Splits parts of step 4 of the SimplExport proof process, in order to
expose them to the test theory. Add some instructions on how to use
them.
Tags subgoals so that the user can identify which ones caused the
failure.
Consolidates ML setup code, and demarcates it to let uses ignore it.
Now that asmrefine targets several arches, it's useful to separate out
any intermediate artefacts by L4V_ARCH. For instance, this lets us use
the same directory to test two arches at once.
Using a shared ref for configuration reduces the understandability of
code. It turns out the contents of the `globals_swap` ref:
1. Was always the same.
2. Was only used in one spot.
3. Could be recreated at that one spot.
So we do that instead.
Adds a 'debug' configuration type to the main ProveSimplToGraphGoals
functions. Configuration lets the user control which functions will be
tested, and logs which functions fail testing.
Adds a 'single step' debug tactic for use in TestGraphRefine, and
demonstrates a few useful initial ML tactic for e.g. narrowing down
which subgoals are failing, and how to inspect a successful subgoal.
Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.
This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.
As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.
This patch permits the user to supply additional specs for functions
whose bodies were not imported (DONT_TRANSLATE or not present in parsed
C source). Those specs are exported by SimplExport.
The existing apparatus can import builtin functions like ctzl/clzl in C
sources by admitting them without bodies (DONT_TRANSLATE) and giving
them axiomatic Hoare triples (FNSPEC).
Translation validation then requires export of useful semantics. The user
can supply a made-up body, and show that it is a refinement of the body
that the parser created (derived from the FNSPEC and MODIFIES clauses).
The body must export out the graph language correctly. For ctzl/clzl etc
this is easy.
This creates an issue because "unat x < 1" is reduced to "unat x = 0"
by the simplifier, meaning the unat_mono tactic doesn't get to operate on
it. The fix is pretty easy. Also includes some extra investigation material.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
The C-parser contains a full parser for __asm__ syntax but
up until now hasn't done anything with it. Instead we export
some semantics. It's unspecified exactly what these semantics
are but they are parametrised with the __asm__ semantics that
went in to them, so the translation validation has something
to reason about.
Tweak modifies proofs as a result, and add some more test files.
The existing code only captured a single Guard in the body of a while.
Replace it with some ML for capturing the intersection of all guards.
(Thomas typing on Xin's keyboard.)
Zoltan Kocsis
Edward Pierzchalski
Gerwin Klein
Japheth Lim
Matthew Brecknell
Thomas Sewell
Alejandro Gomez-Londono
Rafal Kolanski
Thomas Sewell
Japheth Lim
Joel Beeren
Gerwin Klein
Matthew Brecknell
Gao Xin