The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
SUPREMUM changed from a definition to an abbreviation.
A number of proofs that previously used blast, fastforce or auto to
solve goals involving UNION, now either fail or loop. This commit
includes various ad-hoc workarounds.
With analysis of ASM statements included, some previous modifies
proofs get weakened. This has in particular consequences for proofs
about a cache clean done during retype. Make a weak assumption here
(bytes which actually have a type are unchanged), and strengthen some
logic to fit with this.
* The majority of changes involved rephrasing references to tcb_context
for the equivalente (arch_tcb_context_get o tcb_arch) (the same
applies for set operations)
* Mayor refactoring of setMRs and handleFaultReply C functions both of
which introduced new function calls when dealing with UserException
and SyscallException faults
* handleFaultReply' (definition) was modified to include less redundant
code
* handleFaultReply' (lemma) was completely refactored to use the
monadicrewrite framework for "easier" and simpler proofs
* IsolatedThreadAction framework striped from Fastpath_C into new
standalone file
tags: [VER-623][SELFOUR-413]
Figured out how to pass the necessary assumptions about the region
being zeroed through the createNewObjects loop and resolve at
invokeUntyped_Retype. Still WIP.
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strenthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
The very last twist of this: the proof that resolveAddressBits can
be seen as functional needs to change, a lot, because it's now
sensitive to gsCNodes. Still working on that.
Green build except for:
CParserTest (WTF Duplicate fact declaration "dc_20081211.dc_20081211.test_modifies")
AutoCorresSEL4 (waiting on result)
There is still a carefully managed sorry in Schedule_R, waiting on the C
parser FNSPEC+DONT_TRANSLATE fix.
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
Gerwin Klein
Matthew Brecknell
Thomas Sewell
Alejandro Gomez-Londono
Miki Tanaka
Rafal Kolanski
Xin,Gao
Joel Beeren
Matthew Brecknell
Ramana Kumar
Daniel Matichuk
Matthew Fernandez
David Greenaway