Commit 99d5d173 authored by Marc Schoolderman's avatar Marc Schoolderman
Browse files

test version (subp with loop is in 'bigint_subp_j.mlw')

parent 7ea1e096
......@@ -90,37 +90,527 @@ lemma mul_bound_preserve:
constant p25519: int = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed
let bigint_subp ()
let test ()
requires { 32 <= uint 2 reg rX < pow2 15 }
requires { 32 <= uint 2 reg rZ < pow2 15 }
ensures { uint 32 mem (uint 2 reg rZ) = pow2 256*reg[24] + old (uint 32 mem (uint 2 reg rX)) - p25519 }
=
movw r26 r22; (* load operand address a to x *)
movw r30 r24; (* load address of result to z *)
requires { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+30 }
ensures { uint 30 mem (old (uint 2 reg rZ)) = ?cf*pow2 240 + old (uint 30 mem (uint 2 reg rX)) - (pow2 240-1) - old (?cf) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ+0) <= i < old(uint 2 reg rZ+30) }
ensures { uint 2 reg rX = old (uint 2 reg rX)+30 }
ensures { uint 2 reg rZ = old (uint 2 reg rZ)+30 }
requires { S.synchronized S.shadow reg }
ensures { S.synchronized S.shadow reg }
= ldi r21 0xff;
'B:
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 4 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 32 + at (uint 4 mem (uint 2 reg rX))'B - (pow2 32-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 8 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 64 + at (uint 8 mem (uint 2 reg rX))'B - (pow2 64-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 12 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 96 + at (uint 12 mem (uint 2 reg rX))'B - (pow2 96-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 16 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 128 + at (uint 16 mem (uint 2 reg rX))'B - (pow2 128-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 20 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 160 + at (uint 20 mem (uint 2 reg rX))'B - (pow2 160-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 24 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 192 + at (uint 24 mem (uint 2 reg rX))'B - (pow2 192-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 28 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 224 + at (uint 28 mem (uint 2 reg rX))'B - (pow2 224-1) - at (?cf)'B };
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
check { uint 30 mem (at (uint 2 reg rZ)'B) = ?cf*pow2 240 + at (uint 30 mem (uint 2 reg rX))'B - (pow2 240-1) - at (?cf)'B };
(*
S.init();
abstract ensures { S.synchronized S.shadow reg } ensures { uint 2 reg rX = at(uint 2 reg rX)'B+1 /\ uint 2 reg rZ = uint 2 reg rX } ensures { mem = mem[at (uint 2 reg rX)'B <- ?cf*256 + old (mem[at(uint 2 reg rX)'B]) - 0xff - old (?cf)] } ld_inc r20 rX; sbc r20 r21; st_inc rZ r20; S.modify_r26(); S.modify_r27(); S.modify_r20(); S.modify_r30(); S.modify_r31() end;
abstract ensures { S.synchronized S.shadow reg } ensures { uint 2 reg rX = at(uint 2 reg rX)'B+2 /\ uint 2 reg rZ = uint 2 reg rX } ensures { mem = mem[at (uint 2 reg rX)'B+1 <- ?cf*256 + old (mem[at(uint 2 reg rX)'B+1]) - 0xff - old (?cf)] } ld_inc r20 rX; sbc r20 r21; st_inc rZ r20; S.modify_r26(); S.modify_r27(); S.modify_r20(); S.modify_r30(); S.modify_r31() end;
*)
S.modify_r26(); S.modify_r27(); S.modify_r20(); S.modify_r30(); S.modify_r31();
()
let test2 ()
requires { 32 <= uint 2 reg rX < pow2 15-1 }
requires { 32 <= uint 2 reg rZ < pow2 15-1 }
requires { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+32 }
ensures { uint 32 mem (old (uint 2 reg rZ)) = ?cf*pow2 256 + old (uint 32 mem (uint 2 reg rX)) - p25519 }
=
'S:
ldi r21 0xed;
ld_inc r20 rX;
sub r20 r21;
st_inc rZ r20;
check { uint 1 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 8 + at (uint 1 mem (uint 2 reg rX))'S - 0xed };
check { eq 1 mem (at mem 'S) (uint 2 reg rX+30) };
'P:
check { eq 31 mem (at mem 'S) (uint 2 reg rX) };
check { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+32 };
check { uint 2 reg rZ+30 <= uint 2 reg rX+30 \/ uint 2 reg rZ-2 >= uint 2 reg rX+30 };
check { uint 2 reg rZ+30 <= uint 2 reg rX+30 \/ uint 2 reg rZ-2 >= uint 2 reg rX+30 };
ldi r21 0xff;
'B:
S.init();
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 10 mem (old (uint 2 reg rZ)) = ?cf*pow2 80 + old(uint 10 mem (uint 2 reg rX)) - (pow2 80-1) - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+10) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+10) }
ensures { forall i. mem[i] <> (at mem 'S)[i] -> at(uint 2 reg rZ)'S <= i < at(uint 2 reg rZ+11)'S }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 10 mem (old (uint 2 reg rZ)) = ?cf*pow2 80 + old(uint 10 mem (uint 2 reg rX)) - (pow2 80-1) - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+10) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+10) }
ensures { forall i. mem[i] <> (at mem 'S)[i] -> at(uint 2 reg rZ)'S <= i < at(uint 2 reg rZ+21)'S }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 10 mem (old (uint 2 reg rZ)) = ?cf*pow2 80 + old(uint 10 mem (uint 2 reg rX)) - (pow2 80-1) - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+10) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+10) }
ensures { forall i. mem[i] <> (at mem 'S)[i] -> at(uint 2 reg rZ)'S <= i < at(uint 2 reg rZ+31)'S }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
(* S.init(); test(); *)
assert { uint 30 mem (at (uint 2 reg rZ)'P) = ?cf*pow2 240 + at(uint 30 mem (uint 2 reg rX))'P - (pow2 240-1) - at (?cf) 'P };
check { uint 30 mem (at (uint 2 reg rZ+1)'S) = ?cf*pow2 240 + at(uint 30 mem (uint 2 reg rX+1))'S - (pow2 240-1) - at (?cf) 'P };
check { pow2 8*uint 30 mem (at (uint 2 reg rZ+1)'S) = ?cf*pow2 248 + pow2 8*at(uint 30 mem (uint 2 reg rX+1))'S - pow2 8*(pow2 240-1) - pow2 8*at (?cf) 'P };
check { uint 31 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 248 + at(uint 31 mem (uint 2 reg rX))'S - pow2 8*(pow2 240-1) - 0xed };
check { eq 1 mem (at mem 'S) (uint 2 reg rX) };
'PP:
ldi r21 0x7f;
ld_inc r20 rX;
sbc r20 r21;
st_inc rZ r20;
check { uint 32 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 256 + at (uint 32 mem (uint 2 reg rX))'S - 0xed - pow2 8*(pow2 240-1) - pow2 248*0x7f };
()
(* perhaps unrolling saves on asserts? *)
for rept = 1 to 30 do
invariant { 32 <= uint 2 reg rX < pow2 15 + 32 }
invariant { 32 <= uint 2 reg rZ < pow2 15 + 32 }
ld_inc r20 rX;
sbc r20 r21;
st_inc rZ r20;
done;
let test37 ()
requires { 32 <= uint 2 reg rX < pow2 15-1 }
requires { 32 <= uint 2 reg rZ < pow2 15-1 }
requires { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+32 }
ensures { uint 32 mem (old (uint 2 reg rZ)) = ?cf*pow2 256 + old (uint 32 mem (uint 2 reg rX)) - p25519 }
=
'S:
S.init();
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 16 mem (old (uint 2 reg rZ)) = ?cf*pow2 128 + old(uint 16 mem (uint 2 reg rX)) - 0xffffffffffffffffffffffffffffffed }
ensures { uint 2 reg rX = old(uint 2 reg rX+16) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+16) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+16) }
ensures { reg[21] = 0xff }
ldi r21 0xed;
ld_inc r20 rX;
sub r20 r21;
st_inc rZ r20;
ldi r21 0xff;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
'T:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 16 mem (old (uint 2 reg rZ)) = ?cf*pow2 128 + old(uint 16 mem (uint 2 reg rX)) - 0x7fffffffffffffffffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+16) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+16) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+16) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ldi r21 0x7f;
ld_inc r20 rX;
sbc r20 r21;
st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
()
clr r24;
adc r24 r24;
let test35 ()
requires { 32 <= uint 2 reg rX < pow2 15-1 }
requires { 32 <= uint 2 reg rZ < pow2 15-1 }
requires { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+32 }
ensures { uint 32 mem (old (uint 2 reg rZ)) = ?cf*pow2 256 + old (uint 32 mem (uint 2 reg rX)) - p25519 }
=
'S:
S.init();
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 11 mem (old (uint 2 reg rZ)) = ?cf*pow2 88 + old(uint 11 mem (uint 2 reg rX)) - 0xffffffffffffffffffffed }
ensures { uint 2 reg rX = old(uint 2 reg rX+11) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+11) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+11) }
ensures { reg[21] = 0xff }
ldi r21 0xed;
ld_inc r20 rX;
sub r20 r21;
st_inc rZ r20;
ldi r21 0xff;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
'T:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 11 mem (old (uint 2 reg rZ)) = ?cf*pow2 88 + old(uint 11 mem (uint 2 reg rX)) - 0xffffffffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+11) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+11) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+11) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
assert { eq 10 mem (at mem 'S) (uint 2 reg rX) };
assert { uint 22 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 176 + at (uint 22 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffffffffffffffed };
'T2:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 10 mem (old (uint 2 reg rZ)) = ?cf*pow2 80 + old(uint 10 mem (uint 2 reg rX)) - 0x7fffffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+10) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+10) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+10) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ldi r21 0x7f;
ld_inc r20 rX;
sbc r20 r21;
st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
(*
check { eq 16 mem (at mem 'T2) (at (uint 2 reg rZ)'S) };
assert { uint 16 mem (at (uint 2 reg rZ)'T2) = ?cf*pow2 128 + at (uint 16 mem (uint 2 reg rX))'T2 - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2 };
*)
(*
check { uint 16 mem (at (uint 2 reg rZ)'S) = pow2 128*at(?cf)'T2 + at(uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed };
check { uint 16 mem (at (uint 2 reg rZ+16)'S) = pow2 128*(?cf) + at(uint 16 mem (uint 2 reg rX+16))'S - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2 };
check { uint 32 mem (at (uint 2 reg rZ)'S) =
uint 16 mem (at (uint 2 reg rZ)'S)
+ pow2 128*uint 16 mem (at (uint 2 reg rZ+16)'S)
= pow2 128*at(?cf)'T2 + at(uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed
+ pow2 128*(pow2 128*(?cf) + at(uint 16 mem (uint 2 reg rX+16))'S - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2)
= at(uint 32 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed
+ pow2 256*(?cf) - 0x7fffffffffffffffffffffffffffffff*pow2 128
= pow2 256*(?cf) + at(uint 32 mem (uint 2 reg rX))'S - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed };
check { uint 32 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 256 + at (uint 32 mem (uint 2 reg rX))'S - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed };
*)
()
let test3 ()
requires { 32 <= uint 2 reg rX < pow2 15-1 }
requires { 32 <= uint 2 reg rZ < pow2 15-1 }
requires { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+32 }
ensures { uint 32 mem (old (uint 2 reg rZ)) = ?cf*pow2 256 + old (uint 32 mem (uint 2 reg rX)) - p25519 }
=
'S:
S.init();
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + old(uint 8 mem (uint 2 reg rX)) - 0xffffffffffffffed }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ensures { reg[21] = 0xff }
ldi r21 0xed;
ld_inc r20 rX;
sub r20 r21;
st_inc rZ r20;
ldi r21 0xff;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
'T:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + old(uint 8 mem (uint 2 reg rX)) - 0xffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
assert { eq 16 mem (at mem 'S) (uint 2 reg rX) };
assert { uint 16 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 128 + at (uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed };
'T2:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + old(uint 8 mem (uint 2 reg rX)) - 0xffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
check { uint 24 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 192 + at (uint 24 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffffffffffffffffffed };
'T3:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + old(uint 8 mem (uint 2 reg rX)) - 0x7fffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ldi r21 0x7f;
ld_inc r20 rX;
sbc r20 r21;
st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
(*
check { eq 16 mem (at mem 'T2) (at (uint 2 reg rZ)'S) };
*)
assert { uint 16 mem (at (uint 2 reg rZ)'T2) = ?cf*pow2 128 + at (uint 16 mem (uint 2 reg rX))'T2 - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2 };
(*
check { uint 16 mem (at (uint 2 reg rZ)'S) = pow2 128*at(?cf)'T2 + at(uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed };
check { uint 16 mem (at (uint 2 reg rZ+16)'S) = pow2 128*(?cf) + at(uint 16 mem (uint 2 reg rX+16))'S - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2 };
check { uint 32 mem (at (uint 2 reg rZ)'S) =
uint 16 mem (at (uint 2 reg rZ)'S)
+ pow2 128*uint 16 mem (at (uint 2 reg rZ+16)'S)
= pow2 128*at(?cf)'T2 + at(uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed
+ pow2 128*(pow2 128*(?cf) + at(uint 16 mem (uint 2 reg rX+16))'S - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2)
= at(uint 32 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed
+ pow2 256*(?cf) - 0x7fffffffffffffffffffffffffffffff*pow2 128
= pow2 256*(?cf) + at(uint 32 mem (uint 2 reg rX))'S - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed };
check { uint 32 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 256 + at (uint 32 mem (uint 2 reg rX))'S - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed };
*)
()
let test4 ()
requires { 32 <= uint 2 reg rX < pow2 15-1 }
requires { 32 <= uint 2 reg rZ < pow2 15-1 }
requires { uint 2 reg rZ <= uint 2 reg rX \/ uint 2 reg rZ >= uint 2 reg rX+32 }
ensures { uint 32 mem (old (uint 2 reg rZ)) = ?cf*pow2 256 + old (uint 32 mem (uint 2 reg rX)) - p25519 }
=
'S:
S.init();
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + at(uint 8 mem (uint 2 reg rX))'S - 0xffffffffffffffed }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ensures { reg[21] = 0xff }
ldi r21 0xed;
ld_inc r20 rX;
sub r20 r21;
st_inc rZ r20;
ldi r21 0xff;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
'T:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + at(uint 8 mem (uint 2 reg rX+8))'S - 0xffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
assert { uint 8 mem (at (uint 2 reg rZ)'T) = ?cf*pow2 64 + at(uint 8 mem (uint 2 reg rX))'T - 0xffffffffffffffff - at ?cf 'T }
end;
assert { eq 16 mem (at mem 'S) (uint 2 reg rX) };
assert { uint 16 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 128 + at (uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed };
'T2:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + at(uint 8 mem (uint 2 reg rX+16))'S - 0xffffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
check { uint 24 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 192 + at (uint 24 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffffffffffffffffffed };
'T3:
abstract ensures { S.synchronized S.shadow reg }
ensures { uint 8 mem (old (uint 2 reg rZ)) = ?cf*pow2 64 + at(uint 8 mem (uint 2 reg rX+24))'S - 0x7fffffffffffffff - old ?cf }
ensures { uint 2 reg rX = old(uint 2 reg rX+8) }
ensures { uint 2 reg rZ = old(uint 2 reg rZ+8) }
ensures { forall i. mem[i] <> (old mem)[i] -> old(uint 2 reg rZ) <= i < old(uint 2 reg rZ+8) }
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ld_inc r20 rX; sbc r20 r21; st_inc rZ r20;
ldi r21 0x7f;
ld_inc r20 rX;
sbc r20 r21;
st_inc rZ r20;
S.modify_r21();
S.modify_r20(); S.modify_r26(); S.modify_r27(); S.modify_r30(); S.modify_r31();
end;
(*
check { eq 16 mem (at mem 'T2) (at (uint 2 reg rZ)'S) };
*)
assert { uint 16 mem (at (uint 2 reg rZ)'T2) = ?cf*pow2 128 + at (uint 16 mem (uint 2 reg rX))'T2 - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2 };
(*
check { uint 16 mem (at (uint 2 reg rZ)'S) = pow2 128*at(?cf)'T2 + at(uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed };
check { uint 16 mem (at (uint 2 reg rZ+16)'S) = pow2 128*(?cf) + at(uint 16 mem (uint 2 reg rX+16))'S - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2 };
check { uint 32 mem (at (uint 2 reg rZ)'S) =
uint 16 mem (at (uint 2 reg rZ)'S)
+ pow2 128*uint 16 mem (at (uint 2 reg rZ+16)'S)
= pow2 128*at(?cf)'T2 + at(uint 16 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed
+ pow2 128*(pow2 128*(?cf) + at(uint 16 mem (uint 2 reg rX+16))'S - 0x7fffffffffffffffffffffffffffffff - at(?cf)'T2)
= at(uint 32 mem (uint 2 reg rX))'S - 0xffffffffffffffffffffffffffffffed
+ pow2 256*(?cf) - 0x7fffffffffffffffffffffffffffffff*pow2 128
= pow2 256*(?cf) + at(uint 32 mem (uint 2 reg rX))'S - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed };
check { uint 32 mem (at (uint 2 reg rZ)'S) = ?cf*pow2 256 + at (uint 32 mem (uint 2 reg rX))'S - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed };
*)
()
end
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
"http://why3.lri.fr/why3session.dtd">
<why3session shape_version="4">
<prover id="0" name="CVC3" version="2.4.1" timelimit="300" steplimit="0" memlimit="2000"/>
<prover id="1" name="CVC4" version="1.4" alternative="noBV" timelimit="300" steplimit="0" memlimit="2000"/>
<prover id="2" name="CVC4" version="1.4" timelimit="130" steplimit="0" memlimit="2000"/>
<file name="../bigint_subp.mlw" expanded="true">
<theory name="BV_asr_Lemmas" sum="e8cfd36209084e7ef4bcdd056be94bf7" expanded="true">
<goal name="asr_0" expl="" expanded="true">
</goal>
<goal name="asr_1" expl="" expanded="true">
</goal>
<goal name="asr_f" expl="" expanded="true">
</goal>
<goal name="lsr_0" expl="" expanded="true">
</goal>
<goal name="lsr_1" expl="" expanded="true">
</goal>
<goal name="xor_0" expl="" expanded="true">
</goal>
<goal name="xor_1" expl="" expanded="true">
</goal>
<goal name="or_0" expl="" expanded="true">
</goal>
<goal name="pow2_72" expl="" expanded="true">
</goal>
<goal name="pow2_80" expl="" expanded="true">
</goal>
<goal name="pow2_88" expl="" expanded="true">
</goal>
<goal name="pow2_96" expl="" expanded="true">
</goal>
<goal name="pow2_104" expl="" expanded="true">
</goal>
<goal name="pow2_112" expl="" expanded="true">
</goal>
<goal name="pow2_120" expl="" expanded="true">
</goal>
<goal name="pow2_128" expl="" expanded="true">
</goal>
<goal name="pow2_136" expl="" expanded="true">
</goal>
<goal name="pow2_144" expl="" expanded="true">
</goal>
<goal name="pow2_152" expl="" expanded="true">
</goal>
<goal name="pow2_160" expl="" expanded="true">
</goal>
<goal name="pow2_168" expl="" expanded="true">
</goal>
<goal name="pow2_176" expl="" expanded="true">
</goal>
<goal name="pow2_184" expl="" expanded="true">
</goal>
<goal name="pow2_192" expl="" expanded="true">
</goal>
<goal name="pow2_200" expl="" expanded="true">
</goal>
<goal name="pow2_208" expl="" expanded="true">
</goal>
<goal name="pow2_216" expl="" expanded="true">
</goal>
<goal name="pow2_224" expl="" expanded="true">
</goal>
<goal name="pow2_232" expl="" expanded="true">
</goal>
<goal name="pow2_240" expl="" expanded="true">
</goal>
<goal name="pow2_248" expl="" expanded="true">
</goal>
<goal name="pow2_256" expl="" expanded="true">
</goal>
</theory>
<theory name="AvrModelLemmas" sum="84c2740c682dbec30eb04b8ce55086ee" expanded="true">
<goal name="register_file_invariant_strengthen" expl="" expanded="true">
</goal>
<goal name="pow_split" expl="" expanded="true">
</goal>
</theory>
<theory name="AVRcode" sum="e8d7e64cde0b93f7f1cba4ea1261adde" expanded="true">
<goal name="mul_bound_preserve" expl="" expanded="true">
</goal>
<goal name="WP_parameter test" expl="VC for test">
<transf name="split_goal_wp">
<goal name="WP_parameter test.1" expl="precondition">
<transf name="compute_in_goal">
</transf>
</goal>
<goal name="WP_parameter test.2" expl="precondition">
<transf name="compute_in_goal">
<goal name="WP_parameter test.2.1" expl="precondition">
<proof prover="0" timelimit="13" obsolete="true"><result status="valid" time="0.47"/></proof>
</goal>
</transf>
</goal>
<goal name="WP_parameter test.3" expl="precondition">
<transf name="compute_in_goal">
<goal name="WP_parameter test.3.1" expl="precondition">
<proof prover="0" timelimit="13" obsolete="true"><result status="valid" time="0.26"/></proof>
</goal>
</transf>