Type punning for lookup/alter on values.
2015-01-30T00:30:50+01:00

mem_force no longer flattens the entire subobject for "unsigned char"
2015-01-29T16:32:43+01:00
The operation "mem_force Γ m a" used to apply the identity function to
precisely the object "a", even in case "a" is an "unsigned char" address
referring to an individual byte. This caused the ctree substructure of the
entire subobject to disappear and had the undesired effect that:
mem_force Γ a m ⊑{Γ,true@Γm} m
Let the malloc expression non-deterministically yield NULL.
2015-01-27T21:33:30+01:00
* This behavior is "implementation defined" and can be turned on and off
using the Boolean field "alloc_can_fail" of the class "Env".
* The expression "EAlloc" is now an r-value of pointer type instead of an
l-value.
* The executable semantics for expressions is now non-deterministic. Hence,
More properties about conversions between natsets and Boolean lists.
2015-01-25T16:39:01+01:00

More separation properties, in particular about locking/unlocking.
2015-01-25T16:38:51+01:00

More lenient pointer equality.
2014-12-23T20:12:23+01:00
Pointer equality is now defined using absolute object offsets. The treatment
is similar to CompCert:
* Equality of pointers in the same object is defined provided the object has
not been deallocated.
* Equality of pointers in different objects is defined provided both pointers
have not been deallocated and both are strict (i.e. not end-of-array).
Thus, pointer equality is defined for all pointers that are not-end-of-array
and have not been deallocated. The following examples have defined behavior:
#include <stdio.h>
#include <stdlib.h>
int main(void) {
  int x, y;
  printf("%d\n", &x == &y);            /* distinct objects, both strict */
  int *p = malloc(sizeof(int)), *q = malloc(sizeof(int));
  printf("%d\n", p == q);              /* both allocated, neither end-of-array */
  struct S { int a; int b; } s, *r = &s;
  printf("%d\n", &s.a + 1 == &(r->b)); /* same object */
  free(p); free(q);
  return 0;
}
The following not:
int x, y;
printf("%d\n", &x + 1 == &y);          /* &x + 1 is end-of-array: undefined */

Misc option stuff.
2014-12-18T00:42:16+01:00

Allow frozen pointer annotations to be refined.
2014-12-16T19:21:35+01:00
The refinement relation on addresses allows union references to be refined:
(β2 → β1) → RUnion i s β1 ⊆ RUnion i s β2
The result is that frozen values are below their unfrozen variant, which made
it possible to prove that constant propagation (see constant_propagation.v) can
be performed on the level of the memory model.

Remove duplicate None decider.
2014-11-23T14:55:38+01:00

More accurate formalization of integer ranks.
2014-11-15T14:51:12+01:00
Integers with the same size are no longer supposed to have the same rank. As a
result, the C integer types (char, short, int, long, long long) are different
(and thus cannot alias) even if they have the same size. We now have to use a
more involved definition of integer promotions and usual arithmetic conversions.
However, this new definition follows the C standard literally.
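As an added illustration (not part of the CH2O development or its Coq sources), the following C program models the integer promotions (C11 6.3.1.1) and the usual arithmetic conversions for integer operands (C11 6.3.1.8) on a small constructed LP64 type table. Types are compared and ordered by rank, not by size, so "long" and "long long" remain distinct types even though both are 64 bits wide. The type table, its widths and the helper names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    int rank;       /* conversion rank: char < short < int < long < long long */
    int bits;       /* width in bits; constructed LP64 widths */
    bool is_signed;
} int_type;

/* Constructed type table (assumed LP64 widths). */
static const int_type TYPES[] = {
    {"char", 1, 8, true},        {"unsigned char", 1, 8, false},
    {"short", 2, 16, true},      {"unsigned short", 2, 16, false},
    {"int", 3, 32, true},        {"unsigned int", 3, 32, false},
    {"long", 4, 64, true},       {"unsigned long", 4, 64, false},
    {"long long", 5, 64, true},  {"unsigned long long", 5, 64, false},
};
#define NTYPES (sizeof TYPES / sizeof TYPES[0])

static const int_type *lookup(const char *name) {
    for (size_t i = 0; i < NTYPES; i++)
        if (strcmp(TYPES[i].name, name) == 0) return &TYPES[i];
    return NULL;
}

static const int_type *find(int rank, bool is_signed) {
    for (size_t i = 0; i < NTYPES; i++)
        if (TYPES[i].rank == rank && TYPES[i].is_signed == is_signed) return &TYPES[i];
    return NULL;
}

/* 6.3.1.1p2: a type of rank below int promotes to int if int can represent
 * all of its values, otherwise to unsigned int. */
static const int_type *promote(const int_type *t) {
    const int_type *int_t = lookup("int");
    if (t->rank < int_t->rank) {
        if (t->bits < int_t->bits || (t->bits == int_t->bits && t->is_signed))
            return int_t;
        return lookup("unsigned int");
    }
    return t;
}

/* 6.3.1.8p1, integer case: the common type of two arithmetic operands. */
static const int_type *usual_arith_conv(const int_type *a, const int_type *b) {
    a = promote(a);
    b = promote(b);
    if (a == b) return a;
    if (a->is_signed == b->is_signed)
        return a->rank >= b->rank ? a : b;          /* higher rank wins */
    const int_type *s = a->is_signed ? a : b;       /* the signed operand */
    const int_type *u = a->is_signed ? b : a;       /* the unsigned operand */
    if (u->rank >= s->rank) return u;
    if (s->bits > u->bits) return s;                /* signed type covers all of u */
    return find(s->rank, false);                    /* unsigned counterpart of s */
}

/* Type identity is decided by the table entry (i.e. by rank and signedness),
 * never by width alone. */
bool same_type(const char *x, const char *y) { return lookup(x) == lookup(y); }
bool same_size(const char *x, const char *y) { return lookup(x)->bits == lookup(y)->bits; }

const char *result_type(const char *x, const char *y) {
    return usual_arith_conv(lookup(x), lookup(y))->name;
}

int main(void) {
    printf("long vs long long: same size %d, same type %d\n",
           same_size("long", "long long"), same_type("long", "long long"));
    printf("long + unsigned int -> %s\n", result_type("long", "unsigned int"));
    printf("unsigned long + long long -> %s\n", result_type("unsigned long", "long long"));
    return 0;
}
```

The last case is the one a size-based model gets wrong: "unsigned long" and "long long" have the same width, so "long long" cannot represent every "unsigned long" value, and the standard's rule selects "unsigned long long" (the unsigned counterpart of the higher-ranked signed type) rather than either operand type.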

Type class for [maybe_] deconstructors.
2014-11-06T22:37:26+01:00

Stronger completeness proof for the executable semantics.
2014-10-09T20:08:43-04:00
The proof now uses the stronger notion of memory permutation instead of a more
general memory refinement. We have also proven that memory permutations are
symmetric.

Allow memory refinements to behave like simple renaming.
2014-10-08T19:54:36-04:00
Memory refinements now carry a boolean parameter that has the following
meaning:
[false] : Behave like a simple renaming of memories that merely allows to
permute object identifiers. It does not allow to refine memories
into a more defined version.
[true] : Behave like before. Objects can be injected, and memory contents can
be refined into a more defined variant.
We make refinements parametric in these two variants to avoid code duplication,
and because the [false] variant is a special case of the [true] variant.
For completeness of the executable semantics, we now use the [false] variant.

Fix compilation with Coq 8.4pl4.
2014-10-06T21:52:26-04:00

Completeness of constant expression evaluation.
2014-10-02T22:56:24-04:00
Also better error messages if a constant expression is expected.

Handle storage specifiers properly.
2014-09-30T16:18:44-04:00

Let simplify_equality perform injection less eagerly.
2014-09-30T16:17:41-04:00
Now it only performs injection on hypotheses of the shape f .. = f ..

Soundness of constant expression evaluation.
2014-09-25T00:16:24+02:00

Pretty printer for N and Z, fresh string generator.
2014-09-16T02:55:14+02:00

Improve errors now that we use strings for names.
2014-09-13T20:08:47+02:00

Use the ascii decider from the stdlib which is extracted correctly.
2014-09-12T23:40:17+02:00

Finite maps and finite sets over strings.
2014-09-12T15:23:02+02:00

Lemmas on Forall3 and tweak list tactics.
2014-09-06T14:20:17+02:00

Clean up ars.v.
2014-09-06T14:20:17+02:00

Add map_Forall3.
2014-09-06T14:20:17+02:00

Strengthen induction lemma for reflexive transitive closure.
2014-09-06T14:20:17+02:00

Make collection tactics work with guards.
2014-09-03T13:02:40+02:00

Repeat function on streams.
2014-09-03T13:02:20+02:00

Misc lemmas on option.
2014-09-03T13:02:05+02:00

Decider for empty listsets.
2014-09-03T13:01:38+02:00

Prove Forall3_app.
2014-09-03T13:01:19+02:00

Prove that lockset ⊆ dom memory.
2014-08-26T00:21:37+02:00

Modify typing judgments to depend on a description of the types of objects in
memory instead of the whole memory itself.
2014-08-22T10:10:16+02:00
This has the following advantages:
* Avoid parametrization in {addresses,pointers,pointer_bits,bits}.v
* Make {base_values,values}.v independent of the memory, this makes better
parallelized compilation possible.
* Allow small memories (e.g. singletons as used in separation logic) with
addresses to objects in another part to be typed.
* Some proofs become easier, because the memory environments are preserved
under many operations (insert, force, lock, unlock).
It also has the following disadvantages:
* At all kinds of places we now have explicit casts from memories to memory
environments. This is kind of ugly. Note, we cannot declare memenv_of as a
Coercion because it is non-uniform.
* It is a bit inefficient with respect to the interpreter, because memory
environments are finite functions instead of proper functions, so calling
memenv_of often (which we do) is not too good.

Make simplify_error_equality a bit faster.
2014-08-22T10:09:48+02:00
It is still rather slow, though.

Add error monad.
2014-08-09T03:03:57+02:00

Update README.
2014-08-07T21:59:10+02:00

Break at 80
2014-08-06T22:25:14+02:00

New syntax for types in frontend.
2014-08-06T20:00:59+02:00
This allows for constant expressions in array sizes and makes way for
future extensions.

Add monoid operation on option.
2014-08-04T15:22:47+02:00

Misc definitions/lemmas on finite maps/lists.
2014-07-10T15:11:08+02:00