Latest commit d735f9aca1: Was shadowing one I added to clib.

Files:
ADT_C.thy
Arch_C.thy
AutoCorresTest.thy
AutoCorres_C.thy
BuildRefineCache_C.thy
CACHE.ML
CLevityCatch.thy
CSpaceAcc_C.thy
CSpace_All.thy
CSpace_C.thy
CSpace_RAB_C.thy
Cache.thy
Delete_C.thy
DetWP.thy
Detype_C.thy
Fastpath_C.thy
Finalise_C.thy
Include_C.thy
Init_C.thy
Interrupt_C.thy
Invoke_C.thy
IpcCancel_C.thy
Ipc_C.thy
Machine_C.thy
Move.thy
PSpace_C.thy
README.md
Recycle_C.thy
Refine_C.thy
Refine_nondet_C.thy
Retype_C.thy
SR_lemmas_C.thy
Schedule_C.thy
StateRelation_C.thy
StoreWord_C.thy
SyscallArgs_C.thy
Syscall_C.thy
TcbAcc_C.thy
TcbQueue_C.thy
Tcb_C.thy
VSpace_C.thy
Wellformed_C.thy
README.md
C Refinement Proof
This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification and, transitively (using the results of the Design Spec Refinement Proof), seL4's C code is also a formal refinement of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.
The approach used for the proof is described in the TPHOLs '09 [paper][5].
Building
To build from the l4v/proof directory, run:
make CRefine
Important Theories
The top-level theory where the refinement statement is established over the entire kernel is Refine_C; the state-relation that relates the state-spaces of the two specifications is defined in StateRelation_C.
Note that this proof deals with two C-level semantics of seL4: one produced directly by the C parser from the kernel's C code, and another produced by the C spec's Substitute theory. These proofs largely operate on the latter, proving that it corresponds to the design spec. Refinement between the two C-level specs is proved in the CToCRefine theory.
The top-level Refine_C theory quotes both refinement properties.