lh-l4v/proof/crefine
Thomas Sewell 9b01fada15 Refine working. 2014-08-11 18:51:04 +10:00
ADT_C.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
Arch_C.thy Refine working. 2014-08-11 18:51:04 +10:00
BuildRefineCache_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
CACHE.ML Import release snapshot. 2014-07-14 21:32:44 +02:00
CLevityCatch.thy remove old levity and taint-mode comments 2014-07-22 18:10:28 +02:00
CREGRESSION_S.ML Import release snapshot. 2014-07-14 21:32:44 +02:00
CSpaceAcc_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
CSpace_All.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
CSpace_C.thy Refine working. 2014-08-11 18:51:04 +10:00
CSpace_RAB_C.thy comment cleanup 2014-07-22 18:10:20 +02:00
Cache.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Delete_C.thy Refine working. 2014-08-11 18:51:04 +10:00
DetWP.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
Detype_C.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
Fastpath_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Finalise_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Include_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Init_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Interrupt_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Invoke_C.thy Refine working. 2014-08-11 18:51:04 +10:00
IpcCancel_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Ipc_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Machine_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Move.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
PSpace_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
README.md misc: Proofing and formatting of README.md files. 2014-07-28 13:15:48 +10:00
Recycle_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Refine_C.thy option_map_def -> map_option_case for 2014-RC0 2014-08-09 21:09:37 +10:00
Refine_nondet_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Retype_C.thy Refine working. 2014-08-11 18:51:04 +10:00
SR_lemmas_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Schedule_C.thy comment cleanup 2014-07-22 18:10:20 +02:00
StateRelation_C.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
StoreWord_C.thy Proof updates, working as far as AInvs. 2014-08-11 14:50:56 +10:00
SyscallArgs_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Syscall_C.thy Refine working. 2014-08-11 18:51:04 +10:00
TcbAcc_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
TcbQueue_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Tcb_C.thy Refine working. 2014-08-11 18:51:04 +10:00
VSpace_C.thy Refine working. 2014-08-11 18:51:04 +10:00
Wellformed_C.thy some of the global Isabelle2014 renames 2014-08-09 15:39:20 +10:00
ccorres-underlying.ML Import release snapshot. 2014-07-14 21:32:44 +02:00

README.md

C Refinement Proof

This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification and, transitively (using the results of the Design Spec Refinement Proof), also a formal refinement of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.

The approach used for the proof is described in the TPHOLS '09 [paper][5].

Building

To build from the l4v/proof directory, run:

make CRefine

Important Theories

The top-level theory where the refinement statement is established over the entire kernel is Refine_C; the state-relation that relates the state-spaces of the two specifications is defined in StateRelation_C.

Note that this proof deals with two C-level semantics of seL4: one produced directly by the C parser from the kernel's C code, and another produced by the C spec's Substitute theory. These proofs largely operate on the latter, proving that it corresponds to the design spec. Refinement between the two C-level specs is proved in the CToCRefine theory. The top-level Refine_C theory quotes both refinement properties.