- define formally where 14 is coming from instead of trying to explain
in a comment,
- also remove unused parts of the lemma where it is used.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Make it possible to refer to the size of the irq type symbolically.
So far, this is only necessary in an example state for kernel init,
but it's still nicer to avoid magic numbers.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- switch off quick_and_dirty for AInvs session
- switch on quick_and_dirty for Refine session for development
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

For the proofs in ArchAInvsPre we require knowledge that the default
user-level tables do not map any user-space addresses. In hyp mode, the
default user-level table is completely empty, because the kernel has
its own separate table. We encode that empty table in the
`valid_global_tables` predicate analogously to the RISCV64 formulation.
We explicitly leave `valid_global_arch_objs` as a `typ_at` predicate,
because the proofs expect `valid_global_arch_objs` to be liftable.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The non_kernel_IRQs constant collects IRQs that cannot occur in kernel
mode. For non-hyp platforms this is usually empty; for hyp platforms we
add software-generated virtual interrupts.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

On ARM_HYP we added a fix for a problem discovered during the proof of
the VCPU invariant that the current VCPU always belongs to the current
thread. This commit ports that fix from ARM_HYP to AARCH64.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- align init_irq_node_ptr to its size (which is larger than in RISCV)
- remove ArmVSpaceUserRegion, because kernel has its own page table
- define global_pt_obj, add to initial heap
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Sync both values with what the C code does. The corresponding comment
in C is wrong and would not produce a safe value for pptrTop (the
comment says 2^48 - 2^30), but the actual definition in C (the
equivalent of 2^40 - 2^30) is safe.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Previously the wrong cap argument was checked against being the vspace
root (cap vs vspace_cap).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Ensure in valid_pti that page table operations, in particular
unmap_page_table, are only called on NormalPTs. This means we can
remove the vspace_for_asid precondition in the associated lemmas.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

While we do want to break up full OptionMonad terms in assumptions, we
do not usually want to break up projections.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

wp rules for most operators such as return, get, gets are named
return_wp, get_wp, etc. The when, whenE, unless, unlessE operators had
an additional hoare_.. prefix that this commit removes for more
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Moving `Monad_Equations.thy` and `More_NonDetMonadVCG.thy` into Monads
session enables us to remove the Lib and CLib session dependencies in
AutoCorres.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This session currently contains only one theory (CLib), which we want
to include both in Lib and later independently in CParser/AutoCorres.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Remove dependency on Lib.thy. Theory imports of AutoCorres are now
reduced to theories that can be moved out of the Lib session.
The proof context changes a bit, but impact on test cases is minimal.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Remove Lib dependency. Introduce a new theory CLib which contains base
lemmas needed in LemmaBucket_C.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Since most bitwise operations are now available by default for nat,
only word abstraction in AutoCorres depends on NatBitwise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

It has no other lib dependencies and over time should probably be
merged directly into umm theories. For now, move the entire file
and keep dependency structure.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The idea is to collect Eisbach extensions and things like Apply_Trace,
Apply_Debug etc here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

So that it is available together with the other empty_fail lemmas.
Eventually, these should go into their own theory.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>