Previously, the C kernel maintained a global pointer to the IRQ node.
This pointer was only initialised during boot, when the actual IRQ node
was dynamically allocated from untyped memory.
The C kernel now includes a statically allocated IRQ node, which is just
a suitably sized array of CTEs. This commit updates the proofs to verify
this change to the C kernel.
arm ainvs: cleanup
Abbreviate Hoare triples that do not care about the return value and
whose pre and post conditions are the same.
x64 ainvs: cleanup
ainvs: cleanup
x64 ainvs: cleanup
drefine: cleanup
Added set_object_wp_strong, which infers from a given Hoare triple with
command set_object that an object of the same type already exists in the
heap, and hoare_set_object_weaken_pre, which does the same thing but can
be applied on top of existing lemmas about set_object.
ainvs: improve proof of set_thread_state_runnable_valid_blocked
ainvs: change return value to a more general one
in_set_object has a return value that is empty '()', but the theorem
still holds true when this is replaced with a generic parameter 'rv',
making it easier to use this lemma.
ainvs: trivial - updated style of proof
ainvs: strengthen set_object_idle lemma
Add conditions imposed by valid_idle into precondition.
Thank you to Matt Brecknell for the help.
ainvs: abbreviated Hoare triples and proof fix
ainvs: restated set_object_wp_strong with auxiliary lemmas
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Move in a few set_object and set_aobject theorems from x64 theory files
as these theorems were architecture generic.
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Removed update_object, which does the same thing as the new version of
set_object, and replaced it with set_object.
x64 ainvs: update for new definition of set_object
Rename legacy update_object definitions to set_object definitions and
remove related lemmas (to move up into architecture generic
KHeap_AI.thy). Remove simpler_defs as the set_object definitions are now
equivalent.
x64 ainvs: move x64 specific lemma back to ArchKHeap_AI
set_aobject_valid_arch moved back after confirmation with Matt Brecknell
that it is x64 specific.
x64 ainvs: update for new definition of set_object
Fixed some proofs as a result of removing set_arch_obj_simps from the
simp set.
VER-1072: Something in the recent C parser changes has increased the
time taken by SimplExportAndRefine by around 30%. This is a quick fix
for the regression timeouts while we take a closer look.
Increased to 8 hours.
Just because we *can* extend the core SML `List` signature, that doesn't
mean we *should*. It's a neat trick, but it makes it harder to find uses
of the new modules, and obfuscates definitions for very little gain.
Previously, tactics like `ctac` and `csymbr` would use definition names
to produce new bound variables. Now that the C parser always emits long
name *definitions* and short name *aliases*, we adjust these tactics to
try to shorten any new names they produce.
A lot of the proofs in SysInit and DRefine previously had to unfold opt_object,
which was really just an alias for cdl_objects with the arguments in the
opposite order! This commit deletes opt_object in favour of using cdl_objects
directly, which should slightly reduce the burden of unfolding.
Addresses issue VER-1036.
Previously, there were pointer alignment invariants in valid_pte, etc.
However, these had two problems:
1. valid_pte was conditioned on the PTE being mapped, so we couldn't
rely on PTE pointers being aligned unconditionally (see VER-1036).
2. The existing alignments were actually incorrect for large pages.
Proofs that needed the true alignments obtained them from other
parts of invs (e.g. valid_objs).
This commit moves the alignment invariants to wellformed_pte, etc.
and changes them to use the correct values.
Recent changes to the C kernel mean that various structures and
constants are generated from DTS files. In particular, verification now
sees interrupt identifiers as integer literals instead of defined
constants.
The proof structure still largely follows Thibaut's scheme; this commit
merely adds some speedup, style cleanup, and documentation.
Unfortunately, the proof state seems to be just large enough that the
built-in record update ruleset runs into limitations, and the standard
clasimp tactics start to fail on subgoals in an unpredictable way.
This is ostensibly more principled than the earlier proof, which simply
unfolded all the monad combinators. However, there was also no existing
framework for using monad_commute, so we need to make one up just to
do this single proof.