We previously had asids at machine word representation, but it turns out that
constraining them to actual asid_len is almost no overhead and saves us proving
invariants about asid sizes.
When we look up a vref and reach a page table / asid pool, it could not
have been used in the lookup and hence changing it has no effect on the
lookup.
This refactoring makes user_region statically equal to {0 .. canonical_user},
which removes the need for a valid_uses s precondition in most lemmas about
user_region, which is needed for the generic/architecture interface in
ArchRetype_AI.
To express that this is equivalent to the old concept, there is a new
"user_window s", which, under valid_uses, is the same set as user_region, but
demands that memory uses are correctly set to RISCVVSpaceUserRegion.
update for changeset 897aaf5b13f39ba2b9ca8ade3a58d1350eb42ad7
This changes properties of kernel_base, thereby invalidating two unused
lemmas: mask_out_8_le_kernel_base, mask_out_8_less_kernel_base
ex_vs_lookup_level shows we can't find the same table/pool at different
lookup depths; combined with unique_vs_lookup_table we can now show that
there exists only one lookup path from the ASID table to any table/pool
object in the system.
Long-running joint work with Gerwin Klein.
This lemma demonstrates that from our invariants, when looking up two virtual
addresses in the same ASID, if lookups end up at the same page table, then
the page table must be found at the same level, disallowing loops in
either of the lookups.
On other architectures, the address is a PTE stored using field_high and
thus retrieved as an aligned address. On RISCV we have a frame number
(referred to as PPN in some places) that is the address shifted down by
pt_bits.
This changes over the pte to use a ppn with a different number of bits,
and provides addr_from_ppn and addr_from_pte accessors, the latter being
an abbreviation.
Issues:
- "ppn" and "frame" show up in C; which should we use?
- conversion functions take paddr, but are named with "addr": change
naming to use paddr?
- we sanity-check that the number of bits in a ppn is word_bits - pt_bits,
but in C that number subtracts another 8 bits; not clear why
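The frame-number encoding the message above describes, as an added Python example that is not l4v or seL4 code. It assumes the RISC-V Sv39 layout: 4 KiB pages (pt_bits = 12), 56-bit physical addresses, and a PPN field occupying PTE bits 53:10 (so 56 - 12 = 44 bits wide, as the RISC-V privileged specification defines it, which is the number the C side arrives at rather than word_bits - pt_bits = 52). The names addr_from_ppn and addr_from_pte follow the commit; ppn_from_addr, make_pte and ppn_width_check are hypothetical helpers added here. The point a reviewer would want to see is that the round trip only holds for addresses inside the PPN's range and loses the low pt_bits, so both conversions check their input instead of silently truncating.

```python
# Added example, not l4v code: RISC-V Sv39 PTE frame-number (PPN) handling.
WORD_BITS = 64
PT_BITS = 12                        # 4 KiB pages: paddr >> pt_bits is the frame number
PA_BITS = 56                        # Sv39 physical address width (assumed architecture)
PPN_BITS = PA_BITS - PT_BITS        # 44-bit PPN field in the PTE
PPN_SHIFT = 10                      # PPN sits at PTE bits 53:10; bits 9:0 hold flags
PPN_MASK = (1 << PPN_BITS) - 1
FLAGS_MASK = (1 << PPN_SHIFT) - 1


def ppn_from_addr(paddr: int) -> int:
    """Frame number of a physical address.

    Rejects addresses that do not fit the physical address width; without
    this check the high bits would be dropped silently when packed into
    the 44-bit PPN field, mapping a different frame than intended.
    """
    if paddr < 0 or (paddr >> PA_BITS) != 0:
        raise ValueError(f"paddr {paddr:#x} does not fit in {PA_BITS} bits")
    return paddr >> PT_BITS


def addr_from_ppn(ppn: int) -> int:
    """Inverse of ppn_from_addr up to page alignment: low pt_bits are zero."""
    if ppn < 0 or (ppn >> PPN_BITS) != 0:
        raise ValueError(f"ppn {ppn:#x} does not fit in {PPN_BITS} bits")
    return ppn << PT_BITS


def make_pte(paddr: int, flags: int) -> int:
    """Pack a frame address and permission/valid flags into a PTE word."""
    if flags & ~FLAGS_MASK:
        raise ValueError(f"flags {flags:#x} overlap the PPN field")
    return (ppn_from_addr(paddr) << PPN_SHIFT) | flags


def ppn_of_pte(pte: int) -> int:
    """Extract the PPN field; bits above 53 are reserved and ignored."""
    return (pte >> PPN_SHIFT) & PPN_MASK


def addr_from_pte(pte: int) -> int:
    """Abbreviation, as in the commit: address of the frame a PTE points at."""
    return addr_from_ppn(ppn_of_pte(pte))


def ppn_width_check() -> tuple:
    """The two candidate widths from the commit's open issue:
    word_bits - pt_bits versus the architectural PPN field width."""
    return WORD_BITS - PT_BITS, PPN_BITS


if __name__ == "__main__":
    # Constructed sample: an unaligned address inside a frame at 0x80200000.
    pte = make_pte(0x8020_0ABC, flags=0b0000_0001)   # valid bit only
    print(f"pte       = {pte:#018x}")
    print(f"ppn       = {ppn_of_pte(pte):#x}")
    print(f"addr      = {addr_from_pte(pte):#x}")      # page-aligned, 0xABC lost
    print("ppn width: word_bits-pt_bits=%d, PPN field=%d" % ppn_width_check())
```

The width check returns (52, 44): the first is the figure the proof-side sanity check uses, the second is the architectural field width, and the difference is the eight bits the commit notes.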