With adjustment of ARMMMU_improve_cases, the decode functions can all
be done in a single crunch invocation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

These have either already been resolved, are trivial moves within one
theory, or are questions that the rest of the proof has now
answered.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Correctly check the type of the table the PageTableCap points to in
checkVSpaceRoot (must be a VSRootPT, not NormalPT).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The argument numbers in the error messages for
decodeARMFrameInvocationMap are slightly off.
Same bug exists in C, see also seL4/seL4#1075.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The user_vtop check in decode_fr_inv_map_wf can be relaxed from >= to >
as done in Haskell and C.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Tweak formulation of createNewCaps for page tables to be in the expected
"addr ~elem~ map .." form. The previous definition was not wrong, but
the lemmas in Retype_R expect the set membership form.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Main progress is in VSpace_R, with some fallout in ArchAcc_R, ADT_R, and
Schedule_R for invariant and spec changes.
General obj_at preservation for setVMRoot does not hold and is relegated
to something more specific in Schedule_R.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Refine needs slightly stricter information about asid maps, in
particular we need to know explicitly that asid 0 never maps to
a VSpace. This is the reverse of valid_vmid_table, but unfortunately
does not fully follow from valid_vmid_table, because there can
be VSpaces mapped without an assigned VMID.
We shift the test for 0 < asid from entry_for_asid to vspace_for_asid
so we can use entry_for_asid in the formulation of the invariant.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The vmid_table never maps ASID 0. We managed to get through AInvs
without this property, but Refine does need it later.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This concept no longer makes sense on AARCH64; we will either need to
know that certain addresses are in user_region (which implies
canonical_user, which is more strict than canonical), or we will need
to know they are in the kernel_window, which is also more strict than
canonical. We'll only find out for sure in CRefine.
Both cases are liftable from valid_vspace_uses and
pspace_in_kernel_window from AInvs, so instead of a new invariant, the
plan is to use Haskell assertions to transport the relevant info to
CRefine when needed.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Trying to figure this out was very educational, since ccorres_abstract
was used without intending to abstract a variable, the xf' and lambda
name were both red herrings (in fact, this proof only worked if xf' was
instantiated with an *irrelevant* C local var name), and the body was
not transformed.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Factor out is_safe_wp from corres method, so that we can refer to it
later in the documentation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Explain that these are not nice simp rules, what one should do instead,
and why we leave them as is despite all that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The (no_asm) for corres goals is now properly enforced, which means
it is now really necessary to provide terminal corres rules in their
proper form.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The subst_all rule in the standard simp set can circumvent the (no_asm)
mode of simp, which we are using in the corres method.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This is useful for debugging the proof method for solving side
conditions, and will show which goals corres_cleanup is invoked on.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>