The remaining interesting lemma (which is not proved) is
vs_lookup_non_PageTablePTE which needed two statement adjustments, one
to adjust the ptes_of update (certain that this is correct), and one to
add a new precondition valid_vspace_objs (speculative, but hopefully
enough to solve the lemma).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- use vspace_objs_of instead of aobjs_of where possible to reduce
scope and make lifting rules stronger
- prove remaining lifting rules in ArchKHeap_AI
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- provides case split rules for vspace_objs_of lifting
- proves the provable vspace_objs_of/vspace_obj_pred lifting rules. The
other lifting rules will need rephrasing for AARCH64 since
vspace_objs_of does not cover all arch objects.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This rewrites the extraction function to a simpler form, which is
consistent with how the lemma is written on the other architectures.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
(removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Lemmas not relying on any specifications or more local concepts will be
moved into MonadicRewrite.thy
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
C code changed to drop stage 1 translation from constructing VM fault
messages when in a hypervisor context.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Handle abstract machine ops in large crunch passes.
Clean up some proofs, standardise others, and rearrange into topical
areas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- the lifting rule now needs an additional vcpus_of assumption
- this makes the rule not applicable any more for the proof of other
lifting rules that are for vspace objs only; these will now need
different proofs
- add FIXME suggestion for equivalence of projection and vspace_obj_pred
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a rough pass over all the vcpu|vppi|vgic items found in ARM_HYP
abstract invariants. Broken items and issues tagged with FIXMEs,
lemmas sorried when possible.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Some definitions needed to change to take VCPUs into account, breaking
some lifting lemmas that assumed vspace objects and arch objects were
the same thing. FIXMEs added.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This indicates potential for using `crunches` to shorten many of the
empty_fail, no_fail and no_irq proofs for most machine ops.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The statements of all VSpace-related lemmas are now in as good a state
as we can predict without proving them.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On RISCV64, we had the nice property that pt_walk can only produce
aligned addresses. This alignment is important for further address
computation.
It turns out that the same is true on AARCH64, because the bottom 12
bits of page table addresses are not stored in PTEs. PagePTEs can only
point to normal page tables, so there is not variation in the size of
the alignment.
This commit uses a similar encoding to RISCV64 to achieve this pt_walk
property without using an additional invariant.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
some follow-on effects from the removal of dmo_read_stval_inv which had
become too generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This makes a few lifting rules much simpler and eliminates the need for
lifting completely in some circumstances.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This target was used in the regression test setup before this repo
switched to `run_tests` and has been unused for some time.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Starting point for AArch64 abstract invariant proofs.
In most cases, commented out or sorried what doesn't work. In some
cases, had to tweak definitions to get through. Marked all
problem/failure areas with FIXME AARCH64.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
No modifications made. Use this commit to refer to what initial sorrying
run modified from standard.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This means Isabelle will automatically insert `level_type` when it
finds a term of type `vm_level` but expects one of type `pt_type`.
This only works when the context is unambiguous, but it does make quite
a few terms shorter.
This is input-only, `level_type` will still show up in output.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Replaces bool with a dedicated type for page table types. This should
generalise nicely to more different levels and removes the slightly
confusing occurrence of bool.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This replaces 'a word for indices with machine_word. Since we can't use
a specific word length for a generic table index (because different
tables can have different index types), we don't win much by using 'a
word, but we do lose something: we must instantiate 'a when we use the
term, which means we need to decide at that point which type of table
we are talking about. This forces early case distinctions in proofs.
Using machine_word allows us to delay committing to a particular table
type and instead write a generic condition on the width of the index.
We are using machine_word instead of nat or a different specific word
length, because the index into the table is a slice of either an
obj_ref (in ptes_of) or a vref (when we do page table walks), both of
which are compatible with machine_word.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
With separate pte levels the proofs become simpler and shorter, but
some of the statements longer.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Some properties that crunch can be used for have different legacy naming
schemes. This commit makes it possible for different instances of crunch
to be configured for either prefix or suffix naming.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
It is possible to do this with one line now that crunch does not produce
duplicate attribute warnings.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Several parts of CRefine did not or should not depend on anything
C-related, but the import hierarchy (and theory content) did not reflect
this. Namely:
* Move_C and ArchMove_C were intended to hold items that could be moved
to Refine yet used `kernel_m` locale and imported the C spec.
* IsolatedThreadAction indicates how to rearrange statements in the
design spec and has nothing to do with the C spec or framework.
* Fastpath_C contained the design spec of the fastpath, the design spec
rewrite proofs, and the C refinement. Having to rebuild nearly all of
CRefine to work on rewrite proofs wasted time.
In the new import hierarchy:
* Move_C imports only Refine; ArchMove_C builds on Move_C
* IsolatedThreadAction imports only ArchMove_C
* The fastpath proofs are split into the spec definition (Fastpath_Defs)
and rewrite proofs (Fastpath_Equiv), which don't depend on anything
C-related, with their C refinement remaining in Fastpath_C.
While it is possible to separate out the fastpath definitions and rewire
proofs into a separate image or even move them to Refine, development
experience indicates keeping them alongside their C refinement remains
more convenient for the proof engineer involved.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Put all lemmas for vm_level from the bit1/bit0 classes into one place
so we can later assign these automatically.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Making vs_index_len a sybmolic value instead of a plain number means we
have to unfold config_ARM_PA_SIZE_BITS_40 less often (instead, we need
to consider both cases, which forces us to stay generic).
This also makes sure the type vs_index_len is always distinct from
pt_index_len (even if the sizes are the same), which was only
guaranteed in one of the two configurations before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The previous proof inadvertently relied on the fact that
config_ARM_PA_SIZE_BITS_40 is not configured and solved the lemma
trivially instead of really proving that case.
This is only relevant for the config_ARM_PA_SIZE_BITS_40 configuration,
which is not the current verification target, but it is nicer to stay
generic in config_ARM_PA_SIZE_BITS_40 as far as we can.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This means that the invariants are strong enough to support all of the
basic properties of page table walks and vspace address arithmetic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
In some AArch64 configurations, some slots in the top-level table are
not accessible, because the IPA space size is smaller than the number
of bits the page tables can translate. invalid_mapping_slots indicates
which slots have to remain set to InvalidPTE in those tables.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- update lemma statements to include pspace_distinct where needed,
and adjust for multiple PT sizes.
- update most proofs accordingly, leave the rest sorried.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- introduce max_page_level to express that PagePTEs can only occur
on levels 0-2 (regardless of PA/IPA space size)
- PageTablePTEs must always point to normal tables (can't point back
to the top)
- PageTables at max_pt_level must be VSRootPTs
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a bit more complex than before. The general approach is to do
lemmas per level first, then combine them in the map union of pte_of.
For ptes_of_Some, with pspace_distinct, we get the expected two cases.
Without pspace_distinct we need in the second case a condition that the
first case doesn't apply (they are only mutually exclusive when
pspace_distinct holds).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- void type is not used in AArch64
- remove duplication of level_of_vmsize
- state equivalence lemma
- unified formulation of valid_vspace_obj turned out to be usable so far
- confirmed that no further vmid properties are needed (in addition to
inverse)
- removed alternative version of arch_valid_obj (but remains in history)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since user addresses are intermediate physical addresses in hyp mode,
the concept of canonical_user is different to other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
At this stage ArchInvariants_AI should process cleanly, but is still
missing some interface lemmas for Invariants_AI.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a first draft of what we think needs to change in the
invariants to model AArch64. VCPU-related definitions are still
missing, and further tweaks are likely.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Copied from RISCV64 with minimal search/replace, added FIXMEs.
Should be enough for formulating architecture-specific invariants.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, X64 use that mechanism and the
function is unused. There are some proof about it, but those are unused
as well. This commit removes all of these.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Three main thrusts:
- speed up the `updateMDB_the_lot` chain by using more targeted
proof methods
- drastically reduce goal size by removing unused assumptions when
that becomes possible (this is the largest overall speed win)
- use `subgoal` to unblock interactive proof progress
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Both AInvs and the refinement chain need the generated files necessary
for ASpec and ExecSpec. We could depend on ASpec directly, but that
would mess with Isabelle being able to schedule sessions as it wants
them.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add a bundle for global word simp set changes -- unfortunately we
can't actually do this globally, because they are mostly simp rule
removals which will be overwritten by theory merges. So this new
l4v_word_lib bundle will have to be activated/unbundled multiple times.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Gerwin Klein
Corey Lewis
Ryan Barry
Rafal Kolanski
Corey Lewis
Michael McInerney