Instead of hardcoding basic C types, this passes most of them along as
uninterpreted strings. This allows typedefs such as time_t or ssize_t
to be used, without requiring the formal model to recognise them.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turn means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
This patch generalises the mapping between authority labels and
scheduler domains, so that the access-control integrity property still
holds when labels are not partitioned into domains. This lets us use
the integrity result on systems that don't use the domain scheduler.
The information flow proofs still rely on the domain partitioning,
hence we add constraints on the label-domain mapping for the info-flow
results to hold.
Jira VER-945
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable...). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
To restore some previous functionality, add a mechanism by which an __asm__
statement too complex to be translated can still be ignored (handled as an
empty statement). A demo file does this for a wrapper around "nop".
Also use this facility to support legacy camkes-glue proofs which assume
that the software interrupt operator "swi" doesn't break anything.
Isabelle LaTeX style files use old font commands \bf, \rm, \tt, etc.
However, newer versions of some LaTeX document classes (e.g. scrbook)
have removed support for these commands. This brings back those
commands for documents built with isabelle.sty.
Moves some unnecessary stuff out of the locale and now specifies the label type
as `string` rather than a locale parameter. The purpose of the latter is to
allow us to talk about concrete labels rather than continually falling back on
the user's projection, but it's not clear yet whether this is a big win.
These were phrased as slots containing NULL caps, but the translation of CapDL
specifications into Isabelle actually just restricts the domain of the
underlying capability map. This is much cleaner and we now have exact
equivalence.
This connection actually uses read/write caps on both sides because it is
implemented using Send and Wait. It may be worthwhile modelling seL4RPCCall
(which is implemented using Call and ReplyWait) as well. This would be a
trivial extension.
CAmkES deliberately skips over CSlot 0 when allocating caps to allow typos and
misallocations to be more easily detected. This commit captures this logic in
the generator function.
Previously, the CapDL-generating function assumed a CNode size of 12 bits for
each component instance, though this was known to be inaccurate. In the
implementation of CAmkES, the code generator calculates the minimum required
size of each CNode on the fly. This commit updates the formalised generator to
perform the same calculation. The calculation is currently written in terms of
the `LEAST` binder, which as it turns out is sometimes awkward to reason about.
It may be worthwhile rephrasing this in future.
The CapDL translation tools produce threads with an undefined intent, rather
than no intent. This commit modifies the CAmkES generation to do the same to
ease the correspondence proof.
Presumably this is only the case for when there are no assigned interrupts in
the system. These theories will need some tweaking to support systems with
interrupts.
Current example systems do not involve hardware interrupts, but each interrupt
in such a system is represented in CapDL as an empty single-slot CNode. We need
to note their existence or the final correspondence proof becomes tricky. This
commit adds support for (assumed empty) IRQ CNodes and pushes this through the
existing proofs. The generated label mapping will need some associated updates
following this.
This is a relatively straightforward property, but shows that CAmkES systems
fall into a constrained class of seL4 systems that are easier to reason
about. In particular, a lack of caps to more dynamic objects like untypeds
guarantees a tighter seL4 worst case execution time and an absence of many
possible dynamic behaviours.
We prove this property across all CapDL specifications produced by the high-level
generator, rather than on a concrete specification. In this way, we can
do the proof manually once and for all.