Commit Graph

866 Commits

Author SHA1 Message Date
Rafal Kolanski d55a65e96b proof: apply monadic_rewrite renames
renamed:
* `monadic_rewrite_refl3` -> `monadic_rewrite_pre_imp_refl`
* `monadic_rewrite_symb_exec2` -> `monadic_rewrite_symb_exec_drop`

removed:
* `monadic_rewrite_refl2`: use `monadic_rewrite_is_refl[OF ext]` instead
* `monadic_rewrite_bind2`: use `monadic_rewrite_bind_l` instead
* `monadic_rewrite_bind_alt`: use `monadic_rewrite_bind_l` instead

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-11-02 05:05:44 +11:00
Rafal Kolanski 04552f487a arm+arm-hyp crefine: clear warnings from Fastpath_Equiv
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-11-02 05:05:44 +11:00
Rafal Kolanski 82056c9746 proof: apply monadic_rewrite renames
Previous commit renamed the following:
* `monadic_rewrite_imp` -> `monadic_rewrite_guard_imp`
* `monadic_rewrite_weaken` -> `monadic_rewrite_weaken_flags`
* `monadic_rewrite_weaken2` -> `monadic_rewrite_weaken_flags'`

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-11-02 05:05:44 +11:00
Rafal Kolanski 10a814ed67 crefine: use modern datatype tech for tcb_state_regs
Using named constructor arguments added to the datatype package allows
removal of the old way of writing them out explicitly.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-11-02 05:05:44 +11:00
Corey Lewis a52c73ad0b crefine: update for changed corres split rules
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2022-10-20 08:59:52 +11:00
Corey Lewis f4e9295424 proof: change simple corres_split_deprecated cases
perl -0777 -pi -e 's/corres_split_deprecated *\[ *OF +_ +([^_].*)\)\n\s*prefer 2/corres_split[OF \1\)/g' **/*.thy
perl -0777 -pi -e 's/corres_split_deprecated *\[ *OF +_ +(?!_)/corres_split[OF /g' **/*.thy
perl -0777 -pi -e 's/corres_split_deprecated *\[ *OF +([^_]\w+) +([^_]\w+) +(.*)\)\n\s*prefer +2/corres_split[OF \2 \1 \3\)/g' **/*.thy
perl -0777 -pi -e 's/corres_split_deprecated *\[ *OF +([^_]\w+) +([^_]\w+)/corres_split[OF \2 \1/g' **/*.thy
perl -0777 -pi -e 's/corres_split_deprecated *(.*)\)\n\s*prefer +2/corres_split\1\)/g' **/*.thy

Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2022-10-20 08:59:52 +11:00
Corey Lewis 2cf7c367f2 arm-hyp crefine: simplify getActiveIRQ_ccorres
This rewrites the extraction function to a simpler form, which is
consistent with how the lemma is written on the other architectures.

Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2022-10-20 08:59:52 +11:00
Gerwin Klein ba033cc300 riscv haskell+proofs: fix PageTablePTE encoding
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that

- there is no user attribute that can be set on PageTablePTEs
  (removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
  instead of 1.

See PR seL4/seL4#880 for discussion and corresponding C changes.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-07-18 10:40:17 +10:00
Ryan Barry 800f3daecd x64 ainvs+refine+crefine: update proofs
Signed-off-by: Ryan Barry <ryan.barry@proofcraft.systems>
2022-06-17 15:32:16 +10:00
Ryan Barry ac6cf91606 arm_hyp refine+crefine: update proofs
Signed-off-by: Ryan Barry <ryan.barry@proofcraft.systems>
2022-06-17 15:32:16 +10:00
Ryan Barry 7aaaabf15b riscv refine+crefine+access+infoflow: update proofs
Signed-off-by: Ryan Barry <ryan.barry@proofcraft.systems>
2022-06-17 15:32:16 +10:00
Ryan Barry 9bf8cf35bb refine+crefine: update refinement proofs
Co-authored-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Ryan Barry <ryan.barry@proofcraft.systems>
2022-06-17 15:32:16 +10:00
Rafal Kolanski 02a9ecaf00 proof: remove generic monadic_rewrite lemmas
Lemmas not relying on any specifications or more local concepts will be
moved into MonadicRewrite.thy

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-06-09 08:56:37 +10:00
Rafal Kolanski 6c2e8fc4eb arm-hyp+aarch64: update for stage 1 translation changes
C code changed to drop stage 1 translation from constructing VM fault
messages when in a hypervisor context.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-06-06 10:11:40 +10:00
Rafal Kolanski f04a6319cc arm-hyp: rename addressTranslateS1CPR
renamed to: addressTranslateS1

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-06-06 10:11:40 +10:00
Rafal Kolanski 9d404be331 crefine: split fastpath, rearrange Refine-based theory imports
Several parts of CRefine did not or should not depend on anything
C-related, but the import hierarchy (and theory content) did not reflect
this. Namely:
* Move_C and ArchMove_C were intended to hold items that could be moved
  to Refine yet used `kernel_m` locale and imported the C spec.
* IsolatedThreadAction indicates how to rearrange statements in the
  design spec and has nothing to do with the C spec or framework.
* Fastpath_C contained the design spec of the fastpath, the design spec
  rewrite proofs, and the C refinement. Having to rebuild nearly all of
  CRefine to work on rewrite proofs wasted time.

In the new import hierarchy:
* Move_C imports only Refine; ArchMove_C builds on Move_C
* IsolatedThreadAction imports only ArchMove_C
* The fastpath proofs are split into the spec definition (Fastpath_Defs)
  and rewrite proofs (Fastpath_Equiv), which don't depend on anything
  C-related, with their C refinement remaining in Fastpath_C.

While it is possible to separate out the fastpath definitions and rewire
proofs into a separate image or even move them to Refine, development
experience indicates keeping them alongside their C refinement remains
more convenient for the proof engineer involved.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2022-05-13 20:02:57 +10:00
Corey Lewis d7867393f0 crefine: remove duplicate lemmas from CLevityCatch
Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
2022-05-11 10:54:33 +10:00
Corey Lewis 6f13828560 crefine: remove duplicate lemma
The lemma map_to_ko_atI2 was exactly the same as map_to_ko_atI.

Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
2022-05-10 08:01:10 +10:00
Gerwin Klein 6418bda962 aarch64/riscv/x64: remove findVSpaceForASIDAssert
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, X64 use that mechanism and the
function is unused. There are some proofs about it, but those are unused
as well. This commit removes all of these.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Gerwin Klein 7535796778 crefine: remove useless comments
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein c953ab0396 word_lib/proofs: bundle word simp set changes
Add a bundle for global word simp set changes -- unfortunately we
can't actually do this globally, because they are mostly simp rule
removals which will be overwritten by theory merges. So this new
l4v_word_lib bundle will have to be activated/unbundled multiple times.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein b29a3433ef isabelle2021-1: remove no_take_bit
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 6650ba5ce7 isabelle2021-1 x64: CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 74536cdef1 isabelle2021-1 riscv: CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 4e027e9d4b isabelle2021-1 arm-hyp: CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 56d6216401 isabelle2021-1: CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Gerwin Klein 3196054268 isabelle2021-1: remove extend from TheoryData
No longer required in Isabelle2021-1 for TheoryData and GenericData

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-03-29 08:38:25 +11:00
Michael McInerney de871a7c64 arm_hyp ainvs+refine+crefine: update for change to associate_vcpu_tcb
Signed-off-by: Michael McInerney <m.mcinerney@unsw.edu.au>
2022-03-08 21:49:10 +10:30
Gerwin Klein 24c0c5c390 spec+proof: use generated config constants
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Rafal Kolanski b57a755e40 crefine: make proofs independent of number of domains
For CRefine, this process is much more complex than for Refine and up,
as the C code has its own definitions `maxDom` and `numDomains`, but they
are not defined in terms of each other, only as numbers.
Similarly, array size types and their corresponding ArrayGuard bounds
checks refer to specific numbers, making a foolproof abstraction impossible.

A reasonably constrained interface to numDomains/maxDomain/maxDom in
Wellformed_C provides a sufficient abstraction to allow the proofs to be
independent of the number of domains (constrained to <= 256). Using the
value_type command allows more abstraction techniques, such as linking
the size of the scheduler queues back to numDomains*numPriorities,
without stating what the numbers are. Finally, for getting past the
ArrayGuard bounds checks, we do leak some information in the form of
`explicit` lemmas. These are the least safe, but short of augmenting the
C parser to re-wrap array sizes into equivalent constants/types, they
constitute a limited risk. Nonetheless, `explicit` lemmas should be used
as sparingly as possible.

Refinement to C proceeds by pretending we don't know the number of
domains, and whenever a control flow decision is made based on
`numDomains > 1`, we follow both branches, as we did for Refine. We also
attempt to avoid clever rewrites such as `(x < 1) = (x = 0)` which mess
up bounds checks into a domain-size array when `numDomains = 1`.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Gerwin Klein 46a1d2509a crefine: update for PR seL4/seL4#321
The aim of the PR was readability, but it actually also brings the
C more in line with the spec.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-06 16:44:39 +11:00
Ryan Barry 8124b326b4 infoflow+crefine: refine arch split
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-10-05 08:46:11 +11:00
Gerwin Klein 8730572756 crefine: remove Arch_finaliseInterrupt
The PR seL4/seL4#473 removes Arch_finaliseInterrupt; this commit
updates the C proofs accordingly.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-10-01 15:19:07 +10:00
Gerwin Klein b914029a43 ainvs+crefine: remove redundant lemmas
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Gerwin Klein 941601ef56 riscv crefine: remove duplicate lemma
(has already been moved to Word_Lib)

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Gerwin Klein 6cc2692faf isabelle-2021 riscv: update CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Gerwin Klein 73cfa8765c isabelle-2021 x64: update CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Rafal Kolanski 83a297312d isabelle-2021: arm-hyp crefine update
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Gerwin Klein 34873cdd4a isabelle-2021 arm: update CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-09-30 16:53:17 +10:00
Florian Haftmann d61cffcf61 isabelle-2021: adjusted to new naming convention
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2021-09-30 16:53:17 +10:00
Florian Haftmann ea9a25950d isabelle-2021: ad-hoc adjustments to preview
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2021-09-30 16:53:17 +10:00
Gerwin Klein 81b95eb6bf READMEs: fix publication links
PDFs and abstracts have moved to trustworthy.systems/

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-08-25 11:22:05 +10:00
Gerwin Klein b64bd15816 cleanup: fix indent and warnings
This fixes up some atrocious indentation and removes some warnings for
duplicate rules etc.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-08-16 16:47:10 +10:00
Gerwin Klein 5d895508a2 arm: fix Machine_C assumptions
Some of the assumptions in Machine_C were about C functions that do not
exist (any more, presumably after some change in C). This means these
names were free variables and the rules could in theory be applied to
any function, potentially causing unsoundness. Luckily, we were
disciplined enough in the proofs not to have done that. The proofs with
the names fixed go through unchanged.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-08-16 16:47:10 +10:00
Gerwin Klein 6fd6d6bd48 arm/arm-hyp: proof updates for Arm cache fix
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-08-16 16:47:10 +10:00
Miki Tanaka 99223bdb7e riscv crefine: proof fix for idle_tcb'/valid_idle' change
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
2021-07-24 12:09:57 +10:00
Miki Tanaka ff755a945d x64 crefine: fixes for idle_tcb'/valid_idle' change
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
2021-07-24 12:09:57 +10:00
Miki Tanaka fe2329dbb9 arm_hyp crefine: fixes for idle_tcb'/valid_idle' change
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
2021-07-24 12:09:57 +10:00
Mitchell Buckley 376cc707b6 crefine ARM: fixup for recent cleanup
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
2021-07-24 12:09:57 +10:00
Mitchell Buckley 2cf89e20c8 Cleanup some FIXMEs in AInvs and related sessions
Mostly moving lemmas up into various lemma bucket theories. Also:
* replace cte_wp_at_eqD with cte_wp_at_norm (equal lemmas)
* pd_shifting_gen generalises pd_shifting' in 2 architectures
* remove some redundant crunch lemmas

Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
2021-07-16 14:13:07 +10:00
Matthew Brecknell fd01872121 always use `addrFromKPPtr` for kernel addresses
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-06-25 16:31:22 +10:00
Matthew Brecknell 73649d2ce4 arm crefine: fix `decodeARMMMUInvocation` branch hint
A previous update to C code added a disjunct to an `if` condition
outside the existing `unlikely` branch hint. This commit is the proof
update for a C patch that extends the branch hint to the full `if`
condition.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-05-20 11:52:45 +10:00
Gerwin Klein c0fe17e785 Remove remaining tab characters in .thy files
Closes VER-748

Signed-off-by: Gerwin Klein <kleing@unsw.edu.au>
2021-04-21 13:30:13 +10:00
Matthew Brecknell d020be3b89 riscv: fix CLZ and CTZ for riscv32 builds (#257)
This commit verifies seL4 PR [#325][], which fixes the riscv32 build
broken by seL4 commit [9ec5df5f][].

[#325]: https://github.com/seL4/seL4/pull/325
[9ec5df5f]: https://github.com/seL4/seL4/commit/9ec5df5f

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-30 13:17:41 +11:00
Mitchell Buckley 6386f753fa riscv: use `uint8_t` for `register_t`
`register_t` only needs to be able to index into the TCB user context
array, which has 35 entries on RISC-V. Therefore `uint8_t` is
sufficient.

Using the smallest possible type for `register_t` helps with binary
verification. This shrinks static read-only data, which in turn reduces
the complexity of binary verification proof search.

This commit verifies the corresponding C kernel patch.

Co-authored-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
Signed-off-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
2021-03-24 08:47:19 +11:00
Matthew Brecknell 4278e99aa4 riscv crefine: generalise and move some lemmas
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-23 22:40:46 +11:00
Mitchell Buckley f96f7763fd riscv CRefine: complete proofs for ctz and clz
Signed-off-by: Mitchell Buckley <mitchell.buckley@data61.csiro.au>
2021-03-23 22:40:46 +11:00
Matthew Brecknell 27d6b4f8f4 riscv crefine: setup proofs for clz and ctz
Progress towards verification of new and more efficient implementations
of library functions to count leading and trailing zeros.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-23 22:40:46 +11:00
Matthew Brecknell f902cf7e38 riscv crefine: remove `DONT_TRANSLATE` on inlined function `read_sip`
The binary verification tools perform inlining of C specifications, to
simulate inlining that has been performed in the binary. This means that
`DONT_TRANSLATE` and `inline` are incompatible, since the binary
verification tools require C specifications for any functions that have
been inlined in the binary.

This `DONT_TRANSLATE` annotation was added with a `MODIFIES` annotation
for the proof of `resetUntypedCap_ccorres`. That proof has been reworked
so that it no longer requires the `MODIFIES` annotation in the C.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell cd6cce2b6f clib: remove unused `csymbr_legacy` method
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell 76ec8dfc47 crefine: remove all uses of `csymbr_legacy`
When exception-aware lifting was enabled in `csymbr`, a small number of
existing proofs were broken. The `csymbr_legacy` method was added to
preserve the old behaviour of `csymbr` for those proofs.

This commit updates those proofs to use the new `csymbr` behaviour.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell 6d5391cf4b crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.

For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.

This includes arguments of types `slot_range_t` and `extra_caps_t`.

`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.

`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.

Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell 337c0d62ea crefine: generalise `ccorres_tmp_lift2`
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell 1dfd9d48dd clib: keep preconditions for lifted globals in `cinit`
The previous implementation of `cinit` discarded C preconditions used
for variable lifting. This is usually appropriate for local variables
and function arguments. However, when using the new `cinit` to lift
global variables, the respective preconditions sometimes need to be kept
for the last subgoal.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell e72bb9976e crefine: enable exception-aware lifting for csymbr
The new variable lifting behaviour that was recently added to the
`cinit`, `clift` and `ctac` commands is now also added to `csymbr`.
This means `csymbr` variable lifting is now sensitive to exceptional
control flow.

Since this breaks some existing proofs, we add a new `csymbr_legacy`
command with the old behaviour, and use it where necessary.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell 62f5fa0c4f clib: document some predicates used in `ceqv` and related automation
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell 9fda5fc5f5 clib: respect exceptional control flow in `cinit` variable lifting
`cinit` and related methods are able to automatically abstract accesses
of Simpl state variables to Isabelle variables, provided they can prove
that the Simpl variable has not been modified up to the point it is
accessed. However, previously, the automation was unaware of exceptional
control flow. This limits the effectiveness of variable lifting in
situations like the following:

    // `var` has not yet been modified.
    if (condition) {
        var = new_value;
        // Here, `var` has been modified.
        return;
    }
    // Has `var` been modified before the following access?
    do_something(var);

Prior to this commit, the answer would be "yes": `cinit` would conclude
that `var` has been modified prior to the access for `do_something`, so
the variable access would not be abstracted.

With this commit, the answer is "no": `cinit` recognises the `return` in
the `if` block, and can abstract the variable access for `do_something`.

The new automation is enabled for `cinit`, `clift` and `ctac`. It is
currently disabled for `csymbr`, since the new behaviour breaks some
existing proofs.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Matthew Brecknell d8240dbbda clib: add support for lifting global variables in `cinit`
The `cinit` and `clift` methods already provided a way to abstract
accesses to specified local variables to Isabelle variables that do not
depend on the state, provided that the procedure does not write to those
variables. The proof methods included automation of proofs that the
values of variables being abstracted remain constant throughout the
procedure.

This commit adds support for abstracting accesses to *global* variables.
The additional challenge here is that calls to other procedures might
modify global variables. We use the `modifies` facts produced by the C
parser to determine (and prove) when variables of interest are preserved
across procedure calls.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2021-03-19 13:01:44 +11:00
Corey Lewis 5323aad95a refine: remove duplicated lemmas
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
2021-03-11 10:42:49 +11:00
Gerwin Klein bf5b97500a trivial: fix links to papers
The TS website has settled on no `.pml` postfix

Signed-off-by: Gerwin Klein <kleing@unsw.edu.au>
2021-03-02 11:44:22 +11:00
Corey Lewis 008969fc02 lib proof: reorder the assumptions of corres_split
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.

Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
2021-02-19 11:37:12 +11:00
Gerwin Klein 8f992b2350 arm_hyp: proof updates for seL4 commit 93ab2543d9d8
The seL4 commit factors out special treatment of specific VCPU
registers, and this commit updates the ARM_HYP proofs accordingly.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-12-19 21:08:30 +11:00
Gerwin Klein 3cc7a1c6b7 arm-hyp: proof updates for seL4 c381c7e14c
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-12-09 19:46:02 +11:00
Gerwin Klein 83cbc07cd8 crefine: proof update for seL4 7cc50c3039
The corresponding seL4 patch removes an unused line in
invokeUntyped_Retype

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-11-30 16:22:31 +11:00
Gerwin Klein ba38ae33ab update publications links
The links to nicta.com.au have stopped working, so the publication links
now point to the TS publication pages.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-11-23 17:06:46 +11:00
Rafal Kolanski 7d998ac2ba arm+arm-hyp crefine: update for platform constant changes
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Rafal Kolanski 6a587f7c20 x64: update for platform constant changes
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Rafal Kolanski 0df39b8ed5 riscv: update for platform constant changes
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Rafal Kolanski 9ed45e17bd arm+arm-hyp: kernelBase and physMappingOffset renames
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.

kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-11-16 16:52:40 +11:00
Gerwin Klein a45adef66a all: remove theory import path references
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.

Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-11-02 10:16:17 +10:00
Gerwin Klein 9fcb919879 x64 crefine: update for Isabelle2020
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein 2c2b7c4256 riscv crefine: update to Isabelle2020
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein eb2de99511 arm-hyp crefine: update to Isabelle2020
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein 875c313e71 arm crefine: Isabelle2020 update
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein b976bc8972 crefine: enable intermediate CRefine session for Isabelle2020
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein 68b71f99b5 crefine: session structure update for Isabelle2020
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein bbacd7079f proof/ROOT: more Isabelle2020 session structure
SimplExportAndRefine is now split into two steps;
AutoCorresTest moved to its own directory.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Gerwin Klein 2e8cf15b2d lib + proof: Isabelle2020 Method.NO_CONTEXT_TACTIC rename
Method.NO_CONTEXT_TACTIC -> NO_CONTEXT_TACTIC

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-10-27 15:52:31 +10:00
Matthew Brecknell b77f83c57b riscv: rename sbadaddr -> stval
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-08-26 15:24:06 +10:00
Matthew Brecknell ea1be49908 crefine: make C state relation non-empty
We believe this commit fixes the issue described in the previous commit.
It also reverts that commit, since the proofs that the C state relation
is empty no longer work.

As the previous commit demonstrated, it is important to demonstrate the
non-triviality of properties. In this case, we should exhibit a witness
of the non-emptiness of the C state relation. We have not yet done that.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-08-19 16:15:05 +10:00
Matthew Brecknell 0f0cfc9dc8 crefine: prove that the C state relation is empty
As currently defined, the C state relation is empty, and consequently,
`ccorres` is trivially true for any pair of functions. This means that,
in a very technical sense, our C refinement proofs are meaningless.

The state relation is empty because several conjuncts in
`cstate_relation` form a contradiction:
- Two conjuncts claim that `intStateIRQNode_array_Ptr` points to a heap
  object within the set of addresses `kernel_data_refs`.
- Another implies that all heap objects are within `domain`.
- Another claims that `kernel_data_refs = -domain`, forming the
  contradiction.

This commit proves the contradiction, and also proves that `ccorres` is
trivially true for any pair of functions.

Fortunately, we never made any essential use of this contradiction, and
so the issue can be fixed fairly easily. The issue seems to have arisen
out of a conflation of two different concepts:
- `kernel_data_refs` is introduced in the intermediate specification,
  and is intended to be the set of addresses containing global heap
  objects that are not covered by capabilities.
- `domain` was introduced for binary verification, and was intended to
  be the set of all addresses that may be used for heap objects.

The easiest fix seems to be to expand the meaning of `kernel_data_refs`
to include all addresses that are not covered by capabilities. If we
assert that `kernel_data_refs = -domain`, then this does not allow for
heap objects that are not covered by capabilities. If instead, we make a
weaker assertion that `-domain <= kernel_data_refs`, we can have heap
objects that are not covered by capabilities, such as the one pointed to
by `intStateIRQNode_array_Ptr`.

This fix will be performed in a subsequent commit.

Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-08-19 16:15:05 +10:00
Gerwin Klein b0d01265ef trivial: fix broken links
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-08-10 15:48:34 +08:00
Gerwin Klein c3f3656942 refine + crefine: proof updates for haskell datatype selectors
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-07-09 10:06:31 +08:00
Gerwin Klein 24b119f338 crefine + infoflowc: adjust proofs for new Haskell assertion
The new kernelExitAssertions need to be threaded through the fastpath
and integrated in the right place in the theorems about callKernel.

In InfoFlowC we have yet another refinement framework, and we're taking apart
callKernel to isolate the `schedule` call which is significant in the
infoflow proof and needs the new assertion inserted as well. After some force
applied, this does work as well.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-07-02 11:30:56 +08:00
Gerwin Klein 30b43f0af1 riscv crefine: defer parameter name FIXMEs
see also VER-1289

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:11 +08:00
Gerwin Klein d5f0b452ee riscv crefine: defer FIXME
See VER-1288. This is an optimisation that should be
added at a later point.

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:11 +08:00
Gerwin Klein c14b2bb69a riscv crefine: resolve FIXME
the definition of objBits is in Haskell, so has to use pteBits instead of
pte_bits (not in scope)

Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:11 +08:00
Gerwin Klein 65ae80c5ad riscv crefine: downgrade FIXME to more permanent comment
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
2020-06-08 20:41:11 +08:00
Rafal Kolanski 4515e1e78e crefine: remove ccorres_from_vcg_throws_nofail
(now present in lib)

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:11 +08:00
Rafal Kolanski 99d241d031 riscv: clear out most crefine FIXMEs
Perform moves, remove lemmas placed in lib, etc.

Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2020-06-08 20:41:11 +08:00