[WIP] Opinionated deployment of enhanced Requalify capabilities on AInvs #791
Conversation
Xaphiosis
added
enhancement
proof performance
lsf37
added
the
arch-split
| context begin interpretation Arch . | ||
| lemma delete_objects_invs[wp]: | ||
| (* generic consequence of architecture-specific details *) | ||
| lemma (in Arch) delete_objects_invs[wp]: | ||
| "\<lbrace>(\<lambda>s. \<exists>slot. cte_wp_at ((=) (cap.UntypedCap dev ptr bits f)) slot s |
There was a problem hiding this comment.
This one is less weird than I originally thought. It's in an Arch file and usually would be inside the big context Arch block that spans the entire file, but here it needed to be after the interpretation part that comes above. So it's mostly a "usual" Arch lemma that is getting exported and requalified.
Looks all good to me, and the new handling of the wp attribute is better.
There was a problem hiding this comment.
The issue here is that the qualified name of delete_objects_invs becomes Arch.delete_objects_invs, instead of what we normally would do via global_prefix (AARCH64.delete_objects_invs). In this case that should be ok, because it's immediately requalified into the theory context (and also tagged [wp] for that context), but it's still a bit of a finicky policy to try canonise.
There was a problem hiding this comment.
Got it. We don't seem to have many of these, and for exceptional cases I think this is Ok.
There was a problem hiding this comment.
Would the 'canonical' approach be to export enough facts so that this can be proved in a generic file outside of Arch?
There was a problem hiding this comment.
Yeah, I think exporting enough facts would be the right idea. Alternatively, this entire lemma could be made an assumption.
I think someone took a shortcut here, but I'm not clear on why exactly.
| (* FIXME arch_split: is there any way to optimise this interpretation out? we can't nest contexts *) | ||
| interpretation Arch . |
There was a problem hiding this comment.
This is a bit funky. Either retype_region_proofs is supposed to be generic or not. There is retype_region_proofs_arch just above, so you'd think retype_region_proofs is the generic one, in which case it shouldn't do interpretation Arch and the lemmas should instead be inside retype_region_proofs_arch.
Changing it probably breaks something down the line, but it looks like an abstraction violation to me. Definitely good to put a FIXME here.
There was a problem hiding this comment.
This one is beyond me, I think I'll leave it as a FIXME.
| context Arch begin arch_global_naming | ||
|
|
||
| crunch arch_post_cap_deletion | ||
| for (bcorres) bcorres[wp]: truncate_state | ||
|
|
||
| end |
There was a problem hiding this comment.
Kinda neat that we can do this now in generic files, but also a little bit dangerous. Then again, it does remove duplication.
There was a problem hiding this comment.
It is a travesty, I agree. However, what we had before (context begin interpretation Arch .) was just as bad, and a lot slower :/
There was a problem hiding this comment.
I don't think it's worth doing with the BCorres files already being a bit of a mess of dependencies, but would our current preference be to assume this in a locale and move the proof to the arch file?
There was a problem hiding this comment.
Yes, absolutely. I think this is an example of "no one likes BCorres, so it doesn't get the nice new toys". It got the worst approach. Then the next approach was the "Pre" thing, which also wasn't great, and then someone discovered the locale assumptions approach which I think is the one we should go with in any new proofs, barring maybe esoteric moments in Invariants-like files.
| context begin interpretation Arch . | ||
| lemma free_index_update_test_function_stuff[simp]: | ||
| (* FIXME arch_split: exports properties of functions that are not necessarily in global context, | ||
| and then they get placed in the global simpset *) | ||
| lemma (in Arch) free_index_update_test_function_stuff[simp]: |
There was a problem hiding this comment.
This is the slightly stranger case. We probably should avoid this kind of Arch lemma inside generic files. Then again, it has the same kind of remove-duplication benefit as the crunch (bcorres) we had elsewhere, so maybe we don't need to be too strict.
Thumbs up to making the name available so it can be removed from [simp] again if needed.
There was a problem hiding this comment.
I think this is a result of the early approaches and "Pre" tech, I think we would try to avoid this in new files.
There was a problem hiding this comment.
This is pretty neat, and I really like the speed-up. I agree with the opinionated choices in here, and green light from my side to deploy it to the other architectures.
I don't think the missing global_naming parts were intentional. Most likely just forgotten and things happened to work anyway. I would add arch_global_naming.
Yay. Glad to hear it. Added the missing |
| arch_requalify_consts (A) | ||
| empty_context | ||
| init_A_st | ||
|
|
||
| arch_requalify_consts | ||
| ptable_lift |
There was a problem hiding this comment.
Hmm, I hadn't considered that the new approach of not doing the interpretation means that when requalifying we need to be more specific about the naming. I guess this would fix itself if we were consistent, which the new arch_global_naming helps with. Either way, it's still a trade-off that seems worth making.
There was a problem hiding this comment.
It is a bit annoying. I thought about ways to work around it, but then it turns out that I like the aesthetic of knowing whether something came from ASpec/ExecSpec or the proofs. With a bunch of work we could make the command be able to take the (A/H) on a per-id level, e.g. arch_requalify_consts empty_context (A) ptable_lift init_A_st (A) or something, but I'm not sure about how beneficial that would be.
There was a problem hiding this comment.
Ah right, I hadn't stopped to realise that the A/H is only on things from the specs. That's not as bad as I first thought then, I was thinking it was due to us not being consistent with naming.
There was a problem hiding this comment.
Still a bit annoying but I agree, probably not worth making the command more complicated to handle it.
| (* There are multiple arch-dependent acap_rights_update_id, one for wellformed_acap, | ||
| one for valid_arch_cap. Prefer the latter. *) |
There was a problem hiding this comment.
Not as part of this PR, but this sounds like something we should fix.
There was a problem hiding this comment.
I'll take a look, you're right, something is off here.
There was a problem hiding this comment.
I like this, the improved consistency and performance is definitely very nice! I generally agree with all of the existing FIXMEs and comments.
Currently, my remaining questions are around when requalifications need to be in Arch files, and when we're ok with Arch proofs in generic files. For the latter, it sort of seems like a sign that we've gotten the abstraction wrong, and should be exporting whatever else is needed from Arch so that the proof could be properly generic.
| context begin interpretation Arch . | ||
| requalify_consts post_retype_invs_check | ||
| end | ||
| arch_requalify_consts post_retype_invs_check |
There was a problem hiding this comment.
Requalification in an Arch file
There was a problem hiding this comment.
Unavoidable: const introduced in Arch locale that needs to be referenced generically in this theory.
| context begin interpretation Arch . | ||
| requalify_consts region_in_kernel_window | ||
| end | ||
| arch_requalify_consts region_in_kernel_window |
There was a problem hiding this comment.
Requalification in an Arch file
There was a problem hiding this comment.
Unavoidable: const introduced in Arch locale that needs to be referenced generically in this theory.
| context begin interpretation Arch . | ||
| requalify_consts replaceable_or_arch_update | ||
| end | ||
| arch_requalify_consts replaceable_or_arch_update |
There was a problem hiding this comment.
Requalification in an Arch file
There was a problem hiding this comment.
Unavoidable: const introduced in Arch locale that needs to be referenced generically in this theory.
Xaphiosis
force-pushed
the
arch_split_ainvs
branch
from
eebe890 to
03122cd
Compare
Xaphiosis
force-pushed
the
arch_split_ainvs
branch
from
03122cd to
8ff01b8
Compare
|
I think I addressed everything I could for the AARCH64 test run of rolling out these strategies. Next steps will be documentation update, then deployment to other arches, possibly involving other PRs that are cross-platform. |
i.e. 's/AI_asms/AI_assms/g' and same for Pre_asms
("asms" is rarely expected outside of ML code)
Signed-off-by: Rafal Kolanski <[email protected]>
* add warnings when exporting a name that already exists in theory context, suppressable by `(aliasing)` option * add `arch` variants of requalify commands that implicitly add the value of L4V_ARCH before whatever you give them, with optional suffixes for abstract (A) and Haskell (H) spec global naming. * write hopefully-understandable documentation with commented examples Signed-off-by: Rafal Kolanski <[email protected]>
Also document that requalify commands will issue warnings. Signed-off-by: Rafal Kolanski <[email protected]>
Stops namespace pollution, allows us to use Arch locale as example. Signed-off-by: Rafal Kolanski <[email protected]>
Temporarily only dealing with AARCH64; want feedback before applying to other arches. * global_naming AARCH64 -> arch_global_naming * try get rid of `interpretation Arch .` (slow) in lieu of `(in Arch)` (faster) or proper requalifying (nearly instant) * get rid of requalifications that were already requalified, or were global (thanks to new warnings) TODO: some of these will turn out to be broken because they're not actually global/exported on other arches * put arch_global_naming on same line as `context Arch begin` * annotate requalifications in Arch theories that can be moved to generic * put FIXMEs on unusual global_naming practices Signed-off-by: Rafal Kolanski <[email protected]>
* get rid of `global_naming Arch`, this is no longer needed since we can requalify directly from `arch_global_naming` with `arch_requalify` commands * add missing `arch_global_naming` for `context Arch`, for consistency
Rename the wellformed_acap version to wf_acap_rights_update_id, and the valid_arch_cap version to valid_acap_rights_update_id. Signed-off-by: Rafal Kolanski <[email protected]>
* prevent duplication between arches by moving requalifications from
Arch theories to generic ones
* this strategy is not available for new constants that are introduced
in the Arch locale that need to be referenced in generic definitions
or locale instantiations
* prefer arch_global_naming * prefer arch_requalify commands over interpretation * indicate consts might need to be requalified in Arch theories * explain (in Arch) + requalify pattern for generic consequences of arch-specific properties
Xaphiosis
force-pushed
the
arch_split_ainvs
branch
from
8ff01b8 to
f1270aa
Compare
|
Closed, full deployment now at: #805 |
🦆🦆🦆 Temporarily only dealing with AARCH64; want feedback before applying to other arches.
(look at the top relevant "[wip]" commits only for now! this is supposed to be on top of the requalify changes #788 that are not yet merged, but since I'm making these PRs from my fork I can't stack them, lesson learned).
This yields a performance improvement (possibly due to
context begin interpretation Arch .not being parallalisable by Isabelle):Here's what I changed:
interpretation Arch .(slow) in lieu of(in Arch)(faster) or proper requalifying (nearly instant)context Arch beginTracking TODOs for this stage:
FIXME arch_splittoFIXME arch-splitin entire repo to match github/project labelsFIXME arch_splitto PR linter to stop people reintroducing itArch-only parts and fix falloutdocs/arch-split.md