The low-level specification roughly maps to the code generator and template
instantiation phases of CAmkES. At this point no address space objects exist
(excepting slight infidelity with respect to page directories). The address
space objects are introduced in the "extra" objects that we append, which map
roughly to the ELF derivation and CapDL filters.
Separating the two collections of objects gives us some nice preserved
properties that can be shown over generation from an abstract input. In
particular, we can phrase some provable properties that are resilient against
things like changes in compiler optimisation levels and allocation strategies.
These theories construct a locale with holes that are filled in by generated
code. Interpreting the locale manually is quite tedious and error prone, but we
entirely automate this process during code generation. For the details of this,
see the CAmkES 'architecture-semantics' and 'label-mapping' back ends.
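As an added illustration of the "locale with holes" pattern described above (this is a generic Isabelle/HOL sketch, not code from l4v or the CAmkES back ends; the names `label_map`, `lbl`, `objs` and `gen` are invented for the example): the theory fixes parameters and assumptions it cannot know in advance, proves lemmas against them once, and the generator's output consists only of concrete witnesses plus a discharge of the assumptions.

```isabelle
theory Locale_Holes
  imports Main
begin

(* The "holes": parameters and assumptions left open, to be filled
   by generated code. Names are hypothetical, chosen for this example. *)
locale label_map =
  fixes lbl  :: "nat ⇒ string"   (* label assigned to each object *)
    and objs :: "nat set"        (* the objects the generator emits *)
  assumes finite_objs: "finite objs"
begin

(* Proved once, generically, over the holes; every interpretation
   inherits it without re-proving anything. *)
lemma finite_labels: "finite (lbl ` objs)"
  by (intro finite_imageI finite_objs)

end

(* What a code generator would emit: concrete witnesses for the
   holes, plus a proof that the locale assumptions hold for them.
   Here the witnesses are constructed dummy values. *)
interpretation gen: label_map "λn. ''obj''" "{0, 1, 2}"
  by unfold_locales simp

(* The generic lemma is now available for the concrete instance. *)
thm gen.finite_labels

end
```

The point of automating this step is visible in the `interpretation` line: only the two witnesses and the discharge of `finite_objs` depend on the generated system, so a change in allocation strategy or compiler flags changes the witnesses without touching the lemmas proved inside the locale.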
This brings the architectural model in line with the current implementation by
making the following adjustments:
- Remove "trait" terminology and replace with "procedure." This was already
done in the datatypes, but had not been updated in the accompanying text.
- Remove both fixed size and NULL-terminated arrays and replace with the more
recent arbitrary sized arrays. Neither of the former is supported, but both can
now be emulated if necessary.
- Remove references to `RPCEvent` and `DirectCall` connectors. `RPCEvent` no
longer exists and `DirectCall`, while still present, introduces complexities
that are not adequately explained in the context of this document.
- Remove legacy comments.
- Various typo fixes.
These kinds of properties are required for future reasoning about glue code
marshalling and unmarshalling. However, almost any lemma we need about libsel4
is desirable for any user-level program on seL4. Nothing is particularly
compositional right now, which isn't too much of a problem for CAmkES where
we're generating proofs, but anyone else who wants to use this is stuck with
copy-and-paste.
JIRA: VER-159
The only major change is that "embed" is now a constant in HOL, removing
it from the set of valid names for free variables.
Have renamed uses of "embed" to "embed_data"; a better name could
probably be chosen by someone more familiar with the code.