Enable use of "eval" and "value" for formulas that quantify over word
values. The code generator will exhaustively run all possible values.
For small word sizes, this works in very reasonable time. E.g. try
  lemma "∀(x::8 word) y. x + y = (x AND y) + (x OR y)"
    by eval
or
  value "∀(x::4 word) y z. y mod z = 0 ⟶
         (x * y) div z = x * (y div z)"
Note that, as usual for "eval" and "value", terms have to be closed, i.e.
you need to use object logic quantifiers.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
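As an added illustration (not code from the l4v commits above), the following Python model does what the commit describes for its two example formulas: it enumerates every tuple of word values exhaustively. Fixed-width arithmetic is modelled modulo 2^n, and Isabelle's conventions x div 0 = 0 and x mod 0 = x are assumed for the word operators; the helper names are this example's own.

```python
# Added example: exhaustive evaluation of a formula quantified over n-bit
# words, mirroring what "eval"/"value" do via the code generator.
from itertools import product

def word_div(a: int, b: int) -> int:
    """Unsigned division with Isabelle's convention a div 0 = 0 (assumption)."""
    return 0 if b == 0 else a // b

def word_mod(a: int, b: int) -> int:
    """Unsigned remainder with Isabelle's convention a mod 0 = a (assumption)."""
    return a if b == 0 else a % b

def check_all(formula, width: int, arity: int):
    """Evaluate `formula` on every arity-tuple of `width`-bit words.

    Returns None if the formula holds everywhere, otherwise the first
    counterexample in enumeration order (x, y, ...)."""
    mask = (1 << width) - 1
    for args in product(range(1 << width), repeat=arity):
        if not formula(mask, *args):
            return args
    return None

# ∀(x::8 word) y. x + y = (x AND y) + (x OR y)
def add_and_or(mask: int, x: int, y: int) -> bool:
    return (x + y) & mask == ((x & y) + (x | y)) & mask

# ∀(x::4 word) y z. y mod z = 0 ⟶ (x * y) div z = x * (y div z)
def mul_div(mask: int, x: int, y: int, z: int) -> bool:
    if word_mod(y, z) != 0:
        return True          # implication holds vacuously
    lhs = word_div((x * y) & mask, z)   # x * y wraps at 2^width
    rhs = (x * word_div(y, z)) & mask
    return lhs == rhs

if __name__ == "__main__":
    print(check_all(add_and_or, 8, 2))   # None: the identity holds for all 8-bit words
    print(check_all(mul_div, 4, 3))      # (2, 8, 2): x * y overflows 4 bits, so "value" yields False
```

The second formula is not a theorem of 4-bit words: with x = 2, y = 8, z = 2 the product wraps to 0, so (x * y) div z = 0 while x * (y div z) = 8.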
A lemma set for the strengthen method to pull `invs` out of
implications. Together with simp and conj_cong, this can help avoid
proving `invs` multiple times (which tends to blow up the proof state).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- pull base-level empty_fail lemmas from AInvs into Monads.Empty_Fail
- apply consistent naming
- apply consistent [intro!, wp]
- make all non-conditional lemmas [simp]
- re-add context building to empty_fail rules, because the select_*
rules may need context to solve their side condition
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- merge EmptyFailLib into Monads.Empty_Fail
- group Empty_Fail lemmas so it is clear where to add new ones
- add [empty_fail] so not every lemma has to declare multiple attributes
- add instructions
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- apply modern style
- contract some proofs
- this commit includes some lemmas factored out from NonDetMonadVCG in
a previous commit
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- style and some proof contraction
- `in_monad` set remains unchanged for now (could now add additional
lemmas, but they might break things)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- factor out valid_NF definition and lemmas into NonDetMonad_Total
- apply modern style and (very) occasional proof contraction in both
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- factor out valid_exs definition and properties into NonDetMonad_Sat
- apply modern style to both of these and More_NonDetMonadVCG
- factor out one lemma into Monad_Lib
- better grouping of lemmas in NonDetMonadVCG
- occasional proof contraction
Should contain no real semantic differences, but might have subtle
wp set changes due to reordering (to be fixed up in a later commit).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This should allow wpfix to automatically fix up projl/projr proofs.
This was previously not possible without drawing in Lib, but will now
be picked up by Lib since theLeft/theRight are now abbreviations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Split up the material in NonDetMonadVCG into In_Monad, Det, Empty_Fail,
No_Fail, and No_Throw. Most of these can run concurrently and not all
applications need to include all of the material.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
During the work on verifying the MCS kernel, many definitions
and rules were added to lib. This commit collects all of these,
with style improvements and some proof improvements.
In particular, this adds several results to deal with while loops,
such as corres_whileLoop.
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Factor out the bit0/bit1 setup for the vm_level type into its own file.
It doesn't really have anything to do with BCorres where it was before.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The projection operators should be definitions so that they are stable
under simp and case splits. This enables later projection stacks to
use abbreviations that remain stable.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We initially wanted to move ucast_ucast_ppn to Kernel_Config_Lemmas.
This doesn't work, because ppn is only defined in Arch_Structs_A, but
it turns out that ppn_len is exactly the term `ipa_size - pageBits`
that the lemma needs, so instead of moving the lemma up, we make its
proof generic by providing the symbolic form of `ppn_len` instead.
This still unfolds Kernel_Config.config_ARM_PA_SIZE_BITS_40, but it
does so only trivially and directly where ppn_len is defined.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- make kheap crunch for do_machine_op generic
- make None_Some_strg available generically in LevityCatch
- move word lemmas up into Word_Lib
- move wp lemmas up into lib + minor lib cleanup
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- minor style/whitespace cleanup
- resolve all smaller AARCH64-local FIXMEs
- move AARCH64-local lemmas
- fix up proof fallout from move (gained some automation in the move)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- move proof methods spec and bspec to Eisbach_Methods
- move general lemmas to Lib
- move word lemmas to Word_Lemmas_Internal
- update proof style
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Implementations for machine ops returning a value should have a _val
postfix. This commit brings vcpuHardwareRegVal in line.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit automatically renames bit0.*/bit1.* lemmas (depending on
the value of vm_level) to vm_level.*
The idea is that vm_level.* can now generically refer to the right
instance, so that the same proof text works without change for both an
even and odd number of page table levels.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The flush_type definition is an exact duplicate, so it makes sense
to directly re-use the Haskell definition in ASpec.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>