No real content changes; remove unused armParityEnabled and rename
`isToplevel` to `isVSpace` for consistency with the rest.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes decode, perform, and the functions called by them.
Removes the now unused RISCV sfence machine op.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Also removes the now unused function `checkSlot`.
With this, all of decode/perform ARMPageInvocation is validated.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
synced checks, order, and errors with C and factored out
`checkVSpaceRoot` which is used in a few other invocations. Some of the
`let`s here are not necessary, but inserted anyway to match up names
with the C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Now that the C code is available, we can settle the PTE encoding for
the spec. Notable differences to RISCV64 are:
- the base address uses field-high and doesn't need shifting
- leads to simpler/more direct address access
- PTEs use different attributes
- uses a flag for 4k pages which have a different hardware encoding
- page table PTEs have no rights/attributes
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The top-level object type is called `VSpaceObject` in C, so we use the
same name here. The top-level cap is `VSpaceCap` in C, but since we
want to keep it as a flag in the PT Cap in the specs, we call the flag
`capPTisVSpace` for consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes the type-checking fallout from those two main additions,
but no real further validation yet downstream from Structures.thy.
PageTable objects now have an inner object that contains either a
normal page table or a page table with the potentially different size
for top-level VSpace roots.
In ArchVSpaceAcc, the follow-on effects include making pte operations
figure out what kind of object is is by first checking for the
potentially smaller-sized object, and if that does not exist, trying
the larger-sized object (which has a different base address). When
pspace_distinct and pspace_aligned invariants hold, this should model
the behaviour of Haskell/C precisely.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is mostly verbatim copy/paste from RISCV64 to get started. Needs
update and validation everywhere, but type checks for now.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Allows building ExecSpec, but is almost certainly wrong due to not
taking top-level pages into account.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Enables generation of boolean config keys. Since C for these often
equates absence with `false`, but Isabelle won't be able to deal with
the absence of the config name, we need to manually indicate which ones
we want. For now, we generate `false` for absence for all boolean keys
that have a custom Isabelle name.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use RISCV64 design spec skeletons to start work on AARCH64 ExecSpec.
Only minimal RISCV64 to AARCH64 substitution done, with big FIXMEs
stuck on top to remind people this got no human oversight.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Note: left FIXMEs in InvocationLabels where we currently diverge from C,
and the missing SMMU invocations at this time.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Directly switches to global empty VSpace instead of doing the cap
checks in setVMRoot which we know will fail.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This adds armContextSwitch and setGlobalUserVSpace, the latter a
shorthand for setting the empty VSpace, to be re-used in
switchToIdleThread.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Validate decodeARMASIDPoolInvocation. Main change to RISCV64 is that
VTableRoot caps can now be distinguished and checked-for.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Validated against C. We seem to be doing some unnecessary calculations
in ARM_HYP there, which are left out here (Haskell now is closer to C).
As follow-on, validated and tweaked decodeARMVSpaceRootInvocation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
No plans to resurrect Haskell simulation any more, so the comments are
mostly going to be confusing to people who come at this fresh.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The C code has an unnecessary name indirection via isValidNativeRoot
here, which I replicated to make more obvious what maps to what.
Eventually this should disappear.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a bit speculative since the C is not there yet, but I think
it's a good candidate, esp turning the VMPageSize parameters into Int,
because that will save the C from converting it back and forth.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Uses lookupFrame which still needs to be filled in. We already have
a form of that in the formalisation, and can maybe reuse some of that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This adds first AArch64-specific flushing. More to come when we add
the explicit flush API.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This refactors getASIDPoolEntry to extract code that is shared between
lookup and update, and should make conversion to reader monad later
easier.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We are on an Arm board, where <= maxIRQ implies != irqInvalid, so use
original ARM version.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This adjusts ptBitsLeft and ptIndex to properly take into account
the potentially different-sized top-level table. This is all that is
needed for the rest of the lookup code to be correct.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a sketch of what I think the API will look like after C code
changes. In particular, this adds a VSpaceRoot API object type
that stands for a top-level page table. The name may change, but a
different API object type for the different page size will probably
stay.
Different top-level table size only applies in some configurations. The
spec attempts to model both cases by making ptBits and
ptTranslationBits dependent on whether it is a top-level table or not.
The rest follows from that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Validated constants defined in Structures/AARCH64.lhs
PT caps now include a flag whether they are for a top-level table or
not. This could later be generalised to a level, but that's likely not
necessary for AArch64.
Amazingly, only the creation of new PT caps was affected by this
change. That creation will need user-level input which size of table to
create (to be added later).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Previously renamed invocation labels, as well as decodeARMMMUInvocation
and performARMMMUInvocation.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Largely adapted from ARM_HYP, modified and checked against C code.
Remaining known issues marked with FIXMEs.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Model AARCH64-specific global kernel data, which means:
- adjust vspace region mapping names
- remove global page tables, including accesses (copyGlobalMappings)
- add pointer to empty user page table
This commit does not yet include VCPU and SMMU.
As on 32-bit ARM_HYP, global page tables exist on AARCH64, but are not
accessed by any code after boot, so are not visible in verified code
apart from defining the (constant) kernel window and kernel mappings
during execution. User code without a valid VSpace root is assigned a
pointer to an empty table.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Set the naming convention for global state components to armKS..
This overlaps with ARM and ARM_HYP, but so do the concepts as well
as the C convention.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit adds hardware ASID handling from ARM/ARM_HYP, and tweaks it
to use local ASID pool entries for hardware ASIDs instead of a global
ASID map.
Naming here is unfortunate in multiple dimensions:
- C calls the entries asid_map (from the global function in Haskell)
- what is actually mapped is a seL4 ASID to a HW ASID + VSpace root,
but only via multiple functions, the type is not a map
- the HW ASIDS are not actual ASIDs, but instead VMIDs in AArch64 EL-2
To be cleaned up when nomenclature is clearer in C.
Validation against C is minimal at the moment; only the types are
validated to correspond with C, and which functions are present, but
not their full behaviour/structure yet.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, X64 use that mechanism and the
function is unused. There are some proof about it, but those are unused
as well. This commit removes all of these.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Adds FPU state to UserContext, uses 64 general-purpose registers as seen
on TX2.
Abstracts FPU operations to fpuThreadDelete required for thread
deletion, thereby not including intricacies of lazy FPU switching.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Use RISCV64 version of Haskell spec as a basis for upcoming work on
spec for AARCH64 architecture.
Only minimal RISCV64 to AARCH64 substitution done to yield a compiling
target, with a big FIXME stuck on top to remind people this got no human
oversight.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
globally (for all arches) removes word simp rules that are too eager
for 64 bit bitfield proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The benefit of the wpx method is not worth the maintenance effort.
There are still a few instances of wpx left in AInvs, which will have
to be fixed later.
We are keeping the wps method from the same file (WPEx.thy), because
that is used more widely and does not break with Isabelle2021-1
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The rule for kernel.sigs previously depended on building standalone C
parsers and tokenizers for all architectures. With this change, we only
build the standalone C parser for the current architecture.
We also explicitly pass a --cpp argument based on the TOOLPREFIX.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
Some development environments set an environment variable OBJDUMP by
default. With the previous version of kernel.mk, decompilation used the
objdump indicated by that OBJDUMP variable. This could cause
decompilation to fail if OBJDUMP did not match the TOOLPREFIX used for
compilation.
Since we don't currently have a need to specify a different objdump, we
remove the ability to override via the OBJDUMP environment variable.
With this commit, we always use TOOLPREFIX to locate a suitable objdump.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
An invocation to bind a thread to a VCPU will perform associate_vcpu_tcb.
Previously, vcpu_switch was called only on a context switch, and so
it was possible to bind the current thread to a VCPU and then not switch
to that VCPU. This change will allow us to prove that the current active
VCPU is the VCPU of the current thread.
Signed-off-by: Michael McInerney <m.mcinerney@unsw.edu.au>
Since `numDomains` exists both in Kernel_Config in C, and we want to
force people to annotate the C version as `Kernel_C.numDomains`, we hide
it right after the C is parsed.
Some of the comments about hiding/reintroducing vmsize constants became
a bit broken/absent around X64, and adding the above made things extra
confusing. Put back the ARM/ARM_HYP comments to clear up what's going
on, and tweaked a little.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This change eases any future platform ports by better matching the C
code that it models and by making it so that there is one less constant
that needs modification.
Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
This commit adds compiler prefixes for AArch64 so that the preprocess
test finds the right cross compilers for this architecture.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This script takes the gen_config.h file CMake produces for each kernel
configuration, parses it, and emits corresponding Isabelle definitions
into Kernel_Config.thy in spec/machine/$L4V_ARCH/
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Introduce Kernel_Config theory for storage of non-architecture-specific
seL4 configuration variables that are shared by the abstract and design
specs.
Remove `num_domains`, in lieu of `numDomains` that is now defined only
in `Kernel_Config.thy`. The definition is hidden and must be referred to
as Kernel_Config.numDomains_def when avoiding unfolding is not possible.
Include required properties of `numDomains` as lemmas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The new docker containers that upgraded to gcc-10 use a different
version of the gcc Arm toolchain (`arm-linux-gnueabi`).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
In the rest of the proofs we use machine_word to refer to addresses.
This commit brings the machine definitions in line with that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
When there is no Haskell stack cache yet and all dependencies are
compiled from source, 30min CPU time is tight. Bumping it to 45min
should reduce failures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This mostly refactors ML code to avoid non-exhaustive matches, restore
the (op infix) syntax that got lost in a previous Isabelle update, and
removes some unused functions/parameters.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The seL4 commit factors out special treatment of specific VCPU
registers, and this commit updates the ARM_HYP proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Platform constants were previously not translated. When they were moved
to translated code, some constructor issues came up.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
The names for `kernelBase` and `physBase` are renamed to `pptrBase` and
`paddrBase` respectively to be more consistent with the C (and the
previous commit).
Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
This update reflects a set of changes made to the seL4 kernel some time
ago that consolidates the definitions for physical to virtual
translation.
Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
Remove resolve_address_bits'.simps from the simp set at the definition
site, instead of in the middle of the proofs.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Make these a separate target so that other sessions that depend on
ASpec can kick off generation of these files (necessary because some
are mentioned in spec/ROOT, and the session structure will fail if they
don't exist).
This is only relevant in a fresh check-out when you've never built
ASpec, but in test environments this can happen if only specific
sessions are tested.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 doesn't allow sharing session directories between the document
session and non-document session. Instead of duplicating things, this commit
pulls the document build back into the ASpec session, but changes the build
such that the git revision is read directly from LaTeX, removing the
superfluous re-build for every git revision change (even when no relevant spec
file changed).
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare it own set of directories that
may not overlap with other session's directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
- preemption in C is not associated to an irq
- updating aspec to reflect this so that we can have irq-independent
preemptions (needed in MCS)
- proof fix for the above: remove intr
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
The reason `CKernel` depends on `design-spec` is quite obscure, so we
add a comment to relevant `Makefile`s to help us avoid wasting time
trying to remove the dependency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
I previously updated the `#!` in `mk_umm_types.py` to use `python3`, but
forgot to remove the explicit `python` call from `kernel.mk`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The RISCV implementation of invokeIRQHandler calls plic_complete_claim
instead of maskInterrupt. plicCompleteClaim is added as a machine op
and invokeIRQHandler has been arch split for the ACKIrq case.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
The proof needs to know that there is a page table at the entry
point in the induction for lookupPTSlot. Moving the assertion just
before the recursive call establishes this directly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The RISC-V ISA spec does not allow PagePTEs with 000 for rwx rights,
because 000 is used to identify PageTablePTEs. Instead we write
InvalidPTEs, which has the same effect for the user.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The assertion is provable from the abstract invariants, and used in
CRefine to conclude that the test wether the vspace root cap is mapped
can be left out.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
`tcbBlockSizeBits` was previously defined to be `wordSizeCase 9 11`
universally, but this claim does not hold anymore since it takes the
value 10 on RISCV64. Therefore an arch split for `tcbBlockSizeBits` and
affected definitions are made. The constant and its definition needs to
be requalified so that proofs in Refine can access it through the
constant objBits_defs.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
Update specs and proofs for ARM platforms to contain TPIDRURO in the
TCB user context rather than treating it as a VCPU register, following
change in C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
This was used to make sure the LaTeX document from literate Haskell builds.
Since this document is retired, we don't need the check any more.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
We keep on forgetting what the parameters to loadObject and storeObject
mean, and why we have pspace_storable in the first place. Hopefully
these comments mean having to re-remember fewer things.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
This allows some git operations (e.g. fetch) without requiring a
c-kernel rebuild.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Previously, we would rebuild the kernel if any file in the `seL4`
repository changed since previous `cmake` setup. Since the kernel build
after the `cmake` setup generates `__pycache__` directories in the
`seL4` tree, this would cause some unnecessary rebuilds.
This commit explicitly excludes `__pycache__` directories from the set
of files considered to be dependencies of the kernel build.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This effectively reverts commit 2fec23d646, which was a previous attempt
at fixing a race condition in the design spec generation, which turned
out to be ineffective. Since the `design-spec` test had the same effect
as the `haskell-translator` test on which it depended, it was redundant,
and can be removed.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Previously the Makefile rule for generating the design spec depended on
all Haskell source files in `spec/haskell`. This unintentionally
included files generated by the Haskell kernel build in
`spec/haskell/dist`. This meant that for `run_tests` builds in which the
Haskell kernel test completes *after* the initial generation of the
design spec, subsequent Makefile jobs which depend on the design spec
could cause re-runs of the design spec. Furthermore, if `run_tests` runs
several such jobs concurrently, race conditions in concurrent runs of
the design spec could cause errors.
Since the design spec does not make use of the generated Haskell source
in `spec/haskell/dist`, this commit restricts the design spec
dependencies to Haskell source files in `spec/haskell/src`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Python 2 has passed its sunset date, and many distributions are
withdrawing support for Python 2.
PEP 394 recommends distributions always install versioned interpreter
commands (e.g. `python3`), but does not make a recommendation about
whether or not an unversioned command (`python`) should exist, or what
version it should run.
It therefore seems advisable to explicitly run scripts using the
`python3` command, for scripts that are compatible with Python 3.
Here, we do this for Python scripts used by `run_tests`. For this to
work, some scripts have been updated in ways that will break Python 2
compatibility. But for some other scripts which were already compatible
with both Python 2 and 3, we have not yet removed Python 2
compatibility. There are also miscellaneous scripts that are not used by
`run_tests`, and these have not yet been updated to Python 3.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
- Increase IRQ word size from 3 to 6 to match IRQ_CNODE_SLOT_BITS in
sel4 config.
- Bump maxIRQ up to 54.
- Fix broken inequality proof by changing constant that depended on IRQ
word size.
- Add Makefile targets for building ELF binaries and various dumps that
are used in binary verification.
- Add support for extra CMake command-line arguments. For binary
verification, this is used to set the optimisation level for the ELF
targets.
- Add support for the Debian RISC-V toolchain packages, without breaking
existing users with a manually built RISC-V toolchain.
- Move reusable parts of the C kernel Makefile out to a separate include
file, with support for configuring the build directory. For binary
verification, this is used to allow multiple builds at different
optimisation levels.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
We listed the invocation labels 3 times -- this commit removes the duplication
and instead derives the enum from the order the constructors are listed in.
`ASpec`, `ExecSpec`, and `DSpec` were identical tests which built the
`design-spec` make target. This means that when `./run_tests` runs tests
concurrently, multiple instances of the `design-spec` make target were
also run concurrently.
We address the issue by making a new "test" called `design-spec` which
builds the `design-spec` make target, and making `{A,Exec,D}Spec`
dependees on `design-spec`.
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
- Add HiFive.hs to replace Spike.hs, it's the same except for kdevBase
addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform, may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
These functions were originally doing throwError IllegalOperation or
returnOk (). Now they have been reimplemented to match the CSpec.
In arch_check_irq, an error is thrown if IRQ is greater than maxIRQ or
is equal to irqInvalid. The error that gets returned to the user however
is a RangeError from 1 to maxIRQ.
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162
global_pt needs addrFromKPPtr, because it is an address that lives in the
kernel image, other pt's need addrFromPPtr because they are standard
kernel-virtual addresses.
Gerwin Klein
Rafal Kolanski
Matthew Brecknell
Michael McInerney
Corey Lewis
Ryan Barry
Gerwin Klein
Florian Haftmann
Matthew Brecknell
Gerwin Klein
Rafal Kolanski
Curtis Millar
Corey Lewis
Miki Tanaka
Victor Phan
Edward Pierzchalski
Zoltan Kocsis