Conversation
In preparation for arch-split. Create KHeap_R.thy and update import hierarchy. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Notable observations: * X64 had pulled in a number of cross and related lemmas into KHeap_R that show up later for other arches. Isolating these shows they are not critical in ArchKHeap_R, but moving them will happen later in arch-split. * setObject_other_corres is requalified since it contains a free type variable, and locale interfaces cannot quantify over those * same goes for setObject and pspace_in_kernel_mappings' * drop diff_neg_mask[simp del] * drop if_cong[cong] * unify is_other_obj_relation_type_* assumptions, move to StateRelation * move a bunch of objBits lemmas to Bits_R * standardise a[a]_type_simps[simp] (on AARCH64/RISCV64 these are already in [simp]) Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Auto-complete session names and options for the main run_tests script. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Currently any vcg invocation produces a warning about a duplicate simp rule that is used internally. Set the context that is passed to the VCG tactic to internal so that such warnings about internal rules are suppressed. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Document the existing options of the install_C_file command. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Make a syntax bundle for the C separation logic notation and remove the notation in the top-level C parser file so that it is not exported. Users can re-enable the syntax with "unbundle C_seplog_syntax". Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add an option no_modifies to the install_C_file command that will skip the generation of modifies proofs. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Skip the generation of modifies proofs in the original kernel_all locale. This locale is not used for the C proofs, and we are proving a set of new modifies theorems anyway later in the CSpec session. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Show that the current FPU owner is always in the current domain. Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
Also add placeholder files for architectures that do not enable the FPU. Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
This theory was short and mostly generic. The arch-specific atcbContextSet proofs got interfaced in Bits_R. Unifying SubMonad_R in this manner uncovered issues with objBits_less_word_bits and objBits_pos_power2. These needed to be exported into the generic context, but contained free type variables so could not be placed in a locale. By using objBitsKO instead of objBits, we could avoid the free type variable, also migrating the resulting setup into Bits_R. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
In preparation for arch-split. Create ArchAcc_R.thy and update import hierarchy. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Notes: * During X64 verification, a number of lemmas were moved to KHeap_R relative to other architectures and ended up in ArchKHeap_R during arch-split. To sync up the architectures, we pulled them back into ArchArchAcc_R Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
After discussion, `proof` block after [global_]interpretation should be indented as per autoindenter, as per style guide. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Describes disabiguation of fact names using `global./Arch.` prefix, and `named_theorems` caveat to fact name ordering. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Add example of disambiguating a constant that has the same name both within Arch and in the global context. Add examples of named_theorems causing an internal fact name reordering, resulting in the unqualified fact name being the arch-specific one despite the `global_naming global` requalification. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Add missing Isabelle update in debug ML code. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Using requalify_types (in Arch) inside the Arch locale has unexpected side effects such as switching global naming from AARCH64_H to Arch. Use outside the locale as intended. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
FNSPEC comments were re-using the C identifier spec for theorem names, which is too restrictive. For function specs where the function name starts with an underscore, the lemma name will need to contain the ' character, e.g. StrictC'_f_spec. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
It's annoying when jumping between --l4v-arch-all and --l4v-arches when
re-using command history.
Introduce an --l4v-arch= option to make things more consistent, i.e.:
run_tests --l4v-arch=X64,RISCV64
run_tests --l4v-arch-all
Keep the old --l4v-arches as an alias for --l4v-arch for compatibility:
run_tests --l4v-arches=X64,RISCV64
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
When using the skip_proofs checkbox in our version of the JEdit Isabelle plugin and closing/killing JEdit, sometimes the skip_proofs setting is persistently set in ~/.isabelle/etc/preferences Running run_tests after that makes it look like everything worked when no proofs were checked. Caveat: Isabelle internally respects ISABELLE_BUILD_OPTIONS, which can contain skip_proofs, but `isabelle options -g skip_proofs` will ignore that and only print the etc/preferences setting. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
|
For reviewing purposes, the merge commit has been split into two, one with the merge conflicts left in and the second resolving them. I'm not sure how helpful it will be in this case, a lot of the conflicts were very large and difficult to resolve, but let me know if it makes reviewing any easier. These two commits will need to be squashed before this PR is merged. |
|
|
||
| lemmas objBits_defs = | ||
| tcbBlockSizeBits_def epSizeBits_def ntfnSizeBits_def cteSizeBits_def replySizeBits_def | ||
| minSchedContextBits_def |
There was a problem hiding this comment.
I am unsure whether moving minSchedContextBits_def out of bit_simps' and into objBits_defs was a good idea. It feels like it's more consistent with the other definitions and it made some proofs simpler, but it also made others more complicated when they expected minSchedContextBits to not be unfolded.
There was a problem hiding this comment.
See faffd13#diff-d8509b2fca55c1719ec4ad344c91ff883c66772f66f50932b3e28ec23f0de945R1749 as an example of this making a proof worse.
There was a problem hiding this comment.
I don't have strong feelings either way. Conceptually, it does make more sense to include in objBits_defs than in bit_simps' and I don't think the proof fixups are problematic. A mild preference for leaving it as you have it now.
corlewis
force-pushed
the
rt-merge
branch
2 times, most recently
from
d37a612 to
61c2e20
Compare
|
Proof tests aren't working here due to what we suspect is a GitHub problem, but I can confirm that all relevant tests pass. |
corlewis
force-pushed
the
rt-merge
branch
2 times, most recently
from
2065cba to
3d160c9
Compare
There was a problem hiding this comment.
Wow, that proof fixup was a massive amount of work, I am impressed. Also about 100k lines removed with importing the arch split is nice to see in this accumulated form.
I've reviewed the fixup commit closely and the conflict resolution a bit faster. I found the conflict resolution part useful to get an impression of what is going on and where the problem areas were, but if it is a huge hassle to produce/squash I can live without it (if it is easy, it is nice to have, though).
Overall looks good, I did not spot any problems.
Yeah, I was maybe a bit ambitious doing all of this in one merge. The changes are mostly orthogonal which is why I thought it was ok, but it ended up a lot bigger than I expected. |
Good to hear that it helps. It was easy to produce and I'm confident that it will be just as easy to squash, so shouldn't be any problem for future merges. I guess it's particularly useful in cases like this, where there was actually a fair bit of work involved in resolving the conflicts themselves. |
michaelmcinerney
left a comment
michaelmcinerney
left a comment
There was a problem hiding this comment.
Looks great! Goodness me that must have been a difficult process
proof/refine/RISCV64/ArchKHeap_R.thy
Outdated
| is_sc_obj_def) | ||
| done | ||
|
|
||
| lemmas sc_inv_state_eq' = getObject_sc_inv[THEN use_valid[rotated], rotated |
There was a problem hiding this comment.
Maybe we don't want to fix this now, but this has the highly illegal comma on a new line
proof/crefine/RISCV64/Refine_C.thy
Outdated
| "ccorres dc xfdc invs' UNIV [] | ||
| (liftE (maybeHandleInterrupt inKernel)) (Call checkInterrupt_'proc)" | ||
| "ccorres dc xfdc (invs' and (\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s)) UNIV [] | ||
| ((maybeHandleInterrupt inKernel)) (Call checkInterrupt_'proc)" |
| @@ -3061,7 +3053,7 @@ lemma setCTE_UntypedCap_corres: | |||
| apply (rename_tac abs conc conc' abs') | |||
|
|
|||
| (* FIXME RT: replace this with whatever comes out of VER-1248. *) | |||
There was a problem hiding this comment.
BTW: is this FIXME still relevant?
There was a problem hiding this comment.
I think so, it's not related to arch-split or anything that has been changed in master. It's to do with the extract_conjunct these proofs use: https://sel4.atlassian.net/browse/VER-1248.
| apply wp | ||
| apply (clarsimp simp add: pred_tcb_at_def obj_at_def simp del: fun_upd_apply) | ||
| apply (clarsimp simp: etcbs_of'_def etcb_at'_def etcb_of_def) | ||
| apply (clarsimp simp: etcb_at'_def etcb_of_def pred_map_simps vs_heap_simps) |
| apply (wpsimp wp: threadSet_iflive'T) | ||
| apply (fastforce simp: update_tcb_cte_cases) | ||
| apply fastforce | ||
| done |
There was a problem hiding this comment.
does this not work with only wpsimp like for tcbInReleaseQueue_update_iflive'? It should still work with one-lining these with wpsimp wp: threadSet_iflive'T; fastforce simp: update_tcb_cte_cases
There was a problem hiding this comment.
Funnily enough, if_live_then_nonz_cap' is about to be unceremoniously ripped out of rt. It wouldn't be hard to do the same thing to master.
| "valid_pspace' s \<Longrightarrow> pspace_bounded' s" | ||
| by fastforce | ||
|
|
||
| context Arch begin arch_global_naming |
There was a problem hiding this comment.
This arch locale actually already existed on master, it must have been removed from rt at some point. In my mind that meant it didn't need an additional FIXME, it should be handled properly once the arch-split process reaches this file.
| unfolding valid_pspace'_def | ||
| by wpsimp | ||
|
|
||
| end |
There was a problem hiding this comment.
I picked up the habit of commenting on which locale the ends are for. Here it's rather short, but something to consider.
Significant changes merged in that are visible to rt proofs: * refine: arch-split KHeap_R * refine: unify SubMonad_R * refine: arch-split ArchAcc_R * spec+proof: pptrBase, haveSetTrigger, numSGIs * spec+proof: maybe_handle_interrupt * refine: arch-split CSpace_I * refine: arch-split CSpace1_R * refine: arch-split CSpace_R * spec+proof: update for vcpu_flush * ainvs: add new AInvsToplevel_AI to AInvs session * refine: add IRQReserved to state relation * refine: arch-split TcbAcc_R * arm spec+proof: GICv3 now allows 32 bit targets * refine: arch-split VSpace_R * refine+crefine: make valid_arch_obj' stateless * refine: arch-split Retype_R
This mostly involves updates for arch-splitting InvariantUpdates_H and StateRelation. Note: new rt content has not been completely arch-split. Simple parts that easily follow patterns from master have been, but the rest has just been updated to continue working. They will be arch-split in a separate pass later. Some additional changes were also needed for maybe_handle_interrupt. Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
5 participants
Significant changes merged in that are visible to rt proofs: