Create ArchMove_R.thy for transporting arch specific lemmas (and generic
lemmas that are used somewhat specifically by one architecture) to theory
files before Refine.
Create Move_R.thy as an arch generic Refine theory file for transporting
generic lemmas to theory files before Refine.
Also delete some lemmas that have existed earlier already or are not
needed.
Rename Move.thy in CRefine to Move_C.thy for consistency.
Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
Several constants are are added to the top level crunch_ignore statement in
Bits_R.thy, then removed from individual crunch statements across Refine and
CRefine.
Currently the vcpu_switch function is called in the setVMRoot function
after possible early returns. In order to make sure the vcpu is
always switched, the call is moved into Arch_switchToThread before the
call to setVMRoot.
Splits parts of step 4 of the SimplExport proof process, in order to
expose them to the test theory. Add some instructions on how to use
them.
Tags subgoals so that the user can identify which ones caused the
failure.
Consolidates ML setup code, and demarcates it to let uses ignore it.
Now that asmrefine targets several arches, it's useful to separate out
any intermediate artefacts by L4V_ARCH. For instance, this lets us use
the same directory to test two arches at once.
Using a shared ref for configuration reduces the understandability of
code. It turns out the contents of the `globals_swap` ref:
1. Was always the same.
2. Was only used in one spot.
3. Could be recreated at that one spot.
So we do that instead.
Previously, if a graph refine proof failed it would cause the ML block
defining the debug variable to be discarded; this prevented the user
from investigating the debug output. This change splits the ML block to
avoid the issue.
diminished takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing diminished with equality.
- Add HiFive.hs to replace Spike.hs, it's the same except for kdevBase
addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.
irqInvalid is manually requalified into Interrupt_R. If it's defined for all
architectures, then can be requalified instead in the more suitable
spec/machine/MachineExports.thy
Reimplement the following primrecs:
- arch_irq_control_inv_relation
- arch_irq_control_inv_valid'
- irq_control_inv_valid'
Add the following lemmas:
- arch_check_irq_corres
- crunches arch_check_irq, checkIRQ
- arch_check_irq_valid
- arch_check_irq_valid'
- no_fail_setIRQTrigger
- setIRQTrigger_corres
- dmo_setIRQTrigger_invs'
- Add setTrigger lemmas: setIRQTrigger_irq_masks, dmo_setIRQTrigger_invs
and no_irq_setIRQTrigger
- Modify primrec arch_irq_control_inv_valid_real to include similar
conditions to its equivalent in ARM, but with the minor chnage of irq !=
irqInvalid.
Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162
Gerwin Klein
Victor Phan
Rafal Kolanski
Zoltan Kocsis
Edward Pierzchalski