Since the creation of these constants the sum type has been updated to
come with its own discriminators and selectors. We use these, but keep
our longer names as abbreviations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This enables a few more moves of remaining lemmas in
NonDetMonadLemmaBucket into the theories they belong thematically.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- organizes the material
- enables more concurrency
- allows us to pick and choose which parts to import
Currently NonDetMonadLemmaBucket still imports Lib to keep the overall
exports from this theory unchanged, but none of the factored-out
theories depend on Lib.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factors out definitions and lemmas that are used in monads from Lib.thy
into a separate theory Monad_Lib, which itself does not have further
dependencies.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Fix missing quotes. It looks like this ROOT file worked with `isabelle
build` before, but it did not work interactively.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
pred_conj, pred_disj, and pred_neg only worked for functions with a
single argument and did not have the standard boolean laws available.
This commit factors out these declarations into their own theory, so
they can be used independently. It generalises them to functions of
arbitrarily many arguments, using the existing instance of fun in class
boolean_algebra.
We also factor out top/bottom, but leave them as abbreviations for now,
because the impact of changing them to the type class is too large.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The default (=first) Makefile target for the standalone parser was
`all`, which gains additional dependencies in the included Makefile.
We want `make` in this directory to just build the standalone parser,
so we set `stp_all` as the default.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This also moves ex_abs_underlying from Corres_Method.thy to
ExtraCorres.thy and adds a variant of corres_underlying_split.
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
At the point we call set_asid_pool, the pool we are writing is out
of date, because invalidate_asid_entry will have changed it. This
commit adds another read operation after invalidate_asid_entry to
perform a write that is similarly atomic to the corresponding C code.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
set_asid_pool_empty and delete_asid_empty_table_pt aren't used on
RISCV64 (despite being proved and declared [wp]). Hopefully these won't
be needed on AARCH64.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
On HYP platforms with projections it's sometimes useful to be able to
grab the `arch_valid_obj` formulation for specific arch types like page
tables before the simplifier breaks them apart for you.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
For AARCH64, showing that valid_vspace_objs is preserved over a retype
operation via the retype_region_proofs_invs locale, it is not sufficient
to only know valid_vspace_objs. Since this locale already assumes invs,
use invs, which implies the other requirements for AARCH64.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
During deployment of these tactics, two problems appeared:
* monadic_rewrite_single_pass
  * would try to step after the action completed, which sometimes worked,
    yielding unpredictable results
  * finalise was called on monadic_rewrite goals generated by action,
    which was fine with the `solves <wpsimp>` default, but yielded
    unpredictable results with user-supplied finalise methods
* monadic_rewrite_symb_exec
  * did not schematise the precondition before attempting to apply the
    rule, resulting in lack of progress when it was expected;
    this now yields an extra subgoal in rare obvious-precondition
    cases, but is more user-friendly in the general case
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
In single-pass methods and symb_exec* methods, the finalise method
argument is optional, defaulting to `solves <wpsimp>`, which is good enough
for most side-conditions and many WP goals.
`monadic_rewrite_symb_exec_l/r_known` methods internally supply the
instantiated theorem variable name, allowing the instantiation to be
specified directly:
`monadic_rewrite_symb_exec_l cte_cap`
Symbolic execution removes no-name eta terms so that the actual variable
name in the monad is used, reducing the need for rename_tac.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- `_symb_exec` rules now assume the `monadic_rewrite` statement first, to allow
  chaining and automation, by deferring WP goals to later
- `_symb_exec_*_known*`: better use of invariance of executed statement
- renamed `monadic_rewrite_rule` to `monadic_rewrite_l_method`, added
  equivalent for RHS
- renamed `monadic_rewrite_simple` to `monadic_rewrite_l`, and changed
  action argument into a supplied rule (expected single-fire usage), and
  added equivalent for RHS
- renamed `lhs` -> `l` and `rhs` -> `r`
- renamed `monadic_rewrite_pre_imp_refl` -> `_eq`
- added: generic rules for rewriting under corres_underlying
  * `monadic_rewrite_corres_l_generic`
  * `monadic_rewrite_corres_r_generic`
- added: `monadic_rewrite_if_r_True/False`
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>