1db6ae7cf0
riscv: add kdev_base/kdevBase to handle RISCVVSpaceDeviceWindow and update proofs
...
- Add HiFive.hs to replace Spike.hs, it's the same except for kdevBase
addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.
2019-11-13 16:27:30 +11:00
c7fb4dcf2b
riscv aspec/ainvs: redefine kernel_elf_base to point to be kernelELFBase
2019-11-13 16:08:52 +11:00
6f94fff163
riscv aspec/ainvs: rename kernel_base to kernel_elf_base
2019-11-13 16:08:42 +11:00
d1f3afc4f2
riscv ainvs: close sorries for adding IRQ invocations
...
- Add setTrigger lemmas: setIRQTrigger_irq_masks, dmo_setIRQTrigger_invs
and no_irq_setIRQTrigger
- Modify primrec arch_irq_control_inv_valid_real to include similar
conditions to its equivalent in ARM, but with the minor chnage of irq !=
irqInvalid.
2019-11-12 18:28:40 +11:00
0d7c2fff48
riscv ainvs: add support to thread id registers
2019-11-12 18:28:40 +11:00
26b25838d0
riscv ainvs: close sorry for introducing kernelELFBase
2019-11-12 18:28:40 +11:00
a5e27933a5
riscv: cleanup; resolve remaining FIXMEs
2019-11-12 18:28:40 +11:00
d2584a3692
cleanup: collect word lemmas
2019-11-12 18:28:40 +11:00
cbc31e31e1
ainvs+refine: provide def of mask_range in InvariantsPre
...
(used to be ptr_range in riscv, which is too overloaded)
2019-11-12 18:28:40 +11:00
82bcbdc137
riscv ainvs: prove that example state satisfies invs
2019-11-12 18:28:40 +11:00
090894c990
riscv aspec+ainvs: define a consistent initial page table
...
Simpler than the real kernel layout, but will show that invariants are
consistent.
2019-11-12 18:28:39 +11:00
9d81f85c38
riscv: force vptr alignment in PTMap decode
...
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162
2019-11-12 18:28:39 +11:00
b5c47d552e
riscv aspec+ainvs: perform_pg_inv_unmap: update cap in memory
...
The argument cap is the same as the one in memory, but it's less work to not
prove that.
2019-11-12 18:28:39 +11:00
f7bf957c71
riscv ainvs: adjustments for unmap_page change
2019-11-12 18:28:39 +11:00
430a345aeb
riscv aspec: avoid type variable warning and freeindex increase
2019-11-12 18:28:38 +11:00
9846cd42bb
proof: update for crunch changes
2019-10-14 17:23:41 +11:00
dd48e0d899
proof: update for wp changes
...
Updated 'wp_once' to 'wp (once)' and removed several stray uses of 'wp_trace'.
2019-10-14 17:12:18 +11:00
4e14c1ffcb
ainvs: add invs_implies lemma, a collection of invs lemmas
2019-10-10 11:27:01 +11:00
fc06d03f84
riscv ainvs: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:27:01 +11:00
89510ac172
x64 ainvs: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:27:01 +11:00
10127117ee
arm-hyp ainvs: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:26:53 +11:00
558b2e8f37
arm ainvs: update for PageMap replacing PageRemap (SELFOUR-161)
2019-10-10 11:26:44 +11:00
acbc08b836
clean-ups done during proof update for the jira issue SELFOUR-1187: seL4 setPriority should attempt a direct schedule
2019-10-06 18:31:19 +11:00
d934d25269
proof update for SELFOUR-1187: seL4 setPriority should attempt a direct schedule
...
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
2019-10-06 18:31:19 +11:00
5e2f9bd83b
ainvs: shorten proof of unique_table_refs_upd_eqD
2019-07-31 16:56:29 +10:00
bcfefb359b
riscv ainvs cleanup: remove unused crunches
2019-07-31 16:56:29 +10:00
cf168e2714
riscv ainvs: update cartouches to Isabelle2019 style
2019-07-31 16:56:29 +10:00
f29e73bc58
lib: move more facts on Numeral_Type from invariant proofs into lib
2019-07-31 16:56:29 +10:00
a1dca67543
riscv aspec/ainvs: resolve FIXMEs, reduce warnings
...
Mostly moved lemmas and definitions to more suitable locations.
Removed unused lemmas and commented-out code.
Resolved simple Isabelle warnings.
2019-07-31 16:56:26 +10:00
f8dc660baf
riscv aspec/ainvs: move init_vspace_uses and canonical_user to spec
...
Needed to define an initial state that satisfies invariants.
2019-07-31 16:55:32 +10:00
56bbcb3b41
riscv ainvs: remove unused store_pte_equal_kernel_mappings
2019-07-31 16:55:32 +10:00
06010ef565
ainvs: adjustments for global None_upd_eq[simp]
2019-07-31 16:55:32 +10:00
0c9c594026
ainvs: adjustments for stronger ArchFinalise interface assumptions
2019-07-31 16:55:32 +10:00
cf2a4d2743
riscv ainvs: cleanup in crunch setup and invariant definitions
2019-07-31 16:55:32 +10:00
3369b33431
riscv ainvs cleanup: remove unused lemma
2019-07-31 16:55:32 +10:00
29f5ac319c
riscv ainvs: the sound of the last lemma fitting perfectly
2019-07-31 16:55:32 +10:00
7440b7b7a4
riscv ainvs: close sorry for perform_page_table_invocation
2019-07-31 16:55:32 +10:00
9acd6b2729
riscv ainvs: slightly tighten store_pte precondition for valid_vs_lookup
2019-07-31 16:55:32 +10:00
e77f11da9e
riscv ainvs: close sorries on PageTableUnmap invocation
2019-07-31 16:55:32 +10:00
3e5c0b7cf5
ainvs: provide real_cte assumption for arch decode functions
2019-07-31 16:55:32 +10:00
55ed773c49
riscv ainvs: fix comment
2019-07-31 16:55:32 +10:00
e4f7e4676a
riscv ainvs: close perform_pg_inv_unmap, remove unused unmap lemmas
2019-07-31 16:55:32 +10:00
67e4d89ca2
riscv ainvs: close mapM sorry in ArchVSpace
2019-07-31 16:55:32 +10:00
4a73ad6ef1
riscv ainvs: cleanup tweak for store_pte_invs
2019-07-31 16:55:32 +10:00
af6e0765c5
riscv aspec+ainvs: spec bugfix for arch_finalise_cap; finish ArchFinalise
2019-07-31 16:55:32 +10:00
366fb4988f
riscv ainvs: remove unused/duplicate store_pte lemmas
...
New proofs of invariant preservation over store_pte supersede old and
broken ones.
2019-07-31 16:55:32 +10:00
8b1bb46293
riscv ainvs: preservation of invs over store_pte
...
Proofs for valid_vspace_objs and valid_vs_lookup are rather repetitive
and could use extraction of a common principle involving vs_lookup_table
over an updated state.
2019-07-31 16:55:32 +10:00
48e52e4ab9
riscv ainvs: sorry store_pte_valid_vspace_objs
...
remove its dependency, rename to _FIXME_RISCV for further inspection,
remove from wp set
2019-07-31 16:55:32 +10:00
34f901ec39
riscv ainvs: prove store_pte_PageTablePTE_valid_vspace_objs
...
There is room to extract a property of vs_lookup_table on an updated
state, but for now the manipulation is done inline.
We needed an extra restriction that we do not introduce a loop by adding
a PTE to an empty table that would point to itself.
2019-07-31 16:55:32 +10:00
82df777dd7
riscv aspec: fix spec bug in pt_lookup_from_level
...
This spec bug was inspired by slightly differently but similarly wrong C code
(SELFOUR-2091). Current change brings it into sync with the (correct, we think)
C. Proof update included.
2019-07-31 16:55:32 +10:00
0603b7d57c
riscv ainvs: adjust frame invocation conditions; prove decode
2019-07-31 16:55:32 +10:00
ea334dc044
riscv ainvs: cleanup, combine unique_vs_lookup_table/no_loop_vs_lookup_table
...
Prove the same for vs_lookup_slot, moving up lemmas and global_pt abbreviation
from ArchVSpace.
2019-07-31 16:55:32 +10:00
f443145e9c
riscv ainvs: more vs_lookup_target/table properties
2019-07-31 16:55:32 +10:00
e46c7403fc
riscv ainvs: reduce ArchArch to page invocation decode
2019-07-31 16:55:32 +10:00
7a712d9d53
riscv ainvs: close 2 more sorries in ArchFinalise
2019-07-31 16:55:32 +10:00
faa124c6a1
riscv ainvs: clean out unused and vcpu-related lemmas
2019-07-31 16:55:32 +10:00
c08668c165
riscv ainvs: prove empty_slot invs in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
06f59c5f32
riscv ainvs: remove unused lemmas in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
cc02bb366c
riscv ainvs: close 4 asid_table sorries in ArchFinalise
2019-07-31 16:55:32 +10:00
e268d57128
riscv ainvs: clear sorries in ArchArch up to decode lemmas
2019-07-31 16:55:32 +10:00
ae30dff1a4
riscv ainvs: adjust and prove asid_update locale in ArchArch_AI
2019-07-31 16:55:32 +10:00
40587d59fe
riscv ainvs: progress in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
159a11baea
riscv ainvs: prove set_asid_pool_invs_restrict
...
+ update for extra preconditions on asid removal
2019-07-31 16:55:32 +10:00
f78f8c9092
riscv ainvs: minor cleanup/moving lemmas in ArchAcc_AI
2019-07-31 16:55:32 +10:00
57b8f451b1
riscv ainvs: prove set_asid_pool_vs_lookup_unmap'
2019-07-31 16:55:32 +10:00
f52c70af73
riscv ainvs: valid_vspace_objs over non-PTPTE store_pte
...
Weakened rules specific to InvalidPTE, showed
store_pte_PagePTE_valid_vspace_objs
2019-07-31 16:55:32 +10:00
a252e040e4
riscv ainvs: prove perform_asid_pool_invs
...
This includes various lemmas on copy_global_mappings.
2019-07-31 16:55:32 +10:00
0122b80dc5
riscv ainvs: improve ex_vs_lookup_table notation
...
Should now contract.
2019-07-31 16:55:32 +10:00
0f8d69a029
riscv ainvs: idempotency of lookups over unreachable updates
...
If there is no way to look up a vspace object, then changing it cannot
affect existing lookup paths.
2019-07-31 16:55:32 +10:00
2901899cc8
riscv ainvs: more invariant preservation over store_pte
...
shown preservation of:
valid_table_caps
valid_global_tables
valid_global_arch_objs
unique_table_refs
unique_table_caps
valid_asid_pool_caps
2019-07-31 16:55:32 +10:00
7409acb3e6
riscv ainvs: lift some set_pt properties to store_pte
2019-07-31 16:55:32 +10:00
744a85c311
riscv ainvs: remove simple sorries ArchArch_AI
2019-07-31 16:55:32 +10:00
6448a3c47d
riscv ainvs: clean out invariants and preconditions on ASID size
...
These are now already enforced by type.
2019-07-31 16:55:32 +10:00
75efc6a90c
riscv ainvs: remove 3 sorries ArchVSpace_AI
2019-07-31 16:55:32 +10:00
bb7062c263
riscv ainvs: clear out 7 sorries about replacable caps in ArchFinalise
...
(plus removal of one unused lemma)
2019-07-31 16:55:32 +10:00
d6a5b3c983
riscv ainvs: wellformed_mapdata more RISCV-idiomatic
...
use "vref : user_region", instead of pptr_base and canonical_address, which
was more an X64 idiom
2019-07-31 16:55:32 +10:00
f90a9d1080
riscv ainvs: close one sorry in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
6c3fb3a1cb
riscv ainvs: removed two unused lemmas (and sorries)
2019-07-31 16:55:32 +10:00
406a3eb9b4
riscv ainvs: idempotency of vs_lookup_table over kheap update
...
When we look up a vref and reach a page table / asid pool, it could not
have been used in the lookup and hence changing it has no effect on the
lookup.
2019-07-31 16:55:32 +10:00
8db6a74716
riscv ainvs: clear unneeded is_aligned from pt_walk_eqI up
2019-07-31 16:55:32 +10:00
a893a40aa5
riscv ainvs: reduce sorries in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
8fb9aa8b91
riscv ainvs: reduce sorries in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
1b9a7d3174
riscv ainvs: more automatic atyp_at lifting; vs_ap_ref_arch_simps
2019-07-31 16:55:32 +10:00
a88891ea7c
riscv ainvs: adjustments for is_valid_vtable root spec fix
2019-07-31 16:55:32 +10:00
c386d2a85e
riscv ainvs: remove trivial sorry in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
2f2b7b0c7f
riscv ainvs: ArchRetype_AI sorry-free
2019-07-31 16:55:32 +10:00
298445c347
riscv ainvs: update ArchKernelInit_AI for user_region refactor
2019-07-31 16:55:32 +10:00
3171901efd
riscv ainvs: -1 sorry in ArchRetype_AI
2019-07-31 16:55:32 +10:00
cd49720dbe
riscv ainvs: refactor user_region to be state-independent
...
This refactoring makes user_region statically equal to {0 .. canonical_user},
which removes the need for a valid_uses s precondition in most lemmas about
user_region, which is needed for the generic/architecture interface in
ArchRetype_AI.
To express that this is equivalent with the old concept, there is a new
"user_window s", which under valid_uses, is the same set as user_region, but
demands that memory uses are correctly set to RISCVVSpaceUserRegion.
2019-07-31 16:55:32 +10:00
04926d48e4
riscv ainvs: clean-up (comment addressed in ArchAInvsPre)
2019-07-31 16:55:32 +10:00
30bda7cdc4
riscv ainvs: reduce sorries in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
b27fa1e41e
riscv ainvs: reduce sorries in ArchAcc_AI
2019-07-31 16:55:32 +10:00
2b359f6265
riscv ainvs: typos: canoncial->canonical
2019-07-31 16:55:32 +10:00
89aafed912
riscv aspec+ainvs+haskell: update kernelBase, paddrLoad to match C
...
update for changeset 897aaf5b13f39ba2b9ca8ade3a58d1350eb42ad7
This changes properties of kernel_base, thereby invalidating two unused
lemmas: mask_out_8_le_kernel_base, mask_out_8_less_kernel_base
2019-07-31 16:55:32 +10:00
96b3876ad1
riscv ainvs: complete level uniqueness proof
...
ex_vs_lookup_level shows we can't find the same table/pool at different
lookup depths; combined with unique_vs_lookup_table we can now show that
there exists only one lookup path from the ASID table to any table/pool
object in the system
2019-07-31 16:55:32 +10:00
240302d89b
riscv ainvs: complete proof of no_loop_vs_lookup_table
...
Long-running joint work with Gerwin Klein.
This lemma demonstrates that from our invariants, when looking up two virtual
addresses in the same ASID, if lookups end up at the same page table, then
the page table must be found at the same level, disallowing loops in
either of the lookups.
2019-07-31 16:55:32 +10:00
b2600af6ec
riscv ainvs: -2 sorries in ArchRetype_AI
2019-07-31 16:55:32 +10:00
439b56eb11
riscv ainvs: adjust for pt_walk_0[simp]
2019-07-31 16:55:32 +10:00
5b0aa53836
riscv ainvs: add and migrate lemmas to ArchInvariants_AI
...
Adds properties of:
- vm_levels
- ptrFromPAddr alignment
- alignment of lookup/walk results
Some other lemmas migrated from ArchAcc_AI.
2019-07-31 16:55:31 +10:00
0296b241c8
riscv ainvs: generalise pt_slot_offset_vref/pt_slot_offset_vref_for_level_eq
...
Apply to any higher level rather than only max_pt_level.
2019-07-31 16:55:31 +10:00
Victor Phan
Gerwin Klein
Corey Lewis
MiladKetabi
Rafal Kolanski