eb3f90a815
riscv refine: strengthen word lemmas around mask
2019-11-12 18:28:39 +11:00
66d43a5e91
riscv refine: cleanup in Retype_R
2019-11-12 18:28:39 +11:00
eb8370e18e
riscv refine: cleanup pass through Invariants_H
2019-11-12 18:28:39 +11:00
ec38460345
riscv refine: cleanup pass through ArchAcc_R
2019-11-12 18:28:39 +11:00
7cbe59e67a
riscv refine: 0 sorries
2019-11-12 18:28:39 +11:00
04cac93bbe
riscv refine: style cleanup in ADT_H
...
more consistent indentation and definition style;
removed warnings;
removed (most) magic numbers
2019-11-12 18:28:39 +11:00
3d6b5970f7
riscv refine: remove trivial sorry in ADT_H
2019-11-12 18:28:39 +11:00
0ac198fab5
riscv refine: Arch_R sorry-free
2019-11-12 18:28:39 +11:00
f55200b9d9
riscv refine: reduced Arch_R to 1 sorry
2019-11-12 18:28:39 +11:00
41d525d1b6
riscv refine: reduce sorries in Arch_R
2019-11-12 18:28:39 +11:00
53198e4fce
riscv refine: VSpace_R sorry-free
2019-11-12 18:28:39 +11:00
b051b9437d
riscv refine: reduce sorries in VSpace_R
2019-11-12 18:28:39 +11:00
3f5aaa6c48
riscv refine: Finalise_R sorry-free
2019-11-12 18:28:39 +11:00
be62cf1cfd
riscv refine: reduce sorries in VSpace_R and Arch_R
2019-11-12 18:28:39 +11:00
ed3d2e1ec2
riscv refine: reduce sorries in VSpace_R
2019-11-12 18:28:39 +11:00
e44423d6bb
riscv refine: ArchAcc_R sorry-free
2019-11-12 18:28:39 +11:00
a612a0e54e
riscv refine: reduce ArchAcc_R sorries to 1
2019-11-12 18:28:39 +11:00
939201f782
riscv refine: Retype_R and Detype_R sorry-free
2019-11-12 18:28:39 +11:00
cd70459771
riscv refine: reduce sorries in Finalise_R
2019-11-12 18:28:39 +11:00
5ac27afad0
riscv refine: close all sorries in CNodeInv_R
2019-11-12 18:28:39 +11:00
98a3efe16a
riscv refine: close all sorries in Ipc_R
2019-11-12 18:28:39 +11:00
fe895506cc
riscv refine: 0 sorries in Syscall_R
2019-11-12 18:28:39 +11:00
1f539c062c
riscv refine: 0 sorries in Refine_R
2019-11-12 18:28:39 +11:00
bf83335d78
riscv refine: reduce sorries in Refine
2019-11-12 18:28:39 +11:00
2d9ec1736f
riscv refine: set up DomainTime_R (0 sorries)
2019-11-12 18:28:39 +11:00
d224325b43
riscv refine: add Orphanage (dummy file)
...
This file is needed to prevent error messages in ROOT. No-orphans proof is
currently still ARM-only.
2019-11-12 18:28:39 +11:00
bd8e032504
riscv refine: sorrying Refine_R
2019-11-12 18:28:39 +11:00
6b2009ac45
riscv refine: set up IncKernelInit, InitLemmas, KernelInit_R (0 sorries)
2019-11-12 18:28:39 +11:00
cbe29f527f
riscv refine: sorrying ADT_H (3 sorries)
2019-11-12 18:28:39 +11:00
4a5084b46b
riscv refine: encode absence of Execute in PTablePTEs in state relation
2019-11-12 18:28:39 +11:00
b692a5c81f
riscv refine: set up PageTableDuplicates (0 sorries)
2019-11-12 18:28:39 +11:00
eab8f3e19e
riscv refine: set up Syscall_R (3 sorries)
2019-11-12 18:28:39 +11:00
1d9328dbcd
riscv refine: set up Tcb_R (0 sorries)
2019-11-12 18:28:39 +11:00
d324216454
riscv refine: set up CNodeInv (3 sorries)
2019-11-12 18:28:39 +11:00
0d881171fa
riscv refine: set up Interrupt_R (0 sorries)
2019-11-12 18:28:39 +11:00
42bd55ea3b
riscv refine: simplify assumptions in CSpace_R
2019-11-12 18:28:39 +11:00
b1157aef9e
riscv refine: sorrying Ipc_R (2 sorries)
2019-11-12 18:28:39 +11:00
bdf9e036a8
riscv refine: sorrying Arch_R (7 sorries)
2019-11-12 18:28:39 +11:00
99b7cc7ceb
riscv refine: remove unused assumptions
2019-11-12 18:28:39 +11:00
5ee57f72fc
riscv refine: sorrying Finalise_R (3 sorries)
2019-11-12 18:28:39 +11:00
45172e930f
riscv refine: basic setup for recursive PTLookup*
2019-11-12 18:28:39 +11:00
76a69cda63
riscv refine: close sorry in KHeap_R
2019-11-12 18:28:39 +11:00
96b3754455
riscv refine: set up IpcCancel (0 sorries)
2019-11-12 18:28:39 +11:00
e6da934e7d
riscv refine: simplify setASIDPool_invs
...
Does not require valid_asid_pool in weakened invariant setting.
2019-11-12 18:28:39 +11:00
e46023fe12
riscv refine: set up Untyped_R (0 sorries)
2019-11-12 18:28:39 +11:00
159bf6a50f
riscv refine: add valid_arch_cap' to invariants
...
It turns out that Untyped_R needs the properties of valid_arch_cap' non-locally
for all descendants of the untyped cap it's looking at. This would be a fairly
involved property to assert, and so far only Retype/Detype had any real proof
obligations on valid_cap', i.e. it should be cheap to keep.
2019-11-12 18:28:39 +11:00
854e74a1fd
riscv refine: add Invocations_R
2019-11-12 18:28:39 +11:00
4422d1ecca
riscv refine: sorried Detype_R
2019-11-12 18:28:39 +11:00
2d9afdf7be
riscv refine: storePTE_valid_objs + remove one sorry
2019-11-12 18:28:39 +11:00
adf7f7bf03
riscv refine: sorry Retype_R (2 sorries)
2019-11-12 18:28:39 +11:00
01c6c9f7b5
riscv refine: weaken precondition of threadSet_invs_trivialT
2019-11-12 18:28:39 +11:00
4fe875e854
riscv refine: set up Schedule_R (0 sorries)
2019-11-12 18:28:39 +11:00
e850ab5ea5
riscv refine: reduce Haskell guards in TcbAcc
2019-11-12 18:28:39 +11:00
c40435c4a8
riscv refine: sorried VSpace_R
2019-11-12 18:28:39 +11:00
e25631e919
riscv refine: more guard cross-over rules
2019-11-12 18:28:39 +11:00
d4932ced42
riscv refine: set up InterruptAcc_R
2019-11-12 18:28:39 +11:00
7fde8b47a0
riscv refine: set up TcbAcc_R (0 sorries)
2019-11-12 18:28:39 +11:00
df28d3bdbc
riscv refine: set up CSpace_R (0 sorries)
2019-11-12 18:28:39 +11:00
3d037d7219
riscv refine: Invariants_H: syntax precedence for parentOf
2019-11-12 18:28:39 +11:00
b122d1945a
riscv refine: fill in RAB_FN.thy
2019-11-12 18:28:39 +11:00
a3dd552343
riscv refine: set up CSpace1_R (0 sorries)
2019-11-12 18:28:39 +11:00
6cd1482169
riscv refine: set up CSpace_I (0 sorries)
2019-11-12 18:28:39 +11:00
1f149e7387
riscv refine: add ArchFrameCap to capSimps and friends
2019-11-12 18:28:39 +11:00
7815e4734a
riscv refine: introduce bit_simps'
2019-11-12 18:28:39 +11:00
e6fe4420ea
riscv refine: sorried ArchAcc_R
2019-11-12 18:28:39 +11:00
318d54a8ca
riscv refine: adjustments for page_table_at' in KHeap_R
2019-11-12 18:28:39 +11:00
8b40b334bd
riscv refine: rephrase page_table_at' in Invariants_H
2019-11-12 18:28:38 +11:00
c4646172b3
riscv refine: set up KHeap_R (1 sorry) and SubMonad_R
2019-11-12 18:28:38 +11:00
6bc51a2562
riscv refine: set up Bits_R, Corres, EmptyFail
2019-11-12 18:28:38 +11:00
db8768234c
riscv refine: initial state relation
2019-11-12 18:28:38 +11:00
244e8fe32f
riscv refine: initial design invariants
...
upd
2019-11-12 18:28:38 +11:00
8be2ab8484
riscv refine: initial skeleton
2019-11-12 18:28:38 +11:00
9846cd42bb
proof: update for crunch changes
2019-10-14 17:23:41 +11:00
dd48e0d899
proof: update for wp changes
...
Updated 'wp_once' to 'wp (once)' and removed several stray uses of 'wp_trace'.
2019-10-14 17:12:18 +11:00
a6024fb377
x64 refine/crefine: remove vmsz_aligned'
2019-10-10 11:27:31 +11:00
9100315c86
x64 refine: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:27:10 +11:00
c5b4d0fab5
arm-hyp refine: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:27:10 +11:00
67d37f8025
arm refine: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:27:10 +11:00
acbc08b836
clean-ups done during proof update for the jira issue SELFOUR-1187: seL4 setPriority should attempt a direct schedule
2019-10-06 18:31:19 +11:00
d934d25269
proof update for SELFOUR-1187: seL4 setPriority should attempt a direct schedule
...
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
2019-10-06 18:31:19 +11:00
ab4b3b17c6
refine: adjustments for global None_upd_eq[simp]
2019-07-31 16:55:32 +10:00
4f93ebe608
refine, crefine: update after adding thread id registers to TCB for SELFOUR-1524
2019-06-28 11:48:24 +10:00
c34840d09b
global: isabelle update_cartouches
2019-06-14 11:41:21 +10:00
0025f29417
refine: update for Isabelle2019
2019-06-13 16:22:33 +10:00
4463e9750e
SELFOUR-1198: update proofs for correct restart PC
...
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
2019-06-13 11:43:50 +10:00
4a07af9d9d
ainvs refine: update arch-split locale names
...
Previously, some arch-specific names were qualified with the wrong
architecture abbreviation.
2019-06-13 11:43:50 +10:00
9478d5507c
refine cleanup: remove unused lemmas
2019-06-13 11:43:50 +10:00
6d581b5897
refine: add some lemmas about obj_at'
2019-06-13 11:43:50 +10:00
c1e9a09e26
lib: move "tl_nat_list_simp" up.
2019-05-28 10:00:10 +10:00
14c4722cef
refine: remove stray 'thm' commands.
2019-05-28 10:00:10 +10:00
59b07ad60d
refine: mark "call_kernel_serial" as a theorem.
2019-05-28 10:00:10 +10:00
2035f444a0
refine: Remove unused lemmas.
2019-05-28 10:00:10 +10:00
f1901beee0
cleanup: remove duplicates of invs'_invs_no_cicd
2019-05-03 13:52:52 +10:00
eedf3d8fa2
cleanup: remove duplicates of objBitsKO_gt_0
2019-05-03 13:52:52 +10:00
834dd88681
refine: remove as_user_valid_etcbs from architecture specific files
...
as_user_valid_etcbs can be reasoned in an architecture generic setting.
2019-04-18 14:32:08 +10:00
1689dd94fe
cleanup
...
arm ainvs: cleanup
Abbreviate Hoare triples that do not care about the return value and
whose pre and post conditions are the same.
x64 ainvs: cleanup
ainvs: cleanup
x64 ainvs: cleanup
drefine: cleanup
2019-04-18 14:32:08 +10:00
1fd4c1ab0b
x64 refine: update for new definition of set_object
2019-04-18 14:32:08 +10:00
c323da2f5c
arm-hyp refine: update for new definition of set_object
2019-04-18 14:32:08 +10:00
d707c97df9
arm refine: update for new definition of set_object
2019-04-18 14:32:08 +10:00
103fc3656e
x64 refine: update for GrantReply (SELFOUR-6)
2018-12-10 20:01:38 +11:00
0ead52863d
arm-hyp refine: update for GrantReply (SELFOUR-6)
2018-12-10 20:01:38 +11:00
c02d0406f5
arm refine: update for GrantReply (SELFOUR-6)
...
Initial setup and sorrying by Thibaut Perami.
2018-12-10 20:01:37 +11:00
fd6d4b87ae
refactor einvs from Refine and Access into AInvs
2018-11-20 16:34:29 +11:00
c53f7850d7
Base ASpec + machine on OptionMonad_ND; fix proof fallout
2018-10-25 12:54:02 +11:00
15bfcdd98b
reduce DRefine dependencies from Refine to AInvs
...
This needs (and includes) some deduplication and moving of lemmas formerly in
refine.
2018-10-22 13:21:11 +11:00
c4dc578bc3
Fix up proofs after word lemma moves
2018-10-10 14:15:01 +11:00
d75740201c
Remove pure word lemmas from proof/*
...
Removes redundant lemmas after moving them up to Word_Lib.
2018-10-10 14:15:00 +11:00
18e0d934cc
refine: move Orphanage to separate session, RefineOrphanage
...
Previously, the build system conditionally included Orphanage, but only
when built from run_tests. This meant that a plain ‘isabelle jedit’ or
‘make Refine’ would see a different session definition, resulting in a
slow rebuild.
NB: editing Orphanage now requires -l Refine instead of -l BaseRefine.
2018-10-03 19:47:04 +10:00
331a0ee1c2
Minor adjustments to the patch for selfour-1491.
...
There were some sloppy last-minute changes that were not properly tested
and managed to evade testing. These contained a single logical omission
and a few typographic mistakes.
2018-09-21 10:09:49 +10:00
8173a37c2d
Updated specs and proofs for SELFOUR-1491: control IRQ triggering on ARM.
2018-09-19 16:18:09 +10:00
fa553b8085
aspec/refine: remove redundant captransfer_size definition
2018-08-20 09:06:37 +10:00
a7782f4af4
Isabelle2018 x64: Refine
2018-08-20 09:06:36 +10:00
0c407a64d9
Isabelle2018 arm_hyp: Refine
2018-08-20 09:06:36 +10:00
9646c3a315
Isabelle2018 arm: Refine
2018-08-20 09:06:36 +10:00
6b9d9d24dd
Isabelle2018: new "op x" syntax; now is "(x)"
...
(result of "isabelle update_op -m <dir>")
2018-08-20 09:06:35 +10:00
011e08458e
Isabelle2018: new comment syntax
...
(result of "isabelle update_comments <dirs>")
2018-08-20 09:06:35 +10:00
c6981d5556
x64 refine: add IOPortControl to EmptyFail_H
2018-08-20 09:06:34 +10:00
7cd5538934
arm_hyp refine: prove EmptyFail_H
...
This theory is part of the Refine session, but only used in InfoFlow,
which is why it has been missed so far.
2018-08-20 09:06:34 +10:00
b5cdf4703f
globally use session-qualified imports; add Lib session
...
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
2018-08-20 09:06:34 +10:00
ead3e6fdc4
aspec: message_info_to_data is mostly arch independent
...
Factored out msg_label_bits, which is the only architecture specific part.
2018-08-06 11:22:51 +10:00
26049db669
Repair proofs for wpsimp/crunch changes.
...
A handle of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
2018-08-03 18:25:30 +10:00
0f0f46b2b0
x64: refine: fix fallout from decodeX64PageInvocation change
2018-07-05 16:23:15 +10:00
2558a7c6e5
x64: crefine: update decodeX64FrameInvocation to not mask with PPTR_USER_TOP
2018-07-05 16:23:15 +10:00
7f52da6571
x64: ainvs+refine: fix up proofs for decodeX64FrameInvocation changes
2018-07-05 16:23:15 +10:00
5ed7bb16be
x64: fix up definition of performPageInvocation for unmapping pages
2018-07-05 16:23:15 +10:00
151ca60b9f
x64: refine: add new invariant "pspace_in_kernel_mappings'"
...
This invariant shows that all pointers in ksPSpace are above pptr_base -
that is, in the kernel window. This was never formally proven before, as
had never truly been required (although it is true).
2018-07-05 16:23:15 +10:00
b91ee8e4d0
x64: spec+ainvs+refine: add machine ops for nativeThreadUsingFPU and switchFpuOwner
2018-07-05 16:23:15 +10:00
df1c4b1e45
x64: spec+refine: plumb call through perform_ioport_invocation
2018-07-05 16:23:15 +10:00
e9940dee83
x64: spec+refine: remove VMIOSpaceMap, tighten valid_cap' map type guarantees
2018-07-05 16:23:15 +10:00
a4a9a9f721
x64: spec: update ensurePortOperationAllowed to better match C
2018-07-05 16:23:15 +10:00
43f482ab26
x64: ainvs: refine: changes for IRQ invocations (VER-879)
2018-07-05 16:23:15 +10:00
c481c7d2df
x64: set cteRightsBits to 0 (VER-930)
2018-07-05 16:23:15 +10:00
8953543843
x64: ainvs+refine: remove invalidateASIDEntry, simplify with just hwASIDInvalidate
2018-07-05 16:23:15 +10:00
8cb2744306
x64: refine: cleanup after ioportcontrol
2018-07-05 16:23:15 +10:00
4967850316
x64: clear wordFromMessageInfo_spec sorry in VSpace_C
2018-07-05 16:23:15 +10:00
e7145a693e
x64: proof update for crunch changes
2018-07-05 16:23:15 +10:00
f649240cde
x64: CR3 and machine op updates for Meltdown
2018-07-05 16:23:15 +10:00
a3de401c09
x64: more abstract specs and invariants for ASIDs
2018-07-05 16:23:15 +10:00
99f2868803
x64 refine: RAB_FN (needed for x64 crefine)
2018-07-05 16:23:14 +10:00
c12aa74ca3
x64: refine: add valid_pspace' -> pspace_canonical' drule
2018-07-05 16:23:14 +10:00
bcac2c8492
x64: clear some sorry proofs from CSpace_C
...
Also update some Haskell and abstract specs relating to IO ports.
2018-07-05 16:23:14 +10:00
b072714ca1
x64: crefine: move pspace_canonical' lemmas to refine
2018-07-05 16:23:14 +10:00
9159cf7c0d
x64 refine: add pspace_canonical' invariant
...
All kernel objects in the kheap exist at canonical addresses. Additional
constraint needed on Untyped caps: they must refer to a canonical
address in memory, since the Untyped objects themselves do not live in
the kheap.
The invariant is needed to discharge pointer dereference guards in C for
pointers obtained from kernel objects. We managed to prove it without
adding abstract invariants.
2018-07-05 16:23:14 +10:00
9d315cda20
ainvs+refine: update proofs for SetTLSBase (VER-807)
2018-07-03 13:42:19 +10:00
15d6b62040
arm: address setCurrentPD mismatch between abstract/haskell/C
...
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
2018-06-22 11:59:30 +10:00
4a3d7a958c
arm-hyp: update proofs for SELFOUR-584: running multiple VMs on ARM
...
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
2018-06-15 18:48:47 +10:00
c686d6e776
lib: Make Crunch more effective at applying supplied rules
2018-06-08 15:48:32 +10:00
25125763bd
arm-hyp: ioportcontrol: fixes after adding IOPortControlCaps to x64
2018-04-19 05:27:06 +10:00
1634608453
arm: ioportcontrol: Fixes after adding IOPortControlCaps to x64
2018-04-19 05:27:06 +10:00
f728dd25e8
x64: Add IOPortControlCaps to control IO port allocation
...
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
2018-04-19 05:27:06 +10:00
cf601cb3c6
refine+crefine: update proofs for range check change
2018-04-11 08:05:46 +10:00
9813f6a09f
arm-hyp haskell+refine: reorder arch invocation labels to match C
2018-04-07 00:02:51 +10:00
2d0baab462
Proof update for crunch changes
2018-04-04 14:13:55 +10:00
0f38e20094
Many proof repairs.
2018-03-16 14:57:51 +11:00
652cbb966e
Initial proof updates for combinator changes.
2018-03-16 14:53:22 +11:00
53996e94d9
arm-hyp refine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
2d9de5b9a6
ARM refine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
72c4123d10
x64 refine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
f0795805d1
SELFOUR-1016: fix confused deputy problem when setting priorities
2018-02-26 11:19:43 +11:00
4601f2a1ab
Genericise deletion actions that occur after empty_slot
...
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
2018-02-23 09:12:55 +11:00
3d225cde69
VER-910: add msgLabelBits to haskell
...
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
2018-02-07 10:36:59 +11:00
d675e253ba
fix broken README links
2018-01-29 13:24:35 +11:00
995b88cefa
SELFOUR-707: schedule highest priority thread on setPriority
2018-01-19 16:08:11 +11:00
7c0e7970d6
x64 refine: proof update for ASIDMap removal
2018-01-11 18:48:37 +11:00
2f540e802c
add constant definitions for bounds on untyped object sizes
2017-12-18 12:58:27 +11:00
dcca6d496f
x64 ainvs/refine: simple_ko setter/getter
2017-12-14 18:03:41 +11:00
6eb2cb74ad
arm-hyp: simple_ko setter/getter
2017-12-14 18:03:31 +11:00
2a1beffac1
arm: update for simple_ko getter/setter
2017-12-14 18:02:48 +11:00
3841b6e8ba
arm : add AEndpoint and ANTFN a_type simplification
...
in addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
2017-12-14 07:17:27 +11:00
ffc0640869
VER-853: put arch_check_irq into the Arch locale, and update x64 to match C
2017-12-13 12:13:36 +11:00
0c9d7269d4
x64: miscellaneous constant updates (VER-845, VER-852)
...
Updated syscallMessage register list, maxIRQ to match C code
2017-12-13 12:13:36 +11:00
b01b341b3c
x64: adjust definition of Arch.switchToIdleThread (VER-848)
2017-12-13 12:13:36 +11:00
a5a5edc832
VER-849: abstractly declare a threads registers have changed
...
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
2017-12-13 12:13:36 +11:00
2f28bfeaec
x64: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242)
...
Apply "invert-fastpath" changes to x64 (ainvs, refine, partial crefine).
See main commit for arm for more context.
2017-11-27 22:05:46 +11:00
7b36283c70
arm-hyp: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242)
...
Apply "invert-fastpath" changes to arm-hyp (ainvs, refine, crefine).
See main commit for arm for more context.
2017-11-27 22:05:46 +11:00
3a22487cf3
arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242)
...
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
2017-11-27 22:05:34 +11:00
68ae97454e
lib: more modifiers for wpsimp (wp_del, simp_del)
2017-11-03 08:09:29 +11:00
3cb118fe02
Isabelle2017: update Refine for RC0
2017-10-30 12:23:26 +11:00
48b3a8b4ca
update object and field widths for x64, and remove some magic numbers
...
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
2017-10-26 14:05:35 +11:00
9bdb47e114
reintroduce Orphanage test (for ARM only)
...
- Orphanage files in the ARM_HYP and X64 directories are not tested at the moment
- once we finish proving them, we will remove the restriction to ARM
2017-10-24 13:49:21 +11:00
6b9912c47a
manually adjust non-obvious cases of tab to space replacement
2017-10-20 14:22:36 +11:00
184d6b70b7
remove most tab characters
2017-10-20 14:22:36 +11:00
7e915e39bd
x64: adjusted abbreviation in ArchAcc_AI to restore global name-clash counter to be consistent between architectures.
...
A private abbreviation in an anonymous context incidentally incremented
the global counter Variable.max_idxof which is used to avoid
name-collisions in lemmas.
For some reason (not obvious) the abbreviation in question was
incrementing the counter, and because it
was only in an X64 file, this resulted in X64 and the other
architectures getting out of sync. This was file previously, but became
a problem when processing the generic file lib/clib/Corres_C.
This commit adjusts the abbreviation to not increment the counter, and
fixes Refine and SR_lemmas_C to account for this change.
2017-09-19 12:07:02 +10:00
07e9bfa417
remove_valid_arch_objs: updates for X64
2017-08-18 09:44:00 +10:00
6d8e917087
Remove valid_arch_objs
...
now that we have valid_vspace_objs to express validiy of
vspace objects, we do not need valid_arch_objs: we have
valid_objs to state the validity of non-vspace arch objects.
2017-08-17 22:44:23 +10:00
42401684b0
refine: integrate all architectures
2017-08-09 17:02:49 +10:00
238e8b307e
x64: merge master
2017-07-21 11:27:12 +10:00
d38a19f1bb
fix ARM_HYP Refine for newest corres method after ARM_HYP rebase
...
VER-737
2017-07-18 12:19:48 -06:00
c72bece06f
fix ARM Refine for newest corres method after ARM_HYP rebase
...
VER-737
2017-07-18 12:19:27 -06:00
2d2f2a1e1d
fix refine proofs for improved corres_pre
...
minor fix - verification condition no longer
generated mid-proof
VER-737
2017-07-17 13:09:46 -06:00
8c7163457a
remove explicit use of corres_rv rules
...
This is now handled by the corres method
VER-737
2017-07-17 13:09:46 -06:00
206be43920
use correswp and correct corres_rv rules
2017-07-17 13:09:46 -06:00
fa6112378d
cleanup refine for latest corres_method
...
Some fallout from protecting return-value relations
VER-737
2017-07-17 13:09:08 -06:00
8d454f1deb
use new lift_corres_args attribute to abstract function args
...
This avoids manually rewriting the lemma statements, but puts
the rules in the more general form
2017-07-17 13:08:19 -06:00
2bc620c670
addressing protect_r -> corres_protect rename
2017-07-17 13:08:19 -06:00
196e2e2e0a
fix corres proofs for corres method
...
Fixing the fact that ex_abs is slightly rephrased
VER-737
2017-07-17 13:06:55 -06:00
9ab936e815
fix refine after changes to corres_method
2017-07-17 12:54:08 -06:00
796887d9b1
Removes all trailing whitespaces
2017-07-12 15:13:51 +10:00
81064fdb55
idle-thread-pd: run idle thread with the global PD all the time.
...
This avoids the multicore scenario of the idle thread running in the
address space that has been deleted by a thread running on another core.
2017-07-11 11:29:34 +10:00
41fe1a0845
update proofs for SELFOUR-30/291 "Reschedule on self-modification"
...
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
2017-06-26 15:52:35 +10:00
392d055e99
SELFOUR-748: rename tlb invalidation functions
2017-06-20 14:05:45 +10:00
2d20221396
arm refine: updates for the backport from arm-hyp completed
2017-06-19 14:32:44 +10:00
b76709967b
arm refine: Updating theories for ainvs changes
2017-06-19 14:32:44 +10:00
35f714addf
arm-hyp refine: reintroduce valid_global_objs and valid_global_vspace_mappings
2017-06-19 14:32:43 +10:00
a4e9ffa403
arm-hyp: refactor tpidrurwRegister and fix corresponding proofs
...
See VER-717
2017-06-19 14:32:43 +10:00
1f4b9e686a
arm-hyp: rename archTCBSanitise, arch_tcb_sanitise_condition, Arch_hasVCPU to be more appropriate
2017-06-19 14:32:43 +10:00
25ef365531
arm-hyp refine: fix proofs broken by spec updates
2017-06-19 14:32:43 +10:00
1f5a142096
arm-hyp refine: remove corresK_machine_op from the default corresK set
2017-06-19 14:32:43 +10:00
eb967add36
arm-hyp refine: remove remaining sorries for vcpuSave spec change
2017-06-19 14:32:42 +10:00
2e962ff0a3
arm-hyp refine: reduce sorries in VSpace_R for vcpu_save change
2017-06-19 14:32:41 +10:00
ea7b95d4dd
arm-hyp refine: vcpuSave_corres for the new vcpuSave
2017-06-19 14:32:41 +10:00
f6f4d724fe
arm-hyp refine: more sorries in CNodeInv_R and Schedule_R for spec updates
2017-06-19 14:32:41 +10:00
131972d498
arm-hyp refine: VSpace_R sorried for spec change fixes
2017-06-19 14:32:41 +10:00
3e65a59f1c
arm-hyp refine: fix for makeVIRQ spec change
2017-06-19 14:32:41 +10:00
8ae57e7a81
arm-hyp refine: fix breakages from sanitiseRegister_refactor
2017-06-19 14:32:40 +10:00
d531dc9dc5
arm-hyp refine: fixed invokeVCPUInjectIRQ_corres
2017-06-19 14:32:40 +10:00
6b3528b24d
arm-hyp refine: sorry fallouts from invoke_vcpu_inject_irq change
2017-06-19 14:32:40 +10:00
a07c41a43b
arm-hyp refine: fix fallouts from the spec changes (excluding those in vcpu_save), with 1 sorry in Arch_R
2017-06-19 14:32:39 +10:00
35df51dd8f
arm-hyp refine: prove word lemmas relating to duplicate page table entries
2017-06-19 14:32:39 +10:00
85053b2580
arm-hyp refine: new vs_valid_duplicates
...
The Haskell invariant now describes the page mappings necessary for LargePage
and SuperSection. Updates to refine/* to repair the corresponding fallout.
This commit moves some of the largePagePTEOffset et al lemmas from CRefine up
into Refine.
A small number of small but fiddly word lemmas are currently still sorried.
2017-06-19 14:32:38 +10:00
c132fb331c
arm-hyo Refine: fix vcouDisable_corres for spec updates
2017-06-19 14:32:37 +10:00
1e195355d7
arm-hyp refine: invariant: num vgic LR registers has a known maximum
2017-06-19 14:32:35 +10:00
766f32320a
arm-hyp refine: update for dissociate_vcpu_tcb
...
* Swapping set_vcpu and arch_thread_set in dissociate_vcpu_tcb to
match the order in C
2017-06-19 14:32:35 +10:00
9ebaa2c3ea
arm-hyp refine: new invariant: VMNoAccess is unused
2017-06-19 14:32:35 +10:00
a488e8dd44
arm-hyp refine: various fixes and renames for obj_at' related rules
2017-06-19 14:32:34 +10:00
2dc5ec8601
arm-hyp refine: update for do_flush/doFlush
2017-06-19 14:32:32 +10:00
b96877f244
arm-hyp refine: (Fix) Correctly defining setCurrentPD
2017-06-19 14:32:32 +10:00
a8b7b7887d
arm-hyp refine: update for asidHighBits change
2017-06-19 14:32:31 +10:00
fc74a6440f
arm-hyp refine: repair for rebase (new corres)
...
- fixes the fallout from the updated corres method.
- also includes some fixes by: Daniel Matichuk <daniel.matichuk@data61.csiro.au>
2017-06-19 14:32:31 +10:00
bf98897a98
arm-hyp refine: Refine sorry free
2017-06-19 14:32:31 +10:00
ca9582a2e8
arm-hyp refine: VSpace_R sorry free
2017-06-19 14:32:31 +10:00
ddb5c4043c
arm-hyp refine: VSpace_R, 2 sorries left
2017-06-19 14:32:31 +10:00
34a7c911e2
arm-hyp refine: VSpace_R, 2 sorries left, 1 sorry elsewhere
2017-06-19 14:32:31 +10:00
37ef712322
arm-hyp refine: zobj_refs adjustments; Arch_R sorry-free
2017-06-19 14:32:31 +10:00
0bf8d784b5
arm-hyp refine: zobj_refs' for VCPU (needed for liveness)
2017-06-19 14:32:31 +10:00
e48643f785
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
19b519ba29
arm-hyp refine: VSpace_R, 4 sorries left
2017-06-19 14:32:30 +10:00
3edf057812
arm-hyp refine: tidying up Schedule_R
2017-06-19 14:32:30 +10:00
bee7435458
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
5e9080c77b
arm-hyp refine: Syscall_R sorry-free
2017-06-19 14:32:30 +10:00
501e71adbe
arm-hyp refine: CNodeInvs_R sorry-free
2017-06-19 14:32:30 +10:00
8118968a05
arm-hyp refine: remove sorry in Syscall_R
2017-06-19 14:32:30 +10:00
c34aef1ee3
arm-hyp refine: DomainTime_R sorry-free
2017-06-19 14:32:30 +10:00
14b0f600ab
arm-hyp refine: Finalise_R sorry-free
2017-06-19 14:32:30 +10:00
187611825c
arm-hyp refine: dissociateVCPUTCB_invs'
2017-06-19 14:32:30 +10:00
31575f1065
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
ff6da2f76c
arm-hyp refine: Retype_R sorry free
2017-06-19 14:32:30 +10:00
6f32ddc7e9
arm-hyp refine: remove setVCPU_invs from wp set.
...
(The rule will need more preconditions, so we don't want it used
automatically yet.)
2017-06-19 14:32:30 +10:00
f727cc983c
arm-hyp refine: remove crunch sorries in DomainTime_R
...
Still two sorries left that depend on vgicMaintenance.
2017-06-19 14:32:30 +10:00
23d80dd261
arm-hyp refine: Ipc_R sorry free
2017-06-19 14:32:30 +10:00
fa5448625b
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:29 +10:00
cb5e0bcd7e
arm-hyp refine: VSpace_R incremental progress (vcpuSwitch invariants)
2017-06-19 14:32:29 +10:00
b74e8c59a2
arm-hyp refine: Schedule_R sorry free
...
- last few sorries are moved to VSpace_R
2017-06-19 14:32:29 +10:00
774448a7de
arm-hyp refine: Untyped_R sorry free
2017-06-19 14:32:29 +10:00
35e751f005
arm-hyp refine: PageTableDuplicates sorry-free
2017-06-19 14:32:29 +10:00
10e8973abb
arm-hyp refine: reduce sorries in Ipc_R
2017-06-19 14:32:29 +10:00
8ccba110a1
arm-hyp refine: reduce (more) sorries in VSpace_R
2017-06-19 14:32:29 +10:00
36146506ee
arm-hyp refine: reduce sorries in VSpace_R
2017-06-19 14:32:29 +10:00
4067704e99
arm-hyp refine: reduce sorries in PageTableDuplicates
2017-06-19 14:32:29 +10:00
8ae1d84e94
arm-hyp refine: reduce sorries in Finalise_R
2017-06-19 14:32:29 +10:00
96958113ef
arm-hyp refine: IPCCancel sorry-free
...
inlcuding simplification to ep and ntftn state_hyp_refs_of lemmas
2017-06-19 14:32:29 +10:00
1e9d0dc006
arm-hyp refine: completed remaining instances of no_vcpu class
2017-06-19 14:32:29 +10:00
2f972cfffd
arm-hyp refine: more vcpuSwitch hoare triples
2017-06-19 14:32:29 +10:00
69d16699ee
arm-hyp refine: Introducing no_vcpu typeclass to avoid duplicated lemmas
...
* Then idea with this class is to be able to genericaly constrain
predicates over pspace_storable values to are not of type VCPU,
this is useful for invariants such as obj_at' that are trivialy
true (sort of) if the predicate and the function (in the hoare
triple)
2017-06-19 14:32:29 +10:00
89496b3d90
arm-hyp: valid_arch_state'
2017-06-19 14:32:28 +10:00
a751e4f798
arm-hyp refine: More invariants for vcpuSwitch and alike
2017-06-19 14:32:28 +10:00
d1eef6c026
arm-hyp refine: Detype_R sorry free
2017-06-19 14:32:28 +10:00
511d3f5c40
arm-hyp refine: one sorry left in Detype_R
2017-06-19 14:32:28 +10:00
bdd6f9c896
arm-hyp refine: add armUSGlobalPD to global_refs' in Invariants_H
2017-06-19 14:32:28 +10:00
a6b0559e23
arm-hyp refine: set_vm_root_corres and auxiliary lemmas
2017-06-19 14:32:28 +10:00
e52c985b4b
arm-hyp refine: add valid_arch_tcb' invariant (vcpu_at' for atcbVCPUPtr)
2017-06-19 14:32:28 +10:00
9103207d8a
arm-hyp refine: fix storePDE/storePTE sorries in VSpace_R
2017-06-19 14:32:28 +10:00
4260a2c545
arm-hyp refine: new definition of valid_arch_state', with more sorries for now
...
valid_arch_state' now requires armHSCurVCPU to be a pointer to a live' vcpu
2017-06-19 14:32:28 +10:00
aa82471c17
arm-hyp refine: Invariants_H sorry free
2017-06-19 14:32:28 +10:00
1c85326bac
arm-hyp refine: new definition of valid_vcpu'
...
this introduces a more accessible definition of valid_vcpu'
2017-06-19 14:32:27 +10:00
4e90b0558f
arm-hyp refine: fixing some broken lemmas after the last batch of changes
2017-06-19 14:32:27 +10:00
b7e754bf1b
arm-hyp refine: vcpu{Switch,Save,Enable,etc}_corres + other related lemmas
2017-06-19 14:32:27 +10:00
76b02fe736
arm-hyp ainvs: Fixing StateRelation due to some renaming in abstract/haskell
2017-06-19 14:32:27 +10:00
740d606774
refine: closed the Orphanage
...
Not necessary for CRefine and better proved on the abstract spec now.
To be resurrected (on abstract) in the future.
2017-06-19 14:32:27 +10:00
75acdb3823
arm-hyp refine: add IRQReserved to state relation
2017-06-19 14:32:27 +10:00
e2d8a0ae50
arm-hyp refine: Tcb_R sorry free
2017-06-19 14:32:27 +10:00
bc40dc4a46
arm-hyp refine: remove unused ADT_H lemma
2017-06-19 14:32:27 +10:00
e9d3c3eb54
arm-hyp: remove unused ParityEnabled in aspec; solve sorries in ADT_H
...
ParityEnabled isn't used in ARM_HYP and we had to prove its absence as
invariant, which in turn makes the abstraction function from Haskell
to abstract partial (only works when invariants hold).
This commit removes that problem by removing ParityEnabled from the
abstract spec. Updated ainv and refine as necessary.
2017-06-19 14:32:27 +10:00
61136c29fd
arm-hyp: wp_pre rebase repair
2017-06-19 14:32:27 +10:00
f33d584cac
arm-hyp refine: proof repair for spec updates
2017-06-19 14:32:26 +10:00
5a03004e2c
refine: minor cleanup
2017-06-19 14:32:26 +10:00
29abd9a19e
arm-hyp/refine: vgic maintenance updates
2017-06-19 14:32:26 +10:00
e4d8bb1d4f
arm_hyp/refine: 'getActiveIRQ in_kernel' updates
2017-06-19 14:32:26 +10:00
e6c70be8a5
arm-hyp refine: Adding vcpuSwitch_corres and similar
2017-06-19 14:32:25 +10:00
43c742901b
arm-hyp refine: trivial: remove spurious Eisbach import
2017-06-19 14:32:25 +10:00
edee892ac0
arch_split: refine: remove spurious reference to ARM namespace
2017-06-19 14:32:25 +10:00
4d97cdd6a3
arch_split: refine: update DetSchedSchedule_AI imports
2017-06-19 14:32:25 +10:00
56c00ab03a
arm-hyp refine: sorrying done
2017-06-19 14:32:25 +10:00
18d76773fa
arm-hyp refine: sorrying done upto VSpace_R
2017-06-19 14:32:25 +10:00
fd79501491
arm-hyp refine: ArchAcc_R done
...
tags: [VER-696]
2017-06-19 14:32:24 +10:00
881ce3e8cb
arm-hyp refine: Invariants_H done for now, sorried up to ArchAcc_R
2017-06-19 14:32:24 +10:00
9060562bfe
arm-hyp refine: update refine for the rebase (includes all the changes)
...
None of these files contain arm-hyp specific changes yet.
2017-06-19 14:32:24 +10:00
00a68d1470
arm-hyp refine: sorrying in progress (now in CSpase_R)
2017-06-19 14:32:23 +10:00
8cf46846b5
arm-hyp refine: Invariants_H and StateRelation updated
2017-06-19 14:32:23 +10:00
e3cb71ef04
arm-hyp refine: copy ARM files to ARM_HYP directory, updating invariants in progress
2017-06-19 14:32:23 +10:00
Gerwin Klein
Corey Lewis
Victor Phan
MiladKetabi
Amirreza Zarrabi
Michael McInerney
Edward Pierzchalski
Matthew Brecknell
Rafal Kolanski
Japheth Lim
Mitchell Buckley
Thomas Sewell
Joel Beeren
Michael Sproul
Rafal Kolanski
Maksym Bortin
Matthew Fernandez
Miki Tanaka
Pang Luo
Joel Beeren
Daniel Matichuk
Alejandro Gomez-Londono
Alejandro Gomez-Londono
Gerwin Klein