c7fb4dcf2b
riscv aspec/ainvs: redefine kernel_elf_base to point to be kernelELFBase
2019-11-13 16:08:52 +11:00
6f94fff163
riscv aspec/ainvs: rename kernel_base to kernel_elf_base
2019-11-13 16:08:42 +11:00
8bf03d45a0
riscv haskell/design: add and implement IRQ invocations
...
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform, may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
2019-11-12 18:28:40 +11:00
55408a48af
riscv aspec: implement IRQ check, decode and invoke control functions
...
These functions were originally doing throwError IllegalOperation or
returnOk (). Now they have been reimplemented to match the CSpec.
In arch_check_irq, an error is thrown if IRQ is greater than maxIRQ or
is equal to irqInvalid. The error that gets returned to the user however
is a RangeError from 1 to maxIRQ.
2019-11-12 18:28:40 +11:00
39d314137e
riscv haskell: add support to thread id registers
2019-11-12 18:28:40 +11:00
79da089c2e
riscv aspec: update for moving IPC buffer register to thread-local storage
2019-11-12 18:28:40 +11:00
d4f302ae7f
riscv haskell: rename kernelBase to kernelELFBase and fix its value
2019-11-12 18:28:40 +11:00
453233faad
riscv aspec: rename kernelBase to kernelELFBase and update address space layout comment
2019-11-12 18:28:40 +11:00
e4d83b313a
riscv refine: update for PageMap replacing PageRemap (SELFOUR-161)
2019-11-12 18:28:40 +11:00
a5e27933a5
riscv: cleanup; resolve remaining FIXMEs
2019-11-12 18:28:40 +11:00
090894c990
riscv aspec+ainvs: define a consistent initial page table
...
Simpler than the real kernel layout, but will show that invariants are
consistent.
2019-11-12 18:28:39 +11:00
9d81f85c38
riscv: force vptr alignment in PTMap decode
...
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162
2019-11-12 18:28:39 +11:00
4a49681bf5
riscv haskell: look up ASID of PT cap, not vspace cap.
...
It is the user-provided cap that needs to be checked for correct ASID and
vspace.
2019-11-12 18:28:39 +11:00
7ce1c0fb21
riscv haskell: force vptr alignment in decodeRISCVPageTableInvocationMap
...
see also JIRA SELFOUR-2162
2019-11-12 18:28:39 +11:00
b5c47d552e
riscv aspec+ainvs: perform_pg_inv_unmap: update cap in memory
...
The argument cap is the same as the one in memory, but it's less work to not
prove that.
2019-11-12 18:28:39 +11:00
a26c57a825
riscv haskell: needs to unmap, not ignore in finalise
2019-11-12 18:28:39 +11:00
750746296f
riscv aspec: unmap_page may be called with unmapped ASID
...
This means we can't use gets_the, which asserts, but need find_vspace_for_asid,
which can throw.
2019-11-12 18:28:39 +11:00
d4f3d7122c
riscv aspec: fix addr conversions in set_vm_root
...
global_pt needs addrFromKPPtr, because it is an address that lives in the
kernel image, other pt's need addrFromPPtr because they are standard
kernel-virtual addresses.
2019-11-12 18:28:39 +11:00
11bcbc1675
riscv refine: fix ppn handling in checkMappingPPtr
2019-11-12 18:28:39 +11:00
09dbc34a0c
riscv haskell/design: fix lookupPTSlotFromLevel and lookupPTFromLevel
2019-11-12 18:28:39 +11:00
c46a641f7f
riscv haskell: globalPT is at maxPTLevel
2019-11-12 18:28:39 +11:00
c77b2126e0
riscv aspec: initialise SSTATUS register correctly
2019-11-12 18:28:39 +11:00
5a7c2ef850
riscv aspec: correct comment for kernel_base; adjust idle_thread_ptr
2019-11-12 18:28:39 +11:00
960636f744
riscv aspec: pick aligned addresses for pptr_base in initial example state.
2019-11-12 18:28:39 +11:00
8ab9888cf4
riscv aspec: set irq type to lowest word length that fits maxIRQ
...
The irq type determines the size of the IRQ CNode in the abstract spec, which
(in C) is the smallest power of two that fits maxIRQ.
2019-11-12 18:28:39 +11:00
c764565b51
riscv haskell: fail ArchInv.IRQControlInvocation
...
Use fail instead of error so we don't have to prove unreachability for all
properties.
2019-11-12 18:28:39 +11:00
688f8b193d
riscv design: make machine op definition available
...
setVSpaceRoot was being shadowed, because setVMRoot was wrongly excluded instead.
2019-11-12 18:28:39 +11:00
bb4245d23d
riscv haskell: define rest of arch kernel state
...
Included vspace_uses for refinement proof, and added multiple global PTs.
2019-11-12 18:28:39 +11:00
6dd45e2d5f
riscv aspec: sync max_untyped_size with Haskell/C
2019-11-12 18:28:39 +11:00
067d1bdcab
riscv haskell: object numbers for LargePage and HugePage
2019-11-12 18:28:39 +11:00
d72e6b5263
riscv haskell: sync RISCVPageTableUnmap with C and spec
...
now in sync with seL4 change set f612028b180633dc4e404aaceee656da953f877d
2019-11-12 18:28:38 +11:00
ab43338feb
riscv haskell: bring lookupPTFromLevel up to date with C and spec
2019-11-12 18:28:38 +11:00
6b30142018
riscv haskell: maxUntypedSize depends on addressable memory
...
(not on word size)
2019-11-12 18:28:38 +11:00
8e39bbbda9
riscv aspec: provide a constant for ppn word width
2019-11-12 18:28:38 +11:00
430a345aeb
riscv aspec: avoid type variable warning and freeindex increase
2019-11-12 18:28:38 +11:00
c143029f25
capdl: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:27:28 +11:00
5d22c1d329
riscv haskell: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:27:04 +11:00
f284a0cb0e
x64 haskell: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:27:01 +11:00
18a12fc4a0
arm/arm-hyp haskell: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:27:01 +11:00
0ae9614d30
riscv aspec: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:26:41 +11:00
2f04dc3694
x64 aspec: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:26:33 +11:00
12a7c2d441
arm-hyp aspec: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:26:33 +11:00
c64e054c3f
arm aspec: update PageMap to replace PageRemap (SELFOUR-161)
2019-10-10 11:26:33 +11:00
90c0bd618f
aspec doc: update for PageMap replacing Remap (SELFOUR-161)
2019-10-10 11:26:33 +11:00
d934d25269
proof update for SELFOUR-1187: seL4 setPriority should attempt a direct schedule
...
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
2019-10-06 18:31:19 +11:00
31d5c1c70e
cspec: Add feature selection variable.
...
Adds an 'L4V_FEATURES' variable which can be used to select different
CMake configurations for seL4. This makes it easier to build and test
alternative configurations (like MCS).
2019-08-12 16:22:41 +10:00
a1dca67543
riscv aspec/ainvs: resolve FIXMEs, reduce warnings
...
Mostly moved lemmas and definitions to more suitable locations.
Removed unused lemmas and commented-out code.
Resolved simple Isabelle warnings.
2019-07-31 16:56:26 +10:00
f8dc660baf
riscv aspec/ainvs: move init_vspace_uses and canonical_user to spec
...
Needed to define an initial state that satisfies invariants.
2019-07-31 16:55:32 +10:00
519b672d08
riscv aspec bugfix: need to check vaddr alignment for PT-map
2019-07-31 16:55:32 +10:00
0feb5c1a1e
riscv aspec: add check for top-level PT in PT unmap decode
...
See also SELFOUR-2158
2019-07-31 16:55:32 +10:00
af6e0765c5
riscv aspec+ainvs: spec bugfix for arch_finalise_cap; finish ArchFinalise
2019-07-31 16:55:32 +10:00
82df777dd7
riscv aspec: fix spec bug in pt_lookup_from_level
...
This spec bug was inspired by slightly differently but similarly wrong C code
(SELFOUR-2091). Current change brings it into sync with the (correct, we think)
C. Proof update included.
2019-07-31 16:55:32 +10:00
116009c1d7
riscv aspec: constrain asid type to asid_len
...
We previously had asids at machine word representation, but it turns out that
constraining them to actual asid_len is almost no overhead and saves us proving
invariants about asid sizes.
2019-07-31 16:55:32 +10:00
d140b5d9bc
aspec: workaround for VER-1099
...
(locale_abbrev does not always contract when part of the abbreviation chain is outside the locale)
2019-07-31 16:55:32 +10:00
ed87ba03a9
riscv aspec: vtable roots must be page table caps
2019-07-31 16:55:32 +10:00
89aafed912
riscv aspec+ainvs+haskell: update kernelBase, paddrLoad to match C
...
update for changeset 897aaf5b13f39ba2b9ca8ade3a58d1350eb42ad7
This changes properties of kernel_base, thereby invalidating two unused
lemmas: mask_out_8_le_kernel_base, mask_out_8_less_kernel_base
2019-07-31 16:55:32 +10:00
8cd2f3de79
riscv aspec: change pte to store ppn instead of address
...
On other architectures, the address is a PTE stored using field_high and
thus retrieved as an aligned address. On RISCV we have a frame number
(referred to as PPN in some places) that is the address shifted down by
pt_bits.
This changes over the pte to use a ppn with a different number of bits,
and provides addr_from_ppn and addr_from_pte accessors, the latter being
an abbreviation.
Issues:
- "ppn" and "frame" show up in C, which should we use
- conversion functions take paddr, but are named with "addr": change
naming to use paddr?
- we sanity check the number of bits in a ppn is word_bits - pt_bits,
but in C that number subtracts another 8 bits, not clear why
2019-07-31 16:55:31 +10:00
341d12d2fb
riscv aspec: adjust asid high and low bits to match C
...
1 bit moves from high bits to low bits
2019-07-31 16:55:31 +10:00
31da393e14
riscv haskell: adjust asid high and low bits to match C
...
1 bit moves from high bits to low bits
2019-07-31 16:55:31 +10:00
bda33be6b9
riscv aspec: sync with C fix for SELFOUR-1955
...
aspec now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
2019-07-31 16:55:31 +10:00
decbdd9c17
riscv haskell: sync VMFaults with C fix for SELFOUR-1955
...
RISCV faults reduced to actual VM faults, rest become anonymous user-level
faults. handleVMFault adjusted to perform complete case distinction and to not
change the state.
Now in sync with seL4 master@a39c9b6a76d279364e28d3415d750d7287fefd67
2019-07-31 16:55:31 +10:00
23866cbae9
riscv platform: sync seL4_UserTop with C
...
now in sync with master@63ed19c9b7d972eb4af73c666484e277b0d4cf83
2019-07-31 16:55:31 +10:00
b7bf3a9e22
riscv haskell: sync register set definition with C
...
Now in sync with seL4 master@63ed19c9b7d972eb4af73c666484e277b0d4cf83
2019-07-31 16:55:31 +10:00
f2a6566192
riscv: add Kernel_C.thy to base CKernel image on
2019-07-31 16:55:31 +10:00
61bd76708f
riscv aspec: temporarily work around SELFOUR-1955
2019-07-31 16:55:31 +10:00
3e8f89f249
riscv aspec: make aobjs_of projection available in generic spec
2019-07-31 16:55:31 +10:00
c0b7d2fc83
riscv aspec: make decode case distinctions complete
2019-07-31 16:55:31 +10:00
a37d867e66
riscv aspec: abbreviations for asid_table & pt table base + index
...
(moved from riscv ainvs)
2019-07-31 16:55:31 +10:00
d91c83f3a6
riscv aspec+ainvs: rename lookup_pt_* to pt_lookup_* to resemble vs_lookup_*
...
More consistent naming, easier to remember.
2019-07-31 16:55:31 +10:00
ac9ff925ce
riscv platform: removed unused region in address space diagram
...
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2019-07-31 14:13:56 +10:00
367922b8fa
riscv aspec: factor out pure page table walking
...
In particular, separate out a function that returns page table pointers instead
of a function that returns slots in page tables. Phrase the latter in terms of
the former. This makes many properties about walks much more compositional.
2019-07-31 14:13:56 +10:00
629b131dcd
riscv aspec: use OptionReader instead of Option monad
2019-07-31 14:13:56 +10:00
d54fc7860e
riscv aspec: use locale_abbrev
2019-07-31 14:13:56 +10:00
28e1298eea
riscv spec: refactored for invariants; force alignment for PTEs
...
Also:
- renamed pt_slot_index and pte_at_index to *_offset
- store pte_addr instead of pte_ppn
2019-07-31 14:13:56 +10:00
f152d32512
riscv aspec: refactor ptes_of
...
(to make it obvious it depends on pts_of only)
2019-07-31 14:13:56 +10:00
7561116d08
riscv aspec: factor out conversion of page number to kernel virtual
2019-07-31 14:13:56 +10:00
0b8af8800c
riscv aspec: fail not too early in lookup_pt_slot_from_level
2019-07-31 14:13:56 +10:00
e2e68953ae
riscv aspec: refactor to allow multiple levels of global PTs
2019-07-31 14:13:56 +10:00
b44925d0b0
riscv aspec: add riscv_kernel_vspace to support invariant formulation
2019-07-31 14:13:56 +10:00
5f2e6c15db
riscv design: avoid double declaration of riscvvspace_region_use
2019-07-31 14:13:56 +10:00
c1373f3eac
riscv haskell: add kernel ELF region identifier
...
(used in proofs only)
2019-07-31 14:13:56 +10:00
bc7c4efc5a
abstract: updates for moving IPC buffer register to thread-local storage for SELFOUR-1524
2019-06-28 11:32:31 +10:00
0116126a3c
design: add support to thread id registers
2019-06-28 11:20:22 +10:00
2e556d4a33
reduce UserLevelFault code to 28 bits
...
This makes room for a 4-bit seL4_FaultType field.
2019-06-18 12:04:45 +10:00
c34840d09b
global: isabelle update_cartouches
2019-06-14 11:41:21 +10:00
6af81b535c
x64 aspec: more comments now rendered in LaTeX
2019-06-14 11:41:20 +10:00
159a9fc27e
arm-hyp aspec: more comments now rendered in LaTeX
2019-06-14 11:41:20 +10:00
dfb7ed8fc9
design: correct haskell-translator build dependencies
2019-06-13 16:22:33 +10:00
356e91c9fa
access-control, capDL-api, drefine, infoflow, sep-capDL, capDL: update for Isabelle2019
2019-06-13 16:22:33 +10:00
664fc34aaa
cspec: eliminate Local_Theory.reset
...
(removed in Isabelle2019)
2019-06-13 16:22:33 +10:00
ea5e502d25
cspec: update to using cartouches
2019-06-13 16:22:33 +10:00
26fdedad4d
ainvs, spec: changes to remove errors for Isabelle 2019 update
2019-06-13 16:22:33 +10:00
4463e9750e
SELFOUR-1198: update proofs for correct restart PC
...
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
2019-06-13 11:43:50 +10:00
1c35127dcc
x64 aspec: trivial - removed filename prefix in set_asid_pool definition
2019-04-18 14:32:08 +10:00
27a46bbe94
aspec: move type checking assert to set_object
...
Move type checking assert from kernel object set functions to
set_object. This improves proofs by generic reasoning of set_object
instead of kernel object specific lemmas.
2019-04-18 14:32:08 +10:00
8a13759deb
haskell: update to GHC 8.6.4 and Cabal 2.4
...
Cabal 2.4 deprecates the default behaviours of previous versions, and
issues warnings whenever the usual cabal-install commands are used. This
is in preparation for future versions of Cabal where the usual commands
will have entirely new default behaviours. More work would be required
to update our SEL4.cabal configuration to these new behaviours. For now,
we avoid the warnings given by Cabal 2.4 by using the `v1-` versions of
cabal-install commands, which should continue to have the old behaviours
until they are removed from Cabal.
2019-04-02 18:14:37 +11:00
22f2a1c08c
CSpec: update KernelInc_C imports to match seL4 build system changes
...
This fixes import breakage due to seL4 commit f85774e36f.
2019-03-21 19:54:16 +11:00
89372de534
Update to new toolchain
2019-03-18 16:35:18 +11:00
c44fd87594
capdl: remove redundant definition `opt_object`
...
A lot of the proofs in SysInit and DRefine previously had to unfold opt_object,
which was really just an alias for cdl_objects with the arguments in the
opposite order! This commit deletes opt_object in favour of using cdl_objects
directly, which should slightly reduce the burden of unfolding.
2019-02-28 14:34:01 +11:00
4c79675879
sysinit: implement support for shared frames
...
Co-authored-by: Michael Sproul <michael.sproul@data61.csiro.au>
2019-02-19 14:47:00 +11:00
04f1254cb8
arm/arm-hyp abstract: remove outdated comment about globals_frame
2019-01-14 13:37:52 +11:00
10b5bab0f4
aspec: avoid manual proof for rec_del definition
2018-12-18 14:50:54 +11:00
3758df05df
dspec, drefine: fix for GrantReply (SELFOUR-6)
...
Nothing too exciting here, just duplicating the new GrantReply logic
from ASpec and repairing the proofs.
2018-12-10 20:01:38 +11:00
ddf222700f
haskell: Update for GrantReply (SELFOUR-6)
2018-12-10 20:01:37 +11:00
c955ff4917
aspec + arm ainvs: Update mask_rights to mask master reply caps
2018-12-10 20:01:37 +11:00
1b0b188679
aspec: Fix send_fault_ipc to call send_ipc with is_call at true
2018-12-10 20:01:37 +11:00
10145250c2
aspec: Update ASpec for GrantReply (SELFOUR-6)
2018-12-10 20:01:37 +11:00
cac9472e44
sys-init: eliminate non-constructive UNIV
2018-11-26 16:05:37 +11:00
558aa5ca05
riscv platform: address space layout diagram; fixed pAddr_base
2018-11-06 14:14:26 +11:00
021f3eedb5
riscv aspec: refactor RISC-V spec to use OptionMonad
2018-10-26 09:24:27 +11:00
c53f7850d7
Base ASpec + machine on OptionMonad_ND; fix proof fallout
2018-10-25 12:54:02 +11:00
7a48f4c8c7
aspec: add function for mapping arch objects from objects
2018-10-25 12:54:02 +11:00
516952bd9d
aspec: clean up comments + warnings
2018-10-25 12:54:02 +11:00
15bfcdd98b
reduce DRefine dependencies from Refine to AInvs
...
This needs (and includes) some deduplication and moving of lemmas formerly in
refine.
2018-10-22 13:21:11 +11:00
331a0ee1c2
Minor adjustments to the patch for selfour-1491.
...
There were some sloppy last-minute changes that were not properly tested
and managed to evade testing. These contained a single logical omission
and a few typographic mistakes.
2018-09-21 10:09:49 +10:00
8173a37c2d
Updated specs and proofs for SELFOUR-1491: control IRQ triggering on ARM.
2018-09-19 16:18:09 +10:00
733f749e7e
cspec: normalise imports + use proper session name for Kernel_C
...
Substitute.thy already includes Kernel_C, no need to import twice.
Not using the session name in the imports was leading to a second import
of the C code, instead of using the CKernel image/session.
2018-09-10 08:34:32 +10:00
64ea909c4d
haskell: increase timeout for Haskell compilation
...
(GHC setup now seems to take longer)
2018-09-08 11:36:22 +10:00
1597395f03
riscv aspec: style + docs
2018-09-07 08:13:13 +10:00
6301a9703f
riscv aspec: implement abstract spec for RISCV64
2018-09-07 08:13:13 +10:00
395a1eede5
riscv machine: update copyright headers for RISCV64 work
2018-09-07 08:13:13 +10:00
7986766e95
riscv haskell: consistent name for Frame invocations
2018-09-07 08:13:13 +10:00
340232aeb5
riscv haskell: refactor checkFreeSlot; fix test in PageRemap decoding
2018-09-07 08:13:13 +10:00
85a589e1a8
riscv haskell: add type annotations
2018-09-07 08:13:13 +10:00
ec6e969cbf
riscv design: use pre-defined machine ops
2018-09-07 08:13:13 +10:00
01307aeeb0
riscv machine: define setVSpaceRoot, update read_sbadaddr
2018-09-07 08:13:13 +10:00
4791ae78e2
riscv design: make vmFaultTypeFSR available to ASpec
2018-09-07 08:13:13 +10:00
378717bee0
haskell: hide count{Leading,Trailing}Zeros from Data.Bits
2018-09-04 14:59:45 +10:00
d63c9d0343
haskell: enable FlexibleContexts extension in some files
...
Since version 7.10 complains if the inferred type requires FlexibleContexts.
Alternatively we could just add monomorphic type signatures.
2018-09-04 14:59:45 +10:00
333f01608e
haskell: switch from deprecated ErrorT to ExceptT
...
and remove Error instances that are not needed anymore.
2018-09-04 14:59:45 +10:00
34e437f918
haskell: hide Prelude.Word in generated hsboot files
2018-09-04 14:59:44 +10:00
dac7a00e83
haskell: explicitly import Prelude hiding Word
...
everywhere where it can clash with Word type defined by SEL4.
2018-09-04 14:59:44 +10:00
7dc3d1f47c
haskell: fix Setup.hs to work with Cabal2
2018-09-04 14:59:44 +10:00
d232c20030
haskell: add missing modules to the cabal file
2018-09-04 14:59:44 +10:00
5b95542e9a
haskell: start switching to Stackage LTS-12.7 (GHC 8.4/Cabal 2.2)
2018-09-04 14:59:44 +10:00
3101eba8e7
remove trailing whitespace from ulem.sty
2018-08-21 15:15:08 +10:00
fa553b8085
aspec/refine: remove redundant captransfer_size definition
2018-08-20 09:06:37 +10:00
6db6322169
aspec: remove duplicate cap_transfer definition
2018-08-20 09:06:37 +10:00
84110bd84a
Isabelle2018 riscv: ExecSpec
2018-08-20 09:06:37 +10:00
a1d1b69776
Isabelle2018 arm: CRefine
2018-08-20 09:06:37 +10:00
082a48d7b2
Isabelle2018: c-kernel/UmmTypes
2018-08-20 09:06:37 +10:00
8af6b2ec1a
Isabelle2018: add ulem.sty which is now required by isabelle.sty
...
(available by default in newer tetex installs, but not older ones)
2018-08-20 09:06:37 +10:00
bdb3c592b8
Isabelle2018: TakeGrant
2018-08-20 09:06:36 +10:00
b2a2656c19
Isabelle2018: DSpec
2018-08-20 09:06:36 +10:00
428a806526
Isabelle2018 arm: ASpec
...
Only change is empty ~> Map.empty
2018-08-20 09:06:36 +10:00
3525eb6d15
Isabelle2018 arm: ExecSpec
2018-08-20 09:06:36 +10:00
75b38be012
Isabelle2018: new AsmRefine session + test
2018-08-20 09:06:36 +10:00
6b9d9d24dd
Isabelle2018: new "op x" syntax; now is "(x)"
...
(result of "isabelle update_op -m <dir>")
2018-08-20 09:06:35 +10:00
011e08458e
Isabelle2018: new comment syntax
...
(result of "isabelle update_comments <dirs>")
2018-08-20 09:06:35 +10:00
7a5416dc05
Isabelle2018 spec: new handling of external file deps
2018-08-20 09:06:34 +10:00
6486bad264
lib: make Lib session a test dependency
...
Also ensure that the C parser is built before Lib, because it depends
on generated grammar files that need `make'.
2018-08-20 09:06:34 +10:00
b5cdf4703f
globally use session-qualified imports; add Lib session
...
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
2018-08-20 09:06:34 +10:00
4258929246
haskell-translator: add Makefile dependency on caseconvs
2018-08-16 16:44:12 +10:00
2d8233bb76
cparser: set sorry_modifies_proofs conditionally on env var
...
This includes replacing the non-thread-safe ref sorry_modifies_proofs with a
proper Config option.
2018-08-06 14:28:44 +10:00
53fde5e5ff
lib/design: enable more Haskell-like list comprehension syntax
...
Accept "[f x | x \leftarrow t]" in addition to "[f x . x \leftarrow t]",
because the former is what naturally comes out of the Haskell translator, and
the regexps that would be necessary in the Haskell translator for this are
distasteful.
JIRA-VER 927
2018-08-06 11:22:54 +10:00
4db4af2347
dspec: resolve old FIXMEs in capDL spec
2018-08-06 11:22:53 +10:00
9a4d2677e3
lib+spec: move definition of machine_word to Word_Lib
...
JIRA VER-963
2018-08-06 11:22:52 +10:00
807a9792d9
arm-hyp haskell: use consistent ARMHYP_SMMU tag
2018-08-06 11:22:52 +10:00
d860d1e656
haskell: code sharing turned out to work; remove FIXME
2018-08-06 11:22:52 +10:00
e82c7a5c50
x64 design: clean out old FIXMEs
2018-08-06 11:22:52 +10:00
5ae7cc23b1
aspec: msg_align_bits and related are arch independent
...
While the numerical value is arch dependent, the definition and symbolic value
are not. This commit factors out the symbolic computation and only unfolds the
numeric value in the architecture dependent spec.
2018-08-06 11:22:51 +10:00
ead3e6fdc4
aspec: message_info_to_data is mostly arch independent
...
Factored out msg_label_bits, which is the only architecture specific part.
2018-08-06 11:22:51 +10:00
d4f59c862c
aspec: resolve ntfn FIXME
2018-08-06 11:22:50 +10:00
b383b9a187
aspec: move up mask_vm_rights, make arch independent
...
Strictly speaking vmrights might at some point become architecture dependent,
but all present architectures have precisely the same implementation, and there
are no plans to do anything different in the foreseeable future.
2018-08-06 11:22:50 +10:00
e533810190
x64 aspec: mark vt-d FIXME
2018-08-06 11:22:49 +10:00
469b88ea30
x64 aspec: remove syntax warning
2018-08-06 11:22:49 +10:00
8f1122270c
aspec/ainvs: move TLS/ipc buffer FIXME to appropriate position in ADT_AI
2018-08-06 11:22:49 +10:00
d635232bec
aspec: remove old mentions of (retired) globals_frame
2018-08-06 11:18:41 +10:00
0ca5f831a1
x64 machine: cleanup
2018-08-06 11:18:41 +10:00
065f4d25cd
x64 aspec: resolve vtd_pt_bits; check IOPageTabelCap functions
...
Currently unused, but will be relevant for VT-d
2018-08-06 11:18:41 +10:00
908787f315
aspec/haskell: clean out resolved FIXMEs
2018-08-06 11:18:41 +10:00
d262d7f747
cspec Makefile: add target for kernel source.
...
Adds a target name that ensures that the preprocessed kernel source
is up to date, but doesn't do any other work. This avoids confusion
when doing a check of source compatibility in building the seL4 input
for graph-refine.
2018-07-20 14:57:54 +10:00
9e0551f56a
arm-hyp: update proofs for TPIDRUR[OW]/TLS_BASE preservation
...
TPIDRUR[OW] registers removed from VCPU registers. Their saving now
lives in arch_c_entry_hook, which is before verified code is hit.
Relevant for verification, TPIDRURO is already handled as TLS_BASE
register, and TPIDRURW (holds IPC buffer) is saved/restored as part of
normal thread register save/restore.
2018-07-12 23:38:58 +10:00
2558a7c6e5
x64: crefine: update decodeX64FrameInvocation to not mask with PPTR_USER_TOP
2018-07-05 16:23:15 +10:00
e6ca6883ad
x64: spec: fix up definition of decodeX64FrameInvocation to match C
2018-07-05 16:23:15 +10:00
5ed7bb16be
x64: fix up definition of performPageInvocation for unmapping pages
2018-07-05 16:23:15 +10:00
02ed965d79
x64: aspec+haskell: reorder attribsFromWord to match C
2018-07-05 16:23:15 +10:00
b91ee8e4d0
x64: spec+ainvs+refine: add machine ops for nativeThreadUsingFPU and switchFpuOwner
2018-07-05 16:23:15 +10:00
df1c4b1e45
x64: spec+refine: plumb call through perform_ioport_invocation
2018-07-05 16:23:15 +10:00
e9940dee83
x64: spec+refine: remove VMIOSpaceMap, tighten valid_cap' map type guarantees
2018-07-05 16:23:15 +10:00
a4a9a9f721
x64: spec: update ensurePortOperationAllowed to better match C
2018-07-05 16:23:15 +10:00
0b978bae61
x64: spec: changes for IRQ invocations (VER-879)
2018-07-05 16:23:15 +10:00
c481c7d2df
x64: set cteRightsBits to 0 (VER-930)
2018-07-05 16:23:15 +10:00
8953543843
x64: ainvs+refine: remove invalidateASIDEntry, simplify with just hwASIDInvalidate
2018-07-05 16:23:15 +10:00
4967850316
x64: clear wordFromMessageInfo_spec sorry in VSpace_C
2018-07-05 16:23:15 +10:00
f649240cde
x64: CR3 and machine op updates for Meltdown
2018-07-05 16:23:15 +10:00
a3de401c09
x64: more abstract specs and invariants for ASIDs
2018-07-05 16:23:15 +10:00
c10b93bedd
spec/design: fix Haskell file dependencies
2018-07-05 16:23:15 +10:00
c041492916
specs: mask to 32 bit for user-level faults
...
Even on 64 bit platforms, C only passes on 32 bit of information for these faults.
2018-07-05 16:23:15 +10:00
b7758614a8
x64 abstract: reorder arch_data_to_obj_type to match C
2018-07-05 16:23:15 +10:00
0640ff61e4
x64 design/skel: reorder object_type enum to match C
2018-07-05 16:23:15 +10:00
8744fb20d7
x64 abstract/machine: introduce and use FPUNullState
...
The FPU state is opaque, and its null state is not necessary an array of zeroes.
Instead, the null state is a snapshot taken after initialisation.
2018-07-05 16:23:15 +10:00
bcac2c8492
x64: clear some sorry proofs from CSpace_C
...
Also update some Haskell and abstract specs relating to IO ports.
2018-07-05 16:23:14 +10:00
c2694a009d
x64: haskell: comment out IO invocation labels
2018-07-05 16:23:14 +10:00
769a9d1166
riscv haskell: use TP register for TLS_BASE
...
Recent TLS_BASE was missing a RISCV64 definition.
2018-07-04 17:45:36 +10:00
2b8a2ebfbe
spec: add SetTLSBase invocation and update the registers (VER-807)
2018-07-03 13:42:17 +10:00
66831aac87
haskell: pin cabal version
...
Breaks with newer cabals such as 1.22, and it should be using the
stack default anyway.
2018-06-28 16:38:35 +10:00
3a88648ec4
riscv haskell: unmapPage updated to check mapping ptr in C
...
removed FIXME
2018-06-27 10:06:49 +02:00
86ae67af41
riscv haskell: setVMRoot C updated to use 0 ASID for global PT
...
remove FIXME
2018-06-27 10:06:48 +02:00
705983cfd4
riscv design: type sigs + style for recursive funs
2018-06-27 10:06:48 +02:00
ebee89f76b
riscv design: license check
2018-06-27 10:06:48 +02:00
77a47b8c52
riscv haskell: rename decodePage* to match C more closely
2018-06-27 10:06:48 +02:00
360b43a12c
riscv design: lookupPTFromLevel now terminates as fun
2018-06-27 10:06:48 +02:00
5ed7eee730
riscv design: add remaining arch skel files
2018-06-27 10:06:48 +02:00
e12e57d74a
riscv design: skeleton files up to ArchRetypeDecls_H
2018-06-27 10:06:48 +02:00
a84b7c624e
riscv machine: style
2018-06-27 10:06:48 +02:00
aa510dbb93
riscv machine: add remaining machine interface
...
These are unused in RISCV64 at the moment, but referred to
in generic code, and will likely need to be filled in for
real hardware later.
2018-06-27 10:06:48 +02:00
52486ccd79
riscv haskell: refactor for haskell translator
...
The translator couldn't infer the error monad in the where clause.
2018-06-27 10:06:48 +02:00
a64b0805ad
riscv haskell: parentheses for the haskell translator
2018-06-27 10:06:48 +02:00
6e93fb1724
riscv haskell: check ptr to be unmapped
2018-06-27 10:06:48 +02:00
cd086b17f1
riscv haskell: avoid identifiers with leading _ for Isabelle
2018-06-27 10:06:48 +02:00
ca8142fdda
riscv haskell: add ASIDPoolCap case to finaliseCap
...
(C got updated)
2018-06-27 10:06:47 +02:00
115a9ad266
riscv machine: define pptrUserTop and pageColourBits
2018-06-27 10:06:47 +02:00
fc13a034bb
riscv haskell: C code now respects isDevice in createObject
...
remove FIXME
2018-06-27 10:06:47 +02:00
b4f74c851e
riscv haskell: sync maskCapRights to new C implementation
2018-06-27 10:06:47 +02:00
39b8b1cb28
riscv design: sFence and readSBADAddr -> sfence and read_sbadaddr
2018-06-27 10:06:47 +02:00
53774a7a47
riscv haskell: sFence and readSBADAddr -> sfence and read_sbadaddr
2018-06-27 10:06:47 +02:00
41326ddec4
riscv haskell: review hardware ops, especially "unimplemented"
...
sFence and readSBADAddr have hard-to-guess names, tuned to what they
look like in C
2018-06-27 10:06:47 +02:00
ce937c5797
riscv design: update ptrFromPAddr/addrFromPPtr to match C
2018-06-27 10:06:47 +02:00
8e4f85c7d5
riscv spec/machine: adjust defs for RISCV64
2018-06-27 10:06:47 +02:00
05925b889d
riscv design: initial RISCV64 setup
2018-06-27 10:06:47 +02:00
9bc97c9ac7
riscv haskell: use explicit decl for haskell translator
2018-06-27 10:06:47 +02:00
1833ea40de
riscv haskell: use -- comments for haskell translator
2018-06-27 10:06:47 +02:00
84a455641e
riscv haskell: add VSpaceRegionUse type for invariants
2018-06-27 10:06:47 +02:00
c0afbc6977
riscv haskell: mark simulator interface unused
2018-06-27 10:06:46 +02:00
3eed0be588
riscv haskell: correct initial ASIDPool size
...
This will be encoded separately in the proofs anyway, but if there ever is a
simulator interface for Haskell/RISCV, makeObject is now defined correctly.
2018-06-27 10:06:40 +02:00
8a71a417c2
riscv haskell: Arch.(perform|decode)Invocation
2018-06-27 10:05:45 +02:00
077353b5f1
riscv haskell: clean up hardware interface.
...
Most of the machine monad functions can remain unimplemented for RISCV, because
they are only relevant for simulator support in Haskell. They will be
implemented separately in the formal specs after translation.
2018-06-27 10:05:45 +02:00
e20c03a53a
riscv haskell: no IRQ parameters on RISCV64
2018-06-27 10:05:45 +02:00
8a9b22c459
riscv haskell: checked boot code stubs
...
They can all remain unimplemented.
2018-06-27 10:05:45 +02:00
51732b74bc
riscv haskell: irq type and bounds
2018-06-27 10:05:45 +02:00
9a10e926fa
riscv haskell: StateData: checked and cleared FIXMEs
2018-06-27 10:05:45 +02:00
856e4df5d3
riscv haskell: decode page table invocations
2018-06-27 10:05:45 +02:00
98541812c7
riscv haskell: decode page invocation
2018-06-27 10:05:45 +02:00
d57c3db80f
riscv haskell: indent tweak
2018-06-27 10:05:45 +02:00
892ef9e695
riscv haskell: ASID control + pool decode
2018-06-27 10:05:45 +02:00
8fb7e5523a
riscv haskell: no separate flushing on riscv
2018-06-27 10:05:45 +02:00
4ba6fa77d9
riscv haskell: page table invocations
2018-06-27 10:05:44 +02:00
0b4e6974d2
riscv haskell: ASID and Page invocations
2018-06-27 10:05:44 +02:00
5a762ccbfa
riscv haskell: added sfence machine op
2018-06-27 10:05:44 +02:00
42a3e465fd
riscv haskell: introduce readSBADAddr machine op
...
(C machine interface has caught up)
2018-06-27 10:05:44 +02:00
8e40102aed
riscv haskell: fill in vspace helper functions
2018-06-27 10:05:44 +02:00
5b665f663a
riscv haskell: unmapPageTable
2018-06-27 10:05:44 +02:00
487dbe56b0
riscv haskell: progress on ObjectType
...
Preliminary versions of finaliseCap/sameRegionAs/placeNewDataObject
There are issues with C code under discussion, these are noted and spec
will have to be updated accordingly.
2018-06-27 10:05:44 +02:00
22c86e9c5f
riscv haskell: unmapPage
2018-06-27 10:05:44 +02:00
be08b88ce5
riscv haskell: deleteASID
2018-06-27 10:05:44 +02:00
537360b065
riscv haskell: lookupIPCBuffer
2018-06-27 10:05:44 +02:00
2e7c6ed252
riscv haskell: copyGlobalMappings
2018-06-27 10:05:44 +02:00
8c23021814
riscv haskell: no ASID map in RISCV (enough bits in hw ASID)
2018-06-27 10:05:44 +02:00
9ba1c0ee07
riscv haskell: deleteASIDPool
2018-06-27 10:05:44 +02:00
156e4b3262
riscv haskell: tweak lookupPTSlot, add comments.
...
Adjusted according to Raf's feedback.
2018-06-27 10:05:44 +02:00
8af55f6f9d
riscv haskell: deriveCap and similar
2018-06-27 10:05:44 +02:00
13d68657db
riscv haskell: arch invocation datatypes
2018-06-27 10:05:44 +02:00
31b635401d
riscv: setup cspec build for L4V_ARCH=RISCV64
...
C parser and word setup copied from X64
2018-06-27 10:05:44 +02:00
d5eb5f6768
riscv haskell: handling/encoding of VM faults
2018-06-27 10:05:44 +02:00
4d79eb9a8e
haskell: explicitly note RISCV64 modules in cabal file
...
They are implicitly compiled already when building non-arch modules.
2018-06-27 10:05:44 +02:00
7a16f0611a
riscv haskell: setVMRoot
2018-06-27 10:05:44 +02:00
c5c4e2d41f
riscv haskell: fill in basic address constants
2018-06-27 10:05:44 +02:00
254e0e02af
riscv haskell: more consistent name
...
Diverges from C, but if at all we should change the C.
2018-06-27 10:05:44 +02:00
fd20351903
riscv haskell: refactor lookupPTSlot to avoid duplication
2018-06-27 10:05:43 +02:00
499e768dd5
riscv haskell: recursive lookupPTSlot
2018-06-27 10:05:43 +02:00
6d7ca21acb
riscv haskell: rework PTE for more abstraction
2018-06-27 10:05:43 +02:00
f99e733669
riscv haskell: findVSpaceForASID and PSpaceStorable
2018-06-27 10:02:47 +02:00
3bd9b618ce
riscv haskell: use symbolic names
2018-06-27 10:02:47 +02:00
6a8425f644
riscv haskell: pageBitsForSize
2018-06-27 10:02:47 +02:00
34093ed313
riscv haskell: arch object types
...
Translate 4K/Mega/Giga to Small/Large/Huge to fit with other
architectures.
2018-06-27 10:02:47 +02:00
f1069582bd
riscv haskell: update arch thread and interrupt
2018-06-27 10:02:47 +02:00
086ff039e5
riscv haskell: invocation labels from xml
2018-06-27 10:02:47 +02:00
e4c4650cf3
riscv haskell: update arch RegisterSet and TCB
2018-06-27 10:02:47 +02:00
a98fe9b465
riscv haskell: finish arch object definitions
2018-06-27 10:02:47 +02:00
37d552967c
riscv haskell: clarify diff to C
2018-06-27 10:02:47 +02:00
f220423f50
riscv haskell: define arch objects and caps
2018-06-27 10:02:47 +02:00
7f06c5eb9c
riscv haskell: minimum compiling skeleton
...
All functions and datatypes required by generic code are supplied in
stubbed out or placeholder form, and anything not required is missing.
The code compiles (make build-riscv), please let's keep it that way.
Look for the "FIXME RISCV" tag, which is the official FIXME tag for this
project.
2018-06-27 10:02:47 +02:00
959aa78aa1
haskell: add build configuration for RISCV on Spike platform
...
Setup.hs + SEL4.cabal + Makefile
2018-06-27 10:02:47 +02:00
15d6b62040
arm: address setCurrentPD mismatch between abstract/haskell/C
...
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
2018-06-22 11:59:30 +10:00
4a3d7a958c
arm-hyp: update proofs for SELFOUR-584: running multiple VMs on ARM
...
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
2018-06-15 18:48:47 +10:00
2ca1994139
haskell: retire literate Haskell PDF document
...
The PDF has been out of date for a while and is unmaintained. For now,
we leave the file format as literate Haskell, but retire the build for
the PDF document.
JIRA VER-912
2018-05-24 10:44:35 +10:00
25125763bd
arm-hyp: ioportcontrol: fixes after adding IOPortControlCaps to x64
2018-04-19 05:27:06 +10:00
1634608453
arm: ioportcontrol: Fixes after adding IOPortControlCaps to x64
2018-04-19 05:27:06 +10:00
f728dd25e8
x64: Add IOPortControlCaps to control IO port allocation
...
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
2018-04-19 05:27:06 +10:00
02e5096534
x64: VER-917: correct VSpace invocations to update map_type, and add invariants to check that maptype and mapped addresses correspond for PageCaps
2018-04-19 05:27:05 +10:00
1966c2e07c
cspec: fix make dependency breakage when CMake command fails
...
Once again, with feeling. This commit uses a dummy file as the CMake
dependency, to avoid re-running the kernel build in parallel.
2018-04-13 17:10:59 +10:00
b264f59f8d
Revert "cspec: fix make dependency breakage when CMake command fails"
...
This reverts commit 1635696387
2018-04-13 16:46:29 +10:00
1635696387
cspec: fix make dependency breakage when CMake command fails
2018-04-12 12:07:42 +10:00
88f804be12
specs: range check full object size, not only user object size
...
This is relevant when the max object size is significantly smaller than word_bits,
which is the case for 64 bit platforms.
2018-04-11 07:59:27 +10:00
9813f6a09f
arm-hyp haskell+refine: reorder arch invocation labels to match C
2018-04-07 00:02:51 +10:00
62bee91f12
cspec/crefine: make ctcb_offset available to AUXUPD
2018-03-26 14:37:22 +11:00
51190d18d1
ARM bisim: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
d9c08fc73f
aspec/haskell/machine: refactor user_context interface
...
- remove separate abstract set_/get_register implementation, directly use machine op
- make interface aware that user_context does not always need to equal
(register => machine_word)
- introduce FPU state on x64
2018-03-08 18:41:28 +11:00
f0795805d1
SELFOUR-1016: fix confused deputy problem when setting priorities
2018-02-26 11:19:43 +11:00
4601f2a1ab
Genericise deletion actions that occur after empty_slot
...
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
2018-02-23 09:12:55 +11:00
3abbdd74a3
aspec: reintroduce spec document version information
...
Including version information in the spec document is tricky, because
Isabelle will rebuild the session whenever it sees that session inputs
(including document sources) have changed. Since ASpec is close to the
root of our session hierarchy, frequently changing version information
causes excessive rebuilds during development.
This commit avoids excessive rebuilding by building the document (with
version information) in a separate ASpecDoc session. The ASpecDoc
session is identical to the previous version of the ASpec session, but
is not the parent of any other sessions. The ASpec session is used as
the basis for other sessions, but has document-only inputs removed, and
also has document builds disabled.
2018-02-20 10:46:50 +11:00
0b2cb85b8d
aspec: remove ARCH and git-id from specification document
...
This partially reverts a recent change which adds these.
Unfortunately, including the ARCH and git-id files in the ROOT file
causes frequent rebuilds during development. For example, adding a
commit that changes only CRefine would cause a change in the git-id
file, which would in turn trigger a rebuild of ASpec and everything that
depends on it. Because the git-id file also noted uncommitted changes,
these would also trigger an ASpec rebuild. Similarly, switching to a
different L4V_ARCH would cause the ARCH file to change, also triggering
an ASpec rebuild.
Since Isabelle makes it difficult to include this information in the
document without adding these files to the ROOT file, this commit is
removing this information until we find a better way.
2018-02-17 10:44:36 +11:00
3d225cde69
VER-910: add msgLabelBits to haskell
...
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
2018-02-07 10:36:59 +11:00
07f4c60171
abstract pdf: indicate additional/dirty files in hash
2018-01-26 14:30:52 +11:00
840e77edeb
abstract pdf: update old NICTA URL to TS
2018-01-26 14:30:48 +11:00
9f6d2c8d57
abstract pdf: update copyright
2018-01-26 14:30:44 +11:00
f310195e56
abstract pdf: update authors list
2018-01-26 14:30:38 +11:00
e6c65356a0
abstract pdf: generate VERSION, ARCH, git-id information for PDF
2018-01-26 14:30:38 +11:00
995b88cefa
SELFOUR-707: schedule highest priority thread on setPriority
2018-01-19 16:08:11 +11:00
Victor Phan
Gerwin Klein
MiladKetabi
Edward Pierzchalski
Rafal Kolanski
Amirreza Zarrabi
Matthew Brecknell
Japheth Lim
Michael McInerney
Luke Mondy
Michael Sproul
Callum Bannister
Thibaut Perami
Mitchell Buckley
Ilya Yanok
Thomas Sewell
Rafal Kolanski
Joel Beeren
Corey Lewis
Gerwin Klein