Memory regions in the boot code are represented as top-end-exclusive
and so printing them as [a..b] is at best misleading (especially
as the elfloader code that runs beforehand uses [a..b] for inclusive
ranges). The boot log now looks like this (QEMU AArch64):
ELF-loading image 'rootserver' to 40239000
paddr=[40239000..4061efff]
vaddr=[400000..7e5fff]
virt_entry=40e3f8
Enabling MMU and paging
Jumping to kernel-image entry point...
Bootstrapping kernel
Warning: Could not infer GIC interrupt target ID, assuming 0.
available phys memory regions: 1
[40000000..80000000)
reserved virt address space regions: 3
[ffffff8040000000..ffffff8040237000)
[ffffff8040237000..ffffff8040238e11)
[ffffff8040239000..ffffff804061f000)
Booting all finished, dropped to user space
Signed-off-by: julia <git.ts@trainwit.ch>
This was missed in cb8ee83f0cd2268b1d6b1cd5ca30b031db5896c4; their
use was removed from syscall_stub_gen but their typedefs remained.
Signed-off-by: julia <git.ts@trainwit.ch>
This would previously create regions that were off-by-1 on the upper
end with addresses such as 0x40001. This seems to have been fine, and
just created an extra unnecessary memory region covering the extra
bootinfo memory. But at the same time this was inconsistent with e.g.
calculate_rootserver_size() which contained the check:
size += extra_bi_size_bits > 0 ? BIT(extra_bi_size_bits) : 0;
and this created issues when I was experimenting with some boot code
changes as the bootinfo size accounting was inconsistent.
Signed-off-by: julia <git.ts@trainwit.ch>
Recent doxygen versions generate references for constants that are named
in the text. Since we do not produce a constant table in the manual
(neither markdown nor tex), these references point to nowhere and
produce a KeyError in the ref_dict on lookup.
The corresponding xml nodes are of this form:
<ref kindref="member"
refid="include_2sel4_2constants_8h_1a9a3...">seL4_TCBFlag</ref>
Ignore such dangling references and return the content (seL4_TCBFlag in
the example) instead. Run text escape on the content to cover
underscores etc in LaTeX.
Does not produce a warning since we expect this to be normal behaviour.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Previously, this would error with a (confusing) warning since #546 about
Variable 'KernelArch' is not set
sel4test/settings.cmake had some code which complained about an invalid
platform, but it only ran if the kernel was found correctly:
set(valid_platforms ${KernelPlatform_all_strings})
set_property(CACHE PLATFORM PROPERTY STRINGS ${valid_platforms})
if(NOT "${PLATFORM}" IN_LIST valid_platforms)
message(FATAL_ERROR "Invalid PLATFORM selected: \"${PLATFORM}\"
Valid platforms are: \"${valid_platforms}\"")
endif()
Because of the CMake cache, if a correct platform was set, *then* an
incorrect platform, you could see this error, as the KernelArch would be
retained between builds in the cache. (Note: because of the cache, the
error message within the kernel is not triggered if we go from a valid
to an invalid platform. However the sel4test/settings.cmake one is).
Previously:
- If no platform is specified:
sel4test/build$ ../init-build.sh
loading initial cache file sel4test/projects/sel4test/settings.cmake
-- Set platform details from PLATFORM=
-- KernelPlatform:
-- Found seL4: sel4test/kernel
CMake Error at sel4test/kernel/configs/seL4Config.cmake:185
Variable 'KernelArch' is not set.
Call Stack (most recent call first):
sel4test/kernel/FindseL4.cmake:21 (include)
settings.cmake:32 (sel4_configure_platform_settings)
- If an invalid platform is specified:
sel4test/build$ ../init-build.sh -DPLATFORM=Cheshire
loading initial cache file sel4test/projects/sel4test/settings.cmake
-- Set platform details from PLATFORM=Cheshire
-- KernelPlatform: Cheshire
-- Found seL4: sel4test/kernel
CMake Error at sel4test/kernel/configs/seL4Config.cmake:185
Variable 'KernelArch' is not set.
Call Stack (most recent call first):
sel4test/kernel/FindseL4.cmake:21 (include)
settings.cmake:32 (sel4_configure_platform_settings)
Now, it looks like:
- If no platform is specified:
sel4test/build$ ../init-build.sh
loading initial cache file sel4test/projects/sel4test/settings.cmake
-- Set platform details from PLATFORM=
-- KernelPlatform:
-- Found seL4: sel4test/kernel
CMake Error at sel4test/kernel/configs/seL4Config.cmake:180
Variable 'KernelPlatform' is not set - is PLATFORM '' correct? Valid
platforms are
'allwinnerA20;am335x;apq8064;ariane;bcm2711;bcm2837;cheshire;...'
Call Stack (most recent call first):
sel4test/kernel/FindseL4.cmake:21 (include)
settings.cmake:32 (sel4_configure_platform_settings)
- If an invalid platform is specified:
sel4test/build$ ../init-build.sh -DPLATFORM=Cheshire
loading initial cache file sel4test/projects/sel4test/settings.cmake
-- Set platform details from PLATFORM=Cheshire
-- KernelPlatform: Cheshire
-- Found seL4: sel4test/kernel
CMake Error at sel4test/kernel/configs/seL4Config.cmake:180
Variable 'KernelPlatform' is not set - is PLATFORM 'Cheshire'
correct? Valid platforms are 'allwinnerA20;am335x;apq8064;...'
Call Stack (most recent call first):
sel4test/kernel/FindseL4.cmake:21 (include)
settings.cmake:32 (sel4_configure_platform_settings)
- If a valid platform is specified:
sel4test/build$ ./init-build.sh -DPLATFORM=cheshire
loading initial cache file sel4test/projects/sel4test/settings.cmake
-- Set platform details from PLATFORM=cheshire
-- KernelPlatform: cheshire
-- Found seL4: sel4test/kernel
-- platform cheshire supports multiple architectures, none was given
-- defaulting to: riscv64
-- Found GCC with prefix riscv64-none-elf-
Signed-off-by: julia <git.ts@trainwit.ch>
According to Arm documentation, the exception-handling routine
needs to zero the following bits in FPEXC:
DEX, IDF, IXF, UFF, OFF, DZF and IOF
In seL4, the user space fault handler should do this, as the kernel
doesn't know when user space is done handling the FPU trap.
In case of virtualisation, the guest kernel should clear these bits.
Now that the seL4 kernel doesn't handle FPU traps itself any more,
user space can handle asynchronous traps if it wants to.
Signed-off-by: Indan Zupancic <indan@nul.nu>
On 32-bit ARM the fpexc system register is set by loadFpuState,
which includes the FPU enable/disable bit FPEXC_EN_BIT. This
register is part of the usercontext and needs to be initialised
correctly, otherwise the FPU will be disabled by loadFpuState.
Before, this bug was hidden because the FPU was enabled lazily
after a trap. This bug just caused one extra FPU trap at first
FPU use for each task: The first handleFPUFault would fail to
enable the FPU, causing another FPU trap when user space gets
restarted.
On the second FPU fault, switchLocalFpuOwner calls enableFpu first
and then calls saveFpuState because ksActiveFPUState is set to the
current task's FPU state. Then it gets saved with FPEXC_EN_BIT set
and the task can continue with the FPU actually enabled.
This also means that with the old code, the initial FPEXC state
of each task was equal to the previous active FPU task's.
Signed-off-by: Indan Zupancic <indan@nul.nu>
Also release FPU when dissociating a vcpu, otherwise ksCurFPUOwner
may be wrong.
fpuRelease() sets ksCurFPUOwner to NULL, if this happens before
we return to the host, it may end up with the FPU disabled and no
FPU state loaded. Instead of hunting down and handling all obscure
corner cases where this might happen (dissociating vcpus, cross-core
operations), just check for this in vcpu_fpu_to_host().
Signed-off-by: Indan Zupancic <indan@nul.nu>
It's not only used when deleting a thread any more.
Swapping fpuRelease and dissociateVCPUTCB makes no practical
difference as they are independent, but it simplifies
verification slightly.
Signed-off-by: Indan Zupancic <indan@nul.nu>
Add config choice and change the default from XSAVEOPT to XSAVE.
The first config choice is used as the default option. Only XSAVE
is guaranteed to always work, the others require newer CPUs.
Get rid of dubious FPU state headers, we don't need them:
- XCOMP_BV_COMPACTED_FORMAT is set by xsavec or xsaves.
- We can init MXCSR with the ldmxcsr instruction.
Only system state should be configured in IA32_XSS_MSR,
setting FPU user state bits causes an exception.
All memory should be zeroed already, no need to do it again.
See also issue #179.
Signed-off-by: Indan Zupancic <indan@nul.nu>
Trivial change, except for x86 virtualisation and bootup.
Normally the seL4_TCBFlag_fpuDisabled flag is used to decide whether
to enable or disable the FPU. However, with x86 virtualisation there
is only one TCB. Use the task flag for the host and always enable FPU
for the guest.
When either the host or the guest's FPU is loaded, ksCurFPUOwner will
point to our TCB. saveFpuState and loadFpuState check fpu_active and
do the right thing depending on the current FPU user. To make this
work it was necessary to pass tcb_t to saveFpuState and loadFpuState.
Use the idle thread to store the initial FPU state. x86KSnullFpuState
is kept to simplify verification.
However, when Arch_initFpu is called, the idle thread hasn't been
created yet, so move the initialisation to after create_idle_thread,
but before create_initial_thread, as that leads to Arch_initFpuContext
using x86KSnullFpuState.
Also initialise VCPU FPU registers correctly for x86, otherwise the
initial state is wrong and can't be loaded when XSAVES is enabled.
Signed-off-by: Indan Zupancic <indan@nul.nu>
On x86 both the VM monitor as the VM guest have their own FPU state.
The FPU of the monitor is controlled with seL4_TCBFlag_fpuDisabled
TCB flag. For the guest running on the VCPU the FPU will always be
enabled.
Signed-off-by: Indan Zupancic <indan@nul.nu>
Remove fault-based FPU state saving and loading.
Signed-off-by: Indan Zupancic <indan@nul.nu>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add flags to tcb_t and the seL4_TCBFlag_fpuDisabled flag.
Enums are signed, make TCB flags word_t to make it unsigned.
Signed-off-by: Indan Zupancic <indan@nul.nu>
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Retain the ridiculous name to make clear which invocation is being
handled.
Rename tptr to tcb for consistency within the file.
We have a dom_t type, use it as early as possible.
Signed-off-by: Indan Zupancic <indan@nul.nu>
This was removed in 2016 289bf92bf0.
Additionally, 5fac9e8198 removed the
section of the comment regarding having enough room for all the
untyped caps; because otherwise "enough space for 12 caps" is
somewhat uninteresting (most of the cspace is taken up by untypeds).
Signed-off-by: julia <git.ts@trainwit.ch>
As decided at the most recent TSC meeting, bump cmake format to the
latest version. This will change/break style in many of the existing
cmake files, but pinning pyyaml to < 6 is not a long-term option.
Also bump patch version of autopep8, which should not lead to style
changes.
Bump overall sel4-deps version because the cmake-format change is
incompatible. Version 0.6.0 was not published because of the pyyaml
pinning/downgrade.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Migrate documentation of the API docs generation process here from the
docsite where it is too much out of view. Here it is closer to where it
is needed an more likely to get updated when things change.
Compared to the docsite version, this has applied:
- standard wrap column
- markdown lints
- adjusted headings
- `object-api-sel4-arch.xml` etc renames
- include RISC-V in structure
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove manual table of contents for rendering on the docsite, which will
provide an automatic TOC.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
When evaluating XML condition expressions, properly treat undefined
values as undefined, not as False. Otherwise, the negation of an
undefined value may make an entire expression true and incorrectly
label some methods as MCS methods.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- introduce arch interface for IRQControlCap dependencies as well as for
isMDBParentOf (Arch_isIRQControlDescendant, Arch_isMDBParentOf). This
mirrors the corresponding interface in the proofs and Haskell and
avoids #ifdef proliferation in generic code.
- Arch_isIRQControlDescendant is currently only used for SGISignalCaps
- Arch_isMDBParentOf is used for SGISignalCaps and SMCCaps
- fix argument checking in Arch_decodeIRQControlInvocation (+ style
tweak)
- Arch_sameObjectAs must return false for SGISignalCaps to align with
finality definition of caps, i.e. SGISignalCaps are always final. This
has no behaviour change, because finality doesn't matter for behaviour
for SGISignalCaps, but we require for the proofs that the concept of
finality aligns with the spec.
- simplify checks for IRQControlCap in sameObjectAs: sameObjectAs can
never be true for IRQControlCap.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Allow SGIs to be generated from non-SMP kernels.
Signed-off-by: Kent McLeod <kent@kry10.com>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Fix a bug in VGIC Maintenance/VPPI logic that allowed a thread to be
simultaneously BlockedOnReply and in the release queue.
Co-authored-by: Alwin Joshy <joshyalwin@gmail.com>
Signed-off-by: Krishnan Winter <krishnanwinter1@gmail.com>
set ts-2025 for master branch l4v and leave on ts-2024 for MCS until MCS
is updated to Isabelle2025 as well.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Krishnan Winter