The PR seL4/seL4#473 removes Arch_finaliseInterrupt; this commit
updates the C proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This fixes up some atrocious indentation and removes some warnings for
duplicate rules etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Some of the assumptions in Machine_C were about C functions that do not
exist (any more, presumably after some change in C). This means these
names were free variables and the rules could in theory be applied to
any function, potentially causing unsoundness. Luckily, we were
disciplined enough in the proofs not to have done that. The proofs with
the names fixed go through unchanged.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit updates the proofs for seL4/seL4#485, which fixes
the security and correctness bug seL4/seL4#481. The bug was that
caches are not sufficiently flushed in retype for frames that can
be mapped uncached later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- in VSpace_R
- the same method added to each arch; would be good to unify via
arch split in the future
- also includes some style cleanup
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
- this introduces idle_tcb' which is defined directly using tcb fields
- backport from MCS ARM Refine
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
- this introduces idle_tcb' which is defined directly using tcb fields
- backport from MCS ARM Refine
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
Importing Init_R into ADT_H was causing EmptyFail_H to fail. Since
no other theories actually depend on Init_R we can instead include
it in the Refine session directly.
Signed-off-by: Mitchell Buckley <mitchell.alan.buckley@gmail.com>
Describe an extremely simple abstract kernel state, and Haskell state
that obey the state relation. These states are `zeroed` in the sense
that they have empty heaps, and default values of 0, False, None, []
and similar in all fields.
These states do not satisfy invs or invs', and this is not as strong
a result as showing that kernel initial states satisfy the state
relation, but it is a good sanity check on the relation itself.
Signed-off-by: Mitchell Buckley <mitchell.buckley@data61.csiro.au>
This verifies a C kernel patch (seL4/seL4#409) which consolidates
translation between virtual and physical addresses, and makes it
consistent across architectures. In particular, we always use
`addrFromKPPtr`, even on architectures that don't use a distinct region
to map the kernel ELF. This will facilitate future improvements which
move the ELF mapping into a distinct virtual address region.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Ideally all corres lemmas of the form
`corres rrel P P' my_abstract_function myHaskellFunction`
should be named `myHaskellFunction_corres`.
This commit renames over 200 lemmas to match this style.
Signed-off-by: Mitchell Buckley <mitchell.alan.buckley@gmail.com>
Co-authored-by: Victor Phan <Victor.Phan@data61.csiro.au>
A previous update to C code added a disjunct to an `if` condition
outside the existing `unlikely` branch hint. This commit is the proof
update for a C patch that extends the branch hint to the full `if`
condition.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
* Add comments into proof.
* Unwind some automation to clarify how each subgoal is resolved.
* Remove some "in monad" lemmas about `preemption_point`.
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
`register_t` only needs to be able to index into the TCB user context
array, which has 35 entries on RISC-V. Therefore `uint8_t` is
sufficient.
Using the smallest possible type for `register_t` helps with binary
verification. This shrinks static read-only data, which in turn reduces
the complexity of binary verification proof search.
This commit verifies the corresponding C kernel patch.
Co-authored-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
Signed-off-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Progress towards verification of new and more efficient implementations
of library functions to count leading and trailing zeros.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The binary verification tools perform inlining of C specifications, to
simulate inlining that has been performed in the binary. This means that
`DONT_TRANSLATE` and `inline` are incompatible, since the binary
verification tools require C specifications for any functions that have
been inlined in the binary.
This `DONT_TRANSLATE` annotation was added with a `MODIFIES` annotation
for the proof of `resetUntypedCap_ccorres`. That proof has been reworked
so that it no longer requires the `MODIFIES` annotation in the C.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
When exception-aware lifting was enabled in `csymbr`, a small number of
existing proofs were broken. The `csymbr_legacy` method was added to
preserve the old behaviour of `csymbr` for those proofs.
This commit updates those proofs to use the new `csymbr` behaviour.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The previous implementation of `cinit` discarded C preconditions used
for variable lifting. This is usually appropriate for local variables
and function arguments. However, when using the new `cinit` to lift
global variables, the respective preconditions sometimes need to be kept
for the last subgoal.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The new variable lifting behaviour that was recently added to the
`cinit`, `clift` and `ctac` commands is now also added to `csymbr`.
This means `csymbr` variable lifting is now sensitive to exceptional
control flow.
Since this breaks some existing proofs, we add a new `csymbr_legacy`
command with the old behaviour, and use it where necessary.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`cinit` and related methods are able to automatically abstract accesses
of Simpl state variables to Isabelle variables, provided they can prove
that the Simpl variable has not been modified up to the point it is
accessed. However, previously, the automation was unaware of exceptional
control flow. This limits the effectiveness of variable lifting in
situations like the following:
    // `var` has not yet been modified.
    if (condition) {
        var = new_value;
        // Here, `var` has been modified.
        return;
    }
    // Has `var` been modified before the following access?
    do_something(var);
Prior to this commit, the answer would be "yes": `cinit` would conclude
that `var` has been modified prior to the access for `do_something`, so
the variable access would not be abstracted.
With this commit, the answer is "no": `cinit` recognises the `return` in
the `if` block, and can abstract the variable access for `do_something`.
The new automation is enabled for `cinit`, `clift` and `ctac`. It is
currently disabled for `csymbr`, since the new behaviour breaks some
existing proofs.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The `cinit` and `clift` methods already provided a way to abstract
accesses to specified local variables to Isabelle variables that do not
depend on the state, provided that the procedure does not write to those
variables. The proof methods included automation of proofs that the
values of variables being abstracted remain constant throughout the
procedure.
This commit adds support for abstracting accesses to *global* variables.
The additional challenge here is that calls to other procedures might
modify global variables. We use the `modifies` facts produced by the C
parser to determine (and prove) when variables of interest are preserved
across procedure calls.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
* ainvs: reduce Finalise interface
The lemma finalise_cap_replaceable is only used in arch proofs,
so it doesn't need to be in the interface locale to generic proofs.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The seL4 commit factors out special treatment of specific VCPU
registers, and this commit updates the ARM_HYP proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
seL4 commit c381c7e14c changes cache flushing behaviour for the
verified ARM_HYP configuration. This commit adjusts accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The links to nicta.com.au have stopped working, so the publication links
now point to the TS publication pages.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This brings the naming convention closer to the other architectures,
closer to the Haskell, and closer to the constant renames that happened
in C. It is, however, quite an invasive change.
kernelBase_addr -> pptrBase
kernelBase -> pptrBase
physMappingOffset -> ptrBaseOffset
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Remove resolve_address_bits'.simps from the simp set at the definition
site, instead of in the middle of the proofs.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Make these a separate target so that other sessions that depend on
ASpec can kick off generation of these files (necessary because some
are mentioned in spec/ROOT, and the session structure will fail if they
don't exist).
This is only relevant in a fresh check-out when you've never built
ASpec, but in test environments this can happen if only specific
sessions are tested.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
SimplExportAndRefine is now split into two steps;
AutoCorresTest moved to its own directory.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
- preemption in C is not associated to an irq
- updating aspec to reflect this so that we can have irq-independent
preemptions (needed in MCS)
- proof fix for the above: remove intr
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
The github CI runners are low on memory and might just get
through with a bit more time for ARM_HYP.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This allows SimplExportAndRefine to handle some new heap update patterns
arising in MCS.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`init_freemem` isn't verified (and therefore is low-priority for
translation validation). It also takes several hours to show refinement,
much longer than any other function. Until we need to validate it, we
should skip it to improve regression times.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Also cleans up some of the debug config setup and makes result reporting
more useful.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
We believe this commit fixes the issue described in the previous commit.
It also reverts that commit, since the proofs that the C state relation
is empty no longer work.
As the previous commit demonstrated, it is important to demonstrate the
non-triviality of properties. In this case, we should exhibit a witness
of the non-emptiness of the C state relation. We have not yet done that.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
As currently defined, the C state relation is empty, and consequently,
`ccorres` is trivially true for any pair of functions. This means that,
in a very technical sense, our C refinement proofs are meaningless.
The state relation is empty because several conjuncts in
`cstate_relation` form a contradiction:
- Two conjuncts claim that `intStateIRQNode_array_Ptr` points to a heap
object within the set of addresses `kernel_data_refs`.
- Another implies that all heap objects are within `domain`.
- Another claims that `kernel_data_refs = -domain`, forming the
contradiction.
This commit proves the contradiction, and also proves that `ccorres` is
trivially true for any pair of functions.
Fortunately, we never made any essential use of this contradiction, and
so the issue can be fixed fairly easily. The issue seems to have arisen
out of a conflation of two different concepts:
- `kernel_data_refs` is introduced in the intermediate specification,
and is intended to be the set of addresses containing global heap
objects that are not covered by capabilities.
- `domain` was introduced for binary verification, and was intended to
be the set of all addresses that may be used for heap objects.
The easiest fix seems to be to expand the meaning of `kernel_data_refs`
to include all addresses that are not covered by capabilities. If we
assert that `kernel_data_refs = -domain`, then this does not allow for
heap objects that are not covered by capabilities. If instead, we make a
weaker assertion that `-domain <= kernel_data_refs`, we can have heap
objects that are not covered by capabilities, such as the one pointed to
by `intStateIRQNode_array_Ptr`.
This fix will be performed in a subsequent commit.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
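The contradiction described in this commit message, restated as an added Lean 4 example (this is not code from the l4v repository and is not `cstate_relation` itself: the address type, the two predicates standing in for `kernel_data_refs` and `domain`, and the pointer name are assumptions of the toy model, and only the three conjuncts listed above are modelled). The first theorem shows the three conjuncts refute each other; the second shows that with the weakened conjunct `-domain <= kernel_data_refs` the same facts are jointly satisfiable, so the state relation is no longer forced to be empty by this argument alone.

```lean
-- Added illustration, not part of the l4v proofs. Addresses, the predicates
-- `kernel_data_refs` and `domain`, and `irqNodePtr` are stand-ins for the
-- Isabelle definitions; only the three conjuncts from the commit message
-- are modelled.
section CStateRelationModel

variable {Addr : Type}

/-- Conjunct (a): the object behind `intStateIRQNode_array_Ptr` lies in
`kernel_data_refs`. Conjunct (b): every heap object lies in `domain`.
Conjunct (c): `kernel_data_refs = -domain`. Together they prove `False`,
which is exactly why the relation built from them is empty. -/
theorem old_cstate_relation_is_empty
    (kernel_data_refs domain : Addr → Prop) (irqNodePtr : Addr)
    (hA : kernel_data_refs irqNodePtr)
    (hB : domain irqNodePtr)
    (hC : ∀ a, kernel_data_refs a ↔ ¬ domain a) : False :=
  (hC irqNodePtr).mp hA hB

/-- With (c) weakened to `-domain ⊆ kernel_data_refs`, the same three
facts are satisfiable: one witness is to let both predicates hold on
every address, so the IRQ node object may be both in `domain` and in
`kernel_data_refs`. This only shows the toy conjuncts are consistent; it
is not the non-emptiness witness for the real C state relation. -/
theorem weakened_conjunct_is_satisfiable (irqNodePtr : Addr) :
    ∃ (kernel_data_refs domain : Addr → Prop),
      kernel_data_refs irqNodePtr ∧ domain irqNodePtr ∧
      (∀ a, ¬ domain a → kernel_data_refs a) :=
  ⟨fun _ => True, fun _ => True, trivial, trivial, fun _ _ => trivial⟩

end CStateRelationModel
```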
The reason `CKernel` depends on `design-spec` is quite obscure, so we
add a comment to relevant `Makefile`s to help us avoid wasting time
trying to remove the dependency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
A new version of `arch_init_freemem` for RISC-V introduces some heap
access patterns which are not well supported by SimplExportAndRefine.
`arch_init_freemem` is already ignored by `graph-refine`, because it is
inlined into `init_freemem`, which contains complex loops. Therefore, we
don't lose anything by ignoring it in SimplExportAndRefine. Although the
problem only manifests on RISC-V, we ignore it on all platforms.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
We already have find_goal, but the interface is a bit too unwieldy to
casually use frequently. This commit introduces (or moves from RISCV)
two methods on top of find_goal:
- `in_case x`: asserts the goal has an assumption `?t = x`
- `find_case x`: finds a goal such that `in_case x`
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This makes sure Isabelle doesn't complain about a missing dependency in
the ROOT file when ARM_HYP is selected. The complaint only shows up in
jedit, and doesn't stop anything, but it's still nicer without.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The new kernelExitAssertions need to be threaded through the fastpath
and integrated in the right place in the theorems about callKernel.
In InfoFlowC we have yet another refinement framework, and we're taking apart
callKernel to isolate the `schedule` call which is significant in the
infoflow proof and needs the new assertion inserted as well. After some force
applied, this does work as well.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This dependency made sense on smaller test rigs in the past to avoid building
CRefine when AInvs fails, but removing the dependency opens a faster path
from scratch to CRefine for checking seL4 C code changes.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The definition of objBits is in Haskell, so has to use pteBits instead of
pte_bits (not in scope).
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Completed decodeRISCVFrameInvocation_ccorres, synced with C changes and
cleaned up a little.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
This was incorrect, but unused in the proofs. Once used, the numbers
turned out to be unrelated to the C.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Since on RISCV64 we do not have restrictions on arch objects in
valid_obj', for the state relation to form a function from abstract to
concrete, we need to restrict the domains of the abstract asid pools.
Further we also need to ensure ASID 0 is not used in any of them, as
that is a sentinel value for "no ASID".
This is analogous to the restriction placed by valid_obj' on ASIDs on
X64, except occurring in the state relation rather than an invariant.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
No examination of failing proofs this time. All CRefine files are now
present and accounted for.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Broken bits blindly sorried or commented out with FIXME RISCV.
carch_state_to_H is currently wrong as valid_arch_state' is
insufficient to accurately describe global page tables.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>