Instead of doing rewriting, corres should only rely on
rule application to ensure it only manipulates the
head function (and only if such manipulation causes
corres progress to be made).
Generated goal premises (i.e. from bind or if split rules)
should in most cases be redundant, as necessary conditions can
simply be propagated. By aggressively protecting them, we afford
ourselves greater control over how function bodies are rewritten.
Allow corressimp to use the return-value relation in its clarsimp step
if doing so allows it to solve the subgoal.
This addresses some occasions where wp generates in-place goals that can
be easily solved (rather than pushing them into preconditions).
Some schematic instantiations require knowledge from return-value
relations. The special const "corres_eq_inst" indicates to corres
that a schematic instantiation should be possible/obvious by
unfolding the protected assumptions and applying fastforce.
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
This commit fixes a typo in apply_trace which
prevented correct printing of the index of
the lemma used in a grouped lemma.
An example is given in Apply_Trace_Cmd.thy
- a case-statement in decodeARMMMUInvocation has an if-statement with a conjunction of three conditions, but they are translated in different orders between arm and arm-hyp and currently the crefine proofs depend on those orders.
- this fix is not a fundamental solution, but, given how reliable the haskell translator is, not sure how much effort we should be putting in here
- both ARM and ARM_HYP haskell specs are now generated from the same set of files using cpp
- callbacks and platform files are merged into one directory (ARM)
- remove check-arm-hyp.py now that there are no ARM_HYP.lhs files
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously, if you invoked the TCB of the current thread and
changed the IPC buffer frame, this would not immediately take
effect, as the kernel's view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously, if you wrote to the TCB of the current thread and
changed the TLS_BASE, this would not immediately take
effect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
* This is trivial/irrelevant since getActiveIRQ ignores its argument
in ARM, but it makes a bit more sense to have it being this way,
and it is consistent with the equivalent function in InfoFlowC.
* Defined largePagePTE_offsets and superSectionPDE_offsets as is the
case in arm-hyp
* Used a map over largePagePTE_offsets/superSectionPDE_offsets
instead of upto_enum