AArch64 Information Flow: initial setup

[ryybrr]

Partial information flow proofs for AArch64. Please see c75ee1a when reviewing the bulk of the changes as this provides the most minimal diff.

• Removed various instances of pspace_aligned, valid_vspace_objs, and
  valid_arch_state. This mirrors previous cleanup efforts for access control (see: a759ea1).
• Strengthened domain_sep_inv, allowing proofs to relate getActiveIRQ instances with different flags.
• Ported the RISCV64 InfoFlow proofs to AARCH64. The majority of breakages have been addressed, with outstanding proof obligations deferred using the sorry command. Additional context is provided by FIXME AARCH64 IF comments in the theory files.

[Xaphiosis]

I don't understand. You're saying "build InfoFlow with sorries" in ROOT in this commit, but you're disabling InfoFlow testing for all arches that had it? Wouldn't we want to still test those arches, but have AARCH64 run through with sorries?

[lsf37]

Unless there are changes to the generic files that are temporarily breaking the infoflow proofs on ARM/RISCV. @ryybrr is that the case? If not, we should indeed not remove them.

[ryybrr]

Yep, have made changes to the generic files without updating ARM/RISCV. I was planning to leave them for now; since this PR also includes partial proofs, the interface may shift further. If you'd prefer, I could see if it's a quick fix?

[lsf37]

It's worth checking out, but not high priority. We're not expecting this to be a very long-lived branch.

[Xaphiosis]

proof indentation

[Xaphiosis]

trivial: can use thread_set (tcb_arch_update blah) t ⦃silc_inv aag st⦄ short syntax for same pre/post and no rv

[Xaphiosis]

this kind of thing feels like it could be moved to AInvs during cleanup, possible FIXME move?

[ryybrr]

I should be able to cut it altogether. CNode_AC_assms appearing here makes me think it's an unused remnant from WIP proofs.

[Xaphiosis]

Likely. I think normally we don't unfold it, i.e.

lemma arch_thread_set_is_thread_set:
  "arch_thread_set f t = thread_set (tcb_arch_update f) t"

but then we have this:

lemma arch_thread_set_sym_refs_hyp':
  "⟦⋀tcb. hyp_refs_of (TCB tcb) = hyp_refs_of (TCB (tcb_arch_update f tcb))⟧
   ⟹ arch_thread_set f t ⦃λs. P (state_hyp_refs_of s)⦄

which can't be interfaced directly. There's an instantiated version for FPU state, but not one for state_hyp_refs_of. There's also an ominous comment a bit above it in ArchTcbAcc_AI:

― ‹FIXME: Shouldn't state_hyp_refs_of be generic? If it was, then this and
          arch_thread_set_sym_refs_hyp' could be generic as well›

so that might be worth fixing up.

[Xaphiosis]

no chance for wps for these?

[ryybrr]

I'll review, but I recall there being a reason why it didn't work.

[Xaphiosis]

can use short form

[Xaphiosis]

parentheses, can use two line by proof

[Xaphiosis]

AARCH64 we have level_defs and bit_simps which should greatly reduce the amount of things you need to mention; you can find them by doing:

find_names asid_pool_level_def
find_names ptTranslationBits_def

[ryybrr]

Not directly related, but these lemmas tagged with FIXME AARCH64 IF: move were copied from other architectures as I couldn't find equivalent rules. Do you know if something similar exists for AARCH64 already?

[Xaphiosis]

RISCV64 has these in ArchInvariants_AI.thy but I'm not seeing anything in AARCH64 (if you mean "is there something like pt_bits_left_le_canonical already in AARCH64)

[Xaphiosis]

potentially can fold into previous with intro!: requiv_get_pt_entry_eq, no?

[Xaphiosis]

wpsimp usually supplants wpc and clarsimp

[Xaphiosis]

extra newline?

[Xaphiosis]

wpsimp possible here?

[Xaphiosis]

tag with FIXME?

[Xaphiosis]

hang on, can't the name move from the shows to the lemma? this is very unusual format

[lsf37]

Agreed, unless we have multiple parts to the shows (separated with and), the name should be at lemma so it remains searchable.

[Xaphiosis]

helper is a poor name, usually these are named after the lemma(s) they help with (e.g. blah_update_helper)

[ryybrr]

This part of the file comes under a previous FIXME AARCH64 IF: proof cleanup comment, so ideally this lemma would be removed altogether. I wanted to brute force a proof but didn't have the time to perform the proper cleanup.

[Xaphiosis]

Proof-wise, the quality is very good, thank you. I found some nitpicks while looking around to figure out what's going on (as I'm a rather behind on the Access/InfoFlow comprehension).

My main concern for this one is for the comprehension/longer-term maintenance aspect. Commits:

• relax assumptions : were these unnecessary assumptions? what's the reason for their removal? might want to say that in the commit message, even briefly
• access: strengthen domain_sep_inv: again, I feel like there was discussion about this. The commit only says what the commit contains, but is this a conclusion of some deeper discussion?

None of the commits say anything about what's happened, what's majorly different/difficult for AARCH64 (e.g. the kernel interrupt situation). I feel like we'd want more of the "why" in the historical record. I looked through the commits and didn't see any comments talking about any of this stuff either (indeed, not many comments at all aside from the FIXMEs).

Now, it may be the case that the interrupt situation was already handled by Access and I missed it somehow, or the problem is brushed under the sorries at the moment (fine for initial setup), but I feel like I would've come across some trace of documentation in this one.