Overhauled symbolic execution lemmas, improved genericity:
* monadic_rewrite_symb_exec_l' and r' are now main lemmas
* _F/_nF variants for LHS, E/nE variants for RHS
* non-apostrophied versions combine the above
* same for drop/known lemmas
Consolidated monadic_rewrite and corres lemmas:
* old monadic_rewrite_corres was never used except when rotated, so
monadic_rewrite_corres2 -> monadic_rewrite_corres
* monadic_rewrite_corres' unused and not needed -> removed
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The standard form for a Hoare triple showing the function is
state-invariant is `f {| P |}`, and that's what we crunch in later
proofs.
Using this form allows `[OF whatever_inv]` to instantiate, while using
the `f {|(=) s|}` form does not.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Isabelle allows preservation of variable names across rules if the name
associated with a De Bruijn index matches. All forms of monadic symbolic
execution lemmas should therefore use some form of:
`f >>= \<lambda>rv. g rv` and refer to `\<All>rv. some_prop_of rv` in
the assumptions, to expose the bound names in the proof, avoiding
unnecessary `rename_tac`.
The following lemmas have been renamed after multiple discussions:
* `monadic_rewrite_imp` -> `monadic_rewrite_guard_imp` (to match [c]corres)
* `monadic_rewrite_weaken` -> `monadic_rewrite_weaken_flags`
(people expected "weaken" rules to weaken the precondition, not flags)
* `monadic_rewrite_weaken2` -> `monadic_rewrite_weaken_flags'`
(same reason)
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Using named constructor arguments added to the datatype package allows
removal of the old way of writing them out explicitly.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
The theory Value_Types is used without Value_Types_Test in the
AutoCorres release, which makes the @{file ..} antiquotation fail.
Including Value_Types_Test in the dependencies of Value_Types to
include it in the release doesn't work, because that would be a
circular dependency.
So to avoid manually enumerating release files, we make this a pure
@{text ..} antiquotation instead.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit weakens some assumptions in previous ArchAcc lemmas and
strengthens some requirements we make on later decode lemmas, hopefully
in a still provable way.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
We previously made use of the fact that the table to be unmapped will
be a NormalPT_T. This is still true, but to avoid an unnecessary proof
obligation here, we take the pt_type provided by the cap instead, which
coincides with the pt_type the proof uses.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Generalise concept of proving word equality by splitting two words at
bit n and comparing the parts.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Clean up and consolidate further do_machine_op lemmas on AARCH64.
Includes enabling some crunches and lemmas that were blocked on
do_machine_op.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Clean up KHeap_AI. It turns out that almost all do_machine_op lemmas
proved here are crunchable, so move them all into one place.
This only proves lemmas originally already in KHeap_AI. It would likely
make sense to collect general do_machine_op lemmas from other places
in AInvs here as well.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
It was likely a mistake from the beginning to single out this machine
op for crunch ignore here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Includes some progress inside ArchVSpace_AI as well.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Introduce a locale similar to Arch_pspace_update_eq, but where also
`asid_table s` is preserved. This preserves most vspace predicates and
is much more widely applicable than the existing locale in the
hierarchy that demands all of `arch_state s` to be preserved.
Since this only makes sense for Arch functions, there is no generic
version of this locale and instantiation happens only in ArchBits_AI,
not in Invariants_AI.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- reduce assumptions of some of the no-loop helper lemmas
- factor out common reasoning for vs_lookup_table/pt_walk stitching
- close last sorry
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- includes cur_vcpu lemmas for set_asid_pool and store_pte that were
masked by the missing vmid_inv results.
- vmid_inv lemmas for the case where an entire asid pool entry is being
removed. In this case, the vmid entry will already have been reset.
- set_asid_pool unmap lemmas reformulated from map/set restriction to
single entry unmap, because the vmid lemmas don't make sense for sets.
The set version was only ever used for single entries anyway, so had
unnecessary generality.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The rule applies to anything that has `aobjs_of` in the abbreviation
stack, e.g. including asid_pools_of and vcpus_of, and is therefore too
eager for `[wp]`.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The pattern `(ucast high << asid_low_bits) || ucast low` occurs in
a few places in the proofs and `asid_of high low` is easier to read.
For example, it makes obvious that
`asid_low_bits_of (asid_of hi_bits lo_bits) = lo_bits`
should be a simp rule.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- project out the parts of the state that are needed
(asid_pools_of and asid_table) to remove need for lifting rules
- fix argument order (state first)
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- equality proof by focussing on the left side of an |>
- relationship between obind and opt_map
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Two key lemmas are vs_lookup_slot_unique_level and store_pte_valid_objs.
The latter needs the new concept of valid_mapping_insert to preserve
valid_pt_range (which is part of valid_obj).
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This is a bit more involved than on RISCV64, but with treating
max_pt_level separately from the rest, most of the argument can be
recovered.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This includes a few hopefully useful lemmas about page table type
uniqueness.
Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The remaining interesting lemma (which is not proved) is
vs_lookup_non_PageTablePTE which needed two statement adjustments, one
to adjust the ptes_of update (certain that this is correct), and one to
add a new precondition valid_vspace_objs (speculative, but hopefully
enough to solve the lemma).
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>