In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
Added set_object_wp_strong, which infers from a given hoare triple with
command set_object that the object of same type already exists in the
heap, and hoare_set_object_weaken_pre which does the same thing, but can
be applied on top of existing lemmas about set_object.
ainvs: improve proof of set_thread_state_runnable_valid_blocked
ainvs: change return value to a more general one
in_set_object has a return value that is empty '()', but the theorem
still holds true when replaced with a generic parameter 'rv' making it
easier to use this lemma.
ainvs: trivial - updated style of proof
ainvs: strengthen set_object_idle lemma
Add conditions imposed by valid_idle into precondition.
Thank you to Matt Brecknell for the help.
ainvs: abbreviated Hoare triples and proof fix
ainvs: restated set_object_wp_strong with auxiliary lemmas
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Move in a few set_object and set_aobject theorems from x64 theory files
as these theorems were architecture generic.
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
A handful of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
  scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
  fast switch, not its priority, accepting possible candidates
  immediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
  against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
  are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
- SELFOUR-30 Reschedule when changing own IPC buffer
  Previously if you invoked the TCB of the current thread and
  changed the IPC buffer frame this would not immediately take
  effect, as the kernel's view of the current IPC buffer is
  updated in Arch_switchToThread. This change forces Arch_switchToThread
  to get called, even if we would switch back to the original
  thread.
- SELFOUR-291 Reschedule when changing own registers
  Previously if you wrote to the TCB of the current thread and
  changed the TLS_BASE this would not immediately take
  effect, as the kernel only updates this register in
  Arch_switchToThread. This change forces Arch_switchToThread
  to get called, even if we would switch back to the original
  thread.
Contains changes to the generic theory, back-ported and arch-split from
ARM_HYP, as well as corresponding changes to the ARM theory.
Also-by: Gerwin Klein <Gerwin.Klein@data61.csiro.au>
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The things that usually go wrong:
- wp fall through: add +, e.g.
  apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
  sometimes the wp instance relies on being able to fit a rule to the
  current non-schematic precondition. In that case, use "including no_pre"
  to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
  new trivial cleanup rules, because the rest of the script assumes some
  specific state afterwards (shouldn't happen in a reasonable proof, but
  not all proofs are reasonable...). In that case, (wp_once ...)+ should
  emulate the old behaviour precisely.
* Rephrasing of all the lemmas that used to refer to tcb_context as
  a direct value on tcb.
* Providing arch-specific lemmas about handle_arch_fault_reply and
  make_arch_fault_msg to deal with handle_fault_reply and make_fault_msg
  new arch-specific cases.
* Trivial but arch-specific proofs about reserved_irq
tags: [VER-623][SELFOUR-413]
This reverts:
- a67b443ca5
  "SELFOUR-242: update goal number based indentation in Fastpath_C"
- f704cf0404
  "SELFOUR-242: invert bitfield scheduler and optimise fast path"
Verification confirmed functional correctness and refinement of the
system in this case. However, guarantees on thread scheduling and
fairness are not modeled in the current verification. Once this issue is
addressed, SELFOUR-242 will be re-examined.
* Reverse the level 2 of the bitmap scheduler to move the highest priority
threads' level 2 entries into the same cache line as the level 1.
* Use the bitfield scheduler to make the fast path a more common occurrence.
* Change possibleSwitchTo to not invoke scheduler when the fast path would not
invoke it either (using implicit assumptions about the current thread being
the highest priority schedulable thread)
These changes to the automatons are required by:
SELFOUR-242: invert bitfield scheduler and optimise fast path
Details:
When we enter the kernel, the domain time left (ksDomainTime) is never zero.
If we entered on a timer interrupt, we may decrement it to zero before the
scheduler runs. If we do so, we set the scheduler state to choose_new_thread.
When choosing a new thread, the scheduler switches to a new domain if the
present one is required, and sets the new domain time left from domain_list
(ksDomSchedule).
When entering the kernel on a non-interrupt event, we never touch the domain
time left, which trivially preserves the new constraints.
To prove these, we had to ban a transition from kernel entry to kernel being
preempted when handling an interrupt event in InfoFlow. This is fine, as by
design handling interrupts is not meant to be preempted by interrupts.
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strengthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).