The theory import order is important for name shadowing, including
default rules for induction and cases. This commit makes sure we
get the Word_Lib version by default, not the HOL.Word version.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The syntax OR for nondeterministic choice between two executions now
conflicts with the OR bit operation from the Isabelle distribution.
Since it was almost unused anyway, we remove it entirely and use only
the \<sqinter> symbol instead.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Terms of the form "of_nat x = 0" get rewritten into
"~x dvd 2^LENGTH('a)", which is almost never what you want for
concrete word sizes. This bundle makes it easy to remove those rules
locally.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
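As an added illustration of the bundle mechanism the commit above describes (not code from the l4v or Word_Lib repositories): an Isabelle bundle collects attribute declarations such as `simp del`, so a proof can switch the offending rewrite off for one lemma or context block without touching the global simp set. The theory import, the bundle name, and the rule name `of_nat_eq_0_iff` are assumptions here; the commit message does not name the rule, so substitute the actual name of the rule that rewrites "of_nat x = 0" into a dvd statement.

```isabelle
theory Bundle_Demo
  imports "Word_Lib.Word_Lib"   (* assumed import; the real theory name may differ *)
begin

(* Assumed rule name: stands in for whichever HOL.Word simp rule turns
   "of_nat x = 0" into a divisibility statement on 2^LENGTH('a).
   Declaring it with [simp del] inside a bundle means the deletion only
   takes effect where the bundle is explicitly included. *)
bundle no_of_nat_dvd_simps = of_nat_eq_0_iff[simp del]

(* Whole block: every proof inside sees the rule removed. *)
context includes no_of_nat_dvd_simps
begin

lemma of_nat_concrete_8:
  "(of_nat 4 :: 8 word) \<noteq> 0"
  by simp   (* with the dvd rewrite out of the way, simp works on the concrete numeral *)

end

(* Single proof: the same bundle included just for this lemma. *)
lemma of_nat_concrete_64:
  "(of_nat 1 :: 64 word) \<noteq> 0"
  including no_of_nat_dvd_simps
  by simp

end
```

Both forms leave the global simp set unchanged; outside the `context` block and the `including` proof the rule is still active, which is the point of doing the removal through a bundle rather than a bare `declare ... [simp del]`.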
Isabelle2021 uses lualatex by default, which chokes on the pdfglyph
setup. On the upside, it seems to be supporting the correct code for
searchable ligatures already by default, so we can remove this setup.
Signed-off-by: Gerwin Klein <kleing@unsw.edu.au>
The @{here} antiquotation position leads to overlapping position
information which confuses the Isabelle session manager.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This mostly refactors ML code to avoid non-exhaustive matches, restores
the (op infix) syntax that got lost in a previous Isabelle update, and
removes some unused functions/parameters.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Word_32 and Word_64 shouldn't be included at the same time; they
both define default word_size and other notions. This commit refactors
them to be usable independently and also makes the type names available
independently from all of the Word_x theories.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This includes a tweak to Word_Lib to simplify ucast(-1) which
is now a term that occurs more often.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
`register_t` only needs to be able to index into the TCB user context
array, which has 35 entries on RISC-V. Therefore `uint8_t` is
sufficient.
Using the smallest possible type for `register_t` helps with binary
verification. This shrinks static read-only data, which in turn reduces
the complexity of binary verification proof search.
This commit verifies the corresponding C kernel patch.
Co-authored-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
Signed-off-by: Mitchell Buckley <Mitchell.Buckley@data61.csiro.au>
Signed-off-by: Zoltan Kocsis <Zoltan.Kocsis@data61.csiro.au>
`cinit` and related methods are able to automatically abstract accesses
of Simpl state variables to Isabelle variables, provided they can prove
that the Simpl variable has not been modified up to the point it is
accessed. However, previously, the automation was unaware of exceptional
control flow. This limits the effectiveness of variable lifting in
situations like the following:
// `var` has not yet been modified.
if (condition) {
var = new_value;
// Here, `var` has been modified.
return;
}
// Has `var` been modified before the following access?
do_something(var);
Prior to this commit, the answer would be "yes": `cinit` would conclude
that `var` has been modified prior to the access for `do_something`, so
the variable access would not be abstracted.
With this commit, the answer is "no": `cinit` recognises the `return` in
the `if` block, and can abstract the variable access for `do_something`.
The new automation is enabled for `cinit`, `clift` and `ctac`. It is
currently disabled for `csymbr`, since the new behaviour breaks some
existing proofs.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
The `cinit` and `clift` methods already provided a way to abstract
accesses to specified local variables to Isabelle variables that do not
depend on the state, provided that the procedure does not write to those
variables. The proof methods included automation of proofs that the
values of variables being abstracted remain constant throughout the
procedure.
This commit adds support for abstracting accesses to *global* variables.
The additional challenge here is that calls to other procedures might
modify global variables. We use the `modifies` facts produced by the C
parser to determine (and prove) when variables of interest are preserved
across procedure calls.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Currently this just modifies the rule but not any of the proofs that use
it. The old version is kept for now but should be removed once all of
the proofs are updated.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
The lemma set `exception_set_finite` contained the members
`exception_set_finite_1` and `exception_set_finite_2`. The `_1`/`_2`
suffix clashes with the internal `(1)` suffix for lemma set references,
which in some code paths is internally represented as `_1`, leading to
an error message.
Curiously this error message only occurs when the proof is run
single-threaded, so it has gone unnoticed for quite some time.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
The file was not included anywhere so far and is referenced in ML_Goal,
which is part of the AutoCorres release (but the dependency
ML_Goal_Test will be missed if it's not included elsewhere).
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
In Isabelle2020, when isabelle jedit is started without a session
context, e.g. `isabelle jedit -l ASpec`, theory imports with path
references cause the isabelle process to hang.
Since sessions now declare directories, Isabelle can find those files
without path reference and we therefore remove all such path references
from import statements. With this, `jedit` and `build` should work with
and without explicit session context as before.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Isabelle2020 requires each session to declare its own set of directories that
may not overlap with other sessions' directories. This commit reorganises
files to comply with that requirement.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
This is like `ccorres_rewrite`, but for `hoarep`, and uses the same
infrastructure.
The interaction between the `simpl_rewrite` locale and the
`simpl_rewrite` method was confusing, and didn't work well with multiple
interpretations. We replace the locale with a simple anonymous context
block. Since that puts more things in the global namespace, we rename
many of them. The `simpl_rewrite` method is now parameterised by a `hom`
fact which determines the predicate under which we are rewriting.
This also includes a slight generalisation of `exec_eq_is_valid_eq`,
which allows a similar generalisation of `hoarep_rewrite`.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
Refactor crunch to separately specify whether crunch_simps or
crunch_wps might be useful instead of printing one combined message.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
Change crunch to only warn when crunch_simps or crunch_wps can make
progress on the first goal. Previously it would try on all remaining
subgoals, which led to spurious warnings when schematic postconditions
could be unified incorrectly.
Signed-off-by: Corey Lewis <Corey.Lewis@data61.csiro.au>
We already have find_goal, but the interface is a bit too unwieldy to
casually use frequently. This commit introduces (or moves from RISCV)
two methods on top of find_goal:
- `in_case x`: asserts the goal has an assumption `?t = x`
- `find_case x`: finds a goal such that `in_case x`
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Treatment of fail/assert/stateAssert when you don't have to prove non-failure
of the concrete side, and lemmas for switching between nf and ¬nf for the
abstract side when no_fail is already proved separately.
Signed-off-by: Gerwin Klein <gerwin.klein@data61.csiro.au>
Some improved ccorres lemmas, dealing with throw and catch, and the usual
assortment of misc list/set/map lemmas.
Signed-off-by: Rafal Kolanski <rafal.kolanski@data61.csiro.au>
Sometimes we want to prove a fact, but the fact is painful or
error-prone to type out manually. In these cases, we'd like to construct
the goal fact using ML and then immediately enter a proof block.
Previously, we could achieve something like this through careful use of
`Thm.trivial` and `schematic_goal`, but this would clutter up the ML
namespace and wouldn't handle meta conjuncts (`&&&`). The new `ML_goal`
command addresses both of these issues.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Adds `unfold` for constructing a list from a generating function, and
adds `range` for constructing a range of numbers.
Signed-off-by: Edward Pierzchalski <ed.pierzchalski@data61.csiro.au>
Hotfix for a7ed68e75d, which moved some lemmas from X64 Move_C.thy into
Lib. `eq_restrict_map_None` being in the simp set caused several
breakages across other arches.
Signed-off-by: Victor Phan <Victor.Phan@data61.csiro.au>
Crunch would print spurious warning messages when using a rule with multiple
premises. By default, crunch generates a rule like that when applied to
functions with multiple non-trivial patterns.
Create ArchMove_R.thy for transporting arch specific lemmas (and generic
lemmas that are used somewhat specifically by one architecture) to theory
files before Refine.
Create Move_R.thy as an arch generic Refine theory file for transporting
generic lemmas to theory files before Refine.
Also delete some lemmas that have existed earlier already or are not
needed.
Rename Move.thy in CRefine to Move_C.thy for consistency.
This allows us to explicitly record the bound variables from the subgoal so that
they can be more easily handled. We also now drop binders when constructing typ
instantiations.
unat_ucast_8_64 states that upcasting an 8 word to a 64 word does not
change its value. We have a generic lemma for this which can be
specialised to this lemma: unat_ucast_up_simp[where 'a=8 and 'b=64,
simplified].
The main one is that crunch now uses wpsimp when determining whether a goal
can already be solved, instead of just wp. Crunch can also now use wps
when proving a goal and will now always ignore a constant if told to, even
if it is the top-level constant being crunched.
The main visible change is from 'wp_trace', 'wp_once' and 'wp_once_trace' to
'wp (trace)', 'wp (once)' and 'wp (once, trace)'. The option for printing a
warning for unused supplied wp rules has also been removed.
When extracting files for C parser and AutoCorres standalone releases,
we don't want Isabelle to fail a build when files referred to in
`@{file}` antiquotations no longer exist. Using `@{path}` avoids this
problem.
Previously, the method `datatype_schem` used a specific list of
hard-coded rules to "fix" datatypes in schematics. This adds an
attribute so users can add new datatype "lenses"/"accessors" as needed.
FP_Eval is an Isabelle/ML tool for functional program rewriting.
It has similarities with the Isabelle simplifier, but is simpler and
more scalable for performing computations in the logic.
See FP_Eval_Tests for basic tests and examples.
This is an explicit walkthrough about how one goes about doing a proof
in Isabelle/ML. The goal is that someone can run into such a proof, look
at this tutorial, and then at least be equipped to ask the right
questions about fixing the proof.