The new find_theorems tries to inspect rule_prems, which previously
raised an exception within Rule_By_Method. This just makes rule_prems
an empty dynamic fact.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
Adds an additional analysis option to the external C parser. This
will report about any asm statements that were encountered and could
not be properly handled.
[NO_PROOF]
To restore some previous functionality, add a mechanism by which an __asm__
statement too complex to be translated can still be ignored (handled as an
empty statement). A demo file does this for a wrapper around "nop".
Also use this facility to support legacy camkes-glue proofs which assume
that the software interrupt operator "swi" doesn't break anything.
With analysis of ASM statements included, some previous modifies
proofs get weakened. This has in particular consequences for proofs
about a cache clean done during retype. Make a weak assumption here
(bytes which actually have a type are unchanged), and strengthen some
logic to fit with this.
The C-parser contains a full parser for __asm__ syntax but
up until now hasn't done anything with it. Instead we export
some semantics. It's unspecified exactly what these semantics
are but they are parametrised with the __asm__ semantics that
went in to them, so the translation validation has something
to reason about.
Tweak modifies proofs as a result, and add some more test files.
* tcb_context rephrasing to (tcb_context o tcb_arch) and respectively
for set operations
* unfolding of reserved_irq for trivially solving most lemmas
* Changes to the inductive definition of integrity_obj to account for
tcb_arch and tcb_context new location
* Changes to the tcb examples in ExampleSystem to include tcb_arch
* Rephrasing of domain_sep_inv to accommodate the ReservedIRQ case
* Mostly rephrasing of tcb_context to (some form of) (tcb_context o tcb_arch)
* Trivial unfolding of handle_reserved_irq for hoare rules
* Examples in Example_Valid_State.thy were updated
* Nothing remarkable, mostly rephrasing of tcb_context and ReservedIRQ
handling
* Fun fact, some proofs are now shorter
tags: [VER-623][SELFOUR-413]
* The majority of changes involved rephrasing references to tcb_context
for the equivalent (arch_tcb_context_get o tcb_arch) (the same
applies for set operations)
* Major refactoring of setMRs and handleFaultReply C functions both of
which introduced new function calls when dealing with UserException
and SyscallException faults
* handleFaultReply' (definition) was modified to include less redundant
code
* handleFaultReply' (lemma) was completely refactored to use the
monadicrewrite framework for "easier" and simpler proofs
* IsolatedThreadAction framework stripped from Fastpath_C into new
standalone file
tags: [VER-623][SELFOUR-413]
* Generalized version of bind_inv_inv_comm for easier swapping inside
the nondet monad
* New ccorres_symb_exec_r_known_rv
* New zip_take lemmas for handling `take n (zip x y)` situations
tags: [VER-623][SELFOUR-413]
* Changes to StateRelation.thy, most notably the addition of
arch_tcb_relation and arch_fault_map to account for the new
arch_tcb and arch_fault types
* On ADT_H ArchFault_Map and ArchTcbMap were added to account for
(yet again) the new arch_tcb and arch_fault types
* Also irq_state_map and IRQStateMap were extended to support the new
IRQReserved
* Everything else was mostly unfolding stuff and
(tcb_arch -> tcb_context) rearrangement
tags: [VER-623][SELFOUR-413]
* atcbContextGet and atcbContextSet were added (just as in ASpec)
* asUser is now defined in terms of atcbContext{Get,Set}
* arch_tcb is now correctly imported as a datatype not as a type
synonym
tags: [VER-623][SELFOUR-413]
* atcbContextGet and atcbContextSet were added (just as in ASpec)
* asUser is now defined in terms of atcbContext{Get,Set}
tags: [VER-623][SELFOUR-413]
* Rephrasing of all the lemmas that used to refer to tcb_context as
a direct value on tcb.
* Providing arch-specific lemmas about handle_arch_fault_reply and
make_arch_fault_msg to deal with handle_fault_reply and make_fault_msg
new arch-specific cases.
* Trivial but arch-specific proofs about reserved_irq
tags: [VER-623][SELFOUR-413]
* Rephrasing of all the lemmas that used to refer to tcb_context as
a direct value on tcb.
* Providing arch-specific lemmas about handle_arch_fault_reply and
make_arch_fault_msg to deal with handle_fault_reply and make_fault_msg
new arch-specific cases.
* Trivial but arch-specific proofs about reserved_irq
tags: [VER-623][SELFOUR-413]
* fixing name space for arch_tcb and tcb_context
* arch_fault added
* changing name space for arch_tcb
- as_user, set_mrs, get_mrs, copyRegsToArea, and copyRegsToArea are
moved to the ARM_HYP directory. This breaks the proofs in
refinement, etc., mostly in tcb related files.
* removed a duplicate range check definition
* fixes ARM for arch_tcb
* adding arch_thread_get/set
* add ReserveIRQ
- initInterruptController is not added yet.
* add arch_fault
- arch_fault and related functions are added.
* arch-parametrising arch-specific extra registers
- ArchDefaultExtraRegisters is the common interface that refers to the
arch-specific data (ARMNoExtraRegisters for ARM/ARM_HYP)
* Adding accessors for tcb_context
- Despite the fact that tcb_context has an arch-specific definition,
it is reasonable to assume that some form of tcb_context will be
available in any architecture, thus the need for accessors to handle
updates.
* as_user updated to use tcb_context accessors
* set_mrs and get_mrs updated to use tcb_context accessors
- Several functions on ArchTcb_A and ArchTcbAcc_A (both theories were
removed) can be defined in a general context by using the
tcb_context accessors
tags: [VER-623][SELFOUR-413]
* skeletons, adding new constructs (arch_tcb, arch_fault)
* adjusting skeletons for ReserveIRQ + small change in haskell (ARM)
Changes in: spec/haskell/src/SEL4/Object/Interrupt/ARM.lhs:37:21
Due to "Defined but not used: ‘irq’"
* arch-splitting faults in skeletons (ARM)
* fix arch_tcb and asUser namespace issues in skeletons (ARM)
* checking in current generated files
tags: [VER-623][SELFOUR-413]
Hypervisor extensions add extra fault types which are entirely
arch-specific. While the concept of a VM fault exists on all platforms,
these faults are also arch-specific.
This change adds an ArchFault datatype and constructor to the generic
Faults and Failures, and moves VMFault into ArchFault for the ARM
platform.
NOTE: fault indices have changed (generic goes before arch) as per
the changes needed for SELFOUR-413, which is the seL4 C equivalent of
this commit.
* add arch faults and failures to SEL4.cabal
* introduce and handle IRQReserved
On ARM this does nothing, but on other platforms reserved IRQs are
actually used.
* split TCB into ArchTCB (userContext)
* changing ArchFault to make haskell-translator to work
tags: [VER-623][SELFOUR-413]
This reverts:
- a67b443ca5
"SELFOUR-242: update goal number based indentation in Fastpath_C"
- f704cf0404
"SELFOUR-242: invert bitfield scheduler and optimise fast path"
Verification confirmed functional correctness and refinement of the
system in this case. However, guarantees on thread scheduling and
fairness are not modeled in the current verification. Once this issue is
addressed, SELFOUR-242 will be re-examined.
Currently every image (heap?) is built on top of one (JUST ONE) ancestor image,
so there is no reason for any image-related test to depend on
more than 1 image-related test, granted no external things are being
built as a result of any dependency.
I'm keeping this separate as it changes a lot of whitespace that
SELFOUR-242 touches only indirectly by influencing the number of
subgoals.
A few small cleanups got thrown in.
* Reverse the level 2 of the bitmap scheduler to move the highest priority
threads' level 2 entries into the same cache line as the level 1.
* Use the bitfield scheduler to make the fast path a more common occurrence.
* Change possibleSwitchTo to not invoke scheduler when the fast path would not
invoke it either (using implicit assumptions about the current thread being
the highest priority schedulable thread)
These changes to the automata are required by:
SELFOUR-242: invert bitfield scheduler and optimise fast path
Details:
When we enter the kernel, the domain time left (ksDomainTime) is never zero.
If we entered on a timer interrupt, we may decrement it to zero before the
scheduler runs. If we do so, we set the scheduler state to choose_new_thread.
When choosing a new thread, the scheduler switches to a new domain if the
present one is required, and sets the new domain time left from domain_list
(ksDomSchedule).
When entering the kernel on a non-interrupt event, we never touch the domain
time left, which trivially preserves the new constraints.
To prove these, we had to ban a transition from kernel entry to kernel being
preempted when handling an interrupt event in InfoFlow. This is fine, as by
design handling interrupts is not meant to be preempted by interrupts.
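The domain-time invariant described in the commit message above, as a small executable model added here (not l4v or seL4 code): ksDomainTime is non-zero at every kernel entry, a timer-interrupt entry may drive it to zero and then sets choose_new_thread, and the scheduler reloads it from ksDomSchedule when switching domain. The KernelState fields mirror seL4 naming, and the numeric domain schedule is a constructed sample.

```python
"""Toy model of the seL4 domain-time invariant (added example, not l4v code).
Field names mirror the seL4 kernel state; DOM_SCHEDULE is constructed."""
from dataclasses import dataclass

# Constructed domain schedule: (domain id, time slice in ticks), playing ksDomSchedule.
DOM_SCHEDULE = [(0, 3), (1, 2)]

@dataclass
class KernelState:
    ksDomScheduleIdx: int = 0
    ksCurDomain: int = DOM_SCHEDULE[0][0]
    ksDomainTime: int = DOM_SCHEDULE[0][1]
    ksSchedulerAction: str = "resume_current_thread"

def schedule(s: KernelState) -> KernelState:
    """Scheduler run before returning to user level. If a new thread must be
    chosen and the domain time is exhausted, advance to the next domain in the
    schedule and reload the domain time, so it is non-zero again at exit."""
    if s.ksSchedulerAction == "choose_new_thread":
        if s.ksDomainTime == 0:
            s.ksDomScheduleIdx = (s.ksDomScheduleIdx + 1) % len(DOM_SCHEDULE)
            s.ksCurDomain, s.ksDomainTime = DOM_SCHEDULE[s.ksDomScheduleIdx]
        s.ksSchedulerAction = "resume_current_thread"
    assert s.ksDomainTime > 0, "invariant: domain time non-zero at kernel exit"
    return s

def timer_interrupt_entry(s: KernelState) -> KernelState:
    """Timer tick: decrement the domain time; on reaching zero, request a
    new thread (and thereby possibly a new domain) before the scheduler runs."""
    assert s.ksDomainTime > 0, "invariant: domain time non-zero at kernel entry"
    s.ksDomainTime -= 1
    if s.ksDomainTime == 0:
        s.ksSchedulerAction = "choose_new_thread"
    return schedule(s)

def non_interrupt_entry(s: KernelState) -> KernelState:
    """Syscall/fault entry: the domain time is never touched."""
    assert s.ksDomainTime > 0, "invariant: domain time non-zero at kernel entry"
    return schedule(s)

def run_ticks(n: int) -> list:
    """Alternate timer-interrupt and syscall entries n times and return the
    (ksCurDomain, ksDomainTime) pair observed at each kernel exit."""
    s, trace = KernelState(), []
    for i in range(n):
        s = timer_interrupt_entry(s) if i % 2 == 0 else non_interrupt_entry(s)
        trace.append((s.ksCurDomain, s.ksDomainTime))
    return trace
```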
Analogous to the _UNIV versions, they are:
ccorres_symb_exec_r_rv_abstract: you know some property about the return
value you want to exploit
ccorres_symb_exec_r_known_rv: you know exactly how the return value
can be generated from the Haskell side (e.g. using from_bool, ucast)
As discussed in the past, the _UNIV versions can be dangerous as they
expect a trivial postcondition of the subsequent SIMPL statement.
The watch_kill_switch loop was pretty busy; adding a simple
timeout reduces CPU consumption.
The CPU consumption of run_tests.py is still higher than I'd expect
to just update a terminal, but I don't know where to investigate
further.