Adding a spec with precondition False means verification has to show
that the function is not called.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Wrap config_set macro in a static inline function so that verification
automation does not simplify away dead code branches based on it, but
the compiler still does.
In most parts of the proofs we want to pretend that we don't know the
config value yet and consider both options. This makes the proofs more
independent of the config value that is selected.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Put the parameter in brackets to ensure it is an atom. This makes the
macro work as expected in corner cases like ARRAY_SIZE(foo + 3) also.
Signed-off-by: Axel Heider <axelheider@gmx.de>
When building seL4 on a host whose default encoding is not UTF-8,
tools/bitfield_gen.py complains, as the following log from
Python 3.6 on an Ubuntu 18.04 host shows:
Traceback (most recent call last):
File "tools/bitfield_gen.py", line 2773, in <module>
string = f.read()
File "/usr/lib/python3.6/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position
607543: ordinal not in range(128)
As the Python 3 doc for open() [1] says the default encoding is
platform dependent, such a build error may happen on some hosts.
We can either update tools/bitfield_gen.py to call open() with
an explicit encoding="utf-8" parameter, or avoid UTF-8 characters
in the source code.
After inspecting the two places in current source tree that use UTF-8
characters, none of them is absolutely necessary. Let's convert them
to ASCII characters.
[1] https://docs.python.org/3.6/library/functions.html#open
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
- Since uint32_t and uint64_t are used, stdint.h needs to be included.
- Improve comments about GCC/LLVM internals.
Co-authored-by: Matthew Brecknell <matthew@brecknell.net>
Signed-off-by: Axel Heider <axelheider@gmx.de>
Make the definition for NULL generic, so it can be used in constants
that are shared by C and assembly code.
Signed-off-by: Axel Heider <axelheider@gmx.de>
- Provide the macro ULL_CONST() for 'unsigned long long' constants, and
use it where applicable.
- Add a verbose explanation why the 'unsigned long long' type is used
for time constants.
Signed-off-by: Axel Heider <axelheider@gmx.de>
- Reorder the macro definitions to ensure things are defined before they
are used.
- Provide a verbose explanation why the UL_CONST() macro is needed.
- Make the BIT() macro definition generic by using UL_CONST().
Signed-off-by: Axel Heider <axelheider@gmx.de>
A previous commit (9ec5df5f) to provide more efficient CLZ (count
leading zeros) and CTZ (count trailing zeros) removed the `__clzsi2` and
`__ctzsi2` symbols, due to a misunderstanding of the types of these and
other library functions expected by GCC's intrinsics. 9ec5df5f broke the
riscv32 build.
This commit corrects the misunderstanding:
- `__clzsi2` and `__ctzsi2` are reinstated with correct types.
- The types of `__clzdi2` and `__ctzdi2` are corrected.
- `__clzti2` and `__ctzti2` are removed, since seL4 contains no compiler
intrinsics that would require them.
- `clzl` and `ctzl` dispatch to the appropriate library functions based
on the size of `unsigned long`.
- Configuration options are updated to ensure that the library functions
are included in the kernel binary only when needed.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
For RISC-V platforms that do not provide machine instructions to count
leading and trailing zeros, this commit includes more efficient library
functions. For verification, we expose the bodies of the functions to
the proofs.
Kernel config options `CLZ_BUILTIN` and `CTZ_BUILTIN` allow selection of
whether compiler builtin functions should be used. These are only
supported on platforms where the builtin compiles to inline assembly. By
default, the options are on for all platforms except RISC-V.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
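Added illustration for the two CLZ/CTZ commits above (not seL4's or libgcc's code): portable count-leading-zeros and count-trailing-zeros routines in the libgcc-style shapes the commits name (32-bit `si2`, 64-bit `di2`), plus a `clzl`/`ctzl` pair that dispatches on the width of `unsigned long`. The `demo_` prefix is an assumption so the names never collide with the real `__clzsi2` family.

```c
#include <stdint.h>

/* Binary search from the top: each step asks whether the upper half of the
 * remaining bits is empty and, if so, shifts the lower half up. An input of
 * zero returns the full width (the libgcc routines behave the same way). */
static int demo_clzsi2(uint32_t x)
{
    int n = 0;
    if (x == 0) return 32;
    if (!(x & 0xFFFF0000u)) { n += 16; x <<= 16; }
    if (!(x & 0xFF000000u)) { n += 8;  x <<= 8;  }
    if (!(x & 0xF0000000u)) { n += 4;  x <<= 4;  }
    if (!(x & 0xC0000000u)) { n += 2;  x <<= 2;  }
    if (!(x & 0x80000000u)) { n += 1; }
    return n;
}

/* ctz(x) is clz of the isolated lowest set bit, reflected: 31 - clz(x & -x). */
static int demo_ctzsi2(uint32_t x)
{
    if (x == 0) return 32;
    return 31 - demo_clzsi2(x & (0u - x));
}

/* 64-bit variants built from the 32-bit halves: look at the high word for
 * leading zeros and at the low word for trailing zeros. */
static int demo_clzdi2(uint64_t x)
{
    uint32_t hi = (uint32_t)(x >> 32);
    return hi ? demo_clzsi2(hi) : 32 + demo_clzsi2((uint32_t)x);
}

static int demo_ctzdi2(uint64_t x)
{
    uint32_t lo = (uint32_t)x;
    return lo ? demo_ctzsi2(lo) : 32 + demo_ctzsi2((uint32_t)(x >> 32));
}

/* Dispatch on sizeof(unsigned long), as the commit describes for clzl/ctzl,
 * so riscv32 and riscv64 pick the matching library routine. */
static int demo_clzl(unsigned long x)
{
    return sizeof(unsigned long) == 8 ? demo_clzdi2((uint64_t)x)
                                      : demo_clzsi2((uint32_t)x);
}

static int demo_ctzl(unsigned long x)
{
    return sizeof(unsigned long) == 8 ? demo_ctzdi2((uint64_t)x)
                                      : demo_ctzsi2((uint32_t)x);
}
```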
All the kernel header files now use pragma once rather than the ifndef,
as the pre-processed C files do not change while header files
are protected with pragma once. This will also solve any naming issues
caused by ifndef.
This commit also converts our own copyright headers to directly use
SPDX, but leaves all other copyright headers intact, only adding the
SPDX ident. As far as possible this commit also merges multiple
Data61 copyright statements/headers into one for consistency.
This changes the budget/remaining fields in scheduling contexts
to contain timer ticks, not number of abstract sel4ticks.
seL4_SchedControl_Configure now takes microseconds, not ticks.
This commit is platform-independent - the platform and arch specific
timer code follows in later commits.
Clang doesn't provide support for __attribute__((optimize ...)). There
are alternatives to provide the same functionality but due to how rarely
the kernel is compiled without optimisations, this can be added on
demand.
This fixes a problem with -O0 SMP builds on ARM visible as kernel
data aborts whenever the idle thread executes.
The idle thread receives no stack pointer. At -O2, this is fine
as the wfi() call is inlined and stack operations in idle_thread
are optimized out. At -O0, the stack operations remain and wfi()
is not inlined, resulting in stack accesses in the idle thread
that cause data aborts.
Forcing -O2 behaviour was deemed the simplest solution for now.
Giving the idle thread a stack would have had larger verification
ramifications for what is now a fairly uncommon use case.
The UL_CONST macro provides a way to declare a constant that may or may not have a UL
suffix. In the case of assembly the UL suffix will be an error to many assemblers and
is not needed.
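Added illustration of the UL_CONST()/BIT() idea from this and the earlier "Reorder the macro definitions" commit (not seL4's own definitions): a UL_CONST() that is a plain literal when the preprocessor runs over assembly, where GCC and Clang predefine `__ASSEMBLER__`, and gains a UL suffix in C. The two-level PASTE helper and the PAGE_SHIFT/N_PAGES constants are assumptions made for the demonstration.

```c
#include <stdint.h>

/* Two-level pasting: the outer macro expands its arguments first, so an
 * argument that is itself a macro (N_PAGES below) becomes its value before
 * the suffix is glued on. A single-level a##b would yield "N_PAGESUL". */
#define PASTE_(a, b) a##b
#define PASTE(a, b)  PASTE_(a, b)

#ifdef __ASSEMBLER__
#define UL_CONST(x) x             /* assemblers reject a UL suffix */
#else
#define UL_CONST(x) PASTE(x, UL)  /* C: make the constant unsigned long */
#endif

/* A BIT() built on UL_CONST is usable from both C and .S files and is as
 * wide as unsigned long, so BIT(40) is well defined on 64-bit targets
 * instead of overflowing a 32-bit int. */
#define BIT(n)     (UL_CONST(1) << (n))

#define PAGE_SHIFT 12
#define PAGE_SIZE  BIT(PAGE_SHIFT)
#define N_PAGES    1024

/* 1 if BIT() really is unsigned long wide rather than int wide. */
static int bit_is_unsigned_long(void)
{
    return sizeof(BIT(0)) == sizeof(unsigned long);
}

static unsigned long demo_page_size(void)
{
    return PAGE_SIZE;                       /* 4096 */
}

/* The suffix keeps mask arithmetic unsigned: ~(PAGE_SIZE - 1) is a full
 * unsigned long of ones above bit 11, not a sign-extended negative int. */
static unsigned long demo_page_mask(void)
{
    return ~(PAGE_SIZE - UL_CONST(1));
}

/* Exercises the two-level paste: UL_CONST(N_PAGES) expands to 1024UL. */
static unsigned long demo_region_bytes(void)
{
    return UL_CONST(N_PAGES) * PAGE_SIZE;   /* 4 MiB */
}
```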
When compiling the kernel as a whole program it is possible that these functions may
be inlined and not emitted in the resulting binary. However at the same time the
compiler may itself emit calls to these functions. Marking these functions as
externally visible tells the compiler that there may be more usages of them than
it sees immediately in the source code, in this case usages that the compiler
itself is going to generate.
This actually leads to better code. Copies of the halt loop inlined
in various places will instead be single instructions 'bl halt'. It's
also important for the translation validation to avoid having
pointless loops everywhere, especially inside the bodies of other
loops.
Add compatible prototypes for compiler builtins
__builtin_unreachable, __builtin_ctzl, __builtin_clzl,
and __builtin_popcountl.
The compiler ignores these, but they are necessary for the Isabelle
C parser to handle them. This is needed to drop DONT_TRANSLATE markers
from various functions which call these builtins.
config_default was intended to either evaluate to the passed configuration
value, or a default value if the config didn't exist. For integer values
this does not actually work, and the default value always gets returned.
This commit reimplements the desired functionality as config_ternary, which
takes 3 arguments, a config to switch on and a desired true and false expansion.
* commit 'ed95f84a438aea6365762a180cc493113e9282e0':
SELFOUR-413: changes for verification
SELFOUR-567: use seL4_CapRights_t from libsel4
SELFOUR-413: refactor libsel4 fault API
Split fault types into arch/generic