remove valid_arch_mdb_ctes #849
Conversation
lsf37
added
the
arch-split
Actually, it is better to do it the other way around. I haven't applied the changes to RISCV64 here, because that one doesn't work yet, but they are probably much easier to apply after RISCV64 is split than trying to get the split to work on things that are broken because of the changes here. So RISCV64 split without this PR first, then I can adjust this PR, and then everything should be fine. |
Xaphiosis
force-pushed
the
arch-split_arm
branch
2 times, most recently
from
50c3892 to
6de46b6
Compare
Xaphiosis
force-pushed
the
arch-split
branch
3 times, most recently
from
9b1f4c2 to
3a9be00
Compare
| @@ -4876,6 +4786,15 @@ lemma maskedAsFull_revokable_safe_parent: | |||
|
|
|||
| context begin interpretation Arch . (*FIXME: arch-split*) | |||
|
|
|||
| (* FIXME arch-split: generic statement, arch specific proof *) | |||
There was a problem hiding this comment.
ok to leave here, but I should ask whether there's a better place...
There was a problem hiding this comment.
I was going to leave that question for you :-). There probably is eventually, but for now I think leaving it in this theory is good.
There was a problem hiding this comment.
(Will leave this in for later when we get there in the arch split process)
| @@ -1051,6 +1051,17 @@ definition | |||
| where | |||
| "valid_x64_irq_state irqState \<equiv> \<forall>irq > maxIRQ. irqState irq = IRQFree" | |||
|
|
|||
| definition ioport_control_unique_2 :: "(cslot_ptr \<Rightarrow> cap option) \<Rightarrow> bool" where | |||
There was a problem hiding this comment.
might be good to have a comment here about what this means and its intent/use for crossing to Refine
There was a problem hiding this comment.
Also, for my own curiosity since I wasn't a part of this: how did you come up with this as the necessary invariant?
There was a problem hiding this comment.
it's the same invariant as what used to be in Refine minus the bits that are already proved elsewhere in AInvs
|
Looks good. Thank you for doing this! These parts from non-x64 InvariantUpdates_H should be able to go after your changes: and from Invariants_H, the requalify of Also, upstream got RISCV64 as well now. |
|
The conflicts disappear after rebase, so no problem at all. I'll have a look at fixing up the review feedback and RISCV. |
This invariant is currently proved on the Haskell level only. This commit is in preparation of removing the invariant from the Haskell level, crossing it over via assertions. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Introduce the name and assertion "archMDBAssertions" in cteInsert so that specific architectures can make additional MDB assumptions (e.g. IOControlPortCap uniqueness in X64). Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- replace the ioport_control invariant with archMDBAssertions - remove lemmas needed only for the invariant - add corresponding crossing lemmas for caps_of_state based on existing older cte_wp_at lemmas Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Cross over the contents of
valid_arch_mdb_ctesfrom the abstract side after proving the missing bits as invariants.Introduces the assertion
archMDBAssertionsin Haskell, which is defined generically asarch_mdb_assert (ctes_of s).arch_mdb_assertin turn is architecture dependent andTrueanywhere that is not X64.This took quite a bit longer than I had anticipated, and doesn't actually remove that many lines of proof, but it hopefully removes many annoying lines that we would have had to write in the future for arch split to continue. So overall still worth it, I think.
This is on top of PR #847 -- when we start RISCV64 that should probably go on top of this work to avoid duplication.