FP_Eval is an Isabelle/ML tool for functional program rewriting.
It has similarities with the Isabelle simplifier, but is simpler and
more scalable for performing computations in the logic.
See FP_Eval_Tests for basic tests and examples.
- Add instructions for installing the `goto-error` macro in a place
where we might be able to find them.
- Mention the improved auto-indenter, in the hope that we will use it
when writing proofs.
Previously, the C kernel maintained a global pointer to the IRQ node.
This pointer was only initialised during boot, when the actual IRQ node
was dynamically allocated from untyped memory.
The C kernel now includes a statically allocated IRQ node, which is just
a suitably sized array of CTEs. This commit updates the proofs to verify
this change to the C kernel.
This is an explicit walkthrough about how one goes about doing a proof
in Isabelle/ML. The goal is that someone can run into such a proof, look
at this tutorial, and then at least be equipped to ask the right
questions about fixing the proof.
A common frustration is seeing a term `Ptr x :: foo ptr` and not being
able to inspect the inferred type `foo` (this is especially true when
`Ptr` occurs within another expression).
Copying the style of `UCAST`, this adds syntax rules for displaying `Ptr
x :: foo ptr` as `PTR(foo) x` and `ptr_coerce (bar :: a ptr) :: b ptr`
as `PTR_COERCE(a -> b) bar`.
Figuring out that you need to install an extra package _after_ waiting
three hours for CRefine to build isn't fun. Changes the installation
instructions to be like most other projects, i.e. "here is everything
you'll need for anything you'll want to do".
arm ainvs: cleanup
Abbreviate Hoare triples that do not care about the return value and
whose pre and post conditions are the same.
x64 ainvs: cleanup
ainvs: cleanup
x64 ainvs: cleanup
drefine: cleanup
Added set_object_wp_strong, which infers from a given Hoare triple with
command set_object that an object of the same type already exists in the
heap, and hoare_set_object_weaken_pre, which does the same thing but can
be applied on top of existing lemmas about set_object.
ainvs: improve proof of set_thread_state_runnable_valid_blocked
ainvs: change return value to a more general one
in_set_object has a return value that is empty, '()', but the theorem
still holds true when it is replaced with a generic parameter 'rv', making
this lemma easier to use.
ainvs: trivial - updated style of proof
ainvs: strengthen set_object_idle lemma
Add conditions imposed by valid_idle into precondition.
Thank you to Matt Brecknell for the help.
ainvs: abbreviated Hoare triples and proof fix
ainvs: restated set_object_wp_strong with auxiliary lemmas
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Move in a few set_object and set_aobject theorems from x64 theory files
as these theorems were architecture generic.
ainvs: update for new definition of set_object
ainvs: update for new definition of set_object
Removed update_object, which does the same thing as the new version of
set_object, and replaced it with set_object.
x64 ainvs: update for new definition of set_object
Rename legacy update_object definitions to set_object definitions and
remove related lemmas (to move up into architecture generic
KHeap_AI.thy). Remove simpler_defs as the set_object definitions are now
equivalent.
x64 ainvs: move x64 specific lemma back to ArchKHeap_AI
set_aobject_valid_arch moved back after confirmation with Matt Brecknell
that it is x64 specific.
x64 ainvs: update for new definition of set_object
Fixed some proofs as a result of removing set_arch_obj_simps from the simp
set.
Move the type-checking assert from the kernel object set functions to
set_object. This improves proofs by allowing generic reasoning about
set_object instead of kernel-object-specific lemmas.
The main benefit of this is that everything in crunch is now ctrl-clickable.
As an added benefit, supplied rules can now be modified by attributes when
needed.