Definitions in Platform.thy may depend on kernel config options, so
we need Kernel_Config_Lemmas there already, and need to replace the
dependency in Machine_Types to avoid a dependency circle.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These files have been reviewed, but the FIXMEs stuck around.
Update copyright on files we modified, and leave as is for only
copy+sed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The C code PR still uses the old naming scheme (hw_asid), but even if
it stays that way so it can share code with paths that use a "generic"
hw_asid name, it is better for the specs to use the correct name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These are ArchCSpace_A, ArchIpcCancel_A, ArchRetype_A, ArchTcb_A.
Already in good shape, just some style copyright headers, etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Minor style update; set up global user page table and example kernel
vspace uses that should satisfy invariants.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Also sync handle_reserved_irq phrasing with Haskell and C (sequential
comparison instead of cascaded; comes out to the same, but no need to
prove that here).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes new vspace decode and page flush invocations, as well
as machine constants that are used in those paths.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The actual order for the ObjectType enum is defined in design. This one
has to correspond to the C enum. Mirroring it here in Haskell for
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The page table size cannot be "vspace" here, because the invocation
is only for lower-level tables.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
VCPU and style still need to be updated, but the virtual memory
operations in this file are validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This only updates the rest of the spec to type check, it does not
yet use the vmid information stored in the new type.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The pte type is now in sync with Haskell and C.
Note that there is a trade-off in storing the entire paddr (base
address) in the pte. In RISC-V we don't store the bottom bits, so we get
an invariant for free that these are always 0, but we need to do a
bunch of shifting and casting to convert addresses. The shifting there
aligns with the C code.
On AArch64, the address field instead uses field_high, which does the
shifting inside the bitfield generator and makes it invisible to the
rest of the C code. To model that there is no such shifting going on,
we choose to store the entire base address here (as in ARM/ARM_HYP).
This means we will need an invariant that they are all aligned to
pageBits.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use a more principled way to define ptes_of/get_pte by defining
level_pte_of parametric in the level and setting ptes_of to the union
of all levels. This works because objects must be distinct.
For store_pte a simple union doesn't work, but we can still first
extract the level, and then use the level to update the object for that
level.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
No real content changes; remove unused armParityEnabled and rename
`isToplevel` to `isVSpace` for consistency with the rest.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes decode, perform, and the functions called by them.
Removes the now unused RISCV sfence machine op.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Also removes the now unused function `checkSlot`.
With this, all of decode/perform ARMPageInvocation is validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Synced checks, order, and errors with C and factored out
`checkVSpaceRoot` which is used in a few other invocations. Some of the
`let`s here are not necessary, but inserted anyway to match up names
with the C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Now that the C code is available, we can settle the PTE encoding for
the spec. Notable differences to RISCV64 are:
- the base address uses field-high and doesn't need shifting
- leads to simpler/more direct address access
- PTEs use different attributes
- uses a flag for 4k pages which have a different hardware encoding
- page table PTEs have no rights/attributes
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The top-level object type is called `VSpaceObject` in C, so we use the
same name here. The top-level cap is `VSpaceCap` in C, but since we
want to keep it as a flag in the PT Cap in the specs, we call the flag
`capPTisVSpace` for consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes the type-checking fallout from those two main additions,
but no real further validation yet downstream from Structures.thy.
PageTable objects now have an inner object that contains either a
normal page table or a page table with the potentially different size
for top-level VSpace roots.
In ArchVSpaceAcc, the follow-on effects include making pte operations
figure out what kind of object it is by first checking for the
potentially smaller-sized object, and if that does not exist, trying
the larger-sized object (which has a different base address). When
pspace_distinct and pspace_aligned invariants hold, this should model
the behaviour of Haskell/C precisely.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
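The two commit messages above about ptes_of/get_pte/store_pte (union of level_pte_of over all levels) and about the two page-table object sizes (try the smaller object first, then the larger VSpace root) describe the same lookup scheme. The following is an added, stand-alone Python sketch of that scheme, not code from the seL4 proofs; the object sizes, the 8-byte PTE width and the heap layout are constructed assumptions, and `kheap` is a plain dict standing in for the abstract kernel heap.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sizes, not the real AArch64 constants: 8-byte PTEs, a normal
# page table of 2^12 bytes, and a larger VSpace root of 2^13 bytes.
PTE_BITS = 3
PT_BITS = {False: 12, True: 13}   # is_vspace -> object size in bits

@dataclass
class PageTable:
    is_vspace: bool
    entries: dict = field(default_factory=dict)   # index -> raw pte (0 = invalid)

def pspace_distinct(kheap: dict) -> bool:
    """No two page-table objects overlap; this is what makes the union below a function."""
    spans = sorted((b, b + (1 << PT_BITS[o.is_vspace])) for b, o in kheap.items())
    return all(spans[i][1] <= spans[i + 1][0] for i in range(len(spans) - 1))

def level_pte_of(kheap: dict, p: int, is_vspace: bool) -> Optional[tuple]:
    """PTE at address p, looking only for the object kind of one level.
    Returns (object base, index, pte) or None if no such object covers p."""
    if p & ((1 << PTE_BITS) - 1):
        return None                                   # p is not a PTE-aligned address
    base = p & ~((1 << PT_BITS[is_vspace]) - 1)      # candidate object base for this size
    obj = kheap.get(base)
    if obj is None or obj.is_vspace != is_vspace:
        return None
    idx = (p - base) >> PTE_BITS
    return base, idx, obj.entries.get(idx, 0)

def ptes_of(kheap: dict, p: int) -> Optional[int]:
    """Union over all levels: try the smaller object first, then the larger root."""
    for is_vspace in (False, True):
        hit = level_pte_of(kheap, p, is_vspace)
        if hit is not None:
            return hit[2]
    return None

def store_pte(kheap: dict, p: int, pte: int) -> bool:
    """A plain union does not work for updates: first find which level/object
    holds p, then update exactly that object. Returns False if p is not a PTE."""
    for is_vspace in (False, True):
        hit = level_pte_of(kheap, p, is_vspace)
        if hit is not None:
            base, idx, _ = hit
            kheap[base].entries[idx] = pte
            return True
    return False
```

With distinct objects the "smaller first" order is only a lookup strategy, not a tie-break: at most one object can cover a given address, so the result does not depend on the order.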