There are probably lots of lemmas missing but this will allow people to
move forward beyond VSpace_C to other files.
Many sorries are dependent on C changes still in the pipeline
On x64, there are only 3 possible page sizes, so it is no longer
possible to deduce that a page size is well-formed from just the
bitfield struct (previously there were 4 page sizes for a 2-bit field).
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
Changes to the C kernel to mitigate the Meltdown vulnerability have
removed x64KSCurrentCR3, and replaced it with other state. As a
temporary fix, this commit removes references to x64KSCurrentCR3 from
the C state relation to keep existing proofs working.
For x64 verification, this ultimately needs to be replaced with a
relation on the new state that has been added, and the specs updated
accordingly.
This change was a result of the constant "(tcb_t*)~0" being defined as
0x00000000FFFFFFFF on x86-64 (0 is implicitly a 32-bit integer) rather
than 0xFFFFFFFFFFFFFFFF as expected.
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
This commit adds a method `ac_init`, which converts a ccorres goal into
a corres goal. It also adds an attribute `ac`, which converts a ccorres
fact into a corres fact, in a form suitable for solving goals produced
by `ac_init`.
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
A private abbreviation in an anonymous context incidentally incremented
the global counter Variable.max_idxof which is used to avoid
name-collisions in lemmas.
For some reason (not obvious) the abbreviation in question was
incrementing the counter, and because it
was only in an X64 file, this resulted in X64 and the other
architectures getting out of sync. This was file previously, but became
a problem when processing the generic file lib/clib/Corres_C.
This commit adjusts the abbreviation to not increment the counter, and
fixes Refine and SR_lemmas_C to account for this change.
- a case-statement in decodeARMMMUInvocation has an if-statement with a conjunction of three conditions, but they are translated in different orders between arm and arm-hyp and currently the crefine proofs depend on those orders.
- this fix is not a fundumental solution, but, given how reliable the haskell translator is, not sure how much effort we should be putting in here
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
Somewhere automation has failed, resulting in virq_C not being in a size
class, hence arrays not being in packed_type. Therefore typ_heap_simps
would not work since strictly speaking there was no indication the
object could be stored in memory.
This caused hours of suffering for all concerned.
- add proper ccorres_pre_gets_armKSGICVCPUNumListRegs_ksArchState
- many of the other ccorres_pre_gets* lemmas are TOO WEAK to use safely!
- shiftr_and_eq_shiftl (proof by Matthew Brecknell)
The Haskell invariant now describes the page mappings necessary for LargePage
and SuperSection. Updates to refine/* to repair the corresponding fallout.
This commit moves some of the largePagePTEOffset et al lemmas from CRefine up
into Refine.
A small number of small but fiddly word lemmas are currently still sorried.
Solves goals of the following shape (rf_sr on fields of VCPUs):
⟦ (σ, σ') ∈ rf_sr; ko_at' vcpu vcpuptr σ ⟧
⟹ (σ⦇ksPSpace := ksPSpace σ(vcpuptr ↦ KOArch (KOVCPU (f vcpu)))⦈,
globals_update
(t_hrs_'_update (hrs_mem_update (heap_update (Ptr &(vcpu_Ptr vcpuptr→[''some_field''])) val)))
σ')
∈ rf_sr
I was not able to generalise this more. A rule would be better, but I don't
know how to bind one to the textual field lookup.
It's also slow, 10s per invocation, but at least it works.
see: vcpureg_eq_use_types
Transforms (of_nat (fromEnum reg) = scast seL4_VCPUReg_SCTLR)
into (reg = VCPURegSCTLR)
letting you do cases on reg. There are no cases for seL4_VCPUReg*.
Inspired by invocation_eq_use_types
Repurposed nearly all of old Arch_decodeInvocation_ccorres into
decodeARMMMUInvocation_ccorres.
Educated guess at a stub for decodeARMVCPUInvocation_ccorres.
Attribute does not exist in abstract spec, is nailed to False in
Haskell. In C it naturally gets mapped across in vmAttributesFromWord,
passed around everywhere, at which point the attribute is ignored
anyway.
Remap for large pages was correct in C, but hard to verify. Map however was
wrong (i.e. unchanged from ARM).
Abstract/haskell are same as ARM for both, hence they are being fixed.
* New archThreadSet_tcbVCPU_Basic_ccorres for updating the
associated vcpu inside a tcb
* New setObject_vcpuTCB_Basic_ccorres for updating the
associated tcb inside a vcpu
This is the top level file of crefine and last file of this sorrying run.
The new handleInterrupt (due to the new getActiveIRQ flag) has more specific
requirements about the current thread's state and queued status, which
are sorried, but probably true.
Some interesting questions about ctac/cinit/csymbr resulted in sorries
that look obviously true, but any attempt at touching them results in
exeception TERM despite many attempts.
There is a non-trivial issue with the pde/pte state relations no longer
being injective, due to HAPFromVMRights not being injective.
handleHypervisorEvent_C updated in both locations (no idea why two),
generating some interesting questions about cinit/ctac usage.
setArchTCB_C becomes setTCBContext_C because we only set the context on
entry into the kernel, not the VCPU pointer.
Introduce machine_bits_defs to catch even more items,
e.g. vcpu_bits and vcpuBits
Clean up all current uses of p[td]e?_bits in favour of Haskell
equivalent names and table_bits_defs simplification.
Drop p[td]eBits_eq and vcpuBits_eq from simpset.
CRefine is a theory of refinement from Haskell spec to C.
Let's avoid having to change tons of p(t|d)Bits lemmas to refer to some
abstract spec constants for no reason.
e.g. if you have a: "P ptBits" and want to prove "P 12" "simp add: a"
will NOT work, as the simplifier does not do that level of
simplification of rules supplied to it.
In hyp mode we don't share an address space with our users, so we flush
by kernel MVA instead. We need to also know that there isn't an overflow
after the ptrFromPAddr translation from physical to kernel virtual.
Other platforms such as arm-hyp will need to look into additional TCB state
such as VCPU in sanitiseRegister. This commit provides the scaffolding for
that.
On ARM with hypervisor extensions (arm-hyp), sanitiseRegister needs vcpu
data from the arch TCB component, thus adding an extra parameter.
This is a quick fix based around normal ARM not using that parameter,
and hence does not provide enough to get the proofs through on arm-hyp.
To do it properly requires additional work around the sanitiseRegister
call-site, which needs unwrapping it from asUser and zipWithM.
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
SUPREMUM changed from a definition to an abbreviation.
A number of proofs that previously used blast, fastforce or auto to
solve goals involving UNION, now either fail or loop. This commit
includes various ad-hoc workarounds.
Joel Beeren
Corey Lewis
Rafal Kolanski
Thibaut Perami
Gerwin Klein
Thomas Sewell
Japheth Lim
Michael Sproul
Matthew Brecknell
Matthew Fernandez
Alejandro Gomez-Londono
Pang Luo
Joel Beeren
Adrian Danis
Alejandro Gomez-Londono
Miki Tanaka
Gerwin Klein