2c8f9eeff1
lib+spec+proof+autocorres: consistent Nondet filename prefix
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-08-09 12:07:06 +10:00
9b90b9e34a
lib+spec+proof+autocorres: update for renamed Reader_Option_Monad
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-08-09 12:07:06 +10:00
d87f5e13b5
crefine: update for no_name_eta
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-07-05 17:04:50 +10:00
a0be68c211
clib+crefine: add no_name_eta to crefine tactics
...
This leads to improved consistency and better names for bound variables.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-07-05 17:04:50 +10:00
01a42167f9
riscv refine: example corres method use
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-30 15:58:14 +10:00
fad4b70825
refine: make corres method available in Refine
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-30 15:58:14 +10:00
c1fe4ad10f
lib+refine: rename Corres_Method to CorresK_Method
...
This also renames most of the corres* methods to corresK* methods,
including corressimp -> corresKsimp.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-30 10:56:47 +10:00
1f06802350
crefine: update for new ccorres cong rules
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-06-30 10:14:57 +10:00
163b9fe58a
crefine: remove some duplicated lemmas
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-06-30 10:14:57 +10:00
59759edc42
arm refine: deploy corres_cases in some examples
...
Demonstrates use of corres_cases and corres_cases_both. Main intended
benefit is less thinking about safety of schematics, fewer mentions
of goal parameter names, and fewer manual guard instantiations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-26 16:20:33 +10:00
168d3aae3c
crefine: remove obsolete corres wpc setup
...
This setup didn't actually work. Replaced by corres_cases.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-26 16:20:33 +10:00
18cbdaeb7e
infoflow: update for monadic rewrite changes
...
The `tcb` that previously became an `x` now remains a `tcb`.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-06-16 13:51:36 +10:00
db44def660
arm-hyp crefine: use monadic_rewrite_pre
...
Replace wp_pre with monadic_rewrite_pre in one manual proof instance.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-15 16:00:28 +10:00
f75a3481ae
lib+refine+crefine: disambiguate corres_pre
...
- rename corres_pre set in CRefine to ccorres_pre
- rename internal corres_pre method in Corres_Method to corres_pre'
- use corres_pre instead of old wp_pre in refine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-15 10:46:39 +10:00
0e3016251f
lib+proof: proof updates for wpc change
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-06-15 09:52:15 +10:00
1e619439d2
proof/ROOT: RefineOrphanage: add quick and dirty option
...
Piggybacking off of REFINE_QUICK_AND_DIRTY as they are usually linked.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:49 +10:00
7cdd203136
aarch64 refine: first run through Orphanage
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:49 +10:00
2f3e333500
aarch64 refine: first pass through EmptyFail_H (sorry-free)
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:48 +10:00
81d382ec71
aarch64 refine: first pass through Refine (sorry-free)
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:48 +10:00
7154cc9d31
aarch64 refine: remove final mention of vs_valid_duplicates'
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:48 +10:00
c4dee689b0
aarch64: update Init_R+PageTableDuplicates for PT ghost state
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:48 +10:00
9298456475
refine: update other architectures for ghost state change
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:48 +10:00
d24d2f8397
aarch64 refine: first pass through ADT_H
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:47 +10:00
064d102047
aarch64 ainvs+refine: proof updates for PT type ghost state
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:47 +10:00
a4f944d094
aarch64 refine: copy PageTableDuplicates from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:47 +10:00
c58c007f94
aarch64 refine: copy KernelInit_R from RISCV64
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:47 +10:00
72dfb53e91
aarch64 refine: copy IncKernelLemmas+InitLemmas from RISCV64
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:46 +10:00
ee346ba108
aarch64 refine: first pass though Init_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:46 +10:00
59d303b020
aarch64 refine: first pass through Syscall_R
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:46 +10:00
226c2f6a95
aarch64 refine: first pass through Arch_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:46 +10:00
8de14306d4
aarch64 refine: first pass through Tcb_R
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:45 +10:00
20fad5b9fc
aarch64 refine: update vmattributes_map for devices
...
Page is cachable if not a device.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:45 +10:00
a88bf412a5
aarch64 refine: remove 1 sorry
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:45 +10:00
4834c2589a
aarch64 refine: first pass through CNodeInv_R
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:44 +10:00
835d82c253
aarch64 refine: first pass through Interrupt_R
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:44 +10:00
865facfde9
aarch64 refine: first pass through Ipc_R
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:44 +10:00
4dfb6f8ad3
aarch64 refine: first pass through Finalise_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:44 +10:00
be22c7bfcc
aarch64 refine: set up Untyped_R from RISCV64, add hyp/vcpu
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:44 +10:00
0a7eaece00
aarch64 refine: copy over Invocations_R from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:44 +10:00
f4c12a6d85
aarch64 refine: remove kernel_mappings in Retype/Detype
...
These do not exist on AARCH64
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:43 +10:00
5601abc530
aarch64 refine: fill in VSpaceObject cases in Retype_R
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:43 +10:00
a4536a17ce
aarch64 refine: first pass through Detype_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:43 +10:00
e508693534
aarch64 refine: first pass through Retype_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:43 +10:00
3a77d097c4
aarch64 refine: first pass through IpcCancel_R
...
needed some changes to Schedule_R and VSpace_R
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:43 +10:00
044a97ed1a
aarch64 refine: first run through Schedule_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:42 +10:00
904056868d
aarch64 refine: add state_hyp_refs_of' to valid_state'
...
Somehow we missed this on the first pass. Adjusted existing proofs.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:42 +10:00
a79e06f419
aarch64 refine: first run through VSpace_R
...
This required a lot of adaptation from ARM_HYP, rearranging, and fixing.
The VCPU lemmas are mostly now constrained to one area, making it
theoretically possible to make a VCPU theory in the future.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:42 +10:00
0f11a7a52a
aarch64 refine: progress in ArchAcc
...
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:42 +10:00
97ebd07298
aarch64 refine: start on VSpace_R
...
Up to and including handleVMFault_corres which needed a major overhaul.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:42 +10:00
059afc8743
aarch64 refine: add InterruptAcc_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:41 +10:00
cb03631312
aarch64 refine: add TcbAcc_R and ArchMove_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:41 +10:00
2b543da5f3
aarch64 refine: add CSpace_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:41 +10:00
18d76ef54b
aarch64 refine: add vcpuBits_def to objBits_defs
...
The way we handle vcpuBits on AARCH64 is different to ARM_HYP.
This seems the most logical place to put vcpuBits_def to aid automation.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:41 +10:00
a93a62641d
aarch64 refine: copy RAB_FN from RISCV64
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:41 +10:00
e0114eef06
aarch64 refine: add CSpace_I and CSpace1_R
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-26 18:04:41 +10:00
3b5a983362
aarch64 refine: first pass through ArchAcc_R
...
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-26 18:04:40 +10:00
b42665460d
aarch64 refine: use ptTranslationBits for indices
...
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:18 +10:00
38a65fd453
aarch64 refine: adjust KHeap_R from RISCV64
...
Add VCPU/hyp lemmas from ARM_HYP, fix and update failing lemmas. Leave
1 sorry on pspace_canonical, which might not be needed for AARCH64.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:17 +10:00
b882216086
aarch64 refine: copy Machine_R from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:17 +10:00
555bff6f6c
aarch64 refine: copy SubMonad_R from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:17 +10:00
7cdb85fad1
aarch64 refine: copy EmptyFail from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:17 +10:00
bf3929b9d5
aarch64 refine: adjust Bits_R from RISCV64
...
Add VCPU/hyp material from ARM_HYP, fix up broken lemmas.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:17 +10:00
61bce83518
aarch64 refine: copy Corres.thy from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:17 +10:00
55a01f1829
aarch64 refine: complete StateRelation
...
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:16 +10:00
0b0b3b32d5
aarch64 refine: iteration on Invariants_H
...
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.system>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:16 +10:00
44fc3ec8d5
aarch64 refine: copy LevityCatch from RISCV64
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:16 +10:00
96851e8b34
aarch64 ainvs: fix typo
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-05-25 19:34:16 +10:00
1404b9c0d0
aarch64 refine: add StateRelation
...
Only text replacement of RISCV64->AARCH64 for now.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-25 19:34:15 +10:00
01575f20d5
aarch64 refine: copy InvariantUpdates_H from RISCV64
...
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-25 19:34:15 +10:00
148355479f
aarch64 refine: first attempt at Invariants_H
...
Quite a few issues remain, notably validity of ASID maps and
relationship to ASID table is missing from valid_arch_state'
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-05-25 19:34:15 +10:00
ca589b635c
c-parser: add dom_lift_t_heap_update and lemmas for proj_d
...
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
2023-05-01 15:16:22 +09:30
ac5fe5bd59
refine: add obj_range'_disjoint
...
This also moves several lemmas required for obj_range'_disjoint
to Invariants_H
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
2023-05-01 10:52:50 +09:30
b8714328cb
word_lib+crefine: add and_one_neq_simps and adjust proofs
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-04-18 13:23:42 +10:00
68e33858e2
crefine: simp rules for true and false
...
These rules allow the simplifier to solve almost all existing goals that
involve the C constants true and false, without unfolding their
definitions.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-04-18 13:23:42 +10:00
ba241aac64
riscv+x64 crefine: remove unused lemma
...
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-04-18 13:23:42 +10:00
83ddb4def9
aarch64 ainvs: remove unused physBase lemmas ( #625 )
...
The condition `pptrBase < kernelELFBase` is not required on AArch64 in
hyp mode and was left over from the initial RISC-V setup.
Since this check does fail for some platforms (where physBase = 0 and
consequently pptrBase = kernelELFBase) we remove it here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-04-05 13:50:33 +10:00
0cf64b5498
READMEs: use run_tests consistently in READMEs ( #622 )
...
Avoid mixing `isabelle`, `make`, and `run_tests` invocations.
Standardise on `run_tests` and mention `L4V_ARCH` each time to
indicate that you can and should set `L4V_ARCH`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-30 13:59:18 +11:00
fc7a113286
riscv infoflow: physBase abstraction
...
- Distinguish between virtual and physical address for the shared page
in the example state.
- Reuse lemmas from ArchKernelInit to solve address translation proofs.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-03-29 11:05:27 +11:00
5fc1c13613
riscv machine+ainvs: physBase abstraction
...
Move physBase into Arch_Kernel_Config_Lemmas, and move basic lemmas
about kernel constants that do not directly unfold physBase into
ArchInvariants_AI.
Because Arch_Kernel_Config_Lemmas does not have all names available
yet, some of the lemmas are folded and shadowed later in
ArchInvariants_AI.
Also refactor translate_address_kernel_elf_window to have two helper
lemmas that can be used in infoflow.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-29 11:05:27 +11:00
662245c8cb
riscv machine+design+crefine: explicitly set pptrTop
...
Factor out pptrTop from the definition in kernelELFBase and define it
as a constant as on other platforms. Shadows the equivalent definition
in Haskell.
Also remove incorrect comment -- the term was not PADDR_TOP, but
PPTR_TOP in C.
Co-authored-by: Corey Lewis <corey.lewis@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-29 11:05:26 +11:00
6d7b540963
aarch64 machine+ainvs: physBase abstraction
...
Remove the only unfolding of Kernel_Config.physBase_def in
ArchKernelInit by removing an unused lemma. Move the remaining
unfolding in ArchAInvariants to Kernel_Config_Lemmas.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-29 11:05:26 +11:00
7514d9ee69
arm access+infoflow: physBase abstraction
...
The example valid state is changed to correctly use both the virtual
and physical address of the shared page, instead of just the virtual
address.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-03-29 11:05:26 +11:00
0fc9a0542c
arm+arm-hyp machine+ainvs+refine+crefine: physBase abstraction
...
physBase is reduced to be unfolded only in Arch_Kernel_Config_Lemmas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-03-29 11:05:25 +11:00
27d838af86
lib+proof: rename bind_assoc_reverse to bind_assoc_return_reverse
...
This also improves the style of this lemma
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
2023-03-27 10:34:03 +10:30
3981e9a60e
lib+ainvs: make monadic_rewrite available in AInvs session
...
This also reduces the imports of MonadicRewrite
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
2023-03-21 18:22:34 +10:30
d5fa6043cb
proof: update (non-x64) for physBase-dependent defs
...
Co-authored-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-03-20 09:34:42 +11:00
d844d691cb
lib: move bind_assoc_reverse to lib
...
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
2023-03-10 16:53:08 +10:30
3ca3553cc6
aarch64 ainvs: avoid global [simp] for if_option_eq ( #608 )
...
Keep simp set more in line with other architectures.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-09 18:21:08 +11:00
56c1a7ca68
aarch64 ainvs: use new if_option_eq
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-09 10:34:00 +11:00
9d5c8be3dc
aarch64 ainvs: convert 2 FIXMEs into longer term issues ( #601 )
...
Both of these affect other architectures and need more discussion.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-03-08 17:04:37 +11:00
c2a9ec60a8
arm-hyp crefine: update for physBase-as-function
...
In order to parametrise the kernel's physical address in verification,
physBase becomes a function in C.
This updates the functional correctness proofs so that they work again.
Proper abstraction of physBase in the proof is forthcoming.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
2023-03-07 00:04:38 +11:00
a2ffb3b4f5
proof: remove is_thread_control and thread_control_target
...
Instead use discriminator and selector provided by the datatype
package.
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-02-14 18:33:44 +11:00
e89813ecf2
proofs: updates for monad refactor
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:55 +11:00
409d780e07
x64 ainvs: resolve FIXME move
...
These lemmas are in the right place, they should not be moved.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:52 +11:00
91533a274e
ainvs: add invs_strengthen
...
A lemma set for the strengthen method to pull `invs` out of
implications. Together with simp and conj_cong, this can help avoid
proving `invs` multiple times (which tends to blow up the proof state).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:52 +11:00
a6dee7bf17
access: constrain auto
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:52 +11:00
2da61f7373
access: remove unused lemma
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:52 +11:00
8c1d67945d
crefine: NonDetMonad.valid -> NonDetMonadVCG.valid
...
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:51 +11:00
8791c1be22
proofs: hoare_pre_cont variable renamed
...
s/hoare_pre_cont[where a=/hoare_pre_cont[where f=/
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:51 +11:00
7b1e140912
proofs: valid_def moved to NonDetMonadVCG
...
NonDetMonad.valid_def -> NonDetMonadVCG.valid_def
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
2023-02-09 11:46:51 +11:00
Corey Lewis
Gerwin Klein
Rafal Kolanski
Michael McInerney