The idea is to collect Eisbach extensions and things like Apply_Trace,
Apply_Debug etc here.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

So that it is available together with the other empty_fail lemmas.
Eventually, these should go into their own theory.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Since the creation of these constants the sum type has been updated to
come with its own discriminators and selectors. We use these, but keep
our longer names as abbreviations.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This enables a few more moves of remaining lemmas in
NonDetMonadLemmaBucket into the theories they belong thematically.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- organizes the material
- enables more concurrency
- allows us to pick and choose which parts to import
Currently NonDetMonadLemmaBucket still imports Lib to keep the overall
exports from this theory unchanged, but none of the factored-out
theories depend on Lib.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Factors out definitions and lemmas that are used in monads from Lib.thy
into a separate theory Monad_Lib, which itself does not have further
dependencies.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

pred_conj, pred_disj, and pred_neg only worked for functions with a
single argument and did not have the standard boolean laws available.
This commit factors out these declarations into their own theory, so
they can be used independently. It generalises them to functions of
arbitrarily many arguments, using the existing instance of fun in class
boolean_algebra.
We also factor out top/bottom, but leave them as abbreviations for now,
because the impact of changing them to the type class is too large.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

This also moves ex_abs_underlying from Corres_Method.thy to
ExtraCorres.thy and adds a variant of corres_underlying_split.
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>

During deployment of these tactics, two problems appeared:
* monadic_rewrite_single_pass
  * would try to step after the action completed, which sometimes worked,
    yielding unpredictable results
  * finalise was called on monadic_rewrite goals generated by action,
    which was fine with the `solves <wpsimp>` default, but yielded
    unpredictable results with user-supplied finalise methods
* monadic_rewrite_symb_exec
  * did not schematise the precondition before attempting to apply the
    rule, resulting in lack of progress when it was expected;
    this now yields an extra subgoal in rare obvious-precondition
    cases, but is more user-friendly in the general case
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

In single-pass methods and symb_exec* methods, the finalise method
argument is optional, defaulting to `solves <wpsimp>`, which is good enough
for most side-conditions and many WP goals.
`monadic_rewrite_symb_exec_l/r_known` methods internally supply the
instantiated theorem variable name, allowing the instantiation to be
specified directly:
`monadic_rewrite_symb_exec_l cte_cap`
Symbolic execution removes no-name eta terms so that the actual variable
name in the monad is used, reducing the need for rename_tac.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

* `_symb_exec` rules now assume `monadic_rewrite` statement first, to allow
  chaining and automation, by deferring WP goals to later
* `_symb_exec_*_known*`: better use of invariance of executed statement
* renamed `monadic_rewrite_rule` to `monadic_rewrite_l_method`, added
  equivalent for RHS
* renamed `monadic_rewrite_simple` to `monadic_rewrite_l`, and changed
  action argument into a supplied rule (expected single-fire usage), and
  added equivalent for RHS
* renamed `lhs` -> `l` and `rhs` -> `r`
* renamed `monadic_rewrite_pre_imp_refl` -> `_eq`
* added: generic rules for rewriting under corres_underlying
  * `monadic_rewrite_corres_l_generic`
  * `monadic_rewrite_corres_r_generic`
* added: `monadic_rewrite_if_r_True/False`
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Overhauled symbolic execution lemmas, improved genericity:
* monadic_rewrite_symb_exec_l' and r' are now main lemmas
* _F/_nF variants for LHS, E/nE variants for RHS
* non-apostrophied versions combine the above
* same for drop/known lemmas
Consolidated monadic_rewrite and corres lemmas:
* old monadic_rewrite_corres was never used except when rotated, so
monadic_rewrite_corres2 -> monadic_rewrite_corres
* monadic_rewrite_corres' unused and not needed -> removed
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

The standard form for a Hoare triple showing the function is
state-invariant is `f {| P |}`, and that's what we crunch in later
proofs.
Using this form allows `[OF whatever_inv]` to instantiate, while using
the `f {|(=) s|}` form does not.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

Isabelle allows preservation of variable names across rules if the name
associated with a De Bruijn index matches. All forms of monadic symbolic
execution lemmas should therefore use some form of:
`f >>= \<lambda>rv. g rv` and refer to `\<forall>rv. some_prop_of rv` in
the assumptions, to expose the bound names in the proof, avoiding
unnecessary `rename_tac`.
The following lemmas have been renamed after multiple discussions:
* `monadic_rewrite_imp` -> `monadic_rewrite_guard_imp` (to match [c]corres)
* `monadic_rewrite_weaken` -> `monadic_rewrite_weaken_flags`
  (people expected "weaken" rules to weaken the precondition, not flags)
* `monadic_rewrite_weaken2` -> `monadic_rewrite_weaken_flags'`
  (same reason)
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

The theory Value_Types is used without Value_Types_Test in the
AutoCorres release, which makes the @{file ..} antiquotation fail.
Including Value_Types_Test in the dependencies of Value_Types to
include it in the release doesn't work, because that would be a
circular dependency.
So to avoid manually enumerating release files, we make this a pure
@{text ..} antiquotation instead.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

- equality proof by focussing on the left side of an |>
- relationship between obind and opt_map
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Domain equality is nice to state and sometimes nice to prove, but it is
hard to use in automation (fastforce/auto). The new phrasing here is not
as nice to read, but useful in automation.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

Carefully not disturbing the simpset, because too many things break
otherwise.
Similarly, if_option_Some2 is not included with if_option_Some, because
the latter is being declared globally [simp] at some stage and then
breaks things in too many random places.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

We so far have unfolded opt_map in these ... = None situations. Using
the new rule directly eliminates one of the cases (the Some case), so
is slightly more efficient when we stack them and get many of these.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>

fwd_all and ALLGOALS_FWD act like `all`, but the supplied method is applied
to goals in first-to-last order, taking into account goals solved and
generated.
fwd_all_new and FWD_ALL_NEW act like `;` and THEN_ALL_NEW, but with the
second method applied to the results of the first in the order they
were produced, making it safe for WP reasoning.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

In `Rules_Tac`, add a `rules_tac` which is `rule_tac` but with the
ability to instantiate the same variable name in multiple theorems.
Also add the specialised `single_instantiate_tac` which allows using the
above mechanism to instantiate a specific variable name in a specific
set of theorems (e.g. "rv" in a set of symbolic-execution lemmas).
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

These allow for pattern-matching on the conclusion and reacting to
whether the match succeeded.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>

These allow selective eta-contraction in the goal based on the bound
variable's name. The `no_name_eta` method specifically targets
abstractions where the variable has no name, which can come up in
complicated unification scenarios.
These nameless abstractions can cause symbolic execution lemmas to no
longer pick up on the name of the bound variable in do-notation,
requiring multiple rename_tac invocations.
Co-authored-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>