All invariants that are pure interface definitions and otherwise
unused in RISC-V are now collected in a separate section to make more clear
what is used and what is not.
Added definitions for cap_asid and empty_table, which turns out is needed in
its complex form, because it is used in generic theorems. The simple form lives
on as empty_pt.
Mask out bottom bits of asid and vref in the cap; otherwise this
invariant would demand many caps for the same vspace object, one for
each combination of bottom "junk" bits.
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
arm ainvs: cleanup
Abbreviate Hoare triples that do not care about the return value and
whose pre and post conditions are the same.
x64 ainvs: cleanup
ainvs: cleanup
x64 ainvs: cleanup
drefine: cleanup
Added set_object_wp_strong, which infers from a given hoare triple with
command set_object that the object of same type already exists in the
heap, and hoare_set_object_weaken_pre which does the same thing, but can
be applied on top of existing lemmas about set_object.
ainvs: improve proof of set_thread_state_runnable_valid_blocked
ainvs: change return value to a more general one
in_set_object has a return value that is empty '()', but the theorem
still holds true when replaced with a generic parameter 'rv' making it
easier to use this lemma.
ainvs: trivial - updated style of proof
ainvs: strengthen set_object_idle lemma
Add conditions imposed by valid_idle into precondition.
Thank you to Matt Brecknell for the help.
ainvs: abbreviated Hoare triples and proof fix
ainvs: restated set_object_wp_strong with auxiliary lemmas
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Move in a few set_object and set_aobject theorems from x64 theory files
as these theorems were architecture generic.
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Removed update_object, which does the same thing as the new version of
set_object, and replaced it with set_object.
x64 ainvs: update for new definition of set_object
Rename legacy update_object definitions to set_object definitions and
remove related lemmas (to move up into architecture generic
KHeap_AI.thy). Remove simpler_defs as the set_object definitions are now
equivalent.
x64 ainvs: move x64 specific lemma back to ArchKHeap_AI
set_aobject_valid_arch move back after confirmation with Matt Brecknell
that it is x64 specific
x64 ainvs: update for new definition of set_object
Fixed some proofs a result of removing set_arch_obj_simps from the simp
set.
Addresses issue VER-1036.
Previously, there were pointer alignment invariants in valid_pte, etc.
However, these had two problems:
1. valid_pte was conditioned on the PTE being mapped, so we couldn't
rely on PTE pointers being aligned unconditionally (see VER-1036).
2. The existing alignments were actually incorrect for large pages.
Proofs that needed the true alignments, obtained them from other
parts of invs (e.g. valid_objs).
This commit moves the alignment invariants to wellformed_pte, etc.
and changes them to use the correct values.
Integrity and pasRefined are majorly changed
The main repercussions are:
- 3 new authorities in the policy: Call, Reply, and DeleteDerived
- The cdt and the caps state are linked in pasRefined
- CDT parentship no longer implies control in certain cases (is_transferable)
- CDT parentship now implies DeleteDerived
- Introduction of cdt_change_allowed that specifies which slot your are
allowed to modify
- Integrity for CDT and CDT list use cdt_changes_allowed
- Integrity for objects in now expressed as a transitive closure of
atomic transition rules
* Context :
We would like to prove that, for ARM_HYP architecture,
the current vcpu is always the vcpu associated to the current thread.
See issue https://jira.csiro.au/browse/VER-770
and PR 291 http://bitbucket.keg.ertos.in.nicta.com.au/projects/SEL4/repos/l4v/pull-requests/291
* Intermediate step : the vcpu of the idle thread is always None
In this commit we update the proofs of abstract invariants for
the arm_hyp architecture, so that the new version of `valid_idle`,
stating that the vcpu of the idle thread is always None, holds.
* Context :
We would like to prove that, for ARM_HYP architecture,
the current vcpu is always the vcpu associated to the current thread.
See issue https://jira.csiro.au/browse/VER-770
and PR 291 http://bitbucket.keg.ertos.in.nicta.com.au/projects/SEL4/repos/l4v/pull-requests/291
* Intermediate step : the vcpu of the idle thread is always none
In this commit, we modify the `valid_idle` invariant so that it includes
the fact that the vcpu of the idle thread is always None.
This is needed for PR291 (see Context above).
`valid_idle` beeing defined with `idle_tcb_at`,
we changed the definition of `idle_tcb_at`
so that it can convey information about the architecture.
And we defined `valid_arch_idle`
that states that the vcpu of an iarch_tcb is None.
* What changed :
Even if these changes are only interesting for the
abstract invariants for arm_hyp architecture
(that are being extended),
it implied changes to several generic and architecture-specific
files of the astract invariants (AInvs) sessions.
Co-authored-by : Corey Lewis <corey.lewis@data61.csiro.au>
Co-authored-by : Santiago Bautista <santiago.bautista@data61.csiro.au>
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
A handle of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
This allows us to more easily show that arch specific tcb fields are
preserved by many functions of the spec. For ARM_HYP we add a
projection for the tcb_vcpu field.
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
in addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
A number of proofs begin with word_eqI followed by some similar steps,
suggesting a 'word_eqI_solve' proof method, which is implemented here.
Many of these steps are standard, however a tricky part is that constants of
type 'nat' which encode a particular number of bits must often be unfolded.
This was done by expanding the eval_bool machinery to add eval_int_nat, which
tries to evaluate ints and nats.
Testing eval_int_nat revealed the need to improve the code generator setup
somewhat. The Arch locale contains many of the relevant constants, and they are
given global names via requalify_const, but the code generator doesn't know
about them. Some tweaks make them available. I *think* this is safe for
arch_split, as long as the proofs that derive from them are true in each
architecture.
* word_eqI is no longer rule_format.
* Updated Isabelle/ML Thm.join_proofs to Thm.consolidate.
* Updated suffix_refl to suffix_order.order.refl.
* Removed some lines of proofs, thanks to improved simplifier.
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
This was broken a long while back because arch_switch_to_idle_thread
might sometimes be skipped in the implementation if the idle thread
was previously scheduled. Putting the same behaviour in the most
abstract (unit) specification is pretty easy, and it's not clear why
it wasn't done earlier.
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
A private abbreviation in an anonymous context incidentally incremented
the global counter Variable.max_idxof which is used to avoid
name-collisions in lemmas.
For some reason (not obvious) the abbreviation in question was
incrementing the counter, and because it
was only in an X64 file, this resulted in X64 and the other
architectures getting out of sync. This was file previously, but became
a problem when processing the generic file lib/clib/Corres_C.
This commit adjusts the abbreviation to not increment the counter, and
fixes Refine and SR_lemmas_C to account for this change.
now that we have valid_vspace_objs to express validiy of
vspace objects, we do not need valid_arch_objs: we have
valid_objs to state the validity of non-vspace arch objects.
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
ParityEnabled isn't used in ARM_HYP and we had to prove its absence as
invariant, which in turn makes the abstraction function from Haskell
to abstract partial (only works when invariants hold).
This commit removes that problem by removing ParityEnabled from the
abstract spec. Updated ainv and refine as necessary.
The lemma is not true on ARM_HYP. It is also not needed for AInvs, although
it looks like it may be used in Refine/CRefine.
It'll have to be replaced with a set of more specific assumptions, which
should be added on master, so I'm just removing it on this branch for now.
- AInvs builds with new definitions of dissociate et al
- fixed most of the fallout of the change, left some as additional sorries
- should now be ready for additional cur_vcp live invariant
* the definition of liveness is extended for tcb/vcpu reference
* proved liveness related properties for dissociate_vcpu_tcb, prepare_thread_delete, etc.
* fixed some crunches in ArchVSpace_AI
pd_at_flush_page
pt_at_flush_page
perform_page_invocation_pspace_respects_device_region
* proved a bunch of vcpu related statements for the above crunches
some of these might be useful in general
* removed a sorry from ArchRetype_AI
* make update_cap_data do nothing for IOPorts
* return same_aobject_as to previous definition for IOPorts
* change cap_master_cap for IOPorts to be the identity
Many generic proofs make use of cte_level_bits_def. Although the
definition is architecture specific, the proofs work for any reasonable
value of cte_level_bits, so it's fine to expose the definition to
generic proofs.
rather than 4.
This is true on all 64-bit platforms as the size of these objects is 4
words (4*8 = 32 = 2^5). However, this breaks the 32-bit ARM proofs that
rely on these values being 4 - see jira issue VER-725.
The canonical_address constant (but not its definition) is now exported
to generic theories, and used in do_user_op. On ARM, all virtual
addresses are canonical.
Gerwin Klein
Rafal Kolanski
Amirreza Zarrabi
Michael McInerney
Victor Phan
Michael Sproul
Japheth Lim
Thibaut Perami
Santiago Bautista
Edward Pierzchalski
Mitchell Buckley
Thomas Sewell
Joel Beeren
Matthew Brecknell
Rafal Kolanski
Corey Lewis
Maksym Bortin
Miki Tanaka
Pang Luo
Joel Beeren
Alejandro Gomez-Londono
Alejandro Gomez-Londono
Gerwin Klein