This adds translation rules for bitwise operators, along with suitable
guards. Note that the guard for signed `shiftl` follows the C standard,
rather than the incorrect c-parser guard (see VER-509).
There was no standard instance of `nat :: bit_operations` for unsigned
abstraction, so we also add one. It should be merged with the
(incomplete) HaskellLib instance later.
Closes Jira VER-1122.
* Consistently use the c-parser 'addr' type alias for pointer values.
* Include word abstraction and polish for 64-bit integral types.
* Include all current c-parser platforms in release packaging scripts.
More work is required to properly abstract AutoCorres tests across
architectures. The tests currently pass for both ARM and X64. However,
in a number of tests, we exploit the coincidences that 'int' is the same
size on both platforms (32 bits), and that 'long' is the same as the
pointer size on each platform (32 bits and 64 bits, respectively).
Some lemmas that were specific instances of more general lemmas have
been removed from the library. In most cases, broken references could
simply be replaced with the more general fact.
This removes some modifications that the theories make to the simpset
and other global context, which slightly reduces breakage when importing
AutoCorres into other theories.
Unfortunately, some of the tests/examples seem to rely on specific
modifications to simp and wp, so removing those will be harder.
Also some simplification stages still seem to use the global simpset
instead of AUTOCORRES_SIMPSET; need to debug later.
* commit 'ecbb860532b4c576fc4726a805802f16bcf5302c': (29 commits)
autocorres-crefine: specialise corres_no_failI for compatibility with Refine
Add license tags for autocorres-crefine files
crefine: refactor AutoCorresTest a bit
autocorres-crefine: remove local debugging imports
Fix InfoFlowC to accommodate corres_underlying changes.
Fix DRefine to accommodate corres_underlying changes.
autocorres-crefine: experiment with manually translating a function (clzl).
autocorres-crefine: experiment with translating bitfield_gen specs.
autocorres-crefine: start a test case for function calls.
autocorres-crefine: update example proofs to work with no_c_termination, which does not require proving termination for the C spec.
autocorres: add user option "no_c_termination" for previous patch.
Making termination proof optional for AutoCorres.
WIP: autocorres: hacky proof of concept for incremental translation.
autocorres: add some missing WordAbstract rules.
autocorres-crefine: fix some comments in work theory.
autocorres-crefine: prove modifies and (simple) terminates specs.
autocorres-crefine: experiment with generating modifies proofs
autocorres-crefine: run autocorres in kernel_all_substitute locale
autocorres-crefine: update another corres_UL that snuck in before rebasing.
autocorres-crefine: working ccorres for handleYield (modulo some white lies).
...
Previously, these functions were unsatisfyingly translated to “fail”.
By default, functions are wrapped in the constructs AC_call_simpl
and L1_call_simpl.
The restriction in corresTA_L2_call (?ex was always unified to "id")
caused corresTA_L2_call' (which produces uglier output) to be used
in situations where the first rule should have sufficed.
Reported by Lars Noschinski.
Japheth Lim
Gerwin Klein
Matthew Brecknell
Japheth Lim
Gerwin Klein
Lars Noschinski