Several constants are added to the top level crunch_ignore statement in
Bits_R.thy, then removed from individual crunch statements across Refine and
CRefine.
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
unat_ucast_8_64 states that upcasting an 8 word to a 64 word does not
change its value. We have a generic lemma for this which can be
specialised to this lemma: unat_ucast_up_simp[where 'a=8 and 'b=64,
simplified].
Prior to this commit the kernel would always trigger a full reschedule
on setPriority. This change allows the kernel to attempt a direct
switch, avoiding invoking the scheduler.
When the bitfield generator switches to python 3, the dicts we use to
track data won't be iterated deterministically. These changes
disambiguate (some) record literals and accessors so that they aren't
sensitive to the definition order.
Changes in the C boot code mean that `tcb_C` and `asid_pool_C` are now
overloaded in the Isabelle C specification: They are constructors for
the respective C structs, and also accessors for fields of an unrelated
struct (`root_server_mem_t`). Consequently, we need to be more explicit
when naming the constructors.
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
The ARM C kernels have renamed the LR_svc and FaultInstruction registers
to NextIP and FaultIP respectively, for consistency with x86 kernels. A
patch for a similar renaming in the abstract and Haskell specifications
is forthcoming.
Previously, the C kernel maintained a global pointer to the IRQ node.
This pointer was only initialised during boot, when the actual IRQ node
was dynamically allocated from untyped memory.
The C kernel now includes a statically allocated IRQ node, which is just
a suitably sized array of CTEs. This commit updates the proofs to verify
this change to the C kernel.
Just because we *can* extend the core SML `List` signature, that doesn't
mean we *should*. It's a neat trick, but it makes it harder to find uses
of the new modules, and obfuscates definitions for very little gain.
Previously, tactics like `ctac` and `csymbr` would use definition names
to produce new bound variables. Now that the C parser always emits long
name *definitions* and short name *aliases*, we adjust these tactics to
try and shorten any new names they produce.
Recent changes to the C kernel mean that various structures and
constants are generated from DTS files. In particular, verification now
sees interrupt identifiers as integer literals instead of defined
constants.