(copied from ARM)
Per-plaform CPP configuration for spec-check and make-spec.
The configuration is still duplicated between the two scripts, but now
the translation/check for ARM_HYP will use correct CPP settings.
from pull request #285:
SELFOUR-555: Rename ksCurCPU->armHSCurVCPU
SELFOUR-557: s/isIOSpaceFrame/isIOSpaceFrameCap/
Other changes in pull request have no effect on current Haskell spec.
Hypervisor extensions add extra fault types which are entirely
arch-specific. While the concept of a VM fault exists on all platforms,
these faults are also arch-specific.
This change adds an ArchFault datatype and constructor to the generic
Faults and Failures, and moves VMFault into ArchFault for the ARM
platform.
NOTE: fault indices have changed (generic goes before arch) as per
the changes needed for SELFOUR-413, which is the seL4 C equivalent of
this commit.
- dropped InvokePageIO in favour of capVPisIOSpace flag on PageCap
- converted some objBits (undefined :: ...) to pteBits and pdeBits
- added invalid IOPDEs and IOPTEs encoded to 0
- added IOPTEs and IOPDEs to PSpaceStorable
- adjusted asidHighBits to drop one on enabling MMU
The kernel gains an entry point for hypervisor exception events, as well
as a way to add arch-specific handlers for these events.
We do this since the hypervisor has its own entry point into the kernel,
and that must be reflected in the top-level kernel entry interface.
For ARM target, which does not have hypervisor support, we add an no-op stub.
Other platforms such as arm-hyp will need to look into additional TCB state
such as VCPU in sanitiseRegister. This commit provides the scaffolding for
that.
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
SUPREMUM changed from a definition to an abbreviation.
A number of proofs that previously used blast, fastforce or auto to
solve goals involving UNION, now either fail or loop. This commit
includes various ad-hoc workarounds.
* atcbContextGet and atcbContextSet where added (just as in ASpec)
* asUser is now defined in terms of atcbContext{Get,Set}
* arch_tcb is now correctly imported as a datatype not as a type
synonym
tags: [VER-623][SELFOUR-413]
* atcbContextGet and atcbContextSet where added (just as in ASpec)
* asUser is now defined in terms of atcbContext{Get,Set}
tags: [VER-623][SELFOUR-413]
* fixing name space for arch_tcb and tcb_context
* arch_fault added
* changing name space for arch_tcb
- as_user, set_mrs, get_mrs, copyRegsToArea, and copyRegsToArea are
moved to the ARM_HYP directory. This breaks the proofs in
refinement, etc., mostly in tcb related files.
* removed a duplicate range check definition
* fixes ARM for arch_tcb
* adding arch_thread_get/set
* add ReserveIRQ
- initInterruptController is not added yet.
* add arch_fault
- arch_fault and related functions are added.
* arch-parametrising arch-specific extra registers
- ArchDefaultExtraRegisters is the common interface that refers to the
arch-specific data (ARMNoExtraRegisters for ARM/ARM_HYP)
* Adding accesors for tcb_context
- Despite the fact that tcb_context has an arch-specific definition,
it is reasonable to assume that some form of tcb_context will be
available in any architecture, thus the need for accesors to handle
updates.
* as_user updated to use tcb_context accesors
* set_mrs and get_mrs updated to use tcb_context accesors
- Several function on ArchTcb_A and ArchTcbAcc_A (both theories where
removed) can be defined in a general context by using the
tcb_context accesors
tags: [VER-623][SELFOUR-413]
* skeletons, adding new constructs (arch_tcb, arch_fault)
* adjusting skeletons for ReserveIRQ + small change in haskell (ARM)
Changes in: spec/haskell/src/SEL4/Object/Interrupt/ARM.lhs:37:21
Due to "Defined but not used: ‘irq’"
* arch-splitting faults in skeletons (ARM)
* fix arch_tcb and asUser namespace issues in skeletons (ARM)
* checking in current generated files
tags: [VER-623][SELFOUR-413]
Hypervisor extensions add extra fault types which are entirely
arch-specific. While the concept of a VM fault exists on all platforms,
these faults are also arch-specific.
This change adds an ArchFault datatype and constructor to the generic
Faults and Failures, and moves VMFault into ArchFault for the ARM
platform.
NOTE: fault indices have changed (generic goes before arch) as per
the changes needed for SELFOUR-413, which is the seL4 C equivalent of
this commit.
* add arch faults and failures to SEL4.cabal
* introduce and handle IRQReserved
On ARM this does nothing, but on other platforms reserved IRQs are
actually used.
* split TCB into ArchTCB (userContext)
* changing ArchFault to make haskell-translator to work
tags: [VER-623][SELFOUR-413]
This reverts:
- a67b443ca5
"SELFOUR-242: update goal number based indentation in Fastpath_C"
- f704cf0404
"SELFOUR-242: invert bitfield scheduler and optimise fast path"
Verification confirmed functional correctness and refinement of the
system in this case. However, guarantees on thread scheduling and
fairness are not modeled in the current verification. Once this issue is
addressed, SELFOUR-242 will be re-examined.
* Reverse the level 2 of the bitmap scheduler to move the highest priority
threads' level 2 entries into the same cache line as the level 1.
* Use the bitfield scheduler to make the fast path a more common occurrence.
* Change possibleSwitchTo to not invoke scheduler when the fast path would not
invoke it either (using implicit assumptions about the current thread being
the highest priority schedulable thread)
These changes to the automatons are required by:
SELFOUR-242: invert bitfield scheduler and optimise fast path
Details:
When we enter the kernel, the domain time left (ksDomainTime) is never zero.
If we entered on a timer interrupt, we may decrement it to zero before the
scheduler runs. If we do so, we set the scheduler state to choose_new_thread.
When choosing a new thread, the scheduler switches to a new domain if the
present one is required, and sets the new domain time left from domain_list
(ksDomSchedule).
When entering the kernel on a non-interrupt event, we never touch the domain
time left, which trivially preserves the new constraints.
To prove these, we had to ban a transition from kernel entry to kernel being
preempted when handling an interrupt event in InfoFlow. This is fine, as by
design handling interrupts is not meant to be preempted by interrupts.
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strenthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
Also includes fixes to specs and invariants, and initial progress
towards C refinement.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
A skeleton line of the form
\#INCLUDE_SETTINGS keep_constructor=asidpool
now ensures that the asidpool type constructor is actually created in
subsequent #INCLUDE_HASKELL declarations. It turns out this feature was already
available, and already used for asidpools, this change just makes it externally
adjustable.
Isabelle LaTeX style files use old font commands \bf, \rm, \tt, etc.
However, newer versions of some LaTeX document classes (e.g. scrbook)
have removed support for these commands. This brings back those
commands for documents built with isabelle.sty.
There's a lot of proof text quoted into the source of the bitfield generator
(../seL4/tools/bitfield_gen.py). Optimising that requires even more complex
proof scripts. Instead of quoting them there, this introduces
lib/BitFieldProofsLib.thy which creates Eisbach methods for discharging some
relevant proof obligations. These can be tweaked without adjusting the
bitfield generator.
This approach could be taken a lot further to simplify the bitfield generator
further.
Miki Tanaka
Rafal Kolanski
Alejandro Gomez-Londono
Pang Luo
Joel Beeren
Gerwin Klein
Matthew Brecknell
Gerwin Klein
Alejandro Gomez-Londono
Xin,Gao
Ramana Kumar
Thomas Sewell
Sophie Taylor
Matthew Brecknell
Corey Richardson
Japheth Lim
Daniel Matichuk
Sophie Taylor
Xin Gao