The workflow_dispatch trigger adds a button in the GitHub UI that lets
one trigger the workflow manually. Useful for testing the workflows.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This also moves several lemmas required for obj_range'_disjoint
to Invariants_H
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
These rules allow the simplifier to solve almost all existing goals that
involve the C constants true and false, without unfolding their
definitions.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
word_less_bit_eq turns `<` into a bitwise expression on abstract word
length to make it easier to reason about the relationship of < and bit
operations (boolean, but also shift etc).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The Eisbach method command doesn't seem to allow providing a doc
string. Instead at least place a comment right next to the definition
so that people can find that when they discover the method name with
print_methods.
Update doc string of word_bitwise to clarify where it is useful.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Adds generic (ring_bit_operations) relationships between boolean and
arithmetic operations. These automatically hold for word and int.
In particular:
x + y = (x OR y) + (x AND y)
x + y = (x XOR y) + 2 * (x AND y)
x XOR y = (x OR y) - (x AND y)
Similar laws for OR, AND, and -.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
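The identities above are stated for any ring_bit_operations instance and hold for 'a word (modular arithmetic) as well as int. The following added example is not part of the l4v commit or repository; it checks the three stated laws exhaustively over all pairs of n-bit words and spot-checks them on signed Python ints. The commit only says "similar laws for OR, AND, and -" without spelling them out; the three companion laws in the block are my own derived statements, labelled as such, and the helper names are made up for this example.

```python
import itertools
import random

# Added example (not from the l4v commit): check the boolean/arithmetic
# identities from the commit message over all n-bit word pairs (mod 2^n)
# and over random signed ints. Python's &, |, ^ and ~ on ints have
# two's-complement semantics, so they model the 'int' instance directly.


def identities(x: int, y: int) -> list:
    """Return (lhs, rhs) pairs; an identity holds iff lhs == rhs."""
    return [
        # the three laws stated in the commit message
        (x + y, (x | y) + (x & y)),
        (x + y, (x ^ y) + 2 * (x & y)),
        (x ^ y, (x | y) - (x & y)),
        # my derived companions for OR, AND and - (assumptions, not quoted
        # from the commit): rearrangements of the first law, and the split
        # x = (x AND y) + (x AND NOT y), y = (x AND y) + (NOT x AND y)
        (x | y, (x + y) - (x & y)),
        (x & y, (x + y) - (x | y)),
        (x - y, (x & ~y) - (~x & y)),
    ]


def word_laws_hold(bits: int) -> bool:
    """Check every identity for all n-bit word pairs, modulo 2^bits."""
    mask = (1 << bits) - 1
    for x, y in itertools.product(range(1 << bits), repeat=2):
        for lhs, rhs in identities(x, y):
            if (lhs & mask) != (rhs & mask):
                return False
    return True


def int_laws_hold(samples: int = 10_000, seed: int = 0) -> bool:
    """Spot-check every identity on random signed ints (the 'int' instance)."""
    rng = random.Random(seed)
    bound = 1 << 70
    for _ in range(samples):
        x, y = rng.randint(-bound, bound), rng.randint(-bound, bound)
        if any(lhs != rhs for lhs, rhs in identities(x, y)):
            return False
    return True


def first_counterexample(bits: int, lhs, rhs):
    """First (x, y) with lhs(x, y) != rhs(x, y) mod 2^bits, or None if none.

    Useful for checking a candidate law before trying to prove it; e.g. the
    plausible-looking x + y = (x XOR y) + (x AND y) fails already at (1, 1)
    because the carry bit is counted only once.
    """
    mask = (1 << bits) - 1
    for x, y in itertools.product(range(1 << bits), repeat=2):
        if (lhs(x, y) & mask) != (rhs(x, y) & mask):
            return (x, y)
    return None


if __name__ == "__main__":
    print("8-bit words:", word_laws_hold(8))
    print("signed ints:", int_laws_hold())
    print("bad law fails at:",
          first_counterexample(8, lambda x, y: x + y,
                               lambda x, y: (x ^ y) + (x & y)))
```

Exhaustive checking at 8 bits is cheap (65536 pairs) and is exactly the kind of sanity check worth running before stating a new word lemma in Isabelle, since a law that fails for some pair cannot be proved for the generic type class either.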
Provide sgn (sign, mapping to -1, 0, 1) and abs (absolute value)
functions for 'a word by instantiating the relevant type classes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The condition `pptrBase < kernelELFBase` is not required on AArch64 in
hyp mode and was left over from the initial RISC-V setup.
Since this check does fail for some platforms (where physBase = 0 and
consequently pptrBase = kernelELFBase) we remove it here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Extracted from verification-manifest README which now only points to
the instructions in this repo.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- Provide one flattened set of instructions to install all
dependencies, google repo, manifest checkout, and Isabelle
installation. At the end of it, link to the description on how to run
the proofs.
- Remove jEdit section from main README, since it's duplicated in
`setup.md`.
- Update Google repo link to a page that contains installation
instructions.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Avoid mixing `isabelle`, `make`, and `run_tests` invocations.
Standardise on `run_tests` and mention `L4V_ARCH` each time to
indicate that you can and should set `L4V_ARCH`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- Distinguish between virtual and physical address for the shared page
in the example state.
- Reuse lemmas from ArchKernelInit to solve address translation proofs.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Move physBase into Arch_Kernel_Config_Lemmas, and move basic lemmas
about kernel constants that do not directly unfold physBase into
ArchInvariants_AI.
Because Arch_Kernel_Config_Lemmas does not have all names available
yet, some of the lemmas are folded and shadowed later in
ArchInvariants_AI.
Also refactor translate_address_kernel_elf_window to have two helper
lemmas that can be used in infoflow.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- adjust the example init state such that it does not constrain the
value of physBase and kernelELFBase too much. We assume 4M physical
memory and 4k of kernel ELF memory. We need 4M for the infoflow
example, because it requires a 2M RISCVLargePage plus additional
kernel objects.
- make the PagePTE for kernelELFBase point to kernelELFPAddrBase so
that the mapping stays consistent when physBase changes.
- introduce shorthand constants for the index in the page table that
is responsible for kernelELFBase, and for the number of bits left
to translate from the top-level page table (= size of the pages in
that table).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factor out pptrTop from the definition in kernelELFBase and define it
as a constant as on other platforms. Shadows the equivalent definition
in Haskell.
Also remove incorrect comment -- the term was not PADDR_TOP, but
PPTR_TOP in C.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove the only unfolding of Kernel_Config.physBase_def in
ArchKernelInit by removing an unused lemma. Move the remaining
unfolding in ArchAInvariants to Kernel_Config_Lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The example valid state is changed to correctly use both the virtual
and physical address of the shared page, instead of just the virtual
address.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
While having a single Kernel_Config_Lemmas was fine for constraining the
number of domains, it does not work for constraining architecture-specific
configuration options/values.
Add an (empty for now) Arch_Kernel_Config_Lemmas theory to every architecture
that imports the generic Kernel_Config_Lemmas. Change all imports of
Kernel_Config_Lemmas to import Arch_Kernel_Config_Lemmas instead.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Make the C kernel config extraction visible as a separate test session
in run_tests so that run_tests can do concurrency control for it.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
physBase is now a generated definition on all arches except X64, with
the expectation that this value can change (for static multikernel systems).
All definitions that depend on physBase in C must therefore adapt to
depend on the physBase constant instead of its unfolded value.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
A previous commit added a new job which depended on a job that didn't
exist. We rename the `all` job to `proofs` for consistency with other
workflows.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
This rule allows us to prove correspondence in the case
where the result of a function call is assigned to a
global variable
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Terms of the form "(if P then None else Some _) = None" and all their
combinations can be simplified automatically. For the "Some" variants
we provide a safer form, e.g.:
((if P then Some x else None) = Some x) = P
because
((if P then Some x else None) = Some y) = (P /\ x = y)
adds an equation to the goal that the simplifier will pick up. That is
often wanted, but sometimes leads to non-termination.
Even the safer form can lead to non-termination if P is an equation, so
none of these are [simp] by default.
- `if_option_eq` is the safer set
- `if_option` is the less safe set that simplifies more
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>