A pattern that occurs occasionally (for some proofs, by some authors) is
something like:
```
apply (subgoal_tac "my_cool_fact x y z")
prefer 2
subgoal by magic
apply method_that_uses_my_cool_fact
```
The command `prefer 2` is noisy, and proving the introduced fact subgoal
later is disorienting, so we provide the method `prop_tac` to introduce
a fact and make proving that fact the current subgoal.
The previous lemma name collided with List.sorted_filter, which
became shadowed; thus we broke AInvs.
Thanks to Victor Phan for bringing this breakage to my attention.
This alternative formulation determines the set of used_irqs in
a way that is less roundabout and closer to the C implementation:
instead of "every irq such that some object has an irqhandler cap
for it", it's "every irq such that there is an irq node for it".
For the proofs, we prove that the two formulations agree on well-formed
specs. Beyond using this fact, the old proofs need not change at all.
Incorporates some proof improvements suggested by @jalim and
shamelessly stolen.
Cabal 2.4 deprecates the default behaviours of previous versions, and
issues warnings whenever the usual cabal-install commands are used. This
is in preparation for future versions of Cabal where the usual commands
will have entirely new default behaviours. More work would be required
to update our SEL4.cabal configuration to these new behaviours. For now,
we avoid the warnings given by Cabal 2.4 by using the `v1-` versions of
cabal-install commands, which should continue to have the old behaviours
until they are removed from Cabal.
VER-1072: Something in the recent C parser changes has increased the
time taken by SimplExportAndRefine by around 30%. This is a quick fix
for the regression timeouts while we take a closer look.
Increased to 8 hours.
Just because we *can* extend the core SML `List` signature, that doesn't
mean we *should*. It's a neat trick, but it makes it harder to find uses
of the new modules, and obfuscates definitions for very little gain.
The C parser tracks what short names a given long name corresponds to.
Change AutoCorres to use that information, instead of trying to demangle
the names 'manually'.
Previously, tactics like `ctac` and `csymbr` would use definition names
to produce new bound variables. Now that the C parser always emits long
name *definitions* and short name *aliases*, we adjust these tactics to
try and shorten any new names they produce.
Previously, the C parser would define locals differently depending on
the order they appear in the source (the first instance got a short
name, the second etc. got a longer one). This would sometimes make
things break when source was reordered.
Now, the C parser emits the long name for _every_ local, and emits an
abbreviation for backwards-compatibility and convenience for common
variables (like loop indexes `int i`).
Adjusts the Simpl syntax modifiers to work with abbreviations.
Modifies the VCG tactic to try and convert long-name bound variables in
the goal to their abbreviated names.
The SML standard library is pretty bare-bones compared to that of other
functional languages, so in a large enough SML project you end up with a
bunch of reimplementations of basic combinators scattered all over the
place. We'd be able to collect them if we had somewhere to collect them,
so here it is.
A lot of the proofs in SysInit and DRefine previously had to unfold opt_object,
which was really just an alias for cdl_objects with the arguments in the
opposite order! This commit deletes opt_object in favour of using cdl_objects
directly, which should slightly reduce the burden of unfolding.
Addresses issue VER-1036.
Previously, there were pointer alignment invariants in valid_pte, etc.
However, these had two problems:
1. valid_pte was conditioned on the PTE being mapped, so we couldn't
rely on PTE pointers being aligned unconditionally (see VER-1036).
2. The existing alignments were actually incorrect for large pages.
Proofs that needed the true alignments, obtained them from other
parts of invs (e.g. valid_objs).
This commit moves the alignment invariants to wellformed_pte, etc.
and changes them to use the correct values.
Recent changes to the C kernel mean that various structures and
constants are generated from DTS files. In particular, verification now
sees interrupt identifiers as integer literals instead of defined
constants.
Instead of hardcoding basic C types, this passes most of them along as
uninterpreted strings. This allows typedefs such as time_t or ssize_t
to be used, without requiring the formal model to recognise them.
The proof structure still largely follows Thibaut's scheme; this commit
merely adds some speedup, style cleanup, and documentation.
Unfortunately, the proof state seems to be just large enough that the
built-in record update ruleset runs into limitations, and the standard
clasimp tactics start to fail on subgoals in an unpredictable way.
This is ostensibly more principled than the earlier proof, which simply
unfolded all the monad combinators. However, there was also no existing
framework for using monad_commute, so we need to make one up just to
do this single proof.
Corey Lewis
Edward Pierzchalski
IlmariReissumies
Matthew Brecknell
Amirreza Zarrabi
Japheth Lim
Luke Mondy
Michael Sproul
Callum Bannister
Gerwin Klein