As Corey points out, the rest of the fields are in perfect order with
Haskell, and keeping all of them fully in sync will save us shuffling
and looking up things later in the proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- tune comment
- make vs_index_len the generic interface for vs_index_len_def
- provide relationship to ptTranslationBits
The two latter points will help to keep invariant proofs generic over
the size of the top-level table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Config files should be re-generated when generator content changes,
because that generally changes the content of the output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On AArch64 pptrUserTop is not page aligned, which also suits us fine for
reusing the value later in AInvs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Definitions in Platform.thy may depend on kernel config options, so
we need Kernel_Config_Lemmas there already, and need to replace the
dependency in Machine_Types to avoid a dependency circle.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These files have been reviewed, but the FIXMEs stuck around.
Update copyright on files we modified, and leave as is for only
copy+sed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The C code PR still uses the old naming scheme (hw_asid), but even if
it stays that way so it can share code with paths that use a "generic"
hw_asid name, it is better for the specs to use the correct name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These are ArchCSpace_A, ArchIpcCancel_A, ArchRetype_A, ArchTcb_A.
Already in good shape, just some style copyright headers, etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Minor style update; set up global user page table and example kernel
vspace uses that should satisfy invariants.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Also sync handle_reserved_irq phrasing with Haskell and C (sequential
comparison instead of cascaded; comes out to the same, but no need to
prove that here).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes new vspace decode and page flush invocations, as well
as machine constants that are used in those paths.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The actual order for the ObjectType enum is defined in design. This one
has to correspond to the C enum. Mirroring it here in Haskell for
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The page table size cannot be "vspace" here, because the invocation
is only for lower-level tables.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
VCPU and style still need to be updated, but the virtual memory
operations in this file are validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This only updates the rest of the spec to type check, it does not
yet use the vmid information stored in the new type.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The pte type is now in sync with Haskell and C.
Note that there is a trade-off in storing the entire paddr (base
address) in the pte. In RISC-V we don't store the bottom bits, so we get
an invariant for free that these are always 0, but we need to do a
bunch of shifting and casting to convert addresses. The shifting there
aligns with the C code.
On AArch64, the address field instead uses field_high, which does the
shifting inside the bitfield generator and makes it invisible to the
rest of the C code. To model that there is no such shifting going on,
we choose to store the entire base address here (as in ARM/ARM_HYP).
This means we will need an invariant that they are all aligned to
pageBits.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
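The two address representations the message above contrasts, as a constructed Python model added here (not l4v, Haskell or C code); it assumes 4 KiB pages and shows why the AArch64-style model needs an explicit alignment invariant where the RISC-V-style model gets it by construction.

```python
"""Constructed model (not l4v code) of the two PTE base-address representations:
RISC-V-style storing a shifted page number, versus AArch64-style storing the
full base address (field_high) and relying on a separate alignment invariant."""

PAGE_BITS = 12  # assumption: 4 KiB base page size on both platforms


class RiscvPte:
    """Stores only the page number (paddr >> PAGE_BITS). The low bits are not
    representable, so 'base address is page aligned' holds by construction."""

    def __init__(self, paddr: int) -> None:
        self.ppn = paddr >> PAGE_BITS  # the shift the C code also performs

    def base_address(self) -> int:
        return self.ppn << PAGE_BITS  # shift/cast back to an address


class Aarch64Pte:
    """Stores the entire base address; the bitfield generator hides the shift,
    so nothing in this model forces the low bits to be zero."""

    def __init__(self, paddr: int) -> None:
        self.paddr = paddr

    def base_address(self) -> int:
        return self.paddr


def aligned_to_page_bits(pte) -> bool:
    """The invariant the AArch64 model must carry: low PAGE_BITS bits are zero."""
    return pte.base_address() & ((1 << PAGE_BITS) - 1) == 0


def unaligned_bases(ptes) -> list:
    """Base addresses that violate the invariant; empty list means it holds."""
    return [p.base_address() for p in ptes if not aligned_to_page_bits(p)]
```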
Use a more principled way to define ptes_of/get_pte by defining
level_pte_of parametric in the level and setting ptes_of to the union
of all levels. This works because objects must be distinct.
For store_pte a simple union doesn't work, but we can still first
extract the level, and then use the level to update the object for that
level.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
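The level-parametric lookup, its union, and the level-first update described above, as a constructed Python model added here (not the l4v definitions); it assumes page-sized table objects with 8-byte entries, four levels, and a kernel heap mapping a table's base address to its level and entries.

```python
"""Constructed model (not l4v code) of level_pte_of / ptes_of / store_pte.
Assumptions: every page table object is one 4 KiB page identified by its base
address, entries are 8 bytes, and kheap maps base address -> (level, entries)."""

PTE_BITS = 3      # assumption: 8-byte entries
TABLE_BITS = 12   # assumption: page-sized table objects
LEVELS = (0, 1, 2, 3)  # assumption: four levels, 0 is the top level


def table_base(p: int) -> int:
    return p & ~((1 << TABLE_BITS) - 1)


def level_pte_of(level: int, kheap: dict, p: int):
    """PTE at address p, but only if p lies in a table object of exactly this level."""
    obj = kheap.get(table_base(p))
    if obj is None or obj[0] != level or p & ((1 << PTE_BITS) - 1):
        return None
    return obj[1][(p - table_base(p)) >> PTE_BITS]


def ptes_of(kheap: dict, p: int):
    """Union over all levels. Well-defined because objects are distinct: an
    address belongs to at most one table object, hence to at most one level."""
    hits = [pte for lvl in LEVELS if (pte := level_pte_of(lvl, kheap, p)) is not None]
    assert len(hits) <= 1, "distinct objects guarantee at most one level matches"
    return hits[0] if hits else None


def pt_level_of(kheap: dict, p: int):
    """Extract the level of the table object containing p, if any."""
    obj = kheap.get(table_base(p))
    return None if obj is None else obj[0]


def store_pte(kheap: dict, p: int, pte: int) -> None:
    """A union of lookups cannot say which object to write, so first extract
    the level, then update the table object for that level in place."""
    level = pt_level_of(kheap, p)
    if level is None or p & ((1 << PTE_BITS) - 1):
        raise KeyError(f"no {'aligned ' if level is not None else ''}pte slot at {p:#x}")
    kheap[table_base(p)][1][(p - table_base(p)) >> PTE_BITS] = pte
```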
No real content changes; remove unused armParityEnabled and rename
`isToplevel` to `isVSpace` for consistency with the rest.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes decode, perform, and the functions called by them.
Removes the now unused RISCV sfence machine op.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Also removes the now unused function `checkSlot`.
With this, all of decode/perform ARMPageInvocation is validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Synced checks, order, and errors with C and factored out
`checkVSpaceRoot`, which is used in a few other invocations. Some of the
`let`s here are not necessary, but inserted anyway to match up names
with the C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Now that the C code is available, we can settle the PTE encoding for
the spec. Notable differences to RISCV64 are:
- the base address uses field_high and doesn't need shifting
- leads to simpler/more direct address access
- PTEs use different attributes
- uses a flag for 4K pages, which have a different hardware encoding
- page table PTEs have no rights/attributes
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>