0603b7d57c
riscv ainvs: adjust frame invocation conditions; prove decode
2019-07-31 16:55:32 +10:00
ea334dc044
riscv ainvs: cleanup, combine unique_vs_lookup_table/no_loop_vs_lookup_table
...
Prove the same for vs_lookup_slot, moving up lemmas and global_pt abbreviation
from ArchVSpace.
2019-07-31 16:55:32 +10:00
f443145e9c
riscv ainvs: more vs_lookup_target/table properties
2019-07-31 16:55:32 +10:00
e46c7403fc
riscv ainvs: reduce ArchArch to page invocation decode
2019-07-31 16:55:32 +10:00
7a712d9d53
riscv ainvs: close 2 more sorries in ArchFinalise
2019-07-31 16:55:32 +10:00
faa124c6a1
riscv ainvs: clean out unused and vcpu-related lemmas
2019-07-31 16:55:32 +10:00
c08668c165
riscv ainvs: prove empty_slot invs in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
06f59c5f32
riscv ainvs: remove unused lemmas in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
cc02bb366c
riscv ainvs: close 4 asid_table sorries in ArchFinalise
2019-07-31 16:55:32 +10:00
e268d57128
riscv ainvs: clear sorries in ArchArch up to decode lemmas
2019-07-31 16:55:32 +10:00
ae30dff1a4
riscv ainvs: adjust and prove asid_update locale in ArchArch_AI
2019-07-31 16:55:32 +10:00
40587d59fe
riscv ainvs: progress in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
159a11baea
riscv ainvs: prove set_asid_pool_invs_restrict
...
+ update for extra preconditions on asid removal
2019-07-31 16:55:32 +10:00
f78f8c9092
riscv ainvs: minor cleanup/moving lemmas in ArchAcc_AI
2019-07-31 16:55:32 +10:00
57b8f451b1
riscv ainvs: prove set_asid_pool_vs_lookup_unmap'
2019-07-31 16:55:32 +10:00
f52c70af73
riscv ainvs: valid_vspace_objs over non-PTPTE store_pte
...
Weakened rules specific to InvalidPTE, showed
store_pte_PagePTE_valid_vspace_objs
2019-07-31 16:55:32 +10:00
a252e040e4
riscv ainvs: prove perform_asid_pool_invs
...
This includes various lemmas on copy_global_mappings.
2019-07-31 16:55:32 +10:00
0122b80dc5
riscv ainvs: improve ex_vs_lookup_table notation
...
Should now contract.
2019-07-31 16:55:32 +10:00
0f8d69a029
riscv ainvs: idempotency of lookups over unreachable updates
...
If there is no way to look up a vspace object, then changing it cannot
affect existing lookup paths.
2019-07-31 16:55:32 +10:00
2901899cc8
riscv ainvs: more invariant preservation over store_pte
...
shown preservation of:
valid_table_caps
valid_global_tables
valid_global_arch_objs
unique_table_refs
unique_table_caps
valid_asid_pool_caps
2019-07-31 16:55:32 +10:00
7409acb3e6
riscv ainvs: lift some set_pt properties to store_pte
2019-07-31 16:55:32 +10:00
744a85c311
riscv ainvs: remove simple sorries ArchArch_AI
2019-07-31 16:55:32 +10:00
6448a3c47d
riscv ainvs: clean out invariants and preconditions on ASID size
...
These are now already enforced by type.
2019-07-31 16:55:32 +10:00
75efc6a90c
riscv ainvs: remove 3 sorries ArchVSpace_AI
2019-07-31 16:55:32 +10:00
bb7062c263
riscv ainvs: clear out 7 sorries about replacable caps in ArchFinalise
...
(plus removal of one unused lemma)
2019-07-31 16:55:32 +10:00
d6a5b3c983
riscv ainvs: wellformed_mapdata more RISCV-idiomatic
...
use "vref : user_region", instead of pptr_base and canonical_address, which
was more an X64 idiom
2019-07-31 16:55:32 +10:00
f90a9d1080
riscv ainvs: close one sorry in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
6c3fb3a1cb
riscv ainvs: removed two unused lemmas (and sorries)
2019-07-31 16:55:32 +10:00
406a3eb9b4
riscv ainvs: idempotency of vs_lookup_table over kheap update
...
When we look up a vref and reach a page table / asid pool, it could not
have been used in the lookup and hence changing it has no effect on the
lookup.
2019-07-31 16:55:32 +10:00
8db6a74716
riscv ainvs: clear unneeded is_aligned from pt_walk_eqI up
2019-07-31 16:55:32 +10:00
a893a40aa5
riscv ainvs: reduce sorries in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
8fb9aa8b91
riscv ainvs: reduce sorries in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
1b9a7d3174
riscv ainvs: more automatic atyp_at lifting; vs_ap_ref_arch_simps
2019-07-31 16:55:32 +10:00
a88891ea7c
riscv ainvs: adjustments for is_valid_vtable root spec fix
2019-07-31 16:55:32 +10:00
c386d2a85e
riscv ainvs: remove trivial sorry in ArchVSpace_AI
2019-07-31 16:55:32 +10:00
2f2b7b0c7f
riscv ainvs: ArchRetype_AI sorry-free
2019-07-31 16:55:32 +10:00
298445c347
riscv ainvs: update ArchKernelInit_AI for user_region refactor
2019-07-31 16:55:32 +10:00
3171901efd
riscv ainvs: -1 sorry in ArchRetype_AI
2019-07-31 16:55:32 +10:00
cd49720dbe
riscv ainvs: refactor user_region to be state-independent
...
This refactoring makes user_region statically equal to {0 .. canonical_user},
which removes the need for a valid_uses s precondition in most lemmas about
user_region, which is needed for the generic/architecture interface in
ArchRetype_AI.
To express that this is equivalent with the old concept, there is a new
"user_window s", which under valid_uses, is the same set as user_region, but
demands that memory uses are correctly set to RISCVVSpaceUserRegion.
2019-07-31 16:55:32 +10:00
04926d48e4
riscv ainvs: clean-up (comment addressed in ArchAInvsPre)
2019-07-31 16:55:32 +10:00
30bda7cdc4
riscv ainvs: reduce sorries in ArchFinalise_AI
2019-07-31 16:55:32 +10:00
b27fa1e41e
riscv ainvs: reduce sorries in ArchAcc_AI
2019-07-31 16:55:32 +10:00
2b359f6265
riscv ainvs: typos: canoncial->canonical
2019-07-31 16:55:32 +10:00
89aafed912
riscv aspec+ainvs+haskell: update kernelBase, paddrLoad to match C
...
update for changeset 897aaf5b13f39ba2b9ca8ade3a58d1350eb42ad7
This changes properties of kernel_base, thereby invalidating two unused
lemmas: mask_out_8_le_kernel_base, mask_out_8_less_kernel_base
2019-07-31 16:55:32 +10:00
96b3876ad1
riscv ainvs: complete level uniqueness proof
...
ex_vs_lookup_level shows we can't find the same table/pool at different
lookup depths; combined with unique_vs_lookup_table we can now show that
there exists only one lookup path from the ASID table to any table/pool
object in the system
2019-07-31 16:55:32 +10:00
240302d89b
riscv ainvs: complete proof of no_loop_vs_lookup_table
...
Long-running joint work with Gerwin Klein.
This lemma demonstrates that from our invariants, when looking up two virtual
addresses in the same ASID, if lookups end up at the same page table, then
the page table must be found at the same level, disallowing loops in
either of the lookups.
2019-07-31 16:55:32 +10:00
b2600af6ec
riscv ainvs: -2 sorries in ArchRetype_AI
2019-07-31 16:55:32 +10:00
439b56eb11
riscv ainvs: adjust for pt_walk_0[simp]
2019-07-31 16:55:32 +10:00
5b0aa53836
riscv ainvs: add and migrate lemmas to ArchInvariants_AI
...
Adds properties of:
- vm_levels
- ptrFromPAddr alignment
- alignment of lookup/walk results
Some other lemmas migrated from ArchAcc_AI.
2019-07-31 16:55:31 +10:00
0296b241c8
riscv ainvs: generalise pt_slot_offset_vref/pt_slot_offset_vref_for_level_eq
...
Apply to any higher level rather than only max_pt_level.
2019-07-31 16:55:31 +10:00
223b41dbfa
riscv ainvs: -2 sorries in ArchRetype_AI
2019-07-31 16:55:31 +10:00
f774c6cc27
riscv ainvs: ArchVSpaceEntries_AI sorry-free
2019-07-31 16:55:31 +10:00
05b547c8bf
riscv ainvs: change pte to store ppn instead of address
...
We preserve the functionality of pte_info by converting the ppn to an address.
2019-07-31 16:55:31 +10:00
745b7d1863
riscv ainvs: update comment for vs_lookup_InvalidPTE proof
2019-07-31 16:55:31 +10:00
73aa8c85e4
ainvs: adjust to new None_upd_eq[simp] context
2019-07-31 16:55:31 +10:00
4112cae517
riscv ainvs: remove last numerical mentions of asid_high/low bits
2019-07-31 16:55:31 +10:00
47d8c75e76
riscv ainvs: reduce sorries in ArchAcc_AI
2019-07-31 16:55:31 +10:00
4e0bdf6572
riscv ainvs: reduce sorries in ArchCSpace_AI
2019-07-31 16:55:31 +10:00
4c190598bc
riscv ainvs: change valid_vs_lookup to use asid directly
...
(since we always look up from ASID level)
2019-07-31 16:55:31 +10:00
08a4b74d5a
riscv ainvs: strength kernel mapping invs; close sorries in ArchAInvsPre
...
Kernel mapping invariants enriched to show that:
- global tables never permit user rights
- global top-level table has no user mappings
2019-07-31 16:55:31 +10:00
80bbd083af
riscv ainvs/cleanup: lemma moves
2019-07-31 16:55:31 +10:00
9e83803199
riscv ainvs: close last sorry in ArchDetype_AI
2019-07-31 16:55:31 +10:00
f0d4054ec0
riscv ainvs: strengthen pt_lookup_target_pt_upd_eq; add _eqI version
...
(to be used in ArchDetype_AI)
2019-07-31 16:55:31 +10:00
c9399f56da
riscv ainvs: proved valid_arch_state_detype
2019-07-31 16:55:31 +10:00
254670fb54
riscv ainvs: reduce sorries in ArchDetype_AI
2019-07-31 16:55:31 +10:00
ed5b72b72a
riscv ainvs: ArchCNodeInv_AI sorry-free; valid_asid_pool_caps tweak
...
Tweaked valid_asid_pool_caps again to be more careful about which ASIDs
are required in the caps. The previous version was too strong.
2019-07-31 16:55:31 +10:00
f39db91457
riscv ainvs: -2 sorries in ArchCNodeInv_AI
...
(mostly cleared by previous is_nondevice_page_cap_simps addition)
2019-07-31 16:55:31 +10:00
f2f9c68fc4
riscv ainvs: -1 sorry in ArchCNodeInv_AI; is_nondevice_page_cap_simps
2019-07-31 16:55:31 +10:00
c44392fd89
riscv ainvs: ArchTCB_AI sorry-free
2019-07-31 16:55:31 +10:00
8725351ccc
riscv ainvs: ArchCSpaceInv_AI sorry-free; fix replaceable_final_arch_cap
2019-07-31 16:55:31 +10:00
4754ebbf7e
riscv ainvs: fewer sorries in ArchCSpaceInvPre_AI; adjusted invariants
...
1 sorry left, which should disappear after sync with work in ArchAcc_AI.
Strengthened valid_asid_pool_caps invariant to same phrasing as valid_vs_lookup
to get uniform preconditions for set_cap.
Strengthened reachable_target to actually cover all reachable targets of a
lookup (incl ASIDPools).
2019-07-31 16:55:31 +10:00
956255809e
riscv ainvs: sync ArchKernelInit_AI with invariant changes
2019-07-31 16:55:31 +10:00
f2ed0a5944
riscv ainvs: tweak valid_uses invariant to solve sorry in ArchAInvsPre
...
We previously had the user region from 0 to user_vtop, which does not
necessarily include all canonical addresses in the low range. However, even if
users are not able to map anything above user_vtop, they can still access a
virtual address > user_vtop, and our invariants cover this case. (Either the
address will simply not be mapped or it will be a lookup into the kernel part
of the vspace, i.e. a page fault for the user).
This commit introduces canonical_user as the largest canonical address in the
low range of canonical addresses, which is the range reserved for users.
2019-07-31 16:55:31 +10:00
bee9099ae6
riscv ainvs: implement arch ADT interface; reduce ArchAInvsPre sorries
...
The remaining 3 sorries in ArchAInvsPre need small invariant changes.
2019-07-31 16:55:31 +10:00
65cc19c172
lib: move up library lemmas from RISCV64 and X64
2019-07-31 16:55:31 +10:00
3cc2aa477e
riscv ainvs: ArchKHeap_AI sorry-free
...
Weakened assumptions of lifting lemma in ArchInvariants_AI for the proofs in
ArchKHeap_AI to go through.
2019-07-31 16:55:31 +10:00
3a5cc87d67
ainvs: allow multiple assumptions in use of lifting rule
2019-07-31 16:55:31 +10:00
fdc14273a8
riscv ainvs: ArchDetSchedSchedule_AI sorry-free
2019-07-31 16:55:31 +10:00
557803c8c4
riscv ainvs: ArchTcbAcc sorry-free
...
(proof from X64)
2019-07-31 16:55:31 +10:00
b8ed8a6115
riscv ainvs: ArchSchedule sorry-free
2019-07-31 16:55:31 +10:00
b99de6bee7
riscv ainvs: clear sorry in ArchIpc_AI
2019-07-31 16:55:31 +10:00
eb15e6a350
riscv ainvs: clear sorries related to decoding
2019-07-31 16:55:31 +10:00
0154a8bb77
riscv ainvs: clear sorries related to handle_vm_fault
2019-07-31 16:55:31 +10:00
c7d055eaa8
riscv ainvs: clear sorries related to user_vtop adjustment
2019-07-31 16:55:31 +10:00
0dad1f53ab
riscv ainvs: remove warnings for pt_slot_offset_id
...
(now in simpset)
2019-07-31 16:55:31 +10:00
87afc177f1
riscv ainvs: strengthen valid_uses for C sync; prove it consistent
...
C now has a user_vtop different from pptr_base, so valid_uses needed updating,
and since the intervals don't fully join up any more, also strengthening of the
user and kernel window properties.
To make sure this is all still consistent, there is now an example state in
ArchKernelInit_AI that is shown to satisfy these conditions.
2019-07-31 16:55:31 +10:00
9187c7d826
riscv ainvs: remove sorries caused by SELFOUR-1955
...
Currently this is a workaround, because the defect still exists, but if the
fix is done right, none of these proofs should have to change.
2019-07-31 16:55:31 +10:00
3f32b21d3c
riscv ainvs: add valid_global_tables to valid_arch_state
...
Previously valid_global_tables was nor deriveable from invs.
The best place I could think to put it is inside valid_arch_state.
This made a mess of some valid_arch_state_lift-related lemmas and
trivial valid_arch_state preservation in two cases, but seems a decent
tradeoff.
2019-07-31 16:55:31 +10:00
762c3f1eea
riscv ainvs: progress on ArchAcc_AI
...
set_pt_caps_of_state
store_pte_valid_objs
set_pt_equal_kernel_mappings
2019-07-31 16:55:31 +10:00
07f10f986e
riscv ainvs: convert valid_global_tables to _2 style
2019-07-31 16:55:31 +10:00
ab23a6bd45
riscv ainvs: preservation of valid_global_tables over set_pt
2019-07-31 16:55:31 +10:00
4319e81887
riscv ainvs: tweak global mapping invariants, port lookups to projections
...
Main change is valid_global_tables, which was previously insufficient
for preservation proofs over set_pt.
2019-07-31 16:55:31 +10:00
014f351265
riscv ainvs: global crunch ignore for recursive pt_lookup_from_level
2019-07-31 16:55:31 +10:00
46d1ba3cc4
riscv ainvs: remove ARM ref
2019-07-31 16:55:31 +10:00
da26a83c18
riscv ainvs: finished sorrying AInvs
2019-07-31 16:55:31 +10:00
06672e9724
riscv ainvs: sorried up to end AInvs
2019-07-31 16:55:31 +10:00
78b1d07bb9
riscv ainvs: sorries for ArchADT, ArchUntyped, ArchArch
2019-07-31 16:55:31 +10:00
a37d867e66
riscv aspec: abbreviations for asid_table & pt table base + index
...
(moved from riscv ainvs)
2019-07-31 16:55:31 +10:00
bdd9a3f1ea
riscv ainvs: introduce second_level_tables as interface concept
2019-07-31 16:55:31 +10:00
f9e6607ea3
ainvs: sync ARM/ARM_HYP/X64 with lemmas that are now arch dependent
2019-07-31 16:55:31 +10:00
b147fe7d9d
riscv ainvs: sorried ArchDetype_AI
2019-07-31 16:55:31 +10:00
4eba33e349
ainvs: move unique_table_refs into arch
2019-07-31 16:55:31 +10:00
2eb3cd3917
riscv ainvs: sorried ArchTcb, ArchEmptyFail, ArchCNodeInv, ArchBCorres2
2019-07-31 16:55:31 +10:00
749546cf6e
riscv ainvs: sorried ArchIpc_AI and ArchInterrupt_AI
2019-07-31 16:55:31 +10:00
d23772ce64
riscv ainvs: sorried ArchFinalise_AI
2019-07-31 16:55:31 +10:00
cf1c3b898c
riscv ainvs: sorry ArchIpcCancel, ArchRetype, and ArchSchedule
2019-07-31 16:55:31 +10:00
5321c8f340
ainvs: move Retype_AI lemma to arch for RISC-V
2019-07-31 16:55:31 +10:00
5315a4f030
riscv ainvs: sorried ArchVSpace_AI
2019-07-31 16:55:31 +10:00
585989948a
riscv ainvs: two more lemma statements for store_pte_*_map
2019-07-31 16:55:31 +10:00
d91c83f3a6
riscv aspec+ainvs: rename lookup_pt_* to pt_lookup_* to resemble vs_lookup_*
...
More consistent naming, easier to remember.
2019-07-31 16:55:31 +10:00
2dd69a1b7e
riscv ainvs: progress on set_pt_valid_global_vspace_mappings
...
Removed a number of previous dependencies that are now irrelevant.
2019-07-31 16:55:31 +10:00
e60ee77c86
riscv ainvs: introduce lookup_pt_target, reformulate valid_global_tables
...
- translate_address now uses lookup_pt_target
- valid_global_tables now resolves from riscv_global_pt instead of all
ASIDs
2019-07-31 16:55:31 +10:00
2f9e070f99
riscv ainvs: more store_pte properties
2019-07-31 16:55:31 +10:00
602dfd2317
riscv ainvs: lifting lemma for vspace_for_asid
2019-07-31 16:55:31 +10:00
0009222876
riscv ainvs: fix lemma name in ArchCSpacePre_AI
2019-07-31 16:55:31 +10:00
d9d1e6d472
riscv ainvs: begin sorrying ArchVSpace_AI
2019-07-31 16:55:31 +10:00
4c6b8c4dcd
riscv ainvs: sorried ArchInterruptAcc_AI
2019-07-31 16:55:31 +10:00
a9d866c870
riscv ainvs: add saturated version of vs_lookup_pages_arch_update for simp
2019-07-31 16:55:31 +10:00
8f119cbfec
riscv ainvs: sorried ArchTcbAcc_AI
2019-07-31 16:55:31 +10:00
d0a5262b04
riscv ainvs: restore complex form if interface lemma
...
(The simpler form breaks the generic proofs that expect the more complex statement)
2019-07-31 16:55:31 +10:00
eb7adb182a
riscv ainvs: sorried ArchCSpacePre_AI and ArchCSpace_AI
2019-07-31 16:55:31 +10:00
a2a5163712
ainvs: make another lemma arch specific (unique_table_refs again)
2019-07-31 16:55:31 +10:00
bd88d2906b
riscv ainvs: sorried ArchCSpaceInv_AI
2019-07-31 16:55:31 +10:00
63a49d469d
riscv ainvs: provide arch_cap_simps and enriched cap_simps
2019-07-31 16:55:31 +10:00
4fd8eba182
riscv ainvs: make unique_table_refs lemma arch specific
...
This lemma worked by (planned) accident for all architectures so far, but
the type of unique_table_refs is different on RISC-V
2019-07-31 16:55:31 +10:00
6c540c37d8
riscv ainvs: add interfaces lemmas to ArchInvariants_AI
2019-07-31 16:55:31 +10:00
b1f444be6b
riscv ainvs: sorried ArchCSpaceInvPre_AI
2019-07-31 16:55:31 +10:00
2c2e82c94c
riscv ainvs: tweak vs_cap_ref_arch to include ASIDPoolCaps
...
The ASIDPoolCap case is not used in the invariant definitions, but
is convenient later in the proofs.
2019-07-31 16:55:31 +10:00
537992b41e
riscv ainvs: add interface definitions; refactor invariants for clarity
...
All invariants that are pure interface definitions and otherwise
unused in RISC-V are now collected in a separate section to make more clear
what is used and what is not.
Added definitions for cap_asid and empty_table, which turns out is needed in
its complex form, because it is used in generic theorems. The simple form lives
on as empty_pt.
2019-07-31 16:55:31 +10:00
a4bbab0985
riscv ainvs: sorried ArchAcc_AI
...
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2019-07-31 16:55:26 +10:00
5d6fd554f2
riscv ainvs: tweak valid_vs_lookup invariant
...
Mask out bottom bits of asid and vref in the cap; otherwise this
invariant would demand many caps for the same vspace object, one for
each combination of bottom "junk" bits.
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2019-07-31 16:26:36 +10:00
0fcc2c8a6f
riscv ainvs: factor out has_kernel_mappings for use in preconditions later
2019-07-31 16:26:36 +10:00
3be3a8ea8a
riscv ainvs: global pts must point to page tables
2019-07-31 16:26:36 +10:00
12d4439ddb
ainvs: make some KHeap lemmas arch specific
...
These lemmas have different statements in RISC-V
2019-07-31 16:26:36 +10:00
c2e95e53c9
riscv ainvs: eta expand def for later unfolding
2019-07-31 16:26:36 +10:00
bea2739ff2
riscv ainvs: a few more lifting lemmas in ArchKHeap_AI
2019-07-31 16:26:36 +10:00
3c64ec187a
riscv ainvs: proof progress: invalidating pte mappings
...
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2019-07-31 16:26:36 +10:00
b6301ba636
riscv ainvs: initial invariant setup for RISC-V and initial proofs
...
co-authored-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
2019-07-31 16:26:36 +10:00
78e57e2d90
ainvs: add a type projection
...
currently only used in RISC-V, but should replace typ_at (or make typ_at an abbreviation for it) over time.
2019-07-31 14:13:56 +10:00
f59639342c
ainvs: changes to generic invariants to accomodate RISC-V
...
These changes are mostly removing declarations and lemmas, making them
architecture specific.
2019-07-31 14:13:56 +10:00
ac886401d7
ainvs: add support to thread id registers
2019-06-28 11:34:13 +10:00
c34840d09b
global: isabelle update_cartouches
2019-06-14 11:41:21 +10:00
3300e119be
ainvs: minor update for Isabelle2019 not included in previous commit
2019-06-13 16:22:33 +10:00
26fdedad4d
ainvs, spec: changes to remove errors for Isabelle 2019 update
2019-06-13 16:22:33 +10:00
4463e9750e
SELFOUR-1198: update proofs for correct restart PC
...
Fixes a case where a thread can go from Running->Inactive->Restart and
use a restart PC that is out of date. An out of date restart PC occurs
when a thread was transitioned to running after being in a blocked
state, but was never scheduled and so did not execute the traps code
that updates the restart PC.
This also renames relevant register names for consistency across
architectures (FaultIP and NextIP).
2019-06-13 11:43:50 +10:00
4a07af9d9d
ainvs refine: update arch-split locale names
...
Previously, some arch-specific names were qualified with the wrong
architecture abbreviation.
2019-06-13 11:43:50 +10:00
aec289ceb6
ainvs cleanup: remove unused as_user_valid_vspace_objs lemmas
2019-06-13 11:43:50 +10:00
75f1a25948
ainvs: add as_user_bind lemma
2019-06-13 11:43:50 +10:00
1689dd94fe
cleanup
...
arm ainvs: cleanup
Abbreviate Hoare triples that do not care about the return value and
whose pre and post conditions are the same.
x64 ainvs: cleanup
ainvs: cleanup
x64 ainvs: cleanup
drefine: cleanup
2019-04-18 14:32:08 +10:00
c9094ccbb3
ainvs: update for new definition of set_object
...
Added set_object_wp_strong, which infers from a given hoare triple with
command set_object that the object of same type already exists in the
heap, and hoare_set_object_weaken_pre which does the same thing, but can
be applied on top of existing lemmas about set_object.
ainvs: improve proof of set_thread_state_runnable_valid_blocked
ainvs: change return value to a more general one
in_set_object has a return value that is empty '()', but the theorem
still holds true when replaced with a generic parameter 'rv' making it
easier to use this lemma.
ainvs: trivial - updated style of proof
ainvs: strengthen set_object_idle lemma
Add conditions imposed by valid_idle into precondition.
Thank you to Matt Brecknell for the help.
ainvs: abbreviated Hoare triples and proof fix
ainvs: restated set_object_wp_strong with auxiliary lemmas
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Move in a few set_object and set_aobject theorems from x64 theory files
as these theorems were architecture generic.
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
2019-04-18 14:32:08 +10:00
Gerwin Klein
Rafal Kolanski
Amirreza Zarrabi
Michael McInerney
Victor Phan