9ebaa2c3ea
arm-hyp refine: new invariant: VMNoAccess is unused
2017-06-19 14:32:35 +10:00
a488e8dd44
arm-hyp refine: various fixes and renames for obj_at' related rules
2017-06-19 14:32:34 +10:00
2dc5ec8601
arm-hyp refine: update for do_flush/doFlush
2017-06-19 14:32:32 +10:00
b96877f244
arm-hyp refine: (Fix) Correctly defining setCurrentPD
2017-06-19 14:32:32 +10:00
a8b7b7887d
arm-hyp refine: update for asidHighBits change
2017-06-19 14:32:31 +10:00
fc74a6440f
arm-hyp refine: repair for rebase (new corres)
...
- fixes the fallout from the updated corres method.
- also includes some fixes by: Daniel Matichuk <daniel.matichuk@data61.csiro.au>
2017-06-19 14:32:31 +10:00
bf98897a98
arm-hyp refine: Refine sorry free
2017-06-19 14:32:31 +10:00
ca9582a2e8
arm-hyp refine: VSpace_R sorry free
2017-06-19 14:32:31 +10:00
ddb5c4043c
arm-hyp refine: VSpace_R, 2 sorries left
2017-06-19 14:32:31 +10:00
34a7c911e2
arm-hyp refine: VSpace_R, 2 sorries left, 1 sorry elsewhere
2017-06-19 14:32:31 +10:00
37ef712322
arm-hyp refine: zobj_refs adjustments; Arch_R sorry-free
2017-06-19 14:32:31 +10:00
0bf8d784b5
arm-hyp refine: zobj_refs' for VCPU (needed for liveness)
2017-06-19 14:32:31 +10:00
e48643f785
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
19b519ba29
arm-hyp refine: VSpace_R, 4 sorries left
2017-06-19 14:32:30 +10:00
3edf057812
arm-hyp refine: tidying up Schedule_R
2017-06-19 14:32:30 +10:00
bee7435458
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
5e9080c77b
arm-hyp refine: Syscall_R sorry-free
2017-06-19 14:32:30 +10:00
501e71adbe
arm-hyp refine: CNodeInvs_R sorry-free
2017-06-19 14:32:30 +10:00
8118968a05
arm-hyp refine: remove sorry in Syscall_R
2017-06-19 14:32:30 +10:00
c34aef1ee3
arm-hyp refine: DomainTime_R sorry-free
2017-06-19 14:32:30 +10:00
14b0f600ab
arm-hyp refine: Finalise_R sorry-free
2017-06-19 14:32:30 +10:00
187611825c
arm-hyp refine: dissociateVCPUTCB_invs'
2017-06-19 14:32:30 +10:00
31575f1065
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
ff6da2f76c
arm-hyp refine: Retype_R sorry free
2017-06-19 14:32:30 +10:00
6f32ddc7e9
arm-hyp refine: remove setVCPU_invs from wp set.
...
(The rule will need more preconditions, so we don't want it used
automatically yet.)
2017-06-19 14:32:30 +10:00
f727cc983c
arm-hyp refine: remove crunch sorries in DomainTime_R
...
Still two sorries left that depend on vgicMaintenance.
2017-06-19 14:32:30 +10:00
23d80dd261
arm-hyp refine: Ipc_R sorry free
2017-06-19 14:32:30 +10:00
fa5448625b
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:29 +10:00
cb5e0bcd7e
arm-hyp refine: VSpace_R incremental progress (vcpuSwitch invariants)
2017-06-19 14:32:29 +10:00
b74e8c59a2
arm-hyp refine: Schedule_R sorry free
...
- last few sorries are moved to VSpace_R
2017-06-19 14:32:29 +10:00
774448a7de
arm-hyp refine: Untyped_R sorry free
2017-06-19 14:32:29 +10:00
35e751f005
arm-hyp refine: PageTableDuplicates sorry-free
2017-06-19 14:32:29 +10:00
10e8973abb
arm-hyp refine: reduce sorries in Ipc_R
2017-06-19 14:32:29 +10:00
8ccba110a1
arm-hyp refine: reduce (more) sorries in VSpace_R
2017-06-19 14:32:29 +10:00
36146506ee
arm-hyp refine: reduce sorries in VSpace_R
2017-06-19 14:32:29 +10:00
4067704e99
arm-hyp refine: reduce sorries in PageTableDuplicates
2017-06-19 14:32:29 +10:00
8ae1d84e94
arm-hyp refine: reduce sorries in Finalise_R
2017-06-19 14:32:29 +10:00
96958113ef
arm-hyp refine: IPCCancel sorry-free
...
inlcuding simplification to ep and ntftn state_hyp_refs_of lemmas
2017-06-19 14:32:29 +10:00
1e9d0dc006
arm-hyp refine: completed remaining instances of no_vcpu class
2017-06-19 14:32:29 +10:00
2f972cfffd
arm-hyp refine: more vcpuSwitch hoare triples
2017-06-19 14:32:29 +10:00
69d16699ee
arm-hyp refine: Introducing no_vcpu typeclass to avoid duplicated lemmas
...
* Then idea with this class is to be able to genericaly constrain
predicates over pspace_storable values to are not of type VCPU,
this is useful for invariants such as obj_at' that are trivialy
true (sort of) if the predicate and the function (in the hoare
triple)
2017-06-19 14:32:29 +10:00
89496b3d90
arm-hyp: valid_arch_state'
2017-06-19 14:32:28 +10:00
a751e4f798
arm-hyp refine: More invariants for vcpuSwitch and alike
2017-06-19 14:32:28 +10:00
d1eef6c026
arm-hyp refine: Detype_R sorry free
2017-06-19 14:32:28 +10:00
511d3f5c40
arm-hyp refine: one sorry left in Detype_R
2017-06-19 14:32:28 +10:00
bdd6f9c896
arm-hyp refine: add armUSGlobalPD to global_refs' in Invariants_H
2017-06-19 14:32:28 +10:00
a6b0559e23
arm-hyp refine: set_vm_root_corres and auxiliary lemmas
2017-06-19 14:32:28 +10:00
e52c985b4b
arm-hyp refine: add valid_arch_tcb' invariant (vcpu_at' for atcbVCPUPtr)
2017-06-19 14:32:28 +10:00
9103207d8a
arm-hyp refine: fix storePDE/storePTE sorries in VSpace_R
2017-06-19 14:32:28 +10:00
4260a2c545
arm-hyp refine: new definition of valid_arch_state', with more sorries for now
...
valid_arch_state' now requires armHSCurVCPU to be a pointer to a live' vcpu
2017-06-19 14:32:28 +10:00
aa82471c17
arm-hyp refine: Invariants_H sorry free
2017-06-19 14:32:28 +10:00
1c85326bac
arm-hyp refine: new definition of valid_vcpu'
...
this introduces a more accessible definition of valid_vcpu'
2017-06-19 14:32:27 +10:00
4e90b0558f
arm-hyp refine: fixing some broken lemmas after the last batch of changes
2017-06-19 14:32:27 +10:00
b7e754bf1b
arm-hyp refine: vcpu{Switch,Save,Enable,etc}_corres + other related lemmas
2017-06-19 14:32:27 +10:00
76b02fe736
arm-hyp ainvs: Fixing StateRelation due to some renaming in abstract/haskell
2017-06-19 14:32:27 +10:00
740d606774
refine: closed the Orphanage
...
Not necessary for CRefine and better proved on the abstract spec now.
To be resurrected (on abstract) in the future.
2017-06-19 14:32:27 +10:00
75acdb3823
arm-hyp refine: add IRQReserved to state relation
2017-06-19 14:32:27 +10:00
e2d8a0ae50
arm-hyp refine: Tcb_R sorry free
2017-06-19 14:32:27 +10:00
bc40dc4a46
arm-hyp refine: remove unused ADT_H lemma
2017-06-19 14:32:27 +10:00
e9d3c3eb54
arm-hyp: remove unused ParityEnabled in aspec; solve sorries in ADT_H
...
ParityEnabled isn't used in ARM_HYP and we had to prove its absence as
invariant, which in turn makes the abstraction function from Haskell
to abstract partial (only works when invariants hold).
This commit removes that problem by removing ParityEnabled from the
abstract spec. Updated ainv and refine as necessary.
2017-06-19 14:32:27 +10:00
61136c29fd
arm-hyp: wp_pre rebase repair
2017-06-19 14:32:27 +10:00
f33d584cac
arm-hyp refine: proof repair for spec updates
2017-06-19 14:32:26 +10:00
5a03004e2c
refine: minor cleanup
2017-06-19 14:32:26 +10:00
29abd9a19e
arm-hyp/refine: vgic maintenance updates
2017-06-19 14:32:26 +10:00
e4d8bb1d4f
arm_hyp/refine: 'getActiveIRQ in_kernel' updates
2017-06-19 14:32:26 +10:00
e6c70be8a5
arm-hyp refine: Adding vcpuSwitch_corres and similar
2017-06-19 14:32:25 +10:00
43c742901b
arm-hyp refine: trivial: remove spurious Eisbach import
2017-06-19 14:32:25 +10:00
edee892ac0
arch_split: refine: remove spurious reference to ARM namespace
2017-06-19 14:32:25 +10:00
4d97cdd6a3
arch_split: refine: update DetSchedSchedule_AI imports
2017-06-19 14:32:25 +10:00
56c00ab03a
arm-hyp refine: sorrying done
2017-06-19 14:32:25 +10:00
18d76773fa
arm-hyp refine: sorrying done upto VSpace_R
2017-06-19 14:32:25 +10:00
fd79501491
arm-hyp refine: ArchAcc_R done
...
tags: [VER-696]
2017-06-19 14:32:24 +10:00
881ce3e8cb
arm-hyp refine: Invariants_H done for now, sorried up to ArchAcc_R
2017-06-19 14:32:24 +10:00
9060562bfe
arm-hyp refine: update refine for the rebase (includes all the changes)
...
None of these files contain arm-hyp specific changes yet.
2017-06-19 14:32:24 +10:00
00a68d1470
arm-hyp refine: sorrying in progress (now in CSpase_R)
2017-06-19 14:32:23 +10:00
8cf46846b5
arm-hyp refine: Invariants_H and StateRelation updated
2017-06-19 14:32:23 +10:00
e3cb71ef04
arm-hyp refine: copy ARM files to ARM_HYP directory, updating invariants in progress
2017-06-19 14:32:23 +10:00
da28d94974
VER-717: refactor tpidrurwRegister and fix corresponding proof
2017-05-05 15:17:41 +10:00
71e2db88a4
arm: refactor sanitise_register to take a bool instead of a kernel_object
...
This simplified the sanitise_register logic in CRefine for arm-hyp.
2017-05-03 21:51:57 +10:00
2c742ed2c6
x64 refine: fix proofs after rebase and spec updates
2017-04-24 23:58:05 +10:00
1a3debd78e
x64: refine: clear sorries for setVMRoot
2017-04-24 15:44:36 +10:00
2652a7d773
x64: refine: proved perform_aci_invs
2017-04-24 14:46:12 +10:00
fe26c457d3
x64 refine: fix findVSpaceForASID_vs_at_wp
2017-04-24 14:36:56 +10:00
c01e9f68c6
x64: progress in VSpace_R
...
Corres lemmas are proven. Remaining:
- A handfull of Hoare triples.
- The Haskell spec for invalidateASID needs to be updated
to close a small hole in each of unmap_pd_corres and
unmap_pdpt_corres.
2017-04-24 13:58:37 +10:00
990b6a02df
x64: cleared sorries in Detype_R
2017-04-24 12:11:39 +10:00
93f6029fbf
x64: refine: Refine.thy fixed again
2017-04-21 14:32:53 +10:00
3b2c465497
x64: refine: KernelInit_R done
2017-04-21 14:25:48 +10:00
1463da973f
x64: refine: EmptyFail_H done
2017-04-21 14:25:03 +10:00
84f827a042
x64: refine: Refine.thy done
2017-04-21 14:15:56 +10:00
9c10fde9f7
x64: refine: PageTableDuplicates done
2017-04-21 14:01:56 +10:00
8cd3ae5389
x64: refine: DomainTime_R done
2017-04-21 13:37:09 +10:00
c0296a7bf1
x64: refine: ADT_H done
2017-04-21 13:33:06 +10:00
35f147d3fa
x64: refine: Syscall_R done
2017-04-21 10:49:24 +10:00
0ce6a7da88
x64: refine: finished sorries in Arch_R
2017-04-20 16:56:51 +10:00
d725084ae6
x64: refine: Arch_R done with sorries
2017-04-20 14:38:45 +10:00
991fa244e4
x64: refine: Untyped_R done
2017-04-13 16:11:07 +10:00
774570483e
x64: refine: fix sameRegionAs_def2
2017-04-13 15:39:45 +10:00
1b46cb1379
x64: refine: Detype_R done with some sorries
2017-04-12 18:14:45 +10:00
1696932ad2
x64: refine: readd VSpace_R to Retype_R imports
2017-04-12 18:14:32 +10:00
2c9aa53c6b
x64: refine: Tcb_R done
2017-04-12 13:45:21 +10:00
ae5d190220
x64: refine: CNodeInv_R done
2017-04-12 11:20:48 +10:00
ac7232326c
x64: refine: Interrupt_R done
2017-04-11 18:48:40 +10:00
0d5a0e42cc
x64: refine: finished Ipc_R
2017-04-11 11:42:07 +10:00
5788ada1eb
x64 refine: fix Retype_R
...
Also:
- Design spec and haskell invariants fixes.
- Moves corresK rules for mapM and mapM_x into Corres_Method.
2017-04-11 10:19:21 +10:00
b331932786
x64: fix Finalise_R
2017-04-10 15:35:18 +10:00
f86b7b078e
x64 refine: fix InterruptAcc_R
2017-04-07 18:03:03 +10:00
c2aba18e1d
ainvs x64: replace a conditional simp rule lookup_empty_refl
...
This was causing simplifier loops in some places, and slow-downs in
others.
2017-04-07 18:01:49 +10:00
1e5fe128fd
x64: refine: fixed IpcCancel_R
2017-04-07 16:43:50 +10:00
72cd56340f
x64: refine: fix Schedule_R
2017-04-07 16:05:02 +10:00
a6807f9fe6
x64: refine: adjust setCurrentCR3 et al after rename
2017-04-07 16:05:02 +10:00
ac0a55496c
x64: Retype_R checking with sorry proofs
2017-04-07 11:38:41 +10:00
25ea0a9422
x64: refine: VSpace_R now processes with correct sorries
2017-04-06 14:47:49 +10:00
431b134b19
x64: refine: remove valid_pde_mappings' for the moment
2017-04-06 14:47:26 +10:00
5c574a6da4
x64: refine: perform vspace functions done with a few sorries
2017-04-06 11:42:58 +10:00
83b2f30c53
x64: progress in VSpace_R
2017-04-04 17:33:35 +10:00
53e0f5e476
x64: refine: update group lemma
2017-04-03 17:48:15 +10:00
0c011df0ef
x64: refine: CSpace_R, TcbAcc_R done
2017-03-31 16:58:51 +11:00
1768779b90
x64: refine: update valid_irq_node
2017-03-31 16:58:31 +11:00
94ba60b07c
x64: fixed sorries in CSpace1_R
2017-03-31 16:57:17 +11:00
7827c2fc73
x64: CSpace1_R now processes with a few minor sorries
2017-03-30 13:13:45 +11:00
659088cc13
x64: merge master
2017-03-29 20:22:12 +11:00
aaa9d19ed5
x64: progress in CSpace1_R.thy
2017-03-29 18:28:14 +11:00
c0a998140d
x64: refine: CSpace_I now builds, updated for new specs
2017-03-29 17:23:25 +11:00
df7693b687
refinement refactor: up to resolve_address_bits
...
Proofs have been refactored to use new corres methods, including
marking rules with the [corres] attribute so they are automatically
applied.
VER-737
2017-03-28 22:37:34 +11:00
03e25952e3
x64: progress in CSpace_I
2017-03-23 16:48:39 +11:00
e6fcfaf476
x64: refine: ArchAcc_R done
2017-03-23 15:35:02 +11:00
62fb7c8ae8
x64: refine: s/find_pd_for_asid/find_vspace_for_asid/g
2017-03-23 15:34:52 +11:00
263ebe904a
x64: s/ARM/X64/g proof/refine/X64/*.thy
2017-03-22 18:06:52 +11:00
72f6b33659
x64: progress in ArchAcc_R
2017-03-22 18:06:21 +11:00
bdbaef2e64
x64: KHeap_R done
2017-03-21 17:06:33 +11:00
e4c5679050
x64: get StateRelation, Invariants_H building
...
This will now allow sorrying of proofs in refine to aid parallelism as
we proceed.
Note: the invariants are in no way complete and the aim should be to
update them as required - allowing people to start working on refine
proofs without the high initial cost of fixing/writing all of the
invariants.
2017-03-21 15:09:37 +11:00
4620f7622f
refine ARM: minor cleanup
2017-03-17 15:14:41 +11:00
16ec027469
x64: progress in Invariants_H
2017-03-17 10:22:29 +11:00
7ad3ef3b3e
wp: update the proofs for the new wp/wpc/wpsimp
2017-03-16 19:39:11 +11:00
a0eb3c6f23
x64: add refine files, copied from ARM
2017-03-14 13:36:27 +11:00
6ce6c97397
arch_split: DetSchedDomainTime_AI, DetSchedSchedule_AI for ARM
2017-03-09 12:10:44 +11:00
c0c52700fb
trivial: rename split_if to if_split following Isabelle2016-1
2017-03-09 11:59:33 +11:00
99c7dd8a04
cleanup: remove old wp_cleanup comments
2017-03-03 09:01:28 +11:00
8a7d450f3a
ainvs + refine: remove hv_inv_ex
...
The lemma was convenient, but is subsumed by others. It is not true on
ARM_HYP.
2017-03-02 10:26:10 +11:00
2699254382
Refine: updates for Hypervisor stub
2017-02-22 15:26:49 +11:00
3db5dd778d
Refine fix for prepare_thread_delete
2017-02-20 09:23:55 +11:00
2ac4fa3509
corres_method: use corres method by default
2017-02-15 15:00:23 +11:00
520921351a
provide TCB argument for sanitiseRegister
...
Other platforms such as arm-hyp will need to look into additional TCB state
such as VCPU in sanitiseRegister. This commit provides the scaffolding for
that.
2017-02-12 12:54:42 +11:00
7657681fca
move refine/* to refine/ARM/*, parametrise over $L4V_ARCH
2017-01-30 12:22:22 +11:00
3dafec7d46
backport changes to ARM proofs from X64 work in progress
...
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2017-01-27 08:31:07 +11:00
47119bf43e
wp_cleanup: update proofs for new wp behaviour
...
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
2017-01-13 14:04:15 +01:00
b5158e31bc
Isabelle2016-1: fix proofs involving UNION
...
SUPREMUM changed from a definition to an abbreviation.
A number of proofs that previously used blast, fastforce or auto to
solve goals involving UNION, now either fail or loop. This commit
includes various ad-hoc workarounds.
2017-01-05 14:27:33 +11:00
08d8a8f2fa
Isabelle2016-1: replace 'unfolded' attr with 'simplified' where the former now loops
2017-01-05 14:27:04 +11:00
a84ac9c411
Isabelle2016-1: remove references to empty 'assms'
...
Isabelle now only creates a local fact named 'assms' when there is a
non-zero number of structured assumptions.
2017-01-05 14:26:47 +11:00
aadc5125ba
Isabelle2016-1: follow Isabelle's choice of meta-forall bindings
...
Fix some proofs that were broken because Isabelle chose different
names for meta-forall-bound variables.
2017-01-05 14:25:18 +11:00
511c6b2d3a
Isabelle2016-1: rename free variables to avoid capture
2017-01-05 14:24:36 +11:00
41d4aa4f1d
Isabelle2016-1: update references to renamed constants and facts
2017-01-05 14:23:05 +11:00
5fcb3c3197
Refine: Updating refine for tcb_arch reserved_irq and arch_fault changes
...
* Changes to StateRelation.thy, most notably the addition of
arch_tcb_relation and arch_fault_map to acount for the new
arch_tcb and arch_fault types
* On ADT_H ArchFault_Map and ArchTcbMap were added to account for
(yet again) the new arch_tcb and arch_fault types
* Also irq_state_map and IRQStateMap were extended to support the new
IRQReserved
* Everything else was mostly unfolding stuff and
(tcb_arch -> tcb_context) rearrangement
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:55 +11:00
d7450607a8
SELFOUR-553: rebase and fix styles and comments
2016-11-21 20:47:15 +11:00
a2d707d17e
SELFOUR-553: update rpidrurw in TCBConfigure for simpler Infoflow proofs.
2016-11-18 16:27:26 +11:00
f8f88c6952
SELFOUR-553: Change Spec according to C code and fix ASpec and AInvs
2016-11-18 16:19:14 +11:00
2553371a14
SELFOUR-64: Remove general Recycle operation
...
This removes the RecycleCap CNodeInvocation, whilst
retaining recycle behaviour for Endpoints -- now renamed
CNodeCancelBadgedSends.
2016-11-18 14:11:12 +11:00
72349f81fd
Revert SELFOUR-242: invert bitfield scheduler and optimise fast path
...
This reverts:
- a67b443ca5f704cf0404
2016-11-16 14:02:50 +11:00
f704cf0404
SELFOUR-242: invert bitfield scheduler and optimise fast path
...
* Reverse the level 2 of the bitmap scheduler to move the highest priority
threads' level 2 entries into the same cache line as the level 1.
* Use the bitfield scheduler to make the fast path a more common occurrence.
* Change possibleSwitchTo to not invoke scheduler when the fast path would not
invoke it either (using implicit assumptions about the current thread being
the highest priority schedulable thread)
2016-11-15 09:20:31 +11:00
c1c636a24f
Simplify obj_bits to not check well_formed_cnode_n
2016-11-11 16:24:37 +11:00
ff7ca60df7
ADT: add kernel entry/exit constraints on domain time left
...
These changes to the automatons are required by:
SELFOUR-242: invert bitfield scheduler and optimise fast path
Details:
When we enter the kernel, the domain time left (ksDomainTime) is never zero.
If we entered on a timer interrupt, we may decrement it to zero before the
scheduler runs. If we do so, we set the scheduler state to choose_new_thread.
When choosing a new thread, the scheduler switches to a new domain if the
present one is required, and sets the new domain time left from domain_list
(ksDomSchedule).
When entering the kernel on a non-interrupt event, we never touch the domain
time left, which trivially preserves the new constraints.
To prove these, we had to ban a transition from kernel entry to kernel being
preempted when handling an interrupt event in InfoFlow. This is fine, as by
design handling interrupts is not meant to be preempted by interrupts.
2016-11-11 06:01:30 +11:00
f1d546db85
SELFOUR-444: Fix for rebase.
2016-11-02 11:19:10 +11:00
dcd7fd8c17
SELFOUR-444: Refine proof with ghost invariant.
2016-11-02 11:19:09 +11:00
9e7fb1daf0
SELFOUR-444: Structure of crefine.
...
Figured out how to pass the necessary assumptions about the region
being zeroed through the createNewObjects loop and resolve at
invokeUntyped_Retype. Still WIP.
2016-11-02 11:19:09 +11:00
74adb7a283
SELFOUR-444: Avoid unnecessary cache clears.
...
Adjust both specs and propagate the changes.
2016-11-02 11:19:09 +11:00
7ebefa69ab
SELFOUR-444: Work on untyped zero invariant.
...
The invariant just proves that the ghost field is up to date.
2016-11-02 11:19:09 +11:00
d765a64b81
SELFOUR-444: Haskell implementation, begin refine.
...
First attempt at a haskell implementation of preemptible retyping
and the refinement proof to abstract.
2016-11-02 11:19:08 +11:00
a3714e8190
SELFOUR-276: Finish proofs for maximum controlled priority (MCP)
...
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strenthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
b352769016
SELFOUR-276: Prove refinement to Haskell for MCP
...
Also includes fixes to specs and invariants, and initial progress
towards C refinement.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
8d4a8eb238
SELFOUR-421: fix coding style
2016-09-22 19:23:28 +10:00
8f3a4dee31
SELFOUR-421: merge with master, fix wholesystem proofs
2016-09-22 19:23:19 +10:00
113315d9a6
SELFOUR-421: merge and fix up to ArmConfidentiality proof
2016-09-22 19:21:56 +10:00
252ce8df4c
SELFOUR-421: infoflow and infoflow_c builds
2016-09-22 19:11:37 +10:00
328846ee1a
SELFOUR-421: crefine builds
2016-09-22 19:11:37 +10:00
ba03caf644
SELFOUR-421: commit before change abstract again
2016-09-22 19:11:37 +10:00
7784e80940
SELFOUR-421: fix refine
2016-09-22 19:11:36 +10:00
c3be923ca0
SELFOUR-421: a defend version before wild changes
2016-09-22 19:11:36 +10:00
765d8aa88e
SELFOUR-421: fixed Refine after merge with master
2016-09-22 19:11:36 +10:00
9617e22ce6
SELFOUR-421: random uncommitted stuff before merge
2016-09-22 19:11:36 +10:00
df877769fc
SELFOUR-421: refine done
2016-09-22 19:11:36 +10:00
3c223b42fe
SELFOUR-421: AInvs done, no added invariants yet
2016-09-22 19:11:29 +10:00
9a1ec71a2d
Refactor of crunch.
...
Substantial adjustments to crunch. Main user changes are:
- 'lift' and 'unfold' mechanisms replaced by more general 'rule'.
- some more 'ignores' standardised.
- crunch has a more principled overall design:
+ discover crunch rule
* provided or by definition extraction
+ recurse according to rule
+ prove goal based on rule, recursive discoveries, standard tactic
* wp/simp adjustments tweak tactic
2016-08-24 15:53:53 +10:00
1013e959c1
arch_split: give some vspace concepts more generic names
...
In particular rename "pd" to "vspace", when the pd represents
an address space.
2016-08-03 14:46:48 +10:00
eb7f7b1564
arch-split: Tcb_AI.thy done
2016-07-07 13:57:16 +10:00
b9313f6d11
arch_split: invariants: tidied
2016-06-15 10:15:26 +10:00
26a7907c95
Merge pull request #43 in SEL4/l4v from ~JALIM/l4v:autocorres-seL4 to master
...
* commit 'ecbb860532b4c576fc4726a805802f16bcf5302c': (29 commits)
autocorres-crefine: specialise corres_no_failI for compatibility with Refine
Add license tags for autocorres-crefine files
crefine: refactor AutoCorresTest a bit
autocorres-crefine: remove local debugging imports
Fix InfoFlowC to accommodate corres_underlying changes.
Fix DRefine to accommodate corres_underlying changes.
autocorres-crefine: experiment with manually translating a function (clzl).
autocorres-crefine: experiment with translating bitfield_gen specs.
autocorres-crefine: start a test case for function calls.
autocorres-crefine: update example proofs to work with no_c_termination, which does not require proving termination for the C spec.
autocorres: add user option "no_c_termination" for previous patch.
Making termination proof optional for AutoCorres.
WIP: autocorres: hacky proof of concept for incremental translation.
autocorres: add some missing WordAbstract rules.
autocorres-crefine: fix some comments in work theory.
autocorres-crefine: prove modifies and (simple) terminates specs.
autocorres-crefine: experiment with generating modifies proofs
autocorres-crefine: run autocorres in kernel_all_substitute locale
autocorres-crefine: update another corres_UL that snuck in before rebasing.
autocorres-crefine: working ccorres for handleYield (modulo some white lies).
...
2016-05-19 01:19:58 +00:00
ecbb860532
autocorres-crefine: specialise corres_no_failI for compatibility with Refine
...
The generic rule is now named corres_no_failI_base.
2016-05-18 15:28:43 +10:00
322f1023f5
word_lib: adjust theory dependencies
2016-05-16 21:11:40 +10:00
445efb7c29
lib: closure for Word_Lib and own session
2016-05-16 21:11:40 +10:00
f0faa90f8a
lib/spec/proof/tools: fix word change fallout
2016-05-16 21:11:40 +10:00
0f0f731ab7
Merge branch 'master' of ssh://bitbucket.keg.ertos.in.nicta.com.au:7999/SEL4/l4v into autocorres-seL4
...
This is to prepare for merging back into master.
Conflicts:
proof/crefine/Refine_C.thy
2016-05-11 15:08:22 +10:00
60afdc1288
trivial: fixups including some licence headers
2016-05-09 13:27:15 +10:00
b16496e7cf
arch_split: InfoFlowC checking
2016-05-06 13:15:37 +10:00
56b226a608
arch_split: CRefine: use requalify instead of shadow
2016-05-06 08:59:33 +10:00
9ceed1eb12
arch_split: fix proofs after removing shadow and unqualify commands and adding fix for crunch. Checks up to DPolicy.
2016-05-04 15:14:41 +10:00
ec399ad38e
arch_split: CRefine checking
2016-05-04 15:07:51 +10:00
33b4848061
arch_split: Refine: fixup some qualified references
2016-05-02 16:11:13 +10:00
a2135ca8ce
arch_split: Refine checking, including Orphanage
2016-04-30 16:25:20 +10:00
e8c5b916ef
arch_split: Refine checking, except Orphanage
2016-04-29 18:15:54 +10:00
e0ecdf2281
arch_split: Refine checking up to ADT_H
2016-04-29 15:06:32 +10:00
Gerwin Klein
Alejandro Gomez-Londono
Rafal Kolanski
Miki Tanaka
Gerwin Klein
Matthew Brecknell
Pang Luo
Joel Beeren
Daniel Matichuk
Daniel Matichuk
Xin,Gao
Ramana Kumar
Thomas Sewell
Matthew Brecknell
Japheth Lim