This alternative formulation determines the set of used_irqs in
a way that is less roundabout and closer to the C implementation:
instead of "every irq such that some object has an irqhandler cap
for it", it's "every irq such that there is an irq node for it".
For the proofs, we prove that the two formulations agree on well-formed
specs. Beyond using this fact, the old proofs need not change at all.
Incorporates some proof improvements suggested by @jalim and
shamelessly stolen.
A lot of the proofs in SysInit and DRefine previously had to unfold opt_object,
which was really just an alias for cdl_objects with the arguments in the
opposite order! This commit deletes opt_object in favour of using cdl_objects
directly, which should slightly reduce the burden of unfolding.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
IRQ Nodes are now their own object type in capDL. This makes it much easier
to distinguish between "real" CNodes and IRQ Nodes.
Updated:
* the capDL refinement,
* the access proofs, and
* the system initialiser.
Gerwin Klein
Michael McInerney
IlmariReissumies
Michael Sproul
Callum Bannister
Gerwin Klein
Andrew Boyton