lh-l4v/proof/crefine
Gerwin Klein f0faa90f8a lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00
ADT_C.thy arch_split: CRefine checking 2016-05-04 15:07:51 +10:00
Arch_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
BuildRefineCache_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
CACHE.ML Import release snapshot. 2014-07-14 21:32:44 +02:00
CLevityCatch.thy arch_split: CRefine checking up to StoreWord_C 2016-05-01 13:35:49 +10:00
CREGRESSION_S.ML Import release snapshot. 2014-07-14 21:32:44 +02:00
CSpaceAcc_C.thy conversion: Rationalise standard types 2015-12-10 21:24:22 +11:00
CSpace_All.thy Further work on array assertions. 2015-12-02 09:07:15 +11:00
CSpace_C.thy lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00
CSpace_RAB_C.thy conversion: Rationalise standard types 2015-12-10 21:24:22 +11:00
Cache.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Delete_C.thy lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00
DetWP.thy arch_split: CRefine checking up to StoreWord_C 2016-05-01 13:35:49 +10:00
Detype_C.thy arch_split: fix crefine up to Interrupt_C 2016-01-20 14:42:36 +11:00
Fastpath_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
Finalise_C.thy arch_split: CRefine checking up to Recycle_C 2016-05-03 14:01:20 +10:00
Include_C.thy Import release snapshot. 2014-07-14 21:32:44 +02:00
Init_C.thy abstract Haskell init parameters into constants 2014-11-06 18:48:36 +11:00
Interrupt_C.thy arch_split: CRefine checking 2016-05-04 15:07:51 +10:00
Invoke_C.thy arch_split: CRefine checking 2016-05-04 15:07:51 +10:00
IpcCancel_C.thy SELFOUR-56: Remove diminish rights from IPC 2016-02-24 13:24:10 +11:00
Ipc_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
Machine_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
Move.thy Further work on array assertions. 2015-12-02 09:07:15 +11:00
PSpace_C.thy Partial progress on using array assertions. 2015-12-02 09:05:04 +11:00
README.md misc: Proofing and formatting of README.md files. 2014-07-28 13:15:48 +10:00
Recycle_C.thy lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00
Refine_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
Refine_nondet_C.thy abstract Haskell init parameters into constants 2014-11-06 18:48:36 +11:00
Retype_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
SR_lemmas_C.thy arch_split: CRefine checking up to StoreWord_C 2016-05-01 13:35:49 +10:00
Schedule_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
StateRelation_C.thy trivial: add a FIXME comment 2016-05-09 16:21:34 +10:00
StoreWord_C.thy crefine: 2015 update up to Tcb_C 2015-05-18 09:11:43 +10:00
SyscallArgs_C.thy arch_split: CRefine checking up to Recycle_C 2016-05-03 14:01:20 +10:00
Syscall_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
TcbAcc_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
TcbQueue_C.thy arch_split: fix crefine up to Interrupt_C 2016-01-20 14:42:36 +11:00
Tcb_C.thy lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00
VSpace_C.thy arch_split: CRefine: use requalify instead of shadow 2016-05-06 08:59:33 +10:00
Wellformed_C.thy lib/spec/proof/tools: fix word change fallout 2016-05-16 21:11:40 +10:00

README.md

C Refinement Proof

This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification. Transitively, using the results of the Design Spec Refinement Proof, seL4's C code is therefore also a formal refinement of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.

The approach used for the proof is described in the TPHOLS '09 [paper][5].

Building

To build from the l4v/proof directory, run:

make CRefine

Important Theories

The top-level theory where the refinement statement is established over the entire kernel is Refine_C; the state-relation that relates the state-spaces of the two specifications is defined in StateRelation_C.

Note that this proof deals with two C-level semantics of seL4: one produced directly by the C parser from the kernel's C code, and another produced by the C spec's Substitute theory. These proofs largely operate on the latter, proving that it corresponds to the design spec. Refinement between the two C-level specs is proved in the CToCRefine theory. The top-level Refine_C theory quotes both refinement properties.