word_less_bit_eq turns `<` into a bitwise expression on abstract word
length to make it easier to reason about the relationship of < and bit
operations (boolean, but also shift, etc.).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

The Eisbach method command doesn't seem to allow providing a doc
string. Instead at least place a comment right next to the definition
so that people can find that when they discover the method name with
print_methods.
Update doc string of word_bitwise to clarify where it is useful.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Adds generic (ring_bit_operations) relationships between boolean and
arithmetic operations. These automatically hold for word and int.
In particular:
x + y = (x OR y) + (x AND y)
x + y = (x XOR y) + 2 * (x AND y)
x XOR y = (x OR y) - (x AND y)
Similar laws for OR, AND, and -.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Provide sgn (sign, mapping to -1, 0, 1) and abs (absolute value)
functions for 'a word by instantiating the relevant type classes.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This rule allows us to prove correspondence in the case
where the result of a function call is assigned to a
global variable.
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>

Terms of the form "(if P then None else Some _) = None" and all their
combinations can be simplified automatically. For the "Some" variants
we provide a safer form, e.g.:
((if P then Some x else None) = Some x) = P
because
((if P then Some x else None) = Some y) = (P /\ x = y)
adds an equation to the goal that the simplifier will pick up. That is
often wanted, but sometimes leads to non-termination.
Even the safer form can lead to non-termination if P is an equation, so
none of these are [simp] by default.
- `if_option_eq` is the safer set
- `if_option` is the less safe set that simplifies more
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Draw connection between conjugate wp in the literature and our
exs_valid definition.
Add exs_valid_alt lemma, which is one of the main rules that is
different between wp and conjugate wp (or vs and).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Enable use of "eval" and "value" for formulas that quantify over word
values. The code generator will exhaustively run all possible values.
For small word sizes, this works in very reasonable time. E.g. try
lemma "∀(x::8 word) y. x + y = (x AND y) + (x OR y)"
by eval
or
value "∀(x::4 word) y z. y mod z = 0 ⟶
(x * y) div z = x * (y div z)"
Note that, as usual for "eval" and "value", terms have to be closed, i.e.
you need to use object logic quantifiers.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- pull base-level empty_fail lemmas from AInvs into Monads.Empty_Fail
- apply consistent naming
- apply consistent [intro!, wp]
- make all non-conditional lemmas [simp]
- re-add context building to empty_fail rules, because the select_*
rules may need context to solve their side condition
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- merge EmptyFailLib into Monads.Empty_Fail
- group Empty_Fail lemmas so it is clear where to add new ones
- add [empty_fail] so not every lemma has to declare multiple attributes
- add instructions
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- apply modern style
- contract some proofs
- this commit includes some lemmas factored out from NonDetMonadVCG in
a previous commit
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- style and some proof contraction
- `in_monad` set remains unchanged for now (could now add additional
lemmas, but they might break things)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- factor out valid_NF definition and lemmas into NonDetMonad_Total
- apply modern style and (very) occasional proof contraction in both
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- factor out valid_exs definition and properties into NonDetMonad_Sat
- apply modern style to both of these and More_NonDetMonadVCG
- factor out one lemma into Monad_Lib
- better grouping of lemmas in NonDetMonadVCG
- occasional proof contraction
Should contain no real semantic differences, but might have subtle
wp set changes due to reordering (to be fixed up in a later commit).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This should allow wpfix to automatically fix up projl/projr proofs.
This was previously not possible without drawing in Lib, but will now
be picked up by Lib since theLeft/theRight are now abbreviations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Split up the material in NonDetMonadVCG into In_Monad, Det, Empty_Fail,
No_Fail, and No_Throw. Most of these can run concurrently and not all
applications need to include all of the material.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>