This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
in addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
It's really tiring figuring out whether we loaded all of the right
InfoFlow theory files in jEdit. This file lists what "the theories for
InfoFlow" are and should be loaded instead.
ROOT file adjusted to target it instead of a bunch of files, some of
which already include some of the others.
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
now that we have valid_vspace_objs to express validiy of
vspace objects, we do not need valid_arch_objs: we have
valid_objs to state the validity of non-vspace arch objects.
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
* This is trivial/irrelevant since getActiveIRQ ignores its argument
in ARM, but it makes a bit more sense to have it being this way,
and it is consistent with the equivalent function in InfoFlowC.
Other platforms such as arm-hyp will need to look into additional TCB state
such as VCPU in sanitiseRegister. This commit provides the scaffolding for
that.
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
Some lemmas that were specific instances of more general lemmas have
been removed from the library. In most cases, broken references could
simply be replaced with the more general fact.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
* tcb_context rephrasing to (tcb_context o tcb_arch) and respectively
for set operations
* unfolding of reserved_irq for trivially solving most lemmas
* Changes to the inductive definition of integrity_obj to account for
tcb_arch and tcb_context new location
* Changes to the tcb examples in ExampleSystem to include tcb_arch
* Rephrasing of domain_sep_inv to accommodate the ReservedIRQ case
* Mostly rephrasing of tcb_context to (some form of) (tcb_context o tcb_arch)
* Trivial unfolding of handle_reserved_irq for hoare rules
* Examples in Example_Valid_State.thy were updated
* Nothing remarkable, mostly rephrasing of tcb_context and ReservedIRQ
handling
* Fun fact, some proofs are now shorter
tags: [VER-623][SELFOUR-413]
Corey Lewis
Thomas Sewell
Gerwin Klein
Michael Sproul
Joel Beeren
Matthew Brecknell
Miki Tanaka
Rafal Kolanski
Alejandro Gomez-Londono
Pang Luo
Daniel Matichuk
Alejandro Gomez-Londono
Joel Beeren
Gerwin Klein
Thomas Sewell
Xin,Gao