Making vs_index_len a symbolic value instead of a plain number means we
have to unfold config_ARM_PA_SIZE_BITS_40 less often (instead, we need
to consider both cases, which forces us to stay generic).
This also makes sure the type vs_index_len is always distinct from
pt_index_len (even if the sizes are the same), which was only
guaranteed in one of the two configurations before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The bit width of intermediate physical addresses (IPA) is occasionally
useful in the invariants later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Make the function usable not only in the code+specs, but also in the
invariants by adding a case for asid_pool_level (= max_pt_level + 1).
At this level, we also need to translate the bits of the top-level
table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes sure we're accessing the right kind of object for the level
we are interested in. Relying on alignment is OK when the invariants
are in scope, but this check is more immediate and avoids us needing
pspace_aligned and pspace_distinct in all lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Give more time for downloading and compiling dependencies for runs
where these are not cached.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes sure we're catching all dependencies that are declared for
`design-spec` in the top-level Makefile. In particular, we want
`c-config` to run at least once before either `ASpec` or `ExecSpec` run
it, to make sure these two are not racing on config generation in
`-j 2`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We had put a lot of VCPU content into ArchVSpace and ArchVSpaceAcc even
though VCPUs aren't really very related to VSpace. These functions now
live in a separate file, VCPUAcc, in analogy to VSpaceAcc and TcbAcc.
Some of these functions could also move into VCPU_A instead.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
As Corey points out, the rest of the fields are in perfect order with
Haskell, and keeping all of them fully in sync will save us shuffling
and looking up things later in the proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- tune comment
- make vs_index_len the generic interface for vs_index_len_def
- provide relationship to ptTranslationBits
The two latter points will help to keep invariant proofs generic over
the size of the top-level table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Config files should be re-generated when generator content changes,
because that generally changes the content of the output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On AArch64 pptrUserTop is not page aligned, which also suits us fine for
reusing the value later in AInvs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Definitions in Platform.thy may depend on kernel config options, so
we need Kernel_Config_Lemmas there already, and need to replace the
dependency in Machine_Types to avoid a dependency circle.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These files have been reviewed, but the FIXMEs stuck around.
Update copyright on files we modified, and leave as is for only
copy+sed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The C code PR still uses the old naming scheme (hw_asid), but even if
it stays that way so it can share code with paths that use a "generic"
hw_asid name, it is better for the specs to use the correct name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These are ArchCSpace_A, ArchIpcCancel_A, ArchRetype_A, ArchTcb_A.
Already in good shape, just some style copyright headers, etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Minor style update; set up global user page table and example kernel
vspace uses that should satisfy invariants.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Also sync handle_reserved_irq phrasing with Haskell and C (sequential
comparison instead of cascaded. Comes out to the same, but no need to
prove that here).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes new vspace decode and page flush invocations, as well
as machine constants that are used in those paths.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The actual order for the ObjectType enum is defined in design. This one
has to correspond to the C enum. Mirroring it here in Haskell for
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The page table size cannot be "vspace" here, because the invocation
is only for lower-level tables.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
VCPU and style still need to be updated, but the virtual memory
operations in this file are validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This only updates the rest of the spec to type check, it does not
yet use the vmid information stored in the new type.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The pte type is now in sync with Haskell and C.
Note that there is a trade-off in storing the entire paddr (base
address) in the pte. In RISC-V we don't store the bottom bits, so get
an invariant for free that these are always 0, but we need to do a
bunch of shifting and casting to convert addresses. The shifting there
aligns with the C code.
On AArch64, the address field instead uses field_high, which does the
shifting inside the bitfield generator and makes it invisible to the
rest of the C code. To model that there is no such shifting going on,
we choose to store the entire base address here (as in ARM/ARM_HYP).
This means we will need an invariant that they are all aligned to
pageBits.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use a more principled way to define ptes_of/get_pte by defining
level_pte_of parametric in the level and setting ptes_of to the union
of all levels. This works because objects must be distinct.
For store_pte a simple union doesn't work, but we can still first
extract the level, and then use the level to update the object for that
level.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>