From Event-B to Verified C via HLL
It addresses the challenge of producing verified software from formal models for developers in safety-critical systems, though it appears incremental by building on existing translation and proof techniques.
This work tackles the problem of correctly translating Event-B models to verified C code by using an intermediate formal language, HLL, with proofs ensuring invariants and properties like deadlock-freeness, and generating C code automatically or manually with formal contracts.
This work addresses the correct translation of an Event-B model to C code via an intermediate formal language, HLL. The proof of correctness follows two main steps. First, the final refinement of the Event-B model, including invariants, is translated to HLL. At that point, additional properties (e.g., deadlock-freeness, liveness properties, etc.) are added to the HLL model. The proof of the invariants and additional properties at the HLL level guarantees the correctness of the translation. Second, the C code is automatically generated from the HLL model for most of the system functions and manually for the remaining ones; in this case, the HLL model provides formal contracts to the software developer. An equivalence proof between the C code and the HLL model guarantees the correctness of the code.