`ccorres` rules for the reply functions #881

michaelmcinerney · 2025-04-01T13:10:23Z

config_set conditions are now wrapped in an inline function in C so that corresponding "if" statements are not automatically rewritten by ccorres. Adjust proofs accordingly. For most instances, we execute the inline function and call ccorres_rewrite to get the same proof state as before. We can then later add new specification and proof branches for these config options. Signed-off-by: Gerwin Klein <[email protected]>

lsf37 · 2025-04-01T22:00:19Z

To get rid of the link check failure, cherry-picking commit 9a28f50 should work.

proof/crefine/RISCV64/Machine_C.thy

proof/refine/RISCV64/Finalise_R.thy

proof/crefine/RISCV64/IpcCancel_C.thy

proof/crefine/RISCV64/Ipc_C.thy

lsf37

I realise this was still in draft, apologies for jumping in early with the comments. If we can resolve those instantiation chains, I think this is pretty much ready to go.

Xaphiosis · 2025-04-02T00:07:02Z

Minor question on commit (message are generally good and helpful, thank you):
In rt haskell+riscv refine+crefine: ccorres rules for reply, the tag is kind of confusing. @lsf37 ?

lsf37 · 2025-04-02T00:16:34Z

Minor question on commit (message are generally good and helpful, thank you): In rt haskell+riscv refine+crefine: ccorres rules for reply, the tag is kind of confusing. @lsf37 ?

It is trying to say generic Haskell and RISCV refine+crefine. Maybe in this case we should just shorten in to rt haskell+refine+crefine

proof/crefine/RISCV64/IpcCancel_C.thy

Xaphiosis · 2025-04-02T00:25:31Z

proof/crefine/RISCV64/IpcCancel_C.thy

+   apply (rule conseqPre, rule conseqPost)
+      apply assumption
+     apply clarsimp
+     apply (rule rev_bexI, rule updateSchedContext_eq)


clarsimp should discharge the assumption, then we have clarsimp, three simps, and a clarsimp... I think you can safely put a ; clarsimp simp: obj_at_simps at the end here and save some lines

(or clarsimp with a +)

These were just moved. I meant to write a nicer PR description before I marked this as ready for review. But these updateSchedContext_ccorres_* lemmas were just moved, along with schedContext_donate_ccorres and tcbReleaseRemove_ccorres

It's still a pretty easy compression if you're interested while we're here.

Xaphiosis

I think Gerwin already found the interesting issues. When he's happy with it, don't wait up for me. I definitely agree that postcondition instantiation pattern is not great for maintenance, and some way of automating our way out of it should be explored.

Xaphiosis · 2025-04-02T01:01:02Z

Minor question on commit (message are generally good and helpful, thank you): In rt haskell+riscv refine+crefine: ccorres rules for reply, the tag is kind of confusing. @lsf37 ?

It is trying to say generic Haskell and RISCV refine+crefine. Maybe in this case we should just shorten in to rt haskell+refine+crefine

Yeah I think we'd normally have two commits, one for spec changes and one for proof update. In this case, I'd probably go with your suggestion given the nature of the rt tag.

michaelmcinerney · 2025-04-03T01:04:27Z

I've pushed an update with the fix for the broken links, a commit that reduces the use of valid_objs' in CRefine, and another commit that removes the nasty hoare_post_imp chains that I had in the ccorres rules for the reply functions. The changes to get rid of valid_objs' were a bit larger than I was hoping for, but it should really make life easier in CRefine (apart from potentially having to add the assert to more new functions)

michaelmcinerney · 2025-04-03T02:18:16Z

I think I missed a few updates for the new asserts, so I'll run the proofs again locally and push an updated version soon.

Xaphiosis

Looks like you were on the right track with the valid_objs' crossing, and the proofs look neater now.

Signed-off-by: Gerwin Klein <[email protected]>

The replyTCB field of a reply points to a TCB, and so should use option_to_ctcb_ptr, rather than option_to_ptr. Additionally, from_bool is preferred to to_bool. Signed-off-by: Michael McInerney <[email protected]>

Signed-off-by: Michael McInerney <[email protected]>

lsf37 · 2025-04-04T00:34:14Z

 Installing seL4 python deps
    error: subprocess-exited-with-error

I'm coming to really dislike Python. Ok to ignore this here, it's some setup problem of the style checker.

lsf37

Agreed, the valid_objs' idea was good. We have a bit of the post condition instantiation moving into Refine, but now concentrated to just once and also in a nicer form. I like it.

This proves the ccorres rules for all functions which directly modify the reply objects, namely reply_pop, reply_push, reply_remove, and reply_remove_tcb. This refactors the Haskell definitions slightly: - the when statement in replyPop is removed, since replyPop is called only from replyRemove, which contains an explicit check for the condition in the when statement. - the call to cleanReply in replyPop is removed and replaced with an update of the replyPrev field to Nothing. This preserves semantics, since the replyNext field is set to Nothing earlier in the function. - updateSchedContext is preferred to setSchedContext. Signed-off-by: Michael McInerney <[email protected]>

Signed-off-by: Michael McInerney <[email protected]>

lsf37 · 2025-04-04T02:09:39Z

 Installing seL4 python deps
    error: subprocess-exited-with-error
I'm coming to really dislike Python. Ok to ignore this here, it's some setup problem of the style checker.

And it now works on the same OS and python version without anything having changed. Maybe it was a networking problem or something like that.

michaelmcinerney added the MCS related to `rt` branch and mixed-criticality systems label Apr 1, 2025

michaelmcinerney self-assigned this Apr 1, 2025