Commit Graph

2554 Commits

Author SHA1 Message Date
Michael McInerney 49ff8457f2
clib+crefine: improve and consolidate variants of ccorres_to_vcg
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
2023-10-17 13:54:56 +10:30
Gerwin Klein 1cce5b3ff7
proof: switch AArch64 quick_and_dirty from Refine to CRefine
Refine for AArch64 is now completed and doesn't need quick_and_dirty
any more. CRefine is now in development mode.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-10-13 09:12:09 +11:00
Gerwin Klein 4c0b3dfe9d
capDL-api: update to Isabelle2023 mapsto syntax
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-10-06 14:41:53 +11:00
Gerwin Klein f7768ee90e
sep-capDL: update to Isabelle2023 mapsto syntax
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-10-06 14:41:53 +11:00
Gerwin Klein 314158480a
proof: update to Isabelle2023 mapsto syntax
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-10-06 14:41:41 +11:00
Corey Lewis 7999632872
proof: update for changes to nondet monad
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-10-05 11:24:05 +11:00
Gerwin Klein 5497666b8b
aarch64 ainvs+refine: remove unused dom_ucast_eq
The old version of dom_ucast_eq in AInvs is not useful, because the
necessary constants are not available yet in AInvs.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:37 +10:00
Gerwin Klein dcf6ee4d55
aarch64 ainvs+refine: move lemmas from Refine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:36 +10:00
Gerwin Klein 0369a4bd91
lib+ainvs+aarch64 refine: move+consolidate vcg_op_lift lemmas
Collect all operator lifting lemmas in one place under
hoare_vcg_op_lift. (Moved from Refine)

Move the lifting lemmas that were still in AInvs up to lib.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:36 +10:00
Gerwin Klein de50741ec0
lib+aarch64 refine: move lemmas to lib
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:36 +10:00
Gerwin Klein a24ddbefad
aarch64 refine: move lemmas internally
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:36 +10:00
Gerwin Klein 26a3a6eb07
aarch64 refine: lemmas moved to aarch64 ainvs
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:36 +10:00
Gerwin Klein 2251bf85d1
aarch64 refine: lemmas moved to lib
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:35 +10:00
Gerwin Klein dc4955de6e
aarch64 refine: lemma moved to Word_Lib
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:35 +10:00
Gerwin Klein 5f741944aa
aarch64 refine: move lemmas to lib
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:35 +10:00
Gerwin Klein 62618fc48f
aarch64 refine: improve decode invariance crunch
With adjustment of ARMMMU_improve_cases, the decode functions can all
be done in a single crunch invocation.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:34 +10:00
Gerwin Klein c263749d4f
aarch64 refine: consolidate dmo_invs_no_cicd' lemmas
With a slightly better lifting rule, these can all be grouped and
proved automatically.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:34 +10:00
Gerwin Klein 6bfdecdbf9
aarch64 refine: defer some FIXMEs to CRefine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:34 +10:00
Gerwin Klein 43c0759388
aarch64 refine: leave comment instead of FIXME
Might be useful for later proofs, but no need to fix now.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:34 +10:00
Gerwin Klein cf0e636c0e
aarch64 refine: resolve trivial FIXMEs
These have either already been resolved, are trivial moves within one
theory, or they are questions that the rest of the proof has now
answered.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:34 +10:00
Rafal Kolanski 2e3c97d055
aarch64 refine: Orphanage sorry-free
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-09-27 14:28:33 +10:00
Gerwin Klein 8f2710d54d
aarch64 refine: Detype_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:33 +10:00
Gerwin Klein 1fde0480c7
aarch64 refine: progress in Detype_R
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:33 +10:00
Gerwin Klein ffd038f69e
aarch64 refine: ADT_H sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:33 +10:00
Gerwin Klein a0311bd946
aarch64 refine: Interrupt_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:33 +10:00
Gerwin Klein 1f05109562
aarch64 refine: Ipc_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:33 +10:00
Gerwin Klein da76bcaac8
aarch64 refine: Arch_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:32 +10:00
Gerwin Klein 1fb96c7f1c
aarch64 ainvs: mark addrFromPPtr_mask_ipa
Lemma can potentially be removed if not used in the rest of Refine.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:32 +10:00
Gerwin Klein 0e8048b49e
aarch64 aspec+ainvs: sync user_vtop check with C
The user_vtop check in decode_fr_inv_map_wf can be relaxed from >= to >
as done in Haskell and C.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:32 +10:00
Gerwin Klein 522cef18c1
aarch64 refine: Finalise_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:31 +10:00
Gerwin Klein 73ba0cee03
aarch64 refine: IpcCancel_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:31 +10:00
Gerwin Klein 1f60044d83
aarch64 refine: Schedule_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:31 +10:00
Gerwin Klein 1ea097a7bf
aarch64 refine: Untyped_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:31 +10:00
Gerwin Klein 2ec696f224
aarch64 refine: Retype_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:31 +10:00
Gerwin Klein e74d5fe4b8
aarch64 refine: progress in Retype_R
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:30 +10:00
Gerwin Klein f14217e294
aarch64 refine: progress in Retype_R
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:30 +10:00
Gerwin Klein d16d35ef58
aarch64 refine: VSpace_R sorry-free
Main progress is in VSpace_R, with some fallout in ArchAcc_R, ADT_R, and
Schedule_R for invariant and spec changes.

General obj_at preservation for setVMRoot does not hold and is relegated
to something more specific in Schedule_R.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:30 +10:00
Gerwin Klein c6281810d4
aarch64 aspec+ainvs: add valid_asid_map invariant
Refine needs slightly stricter information about asid maps, in
particular we need to know explicitly that asid 0 never maps to
a VSpace. This is the reverse of valid_vmid_table, but unfortunately
does not fully follow from valid_vmid_table, because there can
be VSpaces mapped without an assigned VMID.

We shift the test for 0 < asid from entry_for_asid to vspace_for_asid
so we can use entry_for_asid in the formulation of the invariant.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:30 +10:00
Gerwin Klein 7713dffccc
aarch64 ainvs: updates for spec change
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:29 +10:00
Gerwin Klein d16b4fd518
aarch64 ainvs: new invariant on vmid_table
The vmid_table never maps ASID 0. We managed to get through AInvs
without this property, but Refine does need it later.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:29 +10:00
Gerwin Klein 7ae4e55594
aarch64 refine: ArchAcc_R sorry-free
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:29 +10:00
Gerwin Klein 6e576674eb
aarch64 refine: invariant update lemmas
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:29 +10:00
Gerwin Klein 322f4f91d6
aarch64 refine: remove pspace_canonical'
This concept no longer makes sense on AARCH64, we will either need to
know that certain addresses are in user_region (which implies
canonical_user, which is more strict than canonical), or we will need
to know they are in the kernel_window, which is also more strict than
canonical. We'll only find out for sure in CRefine.

Both cases are liftable from valid_vspace_uses and
pspace_in_kernel_window from AInvs, so instead of a new invariant, the
plan is to use Haskell assertions to transport the relevant info to
CRefine when needed.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-09-27 14:28:26 +10:00
Rafal Kolanski deade608ac
crefine: change misleading proof step in CSpace_RAB_C
Trying to figure this out was very educational, since ccorres_abstract
was used without intending to abstract a variable, the xf' and lambda
name were both red herrings (in fact, this proof only worked if xf' was
instantiated with an *irrelevant* C local var name), and the body was
not transformed.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-09-15 06:10:04 +10:00
Gerwin Klein 7595c02d49
riscv refine: adjust for (no_asm) in Corres_Method
The (no_asm) for corres goals is now properly enforced, which means
it is now really necessary to provide terminal corres rules in their
proper form.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-08-30 21:59:37 +02:00
Corey Lewis a084de4993
refine: update for changes to nondet monad
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-08-23 11:48:13 +10:00
Gerwin Klein 4d97b26dbf
arm-hyp crefine: proof update for object_type enum reorder
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-08-14 15:51:34 +02:00
Gerwin Klein 71dc79a879
arm crefine: proof updates for object_type enum reorder
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-08-14 15:51:34 +02:00
Gerwin Klein f7c3ee5760
drefine: adjust for object_type enum reorder
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-08-14 15:51:34 +02:00
Corey Lewis 02116815be
proof+autocorres: update for select_wp and alternative_wp
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-08-09 16:42:01 +10:00