- pull base-level empty_fail lemmas from AInvs into Monads.Empty_Fail
- apply consistent naming
- apply consistent [intro!, wp]
- make all non-conditional lemmas [simp]
- re-add context building to empty_fail rules, because the select_*
rules may need context to solve their side condition
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factor out the bit0/bit1 setup for the vm_level type into its own file.
It doesn't really have anything to do with BCorres where it was before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The projection operators should be definitions so that they are stable
under simp and case splits. This enables later projection stacks to
use abbreviations that remain stable.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We initially wanted to move ucast_ucast_ppn to Kernel_Config_Lemmas.
This doesn't work, because ppn is only defined in Arch_Structs_A, but
it turns out that ppn_len is exactly the term `ipa_size - pageBits`
that the lemma needs, so instead of moving the lemma up, we make its
proof generic by providing the symbolic form of `ppn_len` instead.
This still unfolds Kernel_Config.config_ARM_PA_SIZE_BITS_40, but it
does so only trivially and directly where ppn_len is defined.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- make kheap crunch for do_machine_op generic
- make None_Some_strg available generically in LevityCatch
- move word lemmas up into Word_Lib
- move wp lemmas up into lib + minor lib cleanup
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- minor style/whitespace cleanup
- resolve all smaller AARCH64-local FIXMEs
- move AARCH64-local lemmas
- fix up proof fallout from move (gained some automation in the move)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- move proof methods spec and bspec to Eisbach_Methods
- move general lemmas to Lib
- move word lemmas to Word_Lemmas_Internal
- update proof style
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Implementations for machine ops returning a value should have a _val
postfix. This commit brings vcpuHardwareRegVal in line.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit automatically renames bit0.*/bit1.* lemmas (depending on
the value of vm_level) to vm_level.*
The idea is that vm_level.* can now generically refer to the right
instance, so that the same proof text works without change for both an
even and odd number of page table levels.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- define formally where 14 is coming from instead of trying to explain
in a comment,
- also remove unused parts of the lemma where it is used.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- switch off quick_and_dirty for AInvs session
- switch on quick_and_dirty for Refine session for development
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
For the proofs in ArchAInvsPre we require knowledge that the default
user-level tables do not map any user-space addresses. In hyp mode, the
default user-level table is completely empty, because the kernel has
its own separate table. We encode that empty table in the
`valid_global_tables` predicate analogously to the RISCV64 formulation.
We explicitly leave `valid_global_arch_objs` as a `typ_at` predicate,
because the proofs expect `valid_global_arch_objs` to be liftable.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Ensure in valid_pti that page table operations, in particular
unmap_page_table, are only called on NormalPTs. This means we can
remove the vspace_for_asid precondition in the associated lemmas.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
wp rules for most operators such as return, get, gets are named
return_wp, get_wp, etc. Then when, whenE, unless, unlessE operators had
an additional hoare_.. prefix that this commit removes for more
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
set_asid_pool_empty and delete_asid_empty_table_pt aren't used on
RISCV64 (despite being proved and declared [wp]). Hopefully these won't
be needed on AARCH64.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
On HYP platforms with projections it's sometimes useful to be able to
grab the `arch_valid_obj` formulation for specific arch types like page
tables before the simplifier breaks them apart for you.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
For AARCH64 showing that valid_vspace_objs is preserved over a retype
operation via the retype_region_proofs_invs locale, it is not sufficient
to only know valid_vspace_objs. Since this locale already assumes invs,
use invs, which implies the other requirements for AARCH64.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Using named constructor arguments added to the datatype package allows
removal of the old way of writing them out explicitly.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This commit weakens some assumptions in previous ArchAcc lemmas and
strengthens some requirements we make on later decode lemmas, hopefully
in a still provable way.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Generalise concept of proving word equality by splitting two words at
bit n and comparing the parts.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Clean up and consolidate further do_machine_op lemmas on AARCH64.
Includes enabling some crunches and lemmas that were blocked on
do_machine_op.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Clean up KHeap_AI. It turns out that almost all do_machine_op lemmas
proved here are crunchable, so move them all into one place.
This only proves lemmas originally already in KHeap_AI. It would likely
make sense to collect general do_machine_op lemmas from other places
in AInvs here as well.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
It was likely a mistake from the beginning to single out this machine
op for crunch ignore here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Includes some progress inside ArchVSpace_AI as well.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Introduce a locale similar to Arch_pspace_update_eq, but where also
`asid_table s` is preserved. This preserves most vspace predicates and
is much more widely applicable than the existing locale in the
hierarchy that demands all of `arch_state s` to be preserved.
Since this only makes sense for Arch functions, there is no generic
version of this locale and instantiation happens only in ArchBits_AI,
not in Invariants_AI.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- reduce assumptions of some of the no-loop helper lemmas
- factor out common reasoning for vs_lookup_table/pt_walk stitching
- close last sorry
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- includes cur_vcpu lemmas for set_asid_pool and store_pte that were
masked by the missing vmid_inv results.
- vmid_inv lemmas for the case where an entire asid pool entry is being
removed. In this case, the vmid entry will already have been reset.
- set_asid_pool unmap lemmas reformulated from map/set restriction to
single entry unmap, because the vmid lemmas don't make sense for sets.
The set version was only ever used for single entries anyway, so had
unnecessary generality.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The rule applies to anything that has `aobjs_of` in the abbreviation
stack, e.g. including asid_pools_of and vcpus_of, and is therefore too
eager for `[wp]`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The pattern `(ucast high << asid_low_bits) || ucast low` occurs in
a few places in the proofs and `asid_of high low` is easier to read.
For example, it makes obvious that
`asid_low_bits_of (asid_of hi_bits lo_bits) = lo_bits`
should be a simp rule.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- project out the parts of the state that are needed
(asid_pools_of and asid_table) to remove need for lifting rules
- fix argument order (state first)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Two key lemmas are vs_lookup_slot_unique_level and store_pte_valid_objs.
The latter needs the new concept of valid_mapping_insert to preserve
valid_pt_range (which is part of valid_obj).
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a bit more involved than on RISCV64, but with treating
max_pt_level separately from the rest, most of the argument can be
recovered.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes a few hopefully useful lemmas about page table type
uniqueness.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The remaining interesting lemma (which is not proved) is
vs_lookup_non_PageTablePTE which needed two statement adjustments, one
to adjust the ptes_of update (certain that this is correct), and one to
add a new precondition valid_vspace_objs (speculative, but hopefully
enough to solve the lemma).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- use vspace_objs_of instead of aobjs_of where possible to reduce
scope and make lifting rules stronger
- prove remaining lifting rules in ArchKHeap_AI
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- provides case split rules for vspace_objs_of lifting
- proves the provable vspace_objs_of/vspace_obj_pred lifting rules. The
other lifting rules will need rephrasing for AARCH64 since
vspace_objs_of does not cover all arch objects.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This rewrites the extraction function to a simpler form, which is
consistent with how the lemma is written on the other architectures.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
(removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Lemmas not relying on any specifications or more local concepts will be
moved into MonadicRewrite.thy
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
C code changed to drop stage 1 translation from constructing VM fault
messages when in a hypervisor context.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Handle abstract machine ops in large crunch passes.
Clean up some proofs, standardise others, and rearrange into topical
areas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- the lifting rule now needs an additional vcpus_of assumption
- this makes the rule not applicable any more for the proof of other
lifting rules that are for vspace objs only; these will now need
different proofs
- add FIXME suggestion for equivalence of projection and vspace_obj_pred
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a rough pass over all the vcpu|vppi|vgic items found in ARM_HYP
abstract invariants. Broken items and issues tagged with FIXMEs,
lemmas sorried when possible.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Some definitions needed to change to take VCPUs into account, breaking
some lifting lemmas that assumed vspace objects and arch objects were
the same thing. FIXMEs added.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This indicates potential for using `crunches` to shorten many of the
empty_fail, no_fail and no_irq proofs for most machine ops.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The statements of all VSpace-related lemmas are now in as good a state
as we can predict without proving them.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On RISCV64, we had the nice property that pt_walk can only produce
aligned addresses. This alignment is important for further address
computation.
It turns out that the same is true on AARCH64, because the bottom 12
bits of page table addresses are not stored in PTEs. PagePTEs can only
point to normal page tables, so there is no variation in the size of
the alignment.
This commit uses a similar encoding to RISCV64 to achieve this pt_walk
property without using an additional invariant.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Some follow-on effects from the removal of dmo_read_stval_inv which had
become too generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes a few lifting rules much simpler and eliminates the need for
lifting completely in some circumstances.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This target was used in the regression test setup before this repo
switched to `run_tests` and has been unused for some time.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Starting point for AArch64 abstract invariant proofs.
In most cases, commented out or sorried what doesn't work. In some
cases, had to tweak definitions to get through. Marked all
problem/failure areas with FIXME AARCH64.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
No modifications made. Use this commit to refer to what the initial
sorrying run modified from standard.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This means Isabelle will automatically insert `level_type` when it
finds a term of type `vm_level` but expects one of type `pt_type`.
This only works when the context is unambiguous, but it does make quite
a few terms shorter.
This is input-only, `level_type` will still show up in output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Replaces bool with a dedicated type for page table types. This should
generalise nicely to more different levels and removes the slightly
confusing occurrence of bool.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This replaces 'a word for indices with machine_word. Since we can't use
a specific word length for a generic table index (because different
tables can have different index types), we don't win much by using 'a
word, but we do lose something: we must instantiate 'a when we use the
term, which means we need to decide at that point which type of table
we are talking about. This forces early case distinctions in proofs.
Using machine_word allows us to delay committing to a particular table
type and instead write a generic condition on the width of the index.
We are using machine_word instead of nat or a different specific word
length, because the index into the table is a slice of either an
obj_ref (in ptes_of) or a vref (when we do page table walks), both of
which are compatible with machine_word.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
With separate pte levels the proofs become simpler and shorter, but
some of the statements longer.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Some properties that crunch can be used for have different legacy naming
schemes. This commit makes it possible for different instances of crunch
to be configured for either prefix or suffix naming.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
It is possible to do this with one line now that crunch does not produce
duplicate attribute warnings.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Several parts of CRefine did not or should not depend on anything
C-related, but the import hierarchy (and theory content) did not reflect
this. Namely:
* Move_C and ArchMove_C were intended to hold items that could be moved
to Refine yet used `kernel_m` locale and imported the C spec.
* IsolatedThreadAction indicates how to rearrange statements in the
design spec and has nothing to do with the C spec or framework.
* Fastpath_C contained the design spec of the fastpath, the design spec
rewrite proofs, and the C refinement. Having to rebuild nearly all of
CRefine to work on rewrite proofs wasted time.
In the new import hierarchy:
* Move_C imports only Refine; ArchMove_C builds on Move_C
* IsolatedThreadAction imports only ArchMove_C
* The fastpath proofs are split into the spec definition (Fastpath_Defs)
and rewrite proofs (Fastpath_Equiv), which don't depend on anything
C-related, with their C refinement remaining in Fastpath_C.
While it is possible to separate out the fastpath definitions and rewrite
proofs into a separate image or even move them to Refine, development
experience indicates keeping them alongside their C refinement remains
more convenient for the proof engineer involved.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Put all lemmas for vm_level from the bit1/bit0 classes into one place
so we can later assign these automatically.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Making vs_index_len a symbolic value instead of a plain number means we
have to unfold config_ARM_PA_SIZE_BITS_40 less often (instead, we need
to consider both cases, which forces us to stay generic).
This also makes sure the type vs_index_len is always distinct from
pt_index_len (even if the sizes are the same), which was only
guaranteed in one of the two configurations before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The previous proof inadvertently relied on the fact that
config_ARM_PA_SIZE_BITS_40 is not configured and solved the lemma
trivially instead of really proving that case.
This is only relevant for the config_ARM_PA_SIZE_BITS_40 configuration,
which is not the current verification target, but it is nicer to stay
generic in config_ARM_PA_SIZE_BITS_40 as far as we can.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This means that the invariants are strong enough to support all of the
basic properties of page table walks and vspace address arithmetic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
In some AArch64 configurations, some slots in the top-level table are
not accessible, because the IPA space size is smaller than the number
of bits the page tables can translate. invalid_mapping_slots indicates
which slots have to remain set to InvalidPTE in those tables.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
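The following C model is an added example written for this page; it is not code from l4v or seL4, and it does not reproduce the Isabelle definitions the commits refer to. It illustrates two of the points made in the commits above: the pt_walk alignment argument (a PageTablePTE has no room for the bottom pageBits bits of a table address, so every decoded next-level address is aligned by construction, with no extra invariant) and invalid_mapping_slots (top-level slots the IPA space cannot reach must stay InvalidPTE). All constants are assumptions made for the example: 4 levels with 9 index bits each, pageBits = 12, the next-level table address in descriptor bits [47:12], bits[1:0] == 0b11 as the table-descriptor type, a 44-bit IPA space, and the l4v-style level numbering where max_pt_level is the top and level 0 is the last level. The sample tables and addresses are constructed.

```c
/* Added example, not l4v or seL4 code. All constants below are assumptions
 * chosen for this illustration (see the lead-in). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_BITS       12u
#define PT_INDEX_BITS   9u
#define PT_ENTRIES      (1u << PT_INDEX_BITS)
#define IPA_BITS        44u                    /* assumed IPA space size */
#define MAX_PT_LEVEL    3u                     /* top level; level 0 is the last level */
#define PTE_TABLE_TYPE  0x3ull                 /* assumed table-descriptor type bits */
#define PTE_ADDR_MASK   0x0000FFFFFFFFF000ull  /* assumed: next-table address in bits [47:12] */

/* Shift of the index bits for a level: 12, 21, 30, 39 for levels 0..3. */
static unsigned level_shift(unsigned level)
{
    return PAGE_BITS + level * PT_INDEX_BITS;
}

/* Index into the table at `level` for the (intermediate physical) address vref. */
static unsigned pt_index(uint64_t vref, unsigned level)
{
    return (unsigned)((vref >> level_shift(level)) & (PT_ENTRIES - 1));
}

/* Encode a PageTablePTE. Only bits [47:12] of the table address fit in the
 * descriptor, so the bottom PAGE_BITS bits are dropped at encoding time. */
static uint64_t encode_table_pte(uint64_t table_paddr)
{
    return (table_paddr & PTE_ADDR_MASK) | PTE_TABLE_TYPE;
}

static bool is_table_pte(uint64_t pte)
{
    return (pte & 0x3ull) == PTE_TABLE_TYPE;
}

/* Decode the next-level table address. Since no low bits are stored, the
 * result is PAGE_BITS-aligned for every possible pte, without any invariant. */
static uint64_t pte_table_addr(uint64_t pte)
{
    return pte & PTE_ADDR_MASK;
}

/* Top-level slots the IPA space can reach: 2^(IPA_BITS - 39) = 32 here. */
static unsigned accessible_top_slots(void)
{
    return 1u << (IPA_BITS - level_shift(MAX_PT_LEVEL));
}

/* Slots that must stay InvalidPTE: top-level slots beyond the IPA size. */
static bool invalid_mapping_slot(unsigned level, unsigned idx)
{
    return level == MAX_PT_LEVEL && idx >= accessible_top_slots();
}

/* Constructed sample memory: one table per level, looked up by address. */
struct pt { uint64_t paddr; uint64_t entries[PT_ENTRIES]; };
static struct pt tables[MAX_PT_LEVEL + 1] = {
    { .paddr = 0x40000000ull },   /* level 3 (root) */
    { .paddr = 0x40001000ull },   /* level 2 */
    { .paddr = 0x40002000ull },   /* level 1 */
    { .paddr = 0x40003000ull },   /* level 0 */
};

static struct pt *find_table(uint64_t paddr)
{
    for (size_t i = 0; i < MAX_PT_LEVEL + 1; i++)
        if (tables[i].paddr == paddr)
            return &tables[i];
    return NULL;
}

/* Link the sample tables so that `vref` walks root -> level 2 -> 1 -> 0.
 * Refuses to populate a top-level slot that the IPA space cannot reach. */
static bool build_sample(uint64_t vref)
{
    if (invalid_mapping_slot(MAX_PT_LEVEL, pt_index(vref, MAX_PT_LEVEL)))
        return false;
    for (unsigned level = MAX_PT_LEVEL; level > 0; level--) {
        struct pt *t = &tables[MAX_PT_LEVEL - level];
        t->entries[pt_index(vref, level)] =
            encode_table_pte(tables[MAX_PT_LEVEL - level + 1].paddr);
    }
    return true;
}

/* Walk from the root to the table at `target_level`; 0 means the walk
 * stopped early (an InvalidPTE or PagePTE, or an unknown table address). */
static uint64_t walk_to(uint64_t vref, unsigned target_level)
{
    uint64_t addr = tables[0].paddr;
    for (unsigned level = MAX_PT_LEVEL; level > target_level; level--) {
        struct pt *t = find_table(addr);
        if (t == NULL)
            return 0;
        uint64_t pte = t->entries[pt_index(vref, level)];
        if (!is_table_pte(pte))
            return 0;
        addr = pte_table_addr(pte);
        if (addr & ((1ull << PAGE_BITS) - 1))
            return 0;   /* unreachable: alignment holds by construction */
    }
    return addr;
}
```

The walk never needs to check alignment of a decoded table address because the encoding cannot represent a misaligned one; the check inside the loop is there only to make that claim testable. The invalid-slot computation shows why the set depends on the IPA size rather than on the table shape: with the assumed 44-bit IPA and a 39-bit top-level shift, only the first 32 of 512 root slots are reachable.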
- update lemma statements to include pspace_distinct where needed,
and adjust for multiple PT sizes.
- update most proofs accordingly, leave the rest sorried.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- introduce max_page_level to express that PagePTEs can only occur
on levels 0-2 (regardless of PA/IPA space size)
- PageTablePTEs must always point to normal tables (can't point back
to the top)
- PageTables at max_pt_level must be VSRootPTs
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a bit more complex than before. The general approach is to do
lemmas per level first, then combine them in the map union of pte_of.
For ptes_of_Some, with pspace_distinct, we get the expected two cases.
Without pspace_distinct we need in the second case a condition that the
first case doesn't apply (they are only mutually exclusive when
pspace_distinct holds).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- void type is not used in AArch64
- remove duplication of level_of_vmsize
- state equivalence lemma
- unified formulation of valid_vspace_obj turned out to be usable so far
- confirmed that no further vmid properties are needed (in addition to
inverse)
- removed alternative version of arch_valid_obj (but remains in history)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
At this stage ArchInvariants_AI should process cleanly, but is still
missing some interface lemmas for Invariants_AI.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a first draft of what we think needs to change in the
invariants to model AArch64. VCPU-related definitions are still
missing, and further tweaks are likely.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Copied from RISCV64 with minimal search/replace, added FIXMEs.
Should be enough for formulating architecture-specific invariants.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, X64 use that mechanism and the
function is unused. There are some proofs about it, but those are unused
as well. This commit removes all of these.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Three main thrusts:
- speed up the `updateMDB_the_lot` chain by using more targeted
proof methods
- drastically reduce goal size by removing unused assumptions when
that becomes possible (this is the largest overall speed win)
- use `subgoal` to unblock interactive proof progress
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Both AInvs and the refinement chain need the generated files necessary
for ASpec and ExecSpec. We could depend on ASpec directly, but that
would mess with Isabelle being able to schedule sessions as it wants
them.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add a bundle for global word simp set changes -- unfortunately we
can't actually do this globally, because they are mostly simp rule
removals which will be overwritten by theory merges. So this new
l4v_word_lib bundle will have to be activated/unbundled multiple times.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>