Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove valid_arch_mdb_ctes #849

Open
wants to merge 3 commits into
base: arch-split_arm
Choose a base branch
from
Open

remove valid_arch_mdb_ctes #849

wants to merge 3 commits into from

Conversation

lsf37
Copy link
Member

@lsf37 lsf37 commented Jan 31, 2025

Cross over the contents of valid_arch_mdb_ctes from the abstract side after proving the missing bits as invariants.

Introduces the assertion archMDBAssertions in Haskell, which is defined generically as arch_mdb_assert (ctes_of s). arch_mdb_assert in turn is architecture dependent and True anywhere that is not X64.

This took quite a bit longer than I had anticipated, and doesn't actually remove that many lines of proof, but it hopefully removes many annoying lines that we would have had to write in the future for arch split to continue. So overall still worth it, I think.

This is on top of PR #847 -- when we start RISCV64 that should probably go on top of this work to avoid duplication.

lsf37 added 3 commits January 30, 2025 10:07
@lsf37
x64 ainvs: prove uniqueness of IOPortControlCaps
24000f9 
This invariant is currently proved on the Haskell level only. This
commit is in preparation of removing the invariant from the Haskell
level, crossing it over via assertions.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
@lsf37
haskell+design: archMDBAssertions in cteInsert
1c5ebd9 
Introduce the name and assertion "archMDBAssertions" in cteInsert so
that specific architectures can make additional MDB assumptions (e.g.
IOControlPortCap uniqueness in X64).

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
@lsf37
refine+crefine: remove valid_arch_mdb_ctes
708927e 
- replace the ioport_control invariant with archMDBAssertions
- remove lemmas needed only for the invariant
- add corresponding crossing lemmas for caps_of_state based on existing
  older cte_wp_at lemmas

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
@lsf37 lsf37 requested a review from Xaphiosis January 31, 2025 02:19
@lsf37 lsf37 added the arch-split splitting proofs into generic and architecture dependent label Jan 31, 2025
@lsf37
Copy link
Member Author

lsf37 commented Jan 31, 2025

This is on top of PR #847 -- when we start RISCV64 that should probably go on top of this work to avoid duplication.

Actually, it is better to do it the other way around. I haven't applied the changes to RISCV64 here, because that one doesn't work yet, but they are probably much easier to apply after RISCV64 is split than trying to get the split to work on things that are broken because of the changes here. So RISCV64 split without this PR first, then I can adjust this PR, and then everything should be fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Xaphiosis Xaphiosis Awaiting requested review from Xaphiosis

Assignees
No one assigned
Labels
arch-split splitting proofs into generic and architecture dependent
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lsf37