6bfa3bd7a5
proof/ROOT: remove unnecessary quick_and_dirty
2018-08-20 09:06:37 +10:00
a64ac59d47
Isabelle2018: DSpecProofs
2018-08-20 09:06:37 +10:00
1a82f8bdd8
Isabelle2018: SepDSpec
2018-08-20 09:06:37 +10:00
296043b7e8
Isabelle2018: InfoFlow
2018-08-20 09:06:36 +10:00
08027d4afa
Isabelle2018: Access
2018-08-20 09:06:36 +10:00
77ef6a3506
Isabelle2018: DPolicy
2018-08-20 09:06:36 +10:00
1e8a7505ef
Isabelle2018: DRefine
2018-08-20 09:06:36 +10:00
a7782f4af4
Isabelle2018 x64: Refine
2018-08-20 09:06:36 +10:00
0c407a64d9
Isabelle2018 arm_hyp: Refine
2018-08-20 09:06:36 +10:00
9646c3a315
Isabelle2018 arm: Refine
2018-08-20 09:06:36 +10:00
590b83ceb7
Isabelle2018 arm: AInvs
2018-08-20 09:06:36 +10:00
75b38be012
Isabelle2018: new AsmRefine session + test
2018-08-20 09:06:36 +10:00
6b9d9d24dd
Isabelle2018: new "op x" syntax; now is "(x)"
...
(result of "isabelle update_op -m <dir>")
2018-08-20 09:06:35 +10:00
011e08458e
Isabelle2018: new comment syntax
...
(result of "isabelle update_comments <dirs>")
2018-08-20 09:06:35 +10:00
2d39b88dfb
proof/ROOT: proper document_files for bisim session
2018-08-20 09:06:34 +10:00
8c19ee35b0
proof/ROOT: comment out unused AutoLevity sessions
2018-08-20 09:06:34 +10:00
c6981d5556
x64 refine: add IOPortControl to EmptyFail_H
2018-08-20 09:06:34 +10:00
7cd5538934
arm_hyp refine: prove EmptyFail_H
...
This theory is part of the Refine session, but only used in InfoFlow,
which is why it has been missed so far.
2018-08-20 09:06:34 +10:00
24e80f8034
proof/ROOT: make parent sessions available
2018-08-20 09:06:34 +10:00
6486bad264
lib: make Lib session a test dependency
...
Also ensure that the C parser is built before Lib, because it depends
on generated grammar files that need `make'.
2018-08-20 09:06:34 +10:00
b5cdf4703f
globally use session-qualified imports; add Lib session
...
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
2018-08-20 09:06:34 +10:00
2151a57c51
x64: crefine: move two lemmas up to CSpaceAcc_C
2018-08-17 15:41:12 +10:00
4ddf8ec2e4
x64: crefine: remove needless `unwrap_or` def
2018-08-17 15:41:12 +10:00
9a4d2677e3
lib+spec: move definition of machine_word to Word_Lib
...
JIRA VER-963
2018-08-06 11:22:52 +10:00
5ae7cc23b1
aspec: msg_align_bits and related are arch independent
...
While the numerical value is arch dependent, the definition and symbolic value
are not. This commit factors out the symbolic computation and only unfolds the
numeric value in the architecture dependent spec.
2018-08-06 11:22:51 +10:00
ead3e6fdc4
aspec: message_info_to_data is mostly arch independent
...
Factored out msg_label_bits, which is the only architecture specific part.
2018-08-06 11:22:51 +10:00
8f1122270c
aspec/ainvs: move TLS/ipc buffer FIXME to appropriate position in ADT_AI
2018-08-06 11:22:49 +10:00
26049db669
Repair proofs for wpsimp/crunch changes.
...
A handle of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
2018-08-03 18:25:30 +10:00
8392624f6c
infoflow: hacky speedups for Noninterference.thy
...
This speeds up a bunch of the slowest uwr and automaton proofs in
Noninterference, mainly by adjusting the simp depth limit to avoid
unneeded backtracking. Inspired by a rant from Tom Sewell.
2018-08-02 16:53:04 +10:00
31737df065
infoflow: improve header comment for Noninterference.thy
2018-08-02 16:53:04 +10:00
166af9e5ee
access, infoflow: cleanup from previous commit; some style cleanup
2018-08-02 16:53:04 +10:00
a6c11a2b28
access-control, infoflow: use generic relation for pasDomainAbs
...
This patch generalises the mapping between authority labels and
scheduler domains, so that the access-control integrity property still
holds when labels are not partitioned into domains. This lets us use
the integrity result on systems that don't use the domain scheduler.
The information flow proofs still rely on the domain partitioning,
hence we add constraints on the label-domain mapping for the info-flow
results to hold.
Jira VER-945
2018-08-02 15:01:42 +10:00
f3957348e8
proof/Makefile: add SimplExport* dependencies
...
Add the design-spec dependency to the SimplExport* targets, since the
haskell conversion needs to be done to create the MachineTypes theory
before the CKernel image can be created.
2018-07-24 11:38:40 +10:00
9523eea0d6
infoflow: Clean up infoflow, comment, wrap lines, ...
2018-07-16 15:36:21 +10:00
9e0551f56a
arm-hyp: update proofs for TPIDRUR[OW]/TLS_BASE preservation
...
TPIDRUR[OW] registers removed from VCPU registers. Their saving now
lives in arch_c_entry_hook, which is before verified code is hit.
Relevant for verification, TPIDRURO is already handled as TLS_BASE
register, and TPIDRURW (holds IPC buffer) is saved/restored as part of
normal thread register save/restore.
2018-07-12 23:38:58 +10:00
e11abb6011
x64: crefine: prove isIOPortRangeFree_spec
2018-07-05 17:07:58 +10:00
80693df8e2
x64 crefine: add mask_eq_ucast_shiftl
2018-07-05 17:07:58 +10:00
3231ee17bf
x64 crefine: prove 'return false' case of isIOPortRangeFree_spec postcondition
2018-07-05 17:07:58 +10:00
aabf8ded2e
x64 crefine: progress on isIOPortRangeFree_spec postcondition
2018-07-05 17:07:58 +10:00
7eb8e01443
x64: crefine: proved word_highbits_bounded_highbits_eq
...
Contributed by: Michael Sproul <michael.sproul@data61.csiro.au>
2018-07-05 17:07:57 +10:00
da05f4f72e
x64: crefine: cleared vcg precondition sorry in isIOPortRangeFree_spec, modulo small word lemma
2018-07-05 17:07:57 +10:00
b9c3279779
x64 crefine: prove mask_le_mono
...
Contributed by: Thomas Sewell <Thomas.Sewell@data61.csiro.au>
2018-07-05 17:07:57 +10:00
7a951cad95
x64 crefine: prove invariant preservation for isIOPortRangeFree_spec
2018-07-05 17:07:49 +10:00
7af93e5bc1
x64: crefine: prove word_minus_1_shiftr
2018-07-05 16:23:15 +10:00
07b60ec185
x64: crefine: progress on sorries in isIOPortRangeFree_spec
2018-07-05 16:23:15 +10:00
f0a8621434
x64 crefine: prove isIOPortRangeFree_ccorres in Arch_C (WIP)
2018-07-05 16:23:15 +10:00
91b55bc74b
x64 crefine: progress on spec and inv for isIOPortRangeFree
2018-07-05 16:23:15 +10:00
74e74571ca
x64 crefine: prove setIOPortMask_ccorres in CSpace_C
2018-07-05 16:23:15 +10:00
72e3dcc8e2
x64: crefine: prove decodeX64MMUInvocation_ccorres
...
Required adding a case to cl_valid_cap to encode the relationship between a
PML4Cap's IsMapped bit and its MappedASID.
2018-07-05 16:23:15 +10:00
0f0f46b2b0
x64: refine: fix fallout from decodeX64PageInvocation change
2018-07-05 16:23:15 +10:00
5ce7ed478f
x64: crefine: add SetTLSBase invocation to x64 CRefine
2018-07-05 16:23:15 +10:00
2558a7c6e5
x64: crefine: update decodeX64FrameInvocation to not mask with PPTR_USER_TOP
2018-07-05 16:23:15 +10:00
89df98ec14
x64: fix inadvertently broken lemma in CSpace_C
2018-07-05 16:23:15 +10:00
417e6b8bc1
arm-hyp: crefine: fix up eisr_calc proof for strengthened ccorres_rewrite
2018-07-05 16:23:15 +10:00
584c6e9d26
x64: crefine: prove decodeX64FrameInvocation_ccorres
2018-07-05 16:23:15 +10:00
7f52da6571
x64: ainvs+refine: fix up proofs for decodeX64FrameInvocation changes
2018-07-05 16:23:15 +10:00
5ed7bb16be
x64: fix up definition of performPageInvocation for unmapping pages
2018-07-05 16:23:15 +10:00
700060b642
x64 crefine: prove Arch_decodeInvocation_ccorres in Arch_C
2018-07-05 16:23:15 +10:00
047f96c711
x64 crefine: prove kernel_mappings conditions in Retype_C
2018-07-05 16:23:15 +10:00
3686d79677
x64 crefine: prove createObjects_asidpool_ccorres in Arch_C
...
In x64, asid_map_C is now a bitfield union type, whereas in ARM,
the ASID pool contains plain pointers. This means that proving
ccorres for the x64 ASID pool placeNewObject operation requires
some additional unfolding of C type information.
2018-07-05 16:23:15 +10:00
c390013909
x64 crefine: prove several lemmas in Retype_C
...
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.
2018-07-05 16:23:15 +10:00
26b218e4bd
x64: crefine: clear sorries for decode PT/PD/PDPT
2018-07-05 16:23:15 +10:00
151ca60b9f
x64: refine: add new invariant "pspace_in_kernel_mappings'"
...
This invariant shows that all pointers in ksPSpace are above pptr_base -
that is, in the kernel window. This was never formally proven before, as
had never truly been required (although it is true).
2018-07-05 16:23:15 +10:00
0bad7af88b
x64: crefine: actually clear last ioport_table_C sorry
2018-07-05 16:23:15 +10:00
1dea36ed6f
x64: crefine: add some tag disjunctions for ioport_table_C to SR_Lemmas_C
2018-07-05 16:23:15 +10:00
bcd21f27bf
x64: crefine: clear final two sorries from ioport_bitmap_relation fallout
2018-07-05 16:23:15 +10:00
d6a620ec5d
x64: crefine: move setIOPortMask_ccorres to CSpace_C, finish freeIOPortRange_ccorres
2018-07-05 16:23:15 +10:00
3c65b91512
x64: crefine: finished invokeX86PortControl_ccorres and decodeIOPortControlInvocation_ccorres
2018-07-05 16:23:15 +10:00
d487d1fc6a
x64: crefine: added ioport bitmap to StateRelation_C
2018-07-05 16:23:15 +10:00
95cdaa8ad7
x64: crefine: cleared sorry in decodeIOPortInvocation_ccorres
2018-07-05 16:23:15 +10:00
cf1052e303
x64: crefine: prove prepareThreadDelete_ccorres (VER-837)
2018-07-05 16:23:15 +10:00
b91ee8e4d0
x64: spec+ainvs+refine: add machine ops for nativeThreadUsingFPU and switchFpuOwner
2018-07-05 16:23:15 +10:00
f68aa38531
x64: crefine: almost finished decodeX86PortInvocation_ccorres
2018-07-05 16:23:15 +10:00
68456a1979
x64: crefine: decodeIOPortInvocation progress
2018-07-05 16:23:15 +10:00
f21096d987
x64: crefine: progress in Arch_C, added performPDPTInvocationMap_ccorres, makeUserPML4E_spec
2018-07-05 16:23:15 +10:00
df1c4b1e45
x64: spec+refine: plumb call through perform_ioport_invocation
2018-07-05 16:23:15 +10:00
648938513f
x64: crefine: prove Arch_finaliseCap_ccorres
2018-07-05 16:23:15 +10:00
e9940dee83
x64: spec+refine: remove VMIOSpaceMap, tighten valid_cap' map type guarantees
2018-07-05 16:23:15 +10:00
b48f530591
x64: crefine: assorted progress in Arch_C
2018-07-05 16:23:15 +10:00
278e0fcbb9
x64: crefine: finished ensurePortOperationAllowed_ccorres, progress in decodeIOPortInvocation_ccorres
2018-07-05 16:23:15 +10:00
a4a9a9f721
x64: spec: update ensurePortOperationAllowed to better match C
2018-07-05 16:23:15 +10:00
9bef874088
x64: crefine: finished performPageInvocation[Map|Remap]PDPTE_ccorres
2018-07-05 16:23:15 +10:00
80f54f33f0
x64: crefine: progress in Arch_C
2018-07-05 16:23:15 +10:00
215d235b37
x64: crefine: unmapPDPointerTable_ccorres
2018-07-05 16:23:15 +10:00
2b7a529724
x64: crefine: clear sorry in CSpace_C (VER-930)
2018-07-05 16:23:15 +10:00
219622476d
x64: crefine: remove blank lines from EOF
2018-07-05 16:23:15 +10:00
4fedfb5e35
x64: crefine: clear remaining sorry in Interrupt_C (VER-879)
2018-07-05 16:23:15 +10:00
43f482ab26
x64: ainvs: refine: changes for IRQ invocations (VER-879)
2018-07-05 16:23:15 +10:00
cdaf0923ee
x64: crefine: remove outdated comment about VER-830
2018-07-05 16:23:15 +10:00
c481c7d2df
x64: set cteRightsBits to 0 (VER-930)
2018-07-05 16:23:15 +10:00
e5ecf10b14
arm+arm_hyp: crefine: use ccorres_disj_division from lib
2018-07-05 16:23:15 +10:00
87f22b6171
x64: crefine: cleared more sorries in Arch_C, narrowed others
2018-07-05 16:23:15 +10:00
7786f4856f
x64: crefine: cleared sorry from performASIDControlInvocation_ccorres
2018-07-05 16:23:15 +10:00
f8d04ac291
x64: crefine: cleared perform PD/PDPT unmap sorries
2018-07-05 16:23:15 +10:00
1a83b536e3
x64: crefine: cleared deleteASID_ccorres and deleteASIDPool_ccorres
2018-07-05 16:23:15 +10:00
8953543843
x64: ainvs+refine: remove invalidateASIDEntry, simplify with just hwASIDInvalidate
2018-07-05 16:23:15 +10:00
06bd3ca2fa
x64: crefine: cleared isFinalCapability_ccorres
2018-07-05 16:23:15 +10:00
33d34ad2e2
x64: crefine: narrowed sorries in Finalise_C
2018-07-05 16:23:15 +10:00
9b22083af4
x64: progress on Arch_finaliseCap_ccorres, added unmap lemmas
2018-07-05 16:23:15 +10:00
30b4433138
x64: cleared sorry in finaliseCap_ccorres
2018-07-05 16:23:15 +10:00
04d557f8bb
x64: crefine: narrowed sorry in finaliseCap_ccorres, awaiting C code change
2018-07-05 16:23:15 +10:00
338203c9d8
x64: cleared flushTable_ccorres sorry, need to bubble up page_table_at' assumption
2018-07-05 16:23:15 +10:00
b13f274185
x64: crefine: narrowed down sorries in CSpace_C, updates for ioportcontrol
2018-07-05 16:23:15 +10:00
8cb2744306
x64: refine: cleanup after ioportcontrol
2018-07-05 16:23:15 +10:00
d4b830738f
x64: ainvs: cleanup after ioportcontrol
2018-07-05 16:23:15 +10:00
0335855e4e
x64 crefine: partially remove unmapPageTable_ccorres sorry
2018-07-05 16:23:15 +10:00
8a3df01380
x64 crefine: remove performPageTableInvocationUnmap_ccorres sorry
2018-07-05 16:23:15 +10:00
4049edaac0
x64: clear copyGlobalMappings sorries in Retype_C
2018-07-05 16:23:15 +10:00
4ac8a32c78
x64: clear last sorry in ADT_C
2018-07-05 16:23:15 +10:00
4fafbb76a1
x64: clear last sorry in VSpace_C
2018-07-05 16:23:15 +10:00
bdbcda7b3d
x64: VER-917: ensure map type and vspace mappings are consistent
2018-07-05 16:23:15 +10:00
58f74efb56
x64: clear some sorries in VSpace_C
2018-07-05 16:23:15 +10:00
4967850316
x64: clear wordFromMessageInfo_spec sorry in VSpace_C
2018-07-05 16:23:15 +10:00
cf87e5c8e0
x64: s/framSizeConstants/frameSizeConstants/
2018-07-05 16:23:15 +10:00
7a3e1e7387
x64 crefine: Invoke_C sorry free
2018-07-05 16:23:15 +10:00
e7145a693e
x64: proof update for crunch changes
2018-07-05 16:23:15 +10:00
dcae6bc292
x64: clear some sorries in VSpace_C
...
Includes experiments with AutoCorres.
2018-07-05 16:23:15 +10:00
f649240cde
x64: CR3 and machine op updates for Meltdown
2018-07-05 16:23:15 +10:00
a3de401c09
x64: more abstract specs and invariants for ASIDs
2018-07-05 16:23:15 +10:00
b9efd5f7b2
clib: infrastructure for using AutoCorres in CRefine
2018-07-05 16:23:15 +10:00
dc2069aba0
x64 crefine: Refine_C sorry free
2018-07-05 16:23:15 +10:00
1a29b76e12
x64 crefine: close Arch_finaliseInterrupt sorry
2018-07-05 16:23:15 +10:00
49545b0235
x64 crefine: remaining Invoke_C sorries are C bugs
2018-07-05 16:23:15 +10:00
bec409b99c
x64 crefine: removed 5 sorries in Invoke_C
2018-07-05 16:23:15 +10:00
c8218a81d6
x64 crefine: Syscall_C sorry free
2018-07-05 16:23:15 +10:00
25681afb98
x64 refine: IpcCancel_C sorry free
...
also moved up a couple of canonical_address lemmas to SR_lemmas_C
2018-07-05 16:23:15 +10:00
2b6f472c19
x64 crefine: CSpace_All sorry free
2018-07-05 16:23:15 +10:00
2a3639c6f6
x64 crefine: Schedule_C sorry free
2018-07-05 16:23:15 +10:00
8e9c6acd0f
x64 crefine: Delete_C sorry free
2018-07-05 16:23:15 +10:00
5b45186152
x64 crefine: Recycle_C sorry free
2018-07-05 16:23:15 +10:00
4bdcf91149
x64 crefine: remove some sorries in Retype_C; document rest
2018-07-05 16:23:15 +10:00
f20ec59695
x64: crefine: performPageInvocationUnmap
...
Depends on one lemma that will remain sorried until VER-917 is complete.
2018-07-05 16:23:15 +10:00
e38bcf6bd2
x64 CRefine: proof repairs after wp changes
2018-07-05 16:23:15 +10:00
42ad2cbad9
x64 CRefine: more update for C-parser change to avoid complex call lvals (JIRA VER-881)
...
Also completes some Ipc_C proofs that were blocked by the C-parser problem.
2018-07-05 16:23:15 +10:00
87f6ad3f6c
x64: crefine: prove unmapPage_ccorres
...
This required the addition of a new assumption in Machine_C about
invalidateTranslationSingleASID
2018-07-05 16:23:15 +10:00
0a6a028a80
crefine x64: Refine_C sorried
2018-07-05 16:23:15 +10:00
99f2868803
x64 refine: RAB_FN (needed for x64 crefine)
2018-07-05 16:23:14 +10:00
1e73cba198
x64 crefine: remove ADT_C sorries up to missing arch defs
2018-07-05 16:23:14 +10:00
06d9ff7853
x64 crefine: ADT_C sorried, Init_C added
2018-07-05 16:23:14 +10:00
82474647a3
x64 crefine: FPU updates
2018-07-05 16:23:14 +10:00
3fb9903ea1
x64: crefine: update for C-parser change to avoid complex call lvals (JIRA VER-881)
2018-07-05 16:23:14 +10:00
81fca9ab65
x64: crefine: clear some sorries from VSpace_C
2018-07-05 16:23:14 +10:00
c2797809ec
x64: crefine: fix confused deputy problem when setting priorities
2018-07-05 16:23:14 +10:00
88f5f072b1
x64: crefine: Genericise deletion actions that occur after empty_slot
...
Based on Joel's changes for ARM_HYP
2018-07-05 16:23:14 +10:00
511d2e3693
x64: update proofs for new ccorres_rewrite
2018-07-05 16:23:14 +10:00
10c6a46405
x64: update proofs for msgLabelBits
2018-07-05 16:23:14 +10:00
4666cf43ba
x64: crefine: cleared some sorries in Ipc_C
...
Cleared all bitfield sorries as well as remnant sorries from previous
spec changes. Only sorries remaining require spec changes
(msgLabelBits, VER-910) or C/c-parser changes (VER-881).
2018-07-05 16:23:14 +10:00
9141e3c1c2
x64: crefine: move lemma from Tcb_C to SR_lemmas_C, and more canonical_address lemmas to SR_Lemmas
2018-07-05 16:23:14 +10:00
c12aa74ca3
x64: refine: add valid_pspace' -> pspace_canonical' drule
2018-07-05 16:23:14 +10:00
bcac2c8492
x64: clear some sorry proofs from CSpace_C
...
Also update some Haskell and abstract specs relating to IO ports.
2018-07-05 16:23:14 +10:00
Gerwin Klein
Michael Sproul
Thomas Sewell
Japheth Lim
Thibaut Perami
Rafal Kolanski
Matthew Brecknell
Joel Beeren
Corey Lewis