52b4ba5091
- add ghost state corresponding to gsPTTypes in Haskell and ASpec - add ghost type comments - style update for old definitions since we need to touch most of these - define vs/pt_array_len for use in C annotations - make NormalPT_T/VSRootPT_T names available for use in C annotations Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems> |
||
|---|---|---|
| .. | ||
| AARCH64 | ||
| ARM | ||
| ARM_HYP | ||
| RISCV64 | ||
| X64 | ||
| document | ||
| CSpaceAcc_A.thy | ||
| CSpace_A.thy | ||
| CapRights_A.thy | ||
| Decode_A.thy | ||
| Deterministic_A.thy | ||
| ExceptionTypes_A.thy | ||
| Exceptions_A.thy | ||
| Glossary_Doc.thy | ||
| Interrupt_A.thy | ||
| Intro_Doc.thy | ||
| InvocationLabels_A.thy | ||
| Invocations_A.thy | ||
| IpcCancel_A.thy | ||
| Ipc_A.thy | ||
| KHeap_A.thy | ||
| KernelInit_A.thy | ||
| MiscMachine_A.thy | ||
| README.md | ||
| Retype_A.thy | ||
| Schedule_A.thy | ||
| Structures_A.thy | ||
| Syscall_A.thy | ||
| TcbAcc_A.thy | ||
| Tcb_A.thy | ||
| VMRights_A.thy | ||
README.md
The Abstract Specification of seL4
l4v/spec/abstract/
This directory contains the main Isabelle sources of the seL4 abstract
specification. The specification draws in additional interface files from
design and machine.
The specification is written in monadic style. See
l4v/lib/Monads/NonDetMonad for the definition of this monad.
Top-Level Theory
The top-level theory file that draws the whole specification together is
Syscall_A, the top-level function in that theory is call_kernel.
This top-level function defines in-kernel behaviour. Later in the proof,
in particular in invariant-abstract, this function is further wrapped
in an automaton that describes system behaviour.
Entry Points
Two useful entry points for browsing the abstract specification are the
theories Structures_A and ARM_Structs_A. They define the state space
of the kernel model, including what capabilities and kernel objects are.
The theories Invocations_A and ArchInvocation_A define datatypes for
the capability invocations/operations the kernel understands.
Most theories are named after the subsystem of the kernel they specify.
Building
The corresponding Isabelle session is ASpec. It is set up to build a
human-readable PDF document. Glossary_Doc contains definitions of common
seL4 terms.
To build, run in directory l4v/:
L4V_ARCH=ARM ./run_test ASpec
Remarks
-
Note that this specification is actually an extensible family of specifications, with predefined extension points. These points can either be left generic, as for most of the abstract invariant proofs, or they can be instantiated to more precise behaviour, such as in the theory
Deterministic_A, which is used for the information flow proofs. -
The theory
Init_Adoes not define real kernel initialisation. Instead it is a dummy initial state for the kernel to demonstrate non-emptiness of abstract kernel invariants. -
KernelInit_Ais a paused project and not currently included in the rest of the specification.