wp rules for most operators such as return, get, gets are named
return_wp, get_wp, etc. Then when, whenE, unless, unlessE operators had
an additional hoare_.. prefix that this commit removes for more
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This invariant states that the current active vcpu is
equal to the vcpu of the current thread
Signed-off-by: Michael McInerney <m.mcinerney@unsw.edu.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
Addresses issue VER-1036.
Previously, there were pointer alignment invariants in valid_pte, etc.
However, these had two problems:
1. valid_pte was conditioned on the PTE being mapped, so we couldn't
rely on PTE pointers being aligned unconditionally (see VER-1036).
2. The existing alignments were actually incorrect for large pages.
Proofs that needed the true alignments, obtained them from other
parts of invs (e.g. valid_objs).
This commit moves the alignment invariants to wellformed_pte, etc.
and changes them to use the correct values.
A handle of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
Gerwin Klein
Corey Lewis
Michael McInerney
Corey Lewis
Michael McInerney
Rafal Kolanski
Mitchell Buckley
Gerwin Klein
Victor Phan
Corey Lewis
MiladKetabi
Michael McInerney
Japheth Lim
Edward Pierzchalski
Thomas Sewell
Joel Beeren
Matthew Brecknell
Miki Tanaka
Joel Beeren