The top-level object type is called `VSpaceObject` in C, so we use the
same name here. The top-level cap is `VSpaceCap` in C, but since we
want to keep it as a flag in the PT Cap in the specs, we call the flag
`capPTisVSpace` for consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes the type-checking fallout from those two main additions,
but no real further validation yet downstream from Structures.thy.
PageTable objects now have an inner object that contains either a
normal page table or a page table with the potentially different size
for top-level VSpace roots.
In ArchVSpaceAcc, the follow-on effects include making pte operations
figure out what kind of object it is by first checking for the
potentially smaller-sized object, and if that does not exist, trying
the larger-sized object (which has a different base address). When
pspace_distinct and pspace_aligned invariants hold, this should model
the behaviour of Haskell/C precisely.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is mostly verbatim copy/paste from RISCV64 to get started. Needs
update and validation everywhere, but type checks for now.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Allows building ExecSpec, but is almost certainly wrong due to not
taking top-level pages into account.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Enables generation of boolean config keys. Since C for these often
equates absence with `false`, but Isabelle won't be able to deal with
the absence of the config name, we need to manually indicate which ones
we want. For now, we generate `false` for absence for all boolean keys
that have a custom Isabelle name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use RISCV64 design spec skeletons to start work on AARCH64 ExecSpec.
Only minimal RISCV64 to AARCH64 substitution done, with big FIXMEs
stuck on top to remind people this got no human oversight.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This is firmly a bash script and not intended to be portable to other
shells, so no point checking portability.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Haskell translator import statements in skeleton files can get very
long, and keeping them as one line is rather inconvenient. This change
allows a backslash (`\`) at end-of-line to indicate line continuation.
Note: the `\` acts like in shells, i.e. it must be exactly at EOL.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Note: left FIXMEs in InvocationLabels where we currently diverge from C,
and the missing SMMU invocations at this time.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Directly switches to global empty VSpace instead of doing the cap
checks in setVMRoot which we know will fail.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This adds armContextSwitch and setGlobalUserVSpace, the latter a
shorthand for setting the empty VSpace, to be re-used in
switchToIdleThread.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Validate decodeARMASIDPoolInvocation. Main change to RISCV64 is that
VTableRoot caps can now be distinguished and checked-for.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Validated against C. We seem to be doing some unnecessary calculations
in ARM_HYP there, which are left out here (Haskell now is closer to C).
As follow-on, validated and tweaked decodeARMVSpaceRootInvocation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
No plans to resurrect Haskell simulation any more, so the comments are
mostly going to be confusing to people who come at this fresh.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The C code has an unnecessary name indirection via isValidNativeRoot
here, which I replicated to make more obvious what maps to what.
Eventually this should disappear.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a bit speculative since the C is not there yet, but I think
it's a good candidate, esp turning the VMPageSize parameters into Int,
because that will save the C from converting it back and forth.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Uses lookupFrame which still needs to be filled in. We already have
a form of that in the formalisation, and can maybe reuse some of that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This adds first AArch64-specific flushing. More to come when we add
the explicit flush API.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This refactors getASIDPoolEntry to extract code that is shared between
lookup and update, and should make conversion to reader monad later
easier.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We are on an Arm board, where <= maxIRQ implies != irqInvalid, so use
original ARM version.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This adjusts ptBitsLeft and ptIndex to properly take into account
the potentially different-sized top-level table. This is all that is
needed for the rest of the lookup code to be correct.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a sketch of what I think the API will look like after C code
changes. In particular, this adds a VSpaceRoot API object type
that stands for a top-level page table. The name may change, but a
different API object type for the different page size will probably
stay.
Different top-level table size only applies in some configurations. The
spec attempts to model both cases by making ptBits and
ptTranslationBits dependent on whether it is a top-level table or not.
The rest follows from that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Validated constants defined in Structures/AARCH64.lhs
PT caps now include a flag whether they are for a top-level table or
not. This could later be generalised to a level, but that's likely not
necessary for AArch64.
Amazingly, only the creation of new PT caps was affected by this
change. That creation will need user-level input which size of table to
create (to be added later).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>