- in VSpace_R
- the same method added to each arch; would be good to unify via
arch split in the future
- also includes some style cleanup
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
- this introduces idle_tcb' which is defined directly using tcb fields
- backport from MCS ARM Refine
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
- this introduces idle_tcb' which is defined directly using tcb fields
- backport from MCS ARM Refine
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
Importing Init_R into ADT_H was causing EmptyFail_H to fail. Since
no other theories actually depend on Init_R we can instead include
it in the Refine session directly.
Signed-off-by: Mitchell Buckley <mitchell.alan.buckley@gmail.com>
Describe an extremely simple abstract kernel state, and Haskell state
that obey the state relation. These states are `zeroed` in the sense
that they have empty heaps, and default values of 0, False, None, []
and similar in all fields.
These states do not satisfy invs or invs', and this is not as strong
a result as showing that kernel initial states satisfy the state
relation, but it is a good sanity check on the relation itself.
Signed-off-by: Mitchell Buckley <mitchell.buckley@data61.csiro.au>
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Ideally all corres lemmas of the form
`corres rrel P P' my_abstract_function myHaskellFunction`
should be named `myHaskellFunction_corres`.
This commit renames over 200 lemmas to match this style.
Signed-off-by: Mitchell Buckley <mitchell.alan.buckley@gmail.com>
Co-authored-by: Victor Phan <Victor.Phan@data61.csiro.au>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
The links to nicta.com.au have stopped working, so the publication links
now point to the TS publication pages.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Remove resolve_address_bits'.simps from the simp set at the definition
site, instead of in the middle of the proofs.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
We already have find_goal, but the interface is a bit too unwieldy to
casually use frequently. This commit introduces (or moves from RISCV)
two methods on top of find_goal:
- `in_case x`: asserts the goal has an assumption `?t = x`
- `find_case x`: finds a goal such that `in_case x`
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This makes sure Isabelle doesn't complain about a missing dependency in
the ROOT file when ARM_HYP is selected. The complaint only shows up in
jedit, and doesn't stop anything, but it's still nicer without.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The assertion is provable from the abstract invariants, and used in
CRefine to conclude that the test whether the vspace root cap is mapped
can be left out.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
the change in C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
- Increase IRQ word size from 3 to 6 to match IRQ_CNODE_SLOT_BITS in
sel4 config.
- Bump maxIRQ up to 54.
- Fix broken inequality proof by changing constant that depended on IRQ
word size.
Create ArchMove_R.thy for transporting arch specific lemmas (and generic
lemmas that are used somewhat specifically by one architecture) to theory
files before Refine.
Create Move_R.thy as an arch generic Refine theory file for transporting
generic lemmas to theory files before Refine.
Also delete some lemmas that have existed earlier already or are not
needed.
Rename Move.thy in CRefine to Move_C.thy for consistency.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
Several constants are added to the top level crunch_ignore statement in
Bits_R.thy, then removed from individual crunch statements across Refine and
CRefine.
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
irqInvalid is manually requalified into Interrupt_R. If it's defined for all
architectures, then it can be requalified instead in the more suitable
spec/machine/MachineExports.thy
Reimplement the following primrecs:
- arch_irq_control_inv_relation
- arch_irq_control_inv_valid'
- irq_control_inv_valid'
Add the following lemmas:
- arch_check_irq_corres
- crunches arch_check_irq, checkIRQ
- arch_check_irq_valid
- arch_check_irq_valid'
- no_fail_setIRQTrigger
- setIRQTrigger_corres
- dmo_setIRQTrigger_invs'
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162
It turns out that Untyped_R needs the properties of valid_arch_cap' non-locally
for all descendants of the untyped cap it's looking at. This would be a fairly
involved property to assert, and so far only Retype/Detype had any real proof
obligations on valid_cap', i.e. it should be cheap to keep.
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
arm ainvs: cleanup
Abbreviate Hoare triples that do not care about the return value and
whose pre and post conditions are the same.
x64 ainvs: cleanup
ainvs: cleanup
x64 ainvs: cleanup
drefine: cleanup