Explain that these are not nice simp rules, what one should do instead,
and why we leave them as is despite all that.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The new corres method is similar to the corresK method and calculus,
but much less ambitious. Its main purpose is to automate boilerplate
proof steps in corres proofs and is specifically not trying to fully
automate corres proofs (although some few might be solved).
The idea is that the method will make some progress with obvious steps
and leave over a proof state the user can operate on further.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Factor out pre_tac such that we can have separate theorem sets and
methods for wp_pre, monadic_rewrite_pre, corres_pre, and potentially
others in the future.
Leave everything in wp_pre that we expect to use wp or wpsimp on, in
particular no_fail.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Since the creation of these constants the sum type has been updated to
come with its own discriminators and selectors. We use these, but keep
our longer names as abbreviations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Treatment of fail/assert/stateAssert when you don't have to prove non-failure
of the concrete side, and lemmas for switching between nf and ¬nf for the
abstract side when no_fail is already proved separately.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Add two new tactics/methods which can fix common painful problems with
schematic variables.
Method datatype_schem improves unification outcomes, by making judicious use of
selectors like fst/snd/the/hd to bring variables into scope, and also using a
wrapper to avoid singleton constants like True being captured needlessly by
unification.
Method wpfix uses strengthen machinery to instantiate rogue postcondition
schematics to True and to split precondition schematics that are shared across
different sites.
Notably useful is hoare_vcg_lift_imp' which generates an implication
rather than a disjunction.
Monadic rewrite rules should be modified to preserve bound variable
names, as demonstrated by monadic_rewrite_symb_exec_l'_preserve_names.
Addressing this more comprehensively is left as a TODO item for the
future (see VER-554).
The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+
- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.
- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.
* commit 'ecbb860532b4c576fc4726a805802f16bcf5302c': (29 commits)
autocorres-crefine: specialise corres_no_failI for compatibility with Refine
Add license tags for autocorres-crefine files
crefine: refactor AutoCorresTest a bit
autocorres-crefine: remove local debugging imports
Fix InfoFlowC to accommodate corres_underlying changes.
Fix DRefine to accommodate corres_underlying changes.
autocorres-crefine: experiment with manually translating a function (clzl).
autocorres-crefine: experiment with translating bitfield_gen specs.
autocorres-crefine: start a test case for function calls.
autocorres-crefine: update example proofs to work with no_c_termination, which does not require proving termination for the C spec.
autocorres: add user option "no_c_termination" for previous patch.
Making termination proof optional for AutoCorres.
WIP: autocorres: hacky proof of concept for incremental translation.
autocorres: add some missing WordAbstract rules.
autocorres-crefine: fix some comments in work theory.
autocorres-crefine: prove modifies and (simple) terminates specs.
autocorres-crefine: experiment with generating modifies proofs
autocorres-crefine: run autocorres in kernel_all_substitute locale
autocorres-crefine: update another corres_UL that snuck in before rebasing.
autocorres-crefine: working ccorres for handleYield (modulo some white lies).
...
The idea of this file is to allow users to determine how the simpset,
cong set, intro set, wp sets, etc. have changed from an old version of
the repository to a new version.
The process is as follows:
1. A user runs "save_attributes" on an old, working version of the
theory.
2. This tool will write out a ".foo.attrib_trace" file for each
theory processed.
3. The user modifies imports statements as required, possibly
breaking the proof.
4. The user can now run "diff_attributes" to determine what
commands they should run to restore the simpset / congset /etc
to something closer to the old version.
The tool is not complete, in that it won't always suggest the full set
of "simp add", "simp del", etc commands. Nor does it know that a rule
added to the simpset is causing a problem. It merely lists
a hopefully-sensible set of differences.
Michael McInerney
Gerwin Klein
Corey Lewis
Rafal Kolanski
Florian Haftmann
Corey Lewis
Gerwin Klein
Rafal Kolanski
Michael McInerney
Rafal Kolanski
Thomas Sewell
Alejandro Gomez-Londono
Gerwin Klein
Japheth Lim
David Greenaway