 13 Sep, 2019 28 commits


JacquesHenri Jourdan authored
The general idea is to first import/export modules which are further than the current one, and then import/export modules which are close dependencies. This commit tries to use the same order of imports for every file, and describes the convention in ProofGuide.md. There is one exception, where we do not follow said convention: in program_logic/weakestpre.v, using that order would break printing of texan triples (??).

 14 Mar, 2019 28 commits


Robbert Krebbers authored

 05 Mar, 2019 28 commits


Ralf Jung authored

 29 Oct, 2018 28 commits


JacquesHenri Jourdan authored

JacquesHenri Jourdan authored
We add a specific constructor to the type of expressions for injecting values in expressions. The advantage are :  Values can be assumed to be always closed when performing substitutions (even though they could contain free variables, but it turns out it does not cause any problem in the proofs in practice). This means that we no longer need the `Closed` typeclass and everything that comes with it (all the reflectionbased machinery contained in tactics.v is no longer necessary). I have not measured anything, but I guess this would have a significant performance impact.  There is only one constructor for values. As a result, the AsVal and IntoVal typeclasses are no longer necessary: an expression which is a value will always unify with `Val _`, and therefore lemmas can be stated using this constructor. Of course, this means that there are two ways of writing such a thing as "The pair of integers 1 and 2": Either by using the value constructor applied to the pair represented as a value, or by using the expression pair constructor. So we add reduction rules that transform reduced pair, injection and closure expressions into values. At first, this seems weird, because of the redundancy. But in fact, this has some meaning, since the machine migth actually be doing something to e.g., allocate the pair or the closure. These additional steps of computation show up in the proofs, and some additional wp_* tactics need to be called.

 13 Jan, 2018 28 commits


Robbert Krebbers authored

 25 Sep, 2017 28 commits


Robbert Krebbers authored
 Get rid of wp_finish, which was a hack.  Write the wp_ tactics for stateful steps in the same style as wp_pure, i.e. by taking the context into account.  Make use of the context K in wp_pure.

 05 Jan, 2017 28 commits


Ralf Jung authored

 03 Jan, 2017 28 commits


Ralf Jung authored
This patch was created using find name *.v  xargs L 1 awk i inplace '{from = 0} /^From/{ from = 1; ever_from = 1} { if (from == 0 && seen == 0 && ever_from == 1) { print "Set Default Proof Using \"Type*\"."; seen = 1 } }1 ' and some minor manual editing

 09 Dec, 2016 28 commits


Ralf Jung authored

Robbert Krebbers authored

 08 Dec, 2016 28 commits


Ralf Jung authored

 07 Dec, 2016 28 commits

 06 Dec, 2016 28 commits
 22 Nov, 2016 28 commits


Ralf Jung authored

 09 Nov, 2016 28 commits


Robbert Krebbers authored

 27 Oct, 2016 28 commits


Robbert Krebbers authored

 05 Aug, 2016 28 commits


Robbert Krebbers authored

Robbert Krebbers authored
This commit features:  A simpler model. The recursive domain equation no longer involves a triple containing invariants, physical state and ghost state, but just ghost state. Invariants and physical state are encoded using (higherorder) ghost state.  (Primitive) view shifts are formalized in the logic and all properties about it are proven in the logic instead of the model. Instead, the core logic features only a notion of raw view shifts which internalizing performing frame preserving updates.  A better behaved notion of mask changing view shifts. In particular, we no longer have sideconditions on transitivity of view shifts, and we have a rule for introduction of mask changing view shifts ={E1,E2}=> P with E2 ⊆ E1 which allows to postpone performing a view shift.  The weakest precondition connective is formalized in the logic using Banach's fixpoint. All properties about the connective are proven in the logic instead of directly in the model.  Adequacy is proven in the logic and uses a primitive form of adequacy for uPred that only involves raw views shifts and laters. Some remarks:  I have removed binary view shifts. I did not see a way to describe all rules of the new mask changing view shifts using those.  There is no longer the need for the notion of "frame shifting assertions" and these are thus removed. The rules for Hoare triples are thus also stated in terms of primitive view shifts. TODO:  Maybe rename primitive view shift into something more sensible  Figure out a way to deal with closed proofs (see the commented out stuff in tests/heap_lang and tests/barrier_client).

 20 Jul, 2016 28 commits


Robbert Krebbers authored

 19 Jul, 2016 28 commits


Robbert Krebbers authored
We reify to a representation of expressions that includes an explicit constructor for closed terms. Substitution can then be implemented as the identify, which enables us to perform it using computation.

 15 Jul, 2016 28 commits


Robbert Krebbers authored

 23 Jun, 2016 28 commits


Robbert Krebbers authored
This is more consistent with the proofmode, where we also call it pure.

 19 Apr, 2016 28 commits


Robbert Krebbers authored
Par is now defined as an expression of type [∀ X, expr X] (instead of a value) and we prove that it is stable under weakening and substitution.

Robbert Krebbers authored
That way, we do not have useless type annotations of the form "v : language.val heap_lang" cluttering about any goal. Note, that we could decide to eta expand everywhere (as we do for ∀ and ∃), and use the notation "WP e {{ Q }}" for "wp e ⊤ (λ _, Q)".

 20 Mar, 2016 28 commits


Ralf Jung authored

 15 Mar, 2016 28 commits


Robbert Krebbers authored
