Add and carry around a `pfx` parameter indicating the prefix under which
constants should be found. Without this prefix, items such as
enumeration constant names are guessed at from unqualified names. If the
unqualified name is hidden for some reason, or clobbered with another
name, the wrong constant gets used and leads to exciting errors.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The setup for L4V_ARCH=AARCH64 is identical to RISCV64, i.e. same word
length, encoding, and endianness. The setup includes the standalone
parser used for compile and preprocess checks in the seL4 repo.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Apparently, we still did releases with python2 in the past. This commit
updates the script to work cleanly with python3 and with both Linux
and Darwin.
For the latter, untarring and executing a downloaded tarball is not
easily supported on macOS, so instead of the tarball, we take a path to
the already unpacked Isabelle release.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Makes the release script more portable between BSD (macOS etc.) and
Linux. Assumes a `brew` install on macOS instead of the older macports.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Standard bash on macOS is very old; invoking it via /usr/bin/env allows
the user to put a newer version in the PATH.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
typ_name of word types was not simplifying fully, because a shorter
simp rule was taking precedence over the shortcut rules. The added
rules make the system confluent again.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Word_Lib was included multiple times in the graph, leading to name
shadowing. This commit makes Addr_Type the single point of entry.
Includes some cleanup/warning reductions.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This includes a tweak to Word_Lib to simplify ucast(-1) which
is now a term that occurs more often.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Loading the FunctionaRecordUpdate file in Isabelle is slow.
This change expands the fN family of functions, which fixes the problem.
Signed-off-by: vjackson725 <v.jackson@unsw.edu.au>
Prior to rendering an expression to SIMPL, the C parser extracts
function calls from the expression and reinserts them as new statements
placed just before the statement containing the expression. The result
of each such function call is assigned to a temporary variable which
takes the place of the function call in the original expression.
Prior to this commit, the C parser would not always generate fresh
temporary variable names when multiple temporaries were needed. In
particular, when the left-hand side of an assignment contained a
function call returning the same type as a function call in the
right-hand side expression, the extracted function calls would be
assigned to the *same* temporary variable.
This commit addresses the issue by carrying name generation state across
all expressions in each statement. It implements a state monad as an
abstract data type for this purpose.
Fixes https://sel4.atlassian.net/browse/VER-1389.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The AutoCorres quickstart document includes code from `*.c` files from a
given line number, to avoid including license headers and other details
that aren't useful in the document. This updates the line numbers for
the current license headers.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The links to nicta.com.au have stopped working, so the publication links
now point to the TS publication pages.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This commit adds support for inline assembly whose `lhs` updates a
global variable (such as the heap).
Prior to this commit, the modifies prover assumed that the `lhs` update
of an `asm_spec` only updated local variables. Specifically, the use of
`asm_store_eq_helper[OF globals.surjective globals.surjective]` as a
rewrite rule assumes that `globals (lhs v s)` simplifies to `globals s`,
exposing the `asm_store` inside `s` to the rewrite rule.
This commit avoids the assumption by using `globals.equality` as an
introduction rule. This produces more subgoals, but the subgoals are
relatively simple, so the performance is essentially unchanged.
This also slightly refactors `modifies_tactic`:
- `asm_spec` is handled without the `vcg`, using a new rule
`asm_spec_preserves`. This avoids having to deal with
`asm_spec_enabled` separately in `modifies_tactic`.
- `seq_all_new`, which chains `THEN_ALL_NEW`, avoids the need to
repeatedly use `ALLGOALS`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This should not be ignored longer term. The test itself is failing anyway,
but the code now throws an exception, which it shouldn't do.
See VER-1295
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This adds support for indexing into user contexts when `register_t` is
smaller than a word type, e.g. `uint8_t`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Also cleans up some of the debug config setup and makes result reporting
more useful.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Initially the `Makefile` copied `umm_heap/ARM_HYP` from `umm_heap/ARM`,
and deleted `umm_heap/ARM_HYP` during `make clean`. However, the
contents of `umm_heap/ARM_HYP` have since been committed, so this is no
longer appropriate.
Reported-by: Michael Norrish <Michael.Norrish@data61.csiro.au>
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This commit replaces separately generated selector functions with Isabelle's
built-in datatype selectors of the new datatype package (which is not that
new any more).
It currently does not touch discriminators yet, because they have a different
naming scheme and would require larger proof updates.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Changes the mungedb to also indicate whether a given munged name has an
alias.
In the Distant Past, the C parser emitted long and short names, and the
mungedb output recorded those names. When definitions were reordered in
a C file, different C variables might get the short name; this could
break proofs, but the mungedb output would indicate the change ahead of
time.
Now, the C parser emits long names for every C variable, but it also
emits a short abbreviation to replicate the behaviour of the C parser in
the Distant Past. However, the mungedb only displayed *definitions*, not
*abbreviations*, so if the variable abbreviated by a short name changed
then the mungedb wouldn't pick up on the change.
This commit changes the output to include an "alias status", indicating
whether the short C name has been exported as an alias for the indicated
Isabelle name. It also adds a test to confirm that the mungedb output
tracks aliasing correctly.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
This gives a significant speedup to the install_C_file command
when it generates field_lookup lemmas for struct types.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Turns out the reuse tool will get confused by the additional SPDX tag
in the file, even though it is not in a comment. This commit pulls
out the tag such that string matching will not trigger on it.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
A rule to generate `%.thy` from `%.c` was previously too general, such
that it could fire for `%.thy` files that were not intended to be
generated, overwriting existing `%.thy` files.
This recently became an intermittent problem, when several `%.c` files
were updated to comply with style checks. Depending on how an `l4v`
checkout was updated, this sometimes made those `%.c` files newer than
the corresponding `%.thy` files.
This commit converts the implicit pattern rule into a static pattern
rule that applies to exactly those `%.thy` files that are intended to be
generated.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
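As an added illustration of the rule change described above (this is not the l4v Makefile; the theory and C file names and the `GENERATE` command are assumptions), the over-general implicit pattern rule is shown commented out beside the static pattern rule that restricts generation to the listed targets:

```makefile
# Added example, not from the l4v repository. File names and the
# GENERATE command below are assumptions for illustration only.
GENERATE ?= ./gen_theory.sh

# Hand-written theories that must never be regenerated (assumed names).
HANDWRITTEN_THYS := Foo.thy Bar.thy
# Theories that are legitimately produced from C sources (assumed names).
GENERATED_THYS := gen_one.thy gen_two.thy

# BEFORE: an implicit pattern rule. make applies it to *any* target ending
# in .thy for which a same-stem .c file exists and is newer, including
# Foo.thy if a Foo.c happens to be present. A checkout whose timestamps make
# Foo.c newer than Foo.thy then silently overwrites the hand-written theory.
#
# %.thy: %.c
# 	$(GENERATE) $< > $@

# AFTER: a static pattern rule. Only the explicitly listed targets are
# matched against the pattern; Foo.thy and Bar.thy are never candidates,
# whatever their timestamps relative to Foo.c or Bar.c.
$(GENERATED_THYS): %.thy: %.c
	$(GENERATE) $< > $@

.PHONY: all
all: $(GENERATED_THYS)
```

Running `make -n all` with both variants in place shows the difference: with the implicit rule, a stale `Foo.thy` next to a newer `Foo.c` appears in the dry-run plan; with the static pattern rule it never does, because it is not a member of `$(GENERATED_THYS)`.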
Previously AUXUPD did not contribute to modifies proofs, and the only
reason this worked was that there usually is some heap assignment
somewhere else in the function if there is an AUXUPD. This commit adds
a modifies clause for the heap if a function has an AUXUPD.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Python 2 has passed its sunset date, and many distributions are
withdrawing support for Python 2.
PEP 394 recommends distributions always install versioned interpreter
commands (e.g. `python3`), but does not make a recommendation about
whether or not an unversioned command (`python`) should exist, or what
version it should run.
It therefore seems advisable to explicitly run scripts using the
`python3` command, for scripts that are compatible with Python 3.
Here, we do this for Python scripts used by `run_tests`. For this to
work, some scripts have been updated in ways that will break Python 2
compatibility. But for some other scripts which were already compatible
with both Python 2 and 3, we have not yet removed Python 2
compatibility. There are also miscellaneous scripts that are not used by
`run_tests`, and these have not yet been updated to Python 3.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
There is a special case for deriving Enum for datatypes with a single
constructor, but it should only fire when that constructor has exactly
one argument. Previously, one constructor with any argument count other
than one resulted in an assertion failure.
Splits parts of step 4 of the SimplExport proof process, in order to
expose them to the test theory. Adds some instructions on how to use
them.
Tags subgoals so that the user can identify which ones caused the
failure.
Consolidates ML setup code, and demarcates it to let users ignore it.
Now that asmrefine targets several arches, it's useful to separate out
any intermediate artefacts by L4V_ARCH. For instance, this lets us use
the same directory to test two arches at once.
Using a shared ref for configuration reduces the understandability of
code. It turns out the contents of the `globals_swap` ref:
1. Was always the same.
2. Was only used in one spot.
3. Could be recreated at that one spot.
So we do that instead.
Previously the parser rejected symbolic names in assembly specifiers
(the `[foo]` in `[foo]"r"(bar)`). Since the SIMPL semantics ignores the
body content of assembly, and since these specifiers only affect the
meaning of the body, this rejection was overcautious.
Previously, the parser rejected rval `"i"` and `"rK"` specifiers (which
indicate that the expression is to be used in some kind of immediate
mode). Again, this is out of scope for the SIMPL semantics, so we allow
it.
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform; may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
Check, decode, and perform IRQ control fully implemented to match the CSpec.
Adds a 'debug' configuration type to the main ProveSimplToGraphGoals
functions. Configuration lets the user control which functions will be
tested, and logs which functions fail testing.
Adds a 'single step' debug tactic for use in TestGraphRefine, and
demonstrates a few useful initial ML tactics for e.g. narrowing down
which subgoals are failing, and how to inspect a successful subgoal.