This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
For CRefine, this process is much more complex than for Refine and up,
as the C code has its own definitions `maxDom` and `numDomains`,
but they are not defined in terms of each other, only as numbers.
Similarly, array size types and their corresponding ArrayGuard bounds
checks refer to specific numbers, making a foolproof abstraction impossible.
A reasonably constrained interface to numDomains/maxDomain/maxDom in
Wellformed_C provides a sufficient abstraction to allow the proofs to be
independent of the number of domains (constrained to <= 256). Using the
value_type command allows more abstraction techniques, such as linking
the size of the scheduler queues back to numDomains*numPriorities,
without stating what the numbers are. Finally, for getting past the
ArrayGuard bounds checks, we do leak some information in the form of
`explicit` lemmas. These are the least safe, but short of augmenting the
C parser to re-wrap array sizes into equivalent constants/types, they
constitute a limited risk. Nonetheless, `explicit` lemmas should be used
as sparingly as possible.
Refinement to C proceeds by pretending we don't know the number of
domains, and whenever a control flow decision is made based on
`numDomains > 1`, we follow both branches, as we did for Refine. We also
attempt to avoid clever rewrites such as `(x < 1) = (x = 0)` which mess
up bounds checks into a domain-size array when `numDomains = 1`.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The aim of the PR was readability, but it actually also brings the
C more in line with the spec.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The PR seL4/seL4#473 removes Arch_finaliseInterrupt; this commit
updates the C proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This fixes up some atrocious indentation and removes some warnings for
duplicate rules etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Some of the assumptions in Machine_C were about C functions that do not
exist (any more, presumably after some change in C). This means these
names were free variables and the rules could in theory be applied to
any function, potentially causing unsoundness. Luckily, we were
disciplined enough in the proofs not to have done that. The proofs with
the names fixed go through unchanged.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
A previous update to C code added a disjunct to an `if` condition
outside the existing `unlikely` branch hint. This commit is the proof
update for a C patch that extends the branch hint to the full `if`
condition.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
When exception-aware lifting was enabled in `csymbr`, a small number of
existing proofs were broken. The `csymbr_legacy` method was added to
preserve the old behaviour of `csymbr` for those proofs.
This commit updates those proofs to use the new `csymbr` behaviour.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new variable lifting behaviour that was recently added to the
`cinit`, `clift` and `ctac` commands is now also added to `csymbr`.
This means `csymbr` variable lifting is now sensitive to exceptional
control flow.
Since this breaks some existing proofs, we add a new `csymbr_legacy`
command with the old behaviour, and use it where necessary.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
SimplExportAndRefine is now split into two steps;
AutoCorresTest moved to its own directory.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
We believe this commit fixes the issue described in the previous commit.
It also reverts that commit, since the proofs that the C state relation
is empty no longer work.
As the previous commit demonstrated, it is important to demonstrate the
non-triviality of properties. In this case, we should exhibit a witness
of the non-emptiness of the C state relation. We have not yet done that.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new kernelExitAssertions need to be threaded through the fastpath
and integrated in the right place in the theorems about callKernel.
In InfoFlowC we have yet another refinement framework, and we're taking apart
callKernel to isolate the `schedule` call which is significant in the
infoflow proof and needs the new assertion inserted as well. After some force
applied, this does work as well.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Move it to ArchMove_C for each architecture except RISCV64. On RISCV64
the definition of obj_range has changed to use mask_range and hence the
lemma statement would look different.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
the change in C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
crefine/[ARCH]/Move.thy is replaced with crefine/Move_C.thy
(arch-generic), and crefine/[ARCH]/ArchMove_C.thy (arch-specific).
The only CRefine theory file that imports ArchMove_C is CLevityCatch,
and ArchMove_C imports Move_C which imports "Refine.Refine".
Lemmas found by looking through "FIXME: Move" comments have been added
to either Move_C or ArchMove_C depending on whether it is arch-generic
or arch-specific respectively.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
Create ArchMove_R.thy for transporting arch specific lemmas (and generic
lemmas that are used somewhat specifically by one architecture) to theory
files before Refine.
Create Move_R.thy as an arch generic Refine theory file for transporting
generic lemmas to theory files before Refine.
Also delete some lemmas that have existed earlier already or are not
needed.
Rename Move.thy in CRefine to Move_C.thy for consistency.
Several constants are added to the top level crunch_ignore statement in
Bits_R.thy, then removed from individual crunch statements across Refine and
CRefine.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.