This allows us to more easily show that arch specific tcb fields are
preserved by many functions of the spec. For ARM_HYP we add a
projection for the tcb_vcpu field.
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
Changes to the C kernel to mitigate the Meltdown vulnerability have
removed x64KSCurrentCR3, and replaced it with other state. As a
temporary fix, this commit removes references to x64KSCurrentCR3 from
the C state relation to keep existing proofs working.
For x64 verification, this ultimately needs to be replaced with a
relation on the new state that has been added, and the specs updated
accordingly.
in addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
This change was a result of the constant "(tcb_t*)~0" being defined as
0x00000000FFFFFFFF on x86-64 (0 is implicitly a 32-bit integer) rather
than 0xFFFFFFFFFFFFFFFF as expected.
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
It's really tiring figuring out whether we loaded all of the right
InfoFlow theory files in jEdit. This file lists what "the theories for
InfoFlow" are and should be loaded instead.
ROOT file adjusted to target it instead of a bunch of files, some of
which already include some of the others.
This commit adds a method `ac_init`, which converts a ccorres goal into
a corres goal. It also adds an attribute `ac`, which converts a ccorres
fact into a corres fact, in a form suitable for solving goals produced
by `ac_init`.
A number of proofs begin with word_eqI followed by some similar steps,
suggesting a 'word_eqI_solve' proof method, which is implemented here.
Many of these steps are standard, however a tricky part is that constants of
type 'nat' which encode a particular number of bits must often be unfolded.
This was done by expanding the eval_bool machinery to add eval_int_nat, which
tries to evaluate ints and nats.
Testing eval_int_nat revealed the need to improve the code generator setup
somewhat. The Arch locale contains many of the relevant constants, and they are
given global names via requalify_const, but the code generator doesn't know
about them. Some tweaks make them available. I *think* this is safe for
arch_split, as long as the proofs that derive from them are true in each
architecture.
* word_eqI is no longer rule_format.
* Updated Isabelle/ML Thm.join_proofs to Thm.consolidate.
* Updated suffix_refl to suffix_order.order.refl.
* Removed some lines of proofs, thanks to improved simplifier.
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
This was broken a long while back because arch_switch_to_idle_thread
might sometimes be skipped in the implementation if the idle thread
was previously scheduled. Putting the same behaviour in the most
abstract (unit) specification is pretty easy, and it's not clear why
it wasn't done earlier.
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
Theory files used in the CKernel build refer to files that are generated by the
haskell translater by the design-spec target. This commit changes the dependencies
in the Makefile to reflect that
A private abbreviation in an anonymous context incidentally incremented
the global counter Variable.max_idxof which is used to avoid
name-collisions in lemmas.
For some reason (not obvious) the abbreviation in question was
incrementing the counter, and because it
was only in an X64 file, this resulted in X64 and the other
architectures getting out of sync. This was file previously, but became
a problem when processing the generic file lib/clib/Corres_C.
This commit adjusts the abbreviation to not increment the counter, and
fixes Refine and SR_lemmas_C to account for this change.
The theory_imports regression test requires bitfield-generated theory
files. Previously, the theory_imports regression test depended on
CParser, and explicitly invoked "make" to ensure bitfield-generated
theories were present. However, these theories can also be generated by
the CKernel regression test. This meant that it was non-deterministic
whether bitfield-generated theories were generated during the
theory_imports regression test or the CKernel regression test.
This change adds a c-kernel regression test which generates the relevant
theories for the current L4V_ARCH, and makes both theory_imports and
CKernel depend on c-kernel. This ensures that those theories are always
generated during the c-kernel test, and should therefore make run_tests
timing results for the CKernel image more consistent.
Unfortunately, the check_theory_imports script does not have an easy way
to restrict itself to theories for the current L4V_ARCH, so the script
still needs to invoke "make c-kernel" for architectures other than the
current L4V_ARCH.
now that we have valid_vspace_objs to express validiy of
vspace objects, we do not need valid_arch_objs: we have
valid_objs to state the validity of non-vspace arch objects.
*** ALERT: ANYONE USING SKIP_REFINE_PROOFS SHOULD CHANGE TO
SKIP_DUPLICATED_PROOFS IN ~/.isabelle/etc/settings!!! ***
Previously SKIP_REFINE_PROOFS was being used to skip duplicated Refine
and AInvs proofs when building CBaseRefine and InfoFlowC. This
conflicted with adding an option to actually skip building Refine proofs
(for example when trying to quickly build DBaseRefine).
After this change, we have the following SKIP_PROOFS flags:
* SKIP_AINVS_PROOFS: used to skip AInvs proofs (for example when
building Refine)
* SKIP_REFINE_PROOFS: used to skip Refine proofs (for example when
building DBaseRefine)
* SKIP_DUPLICATED_PROOFS: used to skip the rebuild of AInvs and
Refine when building forked images such as CBaseRefine and
InfoFlowC
In addition, the QUICK_AND_DIRTY flag for AInvs has been changed:
INVS_QUICK_AND_DIRTY -> AINVS_QUICK_AND_DIRTY
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
- a case-statement in decodeARMMMUInvocation has an if-statement with a conjunction of three conditions, but they are translated in different orders between arm and arm-hyp and currently the crefine proofs depend on those orders.
- this fix is not a fundumental solution, but, given how reliable the haskell translator is, not sure how much effort we should be putting in here
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
* This is trivial/irrelevant since getActiveIRQ ignores its argument
in ARM, but it makes a bit more sense to have it being this way,
and it is consistent with the equivalent function in InfoFlowC.
Somewhere automation has failed, resulting in virq_C not being in a size
class, hence arrays not being in packed_type. Therefore typ_heap_simps
would not work since strictly speaking there was no indication the
object could be stored in memory.
This caused hours of suffering for all concerned.
- add proper ccorres_pre_gets_armKSGICVCPUNumListRegs_ksArchState
- many of the other ccorres_pre_gets* lemmas are TOO WEAK to use safely!
- shiftr_and_eq_shiftl (proof by Matthew Brecknell)
The Haskell invariant now describes the page mappings necessary for LargePage
and SuperSection. Updates to refine/* to repair the corresponding fallout.
This commit moves some of the largePagePTEOffset et al lemmas from CRefine up
into Refine.
A small number of small but fiddly word lemmas are currently still sorried.
Solves goals of the following shape (rf_sr on fields of VCPUs):
⟦ (σ, σ') ∈ rf_sr; ko_at' vcpu vcpuptr σ ⟧
⟹ (σ⦇ksPSpace := ksPSpace σ(vcpuptr ↦ KOArch (KOVCPU (f vcpu)))⦈,
globals_update
(t_hrs_'_update (hrs_mem_update (heap_update (Ptr &(vcpu_Ptr vcpuptr→[''some_field''])) val)))
σ')
∈ rf_sr
I was not able to generalise this more. A rule would be better, but I don't
know how to bind one to the textual field lookup.
It's also slow, 10s per invocation, but at least it works.
see: vcpureg_eq_use_types
Transforms (of_nat (fromEnum reg) = scast seL4_VCPUReg_SCTLR)
into (reg = VCPURegSCTLR)
letting you do cases on reg. There are no cases for seL4_VCPUReg*.
Inspired by invocation_eq_use_types
Repurposed nearly all of old Arch_decodeInvocation_ccorres into
decodeARMMMUInvocation_ccorres.
Educated guess at a stub for decodeARMVCPUInvocation_ccorres.
Attribute does not exist in abstract spec, is nailed to False in
Haskell. In C it naturally gets mapped across in vmAttributesFromWord,
passed around everywhere, at which point the attribute is ignored
anyway.
Remap for large pages was correct in C, but hard to verify. Map however was
wrong (i.e. unchanged from ARM).
Abstract/haskell are same as ARM for both, hence they are being fixed.
* New archThreadSet_tcbVCPU_Basic_ccorres for updating the
associated vcpu inside a tcb
* New setObject_vcpuTCB_Basic_ccorres for updating the
associated tcb inside a vcpu
This is the top level file of crefine and last file of this sorrying run.
The new handleInterrupt (due to the new getActiveIRQ flag) has more specific
requirements about the current thread's state and queued status, which
are sorried, but probably true.
Some interesting questions about ctac/cinit/csymbr resulted in sorries
that look obviously true, but any attempt at touching them results in
exeception TERM despite many attempts.
There is a non-trivial issue with the pde/pte state relations no longer
being injective, due to HAPFromVMRights not being injective.
handleHypervisorEvent_C updated in both locations (no idea why two),
generating some interesting questions about cinit/ctac usage.
setArchTCB_C becomes setTCBContext_C because we only set the context on
entry into the kernel, not the VCPU pointer.
Introduce machine_bits_defs to catch even more items,
e.g. vcpu_bits and vcpuBits
Clean up all current uses of p[td]e?_bits in favour of Haskell
equivalent names and table_bits_defs simplification.
Drop p[td]eBits_eq and vcpuBits_eq from simpset.
CRefine is a theory of refinement from Haskell spec to C.
Let's avoid having to change tons of p(t|d)Bits lemmas to refer to some
abstract spec constants for no reason.
e.g. if you have a: "P ptBits" and want to prove "P 12" "simp add: a"
will NOT work, as the simplifier does not do that level of
simplification of rules supplied to it.
In hyp mode we don't share an address space with our users, so we flush
by kernel MVA instead. We need to also know that there isn't an overflow
after the ptrFromPAddr translation from physical to kernel virtual.