<feed xmlns='http://www.w3.org/2005/Atom'>
<title>coq/kernel/byterun, branch master</title>
<subtitle>The formal proof system</subtitle>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/'/>
<entry>
<title>[dune] Rename byterun to coqrun</title>
<updated>2021-03-31T17:05:49+00:00</updated>
<author>
<name>Emilio Jesus Gallego Arias</name>
</author>
<published>2021-03-31T17:02:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=3bd703714dff733fbfcdfcae591b85bdac6f4b2a'/>
<id>3bd703714dff733fbfcdfcae591b85bdac6f4b2a</id>
<content type='text'>
This seems the official name, the byterun name is just an artifact
from the very preliminary dune build.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This seems the official name, the byterun name is just an artifact
from the very preliminary dune build.
</pre>
</div>
</content>
</entry>
<entry>
<title>Set the lsb of return addresses on the bytecode interpreter stack.</title>
<updated>2021-03-13T22:02:59+00:00</updated>
<author>
<name>Guillaume Melquiond</name>
</author>
<published>2021-03-13T16:57:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=cfcbc967a11fc534e2d9df8e2ca47a5ff305b0b6'/>
<id>cfcbc967a11fc534e2d9df8e2ca47a5ff305b0b6</id>
<content type='text'>
This makes it possible to skip the check when scanning the stack for the
garbage collector.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This makes it possible to skip the check when scanning the stack for the
garbage collector.
</pre>
</div>
</content>
</entry>
<entry>
<title>[build] Split stdlib to its own opam package.</title>
<updated>2021-03-03T15:06:14+00:00</updated>
<author>
<name>Emilio Jesus Gallego Arias</name>
</author>
<published>2020-06-22T15:52:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=ab98d847d237af3cd0e46edef42218be65cfc98f'/>
<id>ab98d847d237af3cd0e46edef42218be65cfc98f</id>
<content type='text'>
We introduce a new package structure for Coq:

- `coq-core`: Coq's OCaml tools code and plugins
- `coq-stdlib`: Coq's stdlib [.vo files]
- `coq`: meta-package that pulls `coq-{core,stdlib}`

This has several advantages, in particular it allows to install Coq
without the stdlib which is useful in several scenarios, it also opens
the door towards a versioning of the stdlib at the package level.

The main user-visible change is that Coq's ML development files now
live in `$lib/coq-core`, for compatibility in the regular build we
install a symlink and support both setups for a while.

Note that plugin developers and even `coq_makefile` should actually
rely on `ocamlfind` to locate Coq's OCaml libs as to be more robust.

There is a transient state where we actually look for both
`$coqlib/plugins` and `$coqlib/../coq-core/plugins` as to support
the non-ocamlfind plus custom variables.

This will be much improved once #13617 is merged (which requires this
PR first), then, we will introduce a `coq.boot` library so finally
`coqdep`, `coqchk`, etc... can share the same path setup code.

IMHO the plan should work fine.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We introduce a new package structure for Coq:

- `coq-core`: Coq's OCaml tools code and plugins
- `coq-stdlib`: Coq's stdlib [.vo files]
- `coq`: meta-package that pulls `coq-{core,stdlib}`

This has several advantages, in particular it allows to install Coq
without the stdlib which is useful in several scenarios, it also opens
the door towards a versioning of the stdlib at the package level.

The main user-visible change is that Coq's ML development files now
live in `$lib/coq-core`, for compatibility in the regular build we
install a symlink and support both setups for a while.

Note that plugin developers and even `coq_makefile` should actually
rely on `ocamlfind` to locate Coq's OCaml libs as to be more robust.

There is a transient state where we actually look for both
`$coqlib/plugins` and `$coqlib/../coq-core/plugins` as to support
the non-ocamlfind plus custom variables.

This will be much improved once #13617 is merged (which requires this
PR first), then, we will introduce a `coq.boot` library so finally
`coqdep`, `coqchk`, etc... can share the same path setup code.

IMHO the plan should work fine.
</pre>
</div>
</content>
</entry>
<entry>
<title>Signed primitive integers</title>
<updated>2021-02-26T13:32:41+00:00</updated>
<author>
<name>Ana</name>
</author>
<published>2020-12-01T08:52:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=4302a75d82b9ac983cd89dd01c742c36777d921b'/>
<id>4302a75d82b9ac983cd89dd01c742c36777d921b</id>
<content type='text'>
Signed primitive integers defined on top of the existing unsigned ones
with two's complement.

The module Sint63 includes the theory of signed primitive integers that
differs from the unsigned case.

Additions to the kernel:
  les (signed &lt;=), lts (signed &lt;), compares (signed compare),
  divs (signed division), rems (signed remainder),
  asr (arithmetic shift right)
(The s suffix is not used when importing the Sint63 module.)

The printing and parsing of primitive ints was updated and the
int63_syntax_plugin was removed (we use Number Notation instead).

A primitive int is parsed / printed as unsigned or signed depending on
the scope. In the default (Set Printing All) case, it is printed in
hexadecimal.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed primitive integers defined on top of the existing unsigned ones
with two's complement.

The module Sint63 includes the theory of signed primitive integers that
differs from the unsigned case.

Additions to the kernel:
  les (signed &lt;=), lts (signed &lt;), compares (signed compare),
  divs (signed division), rems (signed remainder),
  asr (arithmetic shift right)
(The s suffix is not used when importing the Sint63 module.)

The printing and parsing of primitive ints was updated and the
int63_syntax_plugin was removed (we use Number Notation instead).

A primitive int is parsed / printed as unsigned or signed depending on
the scope. In the default (Set Printing All) case, it is printed in
hexadecimal.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge PR #13676: Protect caml_process_pending_actions_exn with caml_something_to_do.</title>
<updated>2021-02-26T12:33:21+00:00</updated>
<author>
<name>Pierre-Marie Pédrot</name>
</author>
<published>2021-02-26T12:33:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=c7c155cbaf7516cef98c7a654ee9e0c25a23ab73'/>
<id>c7c155cbaf7516cef98c7a654ee9e0c25a23ab73</id>
<content type='text'>
Reviewed-by: gasche
Ack-by: ppedrot
Reviewed-by: xavierleroy
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reviewed-by: gasche
Ack-by: ppedrot
Reviewed-by: xavierleroy
</pre>
</div>
</content>
</entry>
<entry>
<title>Be less permissive with respect to nonsensical bytecode.</title>
<updated>2021-02-19T10:17:27+00:00</updated>
<author>
<name>Guillaume Melquiond</name>
</author>
<published>2021-02-17T11:13:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=d39a01caf4cbbc22cddbaa23234622b21412f058'/>
<id>d39a01caf4cbbc22cddbaa23234622b21412f058</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Make the generated file the official source of arity.</title>
<updated>2021-02-19T10:17:26+00:00</updated>
<author>
<name>Guillaume Melquiond</name>
</author>
<published>2021-02-17T11:12:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=ab94a2a5dbe142d972d65a33d977e8e9f8d52f01'/>
<id>ab94a2a5dbe142d972d65a33d977e8e9f8d52f01</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Add a file coq_arity.h generated by genOpcodeFiles.ml.</title>
<updated>2021-02-19T10:17:26+00:00</updated>
<author>
<name>Guillaume Melquiond</name>
</author>
<published>2021-02-17T11:09:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=c7bbe4729dc53ddf3a02a7ae3816ec3c146d452e'/>
<id>c7bbe4729dc53ddf3a02a7ae3816ec3c146d452e</id>
<content type='text'>
This avoids forgetting to add opcodes to coq_fix_code.c, and thus prevents
arities being mistakenly set to zero.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This avoids forgetting to add opcodes to coq_fix_code.c, and thus prevents
arities being mistakenly set to zero.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix missing arities of VM opcodes.</title>
<updated>2021-02-16T22:19:10+00:00</updated>
<author>
<name>Guillaume Melquiond</name>
</author>
<published>2021-02-16T22:19:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=70caa6eb02c69b30e5307db02bf5c81f1a2b84dc'/>
<id>70caa6eb02c69b30e5307db02bf5c81f1a2b84dc</id>
<content type='text'>
Since the compiler initializes the arities to zero, coq_tcode_of_code
wrongly believes that the word following a primitive operation contains
an opcode, while it is the global index of the primitive operation. So,
the function will try to translate it and thus corrupt it. But as long as
the evaluated term fully reduces (which is always the case for
CoqInterval), the corrupted word will never be read.

At this point, it all depends on the arity of the global index (seen as
an opcode). If it is zero, then coq_tcode_of_code will recover and
correctly translate the following opcodes. If it is nonzero, then the
function starts translating random words, possibly corrupting the memory
past the end of the translation buffer. Independently of this memory
corruption, coq_interprete will execute random code once it gets to the
opcode following the primitive operation, since it has not been
translated.

The reason CoqInterval is not always crashing due to this bug is just
plain luck. Indeed, the arity of the pseudo opcode only depends on the
global index of the primitive operations. So, as long as this arity is
zero, the memory corruption is fully contained. This happens in the vast
majority of cases, since coq_tcode_of_code translates any unrecognized
opcode to STOP, which has arity zero.

This bug is exploitable.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since the compiler initializes the arities to zero, coq_tcode_of_code
wrongly believes that the word following a primitive operation contains
an opcode, while it is the global index of the primitive operation. So,
the function will try to translate it and thus corrupt it. But as long as
the evaluated term fully reduces (which is always the case for
CoqInterval), the corrupted word will never be read.

At this point, it all depends on the arity of the global index (seen as
an opcode). If it is zero, then coq_tcode_of_code will recover and
correctly translate the following opcodes. If it is nonzero, then the
function starts translating random words, possibly corrupting the memory
past the end of the translation buffer. Independently of this memory
corruption, coq_interprete will execute random code once it gets to the
opcode following the primitive operation, since it has not been
translated.

The reason CoqInterval is not always crashing due to this bug is just
plain luck. Indeed, the arity of the pseudo opcode only depends on the
global index of the primitive operations. So, as long as this arity is
zero, the memory corruption is fully contained. This happens in the vast
majority of cases, since coq_tcode_of_code translates any unrecognized
opcode to STOP, which has arity zero.

This bug is exploitable.
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove MAKEPROD.</title>
<updated>2021-01-10T09:24:10+00:00</updated>
<author>
<name>Guillaume Melquiond</name>
</author>
<published>2020-12-27T13:55:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.0x7felf.com/coq/commit/?id=5820a964a5b380d82923be7905cdacd6fa6bd6c3'/>
<id>5820a964a5b380d82923be7905cdacd6fa6bd6c3</id>
<content type='text'>
MAKEPROD is just MAKEBLOCK2(0), but one word shorter. Since this opcode is
never encountered in the fast path, this optimization is not worth the
extra complexity.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
MAKEPROD is just MAKEBLOCK2(0), but one word shorter. Since this opcode is
never encountered in the fast path, this optimization is not worth the
extra complexity.
</pre>
</div>
</content>
</entry>
</feed>
