Cleared all bitfield sorries as well as remnant sorries from previous
spec changes. Only sorries remaining require spec changes
(msgLabelBits, VER-910) or C/c-parser changes (VER-881).
The logic roughly follows what happens in Refine, but gets woven into
ccorres proofs making this non-obvious.
Similar breakage will become evident once more sorries are cleared
around retyping/deleting.
All kernel objects in the kheap exist at canonical addresses. Additional
constraint needed on Untyped caps: they must refer to a canonical
address in memory, since the Untyped objects themselves do not live in
the kheap.
The invariant is needed to discharge pointer dereference guards in C for
pointers obtained from kernel objects. We managed to prove it without
adding abstract invariants.
Applied the changes from invert-fastpath on ARM_HYP to available X64
files, updated relevant proofs to 64-bit, reduced IpcCancel sorries to
sign_extend only, reduced Schedule to one sorry.
There are probably lots of lemmas missing but this will allow people to
move forward beyond VSpace_C to other files.
Many sorries are dependent on C changes still in the pipeline
On x64, there are only 3 possible page sizes, so it is no longer
possible to deduce that a page size is well-formed from just the
bitfield struct (previously there were 4 page sizes for a 2-bit field).
This allows us to more easily show that arch specific tcb fields are
preserved by many functions of the spec. For ARM_HYP we add a
projection for the tcb_vcpu field.
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
Changes to the C kernel to mitigate the Meltdown vulnerability have
removed x64KSCurrentCR3, and replaced it with other state. As a
temporary fix, this commit removes references to x64KSCurrentCR3 from
the C state relation to keep existing proofs working.
For x64 verification, this ultimately needs to be replaced with a
relation on the new state that has been added, and the specs updated
accordingly.
in addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
This change was a result of the constant "(tcb_t*)~0" being defined as
0x00000000FFFFFFFF on x86-64 (0 is implicitly a 32-bit integer) rather
than 0xFFFFFFFFFFFFFFFF as expected.
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.
Colloquially known as "invert-fastpath".
Update verification efforts on ARM for the following seL4 changes:
- scheduling decisions done in possibleSwitchTo are moved to the
scheduler
- possibleSwitchTo only checks whether the candidate is valid for a
fast switch, not its priority, accepting possible candidates
immmediately as a switch-to scheduler action
- the scheduler checks the candidate against the current thread and
against the bitmaps before making a decision
- attemptSwitchTo and switchIfRequiredTo are gone
- scheduler is now more complicated, and numerous proofs related to it
are rewritten from scratch
- fast path now checks ready queues via the scheduler bitmaps
- L2 scheduler bitmap order reversed for better cache locality
Many iterations between the kernel and verification teams were needed
to get this right.
It's really tiring figuring out whether we loaded all of the right
InfoFlow theory files in jEdit. This file lists what "the theories for
InfoFlow" are and should be loaded instead.
ROOT file adjusted to target it instead of a bunch of files, some of
which already include some of the others.
Gerwin Klein
Michael Sproul
Japheth Lim
Matthew Brecknell
Joel Beeren
Rafal Kolanski
Corey Lewis
Maksym Bortin
Thibaut Perami
Thomas Sewell
Miki Tanaka
Matthew Fernandez