lh-l4v/proof/refine
Gerwin Klein 6418bda962 aarch64/riscv/x64: remove findVSpaceForASIDAssert
findVSpaceForASIDAssert is needed for modeling the hardware ASID lookup
on ARM. None of AARCH64, RISCV64, or X64 uses that mechanism and the
function is unused. There are some proofs about it, but those are unused
as well. This commit removes all of these.

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2022-04-20 09:16:19 +10:00
Name        Last commit                                          Date
ARM         refine: speed up CSpace1_R+CSpace_R proofs           2022-04-19 15:27:44 +10:00
ARM_HYP     refine: speed up CSpace1_R+CSpace_R proofs           2022-04-19 15:27:44 +10:00
RISCV64     aarch64/riscv/x64: remove findVSpaceForASIDAssert    2022-04-20 09:16:19 +10:00
X64         aarch64/riscv/x64: remove findVSpaceForASIDAssert    2022-04-20 09:16:19 +10:00
base        refine: session directories for Isabelle2020         2020-10-27 15:52:31 +10:00
Move_R.thy  refine: move invariant field update lemmas           2021-03-11 10:42:49 +11:00
README.md   READMEs: fix publication links                       2021-08-25 11:22:05 +10:00

README.md

Design Spec Refinement Proof

This proof establishes that seL4's design specification is a formal refinement (i.e. a correct implementation) of its abstract specification. The proof also interweaves the definition and proof of the global invariant for the design specification, and builds on the Abstract Spec Invariant Proof. It is described in the TPHOLs '08 paper.

Building

Make sure that the L4V_ARCH environment variable is set to the desired target architecture. If in doubt, use L4V_ARCH=ARM.

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b Refine

Important Theories

The top-level theory in which the refinement statement is established over the entire kernel is Refine. The state relation that connects the state spaces of the two specifications is defined in StateRelation, and the basic correspondence property proved for each kernel function is defined in Corres.