This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`register_t` only needs to be able to index into the TCB user context
array, which has 35 entries on RISC-V. Therefore `uint8_t` is
sufficient.
Using the smallest possible type for `register_t` helps with binary
verification. This shrinks static read-only data, which in turn reduces
the complexity of binary verification proof search.
This commit verifies the corresponding C kernel patch.
Co-authored-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
Signed-off-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Progress towards verification of new and more efficient implementations
of library functions to could leading and trailing zeros.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The binary verification tools perform inlining of C specifications, to
simulate inlining that has been performed in the binary. This means that
`DONT_TRANSLATE` and `inline` are incompatible, since the binary
verification tools require C specifications for any functions that have
been inlined in the binary.
This `DONT_TRANSLATE` annotation was added with a `MODIFIES` annotation
for the proof of `resetUntypedCap_ccorres`. That proof has been reworked
so that it no longer requires the `MODIFIES` annotation in the C.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
When exception-aware lifting was enabled in `csymbr`, a small number of
existing proofs were broken. The `csymbr_legacy` method was added to
preserve the old behaviour of `csymbr` for those proofs.
This commit updates those proofs to use the new `csymbr` behaviour.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new variable lifting behaviour that was recently added to the
`cinit`, `clift` and `ctac` commands is now also added to `csymbr`.
This means `csymbr` variable lifting is now sensitive to exceptional
control flow.
Since this breaks some existing proofs, we add a new `csymbr_legacy`
command with the old behaviour, and use it where necessary.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
SimplExportAndRefine is now split into two steps;
AutoCorresTest moved to its own directory.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
We believe this commit fixes the issue described in the previous commit.
It also reverts that commit, since the proofs that the C state relation
is empty no longer work.
As the previous commit demonstrated, it is important to demonstrate the
non-triviality of properties. In this case, we should exhibit a witness
of the non-emptiness of the C state relation. We have not yet done that.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new kernelExitAssertions need to be threaded through the fastpath
and integrated in the right place in the theorems about callKernel.
In InfoFlowC we have yet another refinement framework, and we're taking apart
callKernel to isolate the `schedule` call which is significant in the
infoflow proof and needs the new assertion inserted as wel. After some force
applied, this does work as well.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
the definition of objBits is in Haskell, so has to use pteBits instead of
pte_bits (not in scope)
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Completed decodeRISCVFrameInvocation_ccorres, synced with C changes and
cleaned up a little.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Since on RISCV64 we do not have restrictions on arch objects in
valid_obj', for the state relation to form a function from abstract to
concrete, we need to restrict the domains of the abstract asid pools.
Further we also need to ensure ASID 0 is not used in any of them, as
that is a sentinel value for "no ASID".
This is analogous to the restriction placed by valid_obj' on ASIDs on
X64, except occurring in the state relation rather than an invariant.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>