Rafal Kolanski
31da393e14
riscv haskell: adjust asid high and low bits to match C
1 bit moves from high bits to low bits
2019-07-31 16:55:31 +10:00
Rafal Kolanski
47d8c75e76
riscv ainvs: reduce sorries in ArchAcc_AI
2019-07-31 16:55:31 +10:00
Rafal Kolanski
4e0bdf6572
riscv ainvs: reduce sorries in ArchCSpace_AI
2019-07-31 16:55:31 +10:00
Rafal Kolanski
4c190598bc
riscv ainvs: change valid_vs_lookup to use asid directly
(since we always look up from ASID level)
2019-07-31 16:55:31 +10:00
Gerwin Klein
08a4b74d5a
riscv ainvs: strengthen kernel mapping invs; close sorries in ArchAInvsPre
Kernel mapping invariants enriched to show that:
- global tables never permit user rights
- global top-level table has no user mappings
2019-07-31 16:55:31 +10:00
Gerwin Klein
80bbd083af
riscv ainvs/cleanup: lemma moves
2019-07-31 16:55:31 +10:00
Gerwin Klein
9e83803199
riscv ainvs: close last sorry in ArchDetype_AI
2019-07-31 16:55:31 +10:00
Gerwin Klein
f0d4054ec0
riscv ainvs: strengthen pt_lookup_target_pt_upd_eq; add _eqI version
(to be used in ArchDetype_AI)
2019-07-31 16:55:31 +10:00
Gerwin Klein
c9399f56da
riscv ainvs: proved valid_arch_state_detype
2019-07-31 16:55:31 +10:00
Gerwin Klein
254670fb54
riscv ainvs: reduce sorries in ArchDetype_AI
2019-07-31 16:55:31 +10:00
Gerwin Klein
ed5b72b72a
riscv ainvs: ArchCNodeInv_AI sorry-free; valid_asid_pool_caps tweak
Tweaked valid_asid_pool_caps again to be more careful about which ASIDs
are required in the caps. The previous version was too strong.
2019-07-31 16:55:31 +10:00
Gerwin Klein
f39db91457
riscv ainvs: -2 sorries in ArchCNodeInv_AI
(mostly cleared by previous is_nondevice_page_cap_simps addition)
2019-07-31 16:55:31 +10:00
Gerwin Klein
f2f9c68fc4
riscv ainvs: -1 sorry in ArchCNodeInv_AI; is_nondevice_page_cap_simps
2019-07-31 16:55:31 +10:00
Gerwin Klein
c44392fd89
riscv ainvs: ArchTCB_AI sorry-free
2019-07-31 16:55:31 +10:00
Gerwin Klein
8725351ccc
riscv ainvs: ArchCSpaceInv_AI sorry-free; fix replaceable_final_arch_cap
2019-07-31 16:55:31 +10:00
Gerwin Klein
4754ebbf7e
riscv ainvs: fewer sorries in ArchCSpaceInvPre_AI; adjusted invariants
1 sorry left, which should disappear after sync with work in ArchAcc_AI.
Strengthened valid_asid_pool_caps invariant to same phrasing as valid_vs_lookup
to get uniform preconditions for set_cap.
Strengthened reachable_target to actually cover all reachable targets of a
lookup (incl ASIDPools).
2019-07-31 16:55:31 +10:00
Gerwin Klein
956255809e
riscv ainvs: sync ArchKernelInit_AI with invariant changes
2019-07-31 16:55:31 +10:00
Gerwin Klein
f2ed0a5944
riscv ainvs: tweak valid_uses invariant to solve sorry in ArchAInvsPre
We previously had the user region from 0 to user_vtop, which does not
necessarily include all canonical addresses in the low range. However, even if
users are not able to map anything above user_vtop, they can still access a
virtual address > user_vtop, and our invariants cover this case. (Either the
address will simply not be mapped or it will be a lookup into the kernel part
of the vspace, i.e. a page fault for the user).
This commit introduces canonical_user as the largest canonical address in the
low range of canonical addresses, which is the range reserved for users.
2019-07-31 16:55:31 +10:00
Gerwin Klein
bee9099ae6
riscv ainvs: implement arch ADT interface; reduce ArchAInvsPre sorries
The remaining 3 sorries in ArchAInvsPre need small invariant changes.
2019-07-31 16:55:31 +10:00
Gerwin Klein
65cc19c172
lib: move up library lemmas from RISCV64 and X64
2019-07-31 16:55:31 +10:00
Gerwin Klein
3cc2aa477e
riscv ainvs: ArchKHeap_AI sorry-free
Weakened assumptions of lifting lemma in ArchInvariants_AI for the proofs in
ArchKHeap_AI to go through.
2019-07-31 16:55:31 +10:00
Gerwin Klein
3a5cc87d67
ainvs: allow multiple assumptions in use of lifting rule
2019-07-31 16:55:31 +10:00
Gerwin Klein
fdc14273a8
riscv ainvs: ArchDetSchedSchedule_AI sorry-free
2019-07-31 16:55:31 +10:00
Gerwin Klein
557803c8c4
riscv ainvs: ArchTcbAcc sorry-free
(proof from X64)
2019-07-31 16:55:31 +10:00
Gerwin Klein
b8ed8a6115
riscv ainvs: ArchSchedule sorry-free
2019-07-31 16:55:31 +10:00
Gerwin Klein
b99de6bee7
riscv ainvs: clear sorry in ArchIpc_AI
2019-07-31 16:55:31 +10:00
Gerwin Klein
eb15e6a350
riscv ainvs: clear sorries related to decoding
2019-07-31 16:55:31 +10:00
Gerwin Klein
0154a8bb77
riscv ainvs: clear sorries related to handle_vm_fault
2019-07-31 16:55:31 +10:00
Gerwin Klein
c7d055eaa8
riscv ainvs: clear sorries related to user_vtop adjustment
2019-07-31 16:55:31 +10:00
Gerwin Klein
bda33be6b9
riscv aspec: sync with C fix for SELFOUR-1955
aspec now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
2019-07-31 16:55:31 +10:00
Gerwin Klein
decbdd9c17
riscv haskell: sync VMFaults with C fix for SELFOUR-1955
RISCV faults reduced to actual VM faults, rest become anonymous user-level
faults. handleVMFault adjusted to perform complete case distinction and to not
change the state.
Now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
2019-07-31 16:55:31 +10:00
Gerwin Klein
0dad1f53ab
riscv ainvs: remove warnings for pt_slot_offset_id
(now in simpset)
2019-07-31 16:55:31 +10:00
Gerwin Klein
87afc177f1
riscv ainvs: strengthen valid_uses for C sync; prove it consistent
C now has a user_vtop different from pptr_base, so valid_uses needed updating,
and since the intervals don't fully join up any more, also strengthening of the
user and kernel window properties.
To make sure this is all still consistent, there is now an example state in
ArchKernelInit_AI that is shown to satisfy these conditions.
2019-07-31 16:55:31 +10:00
Gerwin Klein
23866cbae9
riscv platform: sync seL4_UserTop with C
now in sync with master@63ed19c9b7d972eb4af73c666484e277b0d4cf83
2019-07-31 16:55:31 +10:00
Gerwin Klein
b7bf3a9e22
riscv haskell: sync register set definition with C
Now in sync with seL4 master@63ed19c9b7d972eb4af73c666484e277b0d4cf83
2019-07-31 16:55:31 +10:00
Rafal Kolanski
f2a6566192
riscv: add Kernel_C.thy to base CKernel image on
2019-07-31 16:55:31 +10:00
Gerwin Klein
9187c7d826
riscv ainvs: remove sorries caused by SELFOUR-1955
Currently this is a workaround, because the defect still exists, but if the
fix is done right, none of these proofs should have to change.
2019-07-31 16:55:31 +10:00
Gerwin Klein
61bd76708f
riscv aspec: temporarily work around SELFOUR-1955
2019-07-31 16:55:31 +10:00
Rafal Kolanski
17ca50d695
run_tests: configure RISCV64 sessions for abstract invariant proofs
Enable AInvs, remove everything from Refine onwards, but include CSpec.
2019-07-31 16:55:31 +10:00
Rafal Kolanski
3f32b21d3c
riscv ainvs: add valid_global_tables to valid_arch_state
Previously valid_global_tables was not derivable from invs.
The best place I could think to put it is inside valid_arch_state.
This made a mess of some valid_arch_state_lift-related lemmas and
trivial valid_arch_state preservation in two cases, but seems a decent
tradeoff.
2019-07-31 16:55:31 +10:00
Rafal Kolanski
762c3f1eea
riscv ainvs: progress on ArchAcc_AI
set_pt_caps_of_state
store_pte_valid_objs
set_pt_equal_kernel_mappings
2019-07-31 16:55:31 +10:00
Rafal Kolanski
07f10f986e
riscv ainvs: convert valid_global_tables to _2 style
2019-07-31 16:55:31 +10:00
Rafal Kolanski
3e8f89f249
riscv aspec: make aobjs_of projection available in generic spec
2019-07-31 16:55:31 +10:00
Rafal Kolanski
ab23a6bd45
riscv ainvs: preservation of valid_global_tables over set_pt
2019-07-31 16:55:31 +10:00
Rafal Kolanski
4cc9a1fb19
lib: add option_Some_value_independent
2019-07-31 16:55:31 +10:00
Rafal Kolanski
4319e81887
riscv ainvs: tweak global mapping invariants, port lookups to projections
Main change is valid_global_tables, which was previously insufficient
for preservation proofs over set_pt.
2019-07-31 16:55:31 +10:00
Rafal Kolanski
66d87cd550
lib: OptionMonad: add more obind decomposition, oassert simps
2019-07-31 16:55:31 +10:00
Gerwin Klein
014f351265
riscv ainvs: global crunch ignore for recursive pt_lookup_from_level
2019-07-31 16:55:31 +10:00
Gerwin Klein
46d1ba3cc4
riscv ainvs: remove ARM ref
2019-07-31 16:55:31 +10:00
Gerwin Klein
da26a83c18
riscv ainvs: finished sorrying AInvs
2019-07-31 16:55:31 +10:00