Completed decodeRISCVFrameInvocation_ccorres, synced with C changes and
cleaned up a little.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Since on RISCV64 we do not have restrictions on arch objects in
valid_obj', for the state relation to form a function from abstract to
concrete, we need to restrict the domains of the abstract asid pools.
Further we also need to ensure ASID 0 is not used in any of them, as
that is a sentinel value for "no ASID".
This is analogous to the restriction placed by valid_obj' on ASIDs on
X64, except occurring in the state relation rather than an invariant.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
No examination of failing proofs this time. All CRefine files are now
present and accounted for.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Broken bits blindly sorried or commented out with FIXME RISCV.
carch_state_to_H is currently wrong as valid_arch_state' is
insufficient to accurately describe global page tables.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
On RISCV, we do not mask the interrupt on IRQSignal in handleInterrupt.
Spec currently masks this, so we provide the sorried intended spec
definition of handleInterrupt for the time being.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Make a bit more progress after merging fixes for decode/invoke model
violation, and missing page table cap type check.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
There are sorries waiting on C updates, a few large sorries, and several
chunks of commented-out X64 proofs that may need to be adapted to
address the other sorries.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Two big ones where crefine machinery leads us astray, and a few small
ones waiting on a spec update on api object enums.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Opted to use old form of statement and adjust proof, as CRefine proofs
are not aware of mask_range and a cleanup of that sort would take too
long at this time.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Move it to ArchMove_C for each architecture except RISCV64. On RISCV64
the definition of obj_range has changed to use mask_range and hence the
lemma statement would look different.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
the change in C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
crefine/[ARCH]/Move.thy is replaced with crefine/Move_C.thy
(arch-generic), and crefine/[ARCH]/ArchMove_C.thy (arch-specific).
The only CRefine theory file that imports ArchMove_C is CLevityCatch,
and ArchMove_C imports Move_C which imports "Refine.Refine".
Lemmas found by looking through "FIXME: Move" comments have been added
to either Move_C or ArchMove_C depending on whether it is arch-generic
or arch-specific respectively.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
Create ArchMove_R.thy for transporting arch specific lemmas (and generic
lemmas that are used somewhat specifically by one architecture) to theory
files before Refine.
Create Move_R.thy as an arch generic Refine theory file for transporting
generic lemmas to theory files before Refine.
Also delete some lemmas that have existed earlier already or are not
needed.
Rename Move.thy in CRefine to Move_C.thy for consistency.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
Several constants are added to the top level crunch_ignore statement in
Bits_R.thy, then removed from individual crunch statements across Refine and
CRefine.
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
unat_ucast_8_64 states that upcasting an 8 word to a 64 word does not
change its value. We have a generic lemma for this which can be
specialised to this lemma: unat_ucast_up_simp[where 'a=8 and 'b=64,
simplified].
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
When the bitfield generator switches to python 3, the dicts we use to
track data won't be iterated deterministically. These changes
disambiguate (some) record literals and accessors so that they aren't
sensitive to the definition order.
Changes in the C boot code mean that `tcb_C` and `asid_pool_C` are now
overloaded in the Isabelle C specification: They are constructors for
the respective C structs, and also accessors for fields of an unrelated
struct (`root_server_mem_t`). Consequently, we need to be more explicit
when naming the constructors.
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
The ARM C kernels have renamed the LR_svc and FaultInstruction registers
to NextIP and FaultIP respectively, for consistency with x86 kernels. A
patch for a similar renaming in the abstract and Haskell specifications
is forthcoming.
Previously, the C kernel maintained a global pointer to the IRQ node.
This pointer was only initialised during boot, when the actual IRQ node
was dynamically allocated from untyped memory.
The C kernel now includes a statically allocated IRQ node, which is just
a suitably sized array of CTEs. This commit updates the proofs to verify
this change to the C kernel.
Just because we *can* extend the core SML `List` signature, that doesn't
mean we *should*. It's a neat trick, but it makes it harder to find uses
of the new modules, and obfuscates definitions for very little gain.
Previously, tactics like `ctac` and `csymbr` would use definition names
to produce new bound variables. Now that the C parser always emits long
name *definitions* and short name *aliases*, we adjust these tactics to
try and shorten any new names they produce.
Recent changes to the C kernel mean that various structures and
constants are generated from DTS files. In particular, verification now
sees interrupt identifiers as integer literals instead of defined
constants.
There were some sloppy last-minute changes that were not properly tested
and managed to evade testing. These contained a single logical omission
and a few typographic mistakes.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turn means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
While the numerical value is arch dependent, the definition and symbolic value
are not. This commit factors out the symbolic computation and only unfolds the
numeric value in the architecture dependent spec.
A handful of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
TPIDRUR[OW] registers removed from VCPU registers. Their saving now
lives in arch_c_entry_hook, which is before verified code is hit.
Relevant for verification, TPIDRURO is already handled as TLS_BASE
register, and TPIDRURW (holds IPC buffer) is saved/restored as part of
normal thread register save/restore.
In x64, asid_map_C is now a bitfield union type, whereas in ARM,
the ASID pool contains plain pointers. This means that proving
ccorres for the x64 ASID pool placeNewObject operation requires
some additional unfolding of C type information.
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.