This rewrites the extraction function to a simpler form, which is
consistent with how the lemma is written on the other architectures.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
fwd_all and ALLGOALS_FWD act like `all`, but the supplied method is applied
to goals in first-to-last order, taking into account goals solved and
generated.
fwd_all_new and FWD_ALL_NEW act like `;` and THEN_ALL_NEW, but the
second method is applied to the results of the first in the order they
were produced, making it safe for WP reasoning.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
In `Rules_Tac`, add a `rules_tac` which is `rule_tac` but with the
ability to instantiate the same variable name in multiple theorems.
Also add the specialised `single_instantiate_tac` which allows using the
above mechanism to instantiate a specific variable name in a specific
set of theorems (e.g. "rv" in a set of symbolic-execution lemmas).
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
These allow for pattern-matching on the conclusion and reacting to
whether the match succeeded.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
These allow selective eta-contraction in the goal based on the bound
variable's name. The `no_name_eta` method specifically targets
abstractions where the variable has no name, which can come up in
complicated unification scenarios.
These nameless abstractions can cause symbolic execution lemmas to no
longer pick up on the name of the bound variable in do-notation,
requiring multiple rename_tac invocations.
Co-authored-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
According to the RISC-V spec, PageTablePTEs must have the access,
dirty, and user bits set to 0. This means that
- there is no user attribute that can be set on PageTablePTEs
(removed from Haskell spec)
- the encoding for PageTablePTEs in C must have 0 in these fields
instead of 1.
See PR seL4/seL4#880 for discussion and corresponding C changes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This removes the mcs-export matrix job from the proof-deploy workflow,
as the first step towards solving seL4/l4v#497. This should unblock
verification manifest deployments.
The mcs-export job was added to the proof-deploy workflow to perform
SimplExportAndRefine for binary verification targets. It took a short
cut, using the master branch of l4v to perform SimplExportAndRefine for
MCS configurations, since there were no differences between rt and
master that were relevant to SimplExportAndRefine. This is no longer the
case, because MCS seL4 C code now contains C parser annotations that use
symbols only available in the rt branch of l4v.
We intend to add an equivalent job that uses the rt branch of l4v for
MCS SimplExportAndRefine, but are still working out the best way to do
that.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
The strict function application operator made sense when performance
mattered because the model was used from a simulator. Now it's just
noise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
GHC 9.0.2 requires a space between ! and the operand to distinguish
the expression from a bang pattern.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
GHC 9.0.2 is more strict in its pattern syntax and rejects @ patterns
that are surrounded by parentheses.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- switch to lts-19.12 (GHC 9.0.2)
- use cabal v2 commands, which build locally by default and don't
need a separate sandbox
- update SEL4.cabal file to cabal spec version 3
- remove generated `cabal.project.local~*` backup files after configure
to avoid flooding the directory
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The previous spec was trying to set message registers manually
when instead it should have just returned the list of data words
that forms the reply. This correctly modeled the currently wrong
behaviour in C, which seL4/seL4#243 fixes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Pull in generic lemmas from theories in repository.
Re-order lemmas into sections.
Shorten proofs where possible and uninteresting.
Attempt to conform to more modern style, and remain consistent within
this theory.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Lemmas not relying on any specifications or more local concepts will be
moved into MonadicRewrite.thy
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
C code changed to drop stage 1 translation from constructing VM fault
messages when in a hypervisor context.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Explicitly provide file information for errors and warnings (where not
already present in the message).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- Make message printing available to pars_skl.py as well, not only
lhs_pars.py.
- Add potential file/line number information printing (so far unused).
- Print status messages in a status line in the terminal (and stdout
without terminal).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Suppress parameterised-type warnings for types we know have been
defined in Isabelle already.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use ANSI yellow + red to make warnings/errors stand out from output.
Suppress colours if output is not a tty, apart from on GitHub, where
they do get rendered by the interface even though it is not a tty.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use functions for uniform error reporting, so we can later introduce
terminal colours, verbosity options etc.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Handle abstract machine ops in large crunch passes.
Clean up some proofs, standardise others, and rearrange into topical
areas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- the lifting rule now needs an additional vcpus_of assumption
- this makes the rule not applicable any more for the proof of other
lifting rules that are for vspace objs only; these will now need
different proofs
- add FIXME suggestion for equivalence of projection and vspace_obj_pred
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a rough pass over all the vcpu|vppi|vgic items found in ARM_HYP
abstract invariants. Broken items and issues tagged with FIXMEs,
lemmas sorried when possible.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Some definitions needed to change to take VCPUs into account, breaking
some lifting lemmas that assumed vspace objects and arch objects were
the same thing. FIXMEs added.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>