At the point we call set_asid_pool, the pool we are writing is out
of date, because invalidate_asid_entry will have changed it. This
commit adds another read operation after invalidate_asid_entry to
perform a write that is as atomic as the corresponding C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We previously made use of the fact that the table to be unmapped will
be a NormalPT_T. This is still true, but to avoid an unnecessary proof
obligation here, we take the pt_type provided by the cap instead, which
coincides with the pt_type the proof uses.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Check that the type of the page table that is present is the type we
are requested to update. The same assert is already present for ptes_of.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
(removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
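The encoding rule above, as an added example that is not part of the original commit or of the seL4 sources: a small C model of the RISC-V Sv39/Sv48 PTE format in which the non-leaf ("PageTablePTE") constructor leaves A, D and U clear, and a checker that rejects the old encoding with those bits set to 1. The helper names, the pre-set A/D bits on leaf entries, and the sample physical addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RISC-V PTE bit layout (privileged spec, Sv39/Sv48). */
#define PTE_V (1ULL << 0)
#define PTE_R (1ULL << 1)
#define PTE_W (1ULL << 2)
#define PTE_X (1ULL << 3)
#define PTE_U (1ULL << 4)
#define PTE_G (1ULL << 5)
#define PTE_A (1ULL << 6)
#define PTE_D (1ULL << 7)
#define PTE_PPN_SHIFT 10
#define PTE_PPN_MASK  ((1ULL << 44) - 1)   /* PPN field, bits 53:10 */

/* A valid PTE with none of R/W/X set points to a next-level page table. */
static inline bool pte_is_table(uint64_t pte)
{
    return (pte & PTE_V) && !(pte & (PTE_R | PTE_W | PTE_X));
}

/* Non-leaf entry: only V and the PPN. A, D and U stay 0, as the spec
 * requires for non-leaf PTEs. paddr is assumed to be 4K aligned. */
static inline uint64_t pte_make_table(uint64_t paddr)
{
    return PTE_V | (((paddr >> 12) & PTE_PPN_MASK) << PTE_PPN_SHIFT);
}

/* Leaf entry for a 4K page. A and D are pre-set here (an assumption of this
 * example) so hardware never has to write them back. */
static inline uint64_t pte_make_page(uint64_t paddr, bool user, bool writable,
                                     bool executable)
{
    uint64_t pte = PTE_V | PTE_R | PTE_A | PTE_D
                 | (((paddr >> 12) & PTE_PPN_MASK) << PTE_PPN_SHIFT);
    if (user)       pte |= PTE_U;
    if (writable)   pte |= PTE_W;
    if (executable) pte |= PTE_X;
    return pte;
}

/* Well-formedness check: a non-leaf PTE must have A, D and U clear; a leaf
 * PTE must not be writable without being readable (reserved encoding). */
static inline bool pte_well_formed(uint64_t pte)
{
    if (!(pte & PTE_V))
        return true;                 /* invalid entries carry no constraint */
    if (pte_is_table(pte))
        return (pte & (PTE_A | PTE_D | PTE_U)) == 0;
    return !((pte & PTE_W) && !(pte & PTE_R));
}

/* Physical address of the next-level table referenced by a non-leaf PTE. */
static inline uint64_t pte_table_paddr(uint64_t pte)
{
    return ((pte >> PTE_PPN_SHIFT) & PTE_PPN_MASK) << 12;
}

int main(void)
{
    uint64_t good = pte_make_table(0x80001000ULL);
    uint64_t old  = good | PTE_A | PTE_D | PTE_U;   /* the rejected encoding */
    printf("new table PTE %016llx well-formed: %d\n",
           (unsigned long long)good, pte_well_formed(good));
    printf("old table PTE %016llx well-formed: %d\n",
           (unsigned long long)old, pte_well_formed(old));
    return 0;
}
```

The checker is the kind of assertion one would put behind a debug build when writing page-table entries: it costs one mask per store and catches the A/D/U mistake that the C change fixed.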
The strict function application operator made sense when performance
mattered because the model was used from a simulator. Now it's just
noise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
GHC 9.0.2 requires a space between ! and the operand to distinguish
the expression from a bang pattern.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
GHC 9.0.2 is more strict in its pattern syntax and rejects @ patterns
that are surrounded by parentheses.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- switch to lts-19.12 (GHC 9.0.2)
- use cabal v2 commands, which build locally by default and don't
need a separate sandbox
- update SEL4.cabal file to cabal spec version 3
- remove generated `cabal.project.local~*` backup files after configure
to avoid flooding the directory
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The previous spec was trying to set message registers manually
when instead it should have just returned the list of data words
that forms the reply. This correctly modeled the currently wrong
behaviour in C, which seL4/seL4#243 fixes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
C code changed to drop stage 1 translation from constructing VM fault
messages when in a hypervisor context.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
arch_same_region_as must respect the type of the object the cap points
to, so we need to constrain PageTableCap to the same type.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On RISCV64, we had the nice property that pt_walk can only produce
aligned addresses. This alignment is important for further address
computation.
It turns out that the same is true on AARCH64, because the bottom 12
bits of page table addresses are not stored in PTEs. PagePTEs can only
point to normal page tables, so there is no variation in the size of
the alignment.
This commit uses a similar encoding to RISCV64 to achieve this pt_walk
property without using an additional invariant.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
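The alignment property described above, as an added example that is not part of the original commit or of the seL4 sources: a C model of a 4-level AArch64 walk over 4KB-granule table descriptors, where the next-level table address is taken from bits [47:12] only, so every table address the walk produces is 4K aligned even when the descriptor's ignored bits [11:2] contain junk. The simulated physical memory, the base address, the example virtual address and all helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VMSAv8-64 descriptors, 4KB granule, 48-bit addresses. */
#define DESC_VALID      (1ULL << 0)
#define DESC_TYPE_TABLE (1ULL << 1)              /* bits[1:0] == 0b11 at L0..L2 */
#define DESC_ADDR_MASK  0x0000FFFFFFFFF000ULL    /* next-level table address, bits [47:12] */
#define PAGE_BITS       12
#define PT_INDEX_BITS   9
#define PT_ENTRIES      (1u << PT_INDEX_BITS)
#define LAST_LEVEL      3

typedef uint64_t pte_t;

/* Constructed stand-in for physical memory: four 4K tables starting at PMEM_BASE. */
#define PMEM_BASE 0x40000000ULL
static pte_t pmem[4 * PT_ENTRIES];

static pte_t *pt_at(uint64_t paddr)
{
    return pmem + (paddr - PMEM_BASE) / sizeof(pte_t);
}

/* Index into the level-n table: 9 bits per level, level 0 is the top. */
static unsigned pt_index(uint64_t vaddr, unsigned level)
{
    return (vaddr >> (PAGE_BITS + PT_INDEX_BITS * (LAST_LEVEL - level))) & (PT_ENTRIES - 1);
}

static bool desc_is_table(pte_t d, unsigned level)
{
    return (d & 3) == 3 && level < LAST_LEVEL;   /* 0b11 at level 3 is a page */
}

/* Only bits [47:12] are stored, so the result always has bits [11:0] == 0. */
static uint64_t desc_table_addr(pte_t d) { return d & DESC_ADDR_MASK; }

static pte_t make_table_desc(uint64_t table_paddr)
{
    return (table_paddr & DESC_ADDR_MASK) | DESC_TYPE_TABLE | DESC_VALID;
}

typedef struct { uint64_t table; unsigned level; pte_t pte; } walk_result;

/* Descend from the root until a non-table descriptor is hit. */
static walk_result pt_walk(uint64_t root, uint64_t vaddr)
{
    walk_result r = { root, 0, 0 };
    for (;;) {
        r.pte = pt_at(r.table)[pt_index(vaddr, r.level)];
        if (!desc_is_table(r.pte, r.level))
            return r;
        r.table = desc_table_addr(r.pte);
        r.level++;
    }
}

#define EXAMPLE_VADDR 0x40201000ULL   /* indices 0,1,1,1 at levels 0..3 */

static uint64_t build_example(void)
{
    const uint64_t l0 = PMEM_BASE, l1 = PMEM_BASE + 0x1000,
                   l2 = PMEM_BASE + 0x2000, l3 = PMEM_BASE + 0x3000;
    memset(pmem, 0, sizeof pmem);
    pt_at(l0)[pt_index(EXAMPLE_VADDR, 0)] = make_table_desc(l1);
    /* bits [11:2] of a table descriptor are IGNORED by the MMU; fill them with
       junk to show the extracted next-table address is still 4K aligned. */
    pt_at(l1)[pt_index(EXAMPLE_VADDR, 1)] = make_table_desc(l2) | 0x7FCULL;
    pt_at(l2)[pt_index(EXAMPLE_VADDR, 2)] = make_table_desc(l3);
    /* level-3 page descriptor: output address 0x80000000, AF set, bits[1:0]=0b11 */
    pt_at(l3)[pt_index(EXAMPLE_VADDR, 3)] = 0x80000000ULL | (1ULL << 10) | 3;
    return l0;
}

/* True when the walk reaches level 3 and every table address was 4K aligned. */
static bool example_walk_is_aligned(void)
{
    walk_result r = pt_walk(build_example(), EXAMPLE_VADDR);
    return r.level == LAST_LEVEL && (r.table & 0xFFF) == 0
           && r.table == PMEM_BASE + 0x3000
           && (r.pte & DESC_ADDR_MASK) == 0x80000000ULL;
}

int main(void)
{
    walk_result r = pt_walk(build_example(), EXAMPLE_VADDR);
    printf("stopped at level %u, table %#llx, pte %#llx\n",
           r.level, (unsigned long long)r.table, (unsigned long long)r.pte);
    return 0;
}
```

Because desc_table_addr never returns a value with low bits set, any address arithmetic that follows the walk (indexing the next table, computing the slot for a new entry) can rely on alignment without a separate invariant over the table contents.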
This target was used in the regression test setup before this repo
switched to `run_tests` and has been unused for some time.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This means Isabelle will automatically insert `level_type` when it
finds a term of type `vm_level` but expects one of type `pt_type`.
This only works when the context is unambiguous, but it does make quite
a few terms shorter.
This is input-only, `level_type` will still show up in output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Same principle as for ASpec, set up in a way that PT_Type can be shared
between the specs. Fewer occurrences in Haskell, because it does not have
explicit page table objects, only PTEs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Replaces bool with a dedicated type for page table types. This should
generalise nicely to more different levels and removes the slightly
confusing occurrence of bool.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This replaces 'a word for indices with machine_word. Since we can't use
a specific word length for a generic table index (because different
tables can have different index types), we don't win much by using 'a
word, but we do lose something: we must instantiate 'a when we use the
term, which means we need to decide at that point which type of table
we are talking about. This forces early case distinctions in proofs.
Using machine_word allows us to delay committing to a particular table
type and instead write a generic condition on the width of the index.
We are using machine_word instead of nat or a different specific word
length, because the index into the table is a slice of either an
obj_ref (in ptes_of) or a vref (when we do page table walks), both of
which are compatible with machine_word.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Instead of modeling uniform PTE access between levels from Haskell and
C, it comes out cleaner in the abstract spec to keep PTE access
separate per level. This means that get/storePTE take an is_vspace
argument, which in turn is propagated up, so a few more functions now
have a level/is_vspace argument.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Making vs_index_len a symbolic value instead of a plain number means we
have to unfold config_ARM_PA_SIZE_BITS_40 less often (instead, we need
to consider both cases, which forces us to stay generic).
This also makes sure the type vs_index_len is always distinct from
pt_index_len (even if the sizes are the same), which was only
guaranteed in one of the two configurations before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The bit width of intermediate physical addresses (IPA) is occasionally
useful in the invariants later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Make the function usable not only in the code+specs, but also in the
invariants by adding a case for asid_pool_level (= max_pt_level + 1).
At this level, we also need to translate the bits of the top-level
table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes sure we're accessing the right kind of object for the level
we are interested in. Relying on alignment is Ok when the invariants
are in scope, but this check is more immediate and avoids us needing
pspace_aligned and pspace_distinct in all lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Give more time for downloading and compiling dependencies for runs
where these are not cached.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes sure we're catching all dependencies that are declared for
`design-spec` in the top-level Makefile. In particular, we want
`c-config` to run at least once before either `ASpec` or `ExecSpec` run
it, to make sure these two are not racing on config generation in
`-j 2`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We had put a lot of VCPU content into ArchVSpace and ArchVSpaceAcc even
though VCPUs aren't really very related to VSpace. These functions now
live in a separate file, VCPUAcc, in analogy to VSpaceAcc and TcbAcc.
Some of these functions could also move into VCPU_A instead.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
As Corey points out, the rest of the fields are in perfect order with
Haskell, and keeping all of them fully in sync will save us shuffling
and looking up things later in the proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- tune comment
- make vs_index_len the generic interface for vs_index_len_def
- provide relationship to ptTranslationBits
The latter two points will help to keep invariant proofs generic over
the size of the top-level table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Config files should be re-generated when generator content changes,
because that generally changes the content of the output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On AArch64 pptrUserTop is not page aligned, which also suits us fine for
reusing the value later in AInvs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Definitions in Platform.thy may depend on kernel config options, so
we need Kernel_Config_Lemmas there already, and need to replace the
dependency in Machine_Types to avoid a dependency circle.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These files have been reviewed, but the FIXMEs stuck around.
Update copyright on files we modified, and leave as is for only
copy+sed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>