Commit Graph

4789 Commits

Author SHA1 Message Date
Gerwin Klein d3ecd0e451 aarch64 lib: add 64 bit word setup
This is equal to the setup for RISCV64 and X64.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-02-03 16:13:45 +11:00
Gerwin Klein 04626b0a88 cspec: enable preprocess test for AArch64
This commit adds compiler prefixes for AArch64 so that the preprocess
test finds the right cross compilers for this architecture.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-02-03 13:41:06 +11:00
Gerwin Klein c4fe1abb3d github: provide auth tokens
These allow the test to run on private repos. If set to empty, they
have no effect.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-02-02 09:25:58 +11:00
Gerwin Klein a4c80a6887 github: use PR number to distinguish pull requests
${{github.ref}} will resolve to the base branch of the PR, not the
PR branch, so it is not useful for distinguishing PRs. The pull request
number will do the job.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-02-01 14:49:38 +11:00
Gerwin Klein d831ddea67 github: run AWS proofs only on most recent push
By default GitHub spawns a new test for each push event. To avoid
hitting the maximum number of AWS instances too quickly, we run the PR
and master proof tests only on the most recent push since the last test
finished.

The concurrency exclusion is per git ref, i.e. separate PRs and
separate branches still run tests concurrently.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-01-11 18:20:45 +11:00
Gerwin Klein 24c0c5c390 spec+proof: use generated config constants
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Gerwin Klein 8929a6d729 machine+C: generate Kernel_Config.thy from C
This script takes the gen_config.h file CMake produces for each kernel
configuration, parses it, and emits corresponding Isabelle definitions
into Kernel_Config.thy in spec/machine/$L4V_ARCH/.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Gerwin Klein 3b616f535a cspec: separately generate C config headers
This is in preparation for later turning these config headers into
Isabelle definitions.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-23 14:54:13 +11:00
Rafal Kolanski 73911da72d infoflow refine: make proofs independent of number of domains
The InfoFlow proof itself does not care about the number of domains, and
that assumption was removed in another commit.
The specific example in the information flow refinement requires two
domains (one "high" and one "low") to be of any interest. Since it
cannot be instantiated with only one domain, the example theorems in
Example_Valid_StateH now assume that `1 <= maxDomain`.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Rafal Kolanski b57a755e40 crefine: make proofs independent of number of domains
For CRefine, this process is much more complex than for Refine and up,
as the C code has its own definitions `maxDom` and `numDomains`,
but they are not defined in terms of each other, only as numbers.
Similarly, array size types and their corresponding ArrayGuard bounds
checks refer to specific numbers, making a foolproof abstraction impossible.

A reasonably constrained interface to numDomains/maxDomain/maxDom in
Wellformed_C provides a sufficient abstraction to allow the proofs to be
independent of the number of domains (constrained to <= 256). Using the
value_type command allows more abstraction techniques, such as linking
the size of the scheduler queues back to numDomains*numPriorities,
without stating what the numbers are. Finally, for getting past the
ArrayGuard bounds checks, we do leak some information in the form of
`explicit` lemmas. These are the least safe, but short of augmenting the
C parser to re-wrap array sizes into equivalent constants/types, they
constitute a limited risk. Nonetheless, `explicit` lemmas should be used
as sparingly as possible.

Refinement to C proceeds by pretending we don't know the number of
domains, and whenever a control flow decision is made based on
`numDomains > 1`, we follow both branches, as we did for Refine. We also
attempt to avoid clever rewrites such as `(x < 1) = (x = 0)` which mess
up bounds checks into a domain-size array when `numDomains = 1`.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Rafal Kolanski b8fc709d21 refine+orphanage: update proofs to never unfold numDomains
Proofs now don't care about numDomains, except for a small interface in
Invariants_H. The interface is currently by convention only, and has no
enforcement capabilities.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Rafal Kolanski 8052df4ac6 infoflow: remove dependency on domains > 1
The proofs work without knowing the number of domains, including with
only a single domain.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Rafal Kolanski d91afcb5c1 ainvs: update proofs to never unfold numDomains
Make proofs work with any number of domains that fits in the domain type
(at this time an 8-bit word).

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Rafal Kolanski ec79dc3330 aspec+design+haskell: extract numDomains into Kernel_Config
Introduce Kernel_Config theory for storage of non-architecture-specific
seL4 configuration variables that are shared by the abstract and design
specs.

Remove `num_domains`, in lieu of `numDomains` that is now defined only
in `Kernel_Config.thy`. The definition is hidden and must be referred to
as Kernel_Config.numDomains_def when avoiding unfolding is not possible.

Include required properties of `numDomains` as lemmas.

Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Gerwin Klein 78007a4179 lib: add value_type command
The `value_type` top-level command allows evaluating a term down to a
natural number, and using that number to define an enumerated type, as
well as (optionally) a constant definition.

Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-22 23:50:22 +11:00
Gerwin Klein f33b02f3d0 docs: use archive link for locale docs
This link is stable over Isabelle releases and can be updated once
the repo switches over to the next release.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-21 16:28:29 +11:00
Gerwin Klein ce67a725f7 cspec: more compiler options
The new docker containers that upgraded to gcc-10 use a different
version of the gcc Arm toolchain (`arm-linux-gnueabi`).

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-09 11:07:22 +11:00
Gerwin Klein 46a1d2509a crefine: update for PR seL4/seL4#321
The aim of the PR was readability, but it actually also brings the
C more in line with the spec.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-06 16:44:39 +11:00
Gerwin Klein 614e24ee10 riscv machine: use address size consistently
In the rest of the proofs we use machine_word to refer to addresses.
This commit brings the machine definitions in line with that.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-12-03 17:06:37 +11:00
Ryan Barry 72ab7cc180 various: resolve some new fixmes
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry d619052b02 run_tests: enable RISCV64 InfoFlow tests
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 0c2767b197 riscv infoflow refine: add Example_Valid_StateH
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 60e8d4ff17 riscv infoflow: add Example_Valid_State
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 9f1d259f87 infoflow refine + refine: add refinement proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 1b1814c9b1 arm infoflow: update proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 82fd48d769 riscv infoflow: add Noninterference proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 1ec4ee4183 riscv infoflow: add ADT proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry d17d2e3079 riscv infoflow: add UserOp proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 66c5f72a14 riscv infoflow: add Scheduler proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry b55aa6a20a riscv infoflow: add Syscall proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 21a0525e59 riscv infoflow: add PasUpdates proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry ec046f56b7 riscv infoflow: add Tcb proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry f0bb85e7ab riscv infoflow: add Decode proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 78884cdb2b riscv infoflow: add Ipc proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 87b9ad2d0f riscv infoflow: add Interrupt proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry e59ff2683f riscv infoflow: add Finalise proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 528efc681d riscv infoflow: add Arch proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry c707434eb5 riscv infoflow: add Retype proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry ee5185fcf1 riscv infoflow: add CNode proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry b4f3049261 riscv infoflow: add FinalCaps proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry bba0760e47 riscv infoflow: add InfoFlow spec changes + proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry 0d4f451011 riscv infoflow + design: add IRQMasks proofs
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Ryan Barry edb555382b access: strengthen integrity_asids on RISCV64
Signed-off-by: Ryan Barry <ryan.barry@unsw.edu.au>
2021-11-12 09:39:16 +11:00
Corey Lewis f28ce0b310 lib: notify if crunch generates side-conditions
Signed-off-by: Corey Lewis <corey.lewis@unsw.edu.au>
2021-11-10 16:39:23 +11:00
Gerwin Klein 141d2f4b67 docs: fix typo
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-11-03 15:11:39 +11:00
Gerwin Klein 80a2ba76c6 docs: apply markdown lint
Rewrap and adjust list indent in conventions.md

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-11-03 15:11:39 +11:00
Gerwin Klein 715501a969 docs: variable and parameter name conventions
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-11-03 15:11:39 +11:00
Gerwin Klein ab358b835d autocorres: update release.py to python3
Apparently, we still did releases with python2 in the past. This commit
updates the script to work cleanly with python3 and with both Linux
and Darwin.

For the latter, untarring and executing a downloaded tarball is not
easily supported on MacOS, so instead of the tarball, we take a path to
the already unpacked Isabelle release.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-10-31 13:41:58 +11:00
Gerwin Klein 78033ab5e4 docs: bump Isabelle version in setup instructions
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-10-31 13:41:58 +11:00
Gerwin Klein 2cf262f2b0 autocorres: release notes for autocorres-1.8
Includes some minor documentation updates.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2021-10-31 13:41:58 +11:00