Also includes fixes to specs and invariants, and initial progress
towards C refinement.
A thread's maximum controlled priority (MCP) determines the maximum
thread priority or MCP it can assign to another thread (or itself).
This proof establishes that seL4's design specification
is a formal refinement (i.e. a correct implementation) of its
abstract specification. This proof also
interweaves the definition and proofs of the global invariant for the
design specification, and builds on the Abstract Spec Invariant
Proof. It is described in the TPHOLS '08
paper.
Building
To build from the l4v/ directory, run:
./isabelle/bin/isabelle build -d . -v -b Refine
Important Theories
The top-level theory where the refinement statement is established over
the entire kernel is Refine; the state-relation that
relates the state-spaces of the two specifications is defined in
StateRelation and the basic correspondence
property proved over each kernel function is defined in
Corres.