This patch adds a generic "post_cap_deletion" step that is called by finalise_slot. Previous to this, the only caps which had actions required at this stage were IRQHandlerCaps -- it was required that the IRQ bitmap be updated after the cap itself was removed (as the invariants state that for any existing IRQHandlerCap, the corresponding bit in the IRQ bitmap must be set). By genericising this, we add the capacity for new, arch-specific post cap deletion actions to occur in the future.
Directory contents: ARM, ARM_HYP, X64, README.md

README.md
C Refinement Proof
This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification and, transitively (using the results of the Design Spec Refinement Proof), of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.
The approach used for the proof is described in the TPHOLS '09 [paper][5].
Building
To build from the l4v/proof directory, run:

make CRefine

If you wish to build for a specific architecture other than the default, set your L4V_ARCH environment variable accordingly, as documented for the C code translation.
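As an added example (not part of the l4v README or build system), the following POSIX shell wrapper checks that L4V_ARCH names one of the architecture directories listed on this page (ARM, ARM_HYP, X64) before running the make target from l4v/proof; the L4V_PROOF_DIR variable it reads is an assumption of this example, not something the project defines.

```shell
# Added example, not l4v project code: validate L4V_ARCH against the
# crefine architecture directories listed on this page, then build.

# Architectures with a crefine subdirectory according to this page.
CREFINE_ARCHES="ARM ARM_HYP X64"

# check_l4v_arch ARCH: returns 0 if ARCH is a listed architecture, 1 otherwise.
check_l4v_arch() {
    arch="$1"
    [ -n "$arch" ] || return 1
    for a in $CREFINE_ARCHES; do
        [ "$a" = "$arch" ] && return 0
    done
    return 1
}

# crefine_make_cmd ARCH: prints the command to run from l4v/proof, or
# fails with a message naming the accepted values.
crefine_make_cmd() {
    if ! check_l4v_arch "$1"; then
        echo "unsupported L4V_ARCH: '$1' (expected one of: $CREFINE_ARCHES)" >&2
        return 1
    fi
    printf 'L4V_ARCH=%s make CRefine\n' "$1"
}

# build_crefine [ARCH]: validate the architecture (defaulting to $L4V_ARCH)
# and run `make CRefine` in L4V_PROOF_DIR (assumed variable; defaults to the
# current directory, which must be l4v/proof). Runs in a subshell so the
# caller's working directory is unchanged.
build_crefine() {
    arch="${1:-$L4V_ARCH}"
    crefine_make_cmd "$arch" >/dev/null || return 1
    ( cd "${L4V_PROOF_DIR:-.}" && env L4V_ARCH="$arch" make CRefine )
}
```

A typical invocation from l4v/proof is `build_crefine X64`; an unlisted value such as an unknown architecture name is rejected before make is started.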
Important Theories
The top-level theory where the refinement statement is established over the entire kernel is Refine_C; the state relation that relates the state spaces of the two specifications is defined in StateRelation_C.
Note that this proof deals with two C-level semantics of seL4: one produced directly by the C parser from the kernel's C code, and another produced by the C spec's Substitute theory. These proofs largely operate on the latter, proving that it corresponds to the design spec. Refinement between the two C-level specs is proved in the CToCRefine theory.

The top-level Refine_C theory quotes both refinement properties.