4463e9750e
Fixes a case where a thread can go from Running->Inactive->Restart and use a restart PC that is out of date. An out of date restart PC occurs when a thread was transitioned to running after being in a blocked state, but was never scheduled and so did not execute the traps code that updates the restart PC. This also renames relevant register names for consistency across architectures (FaultIP and NextIP). |
||
|---|---|---|
| .. | ||
| ARM | ||
| ARM_HYP | ||
| X64 | ||
| lib | ||
| README.md | ||
README.md
C Refinement Proof
This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification and, transitively (using the results of the Design Spec Refinement Proof) seL4's C code is also a formal refinement of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.
The approach used for the proof is described in the TPHOLS '09 [paper][5].
Building
To build from the l4v/proof directory, run:
make CRefine
If you wish to build for a specific architecture other than the default, set
your L4V_ARCH environment variable accordingly, as documented for the C code
translation.
Important Theories
The top-level theory where the refinement statement is established over
the entire kernel is Refine_C; the state-relation that
relates the state-spaces of the two specifications is defined in
StateRelation_C.
Note that this proof deals with two C-level semantics of seL4: one
produced directly by the C parser from the kernel's C code, and another
produced by the C spec's Substitute
theory. These proofs largely operate on the latter, proving that it
corresponds to the design spec. Refinement between the two C-level specs
is proved in the CToCRefine theory.
The top-level Refine_C theory quotes both refinement
properties.