Previously the parser rejected symbolic names in assembly specifiers
(the `[foo]` in `[foo]"r"(bar)`). Since the SIMPL semantics ignores the
body content of assembly, and since these specifiers only affect the
meaning of the body, this rejection was overcautious.

Previously, the parser rejected rval `"i"` and `"rK"` specifiers (which
indicate that the expression is to be used in some kind of immediate
mode). Again, this is out of scope for the SIMPL semantics, so we allow
it.

Previously, if a graph refine proof failed it would cause the ML block
defining the debug variable to be discarded; this prevented the user
from investigating the debug output. This change splits the ML block to
avoid the issue.

`diminished` takes two caps and asserts that one is equal to the other
except that one may have fewer rights. We remove this definition and all
references to it, replacing `diminished` with equality.

Miscellaneous changes to make instructions easier to follow, as well as
updating instructions for Haskell Stack (which is no longer available on
Debian Testing).

- Add HiFive.hs to replace Spike.hs; it's the same except for the kdevBase
addition.
- Originally called KDEV_PPTR in the C Code, to be changed to KDEV_BASE
across all architectures.
- Add RISCVVSpaceDeviceWindow case for valid_uses_2 definition.

irqInvalid is manually requalified into Interrupt_R. If it's defined for all
architectures, then it can be requalified instead in the more suitable
spec/machine/MachineExports.thy.

Reimplement the following primrecs:
- arch_irq_control_inv_relation
- arch_irq_control_inv_valid'
- irq_control_inv_valid'
Add the following lemmas:
- arch_check_irq_corres
- crunches arch_check_irq, checkIRQ
- arch_check_irq_valid
- arch_check_irq_valid'
- no_fail_setIRQTrigger
- setIRQTrigger_corres
- dmo_setIRQTrigger_invs'
- Add setTrigger lemmas: setIRQTrigger_irq_masks, dmo_setIRQTrigger_invs
and no_irq_setIRQTrigger
- Modify primrec arch_irq_control_inv_valid_real to include similar
conditions to its equivalent in ARM, but with the minor change of irq !=
irqInvalid.

setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform; we may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
These functions were originally doing throwError IllegalOperation or
returnOk (). Now they have been reimplemented to match the CSpec.
In arch_check_irq, an error is thrown if the IRQ is greater than maxIRQ or
is equal to irqInvalid. The error that gets returned to the user, however,
is a RangeError from 1 to maxIRQ.

Instead of checking for alignment, mask out the bottom bits to force the
vptr stored in the cap into the correct alignment for the level to be mapped.
See also SELFOUR-2162