diff_ == diff' /\ same_base_array ptr slab_region /\ - A.length ptr == U32.v size_class) + A.length ptr == U32.v sc.sc) (ensures fun _ _ _ -> True) = let md_count_v : G.erased _ = elim_vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) in + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) in let md_count_v_ = read md_count in change_equal_slprop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs (G.reveal md_count_v)) - (left_vprop size_class slab_region md_bm_region md_region + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs (G.reveal md_count_v)) + (left_vprop sc slab_region md_bm_region md_region r_idxs md_count_v_ `star` - right_vprop slab_region md_bm_region md_region md_count_v_); + right_vprop sc slab_region md_bm_region md_region md_count_v_); change_equal_slprop - (left_vprop size_class slab_region md_bm_region md_region + (left_vprop sc slab_region md_bm_region md_region r_idxs md_count_v_) (left_vprop1 md_region r_idxs md_count_v_ `vdep` - left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v_); + left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v_); let x : G.erased _ = elim_vdep (left_vprop1 md_region r_idxs md_count_v_) - (left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v_) in + (left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v_) in let idxs : G.erased _ @@ -1952,18 +1952,18 @@ let deallocate_slab // NOT OK change_equal_slprop - (left_vprop2 size_class slab_region md_bm_region md_region r_idxs md_count_v_ x) - (left_vprop2_aux size_class slab_region md_bm_region md_count_v_ x'); + (left_vprop2 sc slab_region md_bm_region md_region r_idxs md_count_v_ x) + (left_vprop2_aux sc slab_region md_bm_region md_count_v_ x'); change_equal_slprop - (left_vprop2_aux size_class slab_region md_bm_region md_count_v_ x') + (left_vprop2_aux sc slab_region md_bm_region md_count_v_ x') (starseq #(pos:US.t{US.v pos < US.v md_count_v_}) - #(t size_class) - (f size_class slab_region md_bm_region md_count_v_ x') - (f_lemma size_class slab_region md_bm_region md_count_v_ x') + #(t sc) + (f sc slab_region md_bm_region md_count_v_ x') + (f_lemma sc slab_region md_bm_region md_count_v_ x') (SeqUtils.init_us_refined (US.v md_count_v_))); - let b : bool = deallocate_slab' ptr size_class + let b : bool = deallocate_slab' ptr sc slab_region md_bm_region md_region md_count r_idxs md_count_v_ x' idx1_ idx2_ idx3_ idx4_ idx5_ idx6_ idx7_ diff_ in return b diff --git a/src/SlabsFree.fsti b/src/SlabsFree.fsti index 8a1bcd40..4c4fe361 100644 --- a/src/SlabsFree.fsti +++ b/src/SlabsFree.fsti @@ -23,8 +23,8 @@ include SlabsCommon val deallocate_slab (ptr: array U8.t) - (size_class: sc) - (slab_region: array U8.t{A.length slab_region = US.v metadata_max * U32.v page_size}) + (sc: sc_full) + (slab_region: array U8.t{A.length slab_region = US.v sc.md_max * U32.v sc.slab_size}) (md_bm_region: array U64.t{A.length md_bm_region = US.v metadata_max * 4}) (md_region: array AL.cell{A.length md_region = US.v metadata_max}) (md_count: ref US.t) @@ -35,24 +35,24 @@ val deallocate_slab A.varray ptr `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (fun b -> (if b then emp else A.varray ptr) `star` vrefinedep (vptr md_count) - vrefinedep_prop - (size_class_vprop_aux size_class slab_region md_bm_region md_region r_idxs) + (vrefinedep_prop sc) + (size_class_vprop_aux sc slab_region md_bm_region md_region r_idxs) ) (requires fun _ -> let diff' = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of slab_region) in same_base_array ptr slab_region /\ US.v diff_ = diff' /\ 0 <= diff' /\ - (diff' % U32.v page_size) % U32.v size_class == 0 /\ + (diff' % U32.v sc.slab_size) % U32.v sc.sc == 0 /\ //diff' < US.v metadata_max * U32.v page_size /\ //diff' % U32.v size_class = 0 /\ - A.length ptr == U32.v size_class + A.length ptr == U32.v sc.sc ) (ensures fun _ _ _ -> True) diff --git a/src/SlotsAlloc.fst b/src/SlotsAlloc.fst index 4b7beb43..bf337ec3 100644 --- a/src/SlotsAlloc.fst +++ b/src/SlotsAlloc.fst @@ -27,36 +27,35 @@ open SteelStarSeqUtils #push-options "--fuel 0 --ifuel 0" #push-options "--z3rlimit 50" -let slot_array (size_class: sc) (arr: array U8.t) (pos: U32.t) +let slot_array (size_class: sc_full) + (arr: array U8.t) (pos: U32.t) : Pure (array U8.t) (requires U32.v pos < U32.v (nb_slots size_class) /\ A.length arr >= US.v (rounding size_class)) (ensures fun r -> - A.length r == U32.v size_class /\ + A.length r == U32.v size_class.sc /\ same_base_array r arr /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) >= 0 /\ - A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v page_size /\ - (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class) == 0 + A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v size_class.slab_size /\ + (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class.sc) == 0 ) = let ptr = A.ptr_of arr in - let shift = U32.mul pos size_class in - Math.Lemmas.cancel_mul_mod (U32.v pos) (U32.v size_class); - assert (U32.v shift % U32.v size_class == 0); + let shift = U32.mul pos size_class.sc in + Math.Lemmas.cancel_mul_mod (U32.v pos) (U32.v size_class.sc); + assert (U32.v shift % U32.v size_class.sc == 0); nb_slots_correct size_class pos; - assert (U32.v shift <= U32.v page_size); - assert_norm (U32.v shift <= FI.max_int U16.n); - assert (U32.v shift <= FI.max_int U16.n); + assert (U32.v shift <= U32.v size_class.slab_size); let shift_size_t = US.uint32_to_sizet shift in assert (US.v shift_size_t < A.length arr); - assert (US.v shift_size_t % U32.v size_class == 0); + assert (US.v shift_size_t % U32.v size_class.sc == 0); let ptr_shifted = A.ptr_shift ptr shift_size_t in - (| ptr_shifted, G.hide (U32.v size_class) |) + (| ptr_shifted, G.hide (U32.v size_class.sc) |) #pop-options let slot_vprop - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) = @@ -64,17 +63,17 @@ let slot_vprop #push-options "--fuel 1 --ifuel 1" let slot_vprop_lemma - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) : Lemma - (t_of (slot_vprop size_class arr pos) == Seq.lseq U8.t (U32.v size_class)) + (t_of (slot_vprop size_class arr pos) == Seq.lseq U8.t (U32.v size_class.sc)) = () #pop-options let slab_vprop_aux_f - (size_class: sc) + (size_class: sc_full) (md_as_seq: Seq.lseq U64.t 4) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (i: U32.t{U32.v i < U32.v (nb_slots size_class)}) @@ -82,27 +81,27 @@ let slab_vprop_aux_f = let vp = slot_vprop size_class arr i in slot_vprop_lemma size_class arr i; - c2 #(Seq.lseq U8.t (U32.v size_class)) (not (Bitmap4.get md_as_seq i)) vp + c2 #(Seq.lseq U8.t (U32.v size_class.sc)) (not (Bitmap4.get md_as_seq i)) vp #push-options "--fuel 1 --ifuel 1" let slab_vprop_aux_f_lemma - (size_class: sc) + (size_class: sc_full) (md_as_seq: Seq.lseq U64.t 4) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) : (i: U32.t{U32.v i < U32.v (nb_slots size_class)}) -> Lemma ( t_of (slab_vprop_aux_f size_class md_as_seq arr i) == - option (Seq.lseq U8.t (U32.v size_class))) + option (Seq.lseq U8.t (U32.v size_class.sc))) = fun i -> let vp = slot_vprop size_class arr i in slot_vprop_lemma size_class arr i; - c2_t #(Seq.lseq U8.t (U32.v size_class)) (Bitmap4.get md_as_seq i) vp + c2_t #(Seq.lseq U8.t (U32.v size_class.sc)) (Bitmap4.get md_as_seq i) vp #pop-options let slab_vprop_aux - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (md_as_seq: Seq.lseq U64.t 4) : vprop @@ -111,20 +110,20 @@ let slab_vprop_aux let incr_seq = SeqUtils.init_u32_refined nb_slots_as_nat in starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) incr_seq #push-options "--fuel 1 --ifuel 1" let slab_vprop_aux_lemma - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (md_as_seq: Seq.lseq U64.t 4) : Lemma (t_of (slab_vprop_aux size_class arr md_as_seq) == - Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) (U32.v (nb_slots size_class)) + Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) (U32.v (nb_slots size_class)) ) = assert (Seq.length (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) == U32.v (nb_slots size_class)); @@ -132,7 +131,7 @@ let slab_vprop_aux_lemma #pop-options let slab_vprop_aux2 - (size_class: sc) + (size_class: sc_full) (md_as_seq: Seq.lseq U64.t 4) : prop = @@ -149,8 +148,8 @@ open SteelVRefineDep #push-options "--fuel 1 --ifuel 1" let slab_vprop - (size_class: sc) - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) (md: slab_metadata) = vrefinedep @@ -163,8 +162,8 @@ let slab_vprop #push-options "--fuel 1 --ifuel 1" let slab_vprop_lemma_aux - (size_class: sc) - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) (md: slab_metadata) : Lemma (t_of (vrefinedep @@ -175,7 +174,10 @@ let slab_vprop_lemma_aux == dtuple2 (x:Seq.lseq U64.t 4{slab_vprop_aux2 size_class x}) - (fun _ -> Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) (U32.v (nb_slots size_class))) + (fun _ -> Seq.lseq + (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) + (U32.v (nb_slots size_class)) + ) ) = let aux (n1 n2:nat) (p:Seq.lseq U64.t n1 -> prop) : Lemma @@ -198,37 +200,38 @@ let slab_vprop_lemma_aux == dtuple2 (x:Seq.lseq U64.t (A.length md){slab_vprop_aux2 size_class x}) - (fun _ -> Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) + (fun _ -> Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) (Seq.length (SeqUtils.init_u32_refined (UInt32.v (nb_slots size_class))))) ); aux (A.length md) 4 (slab_vprop_aux2 size_class); aux2 (x:Seq.lseq U64.t (A.length md){slab_vprop_aux2 size_class x}) (x:Seq.lseq U64.t 4{slab_vprop_aux2 size_class x}) - (Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) + (Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) (Seq.length (SeqUtils.init_u32_refined (UInt32.v (nb_slots size_class))))) - (Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) + (Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) (U32.v (nb_slots size_class))) #pop-options #push-options "--fuel 1 --ifuel 1" let slab_vprop_lemma - (size_class: sc) - (arr: array U8.t{A.length arr = U32.v page_size}) + (size_class: sc_full) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) (md: slab_metadata) : Lemma (t_of (slab_vprop size_class arr md) == dtuple2 (x:Seq.lseq U64.t 4{slab_vprop_aux2 size_class x}) - (fun _ -> Seq.lseq (G.erased (option (Seq.lseq U8.t (U32.v size_class)))) (U32.v (nb_slots size_class))) + (fun _ -> Seq.lseq + (G.erased (option (Seq.lseq U8.t (U32.v size_class.sc)))) (U32.v (nb_slots size_class))) & - Seq.lseq U8.t (U32.v page_size - US.v (rounding size_class)) + Seq.lseq U8.t (U32.v size_class.slab_size - US.v (rounding size_class)) ) = slab_vprop_lemma_aux size_class arr md; - assert(A.length (A.split_r arr (rounding size_class)) == U32.v page_size - US.v (rounding size_class)); - assert(t_of (A.varray (A.split_r arr (rounding size_class))) == Seq.lseq U8.t (U32.v page_size - US.v (rounding size_class))) + assert(A.length (A.split_r arr (rounding size_class)) == U32.v size_class.slab_size - US.v (rounding size_class)); + assert(t_of (A.varray (A.split_r arr (rounding size_class))) == Seq.lseq U8.t (U32.v size_class.slab_size - US.v (rounding size_class))) #pop-options //[@@ __steel_reduce__] @@ -266,7 +269,7 @@ let f_invol (#n: nat) //TODO: move to Bitmap5/BitmapUtils let equiv_get_a2bv_index - (size_class: sc) + (size_class: sc_full) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (k:nat{k < U32.v (nb_slots size_class)}) : Lemma @@ -286,7 +289,7 @@ let equiv_get_a2bv_index () let starseq_upd_aux_lemma1_aux - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) (md_as_seq2: G.erased (Seq.lseq U64.t 4)) @@ -326,7 +329,7 @@ let starseq_upd_aux_lemma1_aux assert (Seq.index (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) k = U32.uint_to_t k) let starseq_upd_aux_lemma1 - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) (md_as_seq2: G.erased (Seq.lseq U64.t 4)) @@ -359,7 +362,7 @@ let starseq_upd_aux_lemma1 )) let starseq_upd_aux_lemma2 - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) (md_as_seq2: G.erased (Seq.lseq U64.t 4)) @@ -378,7 +381,7 @@ let starseq_upd_aux_lemma2 (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) (U32.v pos))) == - none_as_emp #(Seq.lseq U8.t (U32.v size_class)) + none_as_emp #(Seq.lseq U8.t (U32.v size_class.sc)) ) = let bm2 = a2bv (G.reveal md_as_seq2) in @@ -391,7 +394,7 @@ let starseq_upd_aux_lemma2 assert (Bitmap4.get md_as_seq2 pos = true) let apply_starseq_upd (#opened:_) - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) (md_as_seq2: G.erased (Seq.lseq U64.t 4)) @@ -401,7 +404,7 @@ let apply_starseq_upd (#opened:_) ( starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -415,7 +418,7 @@ let apply_starseq_upd (#opened:_) (U32.v pos)) `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq2 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -428,28 +431,28 @@ let apply_starseq_upd (#opened:_) (ensures fun h0 _ h1 -> v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0; v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq2 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h1; let v1 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0 in let v2 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq2 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -463,7 +466,7 @@ let apply_starseq_upd (#opened:_) starseq_upd3 #_ #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(Seq.lseq U8.t (U32.v size_class)) + #(Seq.lseq U8.t (U32.v size_class.sc)) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) @@ -474,7 +477,7 @@ let apply_starseq_upd (#opened:_) #push-options "--fuel 1 --ifuel 1" let starseq_upd_aux_lemma3 - (size_class: sc) + (size_class: sc_full) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) @@ -489,7 +492,7 @@ let starseq_upd_aux_lemma3 (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) (U32.v pos))) == - some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos) + some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos) ) = let bm = a2bv (G.reveal md_as_seq) in @@ -504,7 +507,7 @@ let starseq_upd_aux_lemma3 #push-options "--fuel 1 --ifuel 1" let get_slot_as_returned_value - (size_class: sc) + (size_class: sc_full) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) @@ -518,11 +521,11 @@ let get_slot_as_returned_value let bm = a2bv md_as_seq in Seq.index bm (Bitmap5.f #4 (U32.v pos)) = false) (ensures fun h0 r h1 -> - A.length r == U32.v size_class /\ + A.length r == U32.v size_class.sc /\ same_base_array r arr /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) >= 0 /\ - A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v page_size /\ - (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class) == 0 + A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v size_class.slab_size /\ + (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class.sc) == 0 ) = starseq_upd_aux_lemma3 size_class (G.reveal md_as_seq) arr pos; @@ -531,19 +534,19 @@ let get_slot_as_returned_value (Seq.index (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) (U32.v pos))) - (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos)) + (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos)) (fun x y -> x == y) (fun _ -> ()); let r = slot_array size_class arr pos in change_slprop_rel - (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos)) + (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos)) (A.varray r) (fun - (x: t_of (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos))) + (x: t_of (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos))) (y: t_of (A.varray r)) -> - let x' : option (Seq.lseq U8.t (U32.v size_class)) = x in - let y' : Seq.lseq U8.t (U32.v size_class) = y in + let x' : option (Seq.lseq U8.t (U32.v size_class.sc)) = x in + let y' : Seq.lseq U8.t (U32.v size_class.sc) = y in x' == Some y') (fun _ -> ()); return r @@ -551,7 +554,7 @@ let get_slot_as_returned_value noextract inline_for_extraction let allocate_slot_aux - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) @@ -561,7 +564,7 @@ let allocate_slot_aux A.varray md `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -572,7 +575,7 @@ let allocate_slot_aux A.varray r `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -586,28 +589,28 @@ let allocate_slot_aux (ensures fun h0 r h1 -> v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0; v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h1; let blob1 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0 in let blob2 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -616,11 +619,11 @@ let allocate_slot_aux let v2 = A.asel md h1 in //let idx = Bitmap5.f #4 (U32.v pos) in v2 == Bitmap4.set v1 pos /\ - A.length r == U32.v size_class /\ + A.length r == U32.v size_class.sc /\ same_base_array r arr /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) >= 0 /\ - A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v page_size /\ - (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class) == 0 + A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v size_class.slab_size /\ + (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class.sc) == 0 ) //blob2 == Seq.upd blob1 (U32.v pos) None /\ = @@ -655,7 +658,7 @@ let f_lemma (#n: nat) #push-options "--z3rlimit 50" inline_for_extraction noextract let get_free_slot_aux - (size_class: sc) + (size_class: sc_full) (bitmap: slab_metadata) (i: U32.t) : Steel U32.t @@ -703,7 +706,7 @@ let get_free_slot_aux #push-options "--z3rlimit 50" inline_for_extraction noextract let get_free_slot_aux2 - (size_class: sc) + (size_class: sc_full) (bitmap: slab_metadata) : Steel U32.t (A.varray bitmap) @@ -741,7 +744,7 @@ let get_free_slot_aux2 r #pop-options -let get_free_slot (size_class: sc) (bitmap: slab_metadata) +let get_free_slot (size_class: sc_full) (bitmap: slab_metadata) : Steel U32.t (A.varray bitmap) (fun _ -> A.varray bitmap) @@ -786,9 +789,9 @@ let get_free_slot (size_class: sc) (bitmap: slab_metadata) #push-options "--fuel 1 --ifuel 1" let elim_slab_vprop_aux - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) (m: SM.mem) : Lemma (requires SM.interp (hp_of ( @@ -817,10 +820,10 @@ let elim_slab_vprop_aux #push-options "--fuel 2 --ifuel 2 --z3rlimit 30" let intro_slab_vprop (#opened:_) - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq: G.erased (Seq.lseq U64.t 4)) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : SteelGhost unit opened ( slab_vprop_aux size_class (A.split_l arr (rounding size_class)) (G.reveal md_as_seq) `star` @@ -860,9 +863,9 @@ let intro_slab_vprop (#opened:_) // this fails in lax mode #push-options "--fuel 2 --ifuel 2 --z3rlimit 30 --compat_pre_typed_indexed_effects" let elim_slab_vprop (#opened:_) - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : SteelGhost (G.erased (Seq.lseq U64.t 4)) opened (slab_vprop size_class arr md) (fun r -> @@ -912,9 +915,9 @@ let elim_slab_vprop (#opened:_) md_as_seq2 #pop-options -#push-options "--z3rlimit 150" +#push-options "--z3rlimit 150 --fuel 1 --ifuel 1" let bound2_inv - (size_class: sc) + (size_class: sc_full) (md_as_seq: Seq.lseq U64.t 4) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) : Lemma @@ -933,13 +936,13 @@ let bound2_inv let md_as_seq' = Bitmap4.set md_as_seq pos in let bm' = Bitmap4.array_to_bv2 md_as_seq' in let nb_slots_sc_rem = U32.rem nb_slots_sc 64ul in - if (U32.v size_class <= 64) + if (U32.v nb_slots_sc >= 64) then ( - assert (size_class = 16ul \/ size_class = 32ul \/ size_class = 64ul); - assert (U32.v nb_slots_sc_rem = 0); + let x = U32.v size_class.sc in + let y = U32.v size_class.slab_size in + assert (x == y/256 \/ x == y/128 \/ x == y/64); Seq.lemma_empty (Seq.slice bm' 0 (64 - U32.v bound2)) ) else ( - assert (U32.v size_class > 64); assert (U32.v nb_slots_sc < 64); assert (nb_slots_sc_rem = nb_slots_sc); let idx = Bitmap4.f #4 (U32.v pos) in @@ -954,9 +957,9 @@ let bound2_inv #push-options "--fuel 1 --ifuel 1 --z3rlimit 100" let allocate_slot - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) : Steel (array U8.t) (slab_vprop size_class arr md) (fun r -> A.varray r `star` slab_vprop size_class arr md) @@ -973,11 +976,11 @@ let allocate_slot let v0 : Seq.lseq U64.t 4 = dfst (fst blob0) in let v1 : Seq.lseq U64.t 4 = dfst (fst blob1) in not (is_empty size_class v1) /\ - A.length r == U32.v size_class /\ + A.length r == U32.v size_class.sc /\ same_base_array r arr /\ A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) >= 0 /\ - A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v page_size /\ - (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class) == 0 + A.offset (A.ptr_of r) - A.offset (A.ptr_of arr) < U32.v size_class.slab_size /\ + (A.offset (A.ptr_of r) - A.offset (A.ptr_of arr)) % (U32.v size_class.sc) == 0 ) //U32.v (G.reveal (snd r)) < U64.n * 4 /\ //v1 == Bitmap4.set v0 (G.reveal (snd r))) diff --git a/src/SlotsFree.fst b/src/SlotsFree.fst index 037779db..3f666132 100644 --- a/src/SlotsFree.fst +++ b/src/SlotsFree.fst @@ -27,7 +27,7 @@ open FStar.Mul open SlotsAlloc let apply_starseq_upd2 (#opened:_) - (size_class: sc) + (size_class: sc_full) //TODO: remove (md: slab_metadata) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) @@ -42,7 +42,7 @@ let apply_starseq_upd2 (#opened:_) (U32.v pos)) `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -50,7 +50,7 @@ let apply_starseq_upd2 (#opened:_) (fun _ -> starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq2 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -63,14 +63,14 @@ let apply_starseq_upd2 (#opened:_) (ensures fun h0 _ h1 -> v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0; v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq2 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -81,14 +81,14 @@ let apply_starseq_upd2 (#opened:_) (U32.v pos)); let v1 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0 in let v2 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq2 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -121,7 +121,7 @@ let apply_starseq_upd2 (#opened:_) starseq_upd4 #_ #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(Seq.lseq U8.t (U32.v size_class)) + #(Seq.lseq U8.t (U32.v size_class.sc)) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f size_class md_as_seq2 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) @@ -132,7 +132,7 @@ let apply_starseq_upd2 (#opened:_) noextract inline_for_extraction let deallocate_slot_aux - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) @@ -146,7 +146,7 @@ let deallocate_slot_aux A.varray md `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -155,7 +155,7 @@ let deallocate_slot_aux A.varray md `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -169,28 +169,28 @@ let deallocate_slot_aux (ensures fun h0 _ h1 -> v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0; v_starseq_len #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h1; let blob1 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) h0 in let blob2 = v_starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -227,7 +227,7 @@ let deallocate_slot_aux // that is, A.split_r arr (rounding size_class) #push-options "--z3rlimit 100 --fuel 0 --ifuel 0" let deallocate_slot_aux0 - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (ptr: array U8.t) (diff: U32.t) @@ -236,7 +236,7 @@ let deallocate_slot_aux0 let diff2 = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr) in same_base_array arr ptr /\ 0 <= diff2 /\ - diff2 <= U32.v page_size /\ + diff2 <= U32.v size_class.slab_size /\ U32.v diff == diff2 )) (ensures @@ -249,7 +249,7 @@ let deallocate_slot_aux0 US.lt diff_sz (rounding size_class) let deallocate_slot_aux_lemma - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (ptr: array U8.t) (diff: nat) @@ -259,23 +259,23 @@ let deallocate_slot_aux_lemma same_base_array arr ptr /\ 0 <= diff2 /\ diff2 < US.v (rounding size_class) /\ - diff2 % (U32.v size_class) = 0 /\ + diff2 % (U32.v size_class.sc) = 0 /\ diff == diff2 )) (ensures ( - let r = diff / (U32.v size_class) in + let r = diff / (U32.v size_class.sc) in r < U32.v (nb_slots size_class) )) = let x = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr) in let y = US.v (rounding size_class) in - assert (x % (U32.v size_class) == 0); - Math.Lemmas.cancel_mul_mod (U32.v (nb_slots size_class)) (U32.v size_class); - assert (y % (U32.v size_class) == 0); + assert (x % (U32.v size_class.sc) == 0); + Math.Lemmas.cancel_mul_mod (U32.v (nb_slots size_class)) (U32.v size_class.sc); + assert (y % (U32.v size_class.sc) == 0); assert (x < y) let deallocate_slot_aux1 - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (ptr: array U8.t) (diff: U32.t) @@ -285,36 +285,36 @@ let deallocate_slot_aux1 same_base_array arr ptr /\ 0 <= diff2 /\ diff2 < US.v (rounding size_class) /\ - diff2 % (U32.v size_class) = 0 /\ + diff2 % (U32.v size_class.sc) = 0 /\ U32.v diff == diff2 )) (ensures fun r -> let diff = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr) in - U32.v r = diff / (U32.v size_class) /\ + U32.v r = diff / (U32.v size_class.sc) /\ U32.v r < U32.v (nb_slots size_class) /\ U32.v r < U64.n * 4) = deallocate_slot_aux_lemma size_class arr ptr (U32.v diff); - let div = U32.div diff size_class in + let div = U32.div diff size_class.sc in div -let slot_array_offset_lemma (size_class: sc) (arr: array U8.t) (pos: U32.t) +let slot_array_offset_lemma (size_class: sc_full) (arr: array U8.t) (pos: U32.t) : Lemma (requires U32.v pos < U32.v (nb_slots size_class) /\ A.length arr = US.v (rounding size_class)) (ensures - U32.v (U32.mul pos size_class) + U32.v (U32.mul pos size_class.sc) == A.offset (A.ptr_of (slot_array size_class arr pos)) - A.offset (A.ptr_of arr) ) = let ptr = A.ptr_of arr in - let shift = U32.mul pos size_class in + let shift = U32.mul pos size_class.sc in nb_slots_correct size_class pos; - assert (U32.v shift <= U32.v page_size); - assert_norm (U32.v shift <= FI.max_int U16.n); - assert (U32.v shift <= FI.max_int U16.n); + //assert (U32.v shift <= U32.v page_size); + //assert_norm (U32.v shift <= FI.max_int U16.n); + //assert (U32.v shift <= FI.max_int U16.n); let shift_size_t = US.uint32_to_sizet shift in assert (US.v shift_size_t < A.length arr); let ptr_shifted = A.ptr_shift ptr shift_size_t in @@ -322,7 +322,7 @@ let slot_array_offset_lemma (size_class: sc) (arr: array U8.t) (pos: U32.t) () let deallocate_slot_aux2 - (size_class: sc) + (size_class: sc_full) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (ptr: array U8.t) : Lemma @@ -331,22 +331,22 @@ let deallocate_slot_aux2 same_base_array arr ptr /\ 0 <= diff /\ diff < US.v (rounding size_class) /\ - diff % (U32.v size_class) == 0 /\ - A.length ptr == U32.v size_class + diff % (U32.v size_class.sc) == 0 /\ + A.length ptr == U32.v size_class.sc )) (ensures ( let diff = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr) in - let pos = diff / U32.v size_class in + let pos = diff / U32.v size_class.sc in pos < U32.v (nb_slots size_class) /\ ptr == slot_array size_class arr (U32.uint_to_t pos) )) = let diff = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr) in - let pos = diff / (U32.v size_class) in - let rem = diff % (U32.v size_class) in + let pos = diff / (U32.v size_class.sc) in + let rem = diff % (U32.v size_class.sc) in assert (rem = 0); - assert (diff = pos * (U32.v size_class)); - assert (nb_slots size_class = U32.div page_size size_class); + assert (diff = pos * (U32.v size_class.sc)); + assert (nb_slots size_class = U32.div size_class.slab_size size_class.sc); deallocate_slot_aux_lemma size_class arr ptr diff; assert (pos < U32.v (nb_slots size_class)); slot_array_offset_lemma size_class arr (U32.uint_to_t pos); @@ -360,7 +360,7 @@ let deallocate_slot_aux2 #push-options "--z3rlimit 50" let deallocate_slot'_aux0 (#opened:_) - (size_class: sc) + (size_class: sc_full) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) @@ -387,13 +387,13 @@ let deallocate_slot'_aux0 (fun _ -> ()); change_slprop_rel (A.varray (slot_array size_class arr pos)) - (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos)) + (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos)) (fun (x: t_of (A.varray (slot_array size_class arr pos))) - (y: t_of (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos))) + (y: t_of (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos))) -> - let x' : Seq.lseq U8.t (U32.v size_class) = x in - let y' : option (Seq.lseq U8.t (U32.v size_class)) = y in + let x' : Seq.lseq U8.t (U32.v size_class.sc) = x in + let y' : option (Seq.lseq U8.t (U32.v size_class.sc)) = y in y' == Some x') (fun _ -> ()); starseq_upd_aux_lemma3 size_class (G.reveal md_as_seq) arr pos; @@ -403,7 +403,7 @@ let deallocate_slot'_aux0 (U32.v pos) == pos); assert (Bitmap4.get (G.reveal md_as_seq) pos = false); assert ( - (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos)) + (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos)) == ((slab_vprop_aux_f size_class (G.reveal md_as_seq) arr) (Seq.index @@ -411,14 +411,14 @@ let deallocate_slot'_aux0 (U32.v pos))) ); change_equal_slprop - (some_as_vp #(Seq.lseq U8.t (U32.v size_class)) (slot_vprop size_class arr pos)) + (some_as_vp #(Seq.lseq U8.t (U32.v size_class.sc)) (slot_vprop size_class arr pos)) ((slab_vprop_aux_f size_class (G.reveal md_as_seq) arr) (Seq.index (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) (U32.v pos))) let set_unset_bij - (size_class: sc) + (size_class: sc_full) (md_as_seq1 md_as_seq2: Seq.lseq U64.t 4) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) : Lemma @@ -445,7 +445,7 @@ let set_unset_bij (Bitmap4.unset md_as_seq2 pos) let unset_set_bij - (size_class: sc) + (size_class: sc_full) (md_as_seq1 md_as_seq2: Seq.lseq U64.t 4) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) : Lemma @@ -473,7 +473,7 @@ let unset_set_bij let deallocate_slot'_aux1 (#opened: _) - (size_class: sc) + (size_class: sc_full) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) (md_as_seq2: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) @@ -482,7 +482,7 @@ let deallocate_slot'_aux1 ( starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -490,7 +490,7 @@ let deallocate_slot'_aux1 (fun _ -> starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq2 pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.set md_as_seq2 pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -508,7 +508,7 @@ let deallocate_slot'_aux1 starseq_weakening #_ #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f size_class (Bitmap4.set md_as_seq2 pos) arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) @@ -518,7 +518,7 @@ let deallocate_slot'_aux1 let deallocate_slot'_aux2 (#opened: _) - (size_class: sc) + (size_class: sc_full) (md_as_seq1: G.erased (Seq.lseq U64.t 4)) (md_as_seq2: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) @@ -527,7 +527,7 @@ let deallocate_slot'_aux2 ( starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -535,7 +535,7 @@ let deallocate_slot'_aux2 (fun _ -> starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.unset md_as_seq2 pos) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.unset md_as_seq2 pos) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -553,7 +553,7 @@ let deallocate_slot'_aux2 starseq_weakening #_ #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq1 arr) (slab_vprop_aux_f size_class (Bitmap4.unset md_as_seq2 pos) arr) (slab_vprop_aux_f_lemma size_class md_as_seq1 arr) @@ -569,12 +569,12 @@ let u32_bounded open ExternUtils val deallocate_zeroing - (size_class: sc) + (size_class: sc_full) (ptr: array U8.t) : Steel unit (A.varray ptr) (fun _ -> A.varray ptr) (requires fun h0 -> - A.length ptr = U32.v size_class + A.length ptr = U32.v size_class.sc ) (ensures fun _ _ h1 -> enable_zeroing_free ==> zf_u8 (A.asel ptr h1) @@ -583,7 +583,7 @@ val deallocate_zeroing let deallocate_zeroing size_class ptr = if enable_zeroing_free then ( - apply_zeroing_u8 ptr (US.uint32_to_sizet size_class) + apply_zeroing_u8 ptr (US.uint32_to_sizet size_class.sc) ) else ( return () ) @@ -592,7 +592,7 @@ let deallocate_zeroing size_class ptr //CAUTION #push-options "--z3rlimit 100 --compat_pre_typed_indexed_effects" let deallocate_slot' - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) (md_as_seq: G.erased (Seq.lseq U64.t 4)) (arr: array U8.t{A.length arr = US.v (rounding size_class)}) @@ -604,7 +604,7 @@ let deallocate_slot' A.varray ptr `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -615,7 +615,7 @@ let deallocate_slot' emp `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.unset md_as_seq (snd r)) arr) (slab_vprop_aux_f_lemma size_class (Bitmap4.unset md_as_seq (snd r)) arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -623,7 +623,7 @@ let deallocate_slot' A.varray ptr `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq arr) (slab_vprop_aux_f_lemma size_class md_as_seq arr) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -633,11 +633,11 @@ let deallocate_slot' let diff = A.offset (A.ptr_of ptr) - A.offset (A.ptr_of arr) in same_base_array ptr arr /\ 0 <= diff /\ - diff < U32.v page_size /\ - diff % U32.v size_class == 0 /\ + diff < U32.v size_class.slab_size /\ + diff % U32.v size_class.sc == 0 /\ US.v diff_ == diff /\ A.asel md h0 == G.reveal md_as_seq /\ - A.length ptr == U32.v size_class + A.length ptr == U32.v size_class.sc ) (ensures fun h0 r h1 -> // using h0 (A.varray md) instead fails @@ -692,7 +692,7 @@ let lemma_div_lt #push-options "--fuel 1 --ifuel 1 --z3rlimit 50" let bound2_inv2 - (size_class: sc) + (size_class: sc_full) (md_as_seq: Seq.lseq U64.t 4) (pos: U32.t{U32.v pos < U32.v (nb_slots size_class)}) : Lemma @@ -713,14 +713,13 @@ let bound2_inv2 let md_as_seq' = Bitmap4.unset md_as_seq pos in let bm' = Bitmap4.array_to_bv2 md_as_seq' in let nb_slots_sc_rem = U32.rem nb_slots_sc 64ul in - if (U32.v size_class <= 64) + if (U32.v nb_slots_sc >= 64) then ( - assert (size_class = 16ul \/ size_class = 32ul \/ size_class = 64ul); - assert (U32.v nb_slots_sc_rem = 0); + let x = U32.v size_class.sc in + let y = U32.v size_class.slab_size in + assert (x == y/256 \/ x == y/128 \/ x == y/64); Seq.lemma_empty (Seq.slice bm' 0 (64 - U32.v bound2)) ) else ( - assert (U32.v size_class > 64); - lemma_div_lt (U32.v page_size) 64 (U32.v size_class); assert (U32.v nb_slots_sc < 64); assert (nb_slots_sc_rem = nb_slots_sc); let idx = Bitmap4.f #4 (U32.v pos) in @@ -733,11 +732,19 @@ let bound2_inv2 #restart-solver +noextract +let is_full + (size_class: sc_full) + (s: Seq.lseq U64.t 4) + : bool + = + not (has_free_slot size_class s) + #push-options "--z3rlimit 100 --compat_pre_typed_indexed_effects" let deallocate_slot - (size_class: sc) + (size_class: sc_full) (md: slab_metadata) - (arr: array U8.t{A.length arr = U32.v page_size}) + (arr: array U8.t{A.length arr = U32.v size_class.slab_size}) (ptr: array U8.t) (diff_: US.t) : Steel bool @@ -752,10 +759,10 @@ let deallocate_slot //let v0 : Seq.lseq U64.t 4 = dfst blob0 in same_base_array arr ptr /\ 0 <= diff /\ - diff < U32.v page_size /\ - diff % U32.v size_class == 0 /\ + diff < U32.v size_class.slab_size /\ + diff % U32.v size_class.sc == 0 /\ US.v diff_ = diff /\ - A.length ptr == U32.v size_class + A.length ptr == U32.v size_class.sc ) //not (is_empty size_class v0)) (ensures fun h0 b h1 -> @@ -779,7 +786,7 @@ let deallocate_slot emp `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.unset md_as_seq (snd r)) (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class (Bitmap4.unset md_as_seq (snd r)) (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -787,7 +794,7 @@ let deallocate_slot A.varray ptr `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class md_as_seq (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -795,7 +802,7 @@ let deallocate_slot (emp `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.unset md_as_seq (snd r)) (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class (Bitmap4.unset md_as_seq (snd r)) (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class)))); @@ -814,7 +821,7 @@ let deallocate_slot emp `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class (Bitmap4.unset md_as_seq (snd r)) (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class (Bitmap4.unset md_as_seq (snd r)) (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -822,7 +829,7 @@ let deallocate_slot A.varray ptr `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class md_as_seq (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class))) @@ -830,7 +837,7 @@ let deallocate_slot (A.varray ptr `star` starseq #(pos:U32.t{U32.v pos < U32.v (nb_slots size_class)}) - #(option (Seq.lseq U8.t (U32.v size_class))) + #(option (Seq.lseq U8.t (U32.v size_class.sc))) (slab_vprop_aux_f size_class md_as_seq (A.split_l arr (rounding size_class))) (slab_vprop_aux_f_lemma size_class md_as_seq (A.split_l arr (rounding size_class))) (SeqUtils.init_u32_refined (U32.v (nb_slots size_class)))); diff --git a/src/StarMalloc.fst b/src/StarMalloc.fst index 10056811..0920348e 100644 --- a/src/StarMalloc.fst +++ b/src/StarMalloc.fst @@ -28,13 +28,19 @@ open LargeAlloc #push-options "--fuel 0 --ifuel 0" +//TODO: [@ CConst] +let threshold : US.t = + if enable_slab_canaries_malloc + then US.sub (u32_to_sz max_slab_size) 2sz + else u32_to_sz max_slab_size + #push-options "--fuel 1 --ifuel 1" val malloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (size: US.t) : Steel (array U8.t) emp (fun r -> null_or_varray r) (requires fun _ -> - US.fits (US.v size + U32.v page_size) + US.fits (US.v size + U32.v max_slab_size) ) (ensures fun _ r h1 -> let s : t_of (null_or_varray r) @@ -44,7 +50,7 @@ val malloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (size: US.t) array_u8_alignment r 16ul /\ (enable_zeroing_malloc ==> zf_u8 (Seq.slice s 0 (US.v size))) //Seq.length s >= 2 /\ - //(enable_slab_canaries_malloc ==> + //((enable_slab_canaries_malloc /\ US.v size <= US.v threshold) ==> // Seq.index s (A.length r - 2) == slab_canaries_magic1 /\ // Seq.index s (A.length r - 1) == slab_canaries_magic2 //) @@ -54,11 +60,6 @@ val malloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (size: US.t) module G = FStar.Ghost -//TODO: [@ CConst] -let threshold : US.t = - if enable_slab_canaries_malloc - then US.sub (US.uint32_to_sizet page_size) 2sz - else US.uint32_to_sizet page_size #push-options "--fuel 1 --ifuel 1 --z3rlimit 30" let malloc arena_id size = @@ -79,9 +80,9 @@ let malloc arena_id size = ) ) else ( // TODO: use efficient align here - assert (US.v size > U32.v page_size - 2); - let size' = if US.lte size (US.uint32_to_sizet page_size) - then US.add (US.uint32_to_sizet page_size) 1sz + assert (US.v size > U32.v max_slab_size - 2); + let size' = if US.lte size (u32_to_sz max_slab_size) + then US.add (u32_to_sz max_slab_size) 1sz else size in let r = large_malloc size' in let s : G.erased (t_of (null_or_varray r)) @@ -105,14 +106,15 @@ val aligned_alloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (alignment:US. emp (fun r -> null_or_varray r) (requires fun _ -> - US.fits (US.v size + U32.v page_size) + US.fits (US.v size + U32.v max_slab_size) ) (ensures fun _ r h1 -> let s : t_of (null_or_varray r) = h1 (null_or_varray r) in not (A.is_null r) ==> ( 0 < US.v alignment /\ - US.v alignment <= U32.v page_size /\ + US.v alignment <= U32.v max_slab_size /\ + //US.v alignment <= U32.v page_size /\ A.length r >= US.v size /\ array_u8_alignment r 16ul /\ array_u8_alignment r (US.sizet_to_uint32 alignment) /\ @@ -121,32 +123,36 @@ val aligned_alloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) (alignment:US. ) #pop-options -#push-options "--fuel 1 --ifuel 1 --z3rlimit 50" +#push-options "--fuel 1 --ifuel 1 --z3rlimit 100" let aligned_alloc arena_id alignment size = let page_as_sz = US.uint32_to_sizet page_size in - let check = US.gt alignment 0sz && US.rem (US.uint32_to_sizet page_size) alignment = 0sz in - if check then ( - let alignment_as_u32 = US.sizet_to_uint32 alignment in - if (US.lte size threshold) then ( - let ptr = slab_aligned_alloc arena_id alignment_as_u32 (US.sizet_to_uint32 size) in - if (A.is_null ptr || not enable_zeroing_malloc) then ( + let alignment_as_u32 = US.sizet_to_uint32 alignment in + // use slab aligned allocations + let check1 = US.gt alignment 0sz && US.rem (US.uint32_to_sizet max_slab_size) alignment = 0sz + && US.lte size threshold in + // use large allocations + let check2 = US.gt alignment 0sz && US.rem (US.uint32_to_sizet page_size) alignment = 0sz in + if check1 then ( + let ptr = slab_aligned_alloc arena_id alignment_as_u32 (US.sizet_to_uint32 size) in + if (A.is_null ptr || not enable_zeroing_malloc) then ( + return ptr + ) else ( + elim_live_null_or_varray ptr; + let b = check_zeroing_u8 ptr size in + if b then ( + intro_live_null_or_varray ptr; return ptr ) else ( - elim_live_null_or_varray ptr; - let b = check_zeroing_u8 ptr size in - if b then ( - intro_live_null_or_varray ptr; - return ptr - ) else ( - // TODO: distinct case from malloc? - FatalError.die_from_malloc_zeroing_check_failure ptr; - intro_null_null_or_varray #U8.t - ) + // TODO: distinct case from malloc? + FatalError.die_from_malloc_zeroing_check_failure ptr; + intro_null_null_or_varray #U8.t ) - ) else ( - let size' = if US.lte size (US.uint32_to_sizet page_size) - then US.add (US.uint32_to_sizet page_size) 1sz + ) + ) else ( + if check2 then ( + let size' = if US.lte size (US.uint32_to_sizet max_slab_size) + then US.add (US.uint32_to_sizet max_slab_size) 1sz else size in let ptr = large_malloc size' in assert_norm (pow2 12 == U32.v page_size); @@ -164,11 +170,11 @@ let aligned_alloc arena_id alignment size 16ul ) else (); return ptr + ) else ( + // TODO: add some warning, failure + let r = intro_null_null_or_varray #U8.t in + return r ) - ) else ( - // TODO: add some warning, failure - let r = intro_null_null_or_varray #U8.t in - return r ) #pop-options @@ -212,7 +218,7 @@ let spec_getsize (length: nat{enable_slab_canaries_malloc ==> length >= 2}) : Tot nat = - if (length <= U32.v page_size) + if (length <= U32.v max_slab_size) then ( // slab allocation, possibly a canary if enable_slab_canaries_malloc @@ -244,11 +250,11 @@ let full_getsize (ptr: array U8.t) (US.v (fst result) > 0 ==> (enable_slab_canaries_malloc ==> A.length ptr >= 2) /\ US.v (fst result) == spec_getsize (A.length ptr) /\ - (G.reveal (snd result) <==> US.v (fst result) <= U32.v page_size) /\ + (G.reveal (snd result) <==> US.v (fst result) <= U32.v max_slab_size) /\ (G.reveal (snd result) ==> ( let idx = sc_selection (US.sizet_to_uint32 (fst result)) in (enable_sc_fast_selection ==> - A.length ptr == U32.v (L.index sc_list (US.v idx))) /\ + A.length ptr == U32.v (L.index sc_list (US.v idx)).sc) /\ (enable_slab_canaries_malloc ==> A.length ptr == US.v (fst result) + 2 ) /\ @@ -289,10 +295,10 @@ let getsize (ptr: array U8.t) (US.v result > 0 ==> (enable_slab_canaries_malloc ==> A.length ptr >= 2) /\ US.v result == spec_getsize (A.length ptr) /\ - (US.v result <= U32.v page_size ==> ( + (US.v result <= U32.v max_slab_size ==> ( let idx = sc_selection (US.sizet_to_uint32 result) in (enable_sc_fast_selection ==> - A.length ptr == U32.v (L.index sc_list (US.v idx))) /\ + A.length ptr == U32.v (L.index sc_list (US.v idx)).sc) /\ (enable_slab_canaries_malloc ==> A.length ptr == US.v result + 2 ) /\ @@ -316,10 +322,10 @@ let realloc_small_optim_lemma (new_size: US.t) : Lemma (requires enable_sc_fast_selection /\ - US.v old_size <= U32.v page_size /\ + US.v old_size <= U32.v max_slab_size /\ US.v new_size <= US.v threshold /\ (let old_idx = sc_selection (US.sizet_to_uint32 old_size) in - let old_sc = L.index sc_list (US.v old_idx) in + let old_sc = (L.index sc_list (US.v old_idx)).sc in let new_idx = if enable_slab_canaries_malloc then sc_selection (US.sizet_to_uint32 (US.add new_size 2sz)) else sc_selection (US.sizet_to_uint32 new_size) in @@ -383,7 +389,7 @@ val realloc_standard_case (arena_id:US.t{US.v arena_id < US.v nb_arenas}) ) (requires fun _ -> within_size_classes_pred ptr /\ - US.fits (US.v new_size + U32.v page_size) /\ + US.fits (US.v new_size + U32.v max_slab_size) /\ not (A.is_null ptr) /\ US.v new_size > 0 ) @@ -416,7 +422,7 @@ let realloc_standard_case arena_id ptr new_size = elim_live_null_or_varray ptr; let old_size = getsize ptr in - let old_allocation_is_small : bool = US.lte old_size (u32_to_sz page_size) in + let old_allocation_is_small : bool = US.lte old_size (u32_to_sz max_slab_size) in let new_allocation_is_small : bool = US.lte new_size threshold in let same_case : bool = old_allocation_is_small = new_allocation_is_small in let small_case_optim_condition = enable_sc_fast_selection && old_allocation_is_small && same_case && ( @@ -520,7 +526,7 @@ val realloc (arena_id:US.t{US.v arena_id < US.v nb_arenas}) ) (requires fun _ -> within_size_classes_pred ptr /\ - US.fits (US.v new_size + U32.v page_size) + US.fits (US.v new_size + U32.v max_slab_size) ) (ensures fun h0 r h1 -> let s0 : t_of (null_or_varray ptr) @@ -604,7 +610,7 @@ val calloc (requires fun _ -> FStar.Math.Lemmas.nat_times_nat_is_nat (US.v size1) (US.v size2); let size : nat = US.v size1 * US.v size2 in - US.fits (size + U32.v page_size) + US.fits (size + U32.v max_slab_size) ) (ensures fun _ r h1 -> FStar.Math.Lemmas.nat_times_nat_is_nat (US.v size1) (US.v size2); diff --git a/src/Utils2.fst b/src/Utils2.fst index d0852687..ec930ae9 100644 --- a/src/Utils2.fst +++ b/src/Utils2.fst @@ -31,7 +31,7 @@ let array_u8_alignment = ArrayAlignment.array_u8_alignment let array_u8_alignment_lemma = ArrayAlignment.array_u8_alignment_lemma #push-options "--z3rlimit 30" -let nb_slots (size_class: sc) +let nb_slots (size_class: sc_full') : Pure U32.t (requires True) (ensures fun r -> @@ -39,37 +39,37 @@ let nb_slots (size_class: sc) U32.v r <= 256 ) = - //TODO: stabilize - U32.div page_size size_class + U32.div size_class.slab_size size_class.sc #pop-options open FStar.Mul open Prelude -let rounding (size_class: sc) +let rounding (size_class: sc_full') : Pure US.t (requires True) (ensures fun r -> - US.v r <= U32.v page_size + US.v r <= U32.v size_class.slab_size ) = - US.uint32_to_sizet (U32.mul (nb_slots size_class) size_class) + US.uint32_to_sizet (U32.mul (nb_slots size_class) size_class.sc) #push-options "--z3rlimit 50" -let nb_slots_correct - (size_class: sc) +let nb_slots_correct (size_class: sc_full') (pos: U32.t) : Lemma - (requires U32.v pos < U32.v (nb_slots size_class)) + (requires + U32.v pos < U32.v (nb_slots size_class) + ) (ensures - U32.v (U32.mul pos size_class) - <= US.v (rounding size_class) - U32.v size_class) + U32.v (U32.mul pos size_class.sc) + <= US.v (rounding size_class) - U32.v size_class.sc) = assert (U32.v pos <= U32.v (nb_slots size_class) - 1); - FML.lemma_mult_le_left (U32.v size_class) (U32.v pos) (U32.v (nb_slots size_class) - 1); - assert (U32.v pos * U32.v size_class <= U32.v (U32.mul (nb_slots size_class) size_class) - U32.v size_class); - assert (U32.v (U32.mul (nb_slots size_class) size_class) <= U32.v page_size) + FML.lemma_mult_le_left (U32.v size_class.sc) (U32.v pos) (U32.v (nb_slots size_class) - 1); + assert (U32.v pos * U32.v size_class.sc <= U32.v (U32.mul (nb_slots size_class) size_class.sc) - U32.v size_class.sc); + assert (U32.v (U32.mul (nb_slots size_class) size_class.sc) <= U32.v size_class.slab_size) #pop-options noextract @@ -347,7 +347,7 @@ let full_n_lemma (x: U64.t) (bound: U32.t) module G = FStar.Ghost noextract inline_for_extraction -let bound2_gen (v: U32.t) (size_class: G.erased sc) +let bound2_gen (v: U32.t) (size_class: G.erased sc_full') : Pure U32.t (requires v == nb_slots (G.reveal size_class)) (ensures fun r -> @@ -362,7 +362,7 @@ let bound2_gen (v: U32.t) (size_class: G.erased sc) noextract let has_free_slot - (size_class: sc) + (size_class: sc_full') (s: Seq.lseq U64.t 4) : bool = @@ -379,7 +379,7 @@ let has_free_slot (bound > 3 && (U64.v (Seq.index s 3) <> max)) let has_free_slot_s - (size_class: sc) + (size_class: sc_full') (md: slab_metadata) : Steel bool (A.varray md) (fun _ -> A.varray md) @@ -404,7 +404,7 @@ let has_free_slot_s noextract let is_empty - (size_class: sc) + (size_class: sc_full') (s: Seq.lseq U64.t 4) : bool = @@ -416,7 +416,7 @@ let is_empty (bound <= 3 || (U64.v (Seq.index s 3) = 0)) let is_empty_s - (size_class: sc) + (size_class: sc_full') (md: slab_metadata) : Steel bool (A.varray md) (fun _ -> A.varray md) @@ -438,14 +438,14 @@ let is_empty_s noextract let is_partial - (size_class: sc) + (size_class: sc_full') (s: Seq.lseq U64.t 4) : bool = has_free_slot size_class s && (not (is_empty size_class s)) let is_partial_s - (size_class: sc) + (size_class: sc_full') (md: slab_metadata) : Steel bool (A.varray md) (fun _ -> A.varray md) @@ -461,14 +461,14 @@ let is_partial_s noextract let is_full - (size_class: sc) + (size_class: sc_full') (s: Seq.lseq U64.t 4) : bool = not (has_free_slot size_class s) let is_full_s - (size_class: sc) + (size_class: sc_full') (md: slab_metadata) : Steel bool (A.varray md) (fun _ -> A.varray md) @@ -483,7 +483,7 @@ let is_full_s noextract let zeroes_impl_empty - (size_class: sc) + (size_class: sc_full') (s: Seq.lseq U64.t 4) : Lemma (requires s == Seq.create 4 0UL) @@ -615,12 +615,12 @@ let lemma_nth_nonmax64 #push-options "--z3rlimit 50" let lemma_nth_nonfull - (size_class: sc) + (size_class: sc_full') (x: U64.t) (i: nat{i < U32.v (nb_slots size_class) /\ i <= 63}) : Lemma (requires - U32.v size_class > 64 /\ + U32.v size_class.sc * 64 > U32.v size_class.slab_size /\ FU.nth (U64.v x) (63 - i) = false) (ensures ( let bound2 = nb_slots size_class in @@ -643,7 +643,7 @@ let lemma_nth_nonfull #push-options "--z3rlimit 100" let set_lemma_nonempty - (size_class: sc) + (size_class: sc_full') (md_as_seq1: Seq.lseq U64.t 4) (md_as_seq2: Seq.lseq U64.t 4) (pos: U32.t{U32.v pos < U64.n * 4}) @@ -699,7 +699,7 @@ let lemma_div_lt_aux #push-options "--z3rlimit 100" let set_lemma_nonfull - (size_class: sc) + (size_class: sc_full') (md_as_seq1: Seq.lseq U64.t 4) (md_as_seq2: Seq.lseq U64.t 4) (pos: U32.t{U32.v pos < U64.n * 4}) @@ -728,7 +728,7 @@ let set_lemma_nonfull then ( let bound2 = bound2_gen (nb_slots size_class) (G.hide size_class) in let full = full_n bound2 in - if (U32.v size_class <= 64) + if (U32.v (nb_slots size_class) >= 64) then ( assert (U32.v bound2 == 64); assert (full_n bound2 = max64); @@ -736,17 +736,18 @@ let set_lemma_nonfull assert (x <> max64); assert (Seq.index md_as_seq2 (U32.v i1) <> full_n bound2) ) else ( - assert (U32.v size_class > 64); - lemma_div_lt_aux 64 (U32.v size_class) (U32.v page_size); - assert ((U32.v page_size)/64 == 64); - assert (U32.v (nb_slots size_class) < 64); - assert (U32.v pos < 63); - assert (idx - U32.v i1 * 64 = idx); - assert (idx = Bitmap4.f_aux (U32.v pos)); - assert (idx - U32.v i1 * 64 = 64 - U32.v pos - 1); + //assert (U32.v size_class > 64); + //lemma_div_lt_aux 64 (U32.v size_class) (U32.v page_size); + //assert ((U32.v page_size)/64 == 64); + //assert (U32.v (nb_slots size_class) < 64); + //assert (U32.v pos < 63); + //assert (idx - U32.v i1 * 64 = idx); + //assert (idx = Bitmap4.f_aux (U32.v pos)); + //assert (idx - U32.v i1 * 64 = 64 - U32.v pos - 1); lemma_nth_nonfull size_class x (U32.v pos); - assert (x <> full_n bound2); - assert (Seq.index md_as_seq2 (U32.v i1) <> full_n bound2) + //assert (x <> full_n bound2); + //assert (Seq.index md_as_seq2 (U32.v i1) <> full_n bound2) + () ) ) else ( lemma_nth_nonmax64 x (idx - U32.v i1 * 64); diff --git a/vendor/hacl-star/Lib_Memzero0.c b/vendor/hacl-star/Lib_Memzero0.c new file mode 100644 index 00000000..e3228916 --- /dev/null +++ b/vendor/hacl-star/Lib_Memzero0.c @@ -0,0 +1,83 @@ +#if defined(__has_include) +#if __has_include("config.h") +#include "config.h" +#endif +#endif + +#ifdef _WIN32 +#include +#endif + +#if defined(__APPLE__) && defined(__MACH__) +#include +// memset_s is available from macOS 10.9, iOS 7, watchOS 2, and on all tvOS and visionOS versions. +# if (defined(MAC_OS_X_VERSION_MIN_REQUIRED) && defined(MAC_OS_X_VERSION_10_9) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_9)) +# define APPLE_HAS_MEMSET_S +# elif (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && defined(__IPHONE_7_0) && (__IPHONE_OS_VERSION_MIN_REQUIRED >= __IPHONE_7_0)) +# define APPLE_HAS_MEMSET_S +# elif (defined(TARGET_OS_TV) && TARGET_OS_TV) +# define APPLE_HAS_MEMSET_S +# elif (defined(__WATCH_OS_VERSION_MIN_REQUIRED) && defined(__WATCHOS_2_0) && (__WATCH_OS_VERSION_MIN_REQUIRED >= __WATCHOS_2_0)) +# define APPLE_HAS_MEMSET_S +# elif (defined(TARGET_OS_VISION) && TARGET_OS_VISION) +# define APPLE_HAS_MEMSET_S +# else +# undef APPLE_HAS_MEMSET_S +# endif +#endif + +#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__) || defined(__OpenBSD__) +#define __STDC_WANT_LIB_EXT1__ 1 +#include +#endif + +#if defined(__FreeBSD__) || defined(__NetBSD__) +#include +#endif + +#include +#include +#include +#include + +/* This is now a hand-written header */ +#include "lib_memzero0.h" +/*#include "krml/internal/target.h"*/ + +/* The F* formalization talks about the number of elements in the array. The C + implementation wants a number of bytes in the array. KaRaMeL is aware of this + and inserts a sizeof multiplication. */ +void Lib_Memzero0_memzero0(void *dst, uint64_t len) { + /* This is safe: karamel checks at run-time (if needed) that all object sizes + fit within a size_t, so the size we receive has been checked at + allocation-time, possibly via KRML_CHECK_SIZE, to fit in a size_t. */ + size_t len_ = (size_t) len; + + #ifdef _WIN32 + SecureZeroMemory(dst, len_); + #elif defined(__APPLE__) && defined(__MACH__) && defined(APPLE_HAS_MEMSET_S) + memset_s(dst, len_, 0, len_); + #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__) || defined(__OpenBSD__) + explicit_bzero(dst, len_); + #elif defined(__NetBSD__) + explicit_memset(dst, 0, len_); + #else + /* Default implementation for platforms with no particular support. */ + #warning "Your platform does not support any safe implementation of memzero -- consider a pull request!" + volatile unsigned char *volatile dst_ = (volatile unsigned char *volatile) dst; + size_t i = 0U; + while (i < len_) + dst_[i++] = 0U; + #endif +} + +int main(){ + char* ptr = malloc(16); + Lib_Memzero0_memzero0(ptr, 16U); + ptr[1] = 1; + ptr[10] = 1; + Lib_Memzero0_memzero0(ptr, 8U); + printf("%i\n", ptr[10]); + free(ptr); + return 0; +} diff --git a/vendor/hacl-star/lib_memzero0.h b/vendor/hacl-star/lib_memzero0.h new file mode 100644 index 00000000..fea3e41c --- /dev/null +++ b/vendor/hacl-star/lib_memzero0.h @@ -0,0 +1,5 @@ +#include + +void Lib_Memzero0_memzero0(void *dst, uint64_t len); + +#define Lib_Memzero0_memzero(dst, len, t, _ret_t) Lib_Memzero0_memzero0(dst, len * sizeof(t))