lh-l4v/sys-init
Gerwin Klein 47119bf43e wp_cleanup: update proofs for new wp behaviour
The things that usually go wrong:
  - wp fall through: add +, e.g.
      apply (wp select_wp) -> apply (wp select_wp)+

  - precondition: you can remove most hoare_pre, but wpc still needs it, and
    sometimes the wp instance relies on being able to fit a rule to the
    current non-schematic precondition. In that case, use "including no_pre"
    to switch off the automatic hoare_pre application.

  - very rarely there is a schematic postcondition that interferes with the
    new trivial cleanup rules, because the rest of the script assumes some
    specific state afterwards (shouldn't happen in a reasonable proof, but
    not all proofs are reasonable..). In that case, (wp_once ...)+ should
    emulate the old behaviour precisely.
2017-01-13 14:04:15 +01:00
CreateIRQCaps_SI.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
CreateObjects_SI.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
DuplicateCaps_SI.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
ExampleSpecIRQ_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
ExampleSpec_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
InitCSpace_SI.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
InitIRQ_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
InitTCB_SI.thy SELFOUR-421: fix coding style 2016-09-22 19:23:28 +10:00
InitVSpace_SI.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Makefile Import release snapshot. 2014-07-14 21:32:44 +02:00
ObjectInitialised_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
Proof_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
README.md misc: Proofing and formatting of README.md files. 2014-07-28 13:15:48 +10:00
ROOT Import release snapshot. 2014-07-14 21:32:44 +02:00
RootTask_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
StartThreads_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
SysInit_SI.thy capDL: remove duplicate wordbits 2016-05-16 21:11:40 +10:00
WellFormed_SI.thy Isabelle2016-1: update references to renamed constants and facts 2017-01-05 14:23:05 +11:00
tests.xml regression: bump timeouts further. All timeouts now multiples of 1hr. 2016-02-22 17:38:35 +11:00

README.md

CapDL User-level system initialiser

This directory contains a formalised algorithm, and the proof of its correctness, for a user-level system initialiser that uses capDL to specify the state of the resultant system.

It builds on the CapDL API Proofs, and uses a separation logic defined for capDL.

The system initialiser and the proof are described in the ICFEM '13 paper and Andrew Boyton's PhD thesis.

Building

To build from the l4v/ directory, run:

make SysInit

To build the example capDL specifications, from the l4v/ directory, run:

make SysInitExamples

Important Theories

  • The specification for the algorithm of the system initialiser is in SysInit_SI.

  • The top-level statement of the correctness of the system initialiser is found in Proof_SI.

  • The definition of what it means for an object to be initialised (object_initialised and irq_initialised) is found in ObjectInitialised_SI.

  • Only "well-formed" capDL specifications can be initialised. The definition of well-formed is located in WellFormed_SI.

  • Two example capDL specifications that are "well-formed" are found in ExampleSpec_SI and ExampleSpecIRQ_SI. The former is a simple capDL spec, and the latter a more complicated specification with IRQ support.