lsf37
commented
4 months ago An alternative would be to remove the behaviour part of DSpec entirely, remove all of DRefine, and directly prove capDL separation logic properties about the parts of the kernel API that are used by the initialiser. This would essentially fuse the refinement proof with the capDL-api proofs.
This would have the advantage that state that is currently invisible to the initialiser proof, such as TCB priorities, becomes accessible in that proof, because the full ASpec state is accessible.
The downside of this alternative is that it is a much larger proof change.
corlewis
Currently
DSpechas capDL behaviour for most operations in the kernel, including granting caps via IPC and other operations that the system initialiser does not use. Although we had more plans for capDL than that, the only current use forDSpecis the system initialiser and it seems unlikely that more will materialise, because user-level reasoning with actual kernel behaviour is more useful directly on theASpeclevel.One way to reduce proof size and maintenance overhead would be to replace specified behaviour in
DSpecfor these operations with non-determinism instead so that anyASpecbehaviour will still refineDSpecby trivial refinement, essentially removing that refinement proof. As a consequence, one would no longer be able to reason about such kernel invocations on the capDL level -- but if the system initialiser is the only use case, we never have to.We should investigate how much of the refinement proof in
DRefinethat would eliminate (= how many kernel invocations have a capDL specification, but are not used in the initialiser, and how much proof in DRefine those invocations correspond to).We should also investigate if there are any other use cases or planned system initialiser extensions that would need such behaviour before we remove any.