The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
To restore some previous functionality, add a mechanism by which an __asm__
statement too complex to be translated can still be ignored (handled as an
empty statement). A demo file does this for a wrapper around "nop".
Also use this facility to support legacy camkes-glue proofs which assume
that the software interrupt operator "swi" doesn't break anything.
Isabelle LaTeX style files use old font commands \bf, \rm, \tt, etc.
However, newer versions of some LaTeX document classes (e.g. scrbook)
have removed support for these commands. This brings back those
commands for documents built with isabelle.sty.
Moves some unnecessary stuff out of the locale and now specifies the label type
as `string` rather than a locale parameter. The purpose of the latter is to
allow us to talk about concrete labels rather than continually falling back on
the user's projection, but it's not clear yet whether this is a big win.
These were phrased as slots containing NULL caps, but the translation of CapDL
specifications into Isabelle actually just restricts the domain of the
underlying capability map. This is much cleaner and we now have exact
equivalence.
This connection actually uses read/write caps on both sides because it is
implemented using Send and Wait. It may be worthwhile modelling seL4RPCCall
(which is implemented using Call and ReplyWait) as well. This would be a
trivial extension.
CAmkES deliberately skips over CSlot 0 when allocating caps to allow typos and
misallocations to be more easily detected. This commit captures this logic in
the generator function.
Previously, the CapDL-generating function assumed a CNode size of 12 bits for
each component instance, though this was known to be inaccurate. In the
implementation of CAmkES, the code generator calculates the minimum required
size of each CNode on the fly. This commit updates the formalised generator to
perform the same calculation. The calculation is currently written in terms of
the `LEAST` binder, which as it turns out is sometimes awkward to reason about.
It may be worthwhile rephrasing this in future.
The CapDL translation tools produce threads with an undefined intent, rather
than no intent. This commit modifies the CAmkES generation to do the same to
ease the correspondence proof.
Presumably this is only the case for when there are no assigned interrupts in
the system. These theories will need some tweaking to support systems with
interrupts.
Current example systems do not involve hardware interrupts, but each interrupt
in such a system is represented in CapDL as an empty single-slot CNode. We need
to note their existence or the final correspondence proof becomes tricky. This
commit adds support for (assumed empty) IRQ CNodes and pushes this through the
existing proofs. The generated label mapping will need some associated updates
following this.
This is a relatively straightforward property, but shows that CAmkES systems
fall into a constrained class of seL4 systems that it is easier to reason
about. In particular a lack of caps to more dynamic objects like untypeds
guarantees a tighter seL4 worst case execution time and an absence of many
possible dynamic behaviours.
We prove this property across all CapDL specifications produced by the high-
level generator, rather than on a concrete specification. In this way, we can
do the proof manually once and for all.
The low-level specification roughly maps to the code generator and template
instantiation phases of CAmkES. At this point no address space objects exist
(excepting slight infidelity with respect to page directories). The address
space objects are introduced in the "extra" objects that we append, which map
roughly to the ELF derivation and CapDL filters.
Separating the two collections of objects gives us some nice preserved
properties that can be shown over generation from an abstract input. In
particular, we can phrase some provable properties that are resilient against
things like changes in compiler optimisation levels and allocation strategies.
These theories construct a locale with holes that are filled in by generated
code. Interpreting the locale manually is quite tedious and error prone, but we
entirely automate this process during code generation. For the details of this,
see the CAmkES 'architecture-semantics' and 'label-mapping' back ends.
This brings the architectural model in line with the current implementation by
making the following adjustments:
- Remove "trait" terminology and replace with "procedure." This was already
done in the datatypes, but had not been updated in the accompanying text.
- Remove both fixed size and NULL-terminated arrays and replace with the more
recent arbitrary sized arrays. Neither of the former are supported, but can
now be emulated if necessary.
- Remove references to `RPCEvent` and `DirectCall` connectors. `RPCEvent` no
longer exists and `DirectCall`, while still present, introduces complexities
that are not adequately explained in the context of this document.
- Remove legacy comments.
- Various typo fixes.
Matthew Brecknell
Alejandro Gomez-Londono
Gerwin Klein
Thomas Sewell
Xin,Gao
Matthew Brecknell
Japheth Lim
Miki Tanaka
Joel Beeren
Matthew Fernandez