5ce7ed478f
x64: crefine: add SetTLSBase invocation to x64 CRefine
2018-07-05 16:23:15 +10:00
2558a7c6e5
x64: crefine: update decodeX64FrameInvocation to not mask with PPTR_USER_TOP
2018-07-05 16:23:15 +10:00
89df98ec14
x64: fix inadvertently broken lemma in CSpace_C
2018-07-05 16:23:15 +10:00
417e6b8bc1
arm-hyp: crefine: fix up eisr_calc proof for strengthened ccorres_rewrite
2018-07-05 16:23:15 +10:00
584c6e9d26
x64: crefine: prove decodeX64FrameInvocation_ccorres
2018-07-05 16:23:15 +10:00
7f52da6571
x64: ainvs+refine: fix up proofs for decodeX64FrameInvocation changes
2018-07-05 16:23:15 +10:00
5ed7bb16be
x64: fix up definition of performPageInvocation for unmapping pages
2018-07-05 16:23:15 +10:00
700060b642
x64 crefine: prove Arch_decodeInvocation_ccorres in Arch_C
2018-07-05 16:23:15 +10:00
047f96c711
x64 crefine: prove kernel_mappings conditions in Retype_C
2018-07-05 16:23:15 +10:00
3686d79677
x64 crefine: prove createObjects_asidpool_ccorres in Arch_C
...
In x64, asid_map_C is now a bitfield union type, whereas in ARM,
the ASID pool contains plain pointers. This means that proving
ccorres for the x64 ASID pool placeNewObject operation requires
some additional unfolding of C type information.
2018-07-05 16:23:15 +10:00
c390013909
x64 crefine: prove several lemmas in Retype_C
...
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.
2018-07-05 16:23:15 +10:00
26b218e4bd
x64: crefine: clear sorries for decode PT/PD/PDPT
2018-07-05 16:23:15 +10:00
151ca60b9f
x64: refine: add new invariant "pspace_in_kernel_mappings'"
...
This invariant shows that all pointers in ksPSpace are above pptr_base -
that is, in the kernel window. This was never formally proven before, as
had never truly been required (although it is true).
2018-07-05 16:23:15 +10:00
0bad7af88b
x64: crefine: actually clear last ioport_table_C sorry
2018-07-05 16:23:15 +10:00
1dea36ed6f
x64: crefine: add some tag disjunctions for ioport_table_C to SR_Lemmas_C
2018-07-05 16:23:15 +10:00
bcd21f27bf
x64: crefine: clear final two sorries from ioport_bitmap_relation fallout
2018-07-05 16:23:15 +10:00
d6a620ec5d
x64: crefine: move setIOPortMask_ccorres to CSpace_C, finish freeIOPortRange_ccorres
2018-07-05 16:23:15 +10:00
3c65b91512
x64: crefine: finished invokeX86PortControl_ccorres and decodeIOPortControlInvocation_ccorres
2018-07-05 16:23:15 +10:00
d487d1fc6a
x64: crefine: added ioport bitmap to StateRelation_C
2018-07-05 16:23:15 +10:00
95cdaa8ad7
x64: crefine: cleared sorry in decodeIOPortInvocation_ccorres
2018-07-05 16:23:15 +10:00
cf1052e303
x64: crefine: prove prepareThreadDelete_ccorres (VER-837)
2018-07-05 16:23:15 +10:00
b91ee8e4d0
x64: spec+ainvs+refine: add machine ops for nativeThreadUsingFPU and switchFpuOwner
2018-07-05 16:23:15 +10:00
f68aa38531
x64: crefine: almost finished decodeX86PortInvocation_ccorres
2018-07-05 16:23:15 +10:00
68456a1979
x64: crefine: decodeIOPortInvocation progress
2018-07-05 16:23:15 +10:00
f21096d987
x64: crefine: progress in Arch_C, added performPDPTInvocationMap_ccorres, makeUserPML4E_spec
2018-07-05 16:23:15 +10:00
df1c4b1e45
x64: spec+refine: plumb call through perform_ioport_invocation
2018-07-05 16:23:15 +10:00
648938513f
x64: crefine: prove Arch_finaliseCap_ccorres
2018-07-05 16:23:15 +10:00
e9940dee83
x64: spec+refine: remove VMIOSpaceMap, tighten valid_cap' map type guarantees
2018-07-05 16:23:15 +10:00
b48f530591
x64: crefine: assorted progress in Arch_C
2018-07-05 16:23:15 +10:00
278e0fcbb9
x64: crefine: finished ensurePortOperationAllowed_ccorres, progress in decodeIOPortInvocation_ccorres
2018-07-05 16:23:15 +10:00
a4a9a9f721
x64: spec: update ensurePortOperationAllowed to better match C
2018-07-05 16:23:15 +10:00
9bef874088
x64: crefine: finished performPageInvocation[Map|Remap]PDPTE_ccorres
2018-07-05 16:23:15 +10:00
80f54f33f0
x64: crefine: progress in Arch_C
2018-07-05 16:23:15 +10:00
215d235b37
x64: crefine: unmapPDPointerTable_ccorres
2018-07-05 16:23:15 +10:00
2b7a529724
x64: crefine: clear sorry in CSpace_C (VER-930)
2018-07-05 16:23:15 +10:00
219622476d
x64: crefine: remove blank lines from EOF
2018-07-05 16:23:15 +10:00
4fedfb5e35
x64: crefine: clear remaining sorry in Interrupt_C (VER-879)
2018-07-05 16:23:15 +10:00
43f482ab26
x64: ainvs: refine: changes for IRQ invocations (VER-879)
2018-07-05 16:23:15 +10:00
cdaf0923ee
x64: crefine: remove outdated comment about VER-830
2018-07-05 16:23:15 +10:00
c481c7d2df
x64: set cteRightsBits to 0 (VER-930)
2018-07-05 16:23:15 +10:00
e5ecf10b14
arm+arm_hyp: crefine: use ccorres_disj_division from lib
2018-07-05 16:23:15 +10:00
87f22b6171
x64: crefine: cleared more sorries in Arch_C, narrowed others
2018-07-05 16:23:15 +10:00
7786f4856f
x64: crefine: cleared sorry from performASIDControlInvocation_ccorres
2018-07-05 16:23:15 +10:00
f8d04ac291
x64: crefine: cleared perform PD/PDPT unmap sorries
2018-07-05 16:23:15 +10:00
1a83b536e3
x64: crefine: cleared deleteASID_ccorres and deleteASIDPool_ccorres
2018-07-05 16:23:15 +10:00
8953543843
x64: ainvs+refine: remove invalidateASIDEntry, simplify with just hwASIDInvalidate
2018-07-05 16:23:15 +10:00
06bd3ca2fa
x64: crefine: cleared isFinalCapability_ccorres
2018-07-05 16:23:15 +10:00
33d34ad2e2
x64: crefine: narrowed sorries in Finalise_C
2018-07-05 16:23:15 +10:00
9b22083af4
x64: progress on Arch_finaliseCap_ccorres, added unmap lemmas
2018-07-05 16:23:15 +10:00
30b4433138
x64: cleared sorry in finaliseCap_ccorres
2018-07-05 16:23:15 +10:00
04d557f8bb
x64: crefine: narrowed sorry in finaliseCap_ccorres, awaiting C code change
2018-07-05 16:23:15 +10:00
338203c9d8
x64: cleared flushTable_ccorres sorry, need to bubble up page_table_at' assumption
2018-07-05 16:23:15 +10:00
b13f274185
x64: crefine: narrowed down sorries in CSpace_C, updates for ioportcontrol
2018-07-05 16:23:15 +10:00
8cb2744306
x64: refine: cleanup after ioportcontrol
2018-07-05 16:23:15 +10:00
d4b830738f
x64: ainvs: cleanup after ioportcontrol
2018-07-05 16:23:15 +10:00
0335855e4e
x64 crefine: partially remove unmapPageTable_ccorres sorry
2018-07-05 16:23:15 +10:00
8a3df01380
x64 crefine: remove performPageTableInvocationUnmap_ccorres sorry
2018-07-05 16:23:15 +10:00
4049edaac0
x64: clear copyGlobalMappings sorries in Retype_C
2018-07-05 16:23:15 +10:00
4ac8a32c78
x64: clear last sorry in ADT_C
2018-07-05 16:23:15 +10:00
4fafbb76a1
x64: clear last sorry in VSpace_C
2018-07-05 16:23:15 +10:00
bdbcda7b3d
x64: VER-917: ensure map type and vspace mappings are consistent
2018-07-05 16:23:15 +10:00
58f74efb56
x64: clear some sorries in VSpace_C
2018-07-05 16:23:15 +10:00
4967850316
x64: clear wordFromMessageInfo_spec sorry in VSpace_C
2018-07-05 16:23:15 +10:00
cf87e5c8e0
x64: s/framSizeConstants/frameSizeConstants/
2018-07-05 16:23:15 +10:00
7a3e1e7387
x64 crefine: Invoke_C sorry free
2018-07-05 16:23:15 +10:00
e7145a693e
x64: proof update for crunch changes
2018-07-05 16:23:15 +10:00
dcae6bc292
x64: clear some sorries in VSpace_C
...
Includes experiments with AutoCorres.
2018-07-05 16:23:15 +10:00
f649240cde
x64: CR3 and machine op updates for Meltdown
2018-07-05 16:23:15 +10:00
a3de401c09
x64: more abstract specs and invariants for ASIDs
2018-07-05 16:23:15 +10:00
b9efd5f7b2
clib: infrastructure for using AutoCorres in CRefine
2018-07-05 16:23:15 +10:00
dc2069aba0
x64 crefine: Refine_C sorry free
2018-07-05 16:23:15 +10:00
1a29b76e12
x64 crefine: close Arch_finaliseInterrupt sorry
2018-07-05 16:23:15 +10:00
49545b0235
x64 crefine: remaining Invoke_C sorries are C bugs
2018-07-05 16:23:15 +10:00
bec409b99c
x64 crefine: removed 5 sorries in Invoke_C
2018-07-05 16:23:15 +10:00
c8218a81d6
x64 crefine: Syscall_C sorry free
2018-07-05 16:23:15 +10:00
25681afb98
x64 refine: IpcCancel_C sorry free
...
also moved up a couple of canonical_address lemmas to SR_lemmas_C
2018-07-05 16:23:15 +10:00
2b6f472c19
x64 crefine: CSpace_All sorry free
2018-07-05 16:23:15 +10:00
2a3639c6f6
x64 crefine: Schedule_C sorry free
2018-07-05 16:23:15 +10:00
8e9c6acd0f
x64 crefine: Delete_C sorry free
2018-07-05 16:23:15 +10:00
5b45186152
x64 crefine: Recycle_C sorry free
2018-07-05 16:23:15 +10:00
4bdcf91149
x64 crefine: remove some sorries in Retype_C; document rest
2018-07-05 16:23:15 +10:00
f20ec59695
x64: crefine: performPageInvocationUnmap
...
Depends on one lemma that will remain sorried until VER-917 is complete.
2018-07-05 16:23:15 +10:00
e38bcf6bd2
x64 CRefine: proof repairs after wp changes
2018-07-05 16:23:15 +10:00
42ad2cbad9
x64 CRefine: more update for C-parser change to avoid complex call lvals (JIRA VER-881)
...
Also completes some Ipc_C proofs that were blocked by the C-parser problem.
2018-07-05 16:23:15 +10:00
87f6ad3f6c
x64: crefine: prove unmapPage_ccorres
...
This required the addition of a new assumption in Machine_C about
invalidateTranslationSingleASID
2018-07-05 16:23:15 +10:00
0a6a028a80
crefine x64: Refine_C sorried
2018-07-05 16:23:15 +10:00
99f2868803
x64 refine: RAB_FN (needed for x64 crefine)
2018-07-05 16:23:14 +10:00
1e73cba198
x64 crefine: remove ADT_C sorries up to missing arch defs
2018-07-05 16:23:14 +10:00
06d9ff7853
x64 crefine: ADT_C sorried, Init_C added
2018-07-05 16:23:14 +10:00
82474647a3
x64 crefine: FPU updates
2018-07-05 16:23:14 +10:00
3fb9903ea1
x64: crefine: update for C-parser change to avoid complex call lvals (JIRA VER-881)
2018-07-05 16:23:14 +10:00
81fca9ab65
x64: crefine: clear some sorries from VSpace_C
2018-07-05 16:23:14 +10:00
c2797809ec
x64: crefine: fix confused deputy problem when setting priorities
2018-07-05 16:23:14 +10:00
88f5f072b1
x64: crefine: Genericise deletion actions that occur after empty_slot
...
Based on Joel's changes for ARM_HYP
2018-07-05 16:23:14 +10:00
511d2e3693
x64: update proofs for new ccorres_rewrite
2018-07-05 16:23:14 +10:00
10c6a46405
x64: update proofs for msgLabelBits
2018-07-05 16:23:14 +10:00
4666cf43ba
x64: crefine: cleared some sorries in Ipc_C
...
Cleared all bitfield sorries as well as remnant sorries from previous
spec changes. Only sorries remaining require spec changes
(msgLabelBits, VER-910) or C/c-parser changes (VER-881).
2018-07-05 16:23:14 +10:00
9141e3c1c2
x64: crefine: move lemma from Tcb_C to SR_lemmas_C, and more canonical_address lemmas to SR_Lemmas
2018-07-05 16:23:14 +10:00
c12aa74ca3
x64: refine: add valid_pspace' -> pspace_canonical' drule
2018-07-05 16:23:14 +10:00
bcac2c8492
x64: clear some sorry proofs from CSpace_C
...
Also update some Haskell and abstract specs relating to IO ports.
2018-07-05 16:23:14 +10:00
b072714ca1
x64: crefine: move pspace_canonical' lemmas to refine
2018-07-05 16:23:14 +10:00
5d425337d2
x64: crefine: cleared sorries in Tcb_C
2018-07-05 16:23:14 +10:00
74a4be7a74
x64: crefine: cleared non sign extend sorries in Tcb_C
2018-07-05 16:23:14 +10:00
022f6a5981
x64 crefine: update existing proofs for pspace_canonical'
...
The logic roughly follows what happens in Refine, but gets woven into
ccorres proofs making this non-obvious.
Similar breakage will become evident once more sorries are cleared
around retyping/deleting.
2018-07-05 16:23:14 +10:00
9159cf7c0d
x64 refine: add pspace_canonical' invariant
...
All kernel objects in the kheap exist at canonical addresses. Additional
constraint needed on Untyped caps: they must refer to a canonical
address in memory, since the Untyped objects themselves do not live in
the kheap.
The invariant is needed to discharge pointer dereference guards in C for
pointers obtained from kernel objects. We managed to prove it without
adding abstract invariants.
2018-07-05 16:23:14 +10:00
d15b4e5cb6
x64 ainvs: preservation of canonical_address under addition
2018-07-05 16:23:14 +10:00
334949125c
x64 crefine: update or sorry broken proofs up to Syscall_C
2018-07-05 16:23:14 +10:00
569abcff5a
x64 crefine: add Syscall_C to Refine_C for testing
2018-07-05 16:23:14 +10:00
53553ea260
x64 crefine: update scheduler bitmap lemmas
...
Applied the changes from invert-fastpath on ARM_HYP to available X64
files, updated relevant proofs to 64-bit, reduced IpcCancel sorries to
sign_extend only, reduced Schedule to one sorry.
2018-07-05 16:23:14 +10:00
e94d70f42c
x64: crefine: remove 3 sorries in Retype_C
...
(added 3 more)
2018-07-05 16:23:14 +10:00
5ef384cf07
x64 crefine: Detype_C sorry-free
2018-07-05 16:23:14 +10:00
c858e6b75b
x64: crefine: cleared sorry in checkCapAt_ccorres
2018-07-05 16:23:14 +10:00
812828fd35
x64: crefine: initial, broken commit of ADT_C
2018-07-05 16:23:14 +10:00
dbf763ad01
x64: crefine: cleared sorries in SyscallArgs_C
2018-07-05 16:23:14 +10:00
710090f8e7
x64: crefine: cleared sorries in CSpace_RAB_C
2018-07-05 16:23:14 +10:00
25abf2b929
x64: crefine: onle Arch_decodeIRQControlInvocation_ccorres remains in Interrupt_C
2018-07-05 16:23:14 +10:00
88b2d4988d
x64: crefine: added Syscall_C
2018-07-05 16:23:14 +10:00
94a1215405
x64: crefine: added Arch_C
2018-07-05 16:23:14 +10:00
daaeed46aa
x64: crefine: added Invoke_C
2018-07-05 16:23:14 +10:00
abda36a8f7
x64: crefine: added Recycle_C
2018-07-05 16:23:14 +10:00
d27f7c9f60
x64: crefine: added Retype_C
2018-07-05 16:23:14 +10:00
ff95aec20f
x64: crefine: added Interrupt_C
2018-07-05 16:23:14 +10:00
1fc3536aff
x64: crefine: added Schedule_C
2018-07-05 16:23:14 +10:00
5ccbe6061d
x64: crefine: added Tcb_C
2018-07-05 16:23:14 +10:00
1079673d34
x64: crefine: adjust value_abbreviation in Delete_C
2018-07-05 16:23:14 +10:00
fa38926ac3
x64: crefine: update for isabelle-2017
2018-07-05 16:23:14 +10:00
c9633be900
x64: crefine: added Delete_C
2018-07-05 16:23:14 +10:00
05ace54dd4
x64: crefine: update sorries for C changes
...
changes include:
* zombie bit numbers changing
* object sizes abstracted
2018-07-05 16:23:14 +10:00
b5d5b973f6
x64: crefine: added Ipc_C
2018-07-05 16:23:14 +10:00
24bc43a65a
x64: crefine: added IsolatedThreadAction.thy
2018-07-05 16:23:14 +10:00
f4e33ad6c6
x64: crefine: minor tweaks in VSpace_C
2018-07-05 16:23:14 +10:00
4668abb6b7
x64: crefine: added Finalise_C
2018-07-05 16:23:14 +10:00
bb4cdf564b
x64: crefine: added Detype_C
2018-07-05 16:23:14 +10:00
0bad4a3918
x64: crefine: add CSpace_All.thy
2018-07-05 16:23:14 +10:00
767b2612be
x64: crefine: added IpcCancel_C
2018-07-05 16:23:14 +10:00
a07380a7fc
x64: crefine: added SyscallArgs_C
2018-07-05 16:23:14 +10:00
3a9818b070
x64: crefine: added CSpace_RAB_C.thy
2018-07-05 16:23:14 +10:00
3c3ce87df0
x64: crefine: added DetWP.thy
2018-07-05 16:23:14 +10:00
5982952444
x64: crefine: added StoreWord_C
2018-07-05 16:23:14 +10:00
c69b10e2d4
x64: crefine: VSpace_C sorried
...
There are probably lots of lemmas missing but this will allow people to
move forward beyond VSpace_C to other files.
Many sorries are dependent on C changes still in the pipeline
2018-07-05 16:23:14 +10:00
3fb61f92a6
x64: crefine: interim commit of VSpace_C
2018-07-05 16:23:14 +10:00
55b5f165b7
x64: crefine: added getFaultAddr_ccorres to machine assumptions
2018-07-05 16:23:14 +10:00
72b1edaf96
x64: crefine: add CSpace_C to Refine_C for regression testing
2018-07-05 16:23:14 +10:00
bf25de6b5b
x64: crefine: added CSpace_C with sorries
2018-07-05 16:23:14 +10:00
5909835331
x64: crefine: adjust cl_valid_cap for irq_handler caps
2018-07-05 16:23:14 +10:00
0326c2a956
x64: crefine: add frame_cap condition to cl_valid_cap
...
On x64, there are only 3 possible page sizes, so it is no longer
possible to deduce that a page size is well-formed from just the
bitfield struct (previously there were 4 page sizes for a 2-bit field).
2018-07-05 16:23:14 +10:00
1069cb70f2
x64: crefine: fix default case in vmrights_to_H
2018-07-05 16:23:14 +10:00
f24785cb8b
x64: crefine: add neglected IOPortCap case to a few lemmas
2018-07-05 16:23:14 +10:00
c80d51bf2a
x64: crefine: added Machine_C
2018-07-05 16:23:14 +10:00
a5aae07229
x64 crefine: added CSpaceAcc_C
2018-07-05 16:23:14 +10:00
c71fa27e14
Whitespace and typos
2018-07-03 13:42:23 +10:00
571ef6d0ca
crefine+drefine+access+infoflow: update proofs for SetTLSBase (VER-807)
2018-07-03 13:42:22 +10:00
9d315cda20
ainvs+refine: update proofs for SetTLSBase (VER-807)
2018-07-03 13:42:19 +10:00
a93dafb21c
proofs: record tests.xml dependencies for SepTacticsExamples
2018-06-27 10:06:48 +02:00
967a091cf6
ainvs: Remove unnecessary crunches and whitespace
2018-06-27 11:48:56 +10:00
97c24b95c9
ainvs: Add itcb_arch to the itcb projection
...
This allows us to more easily show that arch specific tcb fields are
preserved by many functions of the spec. For ARM_HYP we add a
projection for the tcb_vcpu field.
2018-06-27 11:48:56 +10:00
d77d31a77c
lib: Refactor crunch so that it can be used for both the nondet monad and the trace monad
2018-06-26 14:45:28 +10:00
15d6b62040
arm: address setCurrentPD mismatch between abstract/haskell/C
...
ARM setCurrentPD was recently refactored as part of multi-VM support for
ARM_HYP. The Haskell was updated correctly, and the C was not.
Unfortunately, setCurrentPD was manually redefined in MachineOps.thy for
ARM hiding the change, making the C look correct when it wasn't.
We scrap the second definition of setCurrentPD, load it from the Haskell,
and have an abstract set_current_pd that's a bit simpler to refine down
from.
The proofs are updated for the above change and the update to the C
setCurrentPD that was breaking on KZM.
2018-06-22 11:59:30 +10:00
4a3d7a958c
arm-hyp: update proofs for SELFOUR-584: running multiple VMs on ARM
...
As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG
I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.
2018-06-15 18:48:47 +10:00
c686d6e776
lib: Make Crunch more effective at applying supplied rules
2018-06-08 15:48:32 +10:00
70212ec799
dpolicy: add a comment summarising the result in proof/access-control/Dpolicy.thy
2018-05-08 10:19:02 +10:00
5cff1d47ac
crefine: fix finaliseCap proof for 1ul shift change
2018-04-27 07:12:09 +10:00
25125763bd
arm-hyp: ioportcontrol: fixes after adding IOPortControlCaps to x64
2018-04-19 05:27:06 +10:00
1634608453
arm: ioportcontrol: Fixes after adding IOPortControlCaps to x64
2018-04-19 05:27:06 +10:00
f728dd25e8
x64: Add IOPortControlCaps to control IO port allocation
...
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
2018-04-19 05:27:06 +10:00
02e5096534
x64: VER-917: correct VSpace invocations to update map_type, and add invariants to check that maptype and mapped addresses correspond for PageCaps
2018-04-19 05:27:05 +10:00
4c7ca8c076
arm+arm_hyp crefine: Split TLB functions to local and local+remote functions
2018-04-19 11:12:27 +10:00
cf601cb3c6
refine+crefine: update proofs for range check change
2018-04-11 08:05:46 +10:00
9813f6a09f
arm-hyp haskell+refine: reorder arch invocation labels to match C
2018-04-07 00:02:51 +10:00
31290e2d92
arm-hyp crefine: update proofs for ARMv7 refactor
2018-04-06 14:24:47 +10:00
2d0baab462
Proof update for crunch changes
2018-04-04 14:13:55 +10:00
e3774a8813
asmrefine: ctcb_offset AUXUPD
2018-03-26 14:37:22 +11:00
9b0441e288
arm + arm_hyp: crefine for ctcb_offset C AUXUPD
2018-03-26 14:37:22 +11:00
62bee91f12
cspec/crefine: make ctcb_offset available to AUXUPD
2018-03-26 14:37:22 +11:00
0f38e20094
Many proof repairs.
2018-03-16 14:57:51 +11:00
652cbb966e
Initial proof updates for combinator changes.
2018-03-16 14:53:22 +11:00
bea2e09c04
crefine: further update for C-parser change to avoid complex call lvals (JIRA VER-881)
2018-03-14 17:58:43 +11:00
44bd2788cd
arm-hyp crefine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
53996e94d9
arm-hyp refine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
830f407d7f
arm-hyp ainvs: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
3f7d6e1ce9
ARM infoflow: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
84633ccb7f
ARM access: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
51190d18d1
ARM bisim: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
b0cac3ec77
ARM drefine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
4eb4ddf53f
ARM crefine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
2d9de5b9a6
ARM refine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
8601dce656
ARM ainvs: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
21bbc51d9b
x64 crefine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
72c4123d10
x64 refine: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
b29e9c9fd3
x64 ainvs: proof update for user_context refactor
2018-03-08 18:41:28 +11:00
79cea8452f
retire out-of-date effort calculation
2018-03-08 08:32:42 +11:00
d7ec3eb986
crefine: update for C-parser change to avoid complex call lvals (JIRA VER-881)
2018-02-28 11:22:53 +11:00
f0795805d1
SELFOUR-1016: fix confused deputy problem when setting priorities
2018-02-26 11:19:43 +11:00
4601f2a1ab
Genericise deletion actions that occur after empty_slot
...
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
2018-02-23 09:12:55 +11:00
6e74fa1ae3
arm/arm-hyp crefine: update proofs for new ccorres_rewrite
2018-02-18 13:05:41 +11:00
3d225cde69
VER-910: add msgLabelBits to haskell
...
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
2018-02-07 10:36:59 +11:00
9fb7c5cf4d
arm_hyp ainvs: fix a typo
2018-01-30 12:00:25 +11:00
4efe5392f7
arm ainvs: fix a typo
2018-01-30 12:00:21 +11:00
d675e253ba
fix broken README links
2018-01-29 13:24:35 +11:00
eabbd86327
x64: remove references to x64KSCurrentCR3, following Meltdown mitigation
...
Changes to the C kernel to mitigate the Meltdown vulnerability have
removed x64KSCurrentCR3, and replaced it with other state. As a
temporary fix, this commit removes references to x64KSCurrentCR3 from
the C state relation to keep existing proofs working.
For x64 verification, this ultimately needs to be replaced with a
relation on the new state that has been added, and the specs updated
accordingly.
2018-01-22 16:28:33 +11:00
Joel Beeren
Matthew Brecknell
Michael Sproul
Thibaut Perami
Gerwin Klein
Corey Lewis
Japheth Lim
Rafal Kolanski
Maksym Bortin
Thomas Sewell
Miki Tanaka
Matthew Fernandez