These combinator rules do roughly what wp_pre does now. They were useful in
the distant past, but now that wp_pre exists it is much better to rely on the
automation and drop the explicit combinator chains.
The things that usually go wrong when migrating a proof script:
- wp no longer falls through: repeat the method with "+", e.g.
      apply (wp select_wp)   ->   apply (wp select_wp)+
- precondition handling: most explicit hoare_pre applications can be removed,
  but wpc still needs one, and occasionally a wp instance relies on being able
  to fit a rule to the current non-schematic precondition. In that case, use
  "including no_pre" to switch off the automatic hoare_pre application.
- very rarely a schematic postcondition interferes with the new trivial
  cleanup rules, because the rest of the script assumes some specific goal
  state afterwards (this shouldn't happen in a reasonable proof, but not all
  proofs are reasonable...). In that case, (wp_once ...)+ should emulate the
  old behaviour precisely.
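The three migration patterns above, as an added example that is not part of the original note or of the l4v proofs: one lemma each for repeating wp with "+", for switching off the automatic hoare_pre with "including no_pre", and for stepping through a program with (wp_once ...)+. It assumes the l4v nondeterministic-monad library (select_wp, hoare_pre, the no_pre bundle, wp_once); the import name is an assumption that depends on the l4v checkout (older trees use Lib.NonDetMonadVCG, newer ones Monads.Nondet_VCG), and the lemma names and the sets S, T, A, B are invented for illustration.

```isabelle
(* Added example, not from the original note. Assumes the l4v monad library;
   adjust the import to your checkout (Lib.NonDetMonadVCG or Monads.Nondet_VCG). *)
theory WP_Migration_Example
  imports Lib.NonDetMonadVCG
begin

(* 1. Fall-through. wp_pre weakens the precondition automatically, so wp can
      work through the whole program; "+" keeps applying it until nothing is
      left for wp to do. The stated precondition is deliberately not the one
      select_wp computes, so what remains is the implication between the two,
      which blast closes. *)
lemma select_pair:
  "\<lbrace>\<lambda>s. S \<subseteq> A \<and> T \<subseteq> B \<and> (\<forall>x\<in>A. \<forall>y\<in>B. Q (x, y) s)\<rbrace>
     do x \<leftarrow> select S; y \<leftarrow> select T; return (x, y) od
   \<lbrace>Q\<rbrace>"
  apply (wp select_wp)+
  apply blast
  done

(* 2. Precondition. With no_pre the automatic hoare_pre is switched off, so
      the wp rule has to fit the stated (non-schematic) precondition exactly.
      Here it does, and the goal is closed outright. *)
lemma select_exact:
  "\<lbrace>\<lambda>s. \<forall>x\<in>S. Q x s\<rbrace> select S \<lbrace>Q\<rbrace>"
  including no_pre
  by (wp select_wp)

(* 3. One step at a time. wp_once applies a single wp rule; repeating it with
      "+" walks through the program the way the old combinator chain did and
      leaves the same residual goal as lemma 1. *)
lemma select_once:
  "\<lbrace>\<lambda>s. S \<subseteq> A \<and> (\<forall>x\<in>A. Q x s)\<rbrace>
     do x \<leftarrow> select S; return x od
   \<lbrace>Q\<rbrace>"
  apply (wp_once select_wp)+
  apply blast
  done

end
```

If a script stops with a goal that is not a Hoare triple after the wp call, that is the precondition implication left by wp_pre; finish it with a terminal method as above rather than adding more wp rules.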
Previously, undefined C functions were unsatisfyingly translated to "fail".

By default, functions are wrapped in the constructs AC_call_simpl and
L1_call_simpl. Functions that are declared in the C file and called by other
C functions, but are never actually _defined_, were translated simply into a
"fail" monadic statement. This sometimes confused new users.

AutoCorres now instead emits a new constant,
    FUNCTION_BODY_NOT_IN_INPUT_C_FILE
defined simply as "fail", for such functions, so that the generated
definition itself says why the function has no real body.