Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make hoare_seq_ext and hoare_vcg_seqE wp rules #748

Merged
merged 4 commits into from
Apr 22, 2024
Merged

Make hoare_seq_ext and hoare_vcg_seqE wp rules #748

merged 4 commits into from
Apr 22, 2024

Conversation

corlewis
Copy link
Member

hoare_seq_ext was previously made a wp rule in the middle of ainvs, which was surprising and could lead to different behaviour depending on which session a proof was inside of. This change makes it a wp rule in the base Monads setup, along with improving consistency by adding similar rules for validE and its variants.

@corlewis corlewis added cleanup proof engineering nicer, shorter, more maintainable etc proofs labels Apr 18, 2024
@corlewis corlewis self-assigned this Apr 18, 2024
lsf37
lsf37 approved these changes Apr 18, 2024
View reviewed changes
Copy link
Member

@lsf37 lsf37 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, thank you for doing that. This should make the setup more consistent overall.

Surprising that it still did need a bunch of changes, but it looks like most of them actually made the proofs shorter, which is good.

@corlewis
Copy link
Member Author

Surprising that it still did need a bunch of changes, but it looks like most of them actually made the proofs shorter, which is good.

A couple of the changes were because of wp being more likely to apply other rules before hoare_seq_ext, due to it now being one of the first rules added to the wp set. Most of them, however, were because of me also making hoare_vcg_seqE a wp rule. It would have been easier to not do that but I do think this way is more consistent, and yes, once I worked out how to update the proofs it generally seems to have improved them.

Xaphiosis
Xaphiosis reviewed Apr 19, 2024
View reviewed changes
proof/access-control/ARM/ArchInterrupt_AC.thy
apply (wp whenE_throwError_wp hoare_vcg_imp_lift hoare_drop_imps
| strengthen aag_Control_owns_strg
| simp add: o_def del: hoare_True_E_R)+
apply (wpsimp wp: weak_if_wp)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you say something about what weak_if_wp is or when to use it? (not in the commits, but I've either not heard of it or completely forgot)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

⟦ ⦃P⦄ f ⦃Q⦄; ⦃P'⦄ f ⦃Q'⦄ ⟧ ⟹ ⦃P and P'⦄ f ⦃λr. if C r then Q r else Q' r⦄

In my mind it's for when there's an if in the postcondition where you don't need to know the if condition and don't want to lift it across the function for whatever reason.

From memory, my cases in this PR were generally if conditions on the return value that would have been painful to lift, and where the two branches were either roughly the same or one was a form of True. As an alternative I probably could have used the simplifier to handle the if, but this approach with weak_if_wp was the one I found first.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's awesome, I hope I won't forget it. It feels better than exciting combination of if_apply_def2 and hoare_drop_imps, and should work in more cases. It's interesting that this isn't achieved with a wp <some_rule>, but I guess it does need to shuffle the order.

Xaphiosis
Xaphiosis approved these changes Apr 19, 2024
View reviewed changes
Copy link
Member

@Xaphiosis Xaphiosis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like bomb disarming footage. Thank you for digging into this.

@corlewis
lib/monads/nondet: make hoare_seq_ext and hoare_vcg_seqE wp rules
340cb56 
We want them as wp rules instead of wp_split rules so that they are used
with the correct priority and in combination with wp_comb rules when
necessary. This also adds new validE_R and validE_E variants, along with
rules for when bind appears inside a validE term.

Signed-off-by: Corey Lewis <[email protected]>
@corlewis
lib/monads/trace: update wp attributes to match nondet
fe1bbae 
Signed-off-by: Corey Lewis <[email protected]>
@corlewis
ainvs: remove hoare_seq_ext[wp] declaration
3ce8811 
This is no longer necessary now that the nondet monad setup already
makes it a wp rule.

Signed-off-by: Corey Lewis <[email protected]>
@corlewis
proof: update for changes to wp attributes
bf45b3d 
Signed-off-by: Corey Lewis <[email protected]>
@corlewis corlewis merged commit b7e4f59 into seL4:master Apr 22, 2024
11 of 13 checks passed
@corlewis corlewis deleted the hoare_seq_ext_wp branch April 22, 2024 04:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Xaphiosis Xaphiosis Xaphiosis approved these changes

@lsf37 lsf37 lsf37 approved these changes

@michaelmcinerney michaelmcinerney Awaiting requested review from michaelmcinerney

Assignees

@corlewis corlewis

Labels
cleanup proof engineering nicer, shorter, more maintainable etc proofs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@corlewis @Xaphiosis @lsf37