Skip to content

Files

Latest commit

lsf37lsf37
arm-hyp crefine: use monadic_rewrite_pre
Jun 15, 2023
db44def · Jun 15, 2023

History

History
This branch is 630 commits behind seL4/l4v:master.

crefine

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
ARM
ARM
Jun 15, 2023
ARM_HYP
ARM_HYP
Jun 15, 2023
RISCV64
RISCV64
Jun 15, 2023
X64
X64
Jun 15, 2023
autocorres-test
autocorres-test
Feb 9, 2023
base
base
Oct 27, 2020
intermediate
intermediate
Oct 27, 2020
lib
lib
Jun 15, 2023
Move_C.thy
Move_C.thy
Feb 9, 2023
README.md
README.md
Mar 30, 2023

README.md

C Refinement Proof

This proof establishes that seL4's C code, once translated into Isabelle/HOL using Michael Norrish's C parser, is a formal refinement (i.e. a correct implementation) of its design specification and, transitively (using the results of the Design Spec Refinement Proof) seL4's C code is also a formal refinement of its abstract specification. In other words, this proof establishes that seL4's C code correctly implements its abstract specification.

The approach used for the proof is described in the TPHOLS '09 [paper][5].

Building

To build for the ARM architecture from the l4v/ directory, run:

L4V_ARCH=ARM ./run_tests CRefine

Important Theories

The top-level theory where the refinement statement is established over the entire kernel is Refine_C; the state-relation that relates the state-spaces of the two specifications is defined in StateRelation_C.

Note that this proof deals with two C-level semantics of seL4: one produced directly by the C parser from the kernel's C code, and another produced by the C spec's Substitute theory. These proofs largely operate on the latter, proving that it corresponds to the design spec. Refinement between the two C-level specs is proved in the CToCRefine theory. The top-level Refine_C theory quotes both refinement properties.