The links to nicta.com.au have stopped working, so the publication links
now point to the TS publication pages.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
SimplExportAndRefine is now split into two steps;
AutoCorresTest moved to its own directory.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This allows SimplExportAndRefine to handle some new heap update patterns
arising in MCS.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`init_freemem` isn't verified (and therefore is low-priority for
translation validation). It also takes several hours to show refinement,
much longer than any other function. Until we need to validate it, we
should skip it to improve regression times.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Also cleans up some of the debug config setup and makes result reporting
more useful.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
A new version of `arch_init_freemem` for RISC-V introduces some heap
access patterns which are not well supported by SimplExportAndRefine.
`arch_init_freemem` is already ignored by `graph-refine`, because it is
inlined into `init_freemem`, which contains complex loops. Therefore, we
don't lose anything by ignoring it in SimplExportAndRefine. Although the
problem only manifests on RISC-V, we ignore it on all platforms.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Splits parts of step 4 of the SimplExport proof process, in order to
expose them to the test theory. Add some instructions on how to use
them.
Tags subgoals so that the user can identify which ones caused the
failure.
Consolidates ML setup code, and demarcates it to let uses ignore it.
Now that asmrefine targets several arches, it's useful to separate out
any intermediate artefacts by L4V_ARCH. For instance, this lets us use
the same directory to test two arches at once.
Using a shared ref for configuration reduces the understandability of
code. It turns out the contents of the `globals_swap` ref:
1. Was always the same.
2. Was only used in one spot.
3. Could be recreated at that one spot.
So we do that instead.
Previously, if a graph refine proof failed it would cause the ML block
defining the debug variable to be discarded; this prevented the user
from investigating the debug output. This change splits the ML block to
avoid the issue.
Adds a 'debug' configuration type to the main ProveSimplToGraphGoals
functions. Configuration lets the user control which functions will be
tested, and logs which functions fail testing.
Adds a 'single step' debug tactic for use in TestGraphRefine, and
demonstrates a few useful initial ML tactic for e.g. narrowing down
which subgoals are failing, and how to inspect a successful subgoal.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
The C-parser contains a full parser for __asm__ syntax but
up until now hasn't done anything with it. Instead we export
some semantics. It's unspecified exactly what these semantics
are but they are parametrised with the __asm__ semantics that
went in to them, so the translation validation has something
to reason about.
Tweak modifies proofs as a result, and add some more test files.
Sometimes it's simpler to access an unknown field of a const
global by just computing the offset from its symbol in memory
and assuming the relevant words are in the .rodata section. But
for known fields, it's easier to just figure out what the
constant value is. This complicates the proof slightly, since
it has to guess which case it is in.
Gerwin Klein
Rafal Kolanski
Matthew Brecknell
Mitchell Buckley
Gerwin Klein
Gerwin Klein
Edward Pierzchalski
Adrian Danis
Thomas Sewell
Alejandro Gomez-Londono
Thomas Sewell
Rafal Kolanski
Gerwin Klein