A common frustration is seeing a term `Ptr x :: foo ptr` and not being
able to inspect the inferred type `foo` (this is especially true when
`Ptr` occurs within another expression).
Copying the style of `UCAST`, this adds syntax rules for displaying `Ptr
x :: foo ptr` as `PTR(foo) x` and `ptr_coerce (bar :: a ptr) :: b ptr`
as `PTR_COERCE(a -> b) bar`.
Just because we *can* extend the core SML `List` signature, that doesn't
mean we *should*. It's a neat trick, but it makes it harder to find uses
of the new modules, and obfuscates definitions for very little gain.
The C parser tracks what short names a given long name corresponds to.
Change AutoCorres to use that information, instead of trying to demangle
the names 'manually'.
Previously, the C parser would define locals differently depending on
the order they appear in the source (the first instance got a short
name, the second etc. got a longer one). This would sometimes make
things break when source was reordered.
Now, the C parser emits the long name for _every_ local, and emits an
abbreviation for backwards-compatibility and convenience for common
variables (like loop indexes `int i`).
Adjusts the Simpl syntax modifiers to work with abbreviations.
Modifies the VCG tactic to try and convert long-name bound variables in
the goal to their abbreviated names.
Note that we have removed the LIB_FILES manifest and no longer intend
to maintain it manually. Instead, we just extract the entire Lib and
CLib sessions from the L4.verified repository. This means that the
next AutoCorres release will have some unneeded theories and a couple
of files with GPL licenses.
Some attributes attached to global variables weren't kept in
the AST if they appeared at the front of the declaration rather
than the back.
For instance, the aligned attribute was lost in this declaration:
int __attribute__((aligned(16))) x;
but kept if it appeared last:
int y __attribute__((aligned(16)));
Now fixed.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
Previously, everything was counted under session CParser, incl most of
Word_Lib. The dependency on Word_Lib thus revealed means Word_lib is the
better base image for session Simpl-VCG.
To prove that retyping a TCB establishes the state relation for TCBs,
it is necessary to prove that the C FPU null state is always equal to
the Haskell FPU null state. This commit therefore includes some
machinery for maintaining the state relation for the FPU null state,
and repairs many proofs.
The previous implementation of IOPortCaps has problems with revocability
and determining parency etc. This commit adds IOPortControlCaps which
behave identically to IRQControlCaps -- invoking the IOPortControlCap
allows one to create IOPortCaps with the supplied range.
There now exist invariants to show that there is only one
IOPortControlCap and that all IOPortCaps in the system do not overlap.
Furthermore there is a global record of which IO ports have been
allocated to prevent reissuing the same ports.
In particular, some intro! attributes for some wp rules are removed.
These previously caused auto/fastforce to play a really strange role
in some proofs.
These combinator rules do something like what wp_pre does now.
They were helpful in the ancient past, but now that wp_pre exists it is
much better to just use automation.
Abandon post-processing. There's some fragility somewhere that requires
process_stmt to see exactly the statements that go out, so it needs to run
last.
To handle initialiser elements, re-run process_stmt over the initialiser
statements that are created by process_decl. That's repeating some steps,
but it seems to work.
Waiting on input from Michael N about how crazy this is, but for now we're
pushing it to testing.
Two kinds of function calls were escaping the analysis. The first is simple,
the ReturnFnCall statement type, which was a silly omission from before.
Function calls inside initialiser statements are a more difficult problem.
The simplest solution was to move the VER-881 calculation into a
post-processing phase once those function calls have been moved to statement
positions.
This scans for statement-level function calls which will have complex
lvalue translations, either because their lvalues are compound
expressions or because their function return type will be promoted to
be stored. It treats them like expression-level function calls, with
an additional call statement added (saving to a ret_ variable) and
the complex lvalue step treated like an assignment.
When given a theorem, find_names finds other names the theorem appears
under, via matching on the whole proposition. It will not identify
unnamed theorems.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
This commit adds a method `ac_init`, which converts a ccorres goal into
a corres goal. It also adds an attribute `ac`, which converts a ccorres
fact into a corres fact, in a form suitable for solving goals produced
by `ac_init`.
* make_spec.sh was generating a `version` file regardless of the
outcome of the script, this was causing `make design` (in
spec/design) to always succeed when ran a second time, which in
was generating confusing (and semi-non-deterministic) error
messages when called through `./run-test`
tags: [NO_PROOF]
The C kernel build in cspec was changed to have a different directory structure and
build targets. This updates the make_munge.sh script to reflect those changes
tags: [NO_PROOF]
Removes files that were duplicated in cspec/$L4V_ARCH directories to exist directly in
the cspec directory and contain $L4V_ARCH switches where needed. This allows for a single
Makefile for building the C kernel and the KernelInc_C theory, which is different between
architectures, to still exist per L4V_ARCH.
As the build location of the C kernel, and the resulting kernel_all.c_pp artifact, is
moved this change needs to be reflected in all the theory files that refer to it.
This adds the lemma td_names_word64 to match existing lemmas
td_names_word32 and td_names_word8, allowing further simplification
using typ_heap_simps in CRefine.
Failing to do this can result in variables that haven't been
appropriately "munged", resulting in the wrong or no var_info being
associated with them in the AST.
JIRA VER-808
Gerwin Klein
Japheth Lim
Matthew Brecknell
Edward Pierzchalski
Thibaut Perami
Mitchell Buckley
Michael Norrish
Rafal Kolanski
Joel Beeren
Thomas Sewell
Luke Mondy
Alejandro Gomez-Londono
Pang Luo
Adrian Danis
Joel Beeren
Michael Norrish