AArch64 fastpath proofs #739
Merged
Commits on Mar 25, 2024
-
lib: generic monadic_rewrite_state_assert/stateAssert
These rules completely discarded the assertion and directly linked the assertion with the precondition. The general form allows assuming the assertion in subsequent statements under the assumption on non-failure. Signed-off-by: Rafal Kolanski <[email protected]>
-
crefine: update for monadic_rewrite_stateAssert
Signed-off-by: Rafal Kolanski <[email protected]>
-
haskell+design: add fastpathKernelAssertions
Add fastpathKernelAssertions to start of callKernel. Fastpath rewrite proofs don't get the state relation, so can't cross properties over from the abstract invariants. We also can't rely on asserts on the fast path side, since any failure in the rewrite must be correlated with failure in the original, and the locations and conditions of those failures can be quite distant. Signed-off-by: Rafal Kolanski <[email protected]>
-
refine+crefine: define and handle fastpathKernelAssertions
Currently, this is only interesting on AARCH64 where we need no_fail preconditions for looking up an ASID map entry. Signed-off-by: Rafal Kolanski <[email protected]>
-
aarch64 crefine: fastpath specs for call and replyrecv
Update the existing fastpath function "design" specs with AArch64-specific functionality: * looking up the VMID / hardware asid is more complex, going via the ASID map, with additional checks necessary * redundant check for ReplyMaster no longer happens These specs will be shown to be equivalent to the slow path (callKernel) and fastpath C code. Signed-off-by: Rafal Kolanski <[email protected]>
-
aarch64 crefine: prove fastpath equivalent to slow path
Plus cleanup and commentary. Signed-off-by: Rafal Kolanski <[email protected]>
-
aarch64 crefine: prove fastpath equivalent to C fastpath
Shows fastpath spec refines down to C for Call and ReplyRecv. Includes much effort to document what is happening in the main proofs, updates for AArch64-specific and 64-bit-specific mechanisms and bitfields. Signed-off-by: Rafal Kolanski <[email protected]>
-
proof: remove AArch64 quick_and_dirty CRefine
CRefine on AARCH64 is now sorry-free, and there are no other sorried developments at this time. Signed-off-by: Rafal Kolanski <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.