Rewrite associative array usage as a function lookup.
OSX users do not have access to a non-ancient /bin/bash by default and
complain that our use of associative arrays (declare -A) does not work.
Tags: VER-802
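The rewrite described above, as an added example that is not taken from the l4v scripts: a per-architecture lookup table that would naturally be a `declare -A` array is expressed instead as a `case`-based function, which runs on the bash 3.2 that macOS ships (and on plain POSIX sh). The architecture keys ARM, ARM_HYP and X64 follow the page; the flag values and the function names `arch_cpp_flags`/`arch_cpp_keys` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of l4v. Runs under POSIX sh and bash 3.2.
#
# The bash-4-only form this replaces:
#   declare -A ARCH_CPP
#   ARCH_CPP[ARM]="-DARM"; ARCH_CPP[ARM_HYP]="-DARM_HYP"; ARCH_CPP[X64]="-DX64"
#   flags="${ARCH_CPP[$arch]}"
#
# Portable form: the table becomes a function whose 'case' arms are the keys.
# Flag values below are constructed placeholders, not the real l4v settings.
arch_cpp_flags() {
    case "$1" in
        ARM)     echo "-DARM" ;;
        ARM_HYP) echo "-DARM_HYP" ;;
        X64)     echo "-DX64" ;;
        *)       echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# Equivalent of iterating "${!ARCH_CPP[@]}": the key list is kept explicitly
# so the two functions stay in sync.
arch_cpp_keys() {
    echo "ARM ARM_HYP X64"
}

# Equivalent of "[ -n "${ARCH_CPP[$1]+set}" ]": membership test without a lookup.
arch_known() {
    arch_cpp_flags "$1" >/dev/null 2>&1
}

# Usage: print the flags for every known architecture.
for a in $(arch_cpp_keys); do
    printf '%s: %s\n' "$a" "$(arch_cpp_flags "$a")"
done
```

Because an unknown key is a `case` fall-through rather than a silent empty expansion, a misspelled architecture name fails loudly with a non-zero exit instead of producing an empty CPP flag set.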
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
Modifies proofs now include a preprocessing step which breaks programs
into parts before passing goals to the VCG. This means there are more
calls to the VCG, but the VCG only sees individual Basic and Spec
commands, and procedure calls.
This avoids performance issues in some pathological cases. In
particular, long sequences of updates to arrays via pointer-to-struct
previously seemed to be exponential in the number of updates.
These are copied verbatim from ARM as the word and pointer sizes are
identical.
These could be auto-generated by a Makefile, but a Makefile is not
invoked when building CKernel.
(copied from ARM)
Per-platform CPP configuration for spec-check and make-spec.
The configuration is still duplicated between the two scripts, but now
the translation/check for ARM_HYP will use correct CPP settings.
The 'success' messages in the modifies proof were being produced as
soon as Goal.prove_future returned, which is pretty much right away.
Instead produce messages once the forked proof is finished.
Unify some tracing features that didn't go through the Feedback structure.
Add config to isar_install allowing Feedback to be traced to a file in real
time as well as to standard Isabelle output channels.
* Consistently use the c-parser 'addr' type alias for pointer values.
* Include word abstraction and polish for 64-bit integral types.
* Include all current c-parser platforms in release packaging scripts.
More work is required to properly abstract AutoCorres tests across
architectures. The tests currently pass for both ARM and X64. However,
in a number of tests, we exploit the coincidences that 'int' is the same
size on both platforms (32 bits), and that 'long' is the same as the
pointer size on each platform (32 bits and 64 bits, respectively).
This creates an issue because "unat x < 1" is reduced to "unat x = 0"
by the simplifier, meaning the unat_mono tactic doesn't get to operate on
it. The fix is pretty easy. Also includes some extra investigation material.
- replace ARM-specific constants and types with aliases which can be
instantiated separately for each architecture.
- expand lib with lemmas used in X64 proofs.
- simplify some proofs.
Also-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable...). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
Some lemmas that were specific instances of more general lemmas have
been removed from the library. In most cases, broken references could
simply be replaced with the more general fact.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
Adds an additional analysis option to the external C parser. This
will report about any asm statements that were encountered and could
not be properly handled.
[NO_PROOF]
To restore some previous functionality, add a mechanism by which an __asm__
statement too complex to be translated can still be ignored (handled as an
empty statement). A demo file does this for a wrapper around "nop".
Also use this facility to support legacy camkes-glue proofs which assume
that the software interrupt operator "swi" doesn't break anything.
The C-parser contains a full parser for __asm__ syntax but
up until now hasn't done anything with it. Instead we export
some semantics. It's unspecified exactly what these semantics
are but they are parametrised with the __asm__ semantics that
went into them, so the translation validation has something
to reason about.
Tweak modifies proofs as a result, and add some more test files.
* commit '8d4a8eb238090999b4b41f588d5fa63453d58ae8':
SELFOUR-421: fix coding style
SELFOUR-421: fix drefine
SELFOUR-421: add device bit in UntypedCap and FrameCap in capdl
SELFOUR-421: infoflow and infoflow_c builds
SELFOUR-421: crefine builds
SELFOUR-421: commit before change abstract again
SELFOUR-421: fix refine
SELFOUR-421: a defend version before wild changes
SELFOUR-421: new haskell spec after UserDataDevice changes
SELFOUR-421: broken crefine after conversation with gerwin
SELFOUR-421: up to VSpace_C done
SELFOUR-421: temp work in CSpace_C
SELFOUR-421: fixed Refine after merge with master
SELFOUR-421: retranslate haskell after merge with master
SELFOUR-421: random uncommitted stuff before merge
SELFOUR-421: retranslate haskell for fixed range check
SELFOUR-421: refine done
SELFOUR-421: added check to decoding asid control invocations and stole an asid bit from the high bits not the low ones
SELFOUR-421: AInvs done, no added invariants yet
SELFOUR-421: first attempt at abstract spec
Architecture names follow L4V_ARCH-style naming conventions ('ARM', 'FAKE64').
However, the standalone parser does not make use of the L4V_ARCH environment
variable.
The standalone-parser Makefile builds all architectures at once, producing
binaries at 'ARM/c-parser', 'FAKE64/c-parser', and similarly for the tokenizer.
There are also wrapper scripts 'c-parser' and 'tokenizer' in the
standalone-parser directory, which take an architecture on the command line.
The make_munge.sh script calls the appropriate binary parser directly.
This is apparently valid C:
enum {
One,
Two = One + 1,
};
It's easy to support this by using the partially modified enum
environment in evaluation of the following right hand sides.
A skeleton line of the form
#INCLUDE_SETTINGS keep_constructor=asidpool
now ensures that the asidpool type constructor is actually created in
subsequent #INCLUDE_HASKELL declarations. It turns out this feature was already
available, and already used for asidpools, this change just makes it externally
adjustable.
CParseTools was triggering a race condition by removing a mistakenly
added license header on CSpec.grm.sig while (potentially) the CParser
session was still being built by Isabelle, thus causing all sessions
depending on CParser to rebuild (At the same time!).
Give the standalone c-parser the facility to dump out its internal AST. Only
half finished, I got bored writing serialisers for the many syntax datatypes.
There has been some discussion about how to check whether an seL4 change
impacts verification. My thought was that the obvious thing to check is the
C-parser's AST. If this is unchanged, then further analyses must be unchanged.
The “statistics” output has been disabled for some time, and the
print_stats option has never been part of the publicly documented
interface, so hopefully this removal will go unnoticed.
Some of the terms measured by the stats code are available through
the recently-added trace_* options (but not all).
This is the “last” step of the Jira VER-517/VER-522 refactoring
(still does not support pausing between phases, but the relevant
infrastructure is there now).
Ought to pass AutoCorresTest suite now.
Brain fart: the corres proofs still have recursive assumptions,
even if the final function does not use them. This means that
attempting to split groups prior to definitions is doomed to fail.
The topology of recursive function groups can change due to dead code
elimination. This used to be handled (buggily, after define stages) by
the old code. This commit attempts to handle it properly (between convert
and define stages), using a new variant of the Seq data structure.
(Still not done for TS, though.)
Also (literally) fixes many free variables that used to be unhygienic.
Also makes the L2,HL,WA dataflow more uniform (but not yet refactored).
Heap lifting is annoying because we need to join all intermediate L2 results
before defining the lifted heap and proving heap lemmas.
This has been refactored into a new prepare_heap_lift stage that runs between
L2 conversion and HL proper.
With this we move away from a global mutable fn_info; instead we will
use a table of persistent (lazy) entries for each phase.
Function call metadata is also now either stored locally or recomputed
on-demand for each stage (with a few TODOs).
Specification of file to emit to is via command-line switch. Take the
opportunity to make command-line processing be done via GetOpt library.
JIRA VER-473
This removes some modifications that the theories make to the simpset
and other global context, which slightly reduces breakage when importing
AutoCorres into other theories.
Unfortunately, some of the tests/examples seem to rely on specific
modifications to simp and wp, so removing those will be harder.
Also some simplification stages still seem to use the global simpset
instead of AUTOCORRES_SIMPSET; need to debug later.
* commit 'ecbb860532b4c576fc4726a805802f16bcf5302c': (29 commits)
autocorres-crefine: specialise corres_no_failI for compatibility with Refine
Add license tags for autocorres-crefine files
crefine: refactor AutoCorresTest a bit
autocorres-crefine: remove local debugging imports
Fix InfoFlowC to accommodate corres_underlying changes.
Fix DRefine to accommodate corres_underlying changes.
autocorres-crefine: experiment with manually translating a function (clzl).
autocorres-crefine: experiment with translating bitfield_gen specs.
autocorres-crefine: start a test case for function calls.
autocorres-crefine: update example proofs to work with no_c_termination, which does not require proving termination for the C spec.
autocorres: add user option "no_c_termination" for previous patch.
Making termination proof optional for AutoCorres.
WIP: autocorres: hacky proof of concept for incremental translation.
autocorres: add some missing WordAbstract rules.
autocorres-crefine: fix some comments in work theory.
autocorres-crefine: prove modifies and (simple) terminates specs.
autocorres-crefine: experiment with generating modifies proofs
autocorres-crefine: run autocorres in kernel_all_substitute locale
autocorres-crefine: update another corres_UL that snuck in before rebasing.
autocorres-crefine: working ccorres for handleYield (modulo some white lies).
...
- the symbol table constant had a hard map to word32 instead of the addr
alias
- when cast to integers, the parser believed pointers gave rise to 32
bit values. This latter required the TargetNumbers signature to get a
smidge wider, with a new ptr_t entry where the intptr type gets
listed.
This ignores issues that would need getting right in a real x64
specification (signedness of char, endianness, perhaps others), but can
be used as a test vehicle.
Demo in tests/examples/Incremental. Note that changing autocorres options
between invocations will probably just fail ungracefully.
Meant for issue VER-518 but not yet tested on CKernel.