The projection operators should be definitions so that they are stable
under simp and case splits. This enables later projection stacks to
use abbreviations that remain stable.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- make kheap crunch for do_machine_op generic
- make None_Some_strg available generically in LevityCatch
- move word lemmas up into Word_Lib
- move wp lemmas up into lib + minor lib cleanup
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- move proof methods spec and bspec to Eisbach_Methods
- move general lemmas to Lib
- move word lemmas to Word_Lemmas_Internal
- update proof style
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
While we do want to break up full OptionMonad terms in assumptions, we
do not usually want to break up projections.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
wp rules for most operators such as return, get, gets are named
return_wp, get_wp, etc. The when, whenE, unless, unlessE operators had
an additional hoare_.. prefix, which this commit removes for more
consistency.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Moving `Monad_Equations.thy` and `More_NonDetMonadVCG.thy` into Monads
session enables us to remove the Lib and CLib session dependencies in
AutoCorres.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This session currently contains only one theory (CLib), which we want
to include both in Lib and later independently in CParser/AutoCorres.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Remove Lib dependency. Introduce a new theory CLib which contains base
lemmas needed in LemmaBucket_C.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since most bitwise operations are now available by default for nat,
only word abstraction in AutoCorres depends on NatBitwise.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
It has no other lib dependencies and over time should probably be
merged directly into umm theories. For now, move the entire file
and keep dependency structure.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The idea is to collect Eisbach extensions and things like Apply_Trace,
Apply_Debug etc here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
So that it is available together with the other empty_fail lemmas.
Eventually, these should go into their own theory.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since the creation of these constants the sum type has been updated to
come with its own discriminators and selectors. We use these, but keep
our longer names as abbreviations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This enables a few more moves of remaining lemmas in
NonDetMonadLemmaBucket into the theories they belong to thematically.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- organizes the material
- enables more concurrency
- allows us to pick and choose which parts to import
Currently NonDetMonadLemmaBucket still imports Lib to keep the overall
exports from this theory unchanged, but none of the factored-out
theories depend on Lib.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factors out definitions and lemmas that are used in monads from Lib.thy
into a separate theory Monad_Lib, which itself does not have further
dependencies.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
pred_conj, pred_disj, and pred_neg only worked for functions with a
single argument and did not have the standard boolean laws available.
This commit factors out these declarations into their own theory, so
they can be used independently. It generalises them to functions of
arbitrarily many arguments, using the existing instance of fun in class
boolean_algebra.
We also factor out top/bottom, but leave them as abbreviations for now,
because the impact of changing them to the type class is too large.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
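As an added illustration (not l4v code, and not the commit's own definitions), the following Isabelle/HOL theory shows what the commit message refers to: once predicate conjunction is expressed through the existing `boolean_algebra` instance of `fun`, it applies to predicates of any number of arguments and the standard lattice laws come for free. The theory and lemma names here are my own; the only library facts used are HOL's `inf_fun_def`, `inf_commute` and `inf_sup_absorb`.

```isabelle
theory Pred_Conj_Example
  imports Main
begin

(* Added example, not l4v code. The conjunction operator \<sqinter> on
   'a \<Rightarrow> 'b \<Rightarrow> bool comes from HOL's instance
   fun :: (type, boolean_algebra) boolean_algebra, applied twice. *)

(* Pointwise evaluation of the conjunction of two binary predicates *)
lemma pred_conj2_eval:
  "((P :: 'a \<Rightarrow> 'b \<Rightarrow> bool) \<sqinter> Q) a b \<longleftrightarrow> P a b \<and> Q a b"
  by (simp add: inf_fun_def)

(* Boolean laws are inherited from the type class instead of re-proved *)
lemma pred_conj2_commute:
  "((P :: 'a \<Rightarrow> 'b \<Rightarrow> bool) \<sqinter> Q) = (Q \<sqinter> P)"
  by (rule inf_commute)

lemma pred_conj2_absorb:
  "((P :: 'a \<Rightarrow> 'b \<Rightarrow> bool) \<sqinter> (P \<squnion> Q)) = P"
  by (rule inf_sup_absorb)

end
```

The same two lemmas go through unchanged for one-argument or three-argument predicates, which is the generalisation the commit describes; the type annotation only fixes the arity for the example.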
This also moves ex_abs_underlying from Corres_Method.thy to
ExtraCorres.thy and adds a variant of corres_underlying_split.
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
During deployment of these tactics, two problems appeared:
* monadic_rewrite_single_pass
  * would try to step after the action completed, which sometimes worked,
    yielding unpredictable results
  * finalise was called on monadic_rewrite goals generated by action,
    which was fine with the `solves <wpsimp>` default, but yielded
    unpredictable results with user-supplied finalise methods
* monadic_rewrite_symb_exec
  * did not schematise the precondition before attempting to apply the
    rule, resulting in lack of progress when it was expected;
    this now yields an extra subgoal in rare obvious-precondition
    cases, but is more user-friendly in the general case
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
In single-pass methods and symb_exec* methods, the finalise method
argument is optional, defaulting to solves<wpsimp> which is good enough
for most side-conditions and many WP goals.
`monadic_rewrite_symb_exec_l/r_known` methods internally supply the
instantiated theorem variable name, allowing specifying the
instantiation directly:
`monadic_rewrite_symb_exec_l cte_cap`
Symbolic execution removes no-name eta terms so that the actual variable
name in the monad is used, reducing need for rename_tac.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>