87a3d9592d
cspec/crefine: readme: document significance of L4V_ARCH
...
tags: [NO_PROOF]
2017-03-31 16:13:42 +11:00
7e13fb9e91
cspec: move to ARM subdirectory
...
Configure to build with L4V_ARCH=ARM
2017-03-30 18:20:24 +11:00
1e8228700b
x64: abstract: fixup arch_same_region_as for IOPorts
2017-03-30 13:09:40 +11:00
5466ae1e9e
x64: design: translate spec
2017-03-29 18:28:14 +11:00
fb177b7303
x64: fix up updateCapData for cnodes
2017-03-29 18:28:14 +11:00
97b811c183
x64: design: run haskell translator
2017-03-29 17:23:25 +11:00
d943530233
x64: haskell: miscellaneous updates
...
* change updateCapData to do nothing for IOPorts
* update sameObjectAs for IOPorts
* add device condition for sameObjectAs for Pages
2017-03-29 17:23:25 +11:00
df94ae6fad
x64: aspec/ainvs: miscellaneous updates
...
* make update_cap_data do nothing for IOPorts
* return same_aobject_as to previous definition for IOPorts
* change cap_master_cap for IOPorts to be the identity
2017-03-29 17:23:25 +11:00
f26ba5cebd
arch_split: make cte_level_bits_def work with existing proofs
...
Many generic proofs make use of cte_level_bits_def. Although the
definition is architecture specific, the proofs work for any reasonable
value of cte_level_bits, so it's fine to expose the definition to
generic proofs.
2017-03-29 11:45:13 +11:00
6f3efc504a
arch_split x64 arm: make endpoint_bits and ntfn_bits arch constants
2017-03-27 19:07:42 +11:00
bb92e92f52
arch_split x64 arm: make cte_level_bits an arch constant
2017-03-27 19:07:28 +11:00
b9e7e99e8e
x64: haskell: remove VMWriteOnly
2017-03-23 16:48:20 +11:00
178b95a6d3
x64: haskell: fix broken caseconvs; use generic ptTranslationBits
2017-03-23 15:34:52 +11:00
d564c80be1
x64: abstract: tweak spec to match C code
2017-03-23 15:34:43 +11:00
981e05d5f7
x64: abstract: remove spurious VMPML4E from vm_map_type
2017-03-23 15:34:30 +11:00
28c13ef778
x64: abstract: update error bits used in lookup_pt_slot et al
2017-03-22 18:05:00 +11:00
004feffc4c
x64: haskell: add ptShiftBits et al
2017-03-22 18:04:36 +11:00
903b2ae87a
x64: haskell: update haskell spec
...
* use new vmmap_type from spec/machine
* add x64KSKernelVSpace to arch state
* retranslate spec
2017-03-21 15:09:37 +11:00
49e12ef7dc
x64: change cte_level_bits, obj_bits (Endpoint; Notification) to 5
...
rather than 4.
This is true on all 64-bit platforms as the size of these objects is 4
words (4*8 = 32 = 2^5). However, this breaks the 32-bit ARM proofs that
rely on these values being 4 - see jira issue VER-725.
2017-03-21 15:09:37 +11:00
34090a37a2
x64: spec: use machine_word rather than 32 word for deterministic extended state fields
2017-03-21 15:09:37 +11:00
1a12926724
x64: use generic VMMapType from haskell rather than redefine in abstract
2017-03-21 15:09:37 +11:00
af0060bf7e
x64: fix ArchKernelInit_AI
...
Includes a change to valid_global_vspace_mappings invariant, to
canonicalise virtual addresses while traversing page tables.
2017-03-21 14:42:12 +11:00
f846fd896a
x64: design: translated haskell spec now builds
2017-03-16 14:19:40 +11:00
05150477b9
x64: haskell: updated most of haskell spec for new machine functions
2017-03-16 14:19:40 +11:00
532995922b
x64: got haskell translator running on existing haskell kernel
2017-03-14 17:59:08 +11:00
637f13b994
x64: fix haskell Makefile, get haskell building without VT-d stuff
2017-03-14 17:59:08 +11:00
421c42e935
x64: add HypFault to machine skel
2017-03-14 13:56:18 +11:00
15f32f4dce
x64: ASpec builds after merge for ARM, X64
2017-03-14 13:16:14 +11:00
95d1671940
Merge remote-tracking branch 'verification/master' into x64-split
...
Conflicts:
lib/LemmaBucket.thy
lib/NonDetMonadLemmaBucket.thy
lib/Word_Lib/Word_Lemmas.thy
lib/X64/WordSetup.thy
proof/invariant-abstract/ARM/ArchDetype_AI.thy
proof/invariant-abstract/ARM/ArchInvariants_AI.thy
proof/invariant-abstract/BCorres_AI.thy
proof/invariant-abstract/CSpace_AI.thy
proof/invariant-abstract/DetSchedSchedule_AI.thy
proof/invariant-abstract/Interrupt_AI.thy
proof/invariant-abstract/IpcCancel_AI.thy
proof/invariant-abstract/Syscall_AI.thy
proof/invariant-abstract/Untyped_AI.thy
proof/refine/ARM/Include.thy
spec/abstract/ARM/ArchTcb_A.thy
spec/abstract/CSpace_A.thy
spec/abstract/Tcb_A.thy
spec/design/ARM/ArchIntermediate_H.thy
spec/design/X64/ArchInterruptDecls_H.thy
spec/haskell/Makefile
spec/machine/MachineExports.thy
tools/c-parser/.gitignore
tools/c-parser/standalone-parser/Makefile
tools/c-parser/testfiles/ARM/imports/MachineWords.thy
tools/c-parser/testfiles/X64/imports/MachineWords.thy
tools/haskell-translator/caseconvs
2017-03-10 19:35:39 +11:00
89b9e3bda4
x64: fixed up ArchCNodeInv_AI
2017-03-09 11:09:46 +11:00
ea771a8f7c
arm-hyp: configure kernel Makefile for L4V_ARCH=ARM_HYP
...
Set as required for TK1 platform.
2017-03-06 17:16:28 +11:00
c3d179cd28
aspec: standard file access rights
2017-03-04 10:32:12 +11:00
237fb11012
x64: fix ArchArch_AI
...
Also includes some corrections to the abstract specification, and minor
improvements to some existing proofs.
2017-03-01 12:11:17 +11:00
81b3e7808b
licenses: Updated licenses added from x64 backport
...
tags: [NO_PROOF]
2017-02-28 12:26:19 +11:00
5665511d84
capDL spec and DRefine: updates for Hypervisor stub
2017-02-22 15:26:50 +11:00
b2f2034bbc
Bisim / Access / InfoFlow: updates for Hypervisor stub
2017-02-22 15:26:49 +11:00
75b1680d68
abstract: add Hypervisor fault event to ARM
2017-02-22 15:26:49 +11:00
98832f8ccd
execspec: add hypervisor, HypFaultType in skeletons (ARM), generated files
2017-02-22 15:26:46 +11:00
ce1b60e16e
haskell: add Hypervisor module, add concept of Hypervisor exceptions
...
The kernel gains an entry point for hypervisor exception events, as well
as a way to add arch-specific handlers for these events.
We do this since the hypervisor has its own entry point into the kernel,
and that must be reflected in the top-level kernel entry interface.
For ARM target, which does not have hypervisor support, we add an no-op stub.
2017-02-22 15:26:41 +11:00
c957220996
capDL spec and DRefine for prepare_thread_delete
2017-02-20 09:23:56 +11:00
1ac38269b6
abstract: prepare_thread_delete stub for ARM
...
- defined prepare_thread_delete for finalise_cap
2017-02-20 09:23:55 +11:00
b853647a6d
execspec: fix skeleton for prepareThreadDelete, generated files
2017-02-20 09:23:55 +11:00
185876b89f
haskell: add a stub for prepareThreadDelete
...
this is a function called from finailiseCap to prepare a tcb for deletion
(it does nothing for ARM)
2017-02-20 09:23:55 +11:00
07b2241e37
x64: fix CR3 check in set_vm_root spec
2017-02-15 19:01:58 +11:00
cdc4813228
x64: make same_object_as for IOPortCap behave like UntypedCap
2017-02-15 19:01:58 +11:00
000b27b5d8
x64: spec: commented out IOSpace invocations
2017-02-15 18:32:52 +11:00
5ea1d903ae
x64: spec: fixed definition of same_aobject_as
2017-02-15 14:11:12 +11:00
a9bbaeb0b8
x64: ArchIPC_AI now processes, added necessary arch_fault lemmas
2017-02-15 11:50:50 +11:00
520921351a
provide TCB argument for sanitiseRegister
...
Other platforms such as arm-hyp will need to look into additional TCB state
such as VCPU in sanitiseRegister. This commit provides the scaffolding for
that.
2017-02-12 12:54:42 +11:00
3607dfabbf
haskell/design: remove unused functions
2017-02-12 12:33:05 +11:00
82ab5500a1
abstract: remove two obsolete functions
2017-02-10 22:29:07 +11:00
0dbe39edd8
X64: fix perform_asid_pool_invs
2017-02-03 16:25:06 +11:00
d08ee04e2f
haskell: update documentation for building the Haskell kernel
2017-02-03 16:23:56 +11:00
c3cd2e137b
x64: spec: add loop to delete_asid_pool; re-add asid_map updates
2017-02-02 13:30:24 +11:00
aee13996a6
haskell: use stack to obtain suitable GHC and cabal
2017-02-01 17:31:21 +11:00
7a8f2b8980
trivial: use absolute paths in haskell .gitignore
2017-02-01 17:13:04 +11:00
9ac4d1ba06
x64: progress in Detype_AI
...
May need some additional work to ensure compatibility with vspace lookup
generalisation.
2017-02-01 16:22:41 +11:00
4329c6a6bd
x64: fix endianness of storeWord and loadWord
2017-02-01 16:22:06 +11:00
3dafec7d46
backport changes to ARM proofs from X64 work in progress
...
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2017-01-27 08:31:07 +11:00
f8dadc16f0
x64: fix ArchRetype_AI
...
- Port from ARM to X64:
- Definitions and lemmas relating to copy_global_mappings.
- Device untyped patch.
- Pre-emptible retype patch.
Includes some fixes to ArchVSpace_AI and ArchVSpaceAcc_A.
There is one "sorry" in ArchRetype_AI which is waiting for a refactoring
of ArchAcc_AI and ArchVSpace_AI for simpler proofs concerning vs_lookup,
store_pml4e, etc.
2017-01-25 12:00:14 +11:00
b35c50c481
x64: spec: update machine functions, invocations, set_vm_root for new
...
kernel version
2017-01-20 16:18:49 +11:00
3504b119a4
x64: fix X64 after merge, up to ArchVSpace_AI
2017-01-19 11:12:30 +11:00
e543bf5501
merge x64-split into local branch
2017-01-18 13:49:51 +11:00
759a0387ab
merge master into x64-split
...
Primarily concerns wp improvements
2017-01-18 07:49:48 +11:00
77a657004d
x64: Interrupt_AI, ArchInterrupt_AI done
2017-01-17 14:04:55 +11:00
3fee2d83b4
cleanup: correct version info
2017-01-15 17:05:52 +01:00
8ac1200329
cleanup: remove accidentally declared const
2017-01-15 17:05:52 +01:00
abf1db5b51
merge master into x64-split
2017-01-13 17:22:03 +11:00
c1782fc155
x64: fix ARM build after merge
2017-01-13 11:24:06 +11:00
a1b5f16ed6
merge x64-split into local branch
2017-01-11 17:22:05 +11:00
5bdcbe537e
fix ARM build after merge
...
Also:
- move some ARM-specific things out of Tcb_AI
- port changes from ARM to X64, up to beginning of ArchVSpace_AI
2017-01-10 17:09:31 +11:00
47f78b30a6
x64: random stuff in BCorres, changed undefined to fail in decode_page_invocation
2017-01-09 17:12:34 +11:00
7dce5dd7c4
x64: defined a bunch of machine ops that were previously unspecified
2017-01-05 15:38:06 +11:00
db13ff19bb
Isabelle2016-1: configure c-parser with faster string comparisons
2017-01-05 14:27:44 +11:00
b5158e31bc
Isabelle2016-1: fix proofs involving UNION
...
SUPREMUM changed from a definition to an abbreviation.
A number of proofs that previously used blast, fastforce or auto to
solve goals involving UNION, now either fail or loop. This commit
includes various ad-hoc workarounds.
2017-01-05 14:27:33 +11:00
30122b5d80
Isabelle2016-1: update to new ML API
...
Update references to renamed ML constants; supply default arguments to
functions with additional parameters; etc.
2017-01-05 14:26:14 +11:00
511c6b2d3a
Isabelle2016-1: rename free variables to avoid capture
2017-01-05 14:24:36 +11:00
41d4aa4f1d
Isabelle2016-1: update references to renamed constants and facts
2017-01-05 14:23:05 +11:00
0b039a0735
Isabelle2016-1: syntax: use semantic markup instead of "header"
2017-01-05 14:22:24 +11:00
a1ab2d90b1
x64: fix up ArchIPC_AI
2016-12-13 10:17:28 +11:00
25a6354859
AInvs: remove references to arch specific stuff in Ipc_AI
2016-12-13 10:15:53 +11:00
73a08160a1
merge master into x64-split
2016-11-30 12:08:32 +11:00
b07d971a08
x64: machine: move word_size_bits definition to MachineTypes.
...
Furthermore, create generic library of word lemmas that require
the Arch context to prove, but can be proven with the same proof in
all architectures. These lemmas can then be used safely in generic
theory files. This library is in spec/machine/WordExports.thy
2016-11-25 15:30:36 +11:00
b4fe96ee67
CSpec: New import locations
...
types.bf and shared_types.bf were merged and moved to 32/mode/api,
imports in KernelInc_C.thy were updated accordingly
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:55 +11:00
ab6b9baebb
ExecSpec: Changes to the haskell to better reflect ASpec
...
* atcbContextGet and atcbContextSet where added (just as in ASpec)
* asUser is now defined in terms of atcbContext{Get,Set}
* arch_tcb is now correctly imported as a datatype not as a type
synonym
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:55 +11:00
f9c7c855d0
Haskell: Changes to the haskell to better reflect ASpec
...
* atcbContextGet and atcbContextSet where added (just as in ASpec)
* asUser is now defined in terms of atcbContext{Get,Set}
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:55 +11:00
99bcebda87
ASpec: arch-specific faults + VMFault -> ArchFault + ReservedIRQ
...
* fixing name space for arch_tcb and tcb_context
* arch_fault added
* changing name space for arch_tcb
- as_user, set_mrs, get_mrs, copyRegsToArea, and copyRegsToArea are
moved to the ARM_HYP directory. This breaks the proofs in
refinement, etc., mostly in tcb related files.
* removed a duplicate range check definition
* fixes ARM for arch_tcb
* adding arch_thread_get/set
* add ReserveIRQ
- initInterruptController is not added yet.
* add arch_fault
- arch_fault and related functions are added.
* arch-parametrising arch-specific extra registers
- ArchDefaultExtraRegisters is the common interface that refers to the
arch-specific data (ARMNoExtraRegisters for ARM/ARM_HYP)
* Adding accesors for tcb_context
- Despite the fact that tcb_context has an arch-specific definition,
it is reasonable to assume that some form of tcb_context will be
available in any architecture, thus the need for accesors to handle
updates.
* as_user updated to use tcb_context accesors
* set_mrs and get_mrs updated to use tcb_context accesors
- Several function on ArchTcb_A and ArchTcbAcc_A (both theories where
removed) can be defined in a general context by using the
tcb_context accesors
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:49 +11:00
6dad6a1c75
ExecSpec: arch-specific faults + VMFault -> ArchFault + ReservedIRQ
...
* skeletons, adding new constructs (arch_tcb, arch_fault)
* adjusting skeletons for ReserveIRQ + small change in haskell (ARM)
Changes in: spec/haskell/src/SEL4/Object/Interrupt/ARM.lhs:37:21
Due to "Defined but not used: ‘irq’"
* arch-splitting faults in skeletons (ARM)
* fix arch_tcb and asUser namespace issues in skeletons (ARM)
* checking in current generated files
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:42 +11:00
c92baf746d
Haskell: arch-specific faults + split VMFault -> ArchFault + ReservedIRQ
...
Hypervisor extensions add extra fault types which are entirely
arch-specific. While the concept of a VM fault exists on all platforms,
these faults are also arch-specific.
This change adds an ArchFault datatype and constructor to the generic
Faults and Failures, and moves VMFault into ArchFault for the ARM
platform.
NOTE: fault indices have changed (generic goes before arch) as per
the changes needed for SELFOUR-413, which is the seL4 C equivalent of
this commit.
* add arch faults and failures to SEL4.cabal
* introduce and handle IRQReserved
On ARM this does nothing, but on other platforms reserved IRQs are
actually used.
* split TCB into ArchTCB (userContext)
* changing ArchFault to make haskell-translator to work
tags: [VER-623][SELFOUR-413]
2016-11-25 13:05:15 +11:00
d7450607a8
SELFOUR-553: rebase and fix styles and comments
2016-11-21 20:47:15 +11:00
a2d707d17e
SELFOUR-553: update rpidrurw in TCBConfigure for simpler Infoflow proofs.
2016-11-18 16:27:26 +11:00
f8f88c6952
SELFOUR-553: Change Spec according to C code and fix ASpec and AInvs
2016-11-18 16:19:14 +11:00
9769f73888
changed callKernel to conditionally call hooks
2016-11-18 16:19:14 +11:00
2553371a14
SELFOUR-64: Remove general Recycle operation
...
This removes the RecycleCap CNodeInvocation, whilst
retaining recycle behaviour for Endpoints -- now renamed
CNodeCancelBadgedSends.
2016-11-18 14:11:12 +11:00
72349f81fd
Revert SELFOUR-242: invert bitfield scheduler and optimise fast path
...
This reverts:
- a67b443ca5f704cf0404
2016-11-16 14:02:50 +11:00
f704cf0404
SELFOUR-242: invert bitfield scheduler and optimise fast path
...
* Reverse the level 2 of the bitmap scheduler to move the highest priority
threads' level 2 entries into the same cache line as the level 1.
* Use the bitfield scheduler to make the fast path a more common occurrence.
* Change possibleSwitchTo to not invoke scheduler when the fast path would not
invoke it either (using implicit assumptions about the current thread being
the highest priority schedulable thread)
2016-11-15 09:20:31 +11:00
c1c636a24f
Simplify obj_bits to not check well_formed_cnode_n
2016-11-11 16:24:37 +11:00
ff7ca60df7
ADT: add kernel entry/exit constraints on domain time left
...
These changes to the automatons are required by:
SELFOUR-242: invert bitfield scheduler and optimise fast path
Details:
When we enter the kernel, the domain time left (ksDomainTime) is never zero.
If we entered on a timer interrupt, we may decrement it to zero before the
scheduler runs. If we do so, we set the scheduler state to choose_new_thread.
When choosing a new thread, the scheduler switches to a new domain if the
present one is required, and sets the new domain time left from domain_list
(ksDomSchedule).
When entering the kernel on a non-interrupt event, we never touch the domain
time left, which trivially preserves the new constraints.
To prove these, we had to ban a transition from kernel entry to kernel being
preempted when handling an interrupt event in InfoFlow. This is fine, as by
design handling interrupts is not meant to be preempted by interrupts.
2016-11-11 06:01:30 +11:00
3b679b0ce3
SELFOUR-444: fix DSpecProofs and SysInit
2016-11-02 11:19:10 +11:00
dcd7fd8c17
SELFOUR-444: Refine proof with ghost invariant.
2016-11-02 11:19:09 +11:00
74adb7a283
SELFOUR-444: Avoid unnecessary cache clears.
...
Adjust both specs and propagate the changes.
2016-11-02 11:19:09 +11:00
7ebefa69ab
SELFOUR-444: Work on untyped zero invariant.
...
The invariant just proves that the ghost field is up to date.
2016-11-02 11:19:09 +11:00
6ad456ca03
SELFOUR-444: Adjust Haskell, new ghost data.
...
The new ghost data is saved in the design spec when Untyped caps
are modified and will be used by CRefine.
2016-11-02 11:19:09 +11:00
69f7be9917
SELFOUR-444: Initial updates to capDL spec.
2016-11-02 11:19:09 +11:00
d765a64b81
SELFOUR-444: Haskell implementation, begin refine.
...
First attempt at a haskell implementation of preemptible retyping
and the refinement proof to abstract.
2016-11-02 11:19:08 +11:00
f32e2ca0f5
SELFOUR-444: Abstract implementation.
...
Abstract implementation of preemptible retyping.
2016-11-02 11:19:08 +11:00
1a6e362598
x64: added more machine definitions
2016-10-26 16:42:50 +11:00
b8048726a6
X64: added dummy VMPML4E to vm_page_entry.
...
needs to be reviewed
2016-10-19 10:52:46 +11:00
0b4372e98b
x64: Removed unnecessary ASID from PageMap invocation
2016-10-14 16:44:42 +11:00
991dd30173
x64: port device-untyped from ARM
2016-10-10 13:26:40 +11:00
aafe4b92ce
x64: port MCP from ARM
2016-10-10 13:24:08 +11:00
256e241770
merge master into x64
2016-10-06 19:57:55 +11:00
7989fa4ff1
x64: more progress in ArchVSpace_AI
2016-10-05 18:04:47 +11:00
1edc9ced5f
x64: commented out some IOSpace stuff, added machine op definitions.
2016-10-05 12:02:46 +11:00
a3714e8190
SELFOUR-276: Finish proofs for maximum controlled priority (MCP)
...
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strenthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
b352769016
SELFOUR-276: Prove refinement to Haskell for MCP
...
Also includes fixes to specs and invariants, and initial progress
towards C refinement.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
20539620f9
SELFOUR-276: Add MCP to specs and invariants
...
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
8d4a8eb238
SELFOUR-421: fix coding style
2016-09-22 19:23:28 +10:00
8f3a4dee31
SELFOUR-421: merge with master, fix wholesystem proofs
2016-09-22 19:23:19 +10:00
113315d9a6
SELFOUR-421: merge and fix up to ArmConfidentiality proof
2016-09-22 19:21:56 +10:00
e00e4c4e64
SELFOUR-421: add device bit in UntypedCap and FrameCap in capdl
2016-09-22 19:11:37 +10:00
328846ee1a
SELFOUR-421: crefine builds
2016-09-22 19:11:37 +10:00
c3be923ca0
SELFOUR-421: a defend version before wild changes
2016-09-22 19:11:36 +10:00
ec57875566
SELFOUR-421: new haskell spec after UserDataDevice changes
2016-09-22 19:11:36 +10:00
765d8aa88e
SELFOUR-421: fixed Refine after merge with master
2016-09-22 19:11:36 +10:00
78bd770240
SELFOUR-421: retranslate haskell after merge with master
2016-09-22 19:11:36 +10:00
9617e22ce6
SELFOUR-421: random uncommitted stuff before merge
2016-09-22 19:11:36 +10:00
773684bcd1
SELFOUR-421: retranslate haskell for fixed range check
2016-09-22 19:11:36 +10:00
df877769fc
SELFOUR-421: refine done
2016-09-22 19:11:36 +10:00
3c223b42fe
SELFOUR-421: AInvs done, no added invariants yet
2016-09-22 19:11:29 +10:00
5e16ec5617
SELFOUR-421: first attempt at abstract spec
2016-09-22 19:11:16 +10:00
4c23410f6c
Haskell translator: can keep type constructors.
...
A skeleton line of the form
\#INCLUDE_SETTINGS keep_constructor=asidpool
now ensures that the asidpool type constructor is actually created in
subsequent #INCLUDE_HASKELL declarations. It turns out this feature was already
available, and already used for asidpools, this change just makes it externally
adjustable.
2016-08-25 15:33:19 +10:00
7a5f569a10
x64 invariants: extract word-len-specific parts of update_cap_data (CSpace_A)
2016-08-24 13:39:30 +10:00
5880a317f2
x64 invariants: CSpace_AI checking
...
Includes some changes to the abstract spec:
- replace magic numbers with definitions.
- add missing IOPortCap cases to some definitions.
There is one sorry proof, which I think blast could solve if we
gave it enough time. Will need a more subtle approach.
2016-08-23 07:40:47 +10:00
5b19e2c284
merge master into x64-split
...
This resurrects the ARM architecture on the x64-split branch.
It also brings X64 up-to-date with progress on arch_split.
2016-08-09 18:58:37 +10:00
6b6b8786e8
arch_split: move kernel_base and idle_thread_ptr to arch-specific theories
2016-08-03 14:46:48 +10:00
f9f160ed14
arch_split: replace some fixed word sizes with type aliases
...
Changed some instances of word32 to machine_word, and "10 word" to irq.
Also introduce a type_synonym for "machine_word_len".
2016-08-03 14:46:23 +10:00
975c21054d
x64: remove "isDevice" flags from Haskell specification
...
We will return these when the device-untyped patch is verified and integrated
with the ARM proofs. For now, we want to be able to keep the proofs for the ARM
architecture checking in the x64 branch.
2016-08-02 17:47:58 +10:00
ff3b9be933
x64: reinstate maxIRQ check
...
This was accidentally removed from the Haskell and executable specifications.
2016-08-02 17:20:28 +10:00
bbfc1df601
x64 abstract spec: add some missing cases in ArchVSpace_A unmap operations
...
These had been undefined, causing some crunch commands to fail.
2016-07-27 12:26:53 +10:00
68de1729cd
x64: spec: replaced magic numbers with word_size_bits
2016-07-26 15:37:58 +10:00
574e287cab
x64: spec: reverted bits changes from last commit, was originally correct
2016-07-25 16:49:09 +10:00
c2fa704d9b
add workaround for building documents with TeX Live 2016 [VER-622]
...
Isabelle LaTeX style files use old font commands \bf, \rm, \tt, etc.
However, newer versions of some LaTeX document classes (e.g. scrbook)
have removed support for these commands. This brings back those
commands for documents built with isabelle.sty.
2016-07-22 07:48:08 +10:00
58153f923c
rerun haskell translator, fix design spec
2016-07-22 01:10:29 +10:00
d0d10fa7f3
x64: fixed magic word length number in ArchVSpaceAcc_A
2016-07-21 16:18:17 +10:00
dd73a2c819
run haskell translator
2016-07-21 15:54:49 +10:00
e2c55aa544
run haskell translator
2016-07-20 18:16:23 +10:00
93adccc141
license-tool: missing license headers + .licenseignore [VER-551]
2016-07-14 16:34:31 +10:00
b3c809983b
arch_split: invariants: split Ipc_AI [VER-572]
2016-06-27 17:19:11 +10:00
9c608c62dc
arch_split: Schedule_AI [VER-565]
2016-06-02 14:20:06 +10:00
61d0de297b
x64: arch-ified machine word size to allow substitution for type variables
2016-06-01 13:27:24 +10:00
02824d7599
x64: add x64 haskell code from seL4 repository
2016-06-01 11:52:27 +10:00
9d58764b93
x64: Invariants_AI now processes, removed some arch-specific types
2016-06-01 11:14:43 +10:00
d4f54686f2
x64: ArchInvariants_AI passes except 1 sorried lemma - valid_arch_objs_alt
2016-06-01 11:14:43 +10:00
b95f452ad0
x64: progress in ArchInvariants_AI, up to valid_arch_objs_alt
2016-06-01 11:14:43 +10:00
f2cf12c345
x64: updated ASpec for WordSetup arch-split
2016-06-01 11:14:43 +10:00
8baa7c34ed
x64: retranslate haskell after rebase
2016-06-01 11:12:55 +10:00
21fd88309f
x64: up to lemmas in ArchInvariants_AI
2016-06-01 11:12:55 +10:00
1bc374fbaa
x64 invs: up to vs_refs_pages
2016-06-01 11:12:55 +10:00
73b731562c
x64: add arch_split'd x64 spec with IOMMU stuff
2016-06-01 11:12:55 +10:00
9ccdbfa21e
arch_split: move locale setup to generic theory
2016-05-31 15:14:40 +10:00
40570bc4fe
regression: add test to check theory import paths
...
This commit also fixes all bad imports reported by the test script.
Jira issue VER-560
2016-05-27 16:17:13 +10:00
225a2dbe79
haskell: add .PHONY makefile entries
2016-05-24 16:31:03 +10:00
6ae8d712ec
haskell: reconstruct lost comment from galois-domains merge
2016-05-24 16:31:03 +10:00
3409a92eca
haskell: document the package version constraints
2016-05-24 16:31:03 +10:00
858733c318
haskell: add GHC config var to makefile
...
This allows people with multiple GHCs to select the correct one (7.8).
2016-05-24 16:31:03 +10:00
218f6ccbf3
haskell: add license tag to util script
2016-05-24 16:31:03 +10:00
37fa2f359a
haskell: revert minimum cabal-version
...
GHC 7.8 ships with Cabal 1.18 but the .cabal file asks for >=1.20,
which seems to be unnecessary. This commit reverts to >=1.18.
2016-05-24 14:53:00 +10:00
c71fb4da54
regression: add test for building Haskell kernel
...
Currently requires GHC 7.8.x.
2016-05-24 14:52:51 +10:00
ebc7cbe584
haskell: move Haskell kernel into spec/
2016-05-24 14:18:13 +10:00
6a2692abc6
lib: fix theory includes for arch-splitted WordSetup
2016-05-20 12:31:10 +10:00
80456aa2c7
abstract: reduce syntax ambiguity
2016-05-16 21:11:40 +10:00
322f1023f5
word_lib: adjust theory dependencies
2016-05-16 21:11:40 +10:00
2a6df7a9a3
capDL: remove duplicate wordbits
2016-05-16 21:11:40 +10:00
445efb7c29
lib: closure for Word_Lib and own session
2016-05-16 21:11:40 +10:00
f0faa90f8a
lib/spec/proof/tools: fix word change fallout
2016-05-16 21:11:40 +10:00
7e37215bd2
arch_split: add extend_locale to base import
2016-05-06 18:37:16 +10:00
bb0644beaa
arch_split: merge master
2016-05-06 16:44:43 +10:00
56b226a608
arch_split: CRefine: use requalify instead of shadow
2016-05-06 08:59:33 +10:00
9ceed1eb12
arch_split: fix proofs after removing shadow and unqualify commands and adding fix for crunch. Checks up to DPolicy.
2016-05-04 15:14:41 +10:00
670d1c118d
arch_split: added optional definition override for crunch. Reduced qualification commands to minimal required set.
2016-05-04 15:14:41 +10:00
a2135ca8ce
arch_split: Refine checking, including Orphanage
2016-04-30 16:25:20 +10:00
0c3a12771d
arch_split: merge master
2016-04-28 14:36:43 +10:00
0e5ffd1ea0
arch_split: requalify abstract theories
2016-04-27 18:46:16 +10:00
1d20b393c0
arch_split: replaced sublocale with global_naming
2016-04-27 14:32:38 +10:00
8ab955984f
arch_split: CSpec checking
2016-04-26 13:45:59 +10:00
3191c485d5
arch_split: added ARM_A and ARM_H locales
2016-04-20 17:31:45 +10:00
04362dba27
arch_split: some quick and dirty arch_splitting by selectively interpreting the ARM locale (with FIXMEs)
2016-04-07 17:05:14 +10:00
72337faa7b
arch_split: added namespacing to ExecSpec
2016-04-01 15:17:17 +11:00
144778e8eb
arch_split: avoid caching file_defs in translator to make CONTEXT environment function as expected
2016-04-01 15:09:34 +11:00
d0a29887ff
arch_split: checkpoint for namespacing haskell
2016-04-01 15:09:34 +11:00
f89279e381
arch_split: reworking predicates about arch objects and types
2016-03-24 17:24:14 +11:00
f2cc8d7c0f
arch_split: invariants: progress in ArchADT_AI
2016-03-18 13:08:26 +11:00
7e9b8224ee
Factor out bitfield proof text into Eisbach lib.
...
There's a lot of proof text quoted into the source of the bitfield generator
(../seL4/tools/bitfield_gen.py). Optimising that requires even more complex
proof scripts. Instead of quoting them there, this introduces
lib/BitFieldProofsLib.thy which creates Eisbach methods for discharging some
relevant proof obligations. These can be tweaked without adjusting the
bitfield generator.
This approach could be taken a lot further to simplify the bitfield generator
further.
2016-03-17 15:54:24 +11:00
d7fd88727a
SELFOUR-420: Verification of maxIRQ check in handle_interrupt.
2016-03-17 11:20:52 +11:00
b679b00f97
arch_split: initial attempt at redefining invariants to avoid changing too many proofs
2016-03-04 19:03:45 +11:00
5e2f9a5e7c
arch_split: change caps_of_state to be explicit projection f caps_of_state
2016-03-04 19:03:45 +11:00
b88de8b2e2
arch_split: trivial fixup SpecCheck inconsistency
2016-03-03 16:01:15 +11:00
8042994eec
arch_split: fix namespacing for DSpec and SepTacticsExamples
2016-03-03 14:56:43 +11:00
8cc95bfb8e
arch_split: merge master into arch_split
2016-03-01 11:30:47 +11:00
3144c4d847
Remove time limits from Isabelle ROOT files.
2016-02-29 14:52:37 +11:00
6f6c58168c
SELFOUR-56: Remove diminish rights from IPC
2016-02-24 13:24:10 +11:00
d107cb6758
arch_split: halfway into KHeap_AI
2016-02-22 17:48:52 +11:00
5772559915
regression: bump timeouts further. All timeouts now multiples of 1hr.
2016-02-22 17:38:35 +11:00
84d2889d45
Isabelle2016: merge master into 2016
2016-02-19 16:17:26 +11:00
df8261c121
arch_split: split up Invariants_AI
2016-02-17 16:36:29 +11:00
91b9490d0a
l4v-sabre: regenerate haskell-spec
2016-02-17 11:18:03 +11:00
0d260252ff
l4v-sabre: rebase and fix proofs to infoflow
2016-02-17 11:18:02 +11:00
bc73b112bd
l4v-sabre: change type of irq to be 10 word
2016-02-17 11:18:02 +11:00
50fa257113
rebase and fix problems caused by new machine constants
2016-02-17 11:18:02 +11:00
c45f88745c
l4v-sabre: minor fix on dmo_ackInterrupt and foldME
2016-02-17 11:18:02 +11:00
bee4ba0052
l4v-sabre: fix refine
2016-02-17 11:18:02 +11:00
c1574f1f32
cspec: build: avoid re-entering isabelle via dash-0.5.8
2016-02-17 11:04:20 +11:00
c65e290a8b
Isabelle2016: merge master into 2016
2016-02-16 12:52:24 +11:00
1018d01b6f
arch_split: More namespacing progress and invariant splitting. Checks halfway into Invariants_AI
2016-02-05 17:00:06 +11:00
9718f1bda2
arch_split: progress on namespacing abstract spec
2016-02-05 16:59:18 +11:00
1d0366ac5e
msi: Restructure IOAPIC, MSI interrupts for x86, fix up ARM proofs for new API
2016-02-02 15:57:28 +11:00
253b04f6d9
regression: use CPU instead of real-time timeouts for all tests.
...
Also update and clarify test spec documentation.
2016-02-01 19:51:13 +11:00
b287127924
DRefine and DPolicy finished (includes a small change in ASpec)
2016-01-29 07:11:11 +11:00
0063075ba4
Merge remote-tracking branch 'verification/master' into arch_split
2016-01-28 18:26:53 +11:00
671c5673bd
more fixes in DRefine: some changes in proofs involving uint / unat
2016-01-28 14:07:42 +11:00
a1f23e5b28
arch_split: DRefine now builds
2016-01-25 18:42:27 +11:00
080268851a
fix CRefine after shared_types got moved
2016-01-22 11:51:49 +11:00
c282969c54
Merge remote-tracking branch 'verification/master' into arch_split
2016-01-21 10:22:48 +11:00
b214ac035f
resurrected "defs" command for Isabelle2016-RC1
2016-01-18 15:10:47 +11:00
c0173e2e85
archirq: bump kernel version
2016-01-18 11:50:10 +11:00
cb4cb4201c
archirq: bump haskell kernel version
2016-01-18 10:30:24 +11:00
efb4c61816
archirq: Remove redundant invocation, renamed
...
arch_decode_interrupt_control.
2016-01-14 17:50:33 +11:00
fad2c6aae9
paramatrised abstract and haskell specs over L4V_ARCH
...
Haskell translator was modified to support multiple translations
of the haskell, with different build parameters.
2016-01-13 12:01:40 +11:00
7b1d4a12a6
SELFOUR-114: remove duplicated message_info struct
2016-01-11 14:13:13 +11:00
02cfe4d009
ASpec
2016-01-10 17:48:49 +11:00
d92666bc30
regression: remove forceful build options from CSpec makefiles. They don't seem to be needed.
2016-01-07 18:39:50 +11:00
3c4b566484
regression: fix tests.xml dependencies to be consistent with ROOTs.
2016-01-07 18:39:50 +11:00
1ccd4f5dcc
conversion: Rationalise standard types
2015-12-10 21:24:22 +11:00
043a69c81b
Fix Orphanage from array changes, refactor.
...
Some generalisation is done in finaliseSlot_invs'' to avoid
duplicating it in Orphanage and PageTableDuplicates.
Finally cleanup in haskell translation.
2015-12-02 09:15:32 +11:00
7e40646c48
Proof up to Fastpath_C.
...
The very last twist of this: the proof that resolveAddressBits can
be seen as functional needs to change, a lot, because it's now
sensitive to gsCNodes. Still working on that.
2015-12-02 09:07:49 +11:00
4fd43512bb
WIP on handling array assertions. Up to Retype_C.
...
This is quite a lot of work in the end. I've had to gut most of
Retype_C along the way. Nearly done there.
2015-12-02 09:06:06 +11:00
6fa0909124
Partial progress on using array assertions.
2015-12-02 09:05:04 +11:00
0f2d557679
terminology in comments: async ep -> notifications
2015-11-24 16:58:22 +13:00
00bfafe2f5
Wait -> Recv: update specs
2015-11-20 16:02:14 +11:00
8fb2dc2b15
Wait -> Recv: haskell update
2015-11-20 16:02:13 +11:00
457a55a831
add arch_tcb object to C, rename aep -> ntfn
2015-11-20 16:02:13 +11:00
05c6abc751
removed unused (and outdated) constants
2015-11-13 15:24:36 +11:00
d51402a5a2
Merge remote-tracking branch 'verification/master' into priority-bitmap
...
(seL4_NBWait)
2015-10-21 16:23:01 +11:00
e403eb8f0a
poll: added non blocking sync wait
2015-10-21 14:24:49 +11:00
d6f7579be7
poll: Added new syscall for polling async endpoints (non-blocking wait)
2015-10-21 14:24:49 +11:00
c1eb235105
Merge 'verification/master' into priority-bitmap
...
Green build except for:
CParserTest (WTF Duplicate fact declaration "dc_20081211.dc_20081211.test_modifies")
AutoCorresSEL4 (waiting on result)
There is still a carefully managed sorry in Schedule_R, waiting on the C
parser FNSPEC+DONT_TRANSLATE fix.
2015-10-21 06:19:20 +11:00
2a9d3022f2
priority-bitmap: Update abstract->Haskell refinement
...
Added word_log2 and word_clz (inline for now, will migrate them out to
lib later).
Proved most important properties of word_log2 and some basic
count leading zeros properties (word_clz). The former were painful.
Thanks to Thomas, we have a nice tactic for dealing with complicated
obj_at' predicates in conclusion: normalise_obj_at'
2015-10-20 23:40:44 +11:00
d28994d860
Consistently use /usr/bin/env to invoke python
2015-10-13 16:42:53 +11:00
1060eb664a
fix typo in Syscall_A.thy documentation
2015-10-13 16:41:04 +11:00
c8d0692008
sys-init now checks
2015-09-22 12:14:27 +10:00
dab3914e95
change sending on a bound async ipc to avoid revoke_cap
2015-09-21 17:18:37 +10:00
1ae434b9d5
aep-binding: attempted progress on Bisim, 1 sorry remains
...
assumptions include aep_obj aep = IdleAEP and aep_bound_tcb aep = Some
x, which I guess is probably a contradiction, but I don't know how to
prove that.
2015-09-17 17:55:57 +10:00
8467425906
aep-binding: fixed ASepSpec
2015-09-16 15:30:19 +10:00
f117c99903
aep-binding: updated AInvs, Access, Refine for new decodeBindAEP
2015-09-15 16:31:14 +10:00
5babd2ce21
aep-binding: restructured decode_bind_aep for infoflow
2015-09-15 16:31:13 +10:00
0fb88ea01c
Merge branch 'master' into aep-merge
...
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
2015-09-10 17:06:45 +10:00
d88a931ec7
history squashed patch for aep-binding
2015-09-02 15:43:39 +10:00
3372cd32a8
SELFOUR-220: When calling handleWait, only delete the
...
TCB's ReplyCap when actually waiting on a synchronous
endpoint.
2015-07-23 14:45:17 +10:00
b5f796184a
Repair spec/refine, I think.
2015-07-15 17:25:47 +10:00
b7bb3666f4
Update haskell for proving WCET annotations.
2015-07-14 14:23:29 +10:00
ca4391881c
WIP on WCET annotations.
2015-07-14 14:23:29 +10:00
9882205e15
Most recent version of subgoal focus tools
2015-07-08 15:44:33 +10:00
80897b5bbc
spec: tabs -> spaces
2015-05-28 14:03:53 +10:00
cfec9ea0db
Merge branch 'master' into 2015
2015-05-28 11:45:13 +10:00
bd0f0c29d1
small fixes on haskell translator and haskell spec templates
2015-05-28 11:30:22 +10:00
7b6ddc5212
updated translated haskell spec
2015-05-28 11:30:22 +10:00
002cf370bb
Updated proof with new fastpath changes removing setCurrentASID and armv_contextSwitch_fp
2015-05-28 11:30:22 +10:00
ca88de6611
Merge from master.
2015-05-26 07:47:54 +10:00
221cb74dd5
Fix: Description of `SORRY_BITFIELD_PROOFS` in cspec README.
...
The kernel's Makefile expects this value to be `1` and will incorrectly detect
`yes` as a directive *not* to sorry these proofs.
2015-05-19 12:27:37 +10:00
e09f88d2e7
2015 update for CBaseRefine
2015-05-17 10:42:15 +10:00
12fa86863a
fewer warnings
2015-05-16 19:52:49 +10:00
e4b54fea78
capDL spec: fewer warnings
2015-05-09 13:05:01 +02:00
277ecdf2bb
remove syntax ambiguity
2015-05-09 13:04:11 +02:00
17826f9b49
more Isabelle2015 update; AInvs up to (excluding) Syscall_AI
...
also includes some global replacements
2015-04-18 21:51:26 +01:00
190e7c38d6
start work on Isabelle 2015 update
2015-04-17 16:19:32 +01:00
22af66555c
remove even arch calls from separation kernel setup
...
(patch by Simon Winwood)
2015-04-10 17:39:24 +10:00
a221a52350
Added new proofcount tool to "tools" and removed old one from "lib".
...
Removed reference to old proof_counting from proof/ROOT and spec/ROOT
2015-02-11 17:46:34 +11:00
2b23652b5e
cspec: Check CPP exists and fallback on native CPP if possible.
2015-01-22 13:36:53 +11:00
7e7d39c24e
enable XN in abstract spec; update AInvs and Refine
2014-11-28 08:58:57 +11:00
21e7e33878
import Haskell version of XN patch
2014-11-28 08:58:57 +11:00
e4d8fb5dba
GHC 7.8 update (bitSize -> finiteBitSize)
2014-11-28 08:58:57 +11:00
fe14c7c456
Make toPAddr and fromPAddr input abbreviations (not abbreviations).
...
This stops every instance of "id" becoming "fromPAddr" in goals.
2014-10-24 16:26:19 +11:00
3fb7f99d55
make-spec: Avoid generating unnecessary whitespace in instance proofs.
2014-10-21 21:36:27 +11:00
7521fa080b
spec: Remove excessive strings of newlines.
2014-10-21 10:42:43 +11:00
8e427dcb3b
Renovate StaticFun a bit.
...
The functor is gone, and instead StaticFun exports two more general
operators, one for defining a partial map by a tree, and one for
extracting the theorems from an existing partial map definition.
The extraction process uses simplification in a more conservative
manner than before, and is guaranteed to produce exactly the
expected theorems.
2014-09-23 14:40:31 +10:00
0c004d2a93
Merge branch 'master' into 'isabelle-2014'.
...
Conflicts:
proof/drefine/Arch_DR.thy
proof/drefine/Finalise_DR.thy
proof/drefine/StateTranslation_D.thy
sys-init/DuplicateCaps_SI.thy
sys-init/Proof_SI.thy
tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-23 14:31:33 +10:00
ea58753cd7
Merge branch 'cdl_page_map_cancel'
...
Merge in the setting of registers and the starting of threads in the system initialser.
2014-09-18 17:21:17 +10:00
2b7b258997
sys-init: Prove the starting of threads is done correctly.
...
We no longer assume the starting of threads, but prove it correct
(assuming the behaviour of the scheduler).
2014-09-18 12:30:04 +10:00
cf0d1abce6
Merge 'master' into 'isabelle-2014'.
...
Conflicts:
proof/crefine/Fastpath_C.thy
proof/drefine/KHeap_DR.thy
proof/infoflow/Noninterference.thy
spec/design/version
sys-init/DuplicateCaps_SI.thy
sys-init/InitTCB_SI.thy
sys-init/Proof_SI.thy
tools/asmrefine/SimplExport.thy
tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-17 14:21:13 +10:00
0199c5c19c
Fix seL4_TCB_Resume
2014-09-12 15:28:47 +10:00
5015f53d95
fix seL4_TCB_WriteRegisters
2014-09-10 17:30:35 +10:00
47662af345
fix DSpecProofs
2014-09-09 15:57:52 +10:00
7167ea42ac
CapDL: Made IRQ Nodes a new object type, not a small CNode.
...
IRQ Nodes are now their own object type in capDL. This makes it much easier
to distinguish between "real" CNodes and IRQ Nodes.
Updated:
* the capDL refinement,
* the access proofs, and
* the system initialiser.
2014-09-09 14:07:50 +10:00
77dd554227
page_map_unmap_cancel : cdl spec changed and drefine fixed.
2014-09-05 14:48:22 +10:00
7693e1fadc
TakeGrant: Rename a couple of constants to make things clearer.
...
has_at_least => cap_in_caps
has_at_most => caps_dominated_by
2014-09-04 14:13:46 +10:00
a5f2cab271
Merge branch 'master' into ioapic
2014-09-02 11:13:55 +10:00
8fa6226ecc
ioapic: fixed specs for change to 14 bit FSR
2014-09-01 16:41:33 +10:00
caf0529c7f
Move burden of 'halt' proof, use less modifies.
...
In detail:
- add a general user-specified exception to c_exntype
(for use in tools like Substitute)
- wrap calls to 'halt' in Guard {}, making it clearer that
halt is never called, simplifying asmrefine
- repair halt changes in crefine
- avoid use of some suspicious 'modifies' properties in crefine
which were generated by the parser for functions where inline
ASM blocks have been elided, and which may be inaccurate.
2014-08-29 13:57:28 +10:00
b3e2eb1f9d
ioapic: finished up to InfoFlowC
2014-08-28 15:56:26 +10:00
8d11a22f5b
ioapic: first abstract spec
2014-08-22 16:24:40 +10:00
f1d808c96a
integrate separation kernel config proofs
...
Hooked up into build system and regression test; added READMEs
2014-08-13 22:08:46 +10:00
3556bee2dc
github import of static cap config proofs
2014-08-13 15:31:21 +10:00
12b1b0d16f
move isAligned to HaskellLib
...
Isabelle2014 doesn't like defs to be less general than the consts declaration.
2014-08-09 15:59:24 +10:00
1af1d2b67b
some of the global Isabelle2014 renames
...
option_case -> case_option
sum_case -> case_sum
prod_case -> case_prod
Option.set -> set_option
Option.map -> map_option
option_rel -> rel_option
list_all2_def -> list_all2_iff
map.simps -> list.map
tl.simps -> list.sel(2-3)
the.simps -> option.sel
2014-08-09 15:39:20 +10:00
954492534c
ported ASpec to Isabelle2014-RC0
2014-08-09 15:00:18 +10:00
ef7ba847c0
bump API version
2014-07-28 11:10:47 +02:00
71ad3eed07
Update a comment in the capDL spec.
2014-07-28 17:45:50 +10:00
0fb7a8084d
misc: Proofing and formatting of README.md files.
...
Attempt to improve readability of the files when viewed as plain ASCII;
proof-read and fix minor issues.
2014-07-28 13:15:48 +10:00
4326d30cdc
the other README files for spec/
2014-07-22 19:11:43 -04:00
fc4200f845
README files for spec/
2014-07-22 19:10:10 -04:00
50dda7708c
comment cleanup
2014-07-22 18:10:20 +02:00
acf0abe16a
Cleanup of a number of definitions of the separation algebra for capDL.
...
* The definitions of the separation "arrows" is slightly nicer and more consistent.
- We have a nicer correspondence between sep_map_c and sep_map_s.
- sep_map_irq now specifies exactly what the IRQ table contains
(that it *only* has one entry, not that it contains at least that entry).
- Nicer LaTeX output for the arrows.
* A number of minor renaming of constants and types.
- cdl_component => cdl_component_id
- sep_entity => cdl_component
- state_sep_projection => sep_state_projection
- obj_to_sep_state => object_to_sep_state
* Removed a few unused lemmas.
2014-07-22 14:37:37 +10:00
36588c4359
Minor cleanup of proofs in the Take/Grant security model.
2014-07-22 14:36:53 +10:00
1273b8aac8
fix haskell version generation
2014-07-21 11:18:14 +02:00
9d9a325032
Updates for getpaddr system call (by Joel Beeren)
2014-07-18 17:21:34 +02:00
84595f4233
release cleanup
2014-07-17 18:22:50 +02:00
2a03e81df4
Import release snapshot.
2014-07-14 21:32:44 +02:00
Rafal Kolanski
Joel Beeren
Matthew Brecknell
Gerwin Klein
Miki Tanaka
Xin,Gao
Gerwin Klein
Alejandro Gomez-Londono
Ramana Kumar
Thomas Sewell
Sophie Taylor
Matthew Brecknell
Corey Richardson
Japheth Lim
Daniel Matichuk
Sophie Taylor
Xin Gao
Corey Richardson
Nickolai Zeldovich
Gao Xin
Matthew Fernandez
Andrew Boyton
David Greenaway
Gao Xin
Corey Lewis