079d5dec23
autocorres-crefine: make AutoCorres tools available in CRefine
2017-11-22 12:18:16 +11:00
40f83c5637
autocorres-crefine: add tools for moving between ccorres and corres
...
This commit adds a method `ac_init`, which converts a ccorres goal into
a corres goal. It also adds an attribute `ac`, which converts a ccorres
fact into a corres fact, in a form suitable for solving goals produced
by `ac_init`.
2017-11-22 10:59:57 +11:00
bd44bab6c6
autocorres-crefine: update for Isabelle2016-1
2017-11-22 10:59:57 +11:00
68ae97454e
lib: more modifiers for wpsimp (wp_del, simp_del)
2017-11-03 08:09:29 +11:00
8753c05b20
Expand eval_bool; add a method word_eqI_solve.
...
A number of proofs begin with word_eqI followed by some similar steps,
suggesting a 'word_eqI_solve' proof method, which is implemented here.
Many of these steps are standard, however a tricky part is that constants of
type 'nat' which encode a particular number of bits must often be unfolded.
This was done by expanding the eval_bool machinery to add eval_int_nat, which
tries to evaluate ints and nats.
Testing eval_int_nat revealed the need to improve the code generator setup
somewhat. The Arch locale contains many of the relevant constants, and they are
given global names via requalify_const, but the code generator doesn't know
about them. Some tweaks make them available. I *think* this is safe for
arch_split, as long as the proofs that derive from them are true in each
architecture.
2017-11-01 17:30:46 +11:00
f66d6278b2
Isabelle2017: update CRefine (X64)
2017-10-30 12:23:26 +11:00
78341b24ef
Isabelle2017: update CRefine (ARM_HYP) for RC0
2017-10-30 12:23:26 +11:00
7da301cfc3
Isabelle2017: update CRefine (ARM) for RC0
2017-10-30 12:23:26 +11:00
d48c211ac9
Isabelle2017: update DRefine (ARM) for RC0
2017-10-30 12:23:26 +11:00
3cb118fe02
Isabelle2017: update Refine for RC0
2017-10-30 12:23:26 +11:00
8f5bf9b1ae
Isabelle2017: updates InfoFlow for RC0
...
* Rename zmod_eq_dvd_iff -> mod_eq_dvd_iff
2017-10-30 12:23:26 +11:00
4f68967bfc
Isabelle2017: update AInvs for RC0
...
* word_eqI is no longer rule_format.
* Updated Isabelle/ML Thm.join_proofs to Thm.consolidate.
* Updated suffix_refl to suffix_order.order.refl.
* Removed some lines of proofs, thanks to improved simplifier.
2017-10-30 12:23:26 +11:00
0102ef172a
Isabelle2017: remove String_Compare
...
This was a workaround for an Isabelle2016-1 performace regression, and
is no longer required.
2017-10-30 12:23:26 +11:00
48b3a8b4ca
update object and field widths for x64, and remove some magic numbers
...
In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.
For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.
2017-10-26 14:05:35 +11:00
9bdb47e114
reintroduce Orphanage test (for ARM only)
...
- Orphanage files in the ARM_HYP and X64 directories are not tested at the moment
- once we finish proving them, we will remove the restriction to ARM
2017-10-24 13:49:21 +11:00
6b9912c47a
manually adjust non-obvious cases of tab to space replacement
2017-10-20 14:22:36 +11:00
ef9a9302dd
remove trailing \r characters
2017-10-20 14:22:36 +11:00
184d6b70b7
remove most tab characters
2017-10-20 14:22:36 +11:00
2c0820c175
Improve arch-split for BCorres2_AI changes.
2017-10-10 11:02:19 +11:00
6529c7dd42
Repair schedule_bcorres.
...
This was broken a long while back because arch_switch_to_idle_thread
might sometimes be skipped in the implementation if the idle thread
was previously scheduled. Putting the same behaviour in the most
abstract (unit) specification is pretty easy, and it's not clear why
it wasn't done earlier.
2017-10-10 11:02:19 +11:00
b8fc532b4e
reject all invalid IRQ inputs to IRQ control syscall
...
This updates the proofs for a change in the C code. The IRQ control
syscall now returns an error whenever the IRQ parameter is not a valid
IRQ value. Previously, the syscall threw away some higher-order bits
before checking for IRQ validity.
Incidentally, the C now only uses the name `irq` for variables of type
`irq_t`, and `irq_w` for variables of type `word_t`. This avoids trouble
with c-parser name mangling.
2017-10-05 07:59:02 +11:00
c93ed2e629
x64: crefine: add TcbAcc_C to Refine_C for testing
2017-09-26 11:27:33 +10:00
1d103daf46
x64: crefine: add TcbAcc_C
2017-09-26 11:27:33 +10:00
87e169a78f
x64: crefine: adjust register_from_H to use 32 word as per C code
2017-09-21 16:05:35 +10:00
3744c71a48
crefine autocorres: update c-kernel import paths for new kernel build system
2017-09-21 13:23:38 +10:00
8273ca818d
cspec: Remove redundancy in build rules and theory files for c-kernel builds
...
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
2017-09-21 13:23:04 +10:00
100e738f21
ckernel: Use correct dependencies when building CKernel
...
Theory files used in the CKernel build refer to files that are generated by the
haskell translater by the design-spec target. This commit changes the dependencies
in the Makefile to reflect that
2017-09-21 13:23:04 +10:00
00bff34f07
arm-hyp crefine: bitfield generator proof updates
2017-09-20 22:03:04 +10:00
564359b13e
arm crefine: proof updates for bitfield generator changes
...
The name mangling of "v" changes in a few places, and mask_def is
occasionally needed where it wasn't before.
2017-09-20 22:03:04 +10:00
15076ecda6
x64 crefine: adjust Refine_C to also use PSpace_C for testing
2017-09-19 12:34:35 +10:00
ec5716d04b
x64 crefine: added PSpace_C
2017-09-19 12:22:13 +10:00
4d47d6540a
x64 crefine: added Ctac_lemmas_C
2017-09-19 12:21:58 +10:00
7e915e39bd
x64: adjusted abbreviation in ArchAcc_AI to restore global name-clash counter to be consistent between architectures.
...
A private abbreviation in an anonymous context incidentally incremented
the global counter Variable.max_idxof which is used to avoid
name-collisions in lemmas.
For some reason (not obvious) the abbreviation in question was
incrementing the counter, and because it
was only in an X64 file, this resulted in X64 and the other
architectures getting out of sync. This was file previously, but became
a problem when processing the generic file lib/clib/Corres_C.
This commit adjusts the abbreviation to not increment the counter, and
fixes Refine and SR_lemmas_C to account for this change.
2017-09-19 12:07:02 +10:00
7c54fc69dd
x64: change Refine_C to point to TcbQueue_C for regression testing
2017-09-14 14:51:58 +10:00
ae707eb153
x64: crefine: added TcbQueue_C
2017-09-14 14:51:58 +10:00
1160bb053c
x64: crefine: SR_Lemmas_C first attempt
2017-09-14 14:50:14 +10:00
0c117b7738
x64: crefine: StateRelation_C first attempt
2017-09-14 14:50:14 +10:00
7bbf6be54f
x64: crefine: Added Wellformed_C
...
Currently one sorried lemma due to inconsistencies in maxDomain
definition, which needs follow up with the kernel team.
2017-09-14 14:50:14 +10:00
d0782b89f8
x64: crefine: added CLevityCatch
2017-09-14 14:50:14 +10:00
15704dbc08
x64: crefine: add Move_C
2017-09-14 14:50:14 +10:00
92f5d14c0b
x64: crefine: add Include_C
2017-09-13 16:44:53 +10:00
85a20c08a5
theory_imports: depend on c-kernel instead of CParser
...
The theory_imports regression test requires bitfield-generated theory
files. Previously, the theory_imports regression test depended on
CParser, and explicitly invoked "make" to ensure bitfield-generated
theories were present. However, these theories can also be generated by
the CKernel regression test. This meant that it was non-deterministic
whether bitfield-generated theories were generated during the
theory_imports regression test or the CKernel regression test.
This change adds a c-kernel regression test which generates the relevant
theories for the current L4V_ARCH, and makes both theory_imports and
CKernel depend on c-kernel. This ensures that those theories are always
generated during the c-kernel test, and should therefore make run_tests
timing results for the CKernel image more consistent.
Unfortunately, the check_theory_imports script does not have an easy way
to restrict itself to theories for the current L4V_ARCH, so the script
still needs to invoke "make c-kernel" for architectures other than the
current L4V_ARCH.
2017-09-12 14:47:24 +10:00
71d1d4143b
x64 ainvs: rename wellformed_arch_obj to arch_valid_obj
2017-08-18 10:04:01 +10:00
55d50c7ba9
arm/arm_hyp ainvs: rename wellformed_arch_obj to arch_valid_obj
2017-08-18 09:49:11 +10:00
07e9bfa417
remove_valid_arch_objs: updates for X64
2017-08-18 09:44:00 +10:00
6d8e917087
Remove valid_arch_objs
...
now that we have valid_vspace_objs to express validiy of
vspace objects, we do not need valid_arch_objs: we have
valid_objs to state the validity of non-vspace arch objects.
2017-08-17 22:44:23 +10:00
dbd888ad3e
asmrefine: add one README.md, update another.
...
Better documentation of what's in the proof/asmrefine and
tools/asmrefine directories.
2017-08-16 18:15:21 +10:00
8c549b6764
x64: remove all trailing whitespace
2017-08-11 14:19:39 +10:00
f05bc45d59
misc: clean up before merging x64
2017-08-11 11:49:18 +10:00
82863978bd
Merge branch 'master' into x64
2017-08-09 17:10:06 +10:00
c0528e44f9
arm: drefine: update for word_size_bits changes
2017-08-09 17:02:50 +10:00
8032234af9
crefine: integrate all architectures
2017-08-09 17:02:50 +10:00
42401684b0
refine: integrate all architectures
2017-08-09 17:02:49 +10:00
3871575834
x64: add crefine stubs to keep theory_imports happy
2017-08-09 17:02:49 +10:00
254fb01de1
x64: remove special cases for x64 from proof/Makefile
2017-08-09 17:02:49 +10:00
3bbc1d0cb9
regression: remove redundant RefineOnly image
...
This was previously used to exclude Orphanage from the X64 regression.
Now that the Refine image excludes Orphange, RefineOnly is no longer
needed.
2017-08-09 17:02:49 +10:00
2f70a304da
ainvs: integrate all architectures
2017-08-09 16:57:39 +10:00
0685280906
misc: remove redundant skip_proofs flag for BaseRefine in proof/ROOT
2017-08-09 11:28:10 +10:00
2ce1bf3a25
misc: remove unnecessary theories from proof/ROOT
2017-08-08 16:13:38 +10:00
d9afe3f45c
run_tests: Adjust environment flags for build
...
*** ALERT: ANYONE USING SKIP_REFINE_PROOFS SHOULD CHANGE TO
SKIP_DUPLICATED_PROOFS IN ~/.isabelle/etc/settings!!! ***
Previously SKIP_REFINE_PROOFS was being used to skip duplicated Refine
and AInvs proofs when building CBaseRefine and InfoFlowC. This
conflicted with adding an option to actually skip building Refine proofs
(for example when trying to quickly build DBaseRefine).
After this change, we have the following SKIP_PROOFS flags:
* SKIP_AINVS_PROOFS: used to skip AInvs proofs (for example when
building Refine)
* SKIP_REFINE_PROOFS: used to skip Refine proofs (for example when
building DBaseRefine)
* SKIP_DUPLICATED_PROOFS: used to skip the rebuild of AInvs and
Refine when building forked images such as CBaseRefine and
InfoFlowC
In addition, the QUICK_AND_DIRTY flag for AInvs has been changed:
INVS_QUICK_AND_DIRTY -> AINVS_QUICK_AND_DIRTY
2017-08-08 16:11:20 +10:00
965a77215f
misc: add dependency for design spec to DBaseRefine, DRefine
...
tags: [NO_PROOF]
2017-08-08 12:22:00 +10:00
d1482e4ffa
misc: added skip proofs option for Refine
...
tags: [NO_PROOF]
2017-08-08 12:19:43 +10:00
e66b3f44d0
trivial: remove a tab character
2017-07-31 11:05:44 +10:00
149ef38252
trivial: remove a tab character
...
tags: [NO_PROOF]
2017-07-27 10:09:52 +10:00
238e8b307e
x64: merge master
2017-07-21 11:27:12 +10:00
d38a19f1bb
fix ARM_HYP Refine for newest corres method after ARM_HYP rebase
...
VER-737
2017-07-18 12:19:48 -06:00
c72bece06f
fix ARM Refine for newest corres method after ARM_HYP rebase
...
VER-737
2017-07-18 12:19:27 -06:00
2d2f2a1e1d
fix refine proofs for improved corres_pre
...
minor fix - verification condition no longer
generated mid-proof
VER-737
2017-07-17 13:09:46 -06:00
8c7163457a
remove explicit use of corres_rv rules
...
This is now handled by the corres method
VER-737
2017-07-17 13:09:46 -06:00
206be43920
use correswp and correct corres_rv rules
2017-07-17 13:09:46 -06:00
fa6112378d
cleanup refine for latest corres_method
...
Some fallout from protecting return-value relations
VER-737
2017-07-17 13:09:08 -06:00
8d454f1deb
use new lift_corres_args attribute to abstract function args
...
This avoids manually rewriting the lemma statements, but puts
the rules in the more general form
2017-07-17 13:08:19 -06:00
2bc620c670
addressing protect_r -> corres_protect rename
2017-07-17 13:08:19 -06:00
ad82c6c751
workaround for bad bug in dcorres
...
This line invokes "wp" with a schematic postcondition, which makes
this proof very unstable when new wp rules are added.
2017-07-17 13:06:55 -06:00
196e2e2e0a
fix corres proofs for corres method
...
Fixing the fact that ex_abs is slightly rephrased
VER-737
2017-07-17 13:06:55 -06:00
9ab936e815
fix refine after changes to corres_method
2017-07-17 12:54:08 -06:00
796887d9b1
Removes all trailing whitespaces
2017-07-12 15:13:51 +10:00
81064fdb55
idle-thread-pd: run idle thread with the global PD all the time.
...
This avoids the multicore scenario of the idle thread running in the
address space that has been deleted by a thread running on another core.
2017-07-11 11:29:34 +10:00
971c6782e5
Support extra specs, ctzl, clzl in SimplExport.
...
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
2017-07-05 15:27:38 +10:00
5cb2fb81f8
x64 regression: extend cspec timeouts
2017-07-04 18:13:03 +10:00
5a82068c34
crefine: resolve a small issue in design spec coming from haskell translator inflexibility
...
- a case-statement in decodeARMMMUInvocation has an if-statement with a conjunction of three conditions, but they are translated in different orders between arm and arm-hyp and currently the crefine proofs depend on those orders.
- this fix is not a fundumental solution, but, given how reliable the haskell translator is, not sure how much effort we should be putting in here
2017-07-03 10:31:34 +10:00
41fe1a0845
update proofs for SELFOUR-30/291 "Reschedule on self-modification"
...
- SELFOUR-30 Reschedule when changing own IPC buffer
Previously if you invoked the TCB of the current thread and
changed the IPC buffer frame this would not immediately take
affect, as the kernels view of the current IPC buffer is
updated in Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
- SELFOUR-291 Reschedule when changing own registers
Previously if you wrote to TCB of the current thread and
changed the TLS_BASE this would not immediately take
affect, as the kernel only updates this register in
Arch_switchToThread. This change forces Arch_switchToThread
to get called, even if we would switch back to the original
thread.
2017-06-26 15:52:35 +10:00
2f4b822da9
x64: configure arch-specific array types
2017-06-22 17:24:53 +10:00
ce748b7522
x64: create arch-specific CKernel
2017-06-22 17:24:53 +10:00
546ad8652e
regression: add dependency between haskell-translator and CKernel
...
tags: [NO_PROOF]
2017-06-22 11:43:40 +10:00
392d055e99
SELFOUR-748: rename tlb invalidation functions
2017-06-20 14:05:45 +10:00
492d6c1817
arm infoflow: Fix argument of getActiveIRQ in check_active_irq_if
...
* This is trivial/irrelevant since getActiveIRQ ignores its argument
in ARM, but it makes a bit more sense to have it being this way,
and it is consistent with the equivalent function in InfoFlowC.
2017-06-19 14:32:45 +10:00
8bac9cc586
arm infoflowc: Refactors proofs for new definitions (pteBits, pdeBits, etc)
2017-06-19 14:32:45 +10:00
a8258ae6a3
arm infoflowc: Updates for the new argument of getActiveIRQ
2017-06-19 14:32:45 +10:00
d44ab4082a
arm crefine: Refactors createMappingEntries_valid_pde_slots'2 due to new definitions
2017-06-19 14:32:45 +10:00
1950b051a5
arm crefine: Refactors Arch_finaliseCap_ccorres for new if-body
2017-06-19 14:32:45 +10:00
284cb43f7b
arm crefine: Updates clearMemory_setObject_PTE_ccorres to use pteBits
2017-06-19 14:32:45 +10:00
4c1d294a75
arm crefine: Updates {getActiveIRQ,isIRQPending}_ccorres with new argument
2017-06-19 14:32:45 +10:00
17776ce6d3
arm crefine: Refactors proofs for new definitions (pteBits, pdeBits, etc)
2017-06-19 14:32:45 +10:00
bd1a600cfb
arm DRefine: updates for backports from arm-hyp
2017-06-19 14:32:45 +10:00
a2a1522bae
arm access: updates for the backport from arm-hyp
2017-06-19 14:32:45 +10:00
2d20221396
arm refine: updates for the backport from arm-hyp completed
2017-06-19 14:32:44 +10:00
7d4a7b5f64
arm ainvs: clear sorry in ArchAcc_AI
2017-06-19 14:32:44 +10:00
fb9de60cfe
arm ainvs: Update for create_mapping_entries changes
2017-06-19 14:32:44 +10:00
b76709967b
arm refine: Updating theories for ainvs changes
2017-06-19 14:32:44 +10:00
c21127eb0f
arm InfoFlow: fixes for the backports from arm-hyp
2017-06-19 14:32:44 +10:00
93eed88af7
arm AInvs: add more valid_global_objs and valid_global_vspace_mappings lemmas (in BCorres2_AI)
2017-06-19 14:32:44 +10:00
b17a329365
arm access: ARM Access now builds on arm-hyp
2017-06-19 14:32:44 +10:00
a6304f8ef7
arm ainvs: update arch stuff to match generic for top level ainvs files
2017-06-19 14:32:44 +10:00
702bfecd5a
ainvs: reintroduce second_level_tables all over the place, update generic Arch_AI and various ArchArch_AI's to match
2017-06-19 14:32:44 +10:00
7ed3df02e6
arm ainvs: updated proofs in ArchBCorres2 + KernelInit + ArchInterrupt
2017-06-19 14:32:44 +10:00
f492f85471
ainvs: added back in second_level_tables for Untyped, ported changes to ARM_HYP also
2017-06-19 14:32:43 +10:00
5e6740464d
arm ainvs: added necessary locale assumptions in ArchIpc_AI
2017-06-19 14:32:43 +10:00
993f6a0120
arm ainvs: Updated up to ArchFinalise_AI
2017-06-19 14:32:43 +10:00
5e4df460e2
ainvs: adjust generic theories for ARM fix
2017-06-19 14:32:43 +10:00
35f714addf
arm-hyp refine: reintroduce valid_global_objs and valid_global_vspace_mappings
2017-06-19 14:32:43 +10:00
3dd695601d
arm-hyp AInvs: reintroduce valid_global_objs and valid_global_vspace_mappings
2017-06-19 14:32:43 +10:00
7470dcb698
arm-hyp invariants: make valid_arch_obj depend on valid_vspace_obj
2017-06-19 14:32:43 +10:00
a4e9ffa403
arm-hyp: refactor tpidrurwRegister and fix corresponding proofs
...
See VER-717
2017-06-19 14:32:43 +10:00
1f4b9e686a
arm-hyp: rename archTCBSanitise, arch_tcb_sanitise_condition, Arch_hasVCPU to be more appropriate
2017-06-19 14:32:43 +10:00
8076ba136a
arm-hyp crefine: adjust Syscall_C for wpsimp getting further
2017-06-19 14:32:43 +10:00
1869bfd574
arm-hyp crefine: vgicMaintenance ccorres; CRefine sorry-free
2017-06-19 14:32:43 +10:00
25ef365531
arm-hyp refine: fix proofs broken by spec updates
2017-06-19 14:32:43 +10:00
1f5a142096
arm-hyp refine: remove corresK_machine_op from the default corresK set
2017-06-19 14:32:43 +10:00
ec0c106c49
arm-hyp ainvs: fix proofs broken by spec update
2017-06-19 14:32:43 +10:00
6176e4ab60
arm-hyp crefine: Ipc_C sorry-free
2017-06-19 14:32:42 +10:00
af1b6d50e7
arm-hyp crefine: Fastpath_C sorry-free
2017-06-19 14:32:42 +10:00
a559cca656
arm-hyp crefine: weaken preconditions on vcpu_switch
...
Requiring MDB validity (contained in valid_pspace') was too strong for
fastpath proofs.
2017-06-19 14:32:42 +10:00
1adc307094
arm-hyp crefine: remove unused lemma with conflicting name
2017-06-19 14:32:42 +10:00
705b86f25b
arm-hyp crefine: fix monadic rewrite proof in Ipc_C
2017-06-19 14:32:42 +10:00
a0cb855dc9
arm-hyp crefine: VSpace_C sorry-free, vcpu_(save|restore)_ccorres done
2017-06-19 14:32:42 +10:00
f29099d490
arm-hyp crefine: prove ccorres for vcpu_init during VCPU retype
2017-06-19 14:32:42 +10:00
242296a350
arm-hyp crefine: Arch_C sorry-free
2017-06-19 14:32:42 +10:00
eb967add36
arm-hyp refine: remove remaining sorries for vcpuSave spec change
2017-06-19 14:32:42 +10:00
396039a730
arm-hyp crefine: fixes get_gic_vcpu_ctrl_lr machine op + others
...
* others: fix arg name in get_gic_vcpu_ctrl_eisr0
get_gic_vcpu_ctrl_eisr1 and get_gic_vcpu_ctrl_misr
2017-06-19 14:32:42 +10:00
f24fe6ac7d
arm-hyp crefine: remove references to FIXME in Arch_C
...
Specs got updated, FIXME lemmas removed, but the references were not
updated until now.
2017-06-19 14:32:42 +10:00
2e962ff0a3
arm-hyp refine: reduce sorries in VSpace_R for vcpu_save change
2017-06-19 14:32:41 +10:00
ea7b95d4dd
arm-hyp refine: vcpuSave_corres for the new vcpuSave
2017-06-19 14:32:41 +10:00
a36043fec1
arm-hyp crefine: update IsolatedThreadActions for vcpuSave change
2017-06-19 14:32:41 +10:00
f6f4d724fe
arm-hyp refine: more sorries in CNodeInv_R and Schedule_R for spec updates
2017-06-19 14:32:41 +10:00
c32ae000fc
arm-hyp ainvs: Clear sorries in ArchEmptyFail_AI
2017-06-19 14:32:41 +10:00
131972d498
arm-hyp refine: VSpace_R sorried for spec change fixes
2017-06-19 14:32:41 +10:00
3d859cdad7
arm-hyp invariants: more sorries and fixes
2017-06-19 14:32:41 +10:00
d037bb83f8
arm-hyp ainvs: proof fixes for new new vcpu_save definition
2017-06-19 14:32:41 +10:00
de42edf6c5
arm-hyp invariants: add invariants for new vcpu_save definition (wip)
2017-06-19 14:32:41 +10:00
08bd86042a
arm-hyp crefine: reflect spec changes for makeVIRQ and decodeVCPUInjectIRQ
2017-06-19 14:32:41 +10:00
3e65a59f1c
arm-hyp refine: fix for makeVIRQ spec change
2017-06-19 14:32:41 +10:00
2ed26c2c00
arm-hyp crefine: finish proof of invokeVCPUInjectIRQ_ccorres
...
Possible now that virq_t is storable.
2017-06-19 14:32:41 +10:00
1d72a3e389
arm-hyp crefine: put virq_C in twoToSix_packed class
...
Somewhere automation has failed, resulting in virq_C not being in a size
class, hence arrays not being in packed_type. Therefore typ_heap_simps
would not work since strictly speaking there was no indication the
object could be stored in memory.
This caused hours of suffering for all concerned.
2017-06-19 14:32:40 +10:00
6266d327f8
arm-hyp: isolate evil vgicLR update cmap_relation lemma
...
see: vcpu_vgic_lr_update_cmap_relation
This is hard, might take a while.
2017-06-19 14:32:40 +10:00
a4b8684232
arm-hyp crefine: virq_virq_pending_EN_new_spec (incl 1 sorry)
...
makeVIRQ is sadly wrong, new spec is sorried, waiting for upstream
update to conform
2017-06-19 14:32:40 +10:00
db2e052295
arm-hyp crefine: (invoke|decode)VCPUInjectIRQ_ccorres (incl. 3 sorries)
...
Sorried:
- definition waiting on upstream change (decodeVCPUInjectIRQ_def)
- hard word proof in progress
- stuckage on typ_heap_simps not firing
2017-06-19 14:32:40 +10:00
d4edba3e07
arm-hyp crefine: setMR_as_setRegister_ccorres
...
usually when we call setMR directly, we mean to only set one,
which will fit in actual registers
2017-06-19 14:32:40 +10:00
ef93982d2f
arm-hyp crefine: convenience lemmas and augmentations
...
- add proper ccorres_pre_gets_armKSGICVCPUNumListRegs_ksArchState
- many of the other ccorres_pre_gets* lemmas are TOO WEAK to use safely!
- shiftr_and_eq_shiftl (proof by Matthew Brecknell)
2017-06-19 14:32:40 +10:00
a5c9384df5
clib: ccorres_grab_asm
...
like ccorres_gen_asm, but when your last conjunct is K (...)
2017-06-19 14:32:40 +10:00
7969414919
arm-hyp crefine: fix some sorries in Ipc_C, fixed proofs broken by sanitiseRegister change
2017-06-19 14:32:40 +10:00
8ae57e7a81
arm-hyp refine: fix breakages from sanitiseRegister_refactor
2017-06-19 14:32:40 +10:00
083e65a4b2
arm-hyp ainvs: fix ainvs after sanitise_register refactor
2017-06-19 14:32:40 +10:00
e33d4d3145
arm-hyp crefine: widen VSpace_C sorry for spec changes
2017-06-19 14:32:40 +10:00
3a7d75e554
arm-hyp crefine: adapt to spec changes
2017-06-19 14:32:40 +10:00
d531dc9dc5
arm-hyp refine: fixed invokeVCPUInjectIRQ_corres
2017-06-19 14:32:40 +10:00
6b3528b24d
arm-hyp refine: sorry fallouts from invoke_vcpu_inject_irq change
2017-06-19 14:32:40 +10:00
3ef274ecf1
arm-hyp invariants: fix fallouts from invoke_vcpu_inject_irq changey
2017-06-19 14:32:39 +10:00
a07c41a43b
arm-hyp refine: fix fallouts from the spec changes (excluding those in vcpu_save), with 1 sorry in Arch_R
2017-06-19 14:32:39 +10:00
35a24ecf4e
arm-hyp crefine: repair setVMRoot lemma
...
Only the 2 loop sorries now left in VSpace_C
2017-06-19 14:32:39 +10:00
1cb83b6351
arm-hyp crefine: close 1 sorry in VSpace_C
2017-06-19 14:32:39 +10:00
85efb9d922
arm-hyp crefine: update state relation for new vgic fault message
2017-06-19 14:32:39 +10:00
c63ba94746
arm-hyp crefine: close 1 sorry in VSpace_C
2017-06-19 14:32:39 +10:00
11d7a7ab62
arm-hyp crefine: change names of vcpu ccorres rules, vpcuDisable_ccorres -> vcpu_disable_ccorres, etc.
...
similarly for vcpu_save, vcpu_enable, and vcpu_restore
2017-06-19 14:32:39 +10:00
082295491e
arm-hyp crefine: vcpu_disable_ccorres done
2017-06-19 14:32:39 +10:00
57c20b69b4
arm-hyp crefine: Finalise_C sorry free
2017-06-19 14:32:39 +10:00
e1c3e764f8
arm-hyp crefine: narrowed down sorries in Ipc_C to specific subgoals
2017-06-19 14:32:39 +10:00
35df51dd8f
arm-hyp refine: prove word lemmas relating to duplicate page table entries
2017-06-19 14:32:39 +10:00
220fa70586
arm-hyp crefine: cleared sorries in Tcb_C
2017-06-19 14:32:38 +10:00
0c40f5bbb6
arm-hyp crefine: cleared 3 sorries in Tcb_C
2017-06-19 14:32:38 +10:00
87ac6d5508
arm-hyp crefine: decodeVCPUSetTCB_ccorres
...
+ perform
2017-06-19 14:32:38 +10:00
2d4f1158cd
arm-hyp crefine: reduce Retype_C to 1 sorry
2017-06-19 14:32:38 +10:00
f27921bccb
arm-hyp crefine: Schedule_C sorry-free
2017-06-19 14:32:38 +10:00
c81c652f00
arm-hyp crefine: (minor) reduce Syscall to vgicMaintenance sorry
2017-06-19 14:32:38 +10:00
7769026872
arm-hyp crefine: decodeVCPUWriteReg_ccorres
...
+ perform
2017-06-19 14:32:38 +10:00
b82014766a
arm-hyp refine: fix resolveVAddr breakage
2017-06-19 14:32:38 +10:00
0afd65ea55
arm-hyp crefine: close resolveVAddr sorry
2017-06-19 14:32:38 +10:00
85053b2580
arm-hyp refine: new vs_valid_duplicates
...
The Haskell invariant now describes the page mappings necessary for LargePage
and SuperSection. Updates to refine/* to repair the corresponding fallout.
This commit moves some of the largePagePTEOffset et al lemmas from CRefine up
into Refine.
A small number of small but fiddly word lemmas are currently still sorried.
2017-06-19 14:32:38 +10:00
f09ba20de5
arm-hyp crefine: decodeVCPUReadReg_ccorres
...
Integrated into decodeVCPUInvocation.
2017-06-19 14:32:38 +10:00
29b20dc71a
arm-hyp crefine: add extended wp rules for readVCPUReg to Move
2017-06-19 14:32:37 +10:00
daea169e14
arm-hyp crefine: invokeVCPUReadReg_ccorres
...
Significantly complicated, needing multiple updates from kernel team to get
the reply mechanism right.
2017-06-19 14:32:37 +10:00
11a709caa4
arm-hyp crefine: associateVCPUTCB_ccorres + dissociateVCPUTCB_ccorres + others
...
* sanitiseSetRegister_ccorres
* vcpuInvalidateActive_ccorres
* armHSCurVCPU_update_active_false_ccorres
* + Other auxiliary lemmas
2017-06-19 14:32:37 +10:00
daa4e579e4
arm-hyp crefine: writeVCPUReg_ccorres
2017-06-19 14:32:37 +10:00
2ef0ba91db
arm-hyp crefine: fix arg name for vcpu reg machine ops
...
Was value_', should have been val_'.
2017-06-19 14:32:37 +10:00
25b178e4bd
arm-hyp crefine: solve_rf_sr_vcpu_update method
...
Solves goals of the following shape (rf_sr on fields of VCPUs):
⟦ (σ, σ') ∈ rf_sr; ko_at' vcpu vcpuptr σ ⟧
⟹ (σ⦇ksPSpace := ksPSpace σ(vcpuptr ↦ KOArch (KOVCPU (f vcpu)))⦈,
globals_update
(t_hrs_'_update (hrs_mem_update (heap_update (Ptr &(vcpu_Ptr vcpuptr→[''some_field''])) val)))
σ')
∈ rf_sr
I was not able to generalise this more. A rule would be better, but I don't
know how to bind one to the textual field lookup.
It's also slow, 10s per invocation, but at least it works.
2017-06-19 14:32:37 +10:00
d0eedd118b
arm-hyp crefine: sorry resolveVAddr_ccorres due to C changes
2017-06-19 14:32:37 +10:00
cb06acba7b
arm-hyp crefine: readVCPUReg_ccorres
2017-06-19 14:32:37 +10:00
57c3c70437
arm-hyp crefine: add cvcpu_relation_regs_def
...
expands cvcpu_relation into relations of VCPU registers
2017-06-19 14:32:37 +10:00
cce2e0805e
arm-hyp crefine: add rewrites for C versions of vcpureg comparisons
...
see: vcpureg_eq_use_types
Transforms (of_nat (fromEnum reg) = scast seL4_VCPUReg_SCTLR)
into (reg = VCPURegSCTLR)
letting you do cases on reg. There are no cases for seL4_VCPUReg*.
Inspired by invocation_eq_use_types
2017-06-19 14:32:37 +10:00
40057dff26
arm-hyp crefine: trivial generalisation in IpcCancel_C
...
[] -> hs in setThreadState_ccorres
2017-06-19 14:32:37 +10:00
903417e288
arm-hyp crefine: some progress in VSpace_C
2017-06-19 14:32:37 +10:00
e35dcc6b97
arm-hyp crefine: fix return types (get_gic_vcpu_ctrl_vmcr, get_gic_vcpu_ctrl_apr)
2017-06-19 14:32:37 +10:00
0af76b3242
arm-hyp crefine: update VSpace_R for new vcpu_disable (still with sorries)
2017-06-19 14:32:37 +10:00
c132fb331c
arm-hyo Refine: fix vcouDisable_corres for spec updates
2017-06-19 14:32:37 +10:00
188e0ddfc0
arm-hyp crefine: skeleton for decodeARMVCPUInvocation_ccorres
...
Needs 4 VCPU-related ccorres rules and final precondition proof.
2017-06-19 14:32:37 +10:00
b46dbe8001
arm-hyp crefine: Arch_decodeInvocation_ccorres + decodeARMMMUInvocation_ccorres
...
Repurposed nearly all of old Arch_decodeInvocation_ccorres into
decodeARMMMUInvocation_ccorres.
Educated guess at a stub for decodeARMVCPUInvocation_ccorres.
2017-06-19 14:32:37 +10:00
16946993c6
arm-hyp crefine: resolveVAddr_ccorres
...
Added valid_objs' to preconditions due to weakness of cpte_relation
w.r.t. large page base pointer alignment.
2017-06-19 14:32:36 +10:00
fa5bb8e4f4
arm-hyp crefine: createSafeMappingEntries_PTE_ccorres, some cleanup
2017-06-19 14:32:36 +10:00
cff16ccf1e
arm-hyp crefine: decodeARMPageDirectoryInvocation_ccorres
2017-06-19 14:32:36 +10:00
56f411c85d
arm-hyp crefine: widen sorry in Arch_C
...
Some accidental intermediate work got in at some point. Oops.
2017-06-19 14:32:36 +10:00
e7ce103775
arm-hyp crefine: widen sorry in VSpace_C due to C changes
2017-06-19 14:32:36 +10:00
c172938247
arm-hyp crefine: finish decodeARMFrameInvocation_ccorres
2017-06-19 14:32:36 +10:00
5db67853cf
arm-hyp crefine: drop armParityEnabled from vm_attribs_relation
...
Attribute does not exist in abstract spec, is nailed to False in
Haskell. In C it naturally gets mapped across in vmAttributesFromWord,
passed around everywhere, at which point the attribute is ignored
anyway.
2017-06-19 14:32:36 +10:00
d32b359fb9
arm-hyp crefine: Progress in Finalise_C
...
* dissociateVCPUTCB_ccorres is almost done
2017-06-19 14:32:36 +10:00
d39c2fdacc
arm_hyp crefine: Refine_C sorry-free
2017-06-19 14:32:36 +10:00
8b8a185e44
arm-hyp crefine: sorry Arch_C again due to mapPTE/PDE bug in C
...
Remap for large pages was correct in C, but hard to verify. Map however was
wrong (i.e. unchanged from ARM).
Abstract/haskell are same as ARM for both, hence they are being fixed.
2017-06-19 14:32:36 +10:00
2000a66309
arm-hyp crefine: assume vcpu_switch_ccorres
2017-06-19 14:32:36 +10:00
54159d54d1
arm-hyp crefine: add ccorres_gen_asm2_state and vcpu_at_c_guard, etc.
2017-06-19 14:32:36 +10:00
caf223fd1f
arm-hyp crefine: remove vcpu_relation sorries in Ipc
2017-06-19 14:32:36 +10:00
72fd725558
arm-hyp crefine: IpcCancel sorry-free
2017-06-19 14:32:36 +10:00
2e7bda77fa
arm-hyp crefine: Recycle_C sorry-free
2017-06-19 14:32:36 +10:00
91e253d7a5
arm-hyp crefine: remove vcpu_relation sorries in IpcCancel
2017-06-19 14:32:36 +10:00
ab068c3573
arm-hyp crefine: Arch_C: decodeARMPageTableInvocation_ccorres
2017-06-19 14:32:36 +10:00
239aed5e8c
arm-hyp crefine: IsolatedThreadAction sorry-free
2017-06-19 14:32:36 +10:00
ff6d019f42
arm-hyp crefine: reduce sorries in Arch_C
...
Several non-trivial problems remain.
2017-06-19 14:32:36 +10:00
466620755d
arm-hyp crefine: Adding setObject_ccorres rules for updating vcpuTCB and tcbVCPU
...
* New archThreadSet_tcbVCPU_Basic_ccorres for updating the
associated vcpu inside a tcb
* New setObject_vcpuTCB_Basic_ccorres for updating the
associated tcb inside a vcpu
2017-06-19 14:32:36 +10:00
a08bfb1afc
arm-hyp crefine: add move_c_guard_vcpu and vcpu_at_rf_sr
2017-06-19 14:32:35 +10:00
b4b290de04
arm-hyp crefine: add ccorres lemmas for armHSCurVCPU_update (curv, active, and both)
2017-06-19 14:32:35 +10:00
d4f698f260
arm-hyp crefine: fix return type in get_gic_vcpu_ctrl_hcr_ccorres
2017-06-19 14:32:35 +10:00
51d8fa0073
arm-hyp crefine: one sorry left in IsolatedThreadAction
2017-06-19 14:32:35 +10:00
544d46ccbd
arm-hyp crefine: ADT_C sorry-free
2017-06-19 14:32:35 +10:00
1e195355d7
arm-hyp refine: invariant: num vgic LR registers has a known maximum
2017-06-19 14:32:35 +10:00
766f32320a
arm-hyp refine: update for dissociate_vcpu_tcb
...
* Swapping set_vcpu and arch_thread_set in dissociate_vcpu_tcb to
match the order in C
2017-06-19 14:32:35 +10:00
f9b008bcee
arm-hyp ainvs: update for dissociate_vcpu_tcb
...
* Swapping set_vcpu and arch_thread_set in dissociate_vcpu_tcb to
match the order in C
2017-06-19 14:32:35 +10:00
46269c73c5
arm-hyp crefine: reduce ADT_C sorries; vmRights/HAP injectivity solved
2017-06-19 14:32:35 +10:00
9ebaa2c3ea
arm-hyp refine: new invariant: VMNoAccess is unused
2017-06-19 14:32:35 +10:00
d286fdaaf8
arm-hyp crefine: more concurrency
2017-06-19 14:32:35 +10:00
71ed9aee39
arm-hyp crefine: closed unmapPage sorry in VSpace_C
2017-06-19 14:32:35 +10:00
9f32001c78
arm-hyp: enable quick_and_dirty for snd CBaseRefine image
2017-06-19 14:32:35 +10:00
9d8f5326f5
arm-hyp crefine: add ccorres_pre rules for vcpu/tcb
...
getObject for vcpu and tcb, getCurVCPU
2017-06-19 14:32:35 +10:00
96c13859e0
proof/ROOT: add CREFINE_QUICK_AND_DIRTY flag
...
Use to build CRefine in quick_and_dirty mode.
2017-06-19 14:32:35 +10:00
84f63763e0
arm-hyp crefine: sorry Refine_C
...
This is the top level file of crefine and last file of this sorrying run.
The new handleInterrupt (due to the new getActiveIRQ flag) has more specific
requirements about the current thread's state and queued status, which
are sorried, but probably true.
Some interesting questions about ctac/cinit/csymbr resulted in sorries
that look obviously true, but any attempt at touching them results in
exeception TERM despite many attempts.
2017-06-19 14:32:35 +10:00
ffb76f063c
arm-hyp crefine: update and sorry ADT_C
...
There is a non-trivial issue with the pde/pte state relations no longer
being injective, due to HAPFromVMRights not being injective.
handleHypervisorEvent_C updated in both locations (no idea why two),
generating some interesting questions about cinit/ctac usage.
setArchTCB_C becomes setTCBContext_C because we only set the context on
entry into the kernel, not the VCPU pointer.
2017-06-19 14:32:35 +10:00
402f824950
arm-hyp crefine: use option_to_ctcb_ptr in cvcpu_relation
...
* cvcpu_relation now uses option_to_ctcb_ptr instead of
option_to_ptr since tcb pointers are special.
2017-06-19 14:32:35 +10:00
3b0d72a5df
arm-hyp crefine: update and sorry Fastpath_C
...
Don't have vcpuSwitch ccorres yet, plus one likely trivial refine-related
sorry.
2017-06-19 14:32:34 +10:00
b1269759d8
arm-hyp crefine: strengthen cur_vcpu_relation in state relation
...
Require that having Some vcpuptr on the haskell side implies that ptr is
not NULL on the C side. Required for injectivity.
2017-06-19 14:32:34 +10:00
c7b11988d4
arm-hyp crefine: update Syscall_C
2017-06-19 14:32:34 +10:00
2906a7dfec
arm-hyp crefine: trivial: rename after refine changes
2017-06-19 14:32:34 +10:00
cca9619dd6
arm-hyp crefine: Interrupt_C maxIRQ adjustment
2017-06-19 14:32:34 +10:00
0ee00e6d5f
arm-hyp crefine: Move.thy fixes
2017-06-19 14:32:34 +10:00
a488e8dd44
arm-hyp refine: various fixes and renames for obj_at' related rules
2017-06-19 14:32:34 +10:00
4628d6e8d6
arm-hyp crefine: sorry Schedule_C (missing vcpuSwitch ccorres)
2017-06-19 14:32:34 +10:00
3b447a9635
arm-hyp crefine: add refine wp sorries to Move.thy
...
For someone else to prove.
2017-06-19 14:32:34 +10:00
ff76eebb0f
arm-hyp crefine: naively sorried Tcb_C
2017-06-19 14:32:34 +10:00
7263d28c0d
arm-hyp crefine: clean up and sorry Ipc_C
...
4 interesting sorries
12 easy sorried cases for handling a vcpu case relation
2017-06-19 14:32:34 +10:00
a4ae2ad87b
arm-hyp crefine: add VCPUFault/VGICMaint. to state relation
2017-06-19 14:32:34 +10:00
b0466d15f1
arm-hyp crefine: sorry Invoke_C and IsolatedThreadAction
2017-06-19 14:32:34 +10:00
1f31473a7a
arm-hyp crefine: trivial: move some lemmas up for better visibility
2017-06-19 14:32:34 +10:00
c29fda3075
arm-hyp crefine: update prepareThreadDelete_ccorres
...
Adds dissociateVCPUTCB_ccorres that should be fine, but is sorried.
Demonstrates how to get out of stateful tcb->tcbArch.tcbVCPU
conditional.
2017-06-19 14:32:34 +10:00
de5369c94d
arm-hyp crefine: sorry Finalise_C Recycle_C Arch_C
...
Fixed the easy lemmas, but Arch_C has lots of issues outstanding.
2017-06-19 14:32:34 +10:00
a7ec8d5a2d
arm-hyp crefine: add simp dels to DetWP (includes Include_C)
2017-06-19 14:32:34 +10:00
2a24f167b2
arm-hyp crefine: archThreadGet ccores_pre + convenience functions
2017-06-19 14:32:34 +10:00
ec8d7e797e
arm-hyp crefine: move "Move.thy" up in the hierarchy
2017-06-19 14:32:34 +10:00
b8ea5e9099
arm-hyp crefine: kick more *Bits_eq from simpset, use (machine|table)_bits_defs
...
Introduce machine_bits_defs to catch even more items,
e.g. vcpu_bits and vcpuBits
Clean up all current uses of p[td]e?_bits in favour of Haskell
equivalent names and table_bits_defs simplification.
Drop p[td]eBits_eq and vcpuBits_eq from simpset.
2017-06-19 14:32:33 +10:00
f5624aace9
arm-hyp crefine: IpcCancel_C trivially sorried
2017-06-19 14:32:33 +10:00
1b79220406
arm-hyp crefine: Retype_C down to 3 sorries re Arch_createObject
...
The C code for Arch_createObject needs updates to the ghost annotations
before further proof can proceed.
2017-06-19 14:32:33 +10:00
a1b6c0afae
arm-hyp crefine: kick p(t|d)Bits_eq from simpset, use table_bits_defs
...
CRefine is a theory of refinement from Haskell spec to C.
Let's avoid having to change tons of p(t|d)Bits lemmas to refer to some
abstract spec constants for no reason.
e.g. if you have a: "P ptBits" and want to prove "P 12" "simp add: a"
will NOT work, as the simplifier does not do that level of
simplification of rules supplied to it.
2017-06-19 14:32:33 +10:00
e8b522e5fe
arm-hyp crefine: strengthen cache flush assumptions in VSpace
...
In hyp mode we don't share an address space with our users, so we flush
by kernel MVA instead. We need to also know that there isn't an overflow
after the ptrFromPAddr translation from physical to kernel virtual.
2017-06-19 14:32:33 +10:00
3400ebd00d
arm-hyp crefine: Detype_C sorry-free for now
2017-06-19 14:32:33 +10:00
e207697178
arm-hyp crefine: progress on VSpace_C, sorried
2017-06-19 14:32:33 +10:00
17949975b2
arm-hyp crefine: TcbAcc_C sorry-free
2017-06-19 14:32:33 +10:00
065baa1952
arm-hyp crefine: misc lemmas about option/ptr/0
2017-06-19 14:32:33 +10:00
68797449c7
arm-hyp crefine: TcbQueue_C sorry-free
2017-06-19 14:32:33 +10:00
68ce0e9dee
arm-hyp crefine: PSpace_C sorry-free
2017-06-19 14:32:33 +10:00
6252b0b5b8
arm-hyp crefine: convenience defs p(t|d)(_b|B)its_def'
2017-06-19 14:32:33 +10:00
dd62b49ee4
arm crefine: seL4-specific ctac lemmas now in Ctac_lemmas_C
2017-06-19 14:32:33 +10:00
11fa19c987
arm-hyp crefine: seL4-specific ctac lemmas now in Ctac_lemmas_C
2017-06-19 14:32:33 +10:00
f581b3ea7f
arm-hyp crefine: CSpace_C sorry-free
2017-06-19 14:32:33 +10:00
247601ecd8
arm-hyp crefine: Machine_C cache proofs done
2017-06-19 14:32:33 +10:00
96bd0536bf
arm-hyp crefine: wholesale change of pde and pde array sizes
...
pte_C[256] -> pte_C[512]
pde_C[4096] -> pde_C[2048]
2017-06-19 14:32:33 +10:00
c8529de532
arm-hyp crefine: update SR_Lemmas for VCPU and global state
2017-06-19 14:32:33 +10:00
fc13ffe455
arm-hyp crefine: StateRelation: VCPU relations
...
cvcpu_relation for VCPU objects in memory
cur_vcpu_relation for armHSCurVCPU
2017-06-19 14:32:32 +10:00
3c4c5f3181
arm-hyp crefine: Wellformed_C deals with VCPUs
2017-06-19 14:32:32 +10:00
cc073635ff
arm-hyp crefine: update cpte/cpde relations; StateRelation_C processes
2017-06-19 14:32:32 +10:00
a07a9b76c9
arm-hyp crefine: update ARM*. with ARM_HYP*. qualification
...
Found three quantification flavours styles: ARM. ARM_A. ARM_H.
Via find|sed on entire folder.
2017-06-19 14:32:32 +10:00
46bab6dcf3
arm-hyp crefine: preliminary machine op ccorres assumptions
...
Assume correspondence between machine ops declared in MachineOps.thy and
their C equivalents.
2017-06-19 14:32:32 +10:00
526c9af393
arm-hyp crefine: copy from ARM
2017-06-19 14:32:32 +10:00
2dc5ec8601
arm-hyp refine: update for do_flush/doFlush
2017-06-19 14:32:32 +10:00
ea2bfa2e19
arm-hyp ainvs: update for do_flush
2017-06-19 14:32:32 +10:00
b96877f244
arm-hyp refine: (Fix) Correctly defining setCurrentPD
2017-06-19 14:32:32 +10:00
cab9f2880b
arm-hyp ainvs: (Fix) Correctly defining setCurrentPD
2017-06-19 14:32:32 +10:00
cd8a45c220
arm-hyp ainvs: update lookupPtSlot
2017-06-19 14:32:32 +10:00
a8b7b7887d
arm-hyp refine: update for asidHighBits change
2017-06-19 14:32:31 +10:00
f5d073cb62
arm-hyp ainvs: update for asid_high_bits change
2017-06-19 14:32:31 +10:00
fc74a6440f
arm-hyp refine: repair for rebase (new corres)
...
- fixes the fallout from the updated corres method.
- also includes some fixes by: Daniel Matichuk <daniel.matichuk@data61.csiro.au>
2017-06-19 14:32:31 +10:00
bf98897a98
arm-hyp refine: Refine sorry free
2017-06-19 14:32:31 +10:00
ca9582a2e8
arm-hyp refine: VSpace_R sorry free
2017-06-19 14:32:31 +10:00
ddb5c4043c
arm-hyp refine: VSpace_R, 2 sorries left
2017-06-19 14:32:31 +10:00
34a7c911e2
arm-hyp refine: VSpace_R, 2 sorries left, 1 sorry elsewhere
2017-06-19 14:32:31 +10:00
37ef712322
arm-hyp refine: zobj_refs adjustments; Arch_R sorry-free
2017-06-19 14:32:31 +10:00
0bf8d784b5
arm-hyp refine: zobj_refs' for VCPU (needed for liveness)
2017-06-19 14:32:31 +10:00
e48643f785
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
19b519ba29
arm-hyp refine: VSpace_R, 4 sorries left
2017-06-19 14:32:30 +10:00
3edf057812
arm-hyp refine: tidying up Schedule_R
2017-06-19 14:32:30 +10:00
bee7435458
arm-hyp refine: reduce sorries in Arch_R
2017-06-19 14:32:30 +10:00
5e9080c77b
arm-hyp refine: Syscall_R sorry-free
2017-06-19 14:32:30 +10:00
501e71adbe
arm-hyp refine: CNodeInvs_R sorry-free
2017-06-19 14:32:30 +10:00
8118968a05
arm-hyp refine: remove sorry in Syscall_R
2017-06-19 14:32:30 +10:00
c34aef1ee3
arm-hyp refine: DomainTime_R sorry-free
2017-06-19 14:32:30 +10:00
14b0f600ab
arm-hyp refine: Finalise_R sorry-free
2017-06-19 14:32:30 +10:00
Matthew Brecknell
Gerwin Klein
Thomas Sewell
Alejandro Gomez-Londono
Miki Tanaka
Pang Luo
Joel Beeren
Adrian Danis
Joel Beeren
Daniel Matichuk
Alejandro Gomez-Londono
Rafal Kolanski