verification for IOAPIC PR seL4/seL4#896 #753

lsf37 · 2024-05-07T19:35:39Z

seL4/seL4#896 changes IOAPIC-related decoding slightly and requires a few new small invariants on the Haskell level.

corlewis

Looks good to me (assuming that the Word_Lib failure is trivial)!

Did the new invariant in valid_arch_state' really not need any proof updates to show that it's maintained? I'm actually pretty impressed if so, even with it only depending on such specific parts of the state, I would have thought that some of the higher level functions would need at least some manual steps to show it.

proof/crefine/X64/ADT_C.thy

proof/crefine/X64/Interrupt_C.thy

lsf37 · 2024-05-08T11:32:34Z

Looks good to me (assuming that the Word_Lib failure is trivial)!

It should be, I moved the lemma manually without checking dependencies, and that's what I get for my laziness :-)

Did the new invariant in valid_arch_state' really not need any proof updates to show that it's maintained? I'm actually pretty impressed if so, even with it only depending on such specific parts of the state, I would have thought that some of the higher level functions would need at least some manual steps to show it.

I was also pretty impressed. AFAICS it works, because I managed to export the state dependency via abbreviation and therefore the lifting rule for valid_arch_state' still works as before and anything that unfolds valid_arch_state' will simplify out the new parts trivially. It's nice to see those ideas actually fully working every once in a while.

lib/Word_Lib/Word_Lemmas_Internal.thy

proof/crefine/X64/Interrupt_C.thy

spec/cspec/c/gen-config-thy.py

proof/refine/X64/Invariants_H.thy

Xaphiosis

Cool, another long-standing seL4 PR closed.

lsf37 · 2024-05-08T20:01:21Z

The Word_Lib failure has drawn in a whole slate of word lemma movement from CRefine, so it's probably worth looking at this again before I merge.

corlewis

I'm confused by the remaining failures but assuming that it's mostly unrelated then it still looks good to me.

proof/crefine/Move_C.thy

lsf37 · 2024-05-09T00:36:15Z

I'm confused by the remaining failures but assuming that it's mostly unrelated then it still looks good to me.

They were because the seL4 PR was not rebased yet and didn't have some of the hyp related changes that happened in the meantime. I've pushed a rebased version of the PR and restarted the tests.

proof/crefine/lib/Ctac.thy

proof/crefine/X64/Interrupt_C.thy

Xaphiosis

Approved v2, very nice, and I appreciate the emptying of Move_C.
Super minor nitpick:
x64 ainvs+refine: ioapic_nirqs proof updates
but
x64 crefine: ioapic_nirqs updates

Separate IOAPICs can have different max numbers of IRQs. This PR adds the logic of seL4/seL4#896 for that to the specs. Signed-off-by: Gerwin Klein <[email protected]>

Slighly weaken arch_irq_control_inv_valid -- the condition `pin < ioapicIRQLines` was unused and would now require a new state invariant on x64_ioapic_nirqs to prove. Signed-off-by: Gerwin Klein <[email protected]>

Place constraints on the new IOPAPIC state components x64KSNumIOAPICs and x64KSIOAPICnIRQs to support CRefine arithmetic. Signed-off-by: Gerwin Klein <[email protected]>

Signed-off-by: Gerwin Klein <[email protected]>

lsf37 force-pushed the ioapic branch from 7d2cc21 to 3df421e Compare May 7, 2024 19:36

lsf37 self-assigned this May 7, 2024

lsf37 added the seL4-PR requires merging a corresponding seL4 pull request label May 7, 2024

lsf37 marked this pull request as draft May 7, 2024 19:41

lsf37 force-pushed the ioapic branch 3 times, most recently from 0d9a0a2 to ad180ed Compare May 7, 2024 19:55

lsf37 marked this pull request as ready for review May 7, 2024 20:00

lsf37 requested review from corlewis and Xaphiosis May 7, 2024 20:01

corlewis approved these changes May 8, 2024

View reviewed changes

proof/crefine/X64/ADT_C.thy Outdated Show resolved Hide resolved

proof/crefine/X64/Interrupt_C.thy Show resolved Hide resolved