The non_kernel_IRQs constant collects IRQs that cannot occur in kernel
mode. For non-hyp platforms this is usually empty, for hyp platforms we
add software-generated virtual interrupts.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
On ARM_HYP we added a fix for a problem discovered during the proof of
the VCPU invariant that the current VCPU always belongs to the current
thread. This commit ports that fix from ARM_HYP to AARCH64.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- align init_irq_node_ptr to its size (which is larger than in RISCV)
- remove ArmVSpaceUserRegion, because kernel has its own page table
- define global_pt_obj, add to initial heap
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Sync both values with what the C code does. The corresponding comment
in C is wrong and would not produce a safe value for pptrTop (the
comment says 2^48 - 2^30), but the actual definition in C (the
equivalent of 2^40 - 2^30) is safe.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Previously the wrong cap argument was checked against being the vspace
root (cap vs vspace_cap).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Ensure in valid_pti that page table operations, in particular
unmap_page_table, are only called on NormalPTs. This means we can
remove the vspace_for_asid precondition in the associated lemmas.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
While we do want to break up full OptionMonad terms in assumptions, we
do not usually want to break up projections.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
wp rules for most operators such as return, get, gets are named
return_wp, get_wp, etc. Then when, whenE, unless, unlessE operators had
an additional hoare_.. prefix that this commit removes for more
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Moving `Monad_Equations.thy` and `More_NonDetMonadVCG.thy` into Monads
session enables us to remove the Lib and CLib session dependencies in
AutoCorres.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This session currently contains only one theory (CLib), which we want
to include both in Lib and later independently in CParser/AutoCorres.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove dependency on Lib.thy. Theory imports of AutoCorres are now
reduced to theories that can be moved out of the Lib session.
The proof context changes a bit, but impact on test cases is minimal.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove Lib dependency. Introduce a new theory CLib which contains base
lemmas needed in LemmaBucket_C.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since most bitwise operations are now available by default for nat,
only word abstraction in AutoCorres depends on NatBitwise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
It has no other lib dependencies and over time should probably be
merged directly into umm theories. For now, move the entire file
and keep dependency structure.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The idea is to collect Eisbach extensions and things like Apply_Trace,
Apply_Debug etc here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
So that it is available together with the other empty_fail lemmas.
Eventually, these should go into their own theory.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Gerwin Klein
Michael McInerney
Rafal Kolanski