Highlights:
- new reserved IRQ and associated handler: VPPIEvent
- VPPI events are virtual interrupts we can forward to VMs; currently there is
only one event: virtual timer interrupt
- VGICMaintenance and VPPIEvent can both receive late interrupts from hardware,
which are now discarded instead of being delivered to current thread
- given only one possible VPPI event, simplifier tends to mop up more than it
should, making some proofs fragile w.r.t. adding a new VPPI event
- the order of some lemmas/specs needed shuffling, as now VCPU code needs some
interrupt code, which uses VCPU code
There is a special case for deriving Enum for datatypes with a single
constructor, but it should only fire when that constructor has exactly
one argument. Previously, one constructor with any other argument count
that one resulted in assertion failed.
Splits parts of step 4 of the SimplExport proof process, in order to
expose them to the test theory. Add some instructions on how to use
them.
Tags subgoals so that the user can identify which ones caused the
failure.
Consolidates ML setup code, and demarcates it to let uses ignore it.
Now that asmrefine targets several arches, it's useful to separate out
any intermediate artefacts by L4V_ARCH. For instance, this lets us use
the same directory to test two arches at once.
Using a shared ref for configuration reduces the understandability of
code. It turns out the contents of the `globals_swap` ref:
1. Was always the same.
2. Was only used in one spot.
3. Could be recreated at that one spot.
So we do that instead.
Previously the parser rejected symbolic names in assembly specifiers
(the `[foo]` in `[foo]"r"(bar)`). Since the SIMPL semantics ignores the
body content of assembly, and since these specifiers only affect the
meaning of the body, this rejection was overcautious.
Previously, the parser rejected rval `"i"` and `"rK"` specifiers (which
indicate that the expression is to be used in some kind of immediate
mode). Again, this is out of scope for the SIMPL semantics, so we allow
it.
setIRQTrigger added but unimplemented because it's a machine op.
irqInvalid added, set to 0, since this is what's defined on the Spike
platform, may need to implement irqInvalid for other platforms if we
want generality for later proofs (Refine).
check, decode, perform IRQ control fully implemented to match the CSpec.
Adds a 'debug' configuration type to the main ProveSimplToGraphGoals
functions. Configuration lets the user control which functions will be
tested, and logs which functions fail testing.
Adds a 'single step' debug tactic for use in TestGraphRefine, and
demonstrates a few useful initial ML tactic for e.g. narrowing down
which subgoals are failing, and how to inspect a successful subgoal.
This adds translation rules for bitwise operators, along with suitable
guards. Note that the guard for signed `shiftl` follows the C standard,
rather than the incorrect c-parser guard (see VER-509).
There was no standard instance of `nat :: bit_operations` for unsigned
abstraction, so we also add one. It should be merged with the
(incomplete) HaskellLib instance later.
Closes Jira VER-1122.
Some code in the parser would incorrectly delete the source file
jiraver337.c, because the `Path` module now normalises the filename to
a different-looking name. This is fixed by adding a boolean flag for
whether the parsed file should be deleted or not.
Fixes Jira VER-1114.
Rafal Kolanski
Zoltan Kocsis
Gerwin Klein
Corey Lewis
Edward Pierzchalski
Victor Phan
Japheth Lim
Matthew Brecknell
Michael McInerney