lh-l4v/proof/bisim
Joel Beeren 4601f2a1ab Genericise deletion actions that occur after empty_slot
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).

By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
2018-02-23 09:12:55 +11:00
document Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
README.md terminology in comments: async ep -> notifications 2015-11-24 16:58:22 +13:00
Separation.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Syscall_S.thy Genericise deletion actions that occur after empty_slot 2018-02-23 09:12:55 +11:00

README.md

Separation Kernel Bisimilarity

This proof establishes that seL4, if configured fully statically with 1-level CSpaces and notification caps only, is bisimilar to a static separation kernel that offers no system calls other than signalling notifications.
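For readers unfamiliar with the term, the standard notion of bisimilarity for labelled transition systems is stated below as an added illustration; it is not the relation from the proof itself (the concrete relation between seL4 and the static kernel is set up in theory Syscall_S), and the label set is an assumption used here only to make the definition concrete.

Let the two systems have state sets $S_1$ (seL4 in a static configuration) and $S_2$ (the static separation kernel), with transition relations $\xrightarrow{a}_1 \subseteq S_1 \times S_1$ and $\xrightarrow{a}_2 \subseteq S_2 \times S_2$ over a common set of observable labels $a \in A$ (assumed here to be the events both models expose, such as signalling a notification). A relation $R \subseteq S_1 \times S_2$ is a bisimulation if for all $(s, t) \in R$ and all $a \in A$:

$$
s \xrightarrow{a}_1 s' \;\Rightarrow\; \exists t'.\; t \xrightarrow{a}_2 t' \,\wedge\, (s', t') \in R
$$

$$
t \xrightarrow{a}_2 t' \;\Rightarrow\; \exists s'.\; s \xrightarrow{a}_1 s' \,\wedge\, (s', t') \in R
$$

States $s$ and $t$ are bisimilar, written $s \sim t$, iff some bisimulation $R$ contains $(s, t)$. Bisimilarity is the largest bisimulation (the union of all bisimulations is itself a bisimulation). The claim above is then that, for every configuration admitted by theory Separation, the corresponding initial states of the two kernels are related by such an $R$, so neither side can make an observable step the other cannot match.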

Building

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b Bisim

Important Theories

Theory Separation defines static configurations, and theory Syscall_S contains the proof that seL4 in such a configuration is bisimilar to the static kernel.

The definition of a static kernel API can be found in the spec directory under sep-abstract.