Commit Graph

1358 Commits

Author SHA1 Message Date
Japheth Lim 8277a52b30 WIP experiments: verify backwards compat for my_corres_underlying. 2016-01-22 15:02:21 +11:00
Japheth Lim b5bbc44703 WIP: Refine_C experiments: corres between DSpec and AutoCorres. 2016-01-22 15:02:21 +11:00
Japheth Lim 10a8b3f3cc WIP: Refine_C: autocorres experiments. 2016-01-22 15:02:21 +11:00
Japheth Lim fcf7aff890 Try running AutoCorres at the top of CRefine. Currently, its output is unused. 2016-01-22 15:02:15 +11:00
Daniel Matichuk b6f6da208e arch_split: fixed CRefine 2016-01-22 10:34:54 +11:00
Daniel Matichuk c282969c54 Merge remote-tracking branch 'verification/master' into arch_split 2016-01-21 10:22:48 +11:00
Joel Beeren 919676250c added use of seL4_arch_invocation_label 2016-01-20 14:54:47 +11:00
Daniel Matichuk a34de66b9f arch_split: fix crefine up to Interrupt_C 2016-01-20 14:42:36 +11:00
Daniel Matichuk a8b7ee4ffe repairing refine (simplified attribute now solves True) 2016-01-18 16:09:30 +11:00
Miki Tanaka b7376a56e2 Isabelle 2016 update: minor fixes 2016-01-15 16:03:30 +11:00
Joel Beeren efb4c61816 archirq: Remove redundant invocation, renamed
arch_decode_interrupt_control.
2016-01-14 17:50:33 +11:00
Miki Tanaka 92cde6069f Isabelle2016: fixed VSpace_AI 2016-01-14 15:17:46 +11:00
Japheth Lim 65e98199e1 regression: adjust unnecessarily large test timeouts.
Some tests had timeouts of up to 4 hours. Note that timeouts are
applied on a per-test basis, not per-testsuite. This is now clarified
in the tests.xml documentation.
2016-01-13 16:59:25 +11:00
Joel Beeren fd477c43f6 get everything building for release 2016-01-13 13:48:06 +11:00
Daniel Matichuk ca808130e6 repair ARM proofs up to Refine after factoring out architecture 2016-01-13 12:02:12 +11:00
Daniel Matichuk 3be2eaa7b0 repairing AInvs: checks up to the middle of VSpace_AI 2016-01-12 18:10:36 +11:00
Daniel Matichuk d37a344783 cleanup for prod and when keyword 2016-01-12 16:07:28 +11:00
Daniel Matichuk b7563eb788 fix lib for isabelle 2016 2016-01-12 14:58:16 +11:00
Joel Beeren 7b1d4a12a6 SELFOUR-114: remove duplicated message_info struct 2016-01-11 14:13:13 +11:00
Japheth Lim 3c4b566484 regression: fix tests.xml dependencies to be consistent with ROOTs. 2016-01-07 18:39:50 +11:00
Joel Beeren 1ccd4f5dcc conversion: Rationalise standard types 2015-12-10 21:24:22 +11:00
Thomas Sewell 29648ac243 Reduce verbosity in GraphRefine. 2015-12-08 19:36:28 +11:00
Thomas Sewell 15d09a093a Parallelise GraphRefine in its default run. 2015-12-08 17:39:07 +11:00
Thomas Sewell 175eb2da2d More fixes for pointer array assertions. 2015-12-03 17:30:08 +11:00
Thomas Sewell df40425731 Repair SimplExport/GraphRefine. 2015-12-03 16:34:11 +11:00
Thomas Sewell 043a69c81b Fix Orphanage from array changes, refactor.
Some generalisation is done in finaliseSlot_invs'' to avoid
duplicating it in Orphanage and PageTableDuplicates.

Finally cleanup in haskell translation.
2015-12-02 09:15:32 +11:00
Thomas Sewell 860f8f2225 Fixes for merge/rebase with mainline. 2015-12-02 09:15:26 +11:00
Thomas Sewell 375b526b0c Finally done with array assertions. 2015-12-02 09:08:27 +11:00
Thomas Sewell 7e40646c48 Proof up to Fastpath_C.
The very last twist of this: the proof that resolveAddressBits can
be seen as functional needs to change, a lot, because it's now
sensitive to gsCNodes. Still working on that.
2015-12-02 09:07:49 +11:00
Thomas Sewell 22f5f2f005 Further work on array assertions. 2015-12-02 09:07:15 +11:00
Thomas Sewell 4fd43512bb WIP on handling array assertions. Up to Retype_C.
This is quite a lot of work in the end. I've had to gut most of
Retype_C along the way. Nearly done there.
2015-12-02 09:06:06 +11:00
Thomas Sewell 6fa0909124 Partial progress on using array assertions. 2015-12-02 09:05:04 +11:00
Japheth Lim 411ef475dc crefine: fix theory import path. 2015-11-27 13:55:23 +11:00
Matthew Fernandez 24aaad4f8b infoflow: Remove a find_theorems invocation. 2015-11-25 10:30:29 +11:00
Matthew Fernandez d9154d00af crefine: Remove a find_theorems invocation. 2015-11-25 10:29:22 +11:00
Gerwin Klein 7bc4236077 remove accidentally committed file 2015-11-25 09:54:30 +13:00
Gerwin Klein 0f2d557679 terminology in comments: async ep -> notifications 2015-11-24 16:58:22 +13:00
Gerwin Klein df519ffd25 avoid `make` warning, remove SimplExportOnly from HEAPS
Make ignores the HEAPS rule for SimplExportOnly anyhow (as it should).
2015-11-20 16:02:14 +11:00
Gerwin Klein ac632c5aaa Wait -> Recv: update proofs 2015-11-20 16:02:14 +11:00
Joel Beeren 457a55a831 add arch_tcb object to C, rename aep -> ntfn 2015-11-20 16:02:13 +11:00
Rafal Kolanski ac9c3bb1a3 Remove sorry on clz_spec (C parser changes allow it to be proved now).
(with some magic from Thomas)
2015-11-20 15:58:15 +11:00
Thomas Sewell 7f664edf13 One more fix for strengthen change. 2015-11-02 16:02:03 +11:00
Thomas Sewell 314a46ee6f One last fix, hopefully. 2015-11-02 10:52:06 +11:00
Thomas Sewell bdd8819f50 More minor adjustments. 2015-10-30 12:22:55 +11:00
Thomas Sewell 7c3a06a8d7 Minor adjustments caused by Strengthen changes. 2015-10-29 11:27:54 +11:00
Rafal Kolanski d3f3acb9fc Fix up CRefine after seL4_NBWait merge. 2015-10-22 07:45:49 +11:00
Rafal Kolanski d51402a5a2 Merge remote-tracking branch 'verification/master' into priority-bitmap
(seL4_NBWait)
2015-10-21 16:23:01 +11:00
Rafal Kolanski c94b27b7ae priority-bitmap: clean up CRefine
Cleaned up proof of tcbSchedDequeue_ccorres' (still ugly)
2015-10-21 16:22:11 +11:00
Joel Beeren e403eb8f0a poll: added non blocking sync wait 2015-10-21 14:24:49 +11:00
Joel Beeren d6f7579be7 poll: Added new syscall for polling async endpoints (non-blocking wait) 2015-10-21 14:24:49 +11:00
Rafal Kolanski 6f8cdae201 priority-bitmap: clean up Refine (i.e. "FIXME RAF") 2015-10-21 13:38:29 +11:00
Rafal Kolanski c1eb235105 Merge 'verification/master' into priority-bitmap
Green build except for:
CParserTest (WTF Duplicate fact declaration "dc_20081211.dc_20081211.test_modifies")
AutoCorresSEL4 (waiting on result)

There is still a carefully managed sorry in Schedule_R, waiting on the C
parser FNSPEC+DONT_TRANSLATE fix.
2015-10-21 06:19:20 +11:00
Rafal Kolanski fca34f4a7f priority-bitmap: TEMPORARY SORRY FOR JIRA VER-464
In Schedule_C:
(**** FIXME FIXME FIXME ***)
(* As per JIRA VER-464, the C Parser does not handle
   DONT_TRANSLATE+MODIFIES+FNSPEC correctly. This is the spec given in util.h
   in seL4 for clz. We do not get that spec back at present.
   In order to have a working build until the C parser is fixed, we sorry this
   proof. My apologies.
*)
2015-10-20 23:52:14 +11:00
Rafal Kolanski 3230d601ae priority-bitmap: Update InfoflowC 2015-10-20 23:52:14 +11:00
Rafal Kolanski 930a2ff179 priority-bitmap: Update Haskell->C refinement
(modulo clz_spec locale problem)
2015-10-20 23:52:07 +11:00
Rafal Kolanski 7860bd4351 priority-bitmap: move word_log2/clz to WordLemmaBucket
Resolves some FIXMEs in Schedule_R.
2015-10-20 23:50:37 +11:00
Rafal Kolanski 2a9d3022f2 priority-bitmap: Update abstract->Haskell refinement
Added word_log2 and word_clz (inline for now, will migrate them out to
lib later).

Proved most important properties of word_log2 and some basic
count leading zeros properties (word_clz). The former were painful.

Thanks to Thomas, we have a nice tactic for dealing with complicated
obj_at' predicates in conclusion: normalise_obj_at'
2015-10-20 23:40:44 +11:00
Joel Beeren d0693fc7d5 fix CRefine after libseL4 NotificationObject terminology update 2015-10-14 14:00:27 +11:00
Joel Beeren 38fe85e784 aep-binding: cleanup v3 2015-10-07 15:02:26 +11:00
Joel Beeren 038891ac7b aep-binding: more cleanup 2015-10-07 14:57:55 +11:00
Joel Beeren e3704742f0 aep-binding: cleanup 2015-10-07 14:18:09 +11:00
Joel Beeren 4525a78c0f aep-binding: removed quick and dirty from AInvs build options 2015-10-07 13:58:11 +11:00
Daniel Matichuk c8d0692008 sys-init now checks 2015-09-22 12:14:27 +10:00
Daniel Matichuk dab3914e95 change sending on a bound async ipc to avoid revoke_cap 2015-09-21 17:18:37 +10:00
Joel Beeren 21f429fe60 aep-binding: finished InfoFlowC 2015-09-18 13:54:01 +10:00
Ramana Kumar e6eb9c837c aep-binding: finish Bisim
with help from Dan
2015-09-18 11:08:32 +10:00
Ramana Kumar 1ae434b9d5 aep-binding: attempted progress on Bisim, 1 sorry remains
assumptions include aep_obj aep = IdleAEP and aep_bound_tcb aep = Some
x, which I guess is probably a contradiction, but I don't know how to
prove that.
2015-09-17 17:55:57 +10:00
Joel Beeren 8fa63f07ba aep-binding: finished infoflow 2015-09-16 11:41:01 +10:00
Daniel Matichuk 478ce437fe removed sorry 2015-09-16 11:19:49 +10:00
Daniel Matichuk 90a719dcf4 Merge branch 'aep-merge' of github.inside.nicta.com.au:seL4/l4v into aep-merge
Conflicts:
	proof/infoflow/PolicySystemSAC.thy
2015-09-16 11:10:08 +10:00
Daniel Matichuk aa1014d0d0 update SAC for coarser subjectAffects policy 2015-09-16 11:04:29 +10:00
Ramana Kumar ef5f419885 update rm_affects (also now affects more) 2015-09-16 10:43:03 +10:00
Joel Beeren 9bcb5cb7b7 aep-binding: fixed crefine, drefine, dpolicy with new decode_bind_aep definition 2015-09-16 10:35:31 +10:00
Ramana Kumar 1812925265 update r_affects (in SAC example) for aep binding
r now affects more
2015-09-16 10:24:29 +10:00
Daniel Matichuk 8109a05468 fixed Example_Valid_State.thy 2015-09-15 18:10:26 +10:00
Ramana Kumar 45629a38cc some progress fixing PolicySystemSAC
had to change definition of abd_affects_set

work done with Dan
2015-09-15 18:07:36 +10:00
Daniel Matichuk 8dfb775f34 finished Noninterference.thy 2015-09-15 16:31:40 +10:00
Joel Beeren f117c99903 aep-binding: updated AInvs, Access, Refine for new decodeBindAEP 2015-09-15 16:31:14 +10:00
Daniel Matichuk 50adc350d9 Syscall_IF building (1 sorry in decode) 2015-09-15 12:04:46 +10:00
Daniel Matichuk 8451c17837 fixed decode with sorry 2015-09-15 12:02:26 +10:00
Ramana Kumar 53919eda6e handle_wait_globals_equiv 2015-09-15 11:53:40 +10:00
Ramana Kumar 2de96bb5bf handle_wait_reads_respects_f
most of the hard work done by Dan
2015-09-14 18:38:49 +10:00
Daniel Matichuk 229f521d3b finished Ipc_IF 2015-09-14 15:54:17 +10:00
Ramana Kumar 1bde303763 receive_ipc_reads_respects 2015-09-14 11:58:09 +10:00
Ramana Kumar cfc5841b38 complete_async_ipc_reads_respects 2015-09-14 09:47:46 +10:00
Daniel Matichuk f956842e93 finished send_async_ipc_reads_respects 2015-09-11 15:54:53 +10:00
Ramana Kumar 0fb88ea01c Merge branch 'master' into aep-merge
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
2015-09-10 17:06:45 +10:00
Ramana Kumar d88a931ec7 history squashed patch for aep-binding 2015-09-02 15:43:39 +10:00
Thomas Sewell 3c85373823 Treat SimplExportOnly specially in proof Makefile.
SimplExportOnly builds both a (useless) Isabelle image and a (useful) output
file. We need to adjust the build command to ensure the file actually gets
built if the image already existed.
2015-09-01 18:25:32 +10:00
Thomas Sewell 09e155d59d Repair crefine for fastpath changes. 2015-08-21 14:48:55 +10:00
Thomas Sewell 2619356d07 Configure SimplExport targets in proof/Makefile. 2015-08-21 13:56:24 +10:00
Thomas Sewell bd928d1793 Try to avoid emitting const-globals via memory.
Sometimes it's simpler to access an unknown field of a const
global by just computing the offset from its symbol in memory
and assuming the relevant words are in the .rodata section. But
for known fields, it's easier to just figure out what the
constant value is. This complicates the proof slightly, since
it has to guess which case it is in.
2015-08-17 23:35:06 +10:00
Thomas Sewell 5f4a25b078 Improve guard handling in GraphRefine.
Needed for recent changes to how global validity assertions are
generated.
2015-07-28 22:43:03 +10:00
Joel Beeren 3372cd32a8 SELFOUR-220: When calling handleWait, only delete the
TCB's ReplyCap when actually waiting on a synchronous
endpoint.
2015-07-23 14:45:17 +10:00
Thomas Sewell 440081c0f4 Add a gsMaxObjectSize as needed. 2015-07-17 14:30:08 +10:00
Thomas Sewell af86632985 Fix remaining sorries in crefine. 2015-07-16 14:44:56 +10:00
Thomas Sewell 0b5182bd84 More adjustments to graph export/refine. 2015-07-16 13:44:25 +10:00
Thomas Sewell b5f796184a Repair spec/refine, I think. 2015-07-15 17:25:47 +10:00
Thomas Sewell e9180d5cb5 Repair refine/crefine for WCET annotations. 2015-07-14 14:23:29 +10:00
Thomas Sewell ca4391881c WIP on WCET annotations. 2015-07-14 14:23:29 +10:00
Daniel Matichuk d9bef8965c Moved wp-specific eisbach methods higher up import chain 2015-07-10 12:51:15 +10:00
Daniel Matichuk 30db9bb7a5 ArchAcc_AI checks with new subgoal command 2015-07-08 15:44:34 +10:00
Daniel Matichuk 2b10a875ca some usage of subgoal command 2015-07-08 15:44:33 +10:00
Matthew Fernandez d7e874c833 Access: Fix trivial comment typo. 2015-07-01 10:51:04 +10:00
Toby Murray b7f679338d remove long-broken and unused Residual.thy 2015-06-25 16:35:32 +10:00
Gerwin Klein f95b9dad9b infoflow: remove unused theory 2015-05-28 14:21:54 +10:00
Gerwin Klein cfec9ea0db Merge branch 'master' into 2015 2015-05-28 11:45:13 +10:00
Joel Beeren 002cf370bb Updated proof with new fastpath changes removing setCurrentASID and armv_contextSwitch_fp 2015-05-28 11:30:22 +10:00
Gerwin Klein ce51c71fc7 crefine: remove unused ML file 2015-05-22 12:52:35 +10:00
Gerwin Klein 7a8f9cfab6 record more dependencies to avoid redundant rebuilds 2015-05-22 11:48:11 +10:00
Gerwin Klein c6564cb4cb infoflow: 2015 update for infoflow C refinement 2015-05-20 21:10:59 +10:00
Gerwin Klein d4be402559 crefine: even more complete 2015 update 2015-05-20 21:03:48 +10:00
Gerwin Klein bfef1e10d3 crefine: 2015 update complete 2015-05-20 20:39:47 +10:00
Gerwin Klein eea646c84a crefine: 2015 update up to Tcb_C 2015-05-18 09:11:43 +10:00
Gerwin Klein cba6a4f59e infoflow: minor cleanup 2015-05-16 21:49:01 +10:00
Gerwin Klein a6f1ab41f8 ainvs: some more cleanup 2015-05-16 21:48:24 +10:00
Gerwin Klein 12fa86863a fewer warnings 2015-05-16 19:52:49 +10:00
Gerwin Klein b46bc4e78d infoflow: 2015 update (apart from C refinement) 2015-05-16 18:14:59 +10:00
Gerwin Klein c124554d83 Dpolicy 2015 update 2015-05-14 18:56:32 +02:00
Gerwin Klein 164f1db611 proof/capDL-api: 2015 update 2015-05-14 11:41:20 +02:00
Gerwin Klein 330e730fa3 retire old obsolete ADT refinement phrasing
The observable state has been strengthened significantly years ago and
this theory has fallen into disrepair. The toplevel refinement statement
here was nicely concise for a paper, but the practical value is in the
much stronger corres statement, so instead of attempting proof
acrobatics with a new observable state, I'm retiring this theory.
2015-05-13 10:49:30 +02:00
Gerwin Klein f6124669fc 2015 update for DRefine 2015-05-13 09:52:32 +02:00
Gerwin Klein 0c67e0bfa1 2015 update for Refine 2015-05-12 17:17:31 +02:00
Gerwin Klein 177e5bf185 2015 update for access 2015-05-06 13:46:20 -04:00
Gerwin Klein baa5791918 Isabelle2015 update: Bisim 2015-04-19 10:25:42 +01:00
Gerwin Klein 42e037ea9d Isabelle2015 update: AInvs 2015-04-19 10:25:21 +01:00
Gerwin Klein f9e40c29db cleanup: there already is a separate Bisim session 2015-04-19 10:24:42 +01:00
Gerwin Klein 17826f9b49 more Isabelle2015 update; AInvs up to (excluding) Syscall_AI
also includes some global replacements
2015-04-18 21:51:26 +01:00
Gerwin Klein 22af66555c remove even arch calls from separation kernel setup
(patch by Simon Winwood)
2015-04-10 17:39:24 +10:00
Daniel Matichuk a221a52350 Added new proofcount tool to "tools" and removed old one from "lib".
Removed reference to old proof_counting from proof/ROOT and spec/ROOT
2015-02-11 17:46:34 +11:00
Gerwin Klein 2e58320711 adjust for seL4 rev 28d7fda6a9128efe 2015-01-10 08:34:52 +11:00
Gerwin Klein 0466161f2d CRefine for XN 2014-11-28 08:58:57 +11:00
Gerwin Klein 29eb636d31 re-establish InfoFlow; generalising ptable_xn
UserOp_IF had its own way of extracting the XN bit from page tables.
This is now unified with the existing functions in ADT_AI, which also
means that the proof for XN bit equality is basically the same as for
pt_rights and pt_lift.
2014-11-28 08:58:57 +11:00
Gerwin Klein 7e7d39c24e enable XN in abstract spec; update AInvs and Refine 2014-11-28 08:58:57 +11:00
Gerwin Klein 57bef16d8e sync Makefile and test.xml 2014-11-23 19:54:59 +11:00
Gerwin Klein 118093af99 add capDL separation logic to regression test 2014-11-23 15:03:35 +11:00
Gerwin Klein ee94da7473 de-bitrot DPolicy; add back into regression 2014-11-23 14:52:21 +11:00
deang f9b9f9ba53 infoflow: remove s0_ptrs_distinct from Example_Valid_StateH
subsumed by distinct command in Example_Valid_State
2014-11-19 16:01:49 +11:00
deang 77c600038f infoflow: fixed and added Example_Valid_StateH to testing
Some of the noninterference results depend on executions at the haskell level starting at a valid initial state. This file demonstrates this condition being realised.
2014-11-18 17:39:17 +11:00
Gerwin Klein dfa9c09892 abstract Haskell init parameters into constants 2014-11-06 18:48:36 +11:00
deang f9ea932cfb noninterference: remove duplicate lemmas
Some redundant duplicate lemmas with duplicate names were proven under locale contexts 'unwinding_system' and 'complete_unwinding_system'.
2014-11-03 13:14:18 +11:00
David Greenaway 127c7cd63e infoflow: trivial: Add some comments to "do_user_op_if" definition. 2014-10-27 09:31:31 +11:00
David Greenaway 759a7fa8cb infoflow: trivial: Add some minor comments to "Noninterference_Base.thy".
Added while trying to work out some details. Perhaps more useful than
not?
2014-10-16 17:09:11 +11:00
deang 77f85b334d trivial: typo in comment 2014-10-14 17:29:47 +11:00
deang 6df2eb6cf9 infoflow: weakened assumptions for c refinement of infoflow adts
The fact that the C infoflow adt refines the abstract infoflow adt now only requires that given user operation is nonempty and not sane (nonempty and doesn't return an interrupt).
Also added some more general lemmas about fw_sim and refinement to lib/Simulation.thy.
2014-10-14 17:01:11 +11:00
David Greenaway 6c915fa629 infoflow: Move "EquivValid" out of "infoflow/", into "lib/".
More importantly, remove seL4 from the dependencies of "EquivValid", so
others can use it.

Also, we fixup the fallout.
2014-10-13 11:05:31 +11:00
David Greenaway b0832637e6 infoflow: Change definition of "the_nat_to_bl" to avoid undefined outputs.
...and clean up some fallout.

In particular, we now say that the output of "nat_to_bl sz n" is taken
to be the bitlist of "n mod 2^sz", so the output is always defined.

The idea is to remove the undefinedness of "the_nat_to_bl" so that it is
easier to generate simp rules for it; some of these are developed in the
theory below, and simplify some of the more concrete infoflow proofs.
2014-10-07 08:59:17 +11:00
David Greenaway bf2d517009 infoflow: Use the "distinct" command in "Example_Valid_State".
Use the previously-added "distinct" command to simplify the
"Example_Valid_State" proof. This brings quite significant speedups as
it means that raw definitions need not be unfolded, and hence automated
tactics don't get side-tracked with their numerical definitions.
2014-10-07 08:59:17 +11:00
David Greenaway 1f16bc8c2b access: Remove now-redundant "apply blast".
Previously introduced "simp" rule makes this command redundant.
2014-10-01 17:43:11 +10:00
Thomas Sewell a818e13e3e Don't reuse the s_footprint_intvl theorem name. 2014-10-01 11:16:40 +10:00
Thomas Sewell 665a3c15a0 Restore global valid assertions in graph refine.
The global-object pointer validity assertion is now created at
export time, and the graph refine mechanism now proves them. It
seems they were forgotten about once again in adjusting the globals
logic.
2014-09-30 16:09:22 +10:00
David Greenaway 0288aeb1b8 bisim: Isabelle 2014 changes. 2014-09-24 12:24:00 +10:00
David Greenaway df8237c08a drefine: Isabelle 2014 changes. 2014-09-24 12:21:10 +10:00
Thomas Sewell 60f06246c7 Commit some of the GraphRefine testing rig.
Otherwise I have to fetch this out from history every
time that SEL4GraphRefine breaks.
2014-09-23 16:40:07 +10:00
David Greenaway 0c004d2a93 Merge branch 'master' into 'isabelle-2014'.
Conflicts:
	proof/drefine/Arch_DR.thy
	proof/drefine/Finalise_DR.thy
	proof/drefine/StateTranslation_D.thy
	sys-init/DuplicateCaps_SI.thy
	sys-init/Proof_SI.thy
	tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-23 14:31:33 +10:00
David Greenaway 22b9118432 infoflow: Fix non-terminating proof for Isabelle 2014.
Remove useless ROOT.ML file, while I am here.
2014-09-19 14:33:54 +10:00
Thomas Sewell f59767cdac Slight fudges for Fastpath use with PIDE. 2014-09-18 20:12:43 +10:00
Thomas Sewell 4a56fb49f9 Fix a triviality in Interrupt_C. 2014-09-18 19:30:32 +10:00
Andrew Boyton ea58753cd7 Merge branch 'cdl_page_map_cancel'
Merge in the setting of registers and the starting of threads in the system initialiser.
2014-09-18 17:21:17 +10:00
Andrew Boyton 2b7b258997 sys-init: Prove the starting of threads is done correctly.
We no longer assume the starting of threads, but prove it correct
(assuming the behaviour of the scheduler).
2014-09-18 12:30:04 +10:00
David Greenaway cc71c3aadf drefine: More updates for Isabelle 2014. 2014-09-18 11:04:47 +10:00
David Greenaway cf0d1abce6 Merge 'master' into 'isabelle-2014'.
Conflicts:
	proof/crefine/Fastpath_C.thy
	proof/drefine/KHeap_DR.thy
	proof/infoflow/Noninterference.thy
	spec/design/version
	sys-init/DuplicateCaps_SI.thy
	sys-init/InitTCB_SI.thy
	sys-init/Proof_SI.thy
	tools/asmrefine/SimplExport.thy
	tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-17 14:21:13 +10:00
David Greenaway e141eecca8 infoflow: Port to Isabelle 2014. 2014-09-16 10:39:22 +10:00
Gao Xin f014045e52 merge 2014-09-12 16:23:44 +10:00
Gao Xin 0199c5c19c Fix seL4_TCB_Resume 2014-09-12 15:28:47 +10:00
Andrew Boyton ded25f4067 sys-init: Refactor the writing of register to happen earlier, and prove correctness. 2014-09-12 15:15:43 +10:00
David Greenaway 730825abe5 capDL-api: Port to Isabelle 2014. 2014-09-12 11:40:28 +10:00
David Greenaway 5af2327de4 crefine: Port fastpath proof and final refine theorem to Isabelle 2014. 2014-09-12 09:56:06 +10:00
David Greenaway 452a4ce943 crefine: Remove stray "goals_limit = 1". 2014-09-12 09:04:33 +10:00
David Greenaway 03b1952aaa crefine: Port CRefine to Isabelle 2014. 2014-09-11 16:57:59 +10:00
Gao Xin 5015f53d95 fix seL4_TCB_WriteRegisters 2014-09-10 17:30:35 +10:00
Gao Xin 47662af345 fix DSpecProofs 2014-09-09 15:57:52 +10:00
Thomas Sewell 2825c9a403 Make regression test more likely to pass. 2014-09-09 14:37:18 +10:00
Andrew Boyton 7167ea42ac CapDL: Made IRQ Nodes a new object type, not a small CNode.
IRQ Nodes are now their own object type in capDL. This makes it much easier
to distinguish between "real" CNodes and IRQ Nodes.

Updated:
 * the capDL refinement,
 * the access proofs, and
 * the system initialiser.
2014-09-09 14:07:50 +10:00
Thomas Sewell 083a4b68d7 Really add binary verification to regression test. 2014-09-08 16:23:10 +10:00
Thomas Sewell 41c0e994ad Make SIMPL->Graph regression testable. 2014-09-05 19:10:03 +10:00
Gao Xin 77dd554227 page_map_unmap_cancel : cdl spec changed and drefine fixed. 2014-09-05 14:48:22 +10:00
Thomas Sewell 4c7ef803d7 SEL4GraphRefine now completed.
These final changes complete the SEL4GraphRefine process. Some
cleanup remains to be done, especially in SEL4GlobalsSwap, but the
process is now mature and working, and the testing code
in SEL4GraphRefine can be discarded.

Success depends on seL4 commit 97d6bc96d54f1f0beafb25033b03b57ba54a5113
which is compatible with crefine and will be included in the repo
manifest immediately.
2014-09-03 17:38:45 +10:00
Joel Beeren a5f2cab271 Merge branch 'master' into ioapic 2014-09-02 11:13:55 +10:00
Thomas Sewell caf0529c7f Move burden of 'halt' proof, use less modifies.
In detail:
  - add a general user-specified exception to c_exntype
    (for use in tools like Substitute)
  - wrap calls to 'halt' in Guard {}, making it clearer that
    halt is never called, simplifying asmrefine
  - repair halt changes in crefine
  - avoid use of some suspicious 'modifies' properties in crefine
    which were generated by the parser for functions where inline
    ASM blocks have been elided, and which may be inaccurate.
2014-08-29 13:57:28 +10:00
Joel Beeren 463df8e083 Merge branch 'master' into ioapic 2014-08-29 13:14:53 +10:00
Joel Beeren b3e2eb1f9d ioapic: finished up to InfoFlowC 2014-08-28 15:56:26 +10:00
Thomas Sewell 0346fb20b6 SIMPL->Graph proofs largely working. 2014-08-27 15:30:34 +10:00
Thomas Sewell 0c52978dd8 More asmrefine work, global swapping ready. 2014-08-21 14:13:46 +10:00
Gerwin Klein f1d808c96a integrate separation kernel config proofs
Hooked up into build system and regression test; added READMEs
2014-08-13 22:08:46 +10:00
Thomas Sewell 71e7dcc319 Fix Access, InfoFlow and DRefine. 2014-08-13 16:45:40 +10:00
Gerwin Klein 3556bee2dc github import of static cap config proofs 2014-08-13 15:31:21 +10:00
Thomas Sewell 9b01fada15 Refine working. 2014-08-11 18:51:04 +10:00
Thomas Sewell fc6e57716a Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Gerwin Klein ded3a4a86f option_map_def -> map_option_case for 2014-RC0 2014-08-09 21:09:37 +10:00
Gerwin Klein 1af1d2b67b some of the global Isabelle2014 renames
option_case -> case_option
sum_case -> case_sum
prod_case -> case_prod
Option.set -> set_option
Option.map -> map_option
option_rel -> rel_option
list_all2_def -> list_all2_iff
map.simps -> list.map
tl.simps -> list.sel(2-3)
the.simps -> option.sel
2014-08-09 15:39:20 +10:00
David Greenaway 0fb7a8084d misc: Proofing and formatting of README.md files.
Attempt to improve readability of the files when viewed as plain ASCII;
proof-read and fix minor issues.
2014-07-28 13:15:48 +10:00
Andrew Boyton 63c6ef2785 Updated READMEs for capDL-api and sep-capDL, and added one for sys-init. 2014-07-26 12:28:38 +10:00
Toby Murray 35b6099732 remaining README.md for proof/ 2014-07-25 11:51:31 +10:00
Corey Lewis 1421b09366 Even more cleanup of drefine. 2014-07-25 11:23:24 +10:00
Andrew Boyton c060f715db Add a top-level file for the capDL API proofs. 2014-07-24 19:56:24 +10:00
Toby Murray 283b54b351 comment to explain different do_user_op function in infoflow ADT 2014-07-24 14:53:57 +10:00
Toby Murray 93375ba96d Initial README.md files for proof/ 2014-07-24 13:31:57 +10:00
Corey Lewis ffb0d165f6 Some more cleanup of drefine. 2014-07-23 15:29:20 +10:00
Andrew Boyton add3ea9cd5 sys-init: Show the separation algebra for capDL is a cancellative separation algebra.
* The separation algebra for capDL is also a cancellative separation algebra.
* The arrows are strictly_exact, meaning they describe only a single heap.
* Since we have a cancellative separation algebra, this means the arrows are also precise.
2014-07-23 15:20:52 +10:00
Gerwin Klein 154da63715 remove old levity and taint-mode comments 2014-07-22 18:10:28 +02:00
Gerwin Klein 50dda7708c comment cleanup 2014-07-22 18:10:20 +02:00
Andrew Boyton acf0abe16a Cleanup of a number of definitions of the separation algebra for capDL.
* The definitions of the separation "arrows" are slightly nicer and more consistent.
  - We have a nicer correspondence between sep_map_c and sep_map_s.
  - sep_map_irq now specifies exactly what the IRQ table contains
    (that it *only* has one entry, not that it contains at least that entry).
  - Nicer LaTeX output for the arrows.

* A number of minor renamings of constants and types.
  - cdl_component => cdl_component_id
  - sep_entity => cdl_component
  - state_sep_projection => sep_state_projection
  - obj_to_sep_state => object_to_sep_state

* Removed a few unused lemmas.
2014-07-22 14:37:37 +10:00
Gerwin Klein a6d4ed8151 Merge branch 'getpaddr-merge' 2014-07-18 17:31:09 +02:00
Gerwin Klein 9d9a325032 Updates for getpaddr system call (by Joel Beeren) 2014-07-18 17:21:34 +02:00
Corey Lewis 07b85fe034 Move some more lemmas into lib. 2014-07-18 17:23:07 +10:00
Gerwin Klein 84595f4233 release cleanup 2014-07-17 18:22:50 +02:00
Gerwin Klein 2a03e81df4 Import release snapshot. 2014-07-14 21:32:44 +02:00