Some attributes attached to global variables weren't kept in
the AST if they appeared at the front of the declaration rather
than the back.
For instance, the aligned attribute was lost in this declaration:
int __attribute__((aligned(16))) x;
but kept if it appeared last:
int y __attribute__((aligned(16)));
Now fixed.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
Previously, everything was counted under session CParser, incl most of
Word_Lib. The dependency on Word_Lib thus revealed means Word_lib is the
better base image for session Simpl-VCG.
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
In particular, some intro! attributes for some wp rules are removed.
These previously caused auto/fastforce to play a really strange role
in some proofs.
These combinator rules do something like what wp_pre does now.
They were helpful in the ancient past, but now that wp_pre exists it is
much better to just use automation.
Abandon post-processing. There's some fragility somewhere that requires
process_stmt to see exactly the statements that go out, so it needs to run
last.
To handle initialiser elements, re-run process_stmt over the initialiser
statements that are created by process_decl. That's repeating some steps,
but it seems to work.
Waiting on input from Michael N about how crazy this is, but for now we're
pushing it to testing.
Two kinds of function calls were escaping the analysis. The first is simple,
the ReturnFnCall statement type, which was a silly omission from before.
Function calls inside initialiser statements are a more difficult problem.
The simplest solution was to move the VER-881 calculation into a
post-processing phase once those function calls have been moved to statement
positions.
This scans for statement-level function calls which will have complex
lvalue translations, either because their lvalues are compound
expressions or because their function return type will be promoted to
be stored. It treats them like expression-level function calls, with
an additional call statement added (saving to a ret_ variable) and
the complex lvalue step treated like an assignment.
When given a theorem, find_names finds other names the theorem appears
under, via matching on the whole proposition. It will not identify
unnamed theorems.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
This commit adds a method `ac_init`, which converts a ccorres goal into
a corres goal. It also adds an attribute `ac`, which converts a ccorres
fact into a corres fact, in a form suitable for solving goals produced
by `ac_init`.
* make_spec.sh was generating a `version` file regardless of the
outcome of the script, this was causing `make design` (in
spec/design) to always succeed when ran a second time, which in
was generating confusing (and semi-non-deterministic) error
messages when called through `./run-test`
tags: [NO_PROOF]
The C kernel build in cspec was changed to have a different directory structure and
build targets. This updates the make_munge.sh script to reflect those changes
tags: [NO_PROOF]
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
This adds the lemma td_names_word64 to match existing lemmas
td_names_word32 and td_names_word8, allowing further simplification
using typ_heap_simps in CRefine.
Failing to do this can result in variables that haven't been
appropriately "munged", resulting in the wrong or no var_info being
associated with them in the AST.
JIRA VER-808
Rewrite associative array usage as a function lookup.
OSX users do not have access to a non-ancient /bin/bash by default and
complain that our use of associative arrays (declare -A) does not work.
Tags: VER-802
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
Modifies proofs now include a preprocessing step which breaks programs
into parts before passing goals to the VCG. This means there are more
calls to the VCG, but the VCG only sees individual Basic and Spec
commands, and procedure calls.
This avoids performance issues in some pathological cases. In
particular, long sequences of updates to arrays via pointer-to-struct
previously seemed to be exponential in the number of updates.
These are copied verbatim from ARM as the word and pointer sizes are
identical.
These could be auto-generated by a Makefile, but a Makefile is not
invoked when building CKernel.
(copied from ARM)
Per-plaform CPP configuration for spec-check and make-spec.
The configuration is still duplicated between the two scripts, but now
the translation/check for ARM_HYP will use correct CPP settings.
The 'success' messages in the modifies proof were being produced as
soon as Goal.prove_future returned, which is pretty much right away.
Instead produce messages once the forked proof is finished.
Unify some tracing features that didn't go through the Feedback structure.
Add config to isar_install allowing Feedback to be traced to a file in real
time as well as to standard Isabelle output channels.
* Consistently use the c-parser 'addr' type alias for pointer values.
* Include word abstraction and polish for 64-bit integral types.
* Include all current c-parser platforms in release packaging scripts.
More work is required to properly abstract AutoCorres tests across
architectures. The tests currently pass for both ARM and X64. However,
in a number of tests, we exploit the coincidences that 'int' is the same
size on both platforms (32 bits), and that 'long' is the same as the
pointer size on each platform (32 bits and 64 bits, respectively).
This creates an issue because "unat x < 1" is reduced to "unat x = 0"
by the simplifier, meaning the unat_mono tactic doesn't get to operate on
it. The fix is pretty easy. Also includes some extra investigation material.
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
Some lemmas that were specific instances of more general lemmas have
been removed from the library. In most cases, broken references could
simply be replaced with the more general fact.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
Adds an additional analysis option to the external C parser. This
will report about any asm statements that were encountered and could
not be properly handled.
[NO_PROOF]
To restore some previous functionality, add a mechanism by which an __asm__
statement too complex to be translated can still be ignored (handled as an
empty statement). A demo file does this for a wrapper around "nop".
Also use this facility to support legacy camkes-glue proofs which assume
that the software interrupt operator "swi" doesn't break anything.
The C-parser contains a full parser for __asm__ syntax but
up until now hasn't done anything with it. Instead we export
some semantics. It's unspecified exactly what these semantics
are but they are parametrised with the __asm__ semantics that
went in to them, so the translation validation has something
to reason about.
Tweak modifies proofs as a result, and add some more test files.
* commit '8d4a8eb238090999b4b41f588d5fa63453d58ae8':
SELFOUR-421: fix coding style
SELFOUR-421: fix drefine
SELFOUR-421: add device bit in UntypedCap and FrameCap in capdl
SELFOUR-421: infoflow and infoflow_c builds
SELFOUR-421: crefine builds
SELFOUR-421: commit before change abstract again
SELFOUR-421: fix refine
SELFOUR-421: a defend version before wild changes
SELFOUR-421: new haskell spec after UserDataDevice changes
SELFOUR-421: broken crefine after conversation with gerwin
SELFOUR-421: up to VSpace_C done
SELFOUR-421: temp work in CSpace_C
SELFOUR-421: fixed Refine after merge with master
SELFOUR-421: retranslate haskell after merge with master
SELFOUR-421: random uncommitted stuff before merge
SELFOUR-421: retranslate haskell for fixed range check
SELFOUR-421: refine done
SELFOUR-421: added check to decoding asid control invocations and stole an asid bit from the high bits not the low ones
SELFOUR-421: AInvs done, no added invariants yet
SELFOUR-421: first attempt at abstract spec
Architecture names follow L4V_ARCH-style naming conventions ('ARM', 'FAKE64').
However, the standalone parser does not make use of the L4V_ARCH environment
variable.
The standalone-parser Makefile builds all architectures at once, producing
binaries at 'ARM/c-parser', 'FAKE64/c-parser', and similarly for the tokenizer.
There are also wrapper scripts 'c-parser' and 'tokenizer' in the
standalone-parser directory, which take an architecture on the command line.
The make_munge.sh script calls the appropriate binary parser directly.
This is apparently valid C:
enum {
One,
Two = One + 1,
};
It's easy to support this by using the partially modified enum
environment in evaluation of the following right hand sides.
A skeleton line of the form
\#INCLUDE_SETTINGS keep_constructor=asidpool
now ensures that the asidpool type constructor is actually created in
subsequent #INCLUDE_HASKELL declarations. It turns out this feature was already
available, and already used for asidpools, this change just makes it externally
adjustable.
CParseTools was triggering a race condition by removing a mistakenly
added license header on CSpec.grm.sig while (potentially) the CParser
session was still being build by Isabelle, thus causing all sessions
depending on CParser to rebuild (At the same time!).
Give the standalone c-parser the facility to dump out its internal AST. Only
half finished, I got bored writing serialisers for the many syntax datatypes.
There has been some discussion about how to check whether an seL4 change
impacts verification. My thought was that the obvious thing to check is the
C-parser's AST. If this is unchanged, then further analyses must be unchanged.
The “statistics” output has been disabled for some time, and the
print_stats option has never been part of the publicly documented
interface, so hopefully this removal will go unnoticed.
Some of the terms measured by the stats code are available through
the recently-added trace_* options (but not all).
This is the “last” step of the Jira VER-517/VER-522 refactoring
(still does not support pausing between phases, but the relevant
infrastructure is there now).
Ought to pass AutoCorresTest suite now.
Brain fart: the corres proofs still have recursive assumptions,
even if the final function does not use them. This means that
attempting to split groups prior to definitions is doomed to fail.
The topology of recursive function groups can change due to dead code
elimination. This used to be handled (buggily, after define stages) by
the old code. This commit attempts to handle it properly (between convert
and define stages), using a new variant of the Seq data structure.
(Still not done for TS, though.)
Also (literally) fixes many free variables that used to be unhygienic.
Also makes the L2,HL,WA dataflow more uniform (but not yet refactored).
Heap lifting is annoying because we need to join all intermediate L2 results
before defining the lifted heap and proving heap lemmas.
This has been refactored into a new prepare_heap_lift stage that runs between
L2 conversion and HL proper.
With this we move away from a global mutable fn_info; instead we will
use a table of persistent (lazy) entries for each phase.
Function call metadata is also now either stored locally or recomputed
on-demand for each stage (with a few TODOs).
Specification of file to emit to is via command-line switch. Take the
opportunity to make comand-line processing be done via GetOpt library.
JIRA VER-473
This removes some modifications that the theories make to the simpset
and other global context, which slightly reduces breakage when importing
AutoCorres into other theories.
Unfortunately, some of the tests/examples seem to rely on specific
modifications to simp and wp, so removing those will be harder.
Also some simplification stages still seem to use the global simpset
instead of AUTOCORRES_SIMPSET; need to debug later.
* commit 'ecbb860532b4c576fc4726a805802f16bcf5302c': (29 commits)
autocorres-crefine: specialise corres_no_failI for compatibility with Refine
Add license tags for autocorres-crefine files
crefine: refactor AutoCorresTest a bit
autocorres-crefine: remove local debugging imports
Fix InfoFlowC to accommodate corres_underlying changes.
Fix DRefine to accommodate corres_underlying changes.
autocorres-crefine: experiment with manually translating a function (clzl).
autocorres-crefine: experiment with translating bitfield_gen specs.
autocorres-crefine: start a test case for function calls.
autocorres-crefine: update example proofs to work with no_c_termination, which does not require proving termination for the C spec.
autocorres: add user option "no_c_termination" for previous patch.
Making termination proof optional for AutoCorres.
WIP: autocorres: hacky proof of concept for incremental translation.
autocorres: add some missing WordAbstract rules.
autocorres-crefine: fix some comments in work theory.
autocorres-crefine: prove modifies and (simple) terminates specs.
autocorres-crefine: experiment with generating modifies proofs
autocorres-crefine: run autocorres in kernel_all_substitute locale
autocorres-crefine: update another corres_UL that snuck in before rebasing.
autocorres-crefine: working ccorres for handleYield (modulo some white lies).
...