Suggestion: Val.of_bool and partial evaluation #625
Comments
|
Interesting. I can't literally change the definition of Val.of_bool, because Val is actually compcert.common.Values.Val.of_bool, and I can't change things inside CompCert. And I can't simply replace using Val.of_bool with some better definition of my choosing, because some of those uses may come directly from the CompCert Clight semantics. But what might be possible is to replace all the places where VST introduces an of_bool that did not come directly from CompCert, with the better definition. Perhaps worth an experiment. |
|
Ah, I didn't realize that |
This P.R. implements the suggestion in issue #625. It's an experiment, as in some cases it breaks existing VST proofs at `forward_if` and related tactics. The changes required in those proofs are generally positive (simplifies proof scripts). See further discussion at #625. closes #625 Incidentally and unrelated: closes #660
|
I have now implemented the thing I described above in my previous comment. You can find it in P.R. #661. In connection with this, I also improved the efficiency of the Because (in some cases) conditionals are cleaned up better than they were before, some user proofs may need to be modified. You can see examples here (in files other than in floyd/ and veric/ ). Is it worth merging this improvement, given the incompatibility? |
|
One option is to wait a few weeks and see of the AbsInt folks are interested in the change before deciding anything. |
|
That is not the difficulty. It doesn't matter that much whether CompCert uses Val.of_bool in its own Clight2 semantics, because it was not hard to adapt the Verifiable C proof rules to use a different (but provably equivalent) definition, and prove it sound. The only difficult is that it causes incompatibilities, in rare but real cases, that VST users will have to adapt to, if I merge the PR. |
|
If AbsInt were to change its definition of |
|
Well, yes, but that's not my point. In the PR, I have already done 90% of the work of adapting to that change. The question of whether we should ask VST users to adapt to this change is completely independent of whether AbsInt decides to change. That's what my PR demonstrates. So we are back to the pros and cons:
|
|
If the changes are not too burdensome (and perhaps they are not, the effects should be rather local) I guess the "con" isn't too bad - and we've occasionally asked users to adjust their proofs anyway as VST (or CompCert/Coq underneath) evolves. |
|
From my perspective this is similar to PR #242, where partial evaluation was unlocked for reptype in a similar way (by commuting match expressions inside branches to expose an |
|
Right. So, once I get my PR fully debugged, I'll go ahead and merge it. |
* Use (new) bool2val instead of Val.of_bool This P.R. implements the suggestion in issue #625. It's an experiment, as in some cases it breaks existing VST proofs at `forward_if` and related tactics. The changes required in those proofs are generally positive (simplifies proof scripts). See further discussion at #625. closes #625 Incidentally and unrelated: closes #660 * Adjustment for 32/64-bit portability * Fix memory blowup; bring verif_strlib up to date in 64-bit mode * Fix up a proof in tweetnacl * Bring mailbox up to date with bool2val * simplify_new_temp in fwd_result, in connection with new bool2val stuff * Flesh out simplify_new_temp hint DB; bring 32-bit examples up to date * Update CHANGES file
If
Val.of_bool bwere redefined asVint (if b then Int.one else Int.zero)or even betterVint (Int.repr (Z.b2z b)), then more partial evaluation could proceed because the constructorVintis exposed.I think this would be particularly helpful because (at least for me)
Val.of_boolends up occuring insideforce_val (both_intor similar such expressions when it appears, which can reduce away as long asVal.of_boolcan be reduced to aVint.The text was updated successfully, but these errors were encountered: