74adb7a283
SELFOUR-444: Avoid unnecessary cache clears.
...
Adjust both specs and propagate the changes.
2016-11-02 11:19:09 +11:00
7ebefa69ab
SELFOUR-444: Work on untyped zero invariant.
...
The invariant just proves that the ghost field is up to date.
2016-11-02 11:19:09 +11:00
6ad456ca03
SELFOUR-444: Adjust Haskell, new ghost data.
...
The new ghost data is saved in the design spec when Untyped caps
are modified and will be used by CRefine.
2016-11-02 11:19:09 +11:00
69f7be9917
SELFOUR-444: Initial updates to capDL spec.
2016-11-02 11:19:09 +11:00
d765a64b81
SELFOUR-444: Haskell implementation, begin refine.
...
First attempt at a haskell implementation of preemptible retyping
and the refinement proof to abstract.
2016-11-02 11:19:08 +11:00
f32e2ca0f5
SELFOUR-444: Abstract implementation.
...
Abstract implementation of preemptible retyping.
2016-11-02 11:19:08 +11:00
1a6e362598
x64: added more machine definitions
2016-10-26 16:42:50 +11:00
b8048726a6
X64: added dummy VMPML4E to vm_page_entry.
...
needs to be reviewed
2016-10-19 10:52:46 +11:00
0b4372e98b
x64: Removed unnecessary ASID from PageMap invocation
2016-10-14 16:44:42 +11:00
991dd30173
x64: port device-untyped from ARM
2016-10-10 13:26:40 +11:00
aafe4b92ce
x64: port MCP from ARM
2016-10-10 13:24:08 +11:00
256e241770
merge master into x64
2016-10-06 19:57:55 +11:00
7989fa4ff1
x64: more progress in ArchVSpace_AI
2016-10-05 18:04:47 +11:00
1edc9ced5f
x64: commented out some IOSpace stuff, added machine op definitions.
2016-10-05 12:02:46 +11:00
a3714e8190
SELFOUR-276: Finish proofs for maximum controlled priority (MCP)
...
To finish the proof of refinement to C, the specification for checkPrio
needed strengthening: the checkPrio spec now takes a machine word
argument. In the spec, priorities are still stored as 8-bit quantities,
however. Once the spec was strenthened, it was possible to remove some
redundant checks and mask operations from the C code.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
b352769016
SELFOUR-276: Prove refinement to Haskell for MCP
...
Also includes fixes to specs and invariants, and initial progress
towards C refinement.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
20539620f9
SELFOUR-276: Add MCP to specs and invariants
...
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
2016-10-05 02:43:41 +11:00
8d4a8eb238
SELFOUR-421: fix coding style
2016-09-22 19:23:28 +10:00
8f3a4dee31
SELFOUR-421: merge with master, fix wholesystem proofs
2016-09-22 19:23:19 +10:00
113315d9a6
SELFOUR-421: merge and fix up to ArmConfidentiality proof
2016-09-22 19:21:56 +10:00
e00e4c4e64
SELFOUR-421: add device bit in UntypedCap and FrameCap in capdl
2016-09-22 19:11:37 +10:00
328846ee1a
SELFOUR-421: crefine builds
2016-09-22 19:11:37 +10:00
c3be923ca0
SELFOUR-421: a defend version before wild changes
2016-09-22 19:11:36 +10:00
ec57875566
SELFOUR-421: new haskell spec after UserDataDevice changes
2016-09-22 19:11:36 +10:00
765d8aa88e
SELFOUR-421: fixed Refine after merge with master
2016-09-22 19:11:36 +10:00
78bd770240
SELFOUR-421: retranslate haskell after merge with master
2016-09-22 19:11:36 +10:00
9617e22ce6
SELFOUR-421: random uncommitted stuff before merge
2016-09-22 19:11:36 +10:00
773684bcd1
SELFOUR-421: retranslate haskell for fixed range check
2016-09-22 19:11:36 +10:00
df877769fc
SELFOUR-421: refine done
2016-09-22 19:11:36 +10:00
3c223b42fe
SELFOUR-421: AInvs done, no added invariants yet
2016-09-22 19:11:29 +10:00
5e16ec5617
SELFOUR-421: first attempt at abstract spec
2016-09-22 19:11:16 +10:00
4c23410f6c
Haskell translator: can keep type constructors.
...
A skeleton line of the form
\#INCLUDE_SETTINGS keep_constructor=asidpool
now ensures that the asidpool type constructor is actually created in
subsequent #INCLUDE_HASKELL declarations. It turns out this feature was already
available, and already used for asidpools, this change just makes it externally
adjustable.
2016-08-25 15:33:19 +10:00
7a5f569a10
x64 invariants: extract word-len-specific parts of update_cap_data (CSpace_A)
2016-08-24 13:39:30 +10:00
5880a317f2
x64 invariants: CSpace_AI checking
...
Includes some changes to the abstract spec:
- replace magic numbers with definitions.
- add missing IOPortCap cases to some definitions.
There is one sorry proof, which I think blast could solve if we
gave it enough time. Will need a more subtle approach.
2016-08-23 07:40:47 +10:00
5b19e2c284
merge master into x64-split
...
This resurrects the ARM architecture on the x64-split branch.
It also brings X64 up-to-date with progress on arch_split.
2016-08-09 18:58:37 +10:00
6b6b8786e8
arch_split: move kernel_base and idle_thread_ptr to arch-specific theories
2016-08-03 14:46:48 +10:00
f9f160ed14
arch_split: replace some fixed word sizes with type aliases
...
Changed some instances of word32 to machine_word, and "10 word" to irq.
Also introduce a type_synonym for "machine_word_len".
2016-08-03 14:46:23 +10:00
975c21054d
x64: remove "isDevice" flags from Haskell specification
...
We will return these when the device-untyped patch is verified and integrated
with the ARM proofs. For now, we want to be able to keep the proofs for the ARM
architecture checking in the x64 branch.
2016-08-02 17:47:58 +10:00
ff3b9be933
x64: reinstate maxIRQ check
...
This was accidentally removed from the Haskell and executable specifications.
2016-08-02 17:20:28 +10:00
bbfc1df601
x64 abstract spec: add some missing cases in ArchVSpace_A unmap operations
...
These had been undefined, causing some crunch commands to fail.
2016-07-27 12:26:53 +10:00
68de1729cd
x64: spec: replaced magic numbers with word_size_bits
2016-07-26 15:37:58 +10:00
574e287cab
x64: spec: reverted bits changes from last commit, was originally correct
2016-07-25 16:49:09 +10:00
c2fa704d9b
add workaround for building documents with TeX Live 2016 [VER-622]
...
Isabelle LaTeX style files use old font commands \bf, \rm, \tt, etc.
However, newer versions of some LaTeX document classes (e.g. scrbook)
have removed support for these commands. This brings back those
commands for documents built with isabelle.sty.
2016-07-22 07:48:08 +10:00
58153f923c
rerun haskell translator, fix design spec
2016-07-22 01:10:29 +10:00
d0d10fa7f3
x64: fixed magic word length number in ArchVSpaceAcc_A
2016-07-21 16:18:17 +10:00
dd73a2c819
run haskell translator
2016-07-21 15:54:49 +10:00
e2c55aa544
run haskell translator
2016-07-20 18:16:23 +10:00
93adccc141
license-tool: missing license headers + .licenseignore [VER-551]
2016-07-14 16:34:31 +10:00
b3c809983b
arch_split: invariants: split Ipc_AI [VER-572]
2016-06-27 17:19:11 +10:00
9c608c62dc
arch_split: Schedule_AI [VER-565]
2016-06-02 14:20:06 +10:00
61d0de297b
x64: arch-ified machine word size to allow substitution for type variables
2016-06-01 13:27:24 +10:00
02824d7599
x64: add x64 haskell code from seL4 repository
2016-06-01 11:52:27 +10:00
9d58764b93
x64: Invariants_AI now processes, removed some arch-specific types
2016-06-01 11:14:43 +10:00
d4f54686f2
x64: ArchInvariants_AI passes except 1 sorried lemma - valid_arch_objs_alt
2016-06-01 11:14:43 +10:00
b95f452ad0
x64: progress in ArchInvariants_AI, up to valid_arch_objs_alt
2016-06-01 11:14:43 +10:00
f2cf12c345
x64: updated ASpec for WordSetup arch-split
2016-06-01 11:14:43 +10:00
8baa7c34ed
x64: retranslate haskell after rebase
2016-06-01 11:12:55 +10:00
21fd88309f
x64: up to lemmas in ArchInvariants_AI
2016-06-01 11:12:55 +10:00
1bc374fbaa
x64 invs: up to vs_refs_pages
2016-06-01 11:12:55 +10:00
73b731562c
x64: add arch_split'd x64 spec with IOMMU stuff
2016-06-01 11:12:55 +10:00
9ccdbfa21e
arch_split: move locale setup to generic theory
2016-05-31 15:14:40 +10:00
40570bc4fe
regression: add test to check theory import paths
...
This commit also fixes all bad imports reported by the test script.
Jira issue VER-560
2016-05-27 16:17:13 +10:00
225a2dbe79
haskell: add .PHONY makefile entries
2016-05-24 16:31:03 +10:00
6ae8d712ec
haskell: reconstruct lost comment from galois-domains merge
2016-05-24 16:31:03 +10:00
3409a92eca
haskell: document the package version constraints
2016-05-24 16:31:03 +10:00
858733c318
haskell: add GHC config var to makefile
...
This allows people with multiple GHCs to select the correct one (7.8).
2016-05-24 16:31:03 +10:00
218f6ccbf3
haskell: add license tag to util script
2016-05-24 16:31:03 +10:00
37fa2f359a
haskell: revert minimum cabal-version
...
GHC 7.8 ships with Cabal 1.18 but the .cabal file asks for >=1.20,
which seems to be unnecessary. This commit reverts to >=1.18.
2016-05-24 14:53:00 +10:00
c71fb4da54
regression: add test for building Haskell kernel
...
Currently requires GHC 7.8.x.
2016-05-24 14:52:51 +10:00
ebc7cbe584
haskell: move Haskell kernel into spec/
2016-05-24 14:18:13 +10:00
6a2692abc6
lib: fix theory includes for arch-splitted WordSetup
2016-05-20 12:31:10 +10:00
80456aa2c7
abstract: reduce syntax ambiguity
2016-05-16 21:11:40 +10:00
322f1023f5
word_lib: adjust theory dependencies
2016-05-16 21:11:40 +10:00
2a6df7a9a3
capDL: remove duplicate wordbits
2016-05-16 21:11:40 +10:00
445efb7c29
lib: closure for Word_Lib and own session
2016-05-16 21:11:40 +10:00
f0faa90f8a
lib/spec/proof/tools: fix word change fallout
2016-05-16 21:11:40 +10:00
7e37215bd2
arch_split: add extend_locale to base import
2016-05-06 18:37:16 +10:00
bb0644beaa
arch_split: merge master
2016-05-06 16:44:43 +10:00
56b226a608
arch_split: CRefine: use requalify instead of shadow
2016-05-06 08:59:33 +10:00
9ceed1eb12
arch_split: fix proofs after removing shadow and unqualify commands and adding fix for crunch. Checks up to DPolicy.
2016-05-04 15:14:41 +10:00
670d1c118d
arch_split: added optional definition override for crunch. Reduced qualification commands to minimal required set.
2016-05-04 15:14:41 +10:00
a2135ca8ce
arch_split: Refine checking, including Orphanage
2016-04-30 16:25:20 +10:00
0c3a12771d
arch_split: merge master
2016-04-28 14:36:43 +10:00
0e5ffd1ea0
arch_split: requalify abstract theories
2016-04-27 18:46:16 +10:00
1d20b393c0
arch_split: replaced sublocale with global_naming
2016-04-27 14:32:38 +10:00
8ab955984f
arch_split: CSpec checking
2016-04-26 13:45:59 +10:00
3191c485d5
arch_split: added ARM_A and ARM_H locales
2016-04-20 17:31:45 +10:00
04362dba27
arch_split: some quick and dirty arch_splitting by selectively interpreting the ARM locale (with FIXMEs)
2016-04-07 17:05:14 +10:00
72337faa7b
arch_split: added namespacing to ExecSpec
2016-04-01 15:17:17 +11:00
144778e8eb
arch_split: avoid caching file_defs in translator to make CONTEXT environment function as expected
2016-04-01 15:09:34 +11:00
d0a29887ff
arch_split: checkpoint for namespacing haskell
2016-04-01 15:09:34 +11:00
f89279e381
arch_split: reworking predicates about arch objects and types
2016-03-24 17:24:14 +11:00
f2cc8d7c0f
arch_split: invariants: progress in ArchADT_AI
2016-03-18 13:08:26 +11:00
7e9b8224ee
Factor out bitfield proof text into Eisbach lib.
...
There's a lot of proof text quoted into the source of the bitfield generator
(../seL4/tools/bitfield_gen.py). Optimising that requires even more complex
proof scripts. Instead of quoting them there, this introduces
lib/BitFieldProofsLib.thy which creates Eisbach methods for discharging some
relevant proof obligations. These can be tweaked without adjusting the
bitfield generator.
This approach could be taken a lot further to simplify the bitfield generator
further.
2016-03-17 15:54:24 +11:00
d7fd88727a
SELFOUR-420: Verification of maxIRQ check in handle_interrupt.
2016-03-17 11:20:52 +11:00
b679b00f97
arch_split: initial attempt at redefining invariants to avoid changing too many proofs
2016-03-04 19:03:45 +11:00
5e2f9a5e7c
arch_split: change caps_of_state to be explicit projection f caps_of_state
2016-03-04 19:03:45 +11:00
b88de8b2e2
arch_split: trivial fixup SpecCheck inconsistency
2016-03-03 16:01:15 +11:00
8042994eec
arch_split: fix namespacing for DSpec and SepTacticsExamples
2016-03-03 14:56:43 +11:00
8cc95bfb8e
arch_split: merge master into arch_split
2016-03-01 11:30:47 +11:00
3144c4d847
Remove time limits from Isabelle ROOT files.
2016-02-29 14:52:37 +11:00
6f6c58168c
SELFOUR-56: Remove diminish rights from IPC
2016-02-24 13:24:10 +11:00
d107cb6758
arch_split: halfway into KHeap_AI
2016-02-22 17:48:52 +11:00
5772559915
regression: bump timeouts further. All timeouts now multiples of 1hr.
2016-02-22 17:38:35 +11:00
84d2889d45
Isabelle2016: merge master into 2016
2016-02-19 16:17:26 +11:00
df8261c121
arch_split: split up Invariants_AI
2016-02-17 16:36:29 +11:00
91b9490d0a
l4v-sabre: regenerate haskell-spec
2016-02-17 11:18:03 +11:00
0d260252ff
l4v-sabre: rebase and fix proofs to infoflow
2016-02-17 11:18:02 +11:00
bc73b112bd
l4v-sabre: change type of irq to be 10 word
2016-02-17 11:18:02 +11:00
50fa257113
rebase and fix problems caused by new machine constants
2016-02-17 11:18:02 +11:00
c45f88745c
l4v-sabre: minor fix on dmo_ackInterrupt and foldME
2016-02-17 11:18:02 +11:00
bee4ba0052
l4v-sabre: fix refine
2016-02-17 11:18:02 +11:00
c1574f1f32
cspec: build: avoid re-entering isabelle via dash-0.5.8
2016-02-17 11:04:20 +11:00
c65e290a8b
Isabelle2016: merge master into 2016
2016-02-16 12:52:24 +11:00
1018d01b6f
arch_split: More namespacing progress and invariant splitting. Checks halfway into Invariants_AI
2016-02-05 17:00:06 +11:00
9718f1bda2
arch_split: progress on namespacing abstract spec
2016-02-05 16:59:18 +11:00
1d0366ac5e
msi: Restructure IOAPIC, MSI interrupts for x86, fix up ARM proofs for new API
2016-02-02 15:57:28 +11:00
253b04f6d9
regression: use CPU instead of real-time timeouts for all tests.
...
Also update and clarify test spec documentation.
2016-02-01 19:51:13 +11:00
b287127924
DRefine and DPolicy finished (includes a small change in ASpec)
2016-01-29 07:11:11 +11:00
0063075ba4
Merge remote-tracking branch 'verification/master' into arch_split
2016-01-28 18:26:53 +11:00
671c5673bd
more fixes in DRefine: some changes in proofs involving uint / unat
2016-01-28 14:07:42 +11:00
a1f23e5b28
arch_split: DRefine now builds
2016-01-25 18:42:27 +11:00
080268851a
fix CRefine after shared_types got moved
2016-01-22 11:51:49 +11:00
c282969c54
Merge remote-tracking branch 'verification/master' into arch_split
2016-01-21 10:22:48 +11:00
b214ac035f
resurrected "defs" command for Isabelle2016-RC1
2016-01-18 15:10:47 +11:00
c0173e2e85
archirq: bump kernel version
2016-01-18 11:50:10 +11:00
cb4cb4201c
archirq: bump haskell kernel version
2016-01-18 10:30:24 +11:00
efb4c61816
archirq: Remove redundant invocation, renamed
...
arch_decode_interrupt_control.
2016-01-14 17:50:33 +11:00
fad2c6aae9
paramatrised abstract and haskell specs over L4V_ARCH
...
Haskell translator was modified to support multiple translations
of the haskell, with different build parameters.
2016-01-13 12:01:40 +11:00
7b1d4a12a6
SELFOUR-114: remove duplicated message_info struct
2016-01-11 14:13:13 +11:00
02cfe4d009
ASpec
2016-01-10 17:48:49 +11:00
d92666bc30
regression: remove forceful build options from CSpec makefiles. They don't seem to be needed.
2016-01-07 18:39:50 +11:00
3c4b566484
regression: fix tests.xml dependencies to be consistent with ROOTs.
2016-01-07 18:39:50 +11:00
1ccd4f5dcc
conversion: Rationalise standard types
2015-12-10 21:24:22 +11:00
043a69c81b
Fix Orphanage from array changes, refactor.
...
Some generalisation is done in finaliseSlot_invs'' to avoid
duplicating it in Orphanage and PageTableDuplicates.
Finally cleanup in haskell translation.
2015-12-02 09:15:32 +11:00
7e40646c48
Proof up to Fastpath_C.
...
The very last twist of this: the proof that resolveAddressBits can
be seen as functional needs to change, a lot, because it's now
sensitive to gsCNodes. Still working on that.
2015-12-02 09:07:49 +11:00
4fd43512bb
WIP on handling array assertions. Up to Retype_C.
...
This is quite a lot of work in the end. I've had to gut most of
Retype_C along the way. Nearly done there.
2015-12-02 09:06:06 +11:00
6fa0909124
Partial progress on using array assertions.
2015-12-02 09:05:04 +11:00
0f2d557679
terminology in comments: async ep -> notifications
2015-11-24 16:58:22 +13:00
00bfafe2f5
Wait -> Recv: update specs
2015-11-20 16:02:14 +11:00
8fb2dc2b15
Wait -> Recv: haskell update
2015-11-20 16:02:13 +11:00
457a55a831
add arch_tcb object to C, rename aep -> ntfn
2015-11-20 16:02:13 +11:00
05c6abc751
removed unused (and outdated) constants
2015-11-13 15:24:36 +11:00
d51402a5a2
Merge remote-tracking branch 'verification/master' into priority-bitmap
...
(seL4_NBWait)
2015-10-21 16:23:01 +11:00
e403eb8f0a
poll: added non blocking sync wait
2015-10-21 14:24:49 +11:00
d6f7579be7
poll: Added new syscall for polling async endpoints (non-blocking wait)
2015-10-21 14:24:49 +11:00
c1eb235105
Merge 'verification/master' into priority-bitmap
...
Green build except for:
CParserTest (WTF Duplicate fact declaration "dc_20081211.dc_20081211.test_modifies")
AutoCorresSEL4 (waiting on result)
There is still a carefully managed sorry in Schedule_R, waiting on the C
parser FNSPEC+DONT_TRANSLATE fix.
2015-10-21 06:19:20 +11:00
2a9d3022f2
priority-bitmap: Update abstract->Haskell refinement
...
Added word_log2 and word_clz (inline for now, will migrate them out to
lib later).
Proved most important properties of word_log2 and some basic
count leading zeros properties (word_clz). The former were painful.
Thanks to Thomas, we have a nice tactic for dealing with complicated
obj_at' predicates in conclusion: normalise_obj_at'
2015-10-20 23:40:44 +11:00
d28994d860
Consistently use /usr/bin/env to invoke python
2015-10-13 16:42:53 +11:00
1060eb664a
fix typo in Syscall_A.thy documentation
2015-10-13 16:41:04 +11:00
c8d0692008
sys-init now checks
2015-09-22 12:14:27 +10:00
dab3914e95
change sending on a bound async ipc to avoid revoke_cap
2015-09-21 17:18:37 +10:00
1ae434b9d5
aep-binding: attempted progress on Bisim, 1 sorry remains
...
assumptions include aep_obj aep = IdleAEP and aep_bound_tcb aep = Some
x, which I guess is probably a contradiction, but I don't know how to
prove that.
2015-09-17 17:55:57 +10:00
8467425906
aep-binding: fixed ASepSpec
2015-09-16 15:30:19 +10:00
f117c99903
aep-binding: updated AInvs, Access, Refine for new decodeBindAEP
2015-09-15 16:31:14 +10:00
5babd2ce21
aep-binding: restructured decode_bind_aep for infoflow
2015-09-15 16:31:13 +10:00
0fb88ea01c
Merge branch 'master' into aep-merge
...
This commit should at least remove merge conflict markers, and the idea
is that at least refine, crefine, drefine, and infoflow (with sorrys)
build. Subsequent commits may be required to fix build issues that I
have not picked up.
2015-09-10 17:06:45 +10:00
d88a931ec7
history squashed patch for aep-binding
2015-09-02 15:43:39 +10:00
3372cd32a8
SELFOUR-220: When calling handleWait, only delete the
...
TCB's ReplyCap when actually waiting on a synchronous
endpoint.
2015-07-23 14:45:17 +10:00
b5f796184a
Repair spec/refine, I think.
2015-07-15 17:25:47 +10:00
b7bb3666f4
Update haskell for proving WCET annotations.
2015-07-14 14:23:29 +10:00
ca4391881c
WIP on WCET annotations.
2015-07-14 14:23:29 +10:00
9882205e15
Most recent version of subgoal focus tools
2015-07-08 15:44:33 +10:00
80897b5bbc
spec: tabs -> spaces
2015-05-28 14:03:53 +10:00
cfec9ea0db
Merge branch 'master' into 2015
2015-05-28 11:45:13 +10:00
bd0f0c29d1
small fixes on haskell translator and haskell spec templates
2015-05-28 11:30:22 +10:00
7b6ddc5212
updated translated haskell spec
2015-05-28 11:30:22 +10:00
002cf370bb
Updated proof with new fastpath changes removing setCurrentASID and armv_contextSwitch_fp
2015-05-28 11:30:22 +10:00
ca88de6611
Merge from master.
2015-05-26 07:47:54 +10:00
221cb74dd5
Fix: Description of `SORRY_BITFIELD_PROOFS` in cspec README.
...
The kernel's Makefile expects this value to be `1` and will incorrectly detect
`yes` as a directive *not* to sorry these proofs.
2015-05-19 12:27:37 +10:00
e09f88d2e7
2015 update for CBaseRefine
2015-05-17 10:42:15 +10:00
12fa86863a
fewer warnings
2015-05-16 19:52:49 +10:00
e4b54fea78
capDL spec: fewer warnings
2015-05-09 13:05:01 +02:00
277ecdf2bb
remove syntax ambiguity
2015-05-09 13:04:11 +02:00
17826f9b49
more Isabelle2015 update; AInvs up to (excluding) Syscall_AI
...
also includes some global replacements
2015-04-18 21:51:26 +01:00
190e7c38d6
start work on Isabelle 2015 update
2015-04-17 16:19:32 +01:00
22af66555c
remove even arch calls from separation kernel setup
...
(patch by Simon Winwood)
2015-04-10 17:39:24 +10:00
a221a52350
Added new proofcount tool to "tools" and removed old one from "lib".
...
Removed reference to old proof_counting from proof/ROOT and spec/ROOT
2015-02-11 17:46:34 +11:00
2b23652b5e
cspec: Check CPP exists and fallback on native CPP if possible.
2015-01-22 13:36:53 +11:00
7e7d39c24e
enable XN in abstract spec; update AInvs and Refine
2014-11-28 08:58:57 +11:00
21e7e33878
import Haskell version of XN patch
2014-11-28 08:58:57 +11:00
e4d8fb5dba
GHC 7.8 update (bitSize -> finiteBitSize)
2014-11-28 08:58:57 +11:00
fe14c7c456
Make toPAddr and fromPAddr input abbreviations (not abbreviations).
...
This stops every instance of "id" becoming "fromPAddr" in goals.
2014-10-24 16:26:19 +11:00
3fb7f99d55
make-spec: Avoid generating unnecessary whitespace in instance proofs.
2014-10-21 21:36:27 +11:00
7521fa080b
spec: Remove excessive strings of newlines.
2014-10-21 10:42:43 +11:00
8e427dcb3b
Renovate StaticFun a bit.
...
The functor is gone, and instead StaticFun exports two more general
operators, one for defining a partial map by a tree, and one for
extracting the theorems from an existing partial map definition.
The extraction process uses simplification in a more conservative
manner than before, and is guaranteed to produce exactly the
expected theorems.
2014-09-23 14:40:31 +10:00
0c004d2a93
Merge branch 'master' into 'isabelle-2014'.
...
Conflicts:
proof/drefine/Arch_DR.thy
proof/drefine/Finalise_DR.thy
proof/drefine/StateTranslation_D.thy
sys-init/DuplicateCaps_SI.thy
sys-init/Proof_SI.thy
tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-23 14:31:33 +10:00
ea58753cd7
Merge branch 'cdl_page_map_cancel'
...
Merge in the setting of registers and the starting of threads in the system initialser.
2014-09-18 17:21:17 +10:00
2b7b258997
sys-init: Prove the starting of threads is done correctly.
...
We no longer assume the starting of threads, but prove it correct
(assuming the behaviour of the scheduler).
2014-09-18 12:30:04 +10:00
cf0d1abce6
Merge 'master' into 'isabelle-2014'.
...
Conflicts:
proof/crefine/Fastpath_C.thy
proof/drefine/KHeap_DR.thy
proof/infoflow/Noninterference.thy
spec/design/version
sys-init/DuplicateCaps_SI.thy
sys-init/InitTCB_SI.thy
sys-init/Proof_SI.thy
tools/asmrefine/SimplExport.thy
tools/autocorres/tests/examples/SchorrWaite.thy
2014-09-17 14:21:13 +10:00
0199c5c19c
Fix seL4_TCB_Resume
2014-09-12 15:28:47 +10:00
5015f53d95
fix seL4_TCB_WriteRegisters
2014-09-10 17:30:35 +10:00
47662af345
fix DSpecProofs
2014-09-09 15:57:52 +10:00
7167ea42ac
CapDL: Made IRQ Nodes a new object type, not a small CNode.
...
IRQ Nodes are now their own object type in capDL. This makes it much easier
to distinguish between "real" CNodes and IRQ Nodes.
Updated:
* the capDL refinement,
* the access proofs, and
* the system initialiser.
2014-09-09 14:07:50 +10:00
77dd554227
page_map_unmap_cancel : cdl spec changed and drefine fixed.
2014-09-05 14:48:22 +10:00
7693e1fadc
TakeGrant: Rename a couple of constants to make things clearer.
...
has_at_least => cap_in_caps
has_at_most => caps_dominated_by
2014-09-04 14:13:46 +10:00
a5f2cab271
Merge branch 'master' into ioapic
2014-09-02 11:13:55 +10:00
8fa6226ecc
ioapic: fixed specs for change to 14 bit FSR
2014-09-01 16:41:33 +10:00
caf0529c7f
Move burden of 'halt' proof, use less modifies.
...
In detail:
- add a general user-specified exception to c_exntype
(for use in tools like Substitute)
- wrap calls to 'halt' in Guard {}, making it clearer that
halt is never called, simplifying asmrefine
- repair halt changes in crefine
- avoid use of some suspicious 'modifies' properties in crefine
which were generated by the parser for functions where inline
ASM blocks have been elided, and which may be inaccurate.
2014-08-29 13:57:28 +10:00
b3e2eb1f9d
ioapic: finished up to InfoFlowC
2014-08-28 15:56:26 +10:00
8d11a22f5b
ioapic: first abstract spec
2014-08-22 16:24:40 +10:00
f1d808c96a
integrate separation kernel config proofs
...
Hooked up into build system and regression test; added READMEs
2014-08-13 22:08:46 +10:00
3556bee2dc
github import of static cap config proofs
2014-08-13 15:31:21 +10:00
12b1b0d16f
move isAligned to HaskellLib
...
Isabelle2014 doesn't like defs to be less general than the consts declaration.
2014-08-09 15:59:24 +10:00
1af1d2b67b
some of the global Isabelle2014 renames
...
option_case -> case_option
sum_case -> case_sum
prod_case -> case_prod
Option.set -> set_option
Option.map -> map_option
option_rel -> rel_option
list_all2_def -> list_all2_iff
map.simps -> list.map
tl.simps -> list.sel(2-3)
the.simps -> option.sel
2014-08-09 15:39:20 +10:00
954492534c
ported ASpec to Isabelle2014-RC0
2014-08-09 15:00:18 +10:00
ef7ba847c0
bump API version
2014-07-28 11:10:47 +02:00
71ad3eed07
Update a comment in the capDL spec.
2014-07-28 17:45:50 +10:00
0fb7a8084d
misc: Proofing and formatting of README.md files.
...
Attempt to improve readability of the files when viewed as plain ASCII;
proof-read and fix minor issues.
2014-07-28 13:15:48 +10:00
4326d30cdc
the other README files for spec/
2014-07-22 19:11:43 -04:00
fc4200f845
README files for spec/
2014-07-22 19:10:10 -04:00
50dda7708c
comment cleanup
2014-07-22 18:10:20 +02:00
acf0abe16a
Cleanup of a number of definitions of the separation algebra for capDL.
...
* The definitions of the separation "arrows" is slightly nicer and more consistent.
- We have a nicer correspondence between sep_map_c and sep_map_s.
- sep_map_irq now specifies exactly what the IRQ table contains
(that it *only* has one entry, not that it contains at least that entry).
- Nicer LaTeX output for the arrows.
* A number of minor renaming of constants and types.
- cdl_component => cdl_component_id
- sep_entity => cdl_component
- state_sep_projection => sep_state_projection
- obj_to_sep_state => object_to_sep_state
* Removed a few unused lemmas.
2014-07-22 14:37:37 +10:00
36588c4359
Minor cleanup of proofs in the Take/Grant security model.
2014-07-22 14:36:53 +10:00
1273b8aac8
fix haskell version generation
2014-07-21 11:18:14 +02:00
9d9a325032
Updates for getpaddr system call (by Joel Beeren)
2014-07-18 17:21:34 +02:00
84595f4233
release cleanup
2014-07-17 18:22:50 +02:00
2a03e81df4
Import release snapshot.
2014-07-14 21:32:44 +02:00
Thomas Sewell
Joel Beeren
Matthew Brecknell
Sophie Taylor
Xin,Gao
Matthew Brecknell
Rafal Kolanski
Corey Richardson
Alejandro Gomez-Londono
Japheth Lim
Gerwin Klein
Daniel Matichuk
Sophie Taylor
Miki Tanaka
Xin Gao
Corey Richardson
Nickolai Zeldovich
Ramana Kumar
Gao Xin
Matthew Fernandez
Andrew Boyton
David Greenaway
Gao Xin
Corey Lewis