This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
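To make the "made-up body" idea concrete: the following is an added example, not code from l4v or the C parser, showing loop-based bodies for ctzl/clzl that a user could supply in place of the compiler builtins, together with a checker for the kind of postcondition an FNSPEC for them would state (result below the word width, bit at the result position set, lower bits clear for ctzl; mirrored for clzl). The function names `ctzl_body`, `clzl_body` and the spec-check helpers are assumptions chosen for this illustration; the treatment of x == 0 (returning the word width) is a deliberate choice, since the builtins leave that case undefined and a spec-check needs a stated value.

```c
#include <limits.h>

/* Word width in bits for the platform (32 on ARM, 64 on X64). */
static unsigned long word_width(void)
{
    return (unsigned long)(sizeof(unsigned long) * CHAR_BIT);
}

/* Hypothetical replacement body for ctzl: count zero bits below the lowest
 * set bit. For x == 0, which a FNSPEC precondition would exclude, return the
 * word width so the function has a defined value for every input. */
unsigned long ctzl_body(unsigned long x)
{
    unsigned long n = 0;
    if (x == 0)
        return word_width();
    while ((x & 1UL) == 0) {
        x >>= 1;
        n++;
    }
    return n;
}

/* Hypothetical replacement body for clzl: count zero bits above the highest
 * set bit, with the same x == 0 convention as ctzl_body. */
unsigned long clzl_body(unsigned long x)
{
    unsigned long n = 0;
    unsigned long top = 1UL << (word_width() - 1);
    if (x == 0)
        return word_width();
    while ((x & top) == 0) {
        x <<= 1;
        n++;
    }
    return n;
}

/* Postcondition a ctzl spec would state for x != 0: r < width, bit r of x is
 * set, and all bits below r are clear. Returns 1 when it holds. */
int ctzl_spec_holds(unsigned long x, unsigned long r)
{
    if (x == 0 || r >= word_width())
        return 0;
    if (((x >> r) & 1UL) == 0)
        return 0;
    return (x & ((1UL << r) - 1UL)) == 0;
}

/* Mirrored postcondition for clzl: r < width, bit (width-1-r) set, and all
 * bits above it clear. */
int clzl_spec_holds(unsigned long x, unsigned long r)
{
    unsigned long w = word_width();
    if (x == 0 || r >= w)
        return 0;
    if (((x >> (w - 1 - r)) & 1UL) == 0)
        return 0;
    return r == 0 || (x >> (w - r)) == 0;
}

/* Exercise the bodies on constructed inputs: every single-bit word, a word
 * with all bits from i upwards set, and a word with all bits up to i set.
 * Each result must satisfy the spec and agree with the compiler builtin.
 * Returns 1 on success, 0 on the first mismatch. */
int bodies_satisfy_spec(void)
{
    unsigned long w = word_width();
    for (unsigned long i = 0; i < w; i++) {
        unsigned long single = 1UL << i;
        unsigned long upper = ~0UL << i;   /* ctz = i, clz = 0 */
        unsigned long lower = ~0UL >> i;   /* clz = i, ctz = 0 */
        unsigned long xs[3] = { single, upper, lower };
        for (int k = 0; k < 3; k++) {
            unsigned long x = xs[k];
            unsigned long t = ctzl_body(x);
            unsigned long l = clzl_body(x);
            if (!ctzl_spec_holds(x, t) || !clzl_spec_holds(x, l))
                return 0;
            if (t != (unsigned long)__builtin_ctzl(x))
                return 0;
            if (l != (unsigned long)__builtin_clzl(x))
                return 0;
        }
    }
    return 1;
}
```

The spec-check functions are what the translation-validation side would have to establish about the exported body; the builtin comparison is only a sanity check that the replacement bodies compute the same function as the compiler intrinsics they stand in for.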
These are copied verbatim from ARM as the word and pointer sizes are
identical.
These could be auto-generated by a Makefile, but a Makefile is not
invoked when building CKernel.
(copied from ARM)
Per-platform CPP configuration for spec-check and make-spec.
The configuration is still duplicated between the two scripts, but now
the translation/check for ARM_HYP will use correct CPP settings.
* Consistently use the c-parser 'addr' type alias for pointer values.
* Include word abstraction and polish for 64-bit integral types.
* Include all current c-parser platforms in release packaging scripts.
More work is required to properly abstract AutoCorres tests across
architectures. The tests currently pass for both ARM and X64. However,
in a number of tests, we exploit the coincidences that 'int' is the same
size on both platforms (32 bits), and that 'long' is the same as the
pointer size on each platform (32 bits and 64 bits, respectively).
This creates an issue because "unat x < 1" is reduced to "unat x = 0"
by the simplifier, meaning the unat_mono tactic doesn't get to operate on
it. The fix is pretty easy. Also includes some extra investigation material.
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable...). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
Some lemmas that were specific instances of more general lemmas have
been removed from the library. In most cases, broken references could
simply be replaced with the more general fact.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
Adds an additional analysis option to the external C parser. This
will report about any asm statements that were encountered and could
not be properly handled.
[NO_PROOF]
To restore some previous functionality, add a mechanism by which an __asm__
statement too complex to be translated can still be ignored (handled as an
empty statement). A demo file does this for a wrapper around "nop".
Also use this facility to support legacy camkes-glue proofs which assume
that the software interrupt operator "swi" doesn't break anything.
The C-parser contains a full parser for __asm__ syntax but
up until now hasn't done anything with it. Instead we export
some semantics. It's unspecified exactly what these semantics
are but they are parametrised with the __asm__ semantics that
went in to them, so the translation validation has something
to reason about.
Tweak modifies proofs as a result, and add some more test files.