├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md └── bpf.v /.gitignore: -------------------------------------------------------------------------------- 1 | # Editor backup files 2 | *~ 3 | \#* 4 | .\#* 5 | .*.swp 6 | 7 | # Coq 8 | *.glob 9 | *.vo 10 | 11 | # Python 12 | *.pyc 13 | 14 | 15 | # Local Variables: 16 | # mode: conf 17 | # End: 18 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to Contribute 2 | 3 | We'd love to accept your patches and contributions to this project. There are 4 | just a few small guidelines you need to follow. 5 | 6 | ## Contributor License Agreement 7 | 8 | Contributions to this project must be accompanied by a Contributor License 9 | Agreement. You (or your employer) retain the copyright to your contribution; 10 | this simply gives us permission to use and redistribute your contributions as 11 | part of the project. Head over to to see 12 | your current agreements on file or to sign a new one. 13 | 14 | You generally only need to submit a CLA once, so if you've already submitted one 15 | (even if it was for a different project), you probably don't need to do it 16 | again. 17 | 18 | ## Code reviews 19 | 20 | All submissions, including submissions by project members, require review. We 21 | use GitHub pull requests for this purpose. Consult 22 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more 23 | information on using pull requests. 24 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 
9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. 
For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# Coq BPF interpreter

This is an interpreter for classic BPF (cBPF: the 32-bit A/X-register packet-filter
instruction set) written in the Coq proof assistant. It also has tactic machinery to
construct proven-equivalent Gallina programs for BPF programs.

Caveat: the fixed-width word arithmetic in `bpf.v` (`word_Z`) currently discharges its
range-invariant proof obligations with an `Admitted` assumption, so equivalence results
obtained with this machinery are not yet axiom-free.

This is not an official Google product.
-------------------------------------------------------------------------------- /bpf.v: --------------------------------------------------------------------------------
(* Copyright 2017 Google LLC

Licensed under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of the
License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied.
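See the License for the
specific language governing permissions and limitations under the License. *)

Set Primitive Projections.
Set Printing Projections.
Unset Printing Primitive Projection Parameters.

Require Import Coq.Init.Peano.
Require Import Coq.Lists.List.
Require Coq.ZArith.Zdiv.

(* [set_nth ls n x] replaces the [n]-th element of [ls] with [x].  An
   out-of-range [n] leaves the list unchanged: the list never grows and nothing
   fails.  The BPF scratch memory below relies on this so that [BPF_ST]/[BPF_STX]
   with [k >= BPF_MEMWORDS] is a silent no-op instead of an out-of-bounds write. *)
Fixpoint set_nth {T} (ls : list T) (n : nat) (x : T) {struct n} : list T :=
  match ls with
  | nil => nil
  | x'::ls' =>
    match n with
    | O => x::ls'
    | S n' => x' :: set_nth ls' n' x
    end
  end.

Module word.
  (* Abstract interface of a fixed-width unsigned word.  [word_Z] below is the
     only instance in this file; the interpreter is written against this record
     so the bit width is not baked into [execute_instruction]. *)
  Record word :=
    {
      T :> Type;
      zero : T;

      eqb : T -> T -> bool;
      geb : T -> T -> bool;
      gtb : T -> T -> bool;

      lor : T -> T -> T;
      land : T -> T -> T;
      shiftl : T -> T -> T;
      shiftr : T -> T -> T;

      add : T -> T -> T;
      sub : T -> T -> T;
      opp : T -> T;
      mul : T -> T -> T;
      div : T -> T -> T;

      to_nat : T -> nat;
      of_nat : nat -> T;
    }.
End word.

Module word_Z.
  Section word_Z.
    Import BinInt Zdiv Logic. Local Open Scope Z_scope.
    Context {n : Z}.
    (* An [n]-bit unsigned word: an integer together with evidence that it is
       already reduced modulo [2^n], i.e. [0 <= z < 2^n]. *)
    Let T := { z : Z | z mod (2^n) = z }.
    Let zero : T. refine (exist _ 0 _). apply Zmod_0_l. Defined.

    (* Comparisons are unsigned, on the underlying integer. *)
    Let eqb (x y : T) : bool := Z.eqb (proj1_sig x) (proj1_sig y).
    Let geb (x y : T) : bool := Z.geb (proj1_sig x) (proj1_sig y).
    Let gtb (x y : T) : bool := Z.gtb (proj1_sig x) (proj1_sig y).

    (* SOUNDNESS NOTE(review): [admit] is an assumed inhabitant of every type,
       i.e. an assumption equivalent to [False].  Everything built with it is
       only *computationally* meaningful: a theorem whose proof unfolds these
       operations is not axiom-free, so the proven-equivalent claim in
       README.md has to be read with that caveat until the obligation below is
       discharged.  With [of_Z] as the single constructor there is exactly one
       obligation left,
         Z.land x (Z.ones n) mod 2^n = Z.land x (Z.ones n),
       which follows from [Z.land_ones] and [Z.mod_mod] once a hypothesis
       [0 <= n] is available in context -- TODO add it and prove it. *)
    Let admit : forall {T}, T. Admitted.

    (* [of_Z] is the one place a word is built from an arbitrary integer: it
       reduces modulo [2^n] with a mask.  [Z.land] has two's-complement
       semantics on negative inputs, so negative intermediate results (from
       [sub]/[opp]) wrap exactly like unsigned machine arithmetic. *)
    Let of_Z (x : Z) : T := exist _ (Z.land x (Z.ones n)) admit.

    Let lor (x y : T) : T := of_Z (Z.lor (proj1_sig x) (proj1_sig y)).
    Let land (x y : T) : T := of_Z (Z.land (proj1_sig x) (proj1_sig y)).
    (* Shift amounts are clamped to the word width: for [y >= n] the reduced
       result is 0 either way, and the clamp keeps [Z.shiftl]/[Z.shiftr] from
       iterating an attacker-chosen number of times (a BPF shift count can be
       any 32-bit value, and the kernel only rejects oversized immediates). *)
    Let shiftl (x y : T) : T := of_Z (Z.shiftl (proj1_sig x) (Z.min (proj1_sig y) n)).
    Let shiftr (x y : T) : T := of_Z (Z.shiftr (proj1_sig x) (Z.min (proj1_sig y) n)).

    (* Arithmetic wraps modulo [2^n].  Previously the raw [Z] result was kept,
       so [add]/[sub]/[mul]/[opp] could yield values outside the claimed range
       (negative, or >= 2^n) and unsigned comparisons after an overflow did not
       agree with 32-bit BPF semantics; the bogus range proof was hidden by
       [admit]. *)
    Let add (x y : T) : T := of_Z (Z.add (proj1_sig x) (proj1_sig y)).
    Let sub (x y : T) : T := of_Z (Z.sub (proj1_sig x) (proj1_sig y)).
    Let opp (x : T) : T := of_Z (Z.opp (proj1_sig x)).
    Let mul (x y : T) : T := of_Z (Z.mul (proj1_sig x) (proj1_sig y)).
    (* Coq defines [Z.div _ 0 = 0]; callers that need BPF's division-by-zero
       behaviour must test the divisor themselves (see [execute_instruction]). *)
    Let div (x y : T) : T := of_Z (Z.div (proj1_sig x) (proj1_sig y)).

    Let to_nat (x : T) : nat := Z.to_nat (proj1_sig x).
    Let of_nat (x : nat) : T := of_Z (Z.of_nat x).

    Definition word :=
      {|
        word.T := T;
        word.zero := zero;

        word.eqb := eqb;
        word.geb := geb;
        word.gtb := gtb;

        word.lor := lor;
        word.land := land;
        word.shiftl := shiftl;
        word.shiftr := shiftr;

        word.add := add;
        word.sub := sub;
        word.opp := opp;
        word.mul := mul;
        word.div := div;

        word.to_nat := to_nat;
        word.of_nat := of_nat
      |}.
  End word_Z.
  Arguments word : clear implicits.
End word_Z.

(* TODO: parametrize over uint* -- Coq crashes on printing execute_instruction outside section *)
Import word.
(* Concrete word sizes used by the instruction format and the machine state. *)
Definition uint8 := word_Z.word (BinInt.Z.of_nat 8).
Definition uint16 := word_Z.word (BinInt.Z.of_nat 16).
Definition uint32 := word_Z.word (BinInt.Z.of_nat 32).

(* One classic-BPF instruction: 16-bit opcode, 8-bit jump offsets taken when a
   conditional jump is true ([jt]) or false ([jf]), and a 32-bit immediate [k]. *)
Structure instruction :=
  {
    code : uint16;
    jt : uint8;
    jf : uint8;
    k : uint32
  }.

(* Machine state: accumulator [A], index register [X] and the scratch-memory
   words addressed by [BPF_ST]/[BPF_LD|BPF_MEM]. *)
Structure state :=
  {
    A : uint32;
    X : uint32;
    mem : list uint32;
  }.

(* Functional record update, one notation per field. *)
Notation "( s 'with' 'A' := a )" := ({|A := a; X := s.(X); mem := s.(mem)|}).
Notation "( s 'with' 'X' := x )" := ({|A := s.(A); X := x ; mem := s.(mem)|}).
Notation "( s 'with' 'mem' := m )" := ({|A := s.(A); X := s.(X); mem := m |}).

Local Open Scope nat_scope.
(*
 * The instruction encodings.
 * Each opcode is the bitwise OR of one value from each field below; the
 * quoted #define lines are the classic BPF header macros that extract the
 * field from [code].
 *)
(* instruction classes *)
(* #define BPF_CLASS(code) ((code) & 0x07) *)
Notation BPF_LD := (uint16.(of_nat) 0).
Notation BPF_LDX := (uint16.(of_nat) 1).
Notation BPF_ST := (uint16.(of_nat) 2).
Notation BPF_STX := (uint16.(of_nat) 3).
Notation BPF_ALU := (uint16.(of_nat) 4).
Notation BPF_JMP := (uint16.(of_nat) 5).
Notation BPF_RET := (uint16.(of_nat) 6).
Notation BPF_MISC:= (uint16.(of_nat) 7).

(* ld/ldx fields *)
(* #define BPF_SIZE(code) ((code) & 0x18) *)
Notation BPF_W := (uint16.(of_nat) (0*16+0)).
Notation BPF_H := (uint16.(of_nat) (0*16+8)).
Notation BPF_B := (uint16.(of_nat) (1*16+0)).
(* #define BPF_MODE(code) ((code) & 0xe0) *)
Notation BPF_IMM := (uint16.(of_nat) (0*16+0)).
Notation BPF_ABS := (uint16.(of_nat) (2*16+0)).
Notation BPF_IND := (uint16.(of_nat) (4*16+0)).
Notation BPF_MEM := (uint16.(of_nat) (6*16+0)).
Notation BPF_LEN := (uint16.(of_nat) (8*16+0)).
Notation BPF_MSH := (uint16.(of_nat) (10*16+0)).

(* alu/jmp fields *)
(* #define BPF_OP(code) ((code)& 0xf0) *)
Notation BPF_ADD := (uint16.(of_nat) (0*16+0)).
Notation BPF_SUB := (uint16.(of_nat) (1*16+0)).
Notation BPF_MUL := (uint16.(of_nat) (2*16+0)).
Notation BPF_DIV := (uint16.(of_nat) (3*16+0)).
Notation BPF_OR := (uint16.(of_nat) (4*16+0)).
Notation BPF_AND := (uint16.(of_nat) (5*16+0)).
Notation BPF_LSH := (uint16.(of_nat) (6*16+0)).
Notation BPF_RSH := (uint16.(of_nat) (7*16+0)).
Notation BPF_NEG := (uint16.(of_nat) (8*16+0)).
Notation BPF_JA := (uint16.(of_nat) (0*16+0)).
Notation BPF_JEQ := (uint16.(of_nat) (1*16+0)).
Notation BPF_JGT := (uint16.(of_nat) (2*16+0)).
Notation BPF_JGE := (uint16.(of_nat) (3*16+0)).
Notation BPF_JSET:= (uint16.(of_nat) (4*16+0)).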
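(* #define BPF_SRC(code) ((code) & 0x08) *)
Notation BPF_K := (uint16.(of_nat) 0).
Notation BPF_X := (uint16.(of_nat) 8).

(* ret - BPF_K and BPF_X also apply *)
(* #define BPF_RVAL(code)((code) & 0x18) *)
Notation BPF_A := (uint16.(of_nat) (1*16+0)).

(* misc *)
(* #define BPF_MISCOP(code) ((code) & 0xf8) *)
Notation BPF_TAX := (uint16.(of_nat) (0*16+0)).
Notation BPF_TXA := (uint16.(of_nat) (8*16+0)).

(* Number of 32-bit scratch words reachable through [BPF_ST]/[BPF_LD|BPF_MEM]. *)
Notation BPF_MEMWORDS := 16.

(* "|" is already used for pattern-matching *)
Infix ".|" := (lor _) (at level 50) : nat_scope.
Infix ".&" := (land _) (at level 50) : nat_scope.
Infix "==" := (eqb _) (at level 70, no associativity) : nat_scope.


Section with_loaders.
  (* The packet loaders are the trust boundary of this interpreter.  They are
     handed an attacker-controlled 32-bit offset (the immediate [k], or
     [X + k] for indirect loads) and must answer [None] for anything they
     cannot safely read; [None] terminates the program with result 0, which
     for a packet filter means drop.  [wirelen] is the value returned by the
     [BPF_LEN] loads. *)
  Context (wirelen : uint32).
  Context (ldb : uint32 -> option uint32).
  Context (ldh : uint32 -> option uint32).
  Context (ldw : uint32 -> option uint32).

  (* BPF interpreter, in continuation-passing style to make partial evaluation work nicely.
     Executes the single instruction [i] in state [s] and hands control to one of
       - [done r]  : the program terminates with result [r];
       - [step s'] : continue with the next instruction in state [s'];
       - [jump n]  : skip the next [n] instructions (jumps are forward only).
     Every malformed situation -- unknown opcode, failed load, division by
     zero -- fails closed through [done zero].  The kernel checker refuses to
     load such programs; here they merely drop the packet.  Note that there is
     no [BPF_MOD]/[BPF_XOR] case, so a program using them also falls through
     to the final [done zero]. *)
  Definition execute_instruction {R} (i:instruction) (s:state) (done:uint32->R) (step:state->R) (jump:nat->R) : R :=
    let nz32 x := negb (uint32.(eqb) uint32.(zero) x) in
    let jump8 x := jump (uint8.(to_nat) x) in
    let jump32 x := jump (uint32.(to_nat) x) in
    if i.(code) == (BPF_RET.|BPF_K) then done i.(k)
    else if i.(code) == (BPF_RET.|BPF_A) then done s.(A)
    (* absolute loads: the offset is the immediate [k] *)
    else if i.(code) == (BPF_LD.|BPF_W.|BPF_ABS) then
      match ldw i.(k) with None => done uint32.(zero) | Some w => step (s with A := w) end
    else if i.(code) == (BPF_LD.|BPF_H.|BPF_ABS) then
      match ldh i.(k) with None => done uint32.(zero) | Some w => step (s with A := w) end
    else if i.(code) == (BPF_LD.|BPF_B.|BPF_ABS) then
      match ldb i.(k) with None => done uint32.(zero) | Some w => step (s with A := w) end
    else if i.(code) == (BPF_LD.|BPF_W.|BPF_LEN) then step (s with A := wirelen)
    else if i.(code) == (BPF_LDX.|BPF_W.|BPF_LEN) then step (s with X := wirelen)
    (* indirect loads: offset is [X + k], computed in 32-bit wrapping arithmetic;
       the loader still decides whether the wrapped offset is readable *)
    else if i.(code) == (BPF_LD.|BPF_W.|BPF_IND) then
      let k := uint32.(add) s.(X) i.(k) in
      match ldw k with None => done uint32.(zero) | Some w => step (s with A := w) end
    else if i.(code) == (BPF_LD.|BPF_H.|BPF_IND) then
      let k := uint32.(add) s.(X) i.(k) in
      match ldh k with None => done uint32.(zero) | Some w => step (s with A := w) end
    else if i.(code) == (BPF_LD.|BPF_B.|BPF_IND) then
      let k := uint32.(add) s.(X) i.(k) in
      match ldb k with None => done uint32.(zero) | Some w => step (s with A := w) end
    (* X := (byte at k & 0xf) << 2, the usual IPv4 header-length idiom *)
    else if i.(code) == (BPF_LDX.|BPF_MSH.|BPF_B) then
      match ldb i.(k) with
      | None => done uint32.(zero)
      | Some X =>
        let X := uint32.(land) X (uint32.(of_nat) 15) in
        let X := uint32.(shiftl) X (uint32.(of_nat) 2) in
        step (s with X := X)
      end
    else if i.(code) == (BPF_LD.|BPF_IMM) then step (s with A := i.(k))
    else if i.(code) == (BPF_LDX.|BPF_IMM) then step (s with X := i.(k))
    (* scratch memory: an index >= BPF_MEMWORDS reads 0 / stores nothing
       ([nth_default] and [set_nth] are total), so no out-of-bounds access is
       possible even for programs the kernel checker would reject *)
    else if i.(code) == (BPF_LD.|BPF_MEM) then step (s with A := List.nth_default uint32.(zero) s.(mem) (uint32.(to_nat) i.(k)))
    else if i.(code) == (BPF_LDX.|BPF_MEM) then step (s with X := List.nth_default uint32.(zero) s.(mem) (uint32.(to_nat) i.(k)))
    else if i.(code) == (BPF_ST ) then step (s with mem := (set_nth s.(mem) (uint32.(to_nat) i.(k)) s.(A)))
    else if i.(code) == (BPF_STX) then step (s with mem := (set_nth s.(mem) (uint32.(to_nat) i.(k)) s.(X)))
    (* NOTE(review): an unconditional jump converts a 32-bit [k] into a unary
       [nat]; a validator should bound jump targets by the program length
       before execution, as the kernel does, or a hostile [k] makes this
       conversion impractically large. *)
    else if i.(code) == (BPF_JMP.|BPF_JA) then jump32 i.(k)
    (* conditional jumps: unsigned compare of A against k or X, then skip jt/jf *)
    else if i.(code) == (BPF_JMP.|BPF_JGT.|BPF_K) then (if uint32.(gtb) s.(A) i.(k) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JGE.|BPF_K) then (if uint32.(geb) s.(A) i.(k) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JEQ.|BPF_K) then (if uint32.(eqb) s.(A) i.(k) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JSET.|BPF_K) then (if nz32(s.(A) .& i.(k)) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JGT.|BPF_X) then (if uint32.(gtb) s.(A) s.(X) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JGE.|BPF_X) then (if uint32.(geb) s.(A) s.(X) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JEQ.|BPF_X) then (if (s.(A) == s.(X)) then jump8 i.(jt) else jump8 i.(jf))
    else if i.(code) == (BPF_JMP.|BPF_JSET.|BPF_X) then (if nz32(s.(A) .& s.(X)) then jump8 i.(jt) else jump8 i.(jf))
    (* ALU, register operand *)
    else if i.(code) == (BPF_ALU.|BPF_ADD.|BPF_X) then step (s with A := uint32.(add) s.(A) s.(X))
    else if i.(code) == (BPF_ALU.|BPF_SUB.|BPF_X) then step (s with A := uint32.(sub) s.(A) s.(X))
    else if i.(code) == (BPF_ALU.|BPF_MUL.|BPF_X) then step (s with A := uint32.(mul) s.(A) s.(X))
    (* division by zero terminates with 0, as the kernel's runtime does for X *)
    else if i.(code) == (BPF_ALU.|BPF_DIV.|BPF_X) then
      if s.(X) == uint32.(zero) then done uint32.(zero) else step (s with A := uint32.(div) s.(A) s.(X))
    else if i.(code) == (BPF_ALU.|BPF_AND.|BPF_X) then step (s with A := uint32.(land) s.(A) s.(X))
    else if i.(code) == (BPF_ALU.|BPF_OR .|BPF_X) then step (s with A := uint32.(lor) s.(A) s.(X))
    else if i.(code) == (BPF_ALU.|BPF_LSH.|BPF_X) then step (s with A := uint32.(shiftl) s.(A) s.(X))
    else if i.(code) == (BPF_ALU.|BPF_RSH.|BPF_X) then step (s with A := uint32.(shiftr) s.(A) s.(X))
    (* ALU, immediate operand *)
    else if i.(code) == (BPF_ALU.|BPF_ADD.|BPF_K) then step (s with A := uint32.(add) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_SUB.|BPF_K) then step (s with A := uint32.(sub) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_MUL.|BPF_K) then step (s with A := uint32.(mul) s.(A) i.(k))
    (* Mirrors the [BPF_X] case above.  The kernel refuses to load a program
       whose [DIV|K] has [k = 0]; rather than silently continuing with Coq's
       [Z.div _ 0 = 0] we fail closed, consistent with every other invalid
       situation in this function. *)
    else if i.(code) == (BPF_ALU.|BPF_DIV.|BPF_K) then
      if i.(k) == uint32.(zero) then done uint32.(zero) else step (s with A := uint32.(div) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_AND.|BPF_K) then step (s with A := uint32.(land) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_OR .|BPF_K) then step (s with A := uint32.(lor) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_LSH.|BPF_K) then step (s with A := uint32.(shiftl) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_RSH.|BPF_K) then step (s with A := uint32.(shiftr) s.(A) i.(k))
    else if i.(code) == (BPF_ALU.|BPF_NEG) then step (s with A := uint32.(opp) s.(A))
    else if i.(code) == (BPF_MISC.|BPF_TAX) then step (s with X := s.(A))
    else if i.(code) == (BPF_MISC.|BPF_TXA) then step (s with A := s.(X))
    (* unknown opcode: fail closed *)
    else done uint32.(zero).

  (* Runs [instrs] from state [s], first skipping [skip] instructions -- this
     is how forward jumps are realised.  The recursion is structural on the
     instruction list, so every program terminates: there is no way to jump
     backwards (classic BPF only has forward jumps), hence a hostile filter
     cannot loop the interpreter.
     Running off the end -- a program without a final [RET], or a jump past
     the last instruction -- yields 0.  The kernel checker rejects such
     programs before they run (last instruction must be a return, jump targets
     must stay inside the program); returning 0 here is the fail-closed
     choice, not an accepted-program semantics. *)
  Fixpoint execute' {R} (instrs : list instruction) (s : state) (skip : nat) (ret : uint32 -> R) {struct instrs} : R :=
    match instrs with
    | nil => ret uint32.(zero)
    | i::instrs' =>
      match skip with
      | O =>
        execute_instruction i s
          (fun r => ret r)
          (fun s' => execute' instrs' s' 0 ret)
          (fun n => execute' instrs' s n ret)
      | S skip' =>
        execute' instrs' s skip' ret
      end
    end.

  (* Entry point: run [instrs] on a zeroed machine ([A = X = 0] and
     [BPF_MEMWORDS] zero scratch words) and return its 32-bit result.  For a
     packet filter the result is conventionally the number of bytes to keep,
     with 0 meaning drop.  Zeroed scratch memory means a load from a
     never-written word reads 0 rather than anything undefined. *)
  Definition execute instrs :=
    execute'
      instrs
      {| A := uint32.(zero); X := uint32.(zero); mem := List.repeat uint32.(zero) BPF_MEMWORDS |}
      0 id.
End with_loaders.

(* A loader that can read nothing: every packet access fails closed. *)
Notation constNone := (fun _ => None).

Import ListNotations BinInt. Local Open Scope Z_scope.
(* Literal words: the [eq_refl] proof forces the literal to already be in range. *)
Local Notation u8 x := (exist _ x%Z eq_refl).
Local Notation u16 x := (exist _ x%Z eq_refl).
Local Notation u32 x := (exist _ x%Z eq_refl).
Section bpfcode.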
(* Example filter program in raw classic-BPF encoding (code, jt, jf, k).
   Decoding the opcodes with the notations above: instructions 0 and 5 are
   LD|B|ABS / LD|H|ABS at offsets 0xfffff004 and 0xfffff000 -- presumably the
   Linux ancillary-data (negative offset) convention, which the loaders handed
   to [execute] must implement explicitly, otherwise both loads fail and the
   program returns 0.  Instruction 3 loads the wire length and instruction 4
   drops anything longer than 2048; instructions 6/7 dispatch on a halfword
   equal to 34525 (0x86dd) or 2048 (0x0800), which looks like an EtherType
   IPv4/IPv6 split; each branch then compares a protocol byte with 17 and a
   halfword with 443 (presumably UDP port 443), returning 65535 on match.
   Every other path ends at the final RET 0.  NOTE(review): verify this
   against the filter expression it was generated from before relying on it. *)
Definition bpfcode := [
  Build_instruction (u16 48) (u8 0) (u8 0) (u32 4294963204) ;
  Build_instruction (u16 21) (u8 22) (u8 0) (u32 4) ;
  Build_instruction (u16 21) (u8 21) (u8 0) (u32 3) ;
  Build_instruction (u16 128) (u8 0) (u8 0) (u32 0) ;
  Build_instruction (u16 37) (u8 19) (u8 0) (u32 2048) ;
  Build_instruction (u16 40) (u8 0) (u8 0) (u32 4294963200) ;
  Build_instruction (u16 21) (u8 12) (u8 0) (u32 34525) ;
  Build_instruction (u16 21) (u8 1) (u8 0) (u32 2048) ;
  Build_instruction (u16 5) (u8 0) (u8 0) (u32 15) ;
  Build_instruction (u16 48) (u8 0) (u8 0) (u32 9) ;
  Build_instruction (u16 21) (u8 0) (u8 13) (u32 17) ;
  Build_instruction (u16 40) (u8 0) (u8 0) (u32 6) ;
  Build_instruction (u16 69) (u8 11) (u8 0) (u32 8191) ;
  Build_instruction (u16 177) (u8 0) (u8 0) (u32 0) ;
  Build_instruction (u16 135) (u8 0) (u8 0) (u32 0) ;
  Build_instruction (u16 53) (u8 0) (u8 8) (u32 20) ;
  Build_instruction (u16 72) (u8 0) (u8 0) (u32 2) ;
  Build_instruction (u16 21) (u8 0) (u8 6) (u32 443) ;
  Build_instruction (u16 6) (u8 0) (u8 0) (u32 65535) ;
  Build_instruction (u16 48) (u8 0) (u8 0) (u32 6) ;
  Build_instruction (u16 21) (u8 0) (u8 3) (u32 17) ;
  Build_instruction (u16 40) (u8 0) (u8 0) (u32 42) ;
  Build_instruction (u16 21) (u8 0) (u8 1) (u32 443) ;
  Build_instruction (u16 6) (u8 0) (u8 0) (u32 65535) ;
  Build_instruction (u16 6) (u8 0) (u8 0) (u32 0)
].
End bpfcode.

(* Display notation for an [option] match (the [None] branch is elided);
   not used by anything in this file. *)
Local Notation "A <- X ; B"
  := (match X with
      | Some A => B
      | None => _
      end)
  (at level 70, right associativity, format "'[v' A <- X ; '/' B ']'").

(* flags for partial evaluation machinery *)

(* [!_] asks [cbn] to unfold these only once the marked arguments are
   constructors, so symbolic packet bytes stay as opaque [Z.lor]/[Z.land]/...
   applications instead of being unfolded into their definitions. *)
Local Arguments Pos.to_nat !_.
Local Arguments Z.eqb !_ !_.
Local Arguments Z.geb !_ !_.
Local Arguments Z.gtb !_ !_.
Local Arguments Z.lor !_ !_.
Local Arguments Z.land !_ !_.
Local Arguments Z.shiftr !_ !_.
Local Arguments Z.shiftl !_ !_.
Local Arguments Z.add !_ !_.
Local Arguments Z.sub !_ !_.
Local Arguments Z.opp !_.
Local Arguments Z.mul !_ !_.
Local Arguments Z.div !_ !_.

(* C-style spelling of the residual term, for reading the [cbn] output. *)
Local Infix ".|" := Z.lor (at level 50) : Z_scope.
Local Infix ".&" := Z.land (at level 50) : Z_scope.
Local Infix "<<" := Z.shiftl (at level 50) : Z_scope.
Local Infix ">>" := Z.shiftr (at level 50) : Z_scope.

(* Print the 32-bit subset type and its constructor as a C cast; the proof
   component is elided.  These notations are for display only. *)
Local Notation "'uint32_t'" := ({z : Z | z mod 4294967296 = z}) : type_scope.
Local Notation "'(uint32_t)' x" := (exist (fun z : Z => z mod 4294967296 = z) x _) (at level 10).
Local Notation "0" := (exist (fun z : Z => z mod 4294967296 = z) 0 _).
Local Notation "'(ℤ)'" := proj1_sig.

(* Example of partial evaluation of bpf code to if statements *)

(* Runs [execute] on [bpfcode] with symbolic loaders and lets [cbn] reduce the
   interpreter away, leaving a decision tree over the loaded bytes.  Nothing is
   proved here ([Abort]); this only demonstrates and times the reduction. *)
Goal forall P len ldb ldh ldw (xs:list instruction), P (execute len (fun x => ldb (proj1_sig x)) (fun x => ldh (proj1_sig x)) (fun x => ldw (proj1_sig x)) bpfcode).
  intros.
  Time cbn.
Abort.