#
c4dc578b |
|
17-Sep-2018 |
Edward Pierzchalski <ed.pierzchalski@data61.csiro.au> |
Fix up proofs after word lemma moves
|
#
8173a37c |
|
13-Aug-2018 |
Mitchell Buckley <mitchell.buckley@data61.csiro.au> |
Updated specs and proofs for SELFOUR-1491: control IRQ triggering on ARM.
|
#
6b9d9d24 |
|
09-Jun-2018 |
Gerwin Klein <gerwin.klein@data61.csiro.au> |
Isabelle2018: new "op x" syntax; now is "(x)" (result of "isabelle update_op -m <dir>")
|
#
9523eea0 |
|
01-Jul-2018 |
Thibaut Perami <thibaut.perami@data61.csiro.au> |
infoflow: Clean up infoflow, comment, wrap lines, ...
|
#
2d0baab4 |
|
13-Mar-2018 |
Corey Lewis <corey.lewis@data61.csiro.au> |
Proof update for crunch changes
|
#
0f38e200 |
|
25-Feb-2018 |
Thomas Sewell <Thomas.Sewell@data61.csiro.au> |
Many proof repairs.
|
#
652cbb96 |
|
14-Mar-2018 |
Thomas Sewell <Thomas.Sewell@data61.csiro.au> |
Initial proof updates for combinator changes.
|
#
4601f2a1 |
|
06-Feb-2018 |
Joel Beeren <joel.beeren@data61.csiro.au> |
Genericise deletion actions that occur after empty_slot This patch adds a generic "post_cap_deletion" step that is called by finalise_slot. Previous to this, the only caps which had actions required at this stage were IRQHandlerCaps -- it was required that the IRQ bitmap be updated after the cap itself was removed (as the invariants state that for any existing IRQHandlerCap, the corresponding bit in the IRQ bitmap must be set). By genericising this, we add the capacity for new, arch-specific post cap deletion actions to occur in the future.
|
#
2a1beffa |
|
26-Nov-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
arm: update for simple_ko getter/setter
|
#
796887d9 |
|
11-Jul-2017 |
Alejandro Gomez-Londono <alejandro.gomez@nicta.com.au> |
Removes all trailing whitespaces
|
#
7ad3ef3b |
|
13-Mar-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
wp: update the proofs for the new wp/wpc/wpsimp
|
#
b2f2034b |
|
21-Feb-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
Bisim / Access / InfoFlow: updates for Hypervisor stub
|
#
d7026b5b |
|
16-Feb-2017 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
Access and InfoFlow fix for prepare_thread_delete
|
#
47119bf4 |
|
13-Jan-2017 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
wp_cleanup: update proofs for new wp behaviour The things that usually go wrong: - wp fall through: add +, e.g. apply (wp select_wp) -> apply (wp select_wp)+ - precondition: you can remove most hoare_pre, but wpc still needs it, and sometimes the wp instance relies on being able to fit a rule to the current non-schematic precondition. In that case, use "including no_pre" to switch off the automatic hoare_pre application. - very rarely there is a schematic postcondition that interferes with the new trivial cleanup rules, because the rest of the script assumes some specific state afterwards (shouldn't happen in a reasonable proof, but not all proofs are reasonable..). In that case, (wp_once ...)+ should emulate the old behaviour precisely.
|
#
41d4aa4f |
|
25-Oct-2016 |
Matthew Brecknell <Matthew.Brecknell@data61.csiro.au> |
Isabelle2016-1: update references to renamed constants and facts
|
#
4905a589 |
|
13-Nov-2016 |
Matthew Brecknell <Matthew.Brecknell@data61.csiro.au> |
trivial: remove some uses of find_theorems
|
#
1289f7bc |
|
09-Nov-2016 |
Alejandro Gomez-Londono <alejandro.gomez@nicta.com.au> |
Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes * tcb_context rephrasing to (tcb_context o tcb_arch) and respectively for set operations * unfolding of reserved_irq for trivially solving most lemmas * Changes to the inductive definition of integrity_obj to account for tcb_arch and tcb_context new location * Changes to the tcb examples in ExampleSystem to include tcb_arch * Rephrasing of domain_sep_inv to accommodate the ReservedIRQ case * Mostly rephrasing of tcb_context to (some form of) (tcb_context o tcb_arch) * Trivial unfolding of handle_reserved_irq for hoare rules * Examples in Example_Valid_State.thy were updated * Nothing remarkable, mostly rephrasing of tcb_context and ReservedIRQ handling * Fun fact, some proofs are now shorter tags: [VER-623][SELFOUR-413]
|
#
d7450607 |
|
21-Nov-2016 |
Xin,Gao <xin.gao@nicta.com.au> |
SELFOUR-553: rebase and fix styles and comments
|
#
a2d707d1 |
|
14-Aug-2016 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
SELFOUR-553: update rpidrurw in TCBConfigure for simpler Infoflow proofs.
|
#
2553371a |
|
06-Nov-2016 |
Joel Beeren <joel.beeren@nicta.com.au> |
SELFOUR-64: Remove general Recycle operation This removes the RecycleCap CNodeInvocation, whilst retaining recycle behaviour for Endpoints -- now renamed CNodeCancelBadgedSends.
|
#
0fa24719 |
|
17-Oct-2016 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
SELFOUR-444: Repair InfoFlow.
|
#
74adb7a2 |
|
05-Jun-2016 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
SELFOUR-444: Avoid unnecessary cache clears. Adjust both specs and propagate the changes.
|
#
a96346e3 |
|
26-May-2016 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
SELFOUR-444: Finished InfoFlow and DRefine.
|
#
a3714e81 |
|
03-Oct-2016 |
Matthew Brecknell <Matthew.Brecknell@data61.csiro.au> |
SELFOUR-276: Finish proofs for maximum controlled priority (MCP) To finish the proof of refinement to C, the specification for checkPrio needed strengthening: the checkPrio spec now takes a machine word argument. In the spec, priorities are still stored as 8-bit quantities, however. Once the spec was strenthened, it was possible to remove some redundant checks and mask operations from the C code. A thread's maximum controlled priority (MCP) determines the maximum thread priority or MCP it can assign to another thread (or itself).
|
#
252ce8df |
|
09-Aug-2016 |
Xin,Gao <xin.gao@nicta.com.au> |
SELFOUR-421: infoflow and infoflow_c builds
|
#
eb7f7b15 |
|
29-Jun-2016 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
arch-split: Tcb_AI.thy done
|
#
9ceed1eb |
|
03-May-2016 |
Daniel Matichuk <daniel.matichuk@nicta.com.au> |
arch_split: fix proofs after removing shadow and unqualify commands and adding fix for crunch. Checks up to DPolicy.
|
#
0e5ffd1e |
|
27-Apr-2016 |
Matthew Brecknell <Matthew.Brecknell@nicta.com.au> |
arch_split: requalify abstract theories
|
#
67ba864d |
|
23-Apr-2016 |
Matthew Brecknell <Matthew.Brecknell@nicta.com.au> |
arch_split: InfoFlow checking
|
#
d7fd8872 |
|
08-Feb-2016 |
Sophie Taylor <sophie.taylor@nicta.com.au> |
SELFOUR-420: Verification of maxIRQ check in handle_interrupt.
|
#
6f6c5816 |
|
09-Feb-2016 |
Miki Tanaka <miki.tanaka@nicta.com.au> |
SELFOUR-56: Remove diminish rights from IPC
|
#
7aaa8ed7 |
|
25-Jan-2016 |
Daniel Matichuk <daniel.matichuk@nicta.com.au> |
arch_split: Access and InfoFlow now build
|
#
ac632c5a |
|
10-Nov-2015 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
Wait -> Recv: update proofs
|
#
457a55a8 |
|
01-Nov-2015 |
Joel Beeren <joel.beeren@nicta.com.au> |
add arch_tcb object to C, rename aep -> ntfn
|
#
7c3a06a8 |
|
28-Oct-2015 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
Minor adjustments caused by Strengthen changes.
|
#
e403eb8f |
|
20-Oct-2015 |
Joel Beeren <joel.beeren@nicta.com.au> |
poll: added non blocking sync wait
|
#
d6f7579b |
|
15-Oct-2015 |
Joel Beeren <joel.beeren@nicta.com.au> |
poll: Added new syscall for polling async endpoints (non-blocking wait)
|
#
d88a931e |
|
01-Sep-2015 |
Ramana Kumar <Ramana.Kumar@nicta.com.au> |
history squashed patch for aep-binding
|
#
3372cd32 |
|
15-Jul-2015 |
Joel Beeren <joel.beeren@nicta.com.au> |
SELFOUR-220: When calling handleWait, only delete the TCB's ReplyCap when actually waiting on a synchronous endpoint.
|
#
cba6a4f5 |
|
16-May-2015 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
infoflow: minor cleanup
|
#
12fa8686 |
|
16-May-2015 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
fewer warnings
|
#
b46bc4e7 |
|
16-May-2015 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
infoflow: 2015 update (apart from C refinement)
|
#
71e7dcc3 |
|
13-Aug-2014 |
Thomas Sewell <Thomas.Sewell@nicta.com.au> |
Fix Access, InfoFlow and DRefine.
|
#
9d9a3250 |
|
18-Jul-2014 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
Updates for getpaddr system call (by Joel Beeren)
|
#
2a03e81d |
|
14-Jul-2014 |
Gerwin Klein <gerwin.klein@nicta.com.au> |
Import release snapshot.
|