Conversation
Still checking the builds on my side, but not expecting CRefine to be affected.
proof/refine/InterruptAcc_R.thy
Outdated
assumes preemptionPoint_corres:
  "corres (dc \<oplus> dc) \<top> \<top> preemption_point preemptionPoint"
It might not be worth it since the current proof just unfolds everything, but it feels like this should be able to be a generic lemma. I think the only arch-specific part of preemptionPoint is the doMachineOp (getActiveIRQ True), so it should be possible to have an interface lemma just for that.
Done now, see new commit and comment below.
corlewis
left a comment
It's a bit confusing that AARCH64 had so much more in InterruptAcc_R that could be removed, but this looks very good!
Followed @corlewis's advice and tried to make Please look over the extra commit, also @lsf37
Thinking more about this: if we were to move those somewhere else then there wouldn't be a need for ArchInterruptAcc_R since for non-AARCH64 they are empty now.
lemma exec_liftE_get:
  "(liftE get >>=E f) x = f x x"
Will add. This is worth a moment of discussion of where to while we're here. exec_get is in NonDet_Lemmas.thy, which doesn't see monad_eq yet. The earliest I think that does see monad_eq is ... uh... NonDetMonadLemmaBucket?
Nondet_Monad_Equations is a good place, I think
That would be quite nice. What is left in AArch64 ArchInterruptAcc_R at this point? (hard to see in the diff)
I like the new generic proof better than the old unfold+hammer proofs. At least there is now a chance of figuring out what is going on.
lsf37
left a comment
Nice, I don't think we split the init proofs in AInvs, and there is really no reason not to. Also great that preemption point is generic now, I think that was worth it.
If we can eliminate ArchInterruptAcc entirely by moving AARCH64 lemmas I'm all for it (unless it's completely messy, but maybe we're in luck for a change).
This is done in the latest commit, please check if it's acceptable. It undoes some of the earlier work (rename and update hierarchy), which means when I squash it'll also end up as a single commit.
Looks all good, ready to go from my side!
Looks good to me as well!
Mainly to split off the zeroed arch state definitions. Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Make InterruptAcc_R generic-only, including:
* make preemptionPoint_corres generic at the cost of being a bit longer than the unfold-everything approach
* migrate AARCH64 VCPU lemmas to Interrupt_R and Arch_R as needed and, since these theories don't depend on each other, move the common dependency virqType_eq to ArchStateRelationLemmas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Squashed and rebased. Ready to merge once tests pass. |
These are small files, was able to get through them relatively quickly.
🦆🦆🦆 Init_R is mainly taking out the arch states into their own file with two wrapped lemmas, so I didn't bother with the whole PR diff-minimisation setup for it, but did the setup for InterruptAcc_R.
Instructions:
In real life, I did the usual addition of InterruptAcc_R, hierarchy update, arch-split and then update. However, since the arch-split part first splits AARCH64, then takes the AARCH64 version of InterruptAcc_R and only fixes what broke, we ended up with a small(er) diff there (again).
Please review commit-by-commit with the following notes:
- `[squash] PR: copy AARCH64 version into ..._R` - same as last time: stop `..._R` looking like a wall of green (no need to review)
- `aarch64 refine: arch-split ..._R` - this is the main bulk of the arch-split, dealing with AARCH64, as well as updates
- `[squash] copy AARCH64 Arch..._R to other arches` - wipes the body (not the header!) of other arches' `Arch..._R` with a copy of the AARCH64 version with `AARCH64` appropriately substituted (mostly pointless to review)
Reminder: DO NOT MERGE squashed version if it still says `aarch64 refine: arch-split` or `AARCH64`
Stats: 31 files changed, 386 insertions(+), 1243 deletions(-)
Total: 857 lines removed