History

Miki Tanaka 3841b6e8ba arm : add AEndpoint and ANTFN a_type simplification in addition to the a_type ATCB simplification, the following two are now in the simpset: "a_type (Endpoint x) = AEndpoint" "a_type (Notification v) = ANTFN"		2017-12-14 07:17:27 +11:00
..
ARM	arm : add AEndpoint and ANTFN a_type simplification	2017-12-14 07:17:27 +11:00
ARM_HYP	VER-849: abstractly declare a threads registers have changed	2017-12-13 12:13:36 +11:00
X64	VER-853: put arch_check_irq into the Arch locale, and update x64 to match C	2017-12-13 12:13:36 +11:00
README.md	move refine/* to refine/ARM/*, parametrise over $L4V_ARCH	2017-01-30 12:22:22 +11:00

README.md

Design Spec Refinement Proof

This proof establishes that seL4's design specification is a formal refinement (i.e. a correct implementation) of its abstract specification. This proof also interweaves the definition and proofs of the global invariant for the design specification, and builds on the Abstract Spec Invariant Proof. It is described in the TPHOLS '08 paper.

Building

Make sure that the L4V_ARCH environment variable is set to the desired target architecture. If in doubt, use L4V_ARCH=ARM.

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b Refine

Important Theories

The top-level theory where the refinement statement is established over the entire kernel is Refine; the state-relation that relates the state-spaces of the two specifications is defined in StateRelation and the basic correspondence property proved over each kernel function is defined in Corres.