Monad improvements #759
Monad improvements #759
Conversation
corlewis
added
cleanup
proof engineering
| apply (rule_tac B="\<lambda>rv s. ?PRE s \<and> ksReadyQueues_asrt s \<and> ready_qs_runnable s | ||
| apply (rule_tac Q'="\<lambda>rv s. ?PRE s \<and> ksReadyQueues_asrt s \<and> ready_qs_runnable s | ||
| \<and> curdom = ksCurDomain s \<and> rv = ksReadyQueuesL1Bitmap s curdom" | ||
| in hoare_seq_ext) | ||
| in bind_wp) |
There was a problem hiding this comment.
This is an example of the second category of proof changes from the PR description; the conditions in the various bind_wp rules are now P, Q' and Q, instead of A, B and C.
| apply (rule hoare_seq_ext [OF _ gts_sp']) | ||
| apply (case_tac x, simp_all add: isTS_defs list_case_If) | ||
| apply (rule bind_wp [OF _ gts_sp']) | ||
| apply (case_tac rv, simp_all add: isTS_defs list_case_If) |
There was a problem hiding this comment.
This is an example of the third category of proof changes from the PR description; the bind_wp step now names the bound variable produced rv.
| apply (case_tac cap) | ||
| apply (simp_all add: Let_def isCap_simps) | ||
| apply wp | ||
| apply simp | ||
| done | ||
| by (case_tac cap; wpsimp simp: isCap_simps) |
There was a problem hiding this comment.
This is an example of the fourth category of proof changes from the PR description; many of the cases here were previously solved by simp, now they are all solved by wp.
|
This is great. It'll take some time to retrain muscle memory, but it is much more consistent and easier to remember now! |
corlewis
force-pushed
the
monad_improvements
branch
from
644b3e0 to
d4be2ce
Compare
|
The commit updating the proofs has now been split into two, one with just the lemma renamings and the second with the more manual changes. This will hopefully make it a bit easier to review. |
corlewis
force-pushed
the
monad_improvements
branch
from
d4be2ce to
8d98dd8
Compare
| \<comment> \<open>FIXME: remove?\<close> | ||
| lemma hoare_return_drop_var[iff]: | ||
| "\<lbrace>Q\<rbrace> return x \<lbrace>\<lambda>r. Q\<rbrace>" |
There was a problem hiding this comment.
For the following lemmas as well -- if they are unused, then yes we should definitely remove them. Of course the iff and intro ones might be used implicitly somewhere.
| lemma hoare_vcg_const_Ball_lift_R: | ||
| "\<lbrakk> \<And>x. x \<in> S \<Longrightarrow> \<lbrace>P x\<rbrace> f \<lbrace>Q x\<rbrace>,- \<rbrakk> \<Longrightarrow> \<lbrace>\<lambda>s. \<forall>x \<in> S. P x s\<rbrace> f \<lbrace>\<lambda>rv s. \<forall>x \<in> S. Q x rv s\<rbrace>,-" | ||
| unfolding validE_R_def validE_def | ||
| by (rule hoare_strengthen_post) | ||
| (fastforce intro!: hoare_vcg_const_Ball_lift split: sum.splits)+ | ||
|
|
||
| lemma hoare_vcg_const_Ball_lift_E_E: |
There was a problem hiding this comment.
Just confirming the naming between fooE, foo_R, and foo_E_E: is this the way we want it? (no underscore for the E wp variant and with underscore for the specialised forms)
There was a problem hiding this comment.
Good spotting, I missed that the first time through. I have some more improvements on the way that includes these lemmas; I have been trying to standardise on foo, fooE, fooE_R, and fooE_E.
There was a problem hiding this comment.
Cool, happy for that to go in a separate PR.
Signed-off-by: Corey Lewis <[email protected]>
This improves the structure and naming consistency of the various monad rule sets, for both the nondet and trace monads. Signed-off-by: Corey Lewis <[email protected]>
This involved the following sed commands, with care taken to avoid unnecessary rewrites in lib/Monads and lib/StateMonad.thy sed -i 's/hoare_post_taut/hoare_TrueI/g' **/*.thy sed -i 's/hoare_TrueI\s*\[where P=\\<top>\]/wp_post_taut/g' proof/**/*.thy sed -i 's/hoare_post_imp_R/hoare_strengthen_postE_R/g' **/*.thy sed -i 's/hoare_seq_ext\b/bind_wp/g' **/*.thy sed -i 's/bind_wp\s*\[rotated\]/bind_wp_fwd/g' **/*.thy sed -i 's/hoare_vcg_precond_imp/hoare_weaken_pre/g' **/*.thy sed -i 's/hoare_vcg_seqE/bindE_wp/g' **/*.thy sed -i 's/bindE_wp\s*\[rotated\]/bindE_wp_fwd/g' **/*.thy sed -i 's/validE_weaken/hoare_chainE/g' **/*.thy sed -i 's/validE_weaken/hoare_chainE/g' **/*.ML sed -i 's/seqE/bindE_wp_fwd/g' **/*.thy sed -i 's/bindE_wp_fwd\s*\[rotated\]/bindE_wp/g' **/*.thy sed -i 's/hoare_True_E_R/hoareE_R_TrueI/g' **/*.thy sed -i -e 's/hoareE_R_TrueI\[where P="\\<top>"\]/wp_post_tautE_R/g' **/*.thy sed -i "s/hoare_post_impErr'/hoare_strengthen_postE/g" **/*.thy sed -i 's/hoare_post_impErr/hoare_strengthen_postE/g' **/*.thy sed -i 's/hoare_vcg_all_lift_R/hoare_vcg_all_liftE_R/g' **/*.thy sed -i 's/hoare_seq_ext_skip/bind_wp_fwd_skip/g' **/*.thy sed -i 's/True_E_E/wp_post_tautE_E/g' **/*.thy sed -i 's/\bseq_ext/bind_wp_fwd/g' proof/**/*.thy Signed-off-by: Corey Lewis <[email protected]>
This mostly involved renamed variable names and one lemma being removed from the simp set. Signed-off-by: Corey Lewis <[email protected]>
Consistency is the main aim of all this and I'm not particularly attached to the specific names I've chosen, so if there are any that you think will be particularly confusing then please point them out. |
corlewis
force-pushed
the
monad_improvements
branch
from
8d98dd8 to
687b2c8
Compare
I don't have anything better. The main thing to re-learn on this one are the |
This improves the structure and naming consistency of the various monad rule sets, for both the nondet and trace monads. The main benefit is improved maintainability, in particular due to making sure that the nondet and trace monad rule sets are in sync.
There are 4 main categories of changes that were visible in the proofs:
PandQfor preconditions and postconditionsbindis now alwaysrvinstead of sometimesrorx. In the couple of cases where this caused confusion I added arename_tacand fixed a useful name, but in general I kept this PR simple and just updated the uses of the bound variables.hoare_True_E_R: : "⦃P⦄ f ⦃λ_ s. True⦄, -"was removed from thesimpset due to being unsafe, withwp_post_tautE_R: ⦃λ_. True⦄ f ⦃λ_ _. True⦄being added as awprule instead. This meant that some proof steps were changed fromsimptowp, and that some proofs no longer needed to locally delete it from thesimpset.The lemma renamings needed in the proofs are listed in the third commit message. I have made comments in this PR showing examples of the other categories.