adbrucker
/
lh-l4v
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lh-l4v/spec/abstract
History
Michael McInerney 26fdedad4d ainvs, spec: changes to remove errors for Isabelle 2019 update 2019-06-13 16:22:33 +10:00
..
ARM ainvs, spec: changes to remove errors for Isabelle 2019 update 2019-06-13 16:22:33 +10:00
ARM_HYP ainvs, spec: changes to remove errors for Isabelle 2019 update 2019-06-13 16:22:33 +10:00
RISCV64 SELFOUR-1198: update proofs for correct restart PC 2019-06-13 11:43:50 +10:00
X64 ainvs, spec: changes to remove errors for Isabelle 2019 update 2019-06-13 16:22:33 +10:00
document riscv aspec: implement abstract spec for RISCV64 2018-09-07 08:13:13 +10:00
CSpaceAcc_A.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
CSpace_A.thy aspec: avoid manual proof for rec_del definition 2018-12-18 14:50:54 +11:00
CapRights_A.thy aspec: Update ASpec for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
Decode_A.thy aspec: Update ASpec for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
Deterministic_A.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
ExceptionTypes_A.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Exceptions_A.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Glossary_Doc.thy manually adjust non-obvious cases of tab to space replacement 2017-10-20 14:22:36 +11:00
Interrupt_A.thy aspec: clean up comments + warnings 2018-10-25 12:54:02 +11:00
Intro_Doc.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
InvocationLabels_A.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
Invocations_A.thy aspec: Update ASpec for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
IpcCancel_A.thy SELFOUR-1198: update proofs for correct restart PC 2019-06-13 11:43:50 +10:00
Ipc_A.thy aspec: Fix send_fault_ipc to call send_ipc with is_call at true 2018-12-10 20:01:37 +11:00
KHeap_A.thy aspec: move type checking assert to set_object 2019-04-18 14:32:08 +10:00
KernelInit_A.thy Isabelle2018: new "op x" syntax; now is "(x)" 2018-08-20 09:06:35 +10:00
MiscMachine_A.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
README.md lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00
Retype_A.thy aspec: clean up comments + warnings 2018-10-25 12:54:02 +11:00
Schedule_A.thy aspec: clean up comments + warnings 2018-10-25 12:54:02 +11:00
Structures_A.thy aspec + arm ainvs: Update mask_rights to mask master reply caps 2018-12-10 20:01:37 +11:00
Syscall_A.thy aspec: Update ASpec for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
TcbAcc_A.thy Isabelle2018: new "op x" syntax; now is "(x)" 2018-08-20 09:06:35 +10:00
Tcb_A.thy aspec: Update ASpec for GrantReply (SELFOUR-6) 2018-12-10 20:01:37 +11:00
VMRights_A.thy aspec: move up mask_vm_rights, make arch independent 2018-08-06 11:22:50 +10:00

README.md

The Abstract Specification of seL4

l4v/spec/abstract/

This directory contains the main Isabelle sources of the seL4 abstract specification. The specification draws in additional interface files from design and machine.

The specification is written in monadic style. See l4v/lib/Monad_WP/NonDetMonad for the definition of this monad.

Top-Level Theory

The top-level theory file that draws the whole specification together is Syscall_A, the top-level function in that theory is call_kernel.

This top-level function defines in-kernel behaviour. Later in the proof, in particular in invariant-abstract, this function is further wrapped in an automaton that describes system behaviour.

Entry Points

Two useful entry points for browsing the abstract specification are the theories Structures_A and ARM_Structs_A. They define the state space of the kernel model, including what capabilities and kernel objects are.

The theories Invocations_A and ArchInvocation_A define datatypes for the capability invocations/operations the kernel understands.

Most theories are named after the subsystem of the kernel they specify.

Building

The corresponding Isabelle session is ASpec. It is set up to build a human-readable PDF document. Glossary_Doc contains definitions of common seL4 terms.

To build, run in directory l4v/spec:

make ASpec

Remarks

  • Note that this specification is actually an extensible family of specifications, with predefined extension points. These points can either be left generic, as for most of the abstract invariant proofs, or they can be instantiated to more precise behaviour, such as in the theory Deterministic_A, which is used for the information flow proofs.

  • The theory Init_A does not define real kernel initialisation. Instead it is a dummy initial state for the kernel to demonstrate non-emptiness of abstract kernel invariants.

  • KernelInit_A is a paused project and not currently included in the rest of the specification.