#
ab259704 |
|
30-Oct-2018 |
Santiago Bautista <santiago.bautista@data61.csiro.au> |
access+infoflow+drefine: update for new definition of `idle_tcb_at` * Context : We would like to prove that, for ARM_HYP architecture, the current vcpu is always the vcpu associated to the current thread. See issue https://jira.csiro.au/browse/VER-770 and PR 291 http://bitbucket.keg.ertos.in.nicta.com.au/projects/SEL4/repos/l4v/pull-requests/291 In this process, we changed the definition of `idle_tcb_at` * In this commit : Update some proofs in access, infoflow and drefine to take the new definition of `idle_tcb_at` into account.
|
#
08027d4a |
|
24-Jun-2018 |
Gerwin Klein <gerwin.klein@data61.csiro.au> |
Isabelle2018: Access
|
#
6b9d9d24 |
|
09-Jun-2018 |
Gerwin Klein <gerwin.klein@data61.csiro.au> |
Isabelle2018: new "op x" syntax; now is "(x)" (result of "isabelle update_op -m <dir>")
|
#
166af9e5 |
|
01-Aug-2018 |
Japheth Lim <Japheth.Lim@data61.csiro.au> |
access, infoflow: cleanup from previous commit; some style cleanup
|
#
a6c11a2b |
|
31-Jul-2018 |
Japheth Lim <Japheth.Lim@data61.csiro.au> |
access-control, infoflow: use generic relation for pasDomainAbs This patch generalises the mapping between authority labels and scheduler domains, so that the access-control integrity property still holds when labels are not partitioned into domains. This lets us use the integrity result on systems that don't use the domain scheduler. The information flow proofs still rely on the domain partitioning, hence we add constraints on the label-domain mapping for the info-flow results to hold. Jira VER-945
|
#
2d0baab4 |
|
13-Mar-2018 |
Corey Lewis <corey.lewis@data61.csiro.au> |
Proof update for crunch changes
|
#
0f38e200 |
|
25-Feb-2018 |
Thomas Sewell <Thomas.Sewell@data61.csiro.au> |
Many proof repairs.
|
#
652cbb96 |
|
14-Mar-2018 |
Thomas Sewell <Thomas.Sewell@data61.csiro.au> |
Initial proof updates for combinator changes.
|
#
4601f2a1 |
|
06-Feb-2018 |
Joel Beeren <joel.beeren@data61.csiro.au> |
Genericise deletion actions that occur after empty_slot This patch adds a generic "post_cap_deletion" step that is called by finalise_slot. Previous to this, the only caps which had actions required at this stage were IRQHandlerCaps -- it was required that the IRQ bitmap be updated after the cap itself was removed (as the invariants state that for any existing IRQHandlerCap, the corresponding bit in the IRQ bitmap must be set). By genericising this, we add the capacity for new, arch-specific post cap deletion actions to occur in the future.
|
#
2a1beffa |
|
26-Nov-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
arm: update for simple_ko getter/setter
|
#
3a22487c |
|
24-Nov-2017 |
Rafal Kolanski <rafal.kolanski@nicta.com.au> |
arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242) Colloquially known as "invert-fastpath". Update verification efforts on ARM for the following seL4 changes: - scheduling decisions done in possibleSwitchTo are moved to the scheduler - possibleSwitchTo only checks whether the candidate is valid for a fast switch, not its priority, accepting possible candidates immmediately as a switch-to scheduler action - the scheduler checks the candidate against the current thread and against the bitmaps before making a decision - attemptSwitchTo and switchIfRequiredTo are gone - scheduler is now more complicated, and numerous proofs related to it are rewritten from scratch - fast path now checks ready queues via the scheduler bitmaps - L2 scheduler bitmap order reversed for better cache locality Many iterations between the kernel and verification teams were needed to get this right.
|
#
796887d9 |
|
11-Jul-2017 |
Alejandro Gomez-Londono <alejandro.gomez@nicta.com.au> |
Removes all trailing whitespaces
|
#
392d055e |
|
15-May-2017 |
Joel Beeren <joel.beeren@nicta.com.au> |
SELFOUR-748: rename tlb invalidation functions
|
#
b17a3293 |
|
19-May-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
arm access: ARM Access now builds on arm-hyp
|
#
d7026b5b |
|
16-Feb-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
Access and InfoFlow fix for prepare_thread_delete
|
#
47119bf4 |
|
13-Jan-2017 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
wp_cleanup: update proofs for new wp behaviour The things that usually go wrong: - wp fall through: add +, e.g. apply (wp select_wp) -> apply (wp select_wp)+ - precondition: you can remove most hoare_pre, but wpc still needs it, and sometimes the wp instance relies on being able to fit a rule to the current non-schematic precondition. In that case, use "including no_pre" to switch off the automatic hoare_pre application. - very rarely there is a schematic postcondition that interferes with the new trivial cleanup rules, because the rest of the script assumes some specific state afterwards (shouldn't happen in a reasonable proof, but not all proofs are reasonable..). In that case, (wp_once ...)+ should emulate the old behaviour precisely.
|
#
511c6b2d |
|
03-Nov-2016 |
Matthew Brecknell <Matthew.Brecknell@data61.csiro.au> |
Isabelle2016-1: rename free variables to avoid capture
|
#
41d4aa4f |
|
25-Oct-2016 |
Matthew Brecknell <Matthew.Brecknell@data61.csiro.au> |
Isabelle2016-1: update references to renamed constants and facts
|
#
2553371a |
|
06-Nov-2016 |
Joel Beeren <joel.beeren@nicta.com.au> |
SELFOUR-64: Remove general Recycle operation This removes the RecycleCap CNodeInvocation, whilst retaining recycle behaviour for Endpoints -- now renamed CNodeCancelBadgedSends.
|
#
411af12e |
|
23-May-2016 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
SELFOUR-444: Logic generalised; Access finished. Tweak AInvs proof for Untyped to be more reusable, finish integrity proofs.
|
#
252ce8df |
|
09-Aug-2016 |
Xin,Gao <xin.gao@nicta.com.au> |
SELFOUR-421: infoflow and infoflow_c builds
|
#
322f1023 |
|
18-Apr-2016 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
word_lib: adjust theory dependencies
|
#
0e5ffd1e |
|
27-Apr-2016 |
Matthew Brecknell <Matthew.Brecknell@nicta.com.au> |
arch_split: requalify abstract theories
|
#
14f75701 |
|
21-Apr-2016 |
Matthew Brecknell <Matthew.Brecknell@nicta.com.au> |
arch_split: Access checking
|
#
7aaa8ed7 |
|
25-Jan-2016 |
Daniel Matichuk <daniel.matichuk@nicta.com.au> |
arch_split: Access and InfoFlow now build
|
#
457a55a8 |
|
01-Nov-2015 |
Joel Beeren <joel.beeren@nicta.com.au> |
add arch_tcb object to C, rename aep -> ntfn
|
#
d88a931e |
|
01-Sep-2015 |
Ramana Kumar <Ramana.Kumar@nicta.com.au> |
history squashed patch for aep-binding
|
#
12fa8686 |
|
16-May-2015 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
fewer warnings
|
#
177e5bf1 |
|
06-May-2015 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
2015 update for access
|
#
71e7dcc3 |
|
13-Aug-2014 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
Fix Access, InfoFlow and DRefine.
|
#
fc6e5771 |
|
10-Aug-2014 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
Proof updates, working as far as AInvs.
|
#
9d9a3250 |
|
18-Jul-2014 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
Updates for getpaddr system call (by Joel Beeren)
|
#
2a03e81d |
|
14-Jul-2014 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
Import release snapshot.
|