Filtering...

oracle-eval

books/tools/oracle-eval

Included Books

top
other
(in-package "ACL2")
include-book
(include-book "xdoc/top" :dir :system)
other
(defsection oracle-eval
  :parents (programming)
  :short "Evaluate a term and return its result, logically obtained by reading
the state's oracle."
  :long "<p>Note: for many purposes you may be able to use @(see
magic-ev-fncall) @('ev-fncall-w!') instead of @('oracle-eval').  Although
these alternatives are less flexible, they do not require trust tags.</p>

<p>General form:</p>
@({
    (oracle-eval term alist state) --> (mv error val state)
})

<p>NOTE: Oracle-eval will not operate as intended until the form
@('(ALLOW-REAL-ORACLE-EVAL)') is executed at the top level.  However, this
introduces a trust tag.  Ideally, functions should be coded so that
oracle-eval is used only heuristically, so that they can work even
without the correct operation of oracle-eval.</p>

<p>In the logic, this function reads from the ACL2 oracle twice, to obtain the
error message, if any, and the value.  In the execution, we instead evaluate
the term and return its result.  We believe this is sound.</p>

<p>The term can involve free variables that appear in the alist, and can also
take state, but it must return a single non-stobj value.  Therefore, it cannot
modify state.</p>

<p>Oracle-eval is a constrained function, and as such has no execution
semantics itself.  Instead, an executable version is attached to it
 (see @(see DEFATTACH)).  By default, this executable version doesn't do
anything interesting, because a trust tag is necessary to allow
oracle-eval to function as intended.  Running
@('(ALLOW-REAL-ORACLE-EVAL)') introduces a trust tag and an attachment
that runs the "real" oracle-eval.</p>

@(def oracle-eval)"
  (encapsulate (((oracle-eval * * state) => (mv * * state)))
    (local (defun oracle-eval
        (term alist state)
        (declare (ignore term alist)
          (xargs :guard t :stobjs state))
        (mv nil nil state)))
    (defthm state-p1-of-oracle-eval
      (implies (state-p1 state)
        (state-p1 (mv-nth 2 (oracle-eval term alist state)))))))
other
(defsection fake-oracle-eval
  :parents (programming)
  :short "@('fake-oracle-eval') is the function run by default when @(see
ORACLE-EVAL) is invoked."
  :long "<p>@('Oracle-eval') is a constrained function, and
@('fake-oracle-eval') is attached to it by default (see @(see DEFATTACH)).</p>

<p>Fake-oracle-eval doesn't do anything useful, but also doesn't require a
trust tag.  To allow oracle-eval to do something useful, run
@('(ALLOW-REAL-ORACLE-EVAL)'); this introduces a trust tag and attaches the
function real-oracle-eval to oracle-eval.</p>

<p>See @(see ORACLE-EVAL) for details.</p>"
  (defconst *fake-oracle-eval-msg*
    "See :DOC FAKE-ORACLE-EVAL")
  (defun fake-oracle-eval
    (term alist state)
    (declare (xargs :guard t :stobjs state)
      (ignore term alist))
    (mv *fake-oracle-eval-msg* nil state))
  (defattach oracle-eval fake-oracle-eval))
allow-real-oracle-evalmacro
(defmacro allow-real-oracle-eval
  nil
  '(progn (include-book "tools/oracle-eval-real" :dir :system)
    (defattach oracle-eval real-oracle-eval)))
other
(defpointer allow-real-oracle-eval oracle-eval)