This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
A previous update to C code added a disjunct to an `if` condition
outside the existing `unlikely` branch hint. This commit is the proof
update for a C patch that extends the branch hint to the full `if`
condition.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`register_t` only needs to be able to index into the TCB user context
array, which has 35 entries on RISC-V. Therefore `uint8_t` is
sufficient.
Using the smallest possible type for `register_t` helps with binary
verification. This shrinks static read-only data, which in turn reduces
the complexity of binary verification proof search.
This commit verifies the corresponding C kernel patch.
Co-authored-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
Signed-off-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Progress towards verification of new and more efficient implementations
of library functions to could leading and trailing zeros.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The binary verification tools perform inlining of C specifications, to
simulate inlining that has been performed in the binary. This means that
`DONT_TRANSLATE` and `inline` are incompatible, since the binary
verification tools require C specifications for any functions that have
been inlined in the binary.
This `DONT_TRANSLATE` annotation was added with a `MODIFIES` annotation
for the proof of `resetUntypedCap_ccorres`. That proof has been reworked
so that it no longer requires the `MODIFIES` annotation in the C.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
When exception-aware lifting was enabled in `csymbr`, a small number of
existing proofs were broken. The `csymbr_legacy` method was added to
preserve the old behaviour of `csymbr` for those proofs.
This commit updates those proofs to use the new `csymbr` behaviour.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The previous implementation of `cinit` discarded C preconditions used
for variable lifting. This is usually appropriate for local variables
and function arguments. However, when using the new `cinit` to lift
global variables, the respective preconditions sometimes need to be kept
for the last subgoal.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new variable lifting behaviour that was recently added to the
`cinit`, `clift` and `ctac` commands is now also added to `csymbr`.
This means `csymbr` variable lifting is now sensitive to exceptional
control flow.
Since this breaks some existing proofs, we add a new `csymbr_legacy`
command with the old behaviour, and use it where necessary.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`cinit` and related methods are able to automatically abstract accesses
of Simpl state variables to Isabelle variables, provided they can prove
that the Simpl variable has not been modified up to the point it is
accessed. However, previously, the automation was unaware of exceptional
control flow. This limits the effectiveness of variable lifting in
situations like the following:
// `var` has not yet been modified.
if (condition) {
var = new_value;
// Here, `var` has been modified.
return;
}
// Has `var` been modified before the following access?
do_something(var);
Prior to this commit, the answer would be "yes": `cinit` would conclude
that `var` has been modified prior to the access for `do_something`, so
the variable access would not be abstracted.
With this commit, the answer is "no": `cinit` recognises the `return` in
the `if` block, and can abstract the variable access for `do_something`.
The new automation is enabled for `cinit`, `clift` and `ctac`. It is
currently disabled for `csymbr`, since the new behaviour breaks some
existing proofs.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The `cinit` and `clift` methods already provided a way to abstract
accesses to specified local variables to Isabelle variables that do not
depend on the state, provided that the procedure does not write to those
variables. The proof methods included automation of proofs that the
values of variables being abstracted remain constant throughout the
procedure.
This commit adds support for abstracting accesses to *global* variables.
The additional challenge here is that calls to other procedures might
modify global variables. We use the `modifies` facts produced by the C
parser to determine (and prove) when variables of interest are preserved
across procedure calls.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
The seL4 commit factors out special treatment of specific VCPU
registers, and this commit updates the ARM_HYP proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The links to nicta.com.au have stopped working, so the publication links
now point to the TS publication pages.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
SimplExportAndRefine is now split into two steps;
AutoCorresTest moved to its own directory.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
We believe this commit fixes the issue described in the previous commit.
It also reverts that commit, since the proofs that the C state relation
is empty no longer work.
As the previous commit demonstrated, it is important to demonstrate the
non-triviality of properties. In this case, we should exhibit a witness
of the non-emptiness of the C state relation. We have not yet done that.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
As currently defined, the C state relation is empty, and consequently,
`ccorres` is trivially true for any pair of functions. This means that,
in a very technical sense, our C refinement proofs are meaningless.
The state relation is empty because several conjuncts in
`cstate_relation` form a contradiction:
- Two conjuncts claim that `intStateIRQNode_array_Ptr` points to a heap
object within the set of addresses `kernel_data_refs`.
- Another implies that all heap objects are within `domain`.
- Another claims that `kernel_data_refs = -domain`, forming the
contradiction.
This commit proves the contradiction, and also proves that `ccorres` is
trivially true for any pair of functions.
Fortunately, we never made any essential use of this contradiction, and
so the issue can be fixed fairly easily. The issue seems to have arisen
out of a conflation of two different concepts:
- `kernel_data_refs` is introduced in the intermediate specification,
and is intended to be the set of addresses containing global heap
objects that are not covered by capabilities.
- `domain` was introduced for binary verification, and was intended to
be the set of all addresses that may be used for heap objects.
The easiest fix seems to be to expand the meaning of `kernel_data_refs`
to include all addresses that are not covered by capabilities. If we
assert that `kernel_data_refs = -domain`, then this does not allow for
heap objects that are not covered by capabilities. If instead, we make a
weaker assertion that `-domain <= kernel_data_refs`, we can have heap
objects that are not covered by capabilities, such as the one pointed to
by `intStateIRQNode_array_Ptr`.
This fix will be performed in a subsequent commit.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new kernelExitAssertions need to be threaded through the fastpath
and integrated in the right place in the theorems about callKernel.
In InfoFlowC we have yet another refinement framework, and we're taking apart
callKernel to isolate the `schedule` call which is significant in the
infoflow proof and needs the new assertion inserted as wel. After some force
applied, this does work as well.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
the definition of objBits is in Haskell, so has to use pteBits instead of
pte_bits (not in scope)
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Completed decodeRISCVFrameInvocation_ccorres, synced with C changes and
cleaned up a little.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Since on RISCV64 we do not have restrictions on arch objects in
valid_obj', for the state relation to form a function from abstract to
concrete, we need to restrict the domains of the abstract asid pools.
Further we also need to ensure ASID 0 is not used in any of them, as
that is a sentinel value for "no ASID".
This is analogous to the restriction placed by valid_obj' on ASIDs on
X64, except occurring in the state relation rather than an invariant.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
No examination of failing proofs this time. All CRefine files are now
present and accounted for.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Broken bits blindly sorried or commented out with FIXME RISCV.
carch_state_to_H is currently wrong as valid_arch_state' is
insufficient to accurately describe global page tables.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
On RISCV, we do not mask the interrupt on IRQSignal in handleInterrupt.
Spec currently masks this, so we provide the sorried intended spec
definition of handleInterrupt for the time being.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Make a bit more progress after merging fixes for decode/invoke model
violation, and missing page table cap type check.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
There are sorries waiting on C updates, a few large sorries, and several
chunks of commented-out X64 proofs that may need to be adapted to
address the other sorries.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Two big ones where crefine machinery leads us astray, and a few small
ones waiting on a spec update on api object enums.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Opted to use old form of statement and adjust proof, as CRefine proofs
are not aware of mask_range and a cleanup of that sort would take too
long at this time.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Move it to ArchMove_C for each architecture except RISCV64. On RISCV64
the definitions of obj_range has changed to use mask_range and hence the
lemma statement would look different.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
change in C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
crefine/[ARCH]/Move.thy is replaced with crefine/Move_C.thy
(arch-generic), and crefine/[ARCH]/ArchMove_C.thy (arch-specific).
The only CRefine theory file that imports ArchMove_C is CLevityCatch,
and ArchMove_C imports Move_C which imports "Refine.Refine".
Lemmas found by looking through "FIXME: Move" comments have been added
to either Move_C or ArchMove_C depending on whether it is arch-generic
or arch-specific respectively.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
Create ArchMove_R.thy for transporting arch specific lemmas (and generic
lemmas that are used somewhat specifically by one architecture) to theory
files before Refine.
Create Move_R.thy as an arch generic Refine theory file for transporting
generic lemmas to theory files before Refine.
Also delete some lemmas that have existed earlier already or are not
needed.
Rename Move.thy in CRefine to Move_C.thy for consistency.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
Matthew Brecknell
Gerwin Klein
Mitchell Buckley
Corey Lewis
Gerwin Klein
Rafal Kolanski
Victor Phan
Zoltan Kocsis