Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This adds support for indexing into user contexts when `register_t` is
smaller than a word type, e.g. `uint8_t`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Also cleans up some of the debug config setup and makes result reporting
more useful.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Initially the `Makefile` copied `umm_heap/ARM_HYP` from `umm_heap/ARM`,
and deleted `umm_heap/ARM_HYP` during `make clean`. However, the
contents of `umm_heap/ARM_HYP` have since been committed, so this is no
longer appropriate.
Reported-by: Michael Norrish <Michael.Norrish@data61.csiro.au>
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This commit replaces separately generated selector functions with Isabelle's
built-in datatype selectors of the new datatype package (which is not that
new any more).
It currently does not touch discriminators yet, because they have a different
naming scheme and would require larger proof updates.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Changes the mungedb to also indicate whether a given munged name has an
alias.
In the Distant Past, the C parser emitted long and short names, and the
mungedb output recorded those names. When definitions were reordered in
a C file, different C variables might get the short name; this could
break proofs, but the mungedb output would indicate the change ahead of
time.
Now, the C parser emits long names for every C variable, but it also
emits a short abbreviation to replicate the behaviour of the C parser in
the Distant Past. However, the mungedb only displayed *definitions*, not
*abbreviations*, so if the variable abbreviated by a short name changed
then the mungedb wouldn't pick up on the change.
This commit changes the output to include an "alias status", indicating
whether the short C name has been exported as an alias for the indicated
Isabelle name. It also adds a test to confirm that the mungedb output
tracks aliasing correctly.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
This gives a significant speedup to the install_C_file command
when it generates field_lookup lemmas for struct types.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Turns out the reuse tool will get confused by the additional SPDX tag
in the file, even though it is not in a comment. This commit pulls
out the tag such that string matching will not trigger on it.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
A rule to generate `%.thy` from `%.c` was previously too general, such
that it could fire for `%.thy` files that were not intended to be
generated, overwriting existing `%.thy` files.
This recently became an intermittent problem, when several `%.c` files
were updated to comply with style checks. Depending on how an `l4v`
checkout was updated, this sometimes made those `%.c` files newer than
the corresponding `%.thy` files.
This commit converts the implicit pattern rule into a static pattern
rule that applies to exactly those `%.thy` files that are intended to be
generated.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Previously AUXUPD did not contribute to modifies proofs, and the only
reason this worked was that there usually is some heap assignment
somewhere else in the function if there is an AUXUPD. This commit adds
a modifies clause for the heap if a function has an AUXUPD.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Python 2 has passed its sunset date, and many distributions are
withdrawing support for Python 2.
PEP 394 recommends distributions always install versioned interpreter
commands (e.g. `python3`), but does not make a recommendation about
whether or not an unversioned command (`python`) should exist, or what
version it should run.
It therefore seems advisable to explicitly run scripts using the
`python3` command, for scripts that are compatible with Python 3.
Here, we do this for Python scripts used by `run_tests`. For this to
work, some scripts have been updated in ways that will break Python 2
compatibility. But for some other scripts which were already compatible
with both Python 2 and 3, we have not yet removed Python 2
compatibility. There are also miscellaneous scripts that are not used by
`run_tests`, and these have not yet been updated to Python 3.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
There is a special case for deriving Enum for datatypes with a single
constructor, but it should only fire when that constructor has exactly
one argument. Previously, one constructor with any argument count other
than one resulted in an assertion failure.
Splits parts of step 4 of the SimplExport proof process, in order to
expose them to the test theory. Adds some instructions on how to use
them.
Tags subgoals so that the user can identify which ones caused the
failure.
Consolidates ML setup code, and demarcates it to let users ignore it.
Now that asmrefine targets several arches, it's useful to separate out
any intermediate artefacts by L4V_ARCH. For instance, this lets us use
the same directory to test two arches at once.
Using a shared ref for configuration reduces the understandability of
code. It turns out the contents of the `globals_swap` ref:
1. Was always the same.
2. Was only used in one spot.
3. Could be recreated at that one spot.
So we do that instead.
Previously the parser rejected symbolic names in assembly specifiers
(the `[foo]` in `[foo]"r"(bar)`). Since the SIMPL semantics ignores the
body content of assembly, and since these specifiers only affect the
meaning of the body, this rejection was overcautious.
Previously, the parser rejected rval `"i"` and `"rK"` specifiers (which
indicate that the expression is to be used in some kind of immediate
mode). Again, this is out of scope for the SIMPL semantics, so we allow
it.
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform; may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
Adds a 'debug' configuration type to the main ProveSimplToGraphGoals
functions. Configuration lets the user control which functions will be
tested, and logs which functions fail testing.
Adds a 'single step' debug tactic for use in TestGraphRefine, and
demonstrates a few useful initial ML tactics for e.g. narrowing down
which subgoals are failing, and how to inspect a successful subgoal.
This adds translation rules for bitwise operators, along with suitable
guards. Note that the guard for signed `shiftl` follows the C standard,
rather than the incorrect c-parser guard (see VER-509).
There was no standard instance of `nat :: bit_operations` for unsigned
abstraction, so we also add one. It should be merged with the
(incomplete) HaskellLib instance later.
Closes Jira VER-1122.
Some code in the parser would incorrectly delete the source file
jiraver337.c, because the `Path` module now normalises the filename to
a different-looking name. This is fixed by adding a boolean flag for
whether the parsed file should be deleted or not.
Fixes Jira VER-1114.
A common frustration is seeing a term `Ptr x :: foo ptr` and not being
able to inspect the inferred type `foo` (this is especially true when
`Ptr` occurs within another expression).
Copying the style of `UCAST`, this adds syntax rules for displaying `Ptr
x :: foo ptr` as `PTR(foo) x` and `ptr_coerce (bar :: a ptr) :: b ptr`
as `PTR_COERCE(a -> b) bar`.
Just because we *can* extend the core SML `List` signature, that doesn't
mean we *should*. It's a neat trick, but it makes it harder to find uses
of the new modules, and obfuscates definitions for very little gain.
The C parser tracks what short names a given long name corresponds to.
Change AutoCorres to use that information, instead of trying to demangle
the names 'manually'.
Previously, the C parser would define locals differently depending on
the order they appear in the source (the first instance got a short
name, the second etc. got a longer one). This would sometimes make
things break when source was reordered.
Now, the C parser emits the long name for _every_ local, and emits an
abbreviation for backwards-compatibility and convenience for common
variables (like loop indexes `int i`).
Adjusts the Simpl syntax modifiers to work with abbreviations.
Modifies the VCG tactic to try and convert long-name bound variables in
the goal to their abbreviated names.
Note that we have removed the LIB_FILES manifest and no longer intend
to maintain it manually. Instead, we just extract the entire Lib and
CLib sessions from the L4.verified repository. This means that the
next AutoCorres release will have some unneeded theories and a couple
of files with GPL licenses.
Some attributes attached to global variables weren't kept in
the AST if they appeared at the front of the declaration rather
than the back.
For instance, the aligned attribute was lost in this declaration:
`int __attribute__((aligned(16))) x;`
but kept if it appeared last:
`int y __attribute__((aligned(16)));`
Now fixed.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turn means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
Previously, everything was counted under session CParser, including most of
Word_Lib. The dependency on Word_Lib thus revealed means Word_Lib is the
better base image for session Simpl-VCG.
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
In particular, some intro! attributes for some wp rules are removed.
These previously caused auto/fastforce to play a really strange role
in some proofs.
These combinator rules do something like what wp_pre does now.
They were helpful in the ancient past, but now that wp_pre exists it is
much better to just use automation.
Abandon post-processing. There's some fragility somewhere that requires
process_stmt to see exactly the statements that go out, so it needs to run
last.
To handle initialiser elements, re-run process_stmt over the initialiser
statements that are created by process_decl. That's repeating some steps,
but it seems to work.
Waiting on input from Michael N about how crazy this is, but for now we're
pushing it to testing.
Two kinds of function calls were escaping the analysis. The first is simple,
the ReturnFnCall statement type, which was a silly omission from before.
Function calls inside initialiser statements are a more difficult problem.
The simplest solution was to move the VER-881 calculation into a
post-processing phase once those function calls have been moved to statement
positions.