The old version of dom_ucast_eq in AInvs is not useful, because the
necessary constants are not available yet in AInvs.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Collect all operator lifting lemmas in one place under
hoare_vcg_op_lift. (Moved from Refine)
Move the lifting lemmas that were still in AInvs up to lib.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

With adjustment of ARMMMU_improve_cases, the decode functions can all
be done in a single crunch invocation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

These have either already been resolved, are trivial moves within one
theory, or they are questions that the rest of the proof has now
answered.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Main progress is in VSpace_R, with some fallout in ArchAcc_R, ADT_R, and
Schedule_R for invariant and spec changes.
General obj_at preservation for setVMRoot does not hold and is relegated
to something more specific in Schedule_R.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This concept no longer makes sense on AARCH64: we will either need to
know that certain addresses are in user_region (which implies
canonical_user, which is more strict than canonical), or we will need
to know they are in the kernel_window, which is also more strict than
canonical. We'll only find out for sure in CRefine.
Both cases are liftable from valid_vspace_uses and
pspace_in_kernel_window from AInvs, so instead of a new invariant, the
plan is to use Haskell assertions to transport the relevant info to
CRefine when needed.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The (no_asm) for corres goals is now properly enforced, which means
it is now really necessary to provide terminal corres rules in their
proper form.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This also renames most of the corres* methods to corresK* methods,
including corressimp -> corresKsimp.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Demonstrates use of corres_cases and corres_cases_both. Main intended
benefit is less thinking about safety of schematics, fewer mentions
of goal parameter names, and fewer manual guard instantiations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- rename corres_pre set in CRefine to ccorres_pre
- rename internal corres_pre method in Corres_Method to corres_pre'
- use corres_pre instead of old wp_pre in refine
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>