This includes a few hopefully useful lemmas about page table type
uniqueness.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The remaining interesting lemma (which is not proved) is
vs_lookup_non_PageTablePTE which needed two statement adjustments, one
to adjust the ptes_of update (certain that this is correct), and one to
add a new precondition valid_vspace_objs (speculative, but hopefully
enough to solve the lemma).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Check that the type of the page table that is present is the type we
are requested to update. The same assert is already present for ptes_of.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- use vspace_objs_of instead of aobjs_of where possible to reduce
scope and make lifting rules stronger
- prove remaining lifting rules in ArchKHeap_AI
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- provides case split rules for vspace_objs_of lifting
- proves the provable vspace_objs_of/vspace_obj_pred lifting rules. The
other lifting rules will need rephrasing for AARCH64 since
vspace_objs_of does not cover all arch objects.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Domain equality is nice to state and sometimes nice to prove, but it is
hard to use in automation (fastforce/auto). The new phrasing here is not
as nice to read, but useful in automation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Carefully not disturbing the simpset, because too many things break
otherwise.
Similarly, if_option_Some2 is not included with if_option_Some, because
the latter is being declared globally [simp] at some stage and then
breaks things in too many random places.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We so far have unfolded opt_map in these ... = None situations. Using
the new rule directly eliminates one of the cases (the Some case), so
is slightly more efficient when we stack them and get many of these.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This rewrites the extraction function to a simpler form, which is
consistent with how the lemma is written on the other architectures.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
fwd_all and ALLGOALS_FWD act like `all`, but the supplied method is applied
to goals in first-to-last order, taking into account goals solved and
generated.
fwd_all_new and FWD_ALL_NEW act like `;` and THEN_ALL_NEW, but the
second method is applied to the results of the first in the order they
were produced, making it safe for WP reasoning.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
In `Rules_Tac`, add a `rules_tac` which is `rule_tac` but with the
ability to instantiate the same variable name in multiple theorems.
Also add the specialised `single_instantiate_tac` which allows using the
above mechanism to instantiate a specific variable name in a specific
set of theorems (e.g. "rv" in a set of symbolic-execution lemmas).
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
These allow for pattern-matching on the conclusion and reacting to
whether the match succeeded.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
These allow selective eta-contraction in the goal based on the bound
variable's name. The `no_name_eta` method specifically targets
abstractions where the variable has no name, which can come up in
complicated unification scenarios.
These nameless abstractions can cause symbolic execution lemmas to no
longer pick up on the name of the bound variable in do-notation,
requiring multiple rename_tac invocations.
Co-authored-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
(removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
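To make the encoding constraint from that commit message concrete, here is an added example (not code from seL4 or l4v) that builds a next-level page-table PTE and checks an arbitrary PTE against the rule that non-leaf entries must have the A, D and U bits cleared. It assumes the standard RISC-V Sv39/Sv48 low-byte flag layout (V, R, W, X, U, G, A, D in bits 0 to 7) and the PPN starting at bit 10.

```c
#include <stdbool.h>
#include <stdint.h>

/* RISC-V PTE flag bits; Sv39 and Sv48 share this low-byte layout. */
#define PTE_V (1ULL << 0)
#define PTE_R (1ULL << 1)
#define PTE_W (1ULL << 2)
#define PTE_X (1ULL << 3)
#define PTE_U (1ULL << 4)
#define PTE_G (1ULL << 5)
#define PTE_A (1ULL << 6)
#define PTE_D (1ULL << 7)
#define PTE_PPN_SHIFT 10

/* A valid PTE with R=W=X=0 is a pointer to the next-level page table. */
bool pte_is_page_table(uint64_t pte)
{
    return (pte & PTE_V) && !(pte & (PTE_R | PTE_W | PTE_X));
}

/* Encode a next-level page-table pointer. A, D and U are left at 0,
   which is what the spec requires for non-leaf entries; only V and
   optionally G are set besides the physical page number. */
uint64_t make_page_table_pte(uint64_t ppn, bool global)
{
    uint64_t pte = (ppn << PTE_PPN_SHIFT) | PTE_V;
    if (global)
        pte |= PTE_G;
    return pte;
}

/* Check a PTE against the encoding rules: W without R is a reserved
   combination, and a non-leaf entry may not have A, D or U set. */
bool pte_well_formed(uint64_t pte)
{
    if (!(pte & PTE_V))
        return true;                    /* invalid entries are unconstrained */
    if ((pte & PTE_W) && !(pte & PTE_R))
        return false;                   /* reserved R/W/X combination */
    if (pte_is_page_table(pte))
        return (pte & (PTE_A | PTE_D | PTE_U)) == 0;
    return true;                        /* leaf entries may use A, D and U */
}
```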
This removes the mcs-export matrix job from the proof-deploy workflow,
as the first step towards solving seL4/l4v#497. This should unblock
verification manifest deployments.
The mcs-export job was added to the proof-deploy workflow to perform
SimplExportAndRefine for binary verification targets. It took a short
cut, using the master branch of l4v to perform SimplExportAndRefine for
MCS configurations, since there were no differences between rt and
master that were relevant to SimplExportAndRefine. This is no longer the
case, because MCS seL4 C code now contains C parser annotations that use
symbols only available in the rt branch of l4v.
We intend to add an equivalent job that uses the rt branch of l4v for
MCS SimplExportAndRefine, but are still working out the best way to do
that.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
The strict function application operator made sense when performance
mattered because the model was used from a simulator. Now it's just
noise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
GHC 9.0.2 requires a space between ! and the operand to distinguish
the expression from a bang pattern.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
GHC 9.0.2 is more strict in its pattern syntax and rejects @ patterns
that are surrounded by parentheses.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- switch to lts-19.12 (GHC 9.0.2)
- use cabal v2 commands, which build locally by default and don't
need a separate sandbox
- update SEL4.cabal file to cabal spec version 3
- remove generated `cabal.project.local~*` backup files after configure
to avoid flooding the directory
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>