Trying to figure this out was very educational, since ccorres_abstract
was used without intending to abstract a variable, the xf' and lambda
name were both red herrings (in fact, this proof only worked if xf' was
instantiated with an *irrelevant* C local var name), and the body was
not transformed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- rename corres_pre set in CRefine to ccorres_pre
- rename internal corres_pre method in Corres_Method to corres_pre'
- use corres_pre instead of old wp_pre in refine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
These rules allow the simplifier to solve almost all existing goals that
involve the C constants true and false, without unfolding their
definitions.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Using named constructor arguments added to the datatype package allows
removal of the old way of writing them out explicitly.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Lemmas not relying on any specifications or more local concepts will be
moved into MonadicRewrite.thy
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Several parts of CRefine did not or should not depend on anything
C-related, but the import hierarchy (and theory content) did not reflect
this. Namely:
* Move_C and ArchMove_C were intended to hold items that could be moved
to Refine yet used `kernel_m` locale and imported the C spec.
* IsolatedThreadAction indicates how to rearrange statements in the
design spec and has nothing to do with the C spec or framework.
* Fastpath_C contained the design spec of the fastpath, the design spec
rewrite proofs, and the C refinement. Having to rebuild nearly all of
CRefine to work on rewrite proofs wasted time.
In the new import hierarchy:
* Move_C imports only Refine; ArchMove_C builds on Move_C
* IsolatedThreadAction imports only ArchMove_C
* The fastpath proofs are split into the spec definition (Fastpath_Defs)
and rewrite proofs (Fastpath_Equiv), which don't depend on anything
C-related, with their C refinement remaining in Fastpath_C.
While it is possible to separate out the fastpath definitions and rewrite
proofs into a separate image or even move them to Refine, development
experience indicates keeping them alongside their C refinement remains
more convenient for the proof engineer involved.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
This includes replacing previous ASpec names for such constants with
the names used in Haskell/ExecSpec to avoid duplication. This also
makes some of the proofs slightly more generic.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
For CRefine, this process is much more complex than for Refine and up,
as the C code has its own definitions `maxDom` and `numDomains`, but they
are not defined in terms of each other, only as numbers.
Similarly, array size types and their corresponding ArrayGuard bounds
checks refer to specific numbers, making a foolproof abstraction impossible.
A reasonably constrained interface to numDomains/maxDomain/maxDom in
Wellformed_C provides a sufficient abstraction to allow the proofs to be
independent of the number of domains (constrained to <= 256). Using the
value_type command allows more abstraction techniques, such as linking
the size of the scheduler queues back to numDomains*numPriorities,
without stating what the numbers are. Finally, for getting past the
ArrayGuard bounds checks, we do leak some information in the form of
`explicit` lemmas. These are the least safe, but short of augmenting the
C parser to re-wrap array sizes into equivalent constants/types, they
constitute a limited risk. Nonetheless, `explicit` lemmas should be used
as sparingly as possible.
Refinement to C proceeds by pretending we don't know the number of
domains, and whenever a control flow decision is made based on
`numDomains > 1`, we follow both branches, as we did for Refine. We also
attempt to avoid clever rewrites such as `(x < 1) = (x = 0)` which mess
up bounds checks into a domain-size array when `numDomains = 1`.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The aim of the PR was readability, but it actually also brings the
C more in line with the spec.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The PR seL4/seL4#473 removes Arch_finaliseInterrupt; this commit
updates the C proofs accordingly.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>