331a0ee1c2
Minor adjustments to the patch for selfour-1491.
...
There were some sloppy last-minute changes that were not properly tested
and managed to evade testing. These contained a single logical omission
and a few typographic mistakes.
2018-09-21 10:09:49 +10:00
8173a37c2d
Updated specs and proofs for SELFOUR-1491: control IRQ triggering on ARM.
2018-09-19 16:18:09 +10:00
0044c57e14
lib: change runErrorT to runExceptT to match Haskell code
2018-09-04 14:59:45 +10:00
0619a4694d
Isabelle2018 x64: CRefine
2018-08-20 09:06:37 +10:00
ba38cc0f16
Isabelle2018 arm-hyp: CRefine
2018-08-20 09:06:37 +10:00
934ba36fd1
lib/clib: move DetWPLib from CLib to Lib
...
Doesn't have any C dependencies.
2018-08-20 09:06:37 +10:00
6ac17c3243
Isabelle2018: use session ident in @theory antiquotes
2018-08-20 09:06:37 +10:00
a1d1b69776
Isabelle2018 arm: CRefine
2018-08-20 09:06:37 +10:00
6b9d9d24dd
Isabelle2018: new "op x" syntax; now is "(x)"
...
(result of "isabelle update_op -m <dir>")
2018-08-20 09:06:35 +10:00
011e08458e
Isabelle2018: new comment syntax
...
(result of "isabelle update_comments <dirs>")
2018-08-20 09:06:35 +10:00
b5cdf4703f
globally use session-qualified imports; add Lib session
...
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
2018-08-20 09:06:34 +10:00
2151a57c51
x64: crefine: move two lemmas up to CSpaceAcc_C
2018-08-17 15:41:12 +10:00
4ddf8ec2e4
x64: crefine: remove needless `unwrap_or` def
2018-08-17 15:41:12 +10:00
5ae7cc23b1
aspec: msg_align_bits and related are arch independent
...
While the numerical value is arch dependent, the definition and symbolic value
are not. This commit factors out the symbolic computation and only unfolds the
numeric value in the architecture dependent spec.
2018-08-06 11:22:51 +10:00
26049db669
Repair proofs for wpsimp/crunch changes.
...
A handle of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.
2018-08-03 18:25:30 +10:00
9e0551f56a
arm-hyp: update proofs for TPIDRUR[OW]/TLS_BASE preservation
...
TPIDRUR[OW] registers removed from VCPU registers. Their saving now
lives in arch_c_entry_hook, which is before verified code is hit.
Relevant for verification, TPIDRURO is already handled as TLS_BASE
register, and TPIDRURW (holds IPC buffer) is saved/restored as part of
normal thread register save/restore.
2018-07-12 23:38:58 +10:00
e11abb6011
x64: crefine: prove isIOPortRangeFree_spec
2018-07-05 17:07:58 +10:00
80693df8e2
x64 crefine: add mask_eq_ucast_shiftl
2018-07-05 17:07:58 +10:00
3231ee17bf
x64 crefine: prove 'return false' case of isIOPortRangeFree_spec postcondition
2018-07-05 17:07:58 +10:00
aabf8ded2e
x64 crefine: progress on isIOPortRangeFree_spec postcondition
2018-07-05 17:07:58 +10:00
7eb8e01443
x64: crefine: proved word_highbits_bounded_highbits_eq
...
Contributed by: Michael Sproul <michael.sproul@data61.csiro.au>
2018-07-05 17:07:57 +10:00
da05f4f72e
x64: crefine: cleared vcg precondition sorry in isIOPortRangeFree_spec, modulo small word lemma
2018-07-05 17:07:57 +10:00
b9c3279779
x64 crefine: prove mask_le_mono
...
Contributed by: Thomas Sewell <Thomas.Sewell@data61.csiro.au>
2018-07-05 17:07:57 +10:00
7a951cad95
x64 crefine: prove invariant preservation for isIOPortRangeFree_spec
2018-07-05 17:07:49 +10:00
7af93e5bc1
x64: crefine: prove word_minus_1_shiftr
2018-07-05 16:23:15 +10:00
07b60ec185
x64: crefine: progress on sorries in isIOPortRangeFree_spec
2018-07-05 16:23:15 +10:00
f0a8621434
x64 crefine: prove isIOPortRangeFree_ccorres in Arch_C (WIP)
2018-07-05 16:23:15 +10:00
91b55bc74b
x64 crefine: progress on spec and inv for isIOPortRangeFree
2018-07-05 16:23:15 +10:00
74e74571ca
x64 crefine: prove setIOPortMask_ccorres in CSpace_C
2018-07-05 16:23:15 +10:00
72e3dcc8e2
x64: crefine: prove decodeX64MMUInvocation_ccorres
...
Required adding a case to cl_valid_cap to encode the relationship between a
PML4Cap's IsMapped bit and its MappedASID.
2018-07-05 16:23:15 +10:00
5ce7ed478f
x64: crefine: add SetTLSBase invocation to x64 CRefine
2018-07-05 16:23:15 +10:00
2558a7c6e5
x64: crefine: update decodeX64FrameInvocation to not mask with PPTR_USER_TOP
2018-07-05 16:23:15 +10:00
89df98ec14
x64: fix inadvertently broken lemma in CSpace_C
2018-07-05 16:23:15 +10:00
417e6b8bc1
arm-hyp: crefine: fix up eisr_calc proof for strengthened ccorres_rewrite
2018-07-05 16:23:15 +10:00
584c6e9d26
x64: crefine: prove decodeX64FrameInvocation_ccorres
2018-07-05 16:23:15 +10:00
5ed7bb16be
x64: fix up definition of performPageInvocation for unmapping pages
2018-07-05 16:23:15 +10:00
700060b642
x64 crefine: prove Arch_decodeInvocation_ccorres in Arch_C
2018-07-05 16:23:15 +10:00
047f96c711
x64 crefine: prove kernel_mappings conditions in Retype_C
2018-07-05 16:23:15 +10:00
3686d79677
x64 crefine: prove createObjects_asidpool_ccorres in Arch_C
...
In x64, asid_map_C is now a bitfield union type, whereas in ARM,
the ASID pool contains plain pointers. This means that proving
ccorres for the x64 ASID pool placeNewObject operation requires
some additional unfolding of C type information.
2018-07-05 16:23:15 +10:00
c390013909
x64 crefine: prove several lemmas in Retype_C
...
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.
2018-07-05 16:23:15 +10:00
26b218e4bd
x64: crefine: clear sorries for decode PT/PD/PDPT
2018-07-05 16:23:15 +10:00
0bad7af88b
x64: crefine: actually clear last ioport_table_C sorry
2018-07-05 16:23:15 +10:00
1dea36ed6f
x64: crefine: add some tag disjunctions for ioport_table_C to SR_Lemmas_C
2018-07-05 16:23:15 +10:00
bcd21f27bf
x64: crefine: clear final two sorries from ioport_bitmap_relation fallout
2018-07-05 16:23:15 +10:00
d6a620ec5d
x64: crefine: move setIOPortMask_ccorres to CSpace_C, finish freeIOPortRange_ccorres
2018-07-05 16:23:15 +10:00
3c65b91512
x64: crefine: finished invokeX86PortControl_ccorres and decodeIOPortControlInvocation_ccorres
2018-07-05 16:23:15 +10:00
d487d1fc6a
x64: crefine: added ioport bitmap to StateRelation_C
2018-07-05 16:23:15 +10:00
95cdaa8ad7
x64: crefine: cleared sorry in decodeIOPortInvocation_ccorres
2018-07-05 16:23:15 +10:00
cf1052e303
x64: crefine: prove prepareThreadDelete_ccorres (VER-837)
2018-07-05 16:23:15 +10:00
f68aa38531
x64: crefine: almost finished decodeX86PortInvocation_ccorres
2018-07-05 16:23:15 +10:00
68456a1979
x64: crefine: decodeIOPortInvocation progress
2018-07-05 16:23:15 +10:00
f21096d987
x64: crefine: progress in Arch_C, added performPDPTInvocationMap_ccorres, makeUserPML4E_spec
2018-07-05 16:23:15 +10:00
648938513f
x64: crefine: prove Arch_finaliseCap_ccorres
2018-07-05 16:23:15 +10:00
b48f530591
x64: crefine: assorted progress in Arch_C
2018-07-05 16:23:15 +10:00
278e0fcbb9
x64: crefine: finished ensurePortOperationAllowed_ccorres, progress in decodeIOPortInvocation_ccorres
2018-07-05 16:23:15 +10:00
9bef874088
x64: crefine: finished performPageInvocation[Map|Remap]PDPTE_ccorres
2018-07-05 16:23:15 +10:00
80f54f33f0
x64: crefine: progress in Arch_C
2018-07-05 16:23:15 +10:00
215d235b37
x64: crefine: unmapPDPointerTable_ccorres
2018-07-05 16:23:15 +10:00
2b7a529724
x64: crefine: clear sorry in CSpace_C (VER-930)
2018-07-05 16:23:15 +10:00
219622476d
x64: crefine: remove blank lines from EOF
2018-07-05 16:23:15 +10:00
4fedfb5e35
x64: crefine: clear remaining sorry in Interrupt_C (VER-879)
2018-07-05 16:23:15 +10:00
cdaf0923ee
x64: crefine: remove outdated comment about VER-830
2018-07-05 16:23:15 +10:00
e5ecf10b14
arm+arm_hyp: crefine: use ccorres_disj_division from lib
2018-07-05 16:23:15 +10:00
87f22b6171
x64: crefine: cleared more sorries in Arch_C, narrowed others
2018-07-05 16:23:15 +10:00
7786f4856f
x64: crefine: cleared sorry from performASIDControlInvocation_ccorres
2018-07-05 16:23:15 +10:00
f8d04ac291
x64: crefine: cleared perform PD/PDPT unmap sorries
2018-07-05 16:23:15 +10:00
1a83b536e3
x64: crefine: cleared deleteASID_ccorres and deleteASIDPool_ccorres
2018-07-05 16:23:15 +10:00
06bd3ca2fa
x64: crefine: cleared isFinalCapability_ccorres
2018-07-05 16:23:15 +10:00
33d34ad2e2
x64: crefine: narrowed sorries in Finalise_C
2018-07-05 16:23:15 +10:00
9b22083af4
x64: progress on Arch_finaliseCap_ccorres, added unmap lemmas
2018-07-05 16:23:15 +10:00
30b4433138
x64: cleared sorry in finaliseCap_ccorres
2018-07-05 16:23:15 +10:00
04d557f8bb
x64: crefine: narrowed sorry in finaliseCap_ccorres, awaiting C code change
2018-07-05 16:23:15 +10:00
338203c9d8
x64: cleared flushTable_ccorres sorry, need to bubble up page_table_at' assumption
2018-07-05 16:23:15 +10:00
b13f274185
x64: crefine: narrowed down sorries in CSpace_C, updates for ioportcontrol
2018-07-05 16:23:15 +10:00
0335855e4e
x64 crefine: partially remove unmapPageTable_ccorres sorry
2018-07-05 16:23:15 +10:00
8a3df01380
x64 crefine: remove performPageTableInvocationUnmap_ccorres sorry
2018-07-05 16:23:15 +10:00
4049edaac0
x64: clear copyGlobalMappings sorries in Retype_C
2018-07-05 16:23:15 +10:00
4ac8a32c78
x64: clear last sorry in ADT_C
2018-07-05 16:23:15 +10:00
4fafbb76a1
x64: clear last sorry in VSpace_C
2018-07-05 16:23:15 +10:00
58f74efb56
x64: clear some sorries in VSpace_C
2018-07-05 16:23:15 +10:00
4967850316
x64: clear wordFromMessageInfo_spec sorry in VSpace_C
2018-07-05 16:23:15 +10:00
cf87e5c8e0
x64: s/framSizeConstants/frameSizeConstants/
2018-07-05 16:23:15 +10:00
7a3e1e7387
x64 crefine: Invoke_C sorry free
2018-07-05 16:23:15 +10:00
e7145a693e
x64: proof update for crunch changes
2018-07-05 16:23:15 +10:00
dcae6bc292
x64: clear some sorries in VSpace_C
...
Includes experiments with AutoCorres.
2018-07-05 16:23:15 +10:00
f649240cde
x64: CR3 and machine op updates for Meltdown
2018-07-05 16:23:15 +10:00
a3de401c09
x64: more abstract specs and invariants for ASIDs
2018-07-05 16:23:15 +10:00
b9efd5f7b2
clib: infrastructure for using AutoCorres in CRefine
2018-07-05 16:23:15 +10:00
dc2069aba0
x64 crefine: Refine_C sorry free
2018-07-05 16:23:15 +10:00
1a29b76e12
x64 crefine: close Arch_finaliseInterrupt sorry
2018-07-05 16:23:15 +10:00
49545b0235
x64 crefine: remaining Invoke_C sorries are C bugs
2018-07-05 16:23:15 +10:00
bec409b99c
x64 crefine: removed 5 sorries in Invoke_C
2018-07-05 16:23:15 +10:00
c8218a81d6
x64 crefine: Syscall_C sorry free
2018-07-05 16:23:15 +10:00
25681afb98
x64 refine: IpcCancel_C sorry free
...
also moved up a couple of canonical_address lemmas to SR_lemmas_C
2018-07-05 16:23:15 +10:00
2b6f472c19
x64 crefine: CSpace_All sorry free
2018-07-05 16:23:15 +10:00
2a3639c6f6
x64 crefine: Schedule_C sorry free
2018-07-05 16:23:15 +10:00
8e9c6acd0f
x64 crefine: Delete_C sorry free
2018-07-05 16:23:15 +10:00
5b45186152
x64 crefine: Recycle_C sorry free
2018-07-05 16:23:15 +10:00
4bdcf91149
x64 crefine: remove some sorries in Retype_C; document rest
2018-07-05 16:23:15 +10:00
f20ec59695
x64: crefine: performPageInvocationUnmap
...
Depends on one lemma that will remain sorried until VER-917 is complete.
2018-07-05 16:23:15 +10:00
Mitchell Buckley
Ilya Yanok
Gerwin Klein
Michael Sproul
Thomas Sewell
Rafal Kolanski
Matthew Brecknell
Joel Beeren
Thibaut Perami
Corey Lewis