Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MCS: merge master into rt #680

Merged
merged 207 commits into from
Oct 13, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
207 commits
Select commit Hold shift + click to select a range
2545aa0
github: add manual triggers for testing
lsf37 Mar 30, 2023
59bf9d9
docs: style: right- vs left-wrapping of operators
Xaphiosis Jan 20, 2023
0794e0a
run_tests: enable BaseRefine for AARCH64
Xaphiosis May 3, 2023
1483554
aarch64 refine: first attempt at Invariants_H
Xaphiosis May 5, 2023
01575f2
aarch64 refine: copy InvariantUpdates_H from RISCV64
Xaphiosis May 5, 2023
1404b9c
aarch64 refine: add StateRelation
Xaphiosis May 8, 2023
96851e8
aarch64 ainvs: fix typo
lsf37 May 8, 2023
44fc3ec
aarch64 refine: copy LevityCatch from RISCV64
lsf37 May 8, 2023
0b0b3b3
aarch64 refine: iteration on Invariants_H
lsf37 May 8, 2023
394f74b
aarch64 aspec: sync vmid bit width with Haskell+C
lsf37 May 10, 2023
9f25a4e
aarch64 haskell: use ppn concept for PageTablePTEs
lsf37 May 10, 2023
55a01f1
aarch64 refine: complete StateRelation
lsf37 May 10, 2023
61bce83
aarch64 refine: copy Corres.thy from RISCV64
lsf37 May 10, 2023
bf3929b
aarch64 refine: adjust Bits_R from RISCV64
lsf37 May 10, 2023
7cdb85f
aarch64 refine: copy EmptyFail from RISCV64
lsf37 May 10, 2023
555bff6
aarch64 refine: copy SubMonad_R from RISCV64
lsf37 May 10, 2023
b882216
aarch64 refine: copy Machine_R from RISCV64
lsf37 May 10, 2023
38a65fd
aarch64 refine: adjust KHeap_R from RISCV64
lsf37 May 10, 2023
b426654
aarch64 refine: use ptTranslationBits for indices
lsf37 May 11, 2023
3b5a983
aarch64 refine: first pass through ArchAcc_R
lsf37 May 11, 2023
e0114ee
aarch64 refine: add CSpace_I and CSpace1_R
Xaphiosis May 15, 2023
a93a626
aarch64 refine: copy RAB_FN from RISCV64
Xaphiosis May 16, 2023
18d76ef
aarch64 refine: add vcpuBits_def to objBits_defs
Xaphiosis May 16, 2023
2b543da
aarch64 refine: add CSpace_R
Xaphiosis May 16, 2023
cb03631
aarch64 refine: add TcbAcc_R and ArchMove_R
Xaphiosis May 16, 2023
059afc8
aarch64 refine: add InterruptAcc_R
Xaphiosis May 16, 2023
97ebd07
aarch64 refine: start on VSpace_R
Xaphiosis May 16, 2023
0f11a7a
aarch64 refine: progress in ArchAcc
lsf37 May 16, 2023
a79e06f
aarch64 refine: first run through VSpace_R
Xaphiosis May 17, 2023
9040568
aarch64 refine: add state_hyp_refs_of' to valid_state'
Xaphiosis May 18, 2023
044a97e
aarch64 refine: first run through Schedule_R
Xaphiosis May 18, 2023
3a77d09
aarch64 refine: first pass through IpcCancel_R
Xaphiosis May 18, 2023
e508693
aarch64 refine: first pass through Retype_R
Xaphiosis May 18, 2023
a4536a1
aarch64 refine: first pass through Detype_R
Xaphiosis May 18, 2023
5601abc
aarch64 refine: fill in VSpaceObject cases in Retype_R
lsf37 May 19, 2023
f4c12a6
aarch64 refine: remove kernel_mappings in Retype/Detype
lsf37 May 19, 2023
0a7eaec
aarch64 refine: copy over Invocations_R from RISCV64
lsf37 May 19, 2023
be22c7b
aarch64 refine: set up Untyped_R from RISCV64, add hyp/vcpu
lsf37 May 19, 2023
4dfb6f8
aarch64 refine: first pass through Finalise_R
Xaphiosis May 19, 2023
865facf
aarch64 refine: first pass through Ipc_R
lsf37 May 19, 2023
835d82c
aarch64 refine: first pass through Interrupt_R
lsf37 May 19, 2023
4834c25
aarch64 refine: first pass through CNodeInv_R
lsf37 May 19, 2023
f3bbd47
aarch64 haskell: prefer fail over error
lsf37 May 19, 2023
a88bf41
aarch64 refine: remove 1 sorry
lsf37 May 19, 2023
20fad5b
aarch64 refine: update vmattributes_map for devices
Xaphiosis May 21, 2023
8de1430
aarch64 refine: first pass through Tcb_R
lsf37 May 22, 2023
7cea1dc
aarch64 aspec: attribs_from_word used wrong bits
Xaphiosis May 22, 2023
7ed8476
aarch64 haskell: update decodeARMASIDPoolInvocation
Xaphiosis May 22, 2023
226c2f6
aarch64 refine: first pass through Arch_R
Xaphiosis May 21, 2023
59d303b
aarch64 refine: first pass through Syscall_R
lsf37 May 22, 2023
ee346ba
aarch64 refine: first pass though Init_R
Xaphiosis May 23, 2023
72dfb53
aarch64 refine: copy IncKernelLemmas+InitLemmas from RISCV64
Xaphiosis May 23, 2023
c58c007
aarch64 refine: copy KernelInit_R from RISCV64
Xaphiosis May 24, 2023
a4f944d
aarch64 refine: copy PageTableDuplicates from RISCV64
lsf37 May 22, 2023
e0ae44a
aarch64 haskell+design: record PT types in ghost state
lsf37 May 24, 2023
064d102
aarch64 ainvs+refine: proof updates for PT type ghost state
lsf37 May 24, 2023
d24d2f8
aarch64 refine: first pass through ADT_H
lsf37 May 24, 2023
aa2eb9a
design: fix ExecSpec for other architectures
lsf37 May 24, 2023
9298456
refine: update other architectures for ghost state change
lsf37 May 25, 2023
c4dee68
aarch64: update Init_R+PageTableDuplicates for PT ghost state
Xaphiosis May 25, 2023
7154cc9
aarch64 refine: remove final mention of vs_valid_duplicates'
Xaphiosis May 25, 2023
81d382e
aarch64 refine: first pass through Refine (sorry-free)
Xaphiosis May 25, 2023
2f3e333
aarch64 refine: first pass through EmptyFail_H (sorry-free)
Xaphiosis May 25, 2023
7b73a18
run_tests: enable Refine (quick_and_dirty) for AARCH64
Xaphiosis May 25, 2023
496f70f
run_tests: fix QUICK_AND_DIRTY handling
Xaphiosis May 25, 2023
7cdd203
aarch64 refine: first run through Orphanage
Xaphiosis May 25, 2023
381ad05
run_tests: enable RefineOrphanage for AARCH64
Xaphiosis May 25, 2023
1e61943
proof/ROOT: RefineOrphanage: add quick and dirty option
Xaphiosis May 25, 2023
971be5f
haskell: constrain run_tests to current L4V_ARCH
lsf37 May 31, 2023
7c422d7
cspec: introduce L4V_PLAT
lsf37 Jun 2, 2023
c4d673b
cspec: Use L4V_PLAT in build export script
mbrcknl Jun 2, 2023
fc44f65
aspec+haskell: add accessor names for scheduler_action datatype
michaelmcinerney Mar 21, 2023
6da2d97
run_tests: echo L4V_FEATURES and L4V_PLAT
lsf37 Jun 6, 2023
290b7c7
run_tests: update outdated comment
lsf37 Jun 6, 2023
9752444
run_tests: REFINE_QUICK_AND_DIRTY already set in Makefile
lsf37 Jun 6, 2023
443706f
github: distinguish proof PR checks from deployment run
lsf37 Jun 6, 2023
9fe1676
github: auto-rebase platform branches
lsf37 Jun 5, 2023
6f2ea86
github: push to -rebased branch first
lsf37 Jun 6, 2023
ea62a6c
lib: docs + 2nd predicate-type guard for wpc
lsf37 Jun 13, 2023
0e30162
lib+proof: proof updates for wpc change
lsf37 Jun 13, 2023
29873da
lib: split out WP_Pre.pre_tac for wp_pre
lsf37 Jun 9, 2023
f75a348
lib+refine+crefine: disambiguate corres_pre
lsf37 Jun 9, 2023
db44def
arm-hyp crefine: use monadic_rewrite_pre
lsf37 Jun 15, 2023
f72702f
lib: monadic rewrite: improve bound name retention
Xaphiosis Jun 13, 2023
ec907bf
lib: add test for monadic rewrite
Xaphiosis Jun 13, 2023
18cbdae
infoflow: update for monadic rewrite changes
Xaphiosis Jun 13, 2023
460d99b
haskell: upgrade to lts-20.25 and ghc 9.2.8
lsf37 Jun 18, 2023
dc093ca
github: use explicit token to enable push triggers
lsf37 Jun 21, 2023
722cd25
github: use correct secret
lsf37 Jun 21, 2023
5abb456
lib: add corres_cases method
lsf37 Jun 22, 2023
168d3aa
crefine: remove obsolete corres wpc setup
lsf37 Jun 22, 2023
59759ed
arm refine: deploy corres_cases in some examples
lsf37 Jun 23, 2023
163b9fe
crefine: remove some duplicated lemmas
corlewis Jun 26, 2023
0edd68f
lib: cong rules for ccorres_underlying
corlewis Jun 19, 2023
1f06802
crefine: update for new ccorres cong rules
corlewis Jun 19, 2023
c1fe4ad
lib+refine: rename Corres_Method to CorresK_Method
lsf37 Jun 26, 2023
865df55
lib: add new corres method
lsf37 Jun 26, 2023
445a8e4
lib: cleanup in Corres_UL and around liftM in Monads
lsf37 Jun 27, 2023
691c9e2
lib: some remarks on corres_mapM*
lsf37 Jun 29, 2023
fad4b70
refine: make corres method available in Refine
lsf37 Jun 26, 2023
01a4216
riscv refine: example corres method use
lsf37 Jun 29, 2023
a0be68c
clib+crefine: add no_name_eta to crefine tactics
corlewis Jun 30, 2023
d87f5e1
crefine: update for no_name_eta
corlewis Jun 30, 2023
fa484da
monads: synchronise with rt branch
corlewis Jul 4, 2023
c9dc6d2
docs/setup: add step for installing cabal
corlewis Jul 18, 2023
26f41e1
lib/monads: rename OptionMonad to Reader_Option_Monad
corlewis Jul 7, 2023
9b90b9e
lib+spec+proof+autocorres: update for renamed Reader_Option_Monad
corlewis Jul 7, 2023
9b9e613
lib/monads: move different monads to subdirectories
corlewis Jul 7, 2023
2c8f9ee
lib+spec+proof+autocorres: consistent Nondet filename prefix
corlewis Jul 18, 2023
67946d4
lib: consistent Trace filename prefix
corlewis Jul 18, 2023
aa8b108
lib/monads: reorder files in ROOT
corlewis Jul 19, 2023
0e0e0ca
lib/monads: add select_wp and alternative_wp to wp set for Nondet monad
corlewis Aug 1, 2023
0211681
proof+autocorres: update for select_wp and alternative_wp
corlewis Aug 1, 2023
f6eaad5
arm abstract+design: reorder object_type enum
lsf37 Aug 11, 2023
f7c3ee5
drefine: adjust for object_type enum reorder
lsf37 Aug 11, 2023
71dc79a
arm crefine: proof updates for object_type enum reorder
lsf37 Aug 11, 2023
540bb64
arm-hyp abstract+design: object_type enum reorder
lsf37 Aug 11, 2023
4d97b26
arm-hyp crefine: proof update for object_type enum reorder
lsf37 Aug 11, 2023
631bc30
lib/monads: move lifting/splitting section earlier in Nondet_VCG
corlewis Aug 9, 2023
fde22d7
lib/monads: minor cleanup and restyle in nondet monad
corlewis Aug 9, 2023
a084de4
refine: update for changes to nondet monad
corlewis Aug 14, 2023
477e8d2
lib/monads: restyle Trace_Monad.thy
corlewis Jul 19, 2023
380520c
lib/monads: refactor trace monad theories
corlewis Jul 19, 2023
6dbcf40
lib/monads: split content out into Trace_RG and Trace_No_Trace
corlewis Aug 14, 2023
4a44874
lib/monads: restyle and reorder trace monad files
corlewis Aug 14, 2023
917fff5
lib: update for trace monad refactor
corlewis Aug 14, 2023
1482841
lib: add a breakpoint for corres_cleanup
lsf37 Jun 30, 2023
51ebfd6
lib: enforce simp (no_asm) in Corres_Method
lsf37 Jun 30, 2023
7595c02
riscv refine: adjust for (no_asm) in Corres_Method
lsf37 Jul 1, 2023
f80d7f8
lib: on the use of corres_liftM_simp rules
lsf37 Aug 30, 2023
0969196
lib: factor out is_safe_wp method
lsf37 Aug 30, 2023
c4369f5
lib: add docs and test for Corres_Method
lsf37 Aug 30, 2023
deade60
crefine: change misleading proof step in CSpace_RAB_C
Xaphiosis Sep 14, 2023
322f4f9
aarch64 refine: remove pspace_canonical'
lsf37 Jun 6, 2023
6e57667
aarch64 refine: invariant update lemmas
lsf37 Sep 27, 2023
7ae4e55
aarch64 refine: ArchAcc_R sorry free
lsf37 Jun 6, 2023
c77d649
aarch64 aspec: sync with Haskell
lsf37 Jun 7, 2023
d16b4fd
aarch64 ainvs: new invariant on vmid_table
lsf37 Jul 3, 2023
345818d
aarch64 aspec: cleanByVA_PoU in perform_pg_inv_map
lsf37 Jul 4, 2023
7713dff
aarch64 ainvs: updates for spec change
lsf37 Jul 4, 2023
438e27a
aarch64 aspec: fix do_flush spec bug
lsf37 Jul 5, 2023
c628181
aarch64 aspec+ainvs: add valid_asid_map invariant
lsf37 Jul 4, 2023
d16d35e
aarch64 refine: VSpace_R sorry-free
lsf37 Jul 3, 2023
f14217e
aarch64 refine: progress in Retype_R
lsf37 Jul 17, 2023
e74d5fe
aarch64 refine: progress in Retype_R
lsf37 Jul 18, 2023
4913aa8
aarch64 haskell: tweak createNewCaps definition
lsf37 Jul 18, 2023
2ec696f
aarch64 refine: Retype_R sorry-free
lsf37 Jul 18, 2023
1ea097a
aarch64 refine: Untyped_R sorry-free
lsf37 Jul 18, 2023
1f60044
aarch64 refine: Schedule_R sorry-free
lsf37 Jul 19, 2023
73ba0ce
aarch64 refine: IpcCancel_R sorry-free
lsf37 Jul 20, 2023
522cef1
aarch64 refine: Finalise_R sorry-free
lsf37 Jul 21, 2023
0e8048b
aarch64 aspec+ainvs: sync user_vtop check with C
lsf37 Jul 23, 2023
d849c0b
aarch64 haskell: fix syscall arg error reporting
lsf37 Jul 23, 2023
e2355c7
aarch64 haskell: check cap type in checkVSpaceRoot
lsf37 Jul 23, 2023
1fb96c7
aarch64 ainvs: mark addrFromPPtr_mask_ipa
lsf37 Jul 23, 2023
c745d4e
aarch64 aspec: fix flush type in decode_vspace_invocation
lsf37 Jul 23, 2023
da76bca
aarch64 refine: Arch_R sorry-free
lsf37 Jul 23, 2023
1f05109
aarch64 refine: Ipc_R sorry-free
lsf37 Jul 26, 2023
a0311bd
aarch64 refine: Interrupt_R sorry-free
lsf37 Jul 26, 2023
ffd038f
aarch64 refine: ADT_H sorry-free
lsf37 Jul 27, 2023
1fde048
aarch64 refine: progress in Detype_R
lsf37 Jul 28, 2023
8f2710d
aarch64 refine: Detype_R sorry-free
lsf37 Aug 9, 2023
2e3c97d
aarch64 refine: Orphanage sorry-free
Xaphiosis Aug 10, 2023
cf0e636
aarch64 refine: resolve trivial FIXMEs
lsf37 Aug 22, 2023
43c0759
aarch64 refine: leave comment instead of FIXME
lsf37 Aug 22, 2023
6bfdecd
aarch64 refine: defer some FIXMEs to CRefine
lsf37 Aug 22, 2023
c263749
aarch64 refine: consolidate dmo_invs_no_cicd' lemmas
lsf37 Aug 23, 2023
62618fc
aarch64 refine: improve decode invariance crunch
lsf37 Aug 23, 2023
4c69a42
lib: fix ML warning
lsf37 Aug 24, 2023
6793a94
lib: move lemmas from refine/AARCH64/ArchAcc
lsf37 Aug 24, 2023
5f74194
aarch64 refine: move lemmas to lib
lsf37 Aug 24, 2023
9f7e8f8
word_lib: anti-monotonicity of shiftr
lsf37 Aug 24, 2023
fe3ebf0
lib: lemmas moved from aarch64 refine
lsf37 Aug 24, 2023
dc4955d
aarch64 refine: lemma moved to Word_Lib
lsf37 Aug 24, 2023
2251bf8
aarch64 refine: lemmas moved to lib
lsf37 Aug 24, 2023
26a3a6e
aarch64 refine: lemmas moved to aarch64 ainvs
lsf37 Aug 24, 2023
a24ddbe
aarch64 refine: move lemmas internally
lsf37 Aug 24, 2023
de50741
lib+aarch64 refine: move lemmas to lib
lsf37 Aug 24, 2023
0369a4b
lib+ainvs+aarch64 refine: move+consolidate vcg_op_lift lemmas
lsf37 Aug 24, 2023
dcf6ee4
aarch64 ainvs+refine: move lemmas from Refine
lsf37 Aug 28, 2023
5497666
aarch64 ainvs+refine: remove unused dom_ucast_eq
lsf37 Aug 28, 2023
df31523
lib/monads: more cleanup and restyle in nondet monad
corlewis Aug 18, 2023
7999632
proof: update for changes to nondet monad
corlewis Aug 18, 2023
d66ac95
lib/monads/trace: copy in definitions and rules from nondet
corlewis Aug 24, 2023
0aac7ac
lib/monads/trace: update definitions and rules taken from nondet
corlewis Aug 24, 2023
293b97c
lib/monads/trace: prove more lemmas connecting valid and validI
corlewis Aug 24, 2023
3333395
lib/monads: improve style of nondet and trace
corlewis Oct 5, 2023
34038fc
lib/monads/nondet: remove uses of _tac methods
corlewis Sep 20, 2023
6680297
lib/monads: add no_fail_ex_lift and no_fail_grab_asm
michaelmcinerney Oct 5, 2023
e7cca6a
lib: improve corres_underlying rules for whileLoop
michaelmcinerney Oct 5, 2023
6721c7a
lib: sync Word_Lib with AFP
lsf37 Sep 1, 2023
3f66cb0
lib/Eisbach_Tools: morphism type changed in Isabelle2023
lsf37 Sep 1, 2023
eeae2af
lib: Isabelle2023 update
lsf37 Sep 1, 2023
286278d
misc: goto-error jEdit macro: update for 2023
Xaphiosis Sep 6, 2023
450234e
aspec: mapsto syntax update for Isabelle2023
lsf37 Sep 13, 2023
83fc513
c-parser: sync Simpl from AFP for Isabelle2023
lsf37 Sep 15, 2023
be44fad
c-parser: update to Isabelle2023 maps-to syntax
lsf37 Sep 15, 2023
26807f7
c-parser: adapt standalone parser to Isabelle2023
lsf37 Sep 18, 2023
f88d2d4
clib: update to Isabelle2023 mapsto syntax
lsf37 Sep 16, 2023
3141584
proof: update to Isabelle2023 mapsto syntax
lsf37 Sep 16, 2023
f7768ee
sep-capDL: update to Isabelle2023 mapsto syntax
lsf37 Sep 16, 2023
4c0b3df
capdDL-api: update to Isabelle2023 mapsto syntax
lsf37 Sep 16, 2023
0f99a75
autocorres: update to Isabelle2023
lsf37 Sep 16, 2023
0d984f3
camkes: update to Isabelle2023 mapsto syntax
lsf37 Sep 16, 2023
ad24d95
word lib: fix broken style introduced from AFP
lsf37 Oct 6, 2023
3036f22
Merge branch 'master' into rt
corlewis Oct 11, 2023
3308a0b
rt proof: update for merge
corlewis Oct 11, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
2 changes: 2 additions & 0 deletions .github/workflows/external.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ name: External
on:
schedule:
- cron: '1 15 1,15 * *' # 15:01 UTC on 1st and 15th of month
# for testing:
workflow_dispatch:

jobs:
proofs:
Expand Down
31 changes: 31 additions & 0 deletions .github/workflows/proof-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ on:
repository_dispatch:
types:
- manifest-update
# for testing:
workflow_dispatch:

jobs:
code:
Expand Down Expand Up @@ -74,3 +76,32 @@ jobs:
with:
token: ${{ secrets.PRIV_REPO_TOKEN }}
tag: "l4v/proof-deploy/${{ github.event_name }}"

rebase:
name: Rebase platform branches
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
branch: [imx8-fpu-ver, exynos5-ver]
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ matrix.branch }}
path: l4v-${{ matrix.branch }}
fetch-depth: 0
# needed to trigger push actions on the -rebased branch
# (implict GITHUB_TOKEN does not trigger further push actions).
token: ${{ secrets.PRIV_REPO_TOKEN }}
- name: Rebase
run: |
cd l4v-${{ matrix.branch }}
git config --global user.name "seL4 CI"
git config --global user.email "[email protected]"
git rebase origin/master
git status
- name: Push
run: |
cd l4v-${{ matrix.branch }}
git push -f origin HEAD:${{ matrix.branch }}-rebased
2 changes: 1 addition & 1 deletion .github/workflows/proof.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: BSD-2-Clause

name: Proofs
name: Proof PR

on:
push:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
- rt
- aarch64
pull_request:
# for testing:
workflow_dispatch:

jobs:
check:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/weekly-clean.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ name: Weekly Clean
on:
schedule:
- cron: '1 15 * * 6' # 15:01 UTC every Sat = 1:01 am Syd every Sun
# for testing:
workflow_dispatch:

jobs:
proofs:
Expand Down
2 changes: 1 addition & 1 deletion camkes/cdl-refine/Eval_CAMKES_CDL.thy
Original file line number Diff line number Diff line change
Expand Up @@ -211,7 +211,7 @@ lemma Collect_asid_high__eval_helper:
section \<open>Assorted helpers\<close>
lemma fun_upds_to_map_of[THEN eq_reflection]:
"Map.empty = map_of []"
"(map_of xs(k \<mapsto> v)) = map_of ((k, v) # xs)"
"((map_of xs)(k \<mapsto> v)) = map_of ((k, v) # xs)"
by auto

lemma subst_eqn_helper:
Expand Down
132 changes: 132 additions & 0 deletions docs/Style.thy
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,138 @@ lemma test_lemma3:
case_tac h; simp)
done

section \<open>Right vs left operator-wrapping\<close>

text \<open>
When a term is too long, there is a general consensus to wrap it at operators. However, consensus
has never emerged on whether the operator should then end up at the end of the line (right
operator wrapping), or start of the next one (left operator wrapping).
Some people have a tendency towards right-wrapping, others towards left-wrapping. They
each have advantages in specific contexts, thus both appear in the l4v proofs and are permitted
style.\<close>

term \<open>A \<and> B \<longrightarrow> C \<and> D\<close> \<comment> \<open>no wrapping when A..D are small terms\<close>

term \<open>A \<and>
B \<longrightarrow>
C \<and>
D\<close> \<comment> \<open>right-wrapping when A..D are large terms\<close>

term \<open>A
\<and> B
\<longrightarrow> C
\<and> D\<close> \<comment> \<open>left-wrapping when A..D are large terms\<close>

text \<open>
While both styles are permitted, do not mix them in the same lemma. If a lemma already uses
one style and you aren't doing a major rewrite, stick to the existing style.\<close>

lemma
shows "\<lbrakk> A; B; C\<rbrakk> \<Longrightarrow>
D" \<comment> \<open>right-wrapping OK\<close>
and "\<lbrakk> A; B; C\<rbrakk>
\<Longrightarrow> D" \<comment> \<open>left-wrapping OK\<close>
oops \<comment> \<open>mixing styles: NOT OK\<close>

text \<open>
Some operators and syntax only have ONE style. As seen in other sections:
* the `|` in `case` never appears on the right
* `;` is always on the right when wrapping lists of assumptions
* `shows .. and ... and` wraps with `and` on the left
* `|` in method invocations always goes on the left
* commas and (semi)colons, owing to our natural language origins, always end up on the right\<close>

lemma
shows
"\<lbrakk> A
; B \<rbrakk> \<comment> \<open>wrong: always on right\<close>
\<comment> \<open>ok: \<Longrightarrow> can be either left or right\<close>
\<Longrightarrow> C" and \<comment> \<open>wrong: `shows/and` only on left!\<close>
"D"
and "E" \<comment> \<open>ok: on left\<close>
proof -
have "True \<and> True"
by (rule conjI,
blast,
blast) \<comment> \<open>ok\<close>
have "True \<and> True"
by (rule conjI
, blast
, blast) \<comment> \<open>NOT OK: commas go on right\<close>
have "True \<and> True"
by (rule conjI;
blast) \<comment> \<open>ok\<close>
have "True \<and> True"
by (rule conjI
; blast) \<comment> \<open>NOT OK: semicolons go on right\<close>
have "True \<and> True"
by (rule conjI
| blast)+ \<comment> \<open>ok\<close>
have "True \<and> True"
by (rule conjI |
blast)+ \<comment> \<open>NOT OK: `|` goes on the left\<close>
oops

text \<open>
The general principle of "nothing indented less than what it belongs to" is in effect for both
wrapping styles. Remember, the goal of the exercise is to make it as clear to read for others as
you can. Sometimes, scanning the left side of the screen to see the overall term can help,
while other times putting @{text \<Longrightarrow>} on the right will save space and prevent subsequent lines
from wrapping.\<close>

text \<open>
Inner-syntax indentation is not automatable in the general case, so our goal is to help
ease of comprehension as much as possible, i.e.
@{term "A \<and> B \<or> C \<longrightarrow> D \<or> E \<and> F"} is bearable if A..F are short, but if they are large terms,
please avoid doing either of these:\<close>

term "
A \<and>
B \<or>
C \<longrightarrow>
D \<or>
E \<and>
F" \<comment> \<open>avoid: requires building a parse tree in one's head\<close>

term "
A
\<and> B
\<or> C
\<longrightarrow> D
\<or> E
\<and> F" \<comment> \<open>can be marginally easier to scan, but still avoid due to mental parsing difficulty\<close>

text \<open>Instead, help out the reader like this:\<close>

term "
A \<and>
B \<or>
C \<longrightarrow>
D \<or>
E \<and>
F"

term "
A
\<and> B
\<or> C
\<longrightarrow> D
\<or> E
\<and> F"

text \<open>AVOID indentation that misrepresents the parse tree and confuses the reader:\<close>

term "
A
\<and> B
\<or> C" \<comment> \<open>NOT OK: implies this parses as @{text "A \<and> (B \<or> C)"}\<close>

term "
A \<and>
B \<longrightarrow>
B \<or>
A" \<comment> \<open>NOT OK: implies this parses as @{text "((A \<and> B) \<longrightarrow> B) \<or> A"}\<close>

section \<open>Other\<close>

text \<open>
Expand Down
5 changes: 3 additions & 2 deletions docs/setup.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,12 +91,13 @@ pip3 install --user sel4-deps

After installing [haskell-stack](https://docs.haskellstack.org/en/stable/)
(already included in the packages above on Mac and Ubuntu), make sure you've
adjusted your `PATH` to include `$HOME/.local/bin`, and that you're running an
up-to-date version:
adjusted your `PATH` to include `$HOME/.local/bin`, that you're running an
up-to-date version, and that you have installed cabal:

```bash
stack upgrade --binary-only
which stack # should be $HOME/.local/bin/stack
stack install cabal-install
```

## Checking out the repository collection
Expand Down
10 changes: 5 additions & 5 deletions lib/BCorres_UL.thy
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

theory BCorres_UL
imports
Monads.NonDetMonadVCG
Monads.Nondet_VCG
Crunch_Instances_NonDet
begin

Expand All @@ -17,12 +17,12 @@ definition bcorres_underlying where
"bcorres_underlying t f g \<equiv> \<forall>s. s_bcorres_underlying t f g s"

lemma wpc_helper_bcorres:
"bcorres_underlying t f g \<Longrightarrow> wpc_helper (P, P') (Q, Q') (bcorres_underlying t f g)"
by (simp add: wpc_helper_def)
"bcorres_underlying t f g \<Longrightarrow> wpc_helper P Q (bcorres_underlying t f g)"
by (simp add: wpc_helper_def split: prod.split)

lemma wpc_helper_s_bcorres:
"s_bcorres_underlying t f g s \<Longrightarrow> wpc_helper (P, P') (Q, Q') (s_bcorres_underlying t f g s)"
by (simp add: wpc_helper_def)
"s_bcorres_underlying t f g s \<Longrightarrow> wpc_helper P Q (s_bcorres_underlying t f g s)"
by (simp add: wpc_helper_def split: prod.split)

wpc_setup "\<lambda>f. bcorres_underlying t f g" wpc_helper_bcorres
wpc_setup "\<lambda>f. s_bcorres_underlying t f g s" wpc_helper_bcorres
Expand Down
10 changes: 5 additions & 5 deletions lib/Bisim_UL.thy
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@

theory Bisim_UL
imports
Monads.NonDetMonadVCG
Monads.Nondet_VCG
Corres_UL
Monads.Empty_Fail
Monads.Nondet_Empty_Fail
begin

(* This still looks a bit wrong to me, although it is more or less what I want \<emdash> we want to be
Expand Down Expand Up @@ -159,7 +159,7 @@ lemma bisim_split_handle:

(* Set up wpc *)
lemma wpc_helper_bisim:
"bisim_underlying SR r Q Q' f f' \<Longrightarrow> wpc_helper (P, P') (Q, {s. Q' s}) (bisim_underlying SR r P (\<lambda>s. s \<in> P') f f')"
"bisim_underlying SR r Q Q' f f' \<Longrightarrow> wpc_helper (P, P', P'') (Q, Q', Q'') (bisim_underlying SR r P P' f f')"
apply (clarsimp simp: wpc_helper_def)
apply (erule bisim_guard_imp)
apply simp
Expand Down Expand Up @@ -342,7 +342,7 @@ lemmas dets_to_det_on [wp] = det_det_on [OF det_gets] det_det_on [OF return_det]

(* Set up wpc *)
lemma wpc_helper_det_on:
"det_on Q f \<Longrightarrow> wpc_helper (P, P') (Q, Q') (det_on P f)"
"det_on Q f \<Longrightarrow> wpc_helper (P, P', P'') (Q, Q', Q'') (det_on P f)"
apply (clarsimp simp: wpc_helper_def det_on_def)
done

Expand Down Expand Up @@ -426,7 +426,7 @@ lemma not_empty_gets [wp]:

(* Set up wpc *)
lemma wpc_helper_not_empty:
"not_empty Q f \<Longrightarrow> wpc_helper (P, P') (Q, Q') (not_empty P f)"
"not_empty Q f \<Longrightarrow> wpc_helper (P, P', P'') (Q, Q', Q'') (not_empty P f)"
apply (clarsimp simp: wpc_helper_def not_empty_def)
done

Expand Down
16 changes: 8 additions & 8 deletions lib/CorresK/CorresK_Lemmas.thy
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,12 @@

theory CorresK_Lemmas
imports
"Lib.Corres_Method"
"Lib.CorresK_Method"
"ExecSpec.Syscall_H"
"ASpec.Syscall_A"
begin

lemma corres_throwError_str [corres_concrete_rER]:
lemma corres_throwError_str [corresK_concrete_rER]:
"corres_underlyingK sr nf nf' (r (Inl a) (Inl b)) r \<top> \<top> (throwError a) (throw b)"
"corres_underlyingK sr nf nf' (r (Inl a) (Inl b)) r \<top> \<top> (throwError a) (throwError b)"
by (simp add: corres_underlyingK_def)+
Expand Down Expand Up @@ -41,7 +41,7 @@ lemma mapME_x_corresK_inv:
show ?case
apply (simp add: mapME_x_def sequenceE_x_def)
apply (fold mapME_x_def sequenceE_x_def dc_def)
apply (corressimp corresK: x IH wp: y)
apply (corresKsimp corresK: x IH wp: y)
done
qed
done
Expand Down Expand Up @@ -141,7 +141,7 @@ lemma corresK_mapM_list_all2:
lemma corresK_discard_rv:
assumes A[corresK]: "corres_underlyingK sr nf nf' F r' P P' a c"
shows "corres_underlyingK sr nf nf' F dc P P' (do x \<leftarrow> a; return () od) (do x \<leftarrow> c; return () od)"
by corressimp
by corresKsimp

lemma corresK_mapM_mapM_x:
assumes "corres_underlyingK sr nf nf' F r' P P' (mapM f as) (mapM f' cs)"
Expand All @@ -163,12 +163,12 @@ lemma corresK_subst_both: "g' = f' \<Longrightarrow> g = f \<Longrightarrow>

lemma if_fun_true: "(if A then B else (\<lambda>_. True)) = (\<lambda>s. (A \<longrightarrow> B s))" by simp

lemmas corresK_whenE [corres_splits] =
lemmas corresK_whenE [corresK_splits] =
corresK_if[THEN
corresK_subst_both[OF whenE_def[THEN meta_eq_to_obj_eq] whenE_def[THEN meta_eq_to_obj_eq]],
OF _ corresK_returnOk[where r="f \<oplus> dc" for f], simplified, simplified if_fun_true]

lemmas corresK_head_splits[corres_splits] =
lemmas corresK_head_splits[corresK_splits] =
corresK_split[where d="return", simplified]
corresK_splitE[where d="returnOk", simplified]
corresK_split[where b="return", simplified]
Expand All @@ -192,7 +192,7 @@ lemmas [corresK] =
corresK_Id[where nf'=True and r="(=)", simplified]
corresK_Id[where nf'=True, simplified]

lemma corresK_unit_rv_eq_any[corres_concrete_r]:
lemma corresK_unit_rv_eq_any[corresK_concrete_r]:
"corres_underlyingK sr nf nf' F r P P' f f' \<Longrightarrow>
corres_underlyingK sr nf nf' F
(\<lambda>(x :: unit) (y :: unit). x = y) P P' f f'"
Expand All @@ -201,7 +201,7 @@ lemma corresK_unit_rv_eq_any[corres_concrete_r]:
apply simp
done

lemma corresK_unit_rv_dc_any[corres_concrete_r]:
lemma corresK_unit_rv_dc_any[corresK_concrete_r]:
"corres_underlyingK sr nf nf' F r P P' f f' \<Longrightarrow>
corres_underlyingK sr nf nf' F
(\<lambda>(x :: unit) (y :: unit). dc x y) P P' f f'"
Expand Down
Loading