make proofs generic in cacheLineBits #814
Conversation
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use generated CONFIG_L1_CACHE_LINE_SIZE_BITS as source of truth for the value of cacheLineBits The requirements for cacheLineBits are numeric: we need more than 1 and less than or equal to ptBits, which is only available as a constant after ExecSpec. 1 is excluded, because we want to be able to fold the value of cacheLineBits inside C cache operations, and 1 is mentioned as index increment. No other numerals conflict in these functions. The only observed values for cacheLineBits are 5 and 6 on Arm, but there is no need to be more restrictive than cacheLineBits_sanity. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
None of the unfoldings of cacheLineBits turn out to be necessary. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
addrFromPPtr_mask and ptrFromPAddr_mask are only needed for masking with cacheLineBits in CRefine. Move to CRefine where the rest of the cacheLineBits infrastructure is. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On AArch64 we have so far only seen cacheLineBits = 6 in the kernel. To be future-proof, bring AArch64 proofs into line with AArch32 anyway, rename cacheLineSize to cacheLineBits to stay consistent, and make proof generic in cacheLineBits. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
| apply (simp flip: mask_eqs(7)) | ||
| done | ||
|
|
||
| (* ------------ *) |
There was a problem hiding this comment.
Not a fan of this. It's not clear what it's for. Is it the end of the cache line bits, the end of the informal abstraction interface, or what.
There was a problem hiding this comment.
You're right, what we usually do is error "..." -- I'll use that here as well.
There was a problem hiding this comment.
Er, what? Why not remove it like it was previously and have two new lines to the next "section"? I don't think I know what error means in this context.
There was a problem hiding this comment.
Sorry, my comment somehow went into the wrong box, it was supposed to be an answer to the next one down (the "Overwritten in Isabelle" bit).
For this one, the problem was that the entire configuration section has no end, it just keeps going into abbreviations for notifications etc, which is weird. You're right that the divider is not great either. I guess the proper way to do this would be to find a good name for whatever comes next.
There was a problem hiding this comment.
At that point, it makes sense to give it a section/subsection for the configuration part, and/or end it with (* end of Kernel_Config interface section *) or something, then the general chaos can continue afterwards without a good name.
| @@ -164,7 +164,7 @@ cacheInvalidateL2RangeCallback _ _ _ = return () | |||
| cacheCleanL2RangeCallback :: Ptr CallbackData -> PAddr -> PAddr -> IO () | |||
| cacheCleanL2RangeCallback _ _ _ = return () | |||
|
|
|||
| -- For the ARM1136 | |||
| -- Overwritten in Isabelle | |||
There was a problem hiding this comment.
I don't like this phrase. Don't we have an existing one that makes sense already? I'm not sure it's "overwritten in Isabelle", but rather it's clobbered by the abstract spec, or (non-exclusive) it's not imported by the translator.
There was a problem hiding this comment.
Or maybe unused by the design/exec spec ...
There was a problem hiding this comment.
Ah, this is what the error comment was about. Yes, might be good to error them out.
|
|
||
| (* Folding cacheLineBits_val in C functions only works reliably if cacheLineBits is not 1 and | ||
| not too large to conflict with other values used inside cache ops. | ||
| 12 is ptBits, which is only available after ExecSpec. Anything smaller than ptBits works. *) |
There was a problem hiding this comment.
This is a bit of a worry, since it's a purely syntactic restriction. What is the risk that the proofs will fail in the future due to the appearance of some other number that happens to be the same as cacheLineBits?
| not too large to conflict with other values used inside cache ops. | ||
| 10 is ptBits, which is only available after ExecSpec. Anything smaller than ptBits works. *) | ||
| lemma cacheLineBits_sanity: | ||
| "cacheLineBits \<in> {2..10}" |
There was a problem hiding this comment.
would it make sense to say ptBits for these instead of the ..10 or whatever and have a [simplified ptBits_def] or whatever on the lemma statement?
There was a problem hiding this comment.
oh right, "which is only available after ExecSpec". Hmm. Nitpick: "anything smaller than" and "not 1" don't gel together well
| by (simp add: pageBits_def) | ||
|
|
||
| lemma pageBits_leq_pptrBaseOffset_alignment: | ||
| "pageBits \<le> pptrBaseOffset_alignment" |
There was a problem hiding this comment.
I'm a bit lost, is pptrBaseOffset_alignment related to cache line size?
There was a problem hiding this comment.
yes, it's larger :-)
The relationship is that addrFromPPtr alignment is preserved by anything smaller or equal to pptrBaseOffset_alignment, which is what we need for the .. && mask cacheLineBits = ... lemma
|
|
||
| lemma ptBits_leq_pdBits: | ||
| "ptBits \<le> pdBits" | ||
| by (simp add: pt_bits_def pd_bits_def pde_bits_def pte_bits_def) |
There was a problem hiding this comment.
it's odd to me that the above two lemmas are in the cacheLineBits interface section
| by (simp add: pd_bits_def APIType_capBits_def pde_bits_def) | ||
|
|
||
| lemma cacheLineBits_le_PageDirectoryObject_sz: | ||
| "cacheLineBits \<le> APIType_capBits PageDirectoryObject us" |
There was a problem hiding this comment.
what's the intuition behind this constraint?
| @@ -3129,18 +3130,13 @@ lemma ccorres_return_void_C': | |||
| done | |||
|
|
|||
| lemma is_aligned_cache_preconds: | |||
| "\<lbrakk>is_aligned rva n; n \<ge> 7\<rbrakk> \<Longrightarrow> rva \<le> rva + 0x7F \<and> | |||
| addrFromPPtr rva \<le> addrFromPPtr rva + 0x7F \<and> rva && mask 6 = addrFromPPtr rva && mask 6" | |||
| "\<lbrakk>is_aligned rva n; n \<ge> 7\<rbrakk> \<Longrightarrow> rva \<le> rva + 0x7F \<and> addrFromPPtr rva \<le> addrFromPPtr rva + 0x7F" | |||
There was a problem hiding this comment.
do you happen to know where the 7 and 0x7F come from here? I'm wondering if it's related to cache line size in any way, or from somewhere else
| "ccorres dc xfdc | ||
| (\<lambda>s. vs \<le> ve \<and> ps \<le> ps + (ve - vs) | ||
| \<and> vs && mask cacheLineBits = ps && mask cacheLineBits | ||
| \<comment> \<open>ahyp version translates ps into kernel virtual before flushing\<close> |
There was a problem hiding this comment.
while we're here, could you change ahyp to arm-hyp?
| field_simps is_aligned_mask[symmetric] mask_AND_less_0)+ | ||
| field_simps is_aligned_mask[symmetric] mask_AND_less_0 | ||
| cacheLineBits_le_PageDirectoryObject_sz[unfolded APIType_capBits_def, | ||
| simplified])+ |
There was a problem hiding this comment.
By the way, are you aware of @ from Rule_By_Method? We might be able to abbreviate these kinds of things with [@<simp add: APIType_capBits_def>]
There was a problem hiding this comment.
(not needed in this one, but more general observation)
| (\<lbrace>\<acute>start = w1\<rbrace> \<inter> \<lbrace>\<acute>end = w2\<rbrace> \<inter> \<lbrace>\<acute>pstart = w3\<rbrace>) [] | ||
| (doMachineOp (cleanCacheRange_PoU w1 w2 w3)) | ||
| (Call cleanCacheRange_PoU_'proc)" | ||
| apply (rule ccorres_gen_asm) | ||
| apply (cinit' lift: start_' end_' pstart_') | ||
| apply (fold cacheLineBits_val) |
There was a problem hiding this comment.
I think some kind of comment on this line (and in other lemmas) would be good, it's the linchpin of this whole exercise.
cacheLineBitsfrom config (only used on Arm, defined but unused on RISCV, fixed on x64)cacheLineBits_valwhich is used in ARM and ARM_HYP to fold C values (safe, because the range of values forcacheLineBitsis small)There is a bunch of commits. I think they make reasonable sense as logical units, but happy to be persuaded otherwise if people want more squashing.
This changes bring Cortex-A72 into the ARM/ARM_HYP range.