ab259704c7
* Context : We would like to prove that, for ARM_HYP architecture, the current vcpu is always the vcpu associated to the current thread. See issue https://jira.csiro.au/browse/VER-770 and PR 291 http://bitbucket.keg.ertos.in.nicta.com.au/projects/SEL4/repos/l4v/pull-requests/291 In this process, we changed the definition of `idle_tcb_at` * In this commit : Update some proofs in access, infoflow and drefine to take the new definition of `idle_tcb_at` into account. |
||
|---|---|---|
| .. | ||
| Arch_DR.thy | ||
| CNode_DR.thy | ||
| Corres_D.thy | ||
| Finalise_DR.thy | ||
| Include_D.thy | ||
| Intent_DR.thy | ||
| Interrupt_DR.thy | ||
| Ipc_DR.thy | ||
| KHeap_DR.thy | ||
| Lemmas_D.thy | ||
| MoreCorres.thy | ||
| MoreHOL.thy | ||
| README.md | ||
| Refine_D.thy | ||
| Schedule_DR.thy | ||
| StateTranslationProofs_DR.thy | ||
| StateTranslation_D.thy | ||
| Syscall_DR.thy | ||
| Tcb_DR.thy | ||
| Untyped_DR.thy | ||
README.md
CapDL Refinement Proof
This proof establishes that seL4's abstract specification is a formal refinement (i.e. a correct implementation) of its capDL specification. It is described as part of an ICFEM '13 paper.
Building
To build from the l4v/ directory, run:
./isabelle/bin/isabelle build -d . -v -b DRefine
Important Theories
The top-level theory where the refinement statement is established over
the entire kernel is Refine_D; the state-relation that
relates the state-spaces of the two specifications is defined in
StateTranslation_D and the basic
correspondence property proved over each kernel function is defined in
Corres_D.