This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
This change was a result of the constant "(tcb_t*)~0" being defined as
0x00000000FFFFFFFF on x86-64 (0 is implicitly a 32-bit integer) rather
than 0xFFFFFFFFFFFFFFFF as expected.
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
This commit adds a method `ac_init`, which converts a ccorres goal into
a corres goal. It also adds an attribute `ac`, which converts a ccorres
fact into a corres fact, in a form suitable for solving goals produced
by `ac_init`.
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
- a case-statement in decodeARMMMUInvocation has an if-statement with a conjunction of three conditions, but they are translated in different orders between arm and arm-hyp and currently the crefine proofs depend on those orders.
- this fix is not a fundumental solution, but, given how reliable the haskell translator is, not sure how much effort we should be putting in here
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
Japheth Lim
Gerwin Klein
Michael Sproul
Joel Beeren
Matthew Brecknell
Rafal Kolanski
Alejandro Gomez-Londono
Pang Luo
Adrian Danis
Joel Beeren
Alejandro Gomez-Londono
Miki Tanaka