Previously, everything was counted under session CParser, incl. most of
Word_Lib. The dependency on Word_Lib thus revealed means Word_Lib is the
better base image for session Simpl-VCG.

Accept "[f x | x \leftarrow t]" in addition to "[f x . x \leftarrow t]",
because the former is what naturally comes out of the Haskell translator, and
the regexps that would be necessary in the Haskell translator for this are
distasteful.
JIRA-VER 927

While the numerical value is arch dependent, the definition and symbolic value
are not. This commit factors out the symbolic computation and only unfolds the
numeric value in the architecture dependent spec.
Strictly speaking vmrights might at some point become architecture dependent,
but all present architectures have precisely the same implementation, and there
are no plans to do anything different in the foreseeable future.
A handful of fiddly proofs change slightly. A common offender involves
tcb_cap_cases, which should be unfolded with the ran_tcb_cap_cases
rule where possible rather than with tcb_cap_cases_def.

Adds "non-conditional simplification" method simp_no_cond, and
various equivalents.
This is done by setting the simplifier depth limit to 0, which seems
to be a useful case. It prevents expensive conditional simplification
attempts but leaves the simplifier strategy otherwise unchanged.
This is easy to set up and to link to wpsimp.

Discard some magic that was done to instantiate an induction rule,
and instead use the existing Induct_Tacs package to apply induction
rules, which seems to be successful more often.

Adjusting the strengthen congruence rules for conjunction
and disjunction makes other conjuncts available as assumptions
in strengthening a conjunction. This may be useful occasionally.

This speeds up a bunch of the slowest uwr and automaton proofs in
Noninterference, mainly by adjusting the simp depth limit to avoid
unneeded backtracking. Inspired by a rant from Tom Sewell.

This patch generalises the mapping between authority labels and
scheduler domains, so that the access-control integrity property still
holds when labels are not partitioned into domains. This lets us use
the integrity result on systems that don't use the domain scheduler.
The information flow proofs still rely on the domain partitioning,
hence we add constraints on the label-domain mapping for the info-flow
results to hold.
Jira VER-945

Add the design-spec dependency to the SimplExport* targets, since the
Haskell conversion needs to be done to create the MachineTypes theory
before the CKernel image can be created.

Adds a target name that ensures that the preprocessed kernel source
is up to date, but doesn't do any other work. This avoids confusion
when doing a check of source compatibility in building the seL4 input
for graph-refine.

TPIDRUR[OW] registers removed from VCPU registers. Their saving now
lives in arch_c_entry_hook, which is before verified code is hit.
Relevant for verification, TPIDRURO is already handled as TLS_BASE
register, and TPIDRURW (holds IPC buffer) is saved/restored as part of
normal thread register save/restore.