967a091cf6
ainvs: Remove unnecessary crunches and whitespace
2018-06-27 11:48:56 +10:00
f728dd25e8
x64: Add IOPortControlCaps to control IO port allocation
...
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
2018-04-19 05:27:06 +10:00
2d0baab462
Proof update for crunch changes
2018-04-04 14:13:55 +10:00
0f38e20094
Many proof repairs.
2018-03-16 14:57:51 +11:00
652cbb966e
Initial proof updates for combinator changes.
2018-03-16 14:53:22 +11:00
2f540e802c
add constant definitions for bounds on untyped object sizes
2017-12-18 12:58:27 +11:00
48b3a8b4ca
update object and field widths for x64, and remove some magic numbers
...
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
2017-10-26 14:05:35 +11:00
238e8b307e
x64: merge master
2017-07-21 11:27:12 +10:00
796887d9b1
Removes all trailing whitespaces
2017-07-12 15:13:51 +10:00
f492f85471
ainvs: added back in second_level_tables for Untyped, ported changes to ARM_HYP also
2017-06-19 14:32:43 +10:00
dbbc0d41b5
arm-hyp: AInvs sorry-free
2017-06-19 14:32:23 +10:00
9123c3635e
arm-hyp: changes after rebase (on top of d08ee04e2f)
2017-06-19 14:32:22 +10:00
7e79b1b7b2
changes after rebasing (for isabelle2016-1 and the new wp)
2017-06-19 14:32:21 +10:00
eb0ec4dcd0
arch_splitting, fixing sorries, some more invariants
2017-06-19 14:32:21 +10:00
5cabf38229
arm-hyp invariants: fix arch_splitting/locales
...
* tcb_arch_ref: definition and invariants (to access obj_refs in tcb_arch in generic contexts)
* fixes related hyp_refs
2017-06-19 14:32:21 +10:00
ee5e6f9607
arm-hyp invariants: some fixes for locale interpretations
2017-06-19 14:32:21 +10:00
61dffdb6cc
arm-hyp invariants: changes from rebase for ARM_HYP invariants
2017-06-19 14:32:20 +10:00
1d4b6e934b
arm-hyp invariants: updates for vcpu, alignments, valid_vspace_obj, wellformed_arch_obj, etc.
2017-06-19 14:32:20 +10:00
659088cc13
x64: merge master
2017-03-29 20:22:12 +11:00
6f3efc504a
arch_split x64 arm: make endpoint_bits and ntfn_bits arch constants
2017-03-27 19:07:42 +11:00
bb92e92f52
arch_split x64 arm: make cte_level_bits an arch constant
2017-03-27 19:07:28 +11:00
49e12ef7dc
x64: change cte_level_bits, obj_bits (Endpoint; Notification) to 5
...
rather than 4.
This is true on all 64-bit platforms as the size of these objects is 4
words (4*8 = 32 = 2^5). However, this breaks the 32-bit ARM proofs that
rely on these values being 4 - see jira issue VER-725.
2017-03-21 15:09:37 +11:00
a2de84cf3d
ainvs: repair wp_pre fallout
2017-03-16 19:39:11 +11:00
95d1671940
Merge remote-tracking branch 'verification/master' into x64-split
...
Conflicts:
lib/LemmaBucket.thy
lib/NonDetMonadLemmaBucket.thy
lib/Word_Lib/Word_Lemmas.thy
lib/X64/WordSetup.thy
proof/invariant-abstract/ARM/ArchDetype_AI.thy
proof/invariant-abstract/ARM/ArchInvariants_AI.thy
proof/invariant-abstract/BCorres_AI.thy
proof/invariant-abstract/CSpace_AI.thy
proof/invariant-abstract/DetSchedSchedule_AI.thy
proof/invariant-abstract/Interrupt_AI.thy
proof/invariant-abstract/IpcCancel_AI.thy
proof/invariant-abstract/Syscall_AI.thy
proof/invariant-abstract/Untyped_AI.thy
proof/refine/ARM/Include.thy
spec/abstract/ARM/ArchTcb_A.thy
spec/abstract/CSpace_A.thy
spec/abstract/Tcb_A.thy
spec/design/ARM/ArchIntermediate_H.thy
spec/design/X64/ArchInterruptDecls_H.thy
spec/haskell/Makefile
spec/machine/MachineExports.thy
tools/c-parser/.gitignore
tools/c-parser/standalone-parser/Makefile
tools/c-parser/testfiles/ARM/imports/MachineWords.thy
tools/c-parser/testfiles/X64/imports/MachineWords.thy
tools/haskell-translator/caseconvs
2017-03-10 19:35:39 +11:00
941d383594
ainvs: allow valid_arch_state to depend on arch objs
2017-03-03 13:51:35 +11:00
99c7dd8a04
cleanup: remove old wp_cleanup comments
2017-03-03 09:01:28 +11:00
c54cbb3828
x64: remove arch-specific detail that crept back into Untyped_AI
2017-02-16 11:08:46 +11:00
41c3abede6
x64: fix sorry in Untyped_AI, move clearMemory_invs to ArchRetype_AI
2017-02-15 11:21:44 +11:00
9d555f5197
X64: some progress on ArchUntyped_AI.thy
2017-02-14 17:06:32 +11:00
037d0566e4
x64: fix word proof in Untyped_AI, re-add set_cap_valid_arch_objs_simple
2017-02-13 12:24:47 +11:00
677c82ca11
X64: fix some sorries in ArchVSpace
2017-02-09 13:47:01 +11:00
3dafec7d46
backport changes to ARM proofs from X64 work in progress
...
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2017-01-27 08:31:07 +11:00
759a0387ab
merge master into x64-split
...
Primarily concerns wp improvements
2017-01-18 07:49:48 +11:00
47119bf43e
wp_cleanup: update proofs for new wp behaviour
...
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
2017-01-13 14:04:15 +01:00
abf1db5b51
merge master into x64-split
2017-01-13 17:22:03 +11:00
c1782fc155
x64: fix ARM build after merge
2017-01-13 11:24:06 +11:00
a1b5f16ed6
merge x64-split into local branch
2017-01-11 17:22:05 +11:00
41d4aa4f1d
Isabelle2016-1: update references to renamed constants and facts
2017-01-05 14:23:05 +11:00
f21d06d35a
AInvs: remove 32-bit references in Untyped_AI
2016-12-02 15:10:51 +11:00
73a08160a1
merge master into x64-split
2016-11-30 12:08:32 +11:00
d659794237
update references to word32_plus_mono_right_split
...
This is now called machine_word_plus_mono_right_split, since it now
works at the current architecture's machine word size.
2016-11-24 16:46:19 +11:00
c1c636a24f
Simplify obj_bits to not check well_formed_cnode_n
2016-11-11 16:24:37 +11:00
dcd7fd8c17
SELFOUR-444: Refine proof with ghost invariant.
2016-11-02 11:19:09 +11:00
74adb7a283
SELFOUR-444: Avoid unnecessary cache clears.
...
Adjust both specs and propagate the changes.
2016-11-02 11:19:09 +11:00
411af12ee9
SELFOUR-444: Logic generalised; Access finished.
...
Tweak AInvs proof for Untyped to be more reusable, finish integrity
proofs.
2016-11-02 11:19:08 +11:00
d765a64b81
SELFOUR-444: Haskell implementation, begin refine.
...
First attempt at a haskell implementation of preemptible retyping
and the refinement proof to abstract.
2016-11-02 11:19:08 +11:00
63888fa98d
SELFOUR-444: AInvs proven for preemptible retype.
2016-11-02 11:19:08 +11:00
8d4a8eb238
SELFOUR-421: fix coding style
2016-09-22 19:23:28 +10:00
113315d9a6
SELFOUR-421: merge and fix up to ArmConfidentiality proof
2016-09-22 19:21:56 +10:00
252ce8df4c
SELFOUR-421: infoflow and infoflow_c builds
2016-09-22 19:11:37 +10:00
Corey Lewis
Joel Beeren
Thomas Sewell
Matthew Brecknell
Alejandro Gomez-Londono
Joel Beeren
Gerwin Klein
Miki Tanaka
Xin,Gao
Gerwin Klein
Ramana Kumar
Thomas Sewell