Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
Introduces F_all2, which allows us to have
a proper stateless precondition in corres_mapM_list_all2
(has access to all introduced goal parameters).
With it is the implicit assumption that the generated
condition can be phrased as a per-element property (although
it may talk about the list as a whole).
* rules for when the state relation is Id.
* rules for modify
* trivial return relations over units (i.e. = or dc)
are now always weakened into a schematic
This removes corres_choice in favour of making corres_rv smarter.
Now corres_rv can propagate a stateless condition, and the new
corres_rv method (called from corres) tries to push the generated
obligation into the appropriate place (stateless, left or right
precondition) based on which variables it discusses.
This avoids most cases where the corres_rv_wp_left/right or
corres_rv_defer rules needed to be specified manually.
The new "corres_choice_true" and "corres_choice_false" constants
represent a deferred choice for how to propagate a generated
stateless precondition. If possible, we would prefer to do so
via the outermost stateless precondition, since it has access
to all green variables. Importantly corres_rv_defer_left/right
are subsumed by the more general corres_rv_defer.
Also we introduce alternative wp_comb rules which introduce
a corres_inst_eq goal, rather than a raw meta-implication. This
is to avoid cases where the existing wp_comb methods would incorrectly
introduce schematic assumptions, resulting in unprovable goals. This
allows for more carefully controlling unification in cases where
the precondition of a hoare triple doesn't have access to all
necessary green variables.
Gerwin Klein
Daniel Matichuk