diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
Mainly repercusion of changes occuring for Access:
- Fix subjectReads and subjectAffects with new authorities
- SILC label is forbidden to contain any transferable cap
- Lots of lemma that required is_subject on their parameter now only
require aag_can_read when possible
- Major cleanup of the integrity ==> subjectAffects proofs for kheap,
CDT and user memory.
in addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strenthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
Ryan Barry
Gerwin Klein
Victor Phan
Corey Lewis
Japheth Lim
Thibaut Perami
Mitchell Buckley
Thomas Sewell
Michael Sproul
Miki Tanaka
Matthew Brecknell
Alejandro Gomez-Londono
Gerwin Klein
Thomas Sewell
Xin,Gao
Matthew Brecknell
Joel Beeren
Daniel Matichuk
Ramana Kumar
David Greenaway