Isabelle2020 doesn't allow sharing session directories between the document
session and non-document session. Instead of duplicating things, this commit
pulls the document build back into the ASpec session, but changes the build
such that the git revision is read directly from LaTeX, removing the
superfluous re-build for every git revision change (even when no relevant spec
file changed).
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
- preemption in C is not associated with an irq
- updating aspec to reflect this so that we can have irq-independent
preemptions (needed in MCS)
- proof fix for the above: remove intr
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
PEP 394 expects that Python 3 installations provide a `python3` command,
but does not require a `python` command. Some distributions (including
Debian) are no longer providing a `python` command, but do provide
`python3`.
In this change, the `python3` interpreter is invoked via the existing
`#!` line in the `testspec.py` script.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This is like `ccorres_rewrite`, but for `hoarep`, and uses the same
infrastructure.
The interaction between the `simpl_rewrite` locale and the
`simpl_rewrite` method was confusing, and didn't work well with multiple
interpretations. We replace the locale with a simple anonymous context
block. Since that puts more things in the global namespace, we rename
many of them. The `simpl_rewrite` method is now parameterised by a `hom`
fact which determines the predicate under which we are rewriting.
This also includes a slight generalisation of `exec_eq_is_valid_eq`,
which allows a similar generalisation of `hoarep_rewrite`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The github CI runners are low on memory and might just get
through with a bit more time for ARM_HYP.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
It'd be nice to check for actual *.cabal changes, but the cache
action doesn't have access to the repo checkout yet.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This manually adds the HaskellKernel compile test, ASpecDoc, and
tests-xml-correct sessions, which together with the existing tests make
up the entire current MCS test suite apart from "Licenses" which is
already covered by other github CI.
This is a bit ad-hoc, ideally there should be a default "rest" session
to capture tests that will be added in the future. This will need a bit
of restructure in the CI action itself, though, so is postponed for now.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This adds support for indexing into user contexts when `register_t` is
smaller than a word type, e.g. `uint8_t`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This allows SimplExportAndRefine to handle some new heap update patterns
arising in MCS.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
`init_freemem` isn't verified (and therefore is low-priority for
translation validation). It also takes several hours to show refinement,
much longer than any other function. Until we need to validate it, we
should skip it to improve regression times.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Also cleans up some of the debug config setup and makes result reporting
more useful.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Initially the `Makefile` copied `umm_heap/ARM_HYP` from `umm_heap/ARM`,
and deleted `umm_heap/ARM_HYP` during `make clean`. However, the
contents of `umm_heap/ARM_HYP` have since been committed, so this is no
longer appropriate.
Reported-by: Michael Norrish <Michael.Norrish@data61.csiro.au>
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
We believe this commit fixes the issue described in the previous commit.
It also reverts that commit, since the proofs that the C state relation
is empty no longer work.
As the previous commit demonstrated, it is important to demonstrate the
non-triviality of properties. In this case, we should exhibit a witness
of the non-emptiness of the C state relation. We have not yet done that.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
As currently defined, the C state relation is empty, and consequently,
`ccorres` is trivially true for any pair of functions. This means that,
in a very technical sense, our C refinement proofs are meaningless.
The state relation is empty because several conjuncts in
`cstate_relation` form a contradiction:
- Two conjuncts claim that `intStateIRQNode_array_Ptr` points to a heap
object within the set of addresses `kernel_data_refs`.
- Another implies that all heap objects are within `domain`.
- Another claims that `kernel_data_refs = -domain`, forming the
contradiction.
This commit proves the contradiction, and also proves that `ccorres` is
trivially true for any pair of functions.
Fortunately, we never made any essential use of this contradiction, and
so the issue can be fixed fairly easily. The issue seems to have arisen
out of a conflation of two different concepts:
- `kernel_data_refs` is introduced in the intermediate specification,
and is intended to be the set of addresses containing global heap
objects that are not covered by capabilities.
- `domain` was introduced for binary verification, and was intended to
be the set of all addresses that may be used for heap objects.
The easiest fix seems to be to expand the meaning of `kernel_data_refs`
to include all addresses that are not covered by capabilities. If we
assert that `kernel_data_refs = -domain`, then this does not allow for
heap objects that are not covered by capabilities. If instead, we make a
weaker assertion that `-domain <= kernel_data_refs`, we can have heap
objects that are not covered by capabilities, such as the one pointed to
by `intStateIRQNode_array_Ptr`.
This fix will be performed in a subsequent commit.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
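The two commit messages above (the one proving the contradiction and the one asking for a non-emptiness witness) can be illustrated by an abstract model. The following Lean 4 block is an added example and is not part of the l4v repository or of any of these commits: it reduces the three offending conjuncts of `cstate_relation` to predicates over an abstract address type, proves that no state satisfies them (mirroring the emptiness argument), and then exhibits a concrete witness for the weakened conjunct `-domain <= kernel_data_refs`. The names `AddrSet`, `OriginalRel`, `WeakenedRel`, `kdr`, `dom`, `node` and `witness` are hypothetical stand-ins for `kernel_data_refs`, `domain` and `intStateIRQNode_array_Ptr`; no Isabelle or l4v definitions are used.

```lean
-- Added illustration (not from l4v): an abstract model of the three conjuncts
-- that make `cstate_relation` contradictory, and a witness showing that the
-- weakened form `-domain <= kernel_data_refs` is satisfiable.
-- `Addr` stands in for the machine word type; `kdr`, `dom`, `node` are
-- hypothetical names mirroring kernel_data_refs, domain and
-- intStateIRQNode_array_Ptr as described in the commit message.

-- Sets of addresses as predicates, to avoid any library dependency.
abbrev AddrSet (Addr : Type) := Addr → Prop

-- The three conjuncts, specialised to the single pointer `node`:
--   (1) the object `node` points to lies in kernel_data_refs,
--   (2) every heap object lies in domain (so in particular `node` does),
--   (3) kernel_data_refs = -domain.
structure OriginalRel (Addr : Type) where
  kdr   : AddrSet Addr
  dom   : AddrSet Addr
  node  : Addr
  inKdr : kdr node                 -- (1)
  inDom : dom node                 -- (2), instance for `node`
  compl : ∀ a, kdr a ↔ ¬ dom a     -- (3)

-- The relation is empty: no instance of the structure can exist, so any
-- refinement statement quantifying over it is vacuously true.
theorem original_empty (Addr : Type) : OriginalRel Addr → False := by
  intro r
  exact (r.compl r.node).mp r.inKdr r.inDom

-- The weakened conjunct: -domain is merely a subset of kernel_data_refs,
-- which leaves room for heap objects that no capability covers.
structure WeakenedRel (Addr : Type) where
  kdr   : AddrSet Addr
  dom   : AddrSet Addr
  node  : Addr
  inKdr : kdr node
  inDom : dom node
  sub   : ∀ a, ¬ dom a → kdr a     -- weakened (3)

-- Non-triviality witness over Nat: address 0 holds the node, domain is {0},
-- and kernel_data_refs is every address. Lean accepts this definition only
-- because every proof obligation is discharged, i.e. the relation is inhabited.
def witness : WeakenedRel Nat where
  kdr   := fun _ => True
  dom   := fun a => a = 0
  node  := 0
  inKdr := trivial
  inDom := rfl
  sub   := fun _ _ => trivial
```

The point of pairing `original_empty` with `witness` is the one the second commit message makes: proving that a refinement relation is consistent is as important as proving the refinement itself, since a contradictory relation makes every `ccorres` goal provable for free. A witness like the one above is the minimal check that the repaired definition does not suffer the same defect.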
The reason `CKernel` depends on `design-spec` is quite obscure, so we
add a comment to relevant `Makefile`s to help us avoid wasting time
trying to remove the dependency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
I previously updated the `#!` in `mk_umm_types.py` to use `python3`, but
forgot to remove the explicit `python` call from `kernel.mk`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>