Japheth Lim
68ed7b1731
regression: bump timeouts for some builds from 600 to 3600.
2016-02-03 13:00:44 +11:00
Joel Beeren
1d0366ac5e
msi: Restructure IOAPIC, MSI interrupts for x86, fix up ARM proofs for new API
2016-02-02 15:57:28 +11:00
Japheth Lim
253b04f6d9
regression: use CPU instead of real-time timeouts for all tests.
...
Also update and clarify test spec documentation.
2016-02-01 19:51:13 +11:00
Miki Tanaka
b287127924
DRefine and DPolicy finished (includes a small change in ASpec)
2016-01-29 07:11:11 +11:00
Daniel Matichuk
0063075ba4
Merge remote-tracking branch 'verification/master' into arch_split
2016-01-28 18:26:53 +11:00
Daniel Matichuk
ac03bb3dd9
arch_split: everything but WholeSysExamplesC?
2016-01-28 18:26:27 +11:00
Japheth Lim
b9c23eaa74
autocorres-crefine: update another corres_UL that snuck in before rebasing.
2016-01-28 14:30:54 +11:00
Matthew Brecknell
5ede1923a1
port Access proofs to Isabelle2016-RC2
2016-01-28 14:20:20 +11:00
Miki Tanaka
671c5673bd
more fixes in DRefine: some changes in proofs involving uint / unat
2016-01-28 14:07:42 +11:00
Daniel Matichuk
a1f23e5b28
arch_split: DRefine now builds
2016-01-25 18:42:27 +11:00
Daniel Matichuk
7aaa8ed774
arch_split: Access and InfoFlow now build
2016-01-25 18:42:06 +11:00
Miki Tanaka
d11f24a3a1
Refine finished for RC1
2016-01-23 22:51:48 +11:00
Miki Tanaka
674d476d83
option name changed from RC0
2016-01-23 00:34:41 +11:00
Miki Tanaka
b43f41abfd
A few more changes.
...
inj_on_image_set_diff: resolved the injection map lemma application issue in CSpace1_R.thy, CSpace_R.thy
Pair_fst_snd_eq changed to prod_eq_iff in TcbAcc_R.thy, Schedule_R.thy, Retype_R.thy
TrueI removed in Schedule_R.thy
not_leE changed to not_le_imp_less in Retype_R.thy
2016-01-22 15:10:42 +11:00
Miki Tanaka
83574af10e
Invariants_H.thy: inductive definition needs explicit declaration to make xxx_def available
...
CSpace_I.thy: locale qualifier default changed
2016-01-22 15:10:42 +11:00
Japheth Lim
3ede1a33b0
autocorres-crefine: working ccorres for handleYield (modulo some white lies).
...
corres proof by Joel B.
JIRA VER-489
2016-01-22 15:10:02 +11:00
Japheth Lim
65e1f39acb
autocorres-crefine: update CRefine with new corres_UL.
2016-01-22 15:10:02 +11:00
Japheth Lim
1b14082291
autocorres-crefine: add pre-no-fail flag to corres. Updated AI+Refine.
2016-01-22 15:08:14 +11:00
Japheth Lim
7d422a6d57
autocorres-CRefine: cleanup some proofs and validate idealised ccorres.
2016-01-22 15:02:21 +11:00
Japheth Lim
b23b2fa622
autocorres-CRefine: progress on exporting ccorres to autocorres proofs.
2016-01-22 15:02:21 +11:00
Japheth Lim
3a8bc2f81f
Refactor experiments to separate theory. This allows CRefine heap to be used.
2016-01-22 15:02:21 +11:00
Japheth Lim
8277a52b30
WIP experiments: verify backwards compat for my_corres_underlying.
2016-01-22 15:02:21 +11:00
Japheth Lim
b5bbc44703
WIP: Refine_C experiments: corres between DSpec and AutoCorres.
2016-01-22 15:02:21 +11:00
Japheth Lim
10a8b3f3cc
WIP: Refine_C: autocorres experiments.
2016-01-22 15:02:21 +11:00
Japheth Lim
fcf7aff890
Try running AutoCorres at the top of CRefine. Currently, its output is unused.
2016-01-22 15:02:15 +11:00
Daniel Matichuk
b6f6da208e
arch_split: fixed CRefine
2016-01-22 10:34:54 +11:00
Daniel Matichuk
c282969c54
Merge remote-tracking branch 'verification/master' into arch_split
2016-01-21 10:22:48 +11:00
Joel Beeren
919676250c
added use of seL4_arch_invocation_label
2016-01-20 14:54:47 +11:00
Daniel Matichuk
a34de66b9f
arch_split: fix crefine up to Interrupt_C
2016-01-20 14:42:36 +11:00
Daniel Matichuk
a8b7ee4ffe
repairing refine (simplified attribute now solves True)
2016-01-18 16:09:30 +11:00
Miki Tanaka
b7376a56e2
Isabelle 2016 update: minor fixes
2016-01-15 16:03:30 +11:00
Joel Beeren
efb4c61816
archirq: Remove redundant invocation, renamed
...
arch_decode_interrupt_control.
2016-01-14 17:50:33 +11:00
Miki Tanaka
92cde6069f
Isabelle2016: fixed VSpace_AI
2016-01-14 15:17:46 +11:00
Japheth Lim
65e98199e1
regression: adjust unnecessarily large test timeouts.
...
Some tests had timeouts of up to 4 hours. Note that timeouts are
applied on a per-test basis, not per-testsuite. This is now clarified
in the tests.xml documentation.
2016-01-13 16:59:25 +11:00
Joel Beeren
fd477c43f6
get everything building for release
2016-01-13 13:48:06 +11:00
Daniel Matichuk
ca808130e6
repair ARM proofs up to Refine after factoring out architecture
2016-01-13 12:02:12 +11:00
Daniel Matichuk
3be2eaa7b0
repairing AInvs: checks up to the middle of VSpace_AI
2016-01-12 18:10:36 +11:00
Daniel Matichuk
d37a344783
cleanup for prod and when keyword
2016-01-12 16:07:28 +11:00
Daniel Matichuk
b7563eb788
fix lib for isabelle 2016
2016-01-12 14:58:16 +11:00
Joel Beeren
7b1d4a12a6
SELFOUR-114: remove duplicated message_info struct
2016-01-11 14:13:13 +11:00
Japheth Lim
3c4b566484
regression: fix tests.xml dependencies to be consistent with ROOTs.
2016-01-07 18:39:50 +11:00
Joel Beeren
1ccd4f5dcc
conversion: Rationalise standard types
2015-12-10 21:24:22 +11:00
Thomas Sewell
29648ac243
Reduce verbosity in GraphRefine.
2015-12-08 19:36:28 +11:00
Thomas Sewell
15d09a093a
Parallelise GraphRefine in its default run.
2015-12-08 17:39:07 +11:00
Thomas Sewell
175eb2da2d
More fixes for pointer array assertions.
2015-12-03 17:30:08 +11:00
Thomas Sewell
df40425731
Repair SimplExport/GraphRefine.
2015-12-03 16:34:11 +11:00
Thomas Sewell
043a69c81b
Fix Orphanage from array changes, refactor.
...
Some generalisation is done in finaliseSlot_invs'' to avoid
duplicating it in Orphanage and PageTableDuplicates.
Finally cleanup in haskell translation.
2015-12-02 09:15:32 +11:00
Thomas Sewell
860f8f2225
Fixes for merge/rebase with mainline.
2015-12-02 09:15:26 +11:00
Thomas Sewell
375b526b0c
Finally done with array assertions.
2015-12-02 09:08:27 +11:00
Thomas Sewell
7e40646c48
Proof up to Fastpath_C.
...
The very last twist of this: the proof that resolveAddressBits can
be seen as functional needs to change, a lot, because it's now
sensitive to gsCNodes. Still working on that.
2015-12-02 09:07:49 +11:00
Thomas Sewell
22f5f2f005
Further work on array assertions.
2015-12-02 09:07:15 +11:00
Thomas Sewell
4fd43512bb
WIP on handling array assertions. Up to Retype_C.
...
This is quite a lot of work in the end. I've had to gut most of
Retype_C along the way. Nearly done there.
2015-12-02 09:06:06 +11:00
Thomas Sewell
6fa0909124
Partial progress on using array assertions.
2015-12-02 09:05:04 +11:00
Japheth Lim
411ef475dc
crefine: fix theory import path.
2015-11-27 13:55:23 +11:00
Matthew Fernandez
24aaad4f8b
infoflow: Remove a find_theorems invocation.
2015-11-25 10:30:29 +11:00
Matthew Fernandez
d9154d00af
crefine: Remove a find_theorems invocation.
2015-11-25 10:29:22 +11:00
Gerwin Klein
7bc4236077
remove accidentally committed file
2015-11-25 09:54:30 +13:00
Gerwin Klein
0f2d557679
terminology in comments: async ep -> notifications
2015-11-24 16:58:22 +13:00
Gerwin Klein
df519ffd25
avoid `make` warning, remove SimplExportOnly from HEAPS
...
Make ignores the HEAPS rule for SimplExportOnly anyhow (as it should).
2015-11-20 16:02:14 +11:00
Gerwin Klein
ac632c5aaa
Wait -> Recv: update proofs
2015-11-20 16:02:14 +11:00
Joel Beeren
457a55a831
add arch_tcb object to C, rename aep -> ntfn
2015-11-20 16:02:13 +11:00
Rafal Kolanski
ac9c3bb1a3
Remove sorry on clz_spec (C parser changes allow it to be proved now).
...
(with some magic from Thomas)
2015-11-20 15:58:15 +11:00
Thomas Sewell
7f664edf13
One more fix for strengthen change.
2015-11-02 16:02:03 +11:00
Thomas Sewell
314a46ee6f
One last fix, hopefully.
2015-11-02 10:52:06 +11:00
Thomas Sewell
bdd8819f50
More minor adjustments.
2015-10-30 12:22:55 +11:00
Thomas Sewell
7c3a06a8d7
Minor adjustments caused by Strengthen changes.
2015-10-29 11:27:54 +11:00
Rafal Kolanski
d3f3acb9fc
Fix up CRefine after seL4_NBWait merge.
2015-10-22 07:45:49 +11:00
Rafal Kolanski
d51402a5a2
Merge remote-tracking branch 'verification/master' into priority-bitmap
...
(seL4_NBWait)
2015-10-21 16:23:01 +11:00
Rafal Kolanski
c94b27b7ae
priority-bitmap: clean up CRefine
...
Cleaned up proof of tcbSchedDequeue_ccorres' (still ugly)
2015-10-21 16:22:11 +11:00
Joel Beeren
e403eb8f0a
poll: added non blocking sync wait
2015-10-21 14:24:49 +11:00
Joel Beeren
d6f7579be7
poll: Added new syscall for polling async endpoints (non-blocking wait)
2015-10-21 14:24:49 +11:00
Rafal Kolanski
6f8cdae201
priority-bitmap: clean up Refine (i.e. "FIXME RAF")
2015-10-21 13:38:29 +11:00
Rafal Kolanski
c1eb235105
Merge 'verification/master' into priority-bitmap
...
Green build except for:
CParserTest (WTF Duplicate fact declaration "dc_20081211.dc_20081211.test_modifies")
AutoCorresSEL4 (waiting on result)
There is still a carefully managed sorry in Schedule_R, waiting on the C
parser FNSPEC+DONT_TRANSLATE fix.
2015-10-21 06:19:20 +11:00
Rafal Kolanski
fca34f4a7f
priority-bitmap: TEMPORARY SORRY FOR JIRA VER-464
...
In Schedule_C:
(**** FIXME FIXME FIXME ***)
(* As per JIRA VER-464, the C Parser does not handle
DONT_TRANSLATE+MODIFIES+FNSPEC correctly. This is the spec given in util.h
in seL4 for clz. We do not get that spec back at present.
In order to have a working build until the C parser is fixed, we sorry this
proof. My apologies.
*)
2015-10-20 23:52:14 +11:00
Rafal Kolanski
3230d601ae
priority-bitmap: Update InfoflowC
2015-10-20 23:52:14 +11:00
Rafal Kolanski
930a2ff179
priority-bitmap: Update Haskell->C refinement
...
(modulo clz_spec locale problem)
2015-10-20 23:52:07 +11:00
Rafal Kolanski
7860bd4351
priority-bitmap: move word_log2/clz to WordLemmaBucket
...
Resolves some FIXMEs in Schedule_R.
2015-10-20 23:50:37 +11:00
Rafal Kolanski
2a9d3022f2
priority-bitmap: Update abstract->Haskell refinement
...
Added word_log2 and word_clz (inline for now, will migrate them out to
lib later).
Proved most important properties of word_log2 and some basic
count leading zeros properties (word_clz). The former were painful.
Thanks to Thomas, we have a nice tactic for dealing with complicated
obj_at' predicates in conclusion: normalise_obj_at'
2015-10-20 23:40:44 +11:00
Joel Beeren
d0693fc7d5
fix CRefine after libseL4 NotificationObject terminology update
2015-10-14 14:00:27 +11:00
Joel Beeren
38fe85e784
aep-binding: cleanup v3
2015-10-07 15:02:26 +11:00
Joel Beeren
038891ac7b
aep-binding: more cleanup
2015-10-07 14:57:55 +11:00
Joel Beeren
e3704742f0
aep-binding: cleanup
2015-10-07 14:18:09 +11:00
Joel Beeren
4525a78c0f
aep-binding: removed quick and dirty from AInvs build options
2015-10-07 13:58:11 +11:00
Daniel Matichuk
c8d0692008
sys-init now checks
2015-09-22 12:14:27 +10:00
Daniel Matichuk
dab3914e95
change sending on a bound async ipc to avoid revoke_cap
2015-09-21 17:18:37 +10:00
Joel Beeren
21f429fe60
aep-binding: finished InfoFlowC
2015-09-18 13:54:01 +10:00
Ramana Kumar
e6eb9c837c
aep-binding: finish Bisim
...
with help from Dan
2015-09-18 11:08:32 +10:00
Ramana Kumar
1ae434b9d5
aep-binding: attempted progress on Bisim, 1 sorry remains
...
assumptions include aep_obj aep = IdleAEP and aep_bound_tcb aep = Some
x, which I guess is probably a contradiction, but I don't know how to
prove that.
2015-09-17 17:55:57 +10:00
Joel Beeren
8fa63f07ba
aep-binding: finished infoflow
2015-09-16 11:41:01 +10:00
Daniel Matichuk
478ce437fe
removed sorry
2015-09-16 11:19:49 +10:00
Daniel Matichuk
90a719dcf4
Merge branch 'aep-merge' of github.inside.nicta.com.au:seL4/l4v into aep-merge
...
Conflicts:
proof/infoflow/PolicySystemSAC.thy
2015-09-16 11:10:08 +10:00
Daniel Matichuk
aa1014d0d0
update SAC for coarser subjectAffects policy
2015-09-16 11:04:29 +10:00
Ramana Kumar
ef5f419885
update rm_affects (also now affects more)
2015-09-16 10:43:03 +10:00
Joel Beeren
9bcb5cb7b7
aep-binding: fixed crefine, drefine, dpolicy with new decode_bind_aep definition
2015-09-16 10:35:31 +10:00
Ramana Kumar
1812925265
update r_affects (in SAC example) for aep binding
...
r now affects more
2015-09-16 10:24:29 +10:00
Daniel Matichuk
8109a05468
fixed Example_Valid_State.thy
2015-09-15 18:10:26 +10:00
Ramana Kumar
45629a38cc
some progress fixing PolicySystemSAC
...
had to change definition of abd_affects_set
work done with Dan
2015-09-15 18:07:36 +10:00
Daniel Matichuk
8dfb775f34
finished Noninterference.thy
2015-09-15 16:31:40 +10:00
Joel Beeren
f117c99903
aep-binding: updated AInvs, Access, Refine for new decodeBindAEP
2015-09-15 16:31:14 +10:00
Daniel Matichuk
50adc350d9
Syscall_IF building (1 sorry in decode)
2015-09-15 12:04:46 +10:00
Daniel Matichuk
8451c17837
fixed decode with sorry
2015-09-15 12:02:26 +10:00
Ramana Kumar
53919eda6e
handle_wait_globals_equiv
2015-09-15 11:53:40 +10:00
Ramana Kumar
2de96bb5bf
handle_wait_reads_respects_f
...
most of the hard work done by Dan
2015-09-14 18:38:49 +10:00
Daniel Matichuk
229f521d3b
finished Ipc_IF
2015-09-14 15:54:17 +10:00
Ramana Kumar
1bde303763
receive_ipc_reads_respects
2015-09-14 11:58:09 +10:00
Ramana Kumar
cfc5841b38
complete_async_ipc_reads_respects
2015-09-14 09:47:46 +10:00
Daniel Matichuk
f956842e93
finished send_async_ipc_reads_respects
2015-09-11 15:54:53 +10:00
Ramana Kumar
0fb88ea01c
Merge branch 'master' into aep-merge
...
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
2015-09-10 17:06:45 +10:00
Ramana Kumar
d88a931ec7
history squashed patch for aep-binding
2015-09-02 15:43:39 +10:00
Thomas Sewell
3c85373823
Treat SimplExportOnly specially in proof Makefile.
...
SimplExportOnly builds both a (useless) Isabelle image and a (useful) output
file. We need to adjust the build command to ensure the file actually gets
built if the image already existed.
2015-09-01 18:25:32 +10:00
Thomas Sewell
09e155d59d
Repair crefine for fastpath changes.
2015-08-21 14:48:55 +10:00
Thomas Sewell
2619356d07
Configure SimplExport targets in proof/Makefile.
2015-08-21 13:56:24 +10:00
Thomas Sewell
bd928d1793
Try to avoid emitting const-globals via memory.
...
Sometimes it's simpler to access an unknown field of a const
global by just computing the offset from its symbol in memory
and assuming the relevant words are in the .rodata section. But
for known fields, it's easier to just figure out what the
constant value is. This complicates the proof slightly, since
it has to guess which case it is in.
2015-08-17 23:35:06 +10:00
Thomas Sewell
5f4a25b078
Improve guard handling in GraphRefine.
...
Needed for recent changes to how global validity assertions are
generated.
2015-07-28 22:43:03 +10:00
Joel Beeren
3372cd32a8
SELFOUR-220: When calling handleWait, only delete the
...
TCB's ReplyCap when actually waiting on a synchronous
endpoint.
2015-07-23 14:45:17 +10:00
Thomas Sewell
440081c0f4
Add a gsMaxObjectSize as needed.
2015-07-17 14:30:08 +10:00
Thomas Sewell
af86632985
Fix remaining sorries in crefine.
2015-07-16 14:44:56 +10:00
Thomas Sewell
0b5182bd84
More adjustments to graph export/refine.
2015-07-16 13:44:25 +10:00
Thomas Sewell
b5f796184a
Repair spec/refine, I think.
2015-07-15 17:25:47 +10:00
Thomas Sewell
e9180d5cb5
Repair refine/crefine for WCET annotations.
2015-07-14 14:23:29 +10:00
Thomas Sewell
ca4391881c
WIP on WCET annotations.
2015-07-14 14:23:29 +10:00
Daniel Matichuk
d9bef8965c
Moved wp-specific eisbach methods higher up import chain
2015-07-10 12:51:15 +10:00
Daniel Matichuk
30db9bb7a5
ArchAcc_AI checks with new subgoal command
2015-07-08 15:44:34 +10:00
Daniel Matichuk
2b10a875ca
some usage of subgoal command
2015-07-08 15:44:33 +10:00
Matthew Fernandez
d7e874c833
Access: Fix trivial comment typo.
2015-07-01 10:51:04 +10:00
Toby Murray
b7f679338d
remove long-broken and unused Residual.thy
2015-06-25 16:35:32 +10:00
Gerwin Klein
f95b9dad9b
infoflow: remove unused theory
2015-05-28 14:21:54 +10:00
Gerwin Klein
cfec9ea0db
Merge branch 'master' into 2015
2015-05-28 11:45:13 +10:00
Joel Beeren
002cf370bb
Updated proof with new fastpath changes removing setCurrentASID and armv_contextSwitch_fp
2015-05-28 11:30:22 +10:00
Gerwin Klein
ce51c71fc7
crefine: remove unused ML file
2015-05-22 12:52:35 +10:00
Gerwin Klein
7a8f9cfab6
record more dependencies to avoid redundant rebuilds
2015-05-22 11:48:11 +10:00
Gerwin Klein
c6564cb4cb
infoflow: 2015 update for infoflow C refinement
2015-05-20 21:10:59 +10:00
Gerwin Klein
d4be402559
crefine: even more complete 2015 update
2015-05-20 21:03:48 +10:00
Gerwin Klein
bfef1e10d3
crefine: 2015 update complete
2015-05-20 20:39:47 +10:00
Gerwin Klein
eea646c84a
crefine: 2015 update up to Tcb_C
2015-05-18 09:11:43 +10:00
Gerwin Klein
cba6a4f59e
infoflow: minor cleanup
2015-05-16 21:49:01 +10:00
Gerwin Klein
a6f1ab41f8
ainvs: some more cleanup
2015-05-16 21:48:24 +10:00
Gerwin Klein
12fa86863a
fewer warnings
2015-05-16 19:52:49 +10:00
Gerwin Klein
b46bc4e78d
infoflow: 2015 update (apart from C refinement)
2015-05-16 18:14:59 +10:00
Gerwin Klein
c124554d83
Dpolicy 2015 update
2015-05-14 18:56:32 +02:00
Gerwin Klein
164f1db611
proof/capDL-api: 2015 update
2015-05-14 11:41:20 +02:00
Gerwin Klein
330e730fa3
retire old obsolete ADT refinement phrasing
...
The observable state has been strengthened significantly years ago and
this theory has fallen into disrepair. The toplevel refinement statement
here was nicely concise for a paper, but the practical value is in the
much stronger corres statement, so instead of attempting proof
acrobatics with a new observable state, I'm retiring this theory.
2015-05-13 10:49:30 +02:00
Gerwin Klein
f6124669fc
2015 update for DRefine
2015-05-13 09:52:32 +02:00
Gerwin Klein
0c67e0bfa1
2015 update for Refine
2015-05-12 17:17:31 +02:00
Gerwin Klein
177e5bf185
2015 update for access
2015-05-06 13:46:20 -04:00
Gerwin Klein
baa5791918
Isabelle2015 update: Bisim
2015-04-19 10:25:42 +01:00
Gerwin Klein
42e037ea9d
Isabelle2015 update: AInvs
2015-04-19 10:25:21 +01:00
Gerwin Klein
f9e40c29db
cleanup: there already is a separate Bisim session
2015-04-19 10:24:42 +01:00
Gerwin Klein
17826f9b49
more Isabelle2015 update; AInvs up to (excluding) Syscall_AI
...
also includes some global replacements
2015-04-18 21:51:26 +01:00
Gerwin Klein
22af66555c
remove even arch calls from separation kernel setup
...
(patch by Simon Winwood)
2015-04-10 17:39:24 +10:00
Daniel Matichuk
a221a52350
Added new proofcount tool to "tools" and removed old one from "lib".
...
Removed reference to old proof_counting from proof/ROOT and spec/ROOT
2015-02-11 17:46:34 +11:00
Gerwin Klein
2e58320711
adjust for seL4 rev 28d7fda6a9128efe
2015-01-10 08:34:52 +11:00
Gerwin Klein
0466161f2d
CRefine for XN
2014-11-28 08:58:57 +11:00
Gerwin Klein
29eb636d31
re-establish InfoFlow; generalising ptable_xn
...
UserOp_IF had its own way of extracting the XN bit from page tables.
This is now unified with the existing functions in ADT_AI, which also
means that the proof for XN bit equality is basically the same as for
pt_rights and pt_lift.
2014-11-28 08:58:57 +11:00
Gerwin Klein
7e7d39c24e
enable XN in abstract spec; update AInvs and Refine
2014-11-28 08:58:57 +11:00
Gerwin Klein
57bef16d8e
sync Makefile and test.xml
2014-11-23 19:54:59 +11:00
Gerwin Klein
118093af99
add capDL separation logic to regression test
2014-11-23 15:03:35 +11:00
Gerwin Klein
ee94da7473
de-bitrot DPolicy; add back into regression
2014-11-23 14:52:21 +11:00
deang
f9b9f9ba53
infoflow: remove s0_ptrs_distinct from Example_Valid_StateH
...
subsumed by distinct command in Example_Valid_State
2014-11-19 16:01:49 +11:00
deang
77c600038f
infoflow: fixed and added Example_Valid_StateH to testing
...
Some of the noninterference results depend on executions at the haskell level starting at a valid initial state. This file demonstrates this condition being realised.
2014-11-18 17:39:17 +11:00
Gerwin Klein
dfa9c09892
abstract Haskell init parameters into constants
2014-11-06 18:48:36 +11:00
deang
f9ea932cfb
noninterference: remove duplicate lemmas
...
Some redundant duplicate lemmas with duplicate names were proven under locale contexts 'unwinding_system' and 'complete_unwinding_system'.
2014-11-03 13:14:18 +11:00
David Greenaway
127c7cd63e
infoflow: trivial: Add some comments to "do_user_op_if" definition.
2014-10-27 09:31:31 +11:00
David Greenaway
759a7fa8cb
infoflow: trivial: Add some minor comments to "Noninterference_Base.thy".
...
Added while trying to work out some details. Perhaps more useful than
not?
2014-10-16 17:09:11 +11:00
deang
77f85b334d
trivial: typo in comment
2014-10-14 17:29:47 +11:00
deang
6df2eb6cf9
infoflow: weakened assumptions for c refinement of infoflow adts
...
The fact that the C infoflow adt refines the abstract infoflow adt now only requires that the given user operation is nonempty and not sane (nonempty and doesn't return an interrupt).
Also added some more general lemmas about fw_sim and refinement to lib/Simulation.thy.
2014-10-14 17:01:11 +11:00
David Greenaway
6c915fa629
infoflow: Move "EquivValid" out of "infoflow/", into "lib/".
...
More importantly, remove seL4 from the dependencies of "EquivValid", so
others can use it.
Also, we fixup the fallout.
2014-10-13 11:05:31 +11:00
David Greenaway
b0832637e6
infoflow: Change definition of "the_nat_to_bl" to avoid undefined outputs.
...
...and clean up some fallout.
In particular, we now say that the output of "nat_to_bl sz n" is taken
to be the bitlist of "n mod 2^sz", so the output is always defined.
The idea is to remove the undefinedness of "the_nat_to_bl" so that it is
easier to generate simp rules for it; some of these are developed in the
theory below, and simplify some of the more concrete infoflow proofs.
2014-10-07 08:59:17 +11:00
David Greenaway
bf2d517009
infoflow: Use the "distinct" command in "Example_Valid_State".
...
Use the previously-added "distinct" command to simplify the
"Example_Valid_State" proof. This brings quite significant speedups as
it means that raw definitions need not be unfolded, and hence automated
tactics don't get side-tracked with their numerical definitions.
2014-10-07 08:59:17 +11:00
David Greenaway
1f16bc8c2b
access: Remove now-redundant "apply blast".
...
Previously introduced "simp" rule makes this command redundant.
2014-10-01 17:43:11 +10:00
Thomas Sewell
a818e13e3e
Don't reuse the s_footprint_intvl theorem name.
2014-10-01 11:16:40 +10:00
Thomas Sewell
665a3c15a0
Restore global valid assertions in graph refine.
...
The global-object pointer validity assertion is now created at
export time, and the graph refine mechanism now proves them. It
seems they were forgotten about once again in adjusting the globals
logic.
2014-09-30 16:09:22 +10:00
David Greenaway
0288aeb1b8
bisim: Isabelle 2014 changes.
2014-09-24 12:24:00 +10:00
David Greenaway
df8237c08a
drefine: Isabelle 2014 changes.
2014-09-24 12:21:10 +10:00
Thomas Sewell
60f06246c7
Commit some of the GraphRefine testing rig.
...
Otherwise I have to fetch this out from history every
time that SEL4GraphRefine breaks.
2014-09-23 16:40:07 +10:00
David Greenaway
0c004d2a93
Merge branch 'master' into 'isabelle-2014'.
...
Conflicts:
proof/drefine/Arch_DR.thy
proof/drefine/Finalise_DR.thy
proof/drefine/StateTranslation_D.thy
sys-init/DuplicateCaps_SI.thy
sys-init/Proof_SI.thy
tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-23 14:31:33 +10:00
David Greenaway
22b9118432
infoflow: Fix non-terminating proof for Isabelle 2014.
...
Remove useless ROOT.ML file, while I am here.
2014-09-19 14:33:54 +10:00
Thomas Sewell
f59767cdac
Slight fudges for Fastpath use with PIDE.
2014-09-18 20:12:43 +10:00
Thomas Sewell
4a56fb49f9
Fix a triviality in Interrupt_C.
2014-09-18 19:30:32 +10:00
Andrew Boyton
ea58753cd7
Merge branch 'cdl_page_map_cancel'
...
Merge in the setting of registers and the starting of threads in the system initialiser.
2014-09-18 17:21:17 +10:00
Andrew Boyton
2b7b258997
sys-init: Prove the starting of threads is done correctly.
...
We no longer assume the starting of threads, but prove it correct
(assuming the behaviour of the scheduler).
2014-09-18 12:30:04 +10:00
David Greenaway
cc71c3aadf
drefine: More updates for Isabelle 2014.
2014-09-18 11:04:47 +10:00
David Greenaway
cf0d1abce6
Merge 'master' into 'isabelle-2014'.
...
Conflicts:
proof/crefine/Fastpath_C.thy
proof/drefine/KHeap_DR.thy
proof/infoflow/Noninterference.thy
spec/design/version
sys-init/DuplicateCaps_SI.thy
sys-init/InitTCB_SI.thy
sys-init/Proof_SI.thy
tools/asmrefine/SimplExport.thy
tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-17 14:21:13 +10:00
David Greenaway
e141eecca8
infoflow: Port to Isabelle 2014.
2014-09-16 10:39:22 +10:00
Gao Xin
f014045e52
merge
2014-09-12 16:23:44 +10:00
Gao Xin
0199c5c19c
Fix seL4_TCB_Resume
2014-09-12 15:28:47 +10:00
Andrew Boyton
ded25f4067
sys-init: Refactor the writing of registers to happen earlier, and prove correctness.
2014-09-12 15:15:43 +10:00
David Greenaway
730825abe5
capDL-api: Port to Isabelle 2014.
2014-09-12 11:40:28 +10:00
David Greenaway
5af2327de4
crefine: Port fastpath proof and final refine theorem to Isabelle 2014.
2014-09-12 09:56:06 +10:00
David Greenaway
452a4ce943
crefine: Remove stray "goals_limit = 1".
2014-09-12 09:04:33 +10:00
David Greenaway
03b1952aaa
crefine: Port CRefine to Isabelle 2014.
2014-09-11 16:57:59 +10:00
Gao Xin
5015f53d95
fix seL4_TCB_WriteRegisters
2014-09-10 17:30:35 +10:00
Gao Xin
47662af345
fix DSpecProofs
2014-09-09 15:57:52 +10:00
Thomas Sewell
2825c9a403
Make regression test more likely to pass.
2014-09-09 14:37:18 +10:00
Andrew Boyton
7167ea42ac
CapDL: Made IRQ Nodes a new object type, not a small CNode.
...
IRQ Nodes are now their own object type in capDL. This makes it much easier
to distinguish between "real" CNodes and IRQ Nodes.
Updated:
* the capDL refinement,
* the access proofs, and
* the system initialiser.
2014-09-09 14:07:50 +10:00
Thomas Sewell
083a4b68d7
Really add binary verification to regression test.
2014-09-08 16:23:10 +10:00
Thomas Sewell
41c0e994ad
Make SIMPL->Graph regression testable.
2014-09-05 19:10:03 +10:00
Gao Xin
77dd554227
page_map_unmap_cancel : cdl spec changed and drefine fixed.
2014-09-05 14:48:22 +10:00
Thomas Sewell
4c7ef803d7
SEL4GraphRefine now completed.
...
These final changes complete the SEL4GraphRefine process. Some
cleanup remains to be done, especially in SEL4GlobalsSwap, but the
process is now mature and working, and the testing code
in SEL4GraphRefine can be discarded.
Success depends on seL4 commit 97d6bc96d54f1f0beafb25033b03b57ba54a5113
which is compatible with crefine and will be included in the repo
manifest immediately.
2014-09-03 17:38:45 +10:00
Joel Beeren
a5f2cab271
Merge branch 'master' into ioapic
2014-09-02 11:13:55 +10:00
Thomas Sewell
caf0529c7f
Move burden of 'halt' proof, use less modifies.
...
In detail:
- add a general user-specified exception to c_exntype
(for use in tools like Substitute)
- wrap calls to 'halt' in Guard {}, making it clearer that
halt is never called, simplifying asmrefine
- repair halt changes in crefine
- avoid use of some suspicious 'modifies' properties in crefine
which were generated by the parser for functions where inline
ASM blocks have been elided, and which may be inaccurate.
2014-08-29 13:57:28 +10:00
Joel Beeren
463df8e083
Merge branch 'master' into ioapic
2014-08-29 13:14:53 +10:00
Joel Beeren
b3e2eb1f9d
ioapic: finished up to InfoFlowC
2014-08-28 15:56:26 +10:00
Thomas Sewell
0346fb20b6
SIMPL->Graph proofs largely working.
2014-08-27 15:30:34 +10:00
Thomas Sewell
0c52978dd8
More asmrefine work, global swapping ready.
2014-08-21 14:13:46 +10:00
Gerwin Klein
f1d808c96a
integrate separation kernel config proofs
...
Hooked up into build system and regression test; added READMEs
2014-08-13 22:08:46 +10:00
Thomas Sewell
71e7dcc319
Fix Access, InfoFlow and DRefine.
2014-08-13 16:45:40 +10:00
Gerwin Klein
3556bee2dc
github import of static cap config proofs
2014-08-13 15:31:21 +10:00
Thomas Sewell
9b01fada15
Refine working.
2014-08-11 18:51:04 +10:00
Thomas Sewell
fc6e57716a
Proof updates, working as far as AInvs.
2014-08-11 14:50:56 +10:00
Gerwin Klein
ded3a4a86f
option_map_def -> map_option_case for 2014-RC0
2014-08-09 21:09:37 +10:00
Gerwin Klein
1af1d2b67b
some of the global Isabelle2014 renames
...
option_case -> case_option
sum_case -> case_sum
prod_case -> case_prod
Option.set -> set_option
Option.map -> map_option
option_rel -> rel_option
list_all2_def -> list_all2_iff
map.simps -> list.map
tl.simps -> list.sel(2-3)
the.simps -> option.sel
2014-08-09 15:39:20 +10:00
David Greenaway
0fb7a8084d
misc: Proofing and formatting of README.md files.
...
Attempt to improve readability of the files when viewed as plain ASCII;
proof-read and fix minor issues.
2014-07-28 13:15:48 +10:00
Andrew Boyton
63c6ef2785
Updated READMEs for capDL-api and sep-capDL, and added one for sys-init.
2014-07-26 12:28:38 +10:00
Toby Murray
35b6099732
remaining README.md for proof/
2014-07-25 11:51:31 +10:00
Corey Lewis
1421b09366
Even more cleanup of drefine.
2014-07-25 11:23:24 +10:00
Andrew Boyton
c060f715db
Add a top-level file for the capDL API proofs.
2014-07-24 19:56:24 +10:00
Toby Murray
283b54b351
comment to explain different do_user_op function in infoflow ADT
2014-07-24 14:53:57 +10:00
Toby Murray
93375ba96d
Initial README.md files for proof/
2014-07-24 13:31:57 +10:00
Corey Lewis
ffb0d165f6
Some more cleanup of drefine.
2014-07-23 15:29:20 +10:00
Andrew Boyton
add3ea9cd5
sys-init: Show the separation algebra for capDL is a cancellative separation algebra.
...
* The separation algebra for capDL is also a cancellative separation algebra.
* The arrows are strictly_exact, meaning they describe only a single heap.
* Since we have a cancellative separation algebra, this means the arrows are also precise.
2014-07-23 15:20:52 +10:00
Gerwin Klein
154da63715
remove old levity and taint-mode comments
2014-07-22 18:10:28 +02:00
Gerwin Klein
50dda7708c
comment cleanup
2014-07-22 18:10:20 +02:00
Andrew Boyton
acf0abe16a
Cleanup of a number of definitions of the separation algebra for capDL.
...
* The definitions of the separation "arrows" are slightly nicer and more consistent.
- We have a nicer correspondence between sep_map_c and sep_map_s.
- sep_map_irq now specifies exactly what the IRQ table contains
(that it *only* has one entry, not that it contains at least that entry).
- Nicer LaTeX output for the arrows.
* A number of minor renamings of constants and types.
- cdl_component => cdl_component_id
- sep_entity => cdl_component
- state_sep_projection => sep_state_projection
- obj_to_sep_state => object_to_sep_state
* Removed a few unused lemmas.
2014-07-22 14:37:37 +10:00
Gerwin Klein
a6d4ed8151
Merge branch 'getpaddr-merge'
2014-07-18 17:31:09 +02:00
Gerwin Klein
9d9a325032
Updates for getpaddr system call (by Joel Beeren)
2014-07-18 17:21:34 +02:00
Corey Lewis
07b85fe034
Move some more lemmas into lib.
2014-07-18 17:23:07 +10:00
Gerwin Klein
84595f4233
release cleanup
2014-07-17 18:22:50 +02:00
Gerwin Klein
2a03e81df4
Import release snapshot.
2014-07-14 21:32:44 +02:00