2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * README, export-to-webpage

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added proof status smilies

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * more proofgen fixes

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * proofgen fixes for verbose proofs

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * deleted memory_read_list_next_state, Validate

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * removed most HT and XXX comments

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * removed some superfluous importings
        * generated dependency graphs

2008-05-14  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * removing fix_me

2008-05-13  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * readded Proofgen, which was lost in the merge (always merge with
          cvs up -d !!)

2008-05-13  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added ptab-sync-master.pvs to repository (for clean robin-final
          exports) 

2008-05-13  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * constants.pvs: deleted IA32_features

2008-05-13  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * deleted unclear (commented) conversions from conversion.pvs

2008-05-13  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * merged robin-final branch (see ChangeLog entries from me from
        the 2008-04-18)
        * deleted some more comments

2008-04-28  Marcus Völp <voelp@os.inf.tu-dresden.de>

        * fixed outstanding proofs. 
          - the 3 remaining proofs are for 
            cpp_examples.spec_10 (while with loop invariants)
            expressions.div_impl_sign / _result 
              (div = floor(i/j) or ceiling(i/j))
            these lemmas are not required by other proofs. 

2008-04-24  Marcus Völp <voelp@os.inf.tu-dresden.de>

        * fixed broken TCC proofs
        * pointer arithmetic had to be defined on the 
          const volatile pointer type to avoid additional TCC like proof
          obligations

2008-04-22  Marcus Völp <voelp@os.inf.tu-dresden.de>

        * added lemma to simplify pointer arithmetic 
          (p + i) + j = p + (i + j)
        * fixed const / volatile formalisation
        * made someone happy who seems to regret that 
          screens have become wider than 80 chars ;)

        * To do / Missing:
          - prove TCCs and broken lemmas
          - in the proof of search_terminates, stmt_eval_if_ok_fstmt did
            not simplify automatically; find out why

2008-04-21  Marcus Völp <voelp@os.inf.tu-dresden.de>

        * modified pointer arithmetic; pointer expressions to not 
          generate TCCs for the parameters; these will otherwise
          show up in each simplification step
        * replaced generic C++ supertype with a smaller supertype
          capturing only those types with integral base type;
          otherwise TCC like proof obligations will be spawned in
          every verification step
        * fixed some plain memory lemmas
        * verified search_terminate 
        * Extended_Real ops and conversions now have longer names

        * To do / Missing:
          - fix formalisation of dt volatile / dt const
          - prove TCCs and broken lemmas
          - in the proof of search_terminates, stmt_eval_if_ok_fstmt did
            not simplify automatically; find out why

2008-04-18  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * proofgen scripts added

2008-04-18  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * prepare for lst pretty printing
        * deleted old commented material

2008-04-18  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * removed constants-util and Interpreted_Data_Bit_Field

2008-04-18  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * cleaned importings, generated new hierarchies, fixed file list
          in Makefile

2008-04-18  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * search example TCC's
        * Validation 0 timeout, 0 broken, 16 fixed, 0 new proved
          14 stay broken, 0 new unfinished 

2008-04-17  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * deleted some superfluous proofs
        * Validation 0 timeout, 0 broken, 22 fixed, 1 new proved
          30 stay broken, 0 new unfinished 

2008-04-17  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * proved all but the search example TCC's

2008-04-17  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * validate 0 timeout, 1 broken, 26 fixed, 2 new proved
          51 stay broken, 0 new unfinished 

2008-04-17  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * two naive, failed search example proof attempts

2008-04-17  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * cpp-examples indented

2008-04-16  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * merged allocation branch, hope I did not break anything,
          changes from the allocation branch are hereunder, indented
        * Validation: 0 timeout, 0 broken, 7 fixed, 109 new proved
          77 stay broken, 0 new unfinished 

        
    2008-03-07  Hendrik Tews  <tews@tandem.cs.ru.nl>

            * deleted superfluous importings

    2008-03-06  Hendrik Tews  <tews@tandem.cs.ru.nl>

            * change allocation points from set to list + adoptions 

    2008-03-06  Hendrik Tews  <tews@tandem.cs.ru.nl>

            * created allocation branch
            * lots of allocation development (with first top-level result:
              allocation_alloc) 
            * some graph theory extensions
            * memory.pvs: block_is_free expresses that some block is disjoint
              from all allocation points
            * plain_memory: plain mem lemmas for single-byte reads/writes
              + stays_unchanged expresses that a memory region stays constant
              + only_changes expresses that changes are restricted to a 
                certain area
              both are inspired somewhat from separation logic

2008-04-16  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * Validate: 0 timeout, 62 broken, 61 fixed, 7 new proved
          22 stay broken, 0 new unfinished 

2008-04-16  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * fixed linear blessing proofs
        * several TCCs are proven under the assumption that
            TCCs for predicative subtypes such as 
              interpreted_data_type?(pod) and
              extended_real?(n)
          from a clean state, these TCCs are not generated

2008-04-15  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * validate: -log option for reusing log, 
          print running time at end

2008-04-15  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * Validate: 10 timeout, 3 broken, 66 stay broken, 6 new unfinished
          1639 proved (0 fixed, 13 new proved)
        
        * removed challenge-stackmem
        * cleaned fix_me, keeping To_Proof, deleting all the
          remainder, introducing To_Typecheck, To_Decide
        * included everything that typechecks in Import_All, 
        

2008-04-09  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        robin-final branch:
        * unrolled abstract_data to contain a mask in the interpreted data
          type which is however, not yet used for writing and thus does
          not affect the other lemmas
        * fixed theories and proofs except linear blessing
        * made Cpp Examples and Search Example typecheck again
        * fixed paging data and linear memory to no longer rely on the
          unjustified axiom for paging-data type
          - unrolling the tree to a state where linear blessing worked
            turned out to be impractical. Since we need to fix the proofs
            anyway we can also fix the use of paging_type.
        * added conversions between PVS int and bool types to the
          respective C++ types (i.e., (range(int)), (range(bool)) ).
          These conversions are currently required to convert the results
          of the conditionals in if_else and loop statements as well as
          the result of the selection statement in switch.

        * Validate times out on 10 proofs and has 76 failed or untried
          proofs. Most of them in challenge linear (which I temporarily 
          removed from everything.pvs to speed up validate runs). 
        * Still open are the proofs for the Cpp Examples and the Search
          Example 

        !!! Missing: Merge changes back to head !!!

2008-02-28  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        a "jetlack" full of work later...
        * reduced number of open proofs to 9 broken + 6 untried 
          - the remaining open proofs are those of the plain memory
            properties for write data. Primarily they require to show 
            the additional case in which data is read (using read_list) 
            from memory prior to writing the masked result
          - prepared a bunch of lemmas in abstract read write for the 
            base case (write only)
        * added extended reals theory to correctly capture arithmetic 
          expressions this theory defines operations on numbers that
          behave identical to the number field ops when invoked on 
          number fields. However, they allow for +- oo, NATs, etc.
        * added counterpart to everything (fix_me.pvs) to refer to
          theories that have become broken and that are for validate
          performance reasons better not included in everything.
        
2008-02-18  Tjark Weber

        * minor changes to statements.pvs and ptab-sync-master-defs.pvs
          to make the latter typecheck again

2008-02-16  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * minor bug fixes in abstract_data, bits, types
        * removed linear memory from everything to speed up validation
        * reduced below numbers; validate to come (in 5 hr?)

2008-02-15  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * validate takes almost 6 hours (was 28 minutes before)! 
          62 timeout, 92 broken, 14 fixed, 81 new proved
          31 stay broken, 158 new unfinished 

2008-02-14  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * abstract_data.pvs:
          - incorporated to_mask to interpreted_data_type? and write data
          - this breaks some of the plain memory proofs
        * bits.pvs
          - slight change to bit ops; bit ops for lists
        * challenge_linear.pvs / linear_memory.pvs / paging-data.pvs
          - fixed use of paging_data_type in theory; proofs are missing
        * statements.pvs / statement-rewrites.pvs 
          - removed duplicate while_unroll
        * types.pvs / expressions.pvs / conversions.pvs
          - polymorphic specification of expressions and conversions
          - make use of the generic Semantics_Cpp domain 
          - implementation of bit Ops ; value_bitmask is used to identify
            those bits that are affected by the bit OP (e.g., value bits
            and the sign bit on one implementation / value bits only on 
            another)
          - implemented pointer to member expressions; see open issues and
            discussion in the comments of this Theory
        * constants.pvs
          - fixed Memory_Address_4g
        * vfiasco-prelude.pvs
          - remove min/max_real; use finite_sets.min/max
          - added map2 which is a binary form of the unary map

2008-02-12  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * status update: 
        1 timeout, 0 broken, 0 fixed, 28 new proved, 
        50 stay broken, 0 new unfinished 

2008-02-12  Hendrik Tews  <tews@gromit>

        * more graph theory pieces, some vfiasco-prelude additions

2008-02-07  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * current validation info (after Marcus commit):

        1 timeout, 33 broken, 3 fixed, 174 new proved, 0 stay broken, 
        17 new unfinished 

        Nonterminating proofs (aborted by timeout):
            Linear_Memory_Properties.pm_memory_addr_TCC2
        
        * new options for validation script
          -timeout changes timeout for lemma proofs and typecheck (default
                   240 seconds)
          -old  do not backup timed-status and use old backup version
                (useful/mandatory for a second validation run between two
                 commits)
        * handle and print timeouts in validation scripts

2008-02-04  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * Interpreted_Data
          - added to_mask to support partial updates of bits in memory
            (e.g., as required for bit fields)
          - restrictions on to_mask (e.g., length(to_mask(...)) =
            length(to_byte(...))) are still missing
        * General
          - Changed address to take negative values as well. This
            is required to formalise IA32-64 where in kernel addresses
            are negative and helps simplify the pointer arithmetic.
          - to do: fix proofs that instantiate in_memory
        * Vfiasco Prelude
          - added operations for set lifting and min, max for finite,
            nonempty sets of reals. 
          - proofs to be done
        * types.pvs
          - implemented C++ data-type formalisation as discussed in
            the telcos (see Telco slides for details).
          - preliminary formalisation of dt_const(t) and 
            dt_volatile(t) as dt(t). The theory is prepared to handle
            dt_volatile and dt_const in a generic way for all 
            interpreted datatypes.
        * everything.pvs
          - removed the datatype models from import all 

2008-02-01  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * some little graph theory progress

2008-01-31  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * fixed head, tail
        * renamed lenght_{head,tail} lemmas, enhance validate with a proof
          counter 

2008-01-29  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * formalization of graphs in graph.pvs, moved graph code from
          vfiasco-prelude 
        * Summary: 0 broken, 0 fixed, 13 new proved, 
          10 stay broken, 0 new unfinished 
        
2008-01-29  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * Validate/make-status-diff produces the interesting differences
          between two validation runs (relying on timed-status of the
          previous run)
        * updated status: 1 broken, 67 fixed, 128 new proved, 7 stay
          broken, 5 new unfinished  

2008-01-04  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * commented out part of the pointer theory; I'll fix it
        * comment Make_Transformer completely (can be removed)
        * hand interpreted datatype to with_new_stackvar so that we can 
          determine the size
        * implemented with_new_returnvar ; each function which returns a
          value gets passed a return address: ret_addr; this can be
          located on the stack (current implementation) or in some
          register
        * made ptab_sync_master typecheck (no TCCs proven yet) 
          the patch (see separate Email) includes comments on the
          parts to fix in the semantics compiler
        * made expressions polymorphic on the integral types for which
          they are defined. 
        * Adjusted Cpp_examples to new expression format

        * added comment to plain memory ; in the long run, we'll probably
          need two further sets of addresses to constrain the side effects
          of writing to blessed memory. These sets should also contain
          addresses which are not necessarily blessed (e.g., writing the
          RAM does not modify the "non-blessed" APIC registers)

2007-12-14  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * define expressions to operate on all fundamental 
          C++ types for which they are defined according to 
          the standard. Enumerations and pointers are still
          missing. Expressions now take an element of the 
          deep C++ type embedding (Cpp_Type) as parameter
        * modified definition of C++ types to allow for 
          more generic expression definitions. Primarily we
          add the functions: 

            dt_pred(Arithmetic)           : subset of PRED[real]
            dt(Arithmetic)                : pod_data_type[(dt_pred(typ))]
            min- / max_values(Arithmetic) : real
            max_value_bits(Unsigned) (exponent up to which unsigned types
                                      are defined)

          and lemmas for unsigned modulo arithmetic. The expressions
          itself are not defined using modulo arithmetic but check the 
          result for inclusion in the predicate. To include modulo 
          arithmetic we need to define an additional Axiom which wraps
          results below 0 and above (2^max_value_bits(typ)) - 1.
        * defined semantics 
            return(pm, typ, addr)(ex)
        * removed cpp_examples from everything ; will fix this later

2007-12-05  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * removed data parameter from StmtResult
          consequently return does only handle the
          control flow but no longer carries the data
          returned from functions. Modelling return expr
          remains to be done.
        * the previous state can be accessed through 
          the CVS tag: before_ST_wo_data

2007-12-05  Marcus Völp   <voelp@os.inf.tu-dresden.de>
        
        * added spec10 to have a simple while loop with invariant
        * lemma to derive read ok (+ states) from pm_q_prop_read
        * slight change to invariant
        * well-founded lemma for < [[nat, nat]]

2007-11-24  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * made while termination invariant a predicate on results
        * added example for-loop
        * cannot use pm_q_prop_read_ok__pm_q_prop_read_expr as this will
          create a cycle
        * moved while invariant definition to statements
        * 1st try on while rewriting rules

2007-11-23  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * added "halbzorniges" Lemma to prelude: 
            well_founded => no f | R(f(n+1), f(n))
            <= of Zorn's lemma is missing (not needed so far)
        * revived posnat induction theory 
          (currently not used but I did so during various tries)
        * added loop invariant forms
        * proved hoare rule for while
        * added while rewrite lemmas to the comment in cpp-examples

2007-11-19  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * fix the allocator empty memory block problem
        * work on graph results in vfiasco-prelude
        * moved theory More_Relations to import list lemmas

2007-11-16  Tjark Weber

        * various min/max constants for types (from the C standard) added
        * deep embedding (datatype) of C++ types added

2007-11-14  Marcus Völp

        * moved proof of search-example to separate file
        * removed assertion statement
        * added datatype predicate checks to expressions (e.g., n++ \in
          Semantics_int_pred)
        * fixed proofs for various lemmas and pvs 4.1

2007-11-08  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * -pvs option for validate to select the pvs version
        * status update (for pvs 4.1) + minor changes

2007-11-07  Marcus Völp

        * minor changes in plain_memory_rewrites
        * proved all plain_memory_rewrite_lemmas

2007-11-05  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * deleted unused files
        builtin_models.pvs      \ 
        builtin_types.pvs       / old data type models with refinement
        challenge-execmem.pvs   \ 
        challenge-segmem.pvs     \ old challenge theories
        challenge-stackmem.pvs   /
        challenge-tlbmem.pvs    / 
        exec_memory.pvs        other old material
        fixed_data.pvs   
        flag-registers.pvs       
        ia32.pvs                 
        paging.pvs               
        register_memory.pvs      
        segmentation.pvs         
        segmented_memory.pvs     
        stack_memory.pvs         
        tlb_memory.pvs         

        * updated file and theory hierarchy
        

2007-10-30  Marcus Völp

        *  fixed rewriting system. The performance seems promising for
           deeply nested loops. I expect better scalability for longer sequences:
           % 1  : 8:21
           % 2  : 17:00
           % 3  : 31.54
           % 5  : 81.43
           % 10 : 416 (7m)
           % 15 : 2034 (33m)
        * changed case and default definitions back to label form; wrapper
          no longer needed
        * fixed order of l=r in pm_q_prop_* lemmas ; now they are suitable
          for autorewrite

2007-10-29  Marcus Völp

        * performance improvements in plain_memory_rewrites
          - combined preconditions into pm_q_props
          - added statement forms for plain_memory_q rewrites
        * changed random device to take underspecified function
        * design note on Tjark's underspecified splitting idea
        * right-to-left form of statement rewrites
        * modified composition lemmas to ensure right-to-left
          associativity
        * !!! Validate does not complete due to missing proofs for
          the changed rewriting rules. I'll fix this soon !!!

2007-10-26  Tjark Weber

        * formalization of integral promotions/conversions started

2007-10-25  Tjark Weber

        * split statements.pvs into statements.pvs and statement-rewrites.pvs
        * dummy definition for assembler statements

2007-10-15  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * proved search_example2: current < last => *current = value
          - the TCCs are currently unprovable because plain_memory?(pm)
            is not in the precondition and the postcondition does not
            check whether reading the pointers is OK? ; to be fixed soon!
        * fixed bug unaligned access side effect of random device

2007-10-11  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added pointer arithmetic
        * missing rewrites to remove lift(stmt) after 
          break / continue / default / switch
        * proved that the search terminates with current = last if
          the value does not exist in the array (proof is limited to int
          a[3] and takes currently 15min for the rewriting. The remaining
          goals are trivial instantiations of the precondition).

2007-10-09  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * proved plain_memory for random_device / device_memory 
        * simplified proof of unchanged_invariant_composition; 
          added unchanged_memory_invariant_composition lemmas that
          do not depend on plain memory
        * added new validation results

2007-10-08  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added lemma to assert existence of lists with arbitrary length
        * a few more has_next_state / expr_2_super lemmas
        * added random device
          - the device implements a memory access performance counter, 
            the value modulo uintmax is reported in a memory mapped register
          - a random value is computed by choosing deterministically from 
            a seed value (nat), this performance counter and a list of
            bytes of length size(uidt(dt_uint)). The latter is returned by
            the random function. Therefore, the device returns random
            output as long as any two states operate from differing seeds.
        * added device memory to ease in the definition of devices. Device
          memory only allows you to add side effects. Reads and writes are
          based on the underlying plain memory. 
        * proved random device memory to be plain memory based on the
          plain device memory. The proofs for the latter are still missing

2007-10-04  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * types.pvs : added +, -, addr operator to pointers
        * expressions.pvs : added type_asserion, 
          added implementation of pointer expressions;
          Tjark: please change them as you see fit!
        * statements.pvs : renamed assert to asserions, added missing 
          lemmas for spec_08
        * memory.pvs : added composition lemma for side effects
        * cpp_examples.pvs : added search example
        * device_memory.pvs : added generic device memory
          This memory can have side effects and a non-memory device state. 
          Otherwise it behaves like the underlying memory.
        * random_device.pvs : started with random device
        * abstract_data.pvs : changed pods to have a positive size; 
          I used this to prove a TCC in Cpp_pointer which before 
          incorporating Tjark's changes were defined on pods.

2007-10-03  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added allocator formalisation, some allocator properties are
          already proved (modulo the zero-sized block problem)
        * the inevitable bunch of new utility lemmas spread over various
          files
        * new theory More_Relations in vfiasco-prelude for binary
          relations viewed as directed graphs.
        

2007-10-01  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        Added statement rewriting rules to prove cpp-examples. Rules to
        verify loops which cannot be unrolled, returns and hanging while
        loops are still missing; the rest should work - in spec_07 I
        currently expand hang_result by hand. The major change wrt the
        semantics compiler is that the body statements of case and default
        statements must be contained in these statements:

        switch(x) { 
          case 0: foo() ; break ; case 1: bar(); default: grr() ;break 
        }

        must be written as:

        switch(x, (: 0,1 :), 
               case(0)(foo() ## break) ## 
               case(1)(bar()) ## 
               default(grr() ## break))

        The brackets are required to prevent the first break from removing
        case(1) and default.

        Details:
        * state-transformer.pvs
          - added state transformers for stmt results
          - implemented _ok, _data, _state version of the comp_expr_expr /
            comp_stmt_expr lemmas we used to connect the postcondition to
            the program to verify. The others did not rewrite
            automatically.
          - removed State / StmtResult parameter from composition rules to
            make them generally applicable in the program to verify. 
          - some cleanup of the ok_result rewrites
        * statements.pvs
          - the bunch of rewriting rules for statements, conversions and
            expressions we simply expand. 
        * plain_memory.pvs / expressions.pvs / statements.pvs / 
          cpp-examples.pvs
          - added comment to contain the required auto-rewrite commands
        * cpp-examples.pvs / cpp-examples.prf
          - proved spec_1 .. spec_7
          - added spec_8 with true while loop 
        * a bunch of simple proofs for the rewriting lemmas
        * statements.prf 
          - added some examples to test the statement rewriting rules 
            without requiring the plain memory simplifications.
        * added new validation run: the missing 43 proofs stem from 
          types.pvs and spec_8 (no true loops yet; sorry).

2007-09-28  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * removed the allocator from Christop Haase, I will start again
          from scratch now

2007-09-04  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * types.pvs: fixed import
        * state-transformers.pvs, .prf: 
          - added exception result to stmt ## expr lift
          - lemmas to derive transformers_ok, transformer_invariant from 
            a single representative transformer
          - lemmas to preserve above invariants under composition
        * statements.pvs, .prf: preliminary work on statement -> expr rewrites
        * plain_memory.pvs: removed pm`states(s) precondition, no longer
          needed
        * memory.pvs, .prf
          - lemma to derive unchanged_memory_invariant from 
            a single representative transformer
        * linear_memory.pvs, .prf:
          - invoke functions with base type - this simplifies some proofs
            in challenge linear and makes instantiation easier
          - added judgement style lemmas to derive result types for more 
            specific types
        * challenge-linear.pvs:
          - added a few more helper functions
          - derive linear_resolve_transformer_invariant from unchanged
            results
        * challenge-linear.prf: 
          - fixed proofs for all lemmas, simplified several with 
            composition lemmas
        * new validation (time = 719s)

2007-08-22  Tjark Weber

        * statements.pvs: with_new_stackvar: comments updated

2007-08-13  Tjark Weber

        * hoare.pvs: comment added

2007-08-10  Tjark Weber

        * types.pvs: C++ references added

2007-08-10  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * memory proved again, plain_mem proofs adjusted
        * status update

2007-08-09  Marcus Völp  

        * added min(S) = min(S(n + 1)) + 1 to prelude, required for
          for_termination_point
        * e2s - added exception case 
        * lemmas to rewrite do_while and for to a while statement
        * added while(max, ...), do_while(max, ...) and for(max, ...). 
          added rewrite lemmas to unroll these loops to while(max,...) and
          while(max, ...) to a sequence of max if_else statements and 
          while(...). Use these loop forms if the loop is likely to
          terminate soon. 

2007-08-08  Tjark Weber

        * types.pvs: axiom added: size(dt_uchar) = 1

2007-08-08  Tjark Weber

        * hoare.pvs, memory.pvs, state-transformer.prf, state-transformer.pvs,
          statements.pvs: systematic renaming of theories in
          state-transformer.pvs

2007-08-08  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * completed type change of expressions and statements
          to avoid lambda insertion
        * first example proofs automatically after applying 
          the e(state(e'(s))) to e ## e' lemma by hand

2007-08-07  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * added rewrite lemmas to handle spec_02
          * convert e2s(e) ## e' into e ## e'
          * eliminate skip, ok_result ## e
          * evaluate e ## lambda (res) f to e ## f(res) for expressions
          * evaluate ok_result ## lambda (res) f to f(res)
          * started changing the type of expressions / statements to 
            [State -> *Result] to avoid lambda (state) : e in the rewrites
        * made translate a physical_memory transformer should eliminate the 
          type confusion in challenge linear linear_unchanged_memory_invariant
        * started to simplify linear_memory proofs
          
2007-08-07  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * new lemmas: *_side_effect_super_transformers_mono, more access
        lemmas for plain_memory_transformers_*_side_effects_*

        * more against super transformers hassle: theory Memory_Change_3
          repeats some results for expr transformers

        * some more memory proofs

        * proof status in vfiasco_prelude, plain_memory,
          plain_memory_rewrites 

        * validation status with shostak in capitals

2007-08-06  Tjark Weber

        * Validate/validate: made PVS 4.0 capitalization of SHOSTAK the default

2007-08-06  Tjark Weber

        * hoare.pvs: verification program definitions removed again (they
          should not be needed)

2007-08-06  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * plain_memory: break overlong lines

2007-08-06  Tjark Weber

        * state-transformer.prf, state-transformer.pvs: composition of
          statements and expressions, rewrite lemma added

2007-08-06  Tjark Weber

        * cpp-examples.pvs: cosmetic

2007-08-06  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * eta transformation of linear_{read,write} + proof fixes

2007-08-06  Tjark Weber

        * hoare.pvs: cosmetic

2007-08-03  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * proof status lines in memory

        * work towards bridging the super_transformers - expr_transformers
          gap: 
          - overloaded has_next_state for *Result
          - lemmas connecting the various transformers
          - lemmas for expr_2_super(... ## ...)
          - lemmas expr_transformer_invariant_next_ok,
            expr_transformers_ok_ok 

        * simplified result_pred and other case distinctions with 
          has_next_state

        * moved theory Transformer_Super_Embedding, 
        
        * subset_equal, difference_disjoint_3 lemmas in vfiasco-prelude

        * adjusted proofs, however gave up on 
                linear_plain_unchanged_memory_invariant 
                linear_plain_unchanged_memory_invariant_write 
                linear_plain_unchanged_memory_write_invariant 

        * reproved lots of lemmas in memory.pvs (not finished yet)

        * added option -c to validate: run validate in a copy, 
          do: validate -c <dir>
          or: validate -c     # use /tmp/validate
        
2007-08-03  Marcus Völp

        * changed postcondition to be a program, this way the composition
          rules (i.e., ##) can be applied to it.
        * we need in blessed memory preconditions for all addresses 
          and pm`states 
        * read_data may have side effects, thus read_data(s,..) =
          ok(s,...) cannot hold.

2007-08-02  Tjark Weber

        * Cxx_* renamed to Cpp_*

2007-08-02  Marcus Völp

        * finished plain_memory proofs
        * modified preconditions in memory_change2 to better
          suit plain memory proofs
        * monotonicity lemma for side effect content unchanged

2007-08-02  Tjark Weber

        * small C++ program examples

2007-08-01 16:38  weber

        * expressions.pvs: using datatype formalization; operations
          restricted to int for now

2007-07-31 14:32  weber

        * cplusplus.prf, cplusplus.pvs, types.pvs, types.prf: files
          renamed: cplusplus to types

2007-07-31  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * moved plain_memory rewrite lemmas to separate file
        * proved rewrite lemmas (removed some duplicates)

2007-07-30  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * fixed proofs in challenge phymem + paging data
        * unfinished are proofs in plain memory + memory change 2

2007-07-25 22:25  weber

        * expressions.pvs: class member access added

2007-07-25 21:56  weber

        * expressions.pvs: Cxx_Bool renamed to Cxx_bool

2007-07-25  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * completed proofs for linear_memory_blessing
        * included linear_blessing to everything
        * small bugfix in linear memory (xlat_idx)
        * removed Sarah's theorems

2007-07-19 14:48  weber

        * cplusplus.pvs: Cxx_longlong, Cxx_ulonglong added

2007-07-19  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * removed aligned_minus_rem (replace with "rem_def2")
        * changed side_effect_content_unchanged to take set of addresses
          and a single side effect transformer
        * some cleanups in challenge linear

2007-07-18 12:12  weber

        * Validate/validate: adapted for PVS 4.0 (which capitalizes
          SHOSTAK)

2007-07-18  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added validation runs in Validate subdir:
          - do Validate/validate to start a validation run
          - Validate/status contains the proof status without time
            information, cvs diff Validate/status to see what broke
          - Validate/timed-status contains timings - not useful for diffs
          - Validate/log is the unfiltered output of the validation run

          The validation run does a prove-import-chain on the only theory
          in everything.pvs (~7 min on my machine):
          - add importings in Import_All to incorporate theories in the
            validation run 
          - do not add another theory in everything.pvs

2007-07-17  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * added lemma for aligned(i)(n - rem(i)(n))
        * proved lemmas for linear_resolve of addresses within same page;
          needed to show that physical memory side effects operate on physical
          blessed addresses

2007-07-17  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added composition lemma for expression-forget-expression
        * more formatting in plain_memory
        * disabled invalid TCC proofs in plain_memory

        * fixed line length in plain_memory

2007-07-17 13:21  weber

        * statements.pvs: return_unit renamed to return_void

2007-07-16 16:23  weber

        * conversions.pvs: BooleanConversions added

2007-07-13  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * added yet another missing list lemma (every T => every subtype
          of T)
        * extract side effect transformer invariances

2007-07-12  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * renamed every_conjunct to every_conjunct_left
        * added lemmas to extract side effect transformer ok from plain memory
        * more on challenge linear and linear memory

2007-07-11 16:49  weber

        * expressions.pvs: postfix expressions split into separate theories
          (because of unused theory parameters)

2007-07-11 16:47  weber

        * statements.pvs: for-init-stmt: type changed; return_unit:
          separate theory

2007-07-11 16:45  weber

        * cplusplus.pvs: theory Cxx_Types added, which imports every other
          theory in this file

2007-07-11  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * finished linear_resolve_unchanged_memory_invariant proof
        * lemmas showing that page table entries which differ only in the 
          reference bits are equal wrt. pt translation

2007-07-11 12:05  weber

        * state-transformer.pvs: composition for catch_return

2007-07-09  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * made memory side effect transformers expression transformers
          - to show side_effect_content_unchanged the transformers need to
            agree on both the state and the data. The latter is not the case
            for super transformers.
        * added another missing set + every lemma in vfiasco prelude
        * composition of unchanged memory invariant transformers fulfil the 
          unchanged memory invariant - used to simplify 
          unchanged linear resolve
        * added cr* datatypes in rudimentary fashion
        * defined segment selector data type
        * defined register size, needed to check a + length(bl) in memory
        * proved that datatype is valid iff from byte succeeds
        * backup of preliminary challenge linear results 

2007-07-09 14:51  weber

        * state-transformer.pvs, statements.pvs: declaration statements:
          initial version (still incomplete)

2007-06-29 17:49  weber

        * conversions.pvs: C++ conversions

2007-06-29 16:58  weber

        * expressions.pvs: theory imports updated (typechecks again)

2007-06-29 16:45  weber

        * statements.pvs: theory imports updated (typechecks again)

2007-06-29 16:31  weber

        * statements.pvs, expressions.pvs: catch_return moved to
          expressions.pvs

2007-06-29 16:29  weber

        * state-transformer.pvs: lift_destructor, ST, ET defined

2007-06-29  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * made everything typecheck again and fixed the proofs of some of
          the existing lemmas
        * changed memory access to reflect both the access type and
          generic access rights. In particular Write no longer implies
          Read and Execute is a separate right. I needed these to
          correctly encode the page fault error code (i.e., to distinguish
          between instruction fetch faults and data access faults). 
          - adjusted and proved paging-data models.
        * removed obsolete eval_if_ok construct for those parts where we
          have to fix the proofs anyway.

2007-06-28  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * lift exceptional results to expression result (exception_result,
          fatal_result)
        * defined possible exceptions which may be raised by kernel code
        * removed accessed and privilege comparison - moved to
          Paging_type_helpers
        * made memory, plain_memory and abstract data typecheck again
          - read / write... are expressions, transformers have super type
        * major rework of paging-data / linear_memory
          - translate is a single level page-table lookup and works both
            at the page-table and page-directory level. Consequently we
            need a uniform type for both (Paging_type). Typechecking is
            done by comparing the read values with the types expected for
            this level (paging_type?(lvl, pe)). 
          - linear resolve calls translate for each level of the
            page-table; hopefully this split simplifies later proofs
          - proved TCCs for linear resolve
          - added uniform Paging_type to contain the PT datatypes for all
            levels. Update of paging-data_model is still pending.

2007-05-30 11:30  weber

        * state-transformer.pvs: comment about bug 969 removed (grind
          proves these theorems just fine)

2007-05-29  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * make memory.pvs typecheck again, still need to check and prove
          the contents

        * added Tjark's ChangeLog entries
        * added SuperResult, Super_Embedding to be used for transformer
        invariants that unify statement and expression transformers
        * some cleanups: deleted Hash_Composition (single #)
        * separated the various ## compositions in separate theories (such
        that M-x show-expanded-sequent/show-expanded-form tells you which
        ## you got)
        * reformulation of transformer invariants for SuperResult

2007-05-25  Tjark Weber

        * proof status :-) added
        * right-associative composition

        
2007-04-28  Tjark Weber

        * Result renamed to ExprResult, StmtResult introduced, various
        related changes 
        
2007-04-17  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added more rewrite rules to eliminate eval_if_ok also from the
          middle
        * added rules to show that ok_result is in states and to eliminate
          it in hashes
        * introduced reads to CS, PDBR as other actions in underlying
          plain memory
        * partially proved some of the lemmas

2007-04-13  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * made challenge linear type check again (sorry)

2007-04-13  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added and proved some list lemmas in vfiasco-prelude
          - head tail; list length; floor on nat with base > 1
        * moved linear_resolve_*_write_read to challenge-linear
        * moved list split in own theory
        * added and proved some correctness lemmas and TCCs
        * removed register blessing for CS, PDBR, CR2 from linear_blessed?
        * added min page size, lifted floor to addresses

2007-04-13  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * merge More_Sets into More_Sets_Lemmas
        * changed head/tail to take n : below(length(l))

2007-04-12  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * removed eval_if_ok for Result, f - not needed anymore
        * finished splitting page crossing accesses; proofs are pending

2007-04-12  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * defined lemmas to conclude from set membership to union membership
        * defined head tail for lists
        * defined eval_if_ok for (Result, f)
        * defined lemmas to extract further invariants from the plain
          memory definition.
        * changed side effects to take cross page flag which denotes
          whether the side effect is checked as part of a page-boundary
          crossing access.
        * initial work for splitting page crossing accesses.
        * lemmas and proofs to extract properties from is_linear_plain

2007-04-05  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * wrote condition when (I believe) linear memory is blessed
        * proved some tccs in linear memory blessing
        * proved some lemmas to extract individual conditions from 
          is_linear_plain_memory

2007-04-05  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * more cleaning in constants, state-transformers, vfiasco-prelude: 
          added missing proofs, deleted duplicated proofs

        * some cleanup: + added new files in Makefile, everything
        * moved two of Marcus' new lemmas and simplified proofs
        * deleted some XXX
        * new dependency graphs

2007-04-04  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * XXX'es to not forget to clarify two of Marcus' additions

2007-04-03  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * wrote condition when linear memory is blessed
        * proved lemmas to extract parts of this condition
        -> next: show plain memory properties

2007-04-03  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added and proved bit ops to add offsets to aligned base
          addresses
        * proved TCCs and lemmas in linear memory

2007-04-03  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * finished proof of construct and resolve data
        * added two more bit ops to resolve adding to an aligned
          address and cutting this offset.
        * added rewrite lemma for offset add

2007-04-03  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * separated ok_result and rewrite lemmas into own theory
        * proved test examples
        * proved construct and resolve ok for 4MB lookups
        * made final autorewrites work

2007-04-03  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * removed type_of
        * changed registers block disjoint to nat

2007-04-03  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * converted all tabs to spaces (assuming tab = 8 spaces).
          To end the tab/spaces conflict, please do not commit any tabs;
          expand tabs automatically with

        (add-hook
         'pvs-mode-hook
         '(lambda ()
            (add-hook 'write-contents-hooks 'untabify-buffer)
            ))

        (add-hook
         'change-log-mode-hook
         '(lambda ()
            (add-hook 'write-contents-hooks 'untabify-buffer)
            ))

        (defun untabify-buffer ()
          (interactive)
          (save-excursion
            (save-restriction
              (widen)
              (untabify (point-min) (point-max))
              nil)))
             
          in your .emacs or .pvsemacs

2007-04-02  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * long names for <= in mem_access, _privilege
        * fixed ad_hoc updates
        * use plain memory in linear memory 
        * removed max from in_blessed_memory
        * disabled auto rewrites for type resolution

2007-04-02  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * made rewrite lemmas to automatically simplify the test cases;
          still pending are:
          - the integration of the ad-hoc updates from the new_def theories
          - tccs and proofs for these lemmas.

2007-04-02  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added some lemmas for auto-rewriting the plain memory properties
        * moved Memory_access_util, Memory_privilege_util from 
          paging-data-models to result to make the <= operator accessible

2007-04-02  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * test commit message changes

2007-04-01  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * inserted some XXX 
        * proved paging-data, paging-data-models complete
        * segment data type still missing

2007-03-30  Hendrik Tews  <tews@gromit>

        * cleaned some prf files
        * proved TCC's in paging-data-models

2007-03-30  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added Address_Type_4G for 32 bit addresses, adapted max_linear
        definition
        * use Address_Type_4G in various types
        * proof status update in some files

2007-03-29  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * typo in bits.pvs
        * adjusted paging-data-models (no proofs yet)

        * deleted parametrism in page directory data types;
          postpone this problem until available bits are needed
        * added page directory entry supertype
        * predicates for side effect transformers
        * added side effects to plain memory spec
        * include PF_EC_Model in everything

2007-03-29  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * modified in_blessed_memory? to work with new address model
          * addr + size <= max_linear matches only for memory addresses
          * use instead in_memory(max_linear)(addr + size)
          * currently max <= max_linear (e.g., max = max_physical) does 
            not hold. Because of this plain memory is now parametric in
            the address size
        * proved some of the existing plain mem / memory and phy_mem 
          properties
        * made linear memory parametric on the underlying physical memory. 
          This way we can nest several physical memory layers (e.g., adding
          devices).

2007-03-28  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * linear memory now reads page tables with read_data / write_data
        * proved TCCs for linear memory 
        * added address constructors (use e.g., write_data(..)(CS, ..)
          instead of write_data(..)((# id := CS, ofs := 0 #), ..)

2007-03-28  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * rolled back to byte-wise interface for memory
        * made "everything.pvs" typecheck
        * changed address to [# RegisterId, nat #] ;(
          * PVS seems to dislike the type_of function - got stuck on grind, 
            sometimes exiting the pvs; 
          * tuples don't work either as they cannot be updated as a whole:
              mem With [(a) := x] -> mem With [(a`1, a`2) := x]
          * I therefore used a record type
        * currently all unchanged lemmas work on a memory_*_list with side
          effects and are thus unprovable.

2007-03-27  Marcus Völp   <voelp@os.inf.tu-dresden.de> [Tag - List_Based_Memory_Access]

        * the following elaborates on the design decision to use 
          list-based memory updates and why we discarded them:

        Starting from linear memory, some registers need to be modeled
        (PDBR + CR0, CR4 to check the processor mode). For these register
        accesses it is convenient to also use the read_data / write_data
        machinery rather than specifying individual state transformers to
        access specific registers. Thus both memory and registers need to
        be accessed with a list-based interface. We therefore decided to use the
        same memory model for registers and main memory: 
        
          {Mem u Reg ID} x offset : nat -> Byte 
        
        where offset is bounded by an in_memory test that gives the size
        of memory and of registers.  

        One problem though is that writes to registers may have certain
        side effects. E.g., writing a 0 to the PG flag in CR0 disables
        protected mode. As valid? is only checked when reading a datatype
        but not when writing it, we needed some mechanism to cope with
        this. As registers are typically written as a whole and not
        bytewise, these side effects should be checked after the entire
        write, which led to the design decision to use a list-based
        interface to the individual memory models.
    
        After partially implementing this model in this version (Tag =
        List_Based_Memory_Access) we came to the conclusion that it is not
        very well suited.  
        * Firstly, linear memory needs to perform a byte-wise
          linear-to-physical address translation and to invoke the
          underlying memory model (e.g., phys_mem) byte wise. Otherwise
          complex logic to check and split up unaligned page-overlapping
          accesses would be required.
        
        * Secondly, all memory properties would have to be proven
          list-wise rather than byte-wise and only once for list-wise
          accesses for all concrete memory models.

        The next design we will try is the following: 

        * memory and registers are modeled as above, 

        * the concrete memory models (phys_mem, linear, ...) offer a
          byte-wise interface plus side effects

        * the common memory model (memory) lifts the byte-wise accesses to
          lists and offers an interface in which first (and in an "atomic
          fashion") the side effects 
            eff : [Address, Byte_List, State -> Result[State, Byte_List]] 

          of writing to a register or memory are invoked and then the
          register content is written list wise: 

               eff ## memory_write_list

          thereby the effect has the chance to detect changes to the
          original register (as it is executed before the state is
          modified) and it has the chance to modify both the state and
          what is written to the register.

        * We aim to use side effects to 
          * check and let fail invalid, not modeled or misaligned memory
            accesses 
          * model memory mapped devices (such as the APIC) and their 
            side-effects
          * perform additional access checks at the user-interface level.
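
        The interface sketched in this entry, rendered as an executable model
        (an added example in Python; it is not part of this ChangeLog and not
        the project's PVS sources): main memory and registers share one
        byte-addressed store indexed by (id, offset), in_memory bounds the
        offset by the size of the addressed store, and the list-wise write
        offered to callers is the composition eff ## write_list, where the
        side effect runs on the unmodified state and may change both the
        state and the data written. The store sizes, the CR0 side effect
        (mirroring the PG flag, bit 31, into a state field and rejecting
        partial register writes) and all names are assumptions made for the
        example.

```python
# Added example: Python model of the list-based memory interface described in
# the 2007-03-27 entry. Names, sizes and the CR0 side effect are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class MemId(Enum):
    """Identifier of a byte-addressable store: main memory or a register."""
    MEM = "mem"
    CR0 = "cr0"
    PDBR = "pdbr"

# Constructed sizes: 64 bytes of main memory, 4-byte registers.
SIZES: Dict[MemId, int] = {MemId.MEM: 64, MemId.CR0: 4, MemId.PDBR: 4}

@dataclass(frozen=True)
class Address:
    """The (# id, ofs #) record: which store, and the byte offset into it."""
    id: MemId
    ofs: int

@dataclass
class State:
    mem: Dict[Address, int]   # partial byte map; unwritten bytes read as 0
    paging: bool = False      # mirrored from CR0.PG by the side effect

@dataclass
class Result:
    """ok(state, data), or a failed access with a reason and no next state."""
    ok: bool
    state: Optional[State] = None
    data: Optional[List[int]] = None
    reason: str = ""

def in_memory(addr: Address, length: int) -> bool:
    """Bound the offset by the size of the addressed store."""
    return addr.ofs >= 0 and addr.ofs + length <= SIZES[addr.id]

def read_list(state: State, addr: Address, length: int) -> Result:
    """Byte-wise reads lifted to a list."""
    if not in_memory(addr, length):
        return Result(False, reason="read outside modelled memory")
    data = [state.mem.get(Address(addr.id, addr.ofs + i), 0) for i in range(length)]
    return Result(True, state, data)

def write_list(state: State, addr: Address, data: List[int]) -> Result:
    """Byte-wise writes lifted to a list; the state is copied, not mutated."""
    if not in_memory(addr, len(data)):
        return Result(False, reason="write outside modelled memory")
    new = dict(state.mem)
    for i, b in enumerate(data):
        new[Address(addr.id, addr.ofs + i)] = b & 0xFF
    return Result(True, State(new, state.paging), data)

Transformer = Callable[[State, Address, List[int]], Result]

def compose(eff: Transformer, nxt: Transformer) -> Transformer:
    """eff ## nxt: eff sees the unmodified state and may rewrite both the state
    and the data; nxt then runs on eff's results. A failing eff short-circuits."""
    def composed(state: State, addr: Address, data: List[int]) -> Result:
        r = eff(state, addr, data)
        if not r.ok:
            return r
        return nxt(r.state, addr, r.data)
    return composed

PG_BIT = 31  # CR0.PG (assumed layout for the example)

def cr0_effect(state: State, addr: Address, data: List[int]) -> Result:
    """Side effect of a CR0 write: the register must be written as a whole, and
    the new PG flag is mirrored into the state. The old value is read here,
    before write_list runs, so the effect can compare the old and new register."""
    if addr.id is not MemId.CR0:
        return Result(True, state, data)
    if addr.ofs != 0 or len(data) != SIZES[MemId.CR0]:
        return Result(False, reason="CR0 must be written as a whole")
    old = int.from_bytes(bytes(read_list(state, addr, 4).data), "little")
    new = int.from_bytes(bytes(b & 0xFF for b in data), "little")
    new_pg = bool((new >> PG_BIT) & 1)
    if new_pg == bool((old >> PG_BIT) & 1):
        return Result(True, state, data)
    return Result(True, State(state.mem, paging=new_pg), data)

# The interface offered to callers: side effects first, then the list write.
write_data: Transformer = compose(cr0_effect, write_list)

def demo():
    """Constructed accesses exercising the ok and the failing cases."""
    s0 = State(mem={})
    r1 = write_data(s0, Address(MemId.MEM, 60), [1, 2, 3, 4])       # in range
    r2 = write_data(s0, Address(MemId.MEM, 62), [1, 2, 3, 4])       # runs off the end
    r3 = write_data(s0, Address(MemId.CR0, 0), [0, 0, 0, 0x80])     # sets PG
    r4 = write_data(r3.state, Address(MemId.CR0, 0), [0, 0, 0, 0])  # clears PG
    r5 = write_data(s0, Address(MemId.CR0, 2), [0, 0])              # partial write
    return r1, r2, r3, r4, r5
```

        Because the side effect is composed in front of the byte-wise write,
        an access outside modelled memory or a partial register write fails
        before any byte changes, which is the "atomic" ordering the entry
        asks for; the same compose step would carry a device side effect.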
 
2007-03-27  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * added segment register datatype according to what the VMCS
          reports 
        * adjusted length of registers to the size they occupy in the VMCS
        * initial (non typecheckable) version of linear memory

2007-03-27  Marcus Völp   <voelp@os.inf.tu-dresden.de>

        * first steps to incorporate several changes to the memory model:
        * modeled memory and registers uniformly as Address -> Byte 
          where Address contains the id of the memory / register and
          an offset to its data. This allows to reuse the data type
          model for register accesses. 
        * changed memory structure to contain list-based transformers
        * added exception type. Exception contains the state during which
          the exception occurred. It is expected that the cpu handler runs
          next and constructs a stack frame for the software handler.
        * removed aligned address theory from constants-util and from 
          paging-data - no longer needed as address offsets have no upper 
          bound within the type.
        * removed read_data_raw macro from abstract_data
        * converted memory, plain_memory, phys_memory to use list-based
          memory transformers

        * Note, everything.pvs typechecks but does not c-p-i yet!


2007-03-26  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * added file, theory hierarchies
        * adjusted Makefile for hierarchies
        * added register id datatype in constants.pvs

2007-03-23  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * changed one comment

2007-01-09  Hendrik Tews  <tews@debian>

        * canonical pte datatype model finished

2007-01-08  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * polished status comments

        * canonical pde datatype finished

2006-12-28  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * slightly simplified abstract data axioms
        * added bitvector replacement in bits.pvs
        * constants util lemmas in constants-util.pvs
        * new approach for hardware data types: model them as data type
        * paging related data types in paging-data.pvs
        * models for paging data types in paging-data-models.pvs
        * file paging.pvs not used any longer
        * canonical pdbr data type finished
        * lots of new stuff in vfiasco-prelude.pvs

2006-10-12  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * challenge_phymem adapted and slightly generalized

        * plain memory clean up: renamed lemmas, 
          moved all material into plain_memory.pvs

2006-10-09  Hendrik Tews  <tews@tandem.cs.ru.nl>

        * packed plain mem into a structure
        * started to adapt theories
        * useful emacs code:

(defun update-prf-pm-struct ()
  "Rename pm!N, states!N, ro_addr!N, ... and the old lemma names in a
.prf buffer to the names of the new plain memory structure."
  (interactive)
  (goto-char (point-min))
  (while (re-search-forward "pm!\\([0-9]\\)\\([^`]\\)" nil t)
    (replace-match "pm!\\1`mem\\2"))
  (goto-char (point-min))
  (while (re-search-forward "states!\\([0-9]\\)" nil t)
    (replace-match "pm!\\1`states"))
  (goto-char (point-min))
  (while (re-search-forward "ro_addr!\\([0-9]\\)" nil t)
    (replace-match "pm!\\1`ro_addr"))
  (goto-char (point-min))
  (while (re-search-forward "rw_addr!\\([0-9]\\)" nil t)
    (replace-match "pm!\\1`rw_addr"))
  (goto-char (point-min))
  (while (re-search-forward "other_actions!\\([0-9]\\)" nil t)
    (replace-match "pm!\\1`other_actions"))
  (mapc
   (lambda (subst)
     (goto-char (point-min))
     (while (search-forward (car subst) nil t)
       (replace-match (cadr subst))))
   '(("write_block_transformers_ok" 
      "plain_memory_transformers_ok_write_block")
     ("read_block_transformers_ok" "plain_memory_transformers_ok_read_block")
     ("plain_invariant_write_data" "plain_memory_inv_pred_write_data")
     ("read_block_transformer_invariant" 
      "plain_memory_invariant_read_block")
     ("read_data_ok" "plain_memory_read_data_ok")
     ("write_block_transformer_invariant" "plain_memory_invariant_write_block")
     ("write_data_ok" "plain_memory_write_data_ok")
     ("write_data_valid" "plain_memory_write_data_valid")
     ("plain_mem_transformers_ok_write_data" 
      "plain_memory_transformers_ok_write_data")
     ("plain_mem_transformer_invariant_write_data" 
      "plain_memory_transformer_invariant_write_data")
     ("plain_mem_transformer_invariant_read_data"
      "plain_memory_transformer_invariant_read_data")
     ("plain_mem_unchanged_memory_invariant_write_data"
      "plain_memory_unchanged_memory_invariant_write_data")
     ("plain_memory_read_ro_rw_transformers_ok"
      "plain_memory_transformers_ok_read_ro_rw")
     ("plain_mem_unchanged_memory_invariant_read_data" 
      "plain_memory_unchanged_memory_invariant_read_data")
     ("read_data_q_ok" "plain_memory_read_data_q_ok")
     ("read_data_q_same" "plain_memory_read_data_q_same")
     ("read_write_ok" "plain_memory_read_write_ok")
     ("read_write_res" "plain_memory_read_write_res")
     ("read_write_other_ok" "plain_memory_read_write_other_ok")
     ("read_write_other_res" "plain_memory_read_write_other_res")
     ("read_read_ok" "plain_memory_read_read_ok")
     )
   ))

(defun update-pvs-pm-struct ()
  "Rewrite the plain memory fields in a .pvs buffer as pm`... record
accesses."
  (interactive)
  (goto-char (point-min))
  (while (re-search-forward "\\<pm\\>" nil t)
    (replace-match "pm`mem"))
  (goto-char (point-min))
  (while (re-search-forward "states" nil t)
    (replace-match "pm`states"))
  (goto-char (point-min))
  (while (re-search-forward "ro_addr" nil t)
    (replace-match "pm`ro_addr"))
  (goto-char (point-min))
  (while (re-search-forward "rw_addr" nil t)
    (replace-match "pm`rw_addr"))
  (goto-char (point-min))
  (while (re-search-forward "other_actions" nil t)
    (replace-match "pm`other_actions")))
        

2006-04-20  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * showed blessing of entire physical memory
        * proved challenge phymem using the plain mem properties

2006-04-20  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added lemmas to show equivalence of unchanged_memory_invariant 
          and transformer_invariant wrt to_unit
        * finished read_read lemmas

2006-04-20  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * read_read lemmas almost finished (stupid to_unit problem
        remains) 

2006-04-19  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * finished proof of lemma unchanged_memory_invariant_read_list

2006-04-18  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * proved read other after write lemmas

        * two new lemmas towards read other after read

2006-04-13  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * read_data_q_same proved

        * plain_mem_q_read_list proved

        * added plain_mem_q_read_list

        * two new lemmas towards read_write and read_read

        * small progress in plain_mem_unchanged_memory_invariant_write_data

2006-04-13  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added disjoint_commutative to prelude
        * generalized plain_memory_unchanged_invariant to all addresses
          that are not written
        
2006-04-12  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * cleaned importings
        * simplified a few proofs
        * renamed in_memory? into in_blessed_memory and put it into a
          different theory

2006-04-12  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * added another combination of unchanged memory invariant
        * extracted transformer and unchanged properties of write data;
          they are used in at least two of the read_write other lemmas
        

2006-04-12  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * finished plain memory read same, we need the precondition
          subject(address_block, blessed memory) because writes 
          outside blessed memory may also be ok
        * extracted data block preconditions to in_memory?
        * added plain memory read other 
        * showed write_list_ok implies address block is in linear memory
        * moved read_ok, write_ok, write_res to Plain_Mem_Data

2006-04-11  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * more material towards read_write_res

2006-04-11  Marcus Völp  <voelp@os.inf.tu-dresden.de>

        * fixed unchanged memory precondition in plain_memory to also
          cover read write addresses for read transformers
        * lifted unchanged memory invariant for rw_addr to the block
          level


2006-04-11  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * fixed bug in valid_in_mem (will break material in
          phymem_challenge) 
        * towards the plainmem challenge: more proofs and lemmas
        * reactivated More_Sets_Lemmas with some subset-union property
        

2006-04-10  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * new definition of plain memory in plain_memory.pvs
          (comments will be added later, hopefully)
        * new challenge challenge_plainmem

2006-02-17  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * challenge-phymem cleanup finished

2006-01-26  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * cleaned up: abstract_data, remainder of challenge-phymem

2006-01-11  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

        * project relaunched, goals:
          - make the number of bits in a byte undetermined
          - adopt the data type abstraction
          - adapt proofs to newest pvs
          - check sources, comment/delete unnecessary stuff

        * files vfiasco_prelude, constants, result,
          state-transformer finished
        * memory almost finished
          

2005-06-08  Hendrik Tews  <tews@ithif59.inf.tu-dresden.de>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

        I'll move the repository, so DO NOT SUBMIT TO OS ANY MORE

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
        
        * insert the additional Address type a few more times
        * add theories to everything

2003-11-20  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * revert the previous adjustments
        * adjusted all theories to the new Abstract Data type

2003-09-01  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added theory Abstract_Read_Unchanged:
           provides a number of useful lemmas over read_data when
           reading does not change the state
        * adapted linear_memory and segmented memory to above theory

2003-08-27  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * Result element Page_fault changed:
          It does not need a next_state because it is never used.
          The page fault handler always restores the state before the
          offending instruction.

2003-08-25  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added model for general-purpose registers

2003-08-22  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * ia32: added page fault handling, IRET must not be
                passed along when concatenating state transformers
        * added challenges for executable memory
        * minor bug fixes, comment corrections

2003-08-11  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * ia32: complete hardware interface without pagefault handling

2003-08-08  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * renamed hardware -> ia32
        * added register_memory
        * eflags moved to register_memory

2003-08-05  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * added newest patch to dot.pvs.lisp

2003-07-31  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * Completely restructured hardware part:
           - consistent naming
           - more independence between layers
             (in structure as well as in proving)
           - considerably simplified proofs
          (see CVS logs for particular changes) 

2003-07-29  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * Makefile change: added pvsclean rule

2003-07-24  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * Added privilege level check for privileged operations 

2003-07-23  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * Changed vmem_consistent_entry? that it can be used for
          an arbitrary physical memory
        * Proved word16_t to be a data_type
        Grand Totals: 581 proofs, 581 attempted, 571 succeeded

2003-07-21  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * moved one of the ## definitions in a theory with one type
          parameter less

2003-07-14  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * memory: added memory_read_list_next_ok, 
                        memory_read_list_ok_length

2003-07-10  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * grand renaming: all *_Coll theories into *_Coroll
        * added Executable_Memory_Coroll

2003-07-09  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * exec_memory: EFLAGS properly supported
        * added flag-registers.pvs

2003-07-07  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added challenge_stackmem (proved)
        * added theory Stack_Memory_Coll (proved)

2003-07-04  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * added ## for complex state transformers on Matthias request

2003-07-02  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added challenge_tlbmem : moved most proofs from Tlb_Memory_Coll there
        * added challenge_segmem
        * added theory Segmented_Memory_Coll: 
          lemmas about next states of functions (proved)
        
2003-06-27  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added lemmas for flat segments

2003-06-26  Matthias Daum <md11@os.inf.tu-dresden.de>
        
        * vfiasco-prelude.pvs (More_List_Props): added make_list function (as
          found in vfiasco/doc/200305-types/Pvs/vfiasco-prelude.pvs)

2003-06-16  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * hardware.pvs: page fault handling (temporarily there)
        * segmentation, stack, exec: more instructions supported
        * Result_Transformer added

2003-05-28  Matthias Daum <md11@os.inf.tu-dresden.de>

        * Added theories Builtin_Char and Builtin_Wchar,
        * Added dt_[us]long for Builtin_[US]long.

2003-05-26  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * Virtual_memory: last open issues (PDBR, reserved bits) modeled
        * further development of segmentation, stack, exec

2003-05-26  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * added strictly_ordered_list and no_overlap to vfiasco_prelude

2003-05-25  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * eval_if_ok adapted to standard state transformer format
        * added Transformer_State_Cast, Transformer_Result_State[_2]
          to simplify casting of state transformers
        * Tlb_memory: TLB invalidation for single 4-KByte-pages
        * Tlb_memory: proofs for TLB invalidation

2003-05-19  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * preliminary versions of segmentation, stack
          and execution layer

2003-05-16  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * new theory More_List_Props in vfiasco_prelude
          defining sublist(offs, len)

2003-05-16  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * TLB_memory: global bit handling
        * beautification for consistency:
           mword_vec -> Mword_vec, Pagefault_Flag -> Pagefault_flag
        * new datatypes: Word, Word_vec
        * new state transformers pass_transformer, eval_if_pf
        * added segmentation helper functions (segmentation.pvs)


2003-05-06  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * new theory Abstract_Data_2 (file abstract_data) describes when
        two pieces of data do not overlap in memory
        * added a few new utility lemmas at different places
        * PHY_MEM CHALLENGE PROVED COMPLETE
        * deleted old Phy_Mem_Properties_Old theory

2003-04-28  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * changes to properties of virtual_memory (to allow to
          prove them for memory regions only)
        * proof in virtual memory now really complete
        * very abstract version of TLB memory added
  
2003-04-19  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * proofs in Virtual_memory redone

2003-04-15  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * reordered theories in state_transformer
        * changed lemma unchanged_memory_read_list such that it applies to
          Unit state transformers (was Byte state transformers)

2003-04-10  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * theory Pages moved to paging.pvs
        * rewrote Virtual_memory (needs proving again)
        * added Tlb_memory

2003-04-02  Michael Hohmuth  <hohmuth@require-re.de>

        * cplusplus.pvs (Cxx_Schar [and similarly, theories of other
          signed integrals]):
          - Split axiom dt_char_sizes_equal into two: one for
            size(dt_char) and one for schar_bits.
          - Added comments about nonmodeled C++ features
          - Moved TYPE_ptr? attributes from Cxx_Integral to Cxx_Pointer

2003-04-02  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * Phy_Mem_Challenge_Read_Same proved complete

        * first version of Phy_Mem_Challenge_Read_Other, this will require
          some development before finishing the proofs 

2003-03-31  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * added fixes for #756 & #752 to dot.pvs.lisp

2003-03-28  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * reserved_bit removed from Pagefault_type
          (reserved bits are simply fatal to virtual memory)

        * proofs in virtual_memory complete, more proofs in
          challenge-virtmem

2003-03-27  Michael Hohmuth  <hohmuth@require-re.de>

        * cplusplus.pvs: Modeled a comfortable subset of C++'s basic type
          subsystem, and proved all TCCs and lemmas.

2003-03-27  Hendrik Tews  <tews@debian>

        * reformulated transformer_invariant with predicate lifting

        * new theory Address_Util defines memory blocks for use with the
          various unchanged abstractions

        * proved unchanged_memory_read_list_write_list (and various
          utility lemmas) complete

2003-03-26  Michael Hohmuth  <hohmuth@require-re.de>

        * cplusplus.pvs: Started factoring out architecture-independent
          and compiler-independent knowledge about C++ into a set of
          theories of its own.  We will eventually use (and interpret) these
          theories in builtin_types.pvs.

        * plain_memory.pvs: More utility lemmas and partly-finished
          proofs.

        * builtin_types.pvs: Documented assumptions about our compiler and
          architecture.  Added types void, pointer, and many conversion
          functions.

        * constants.pvs (IA32): Mword_pred: new type predicate for Mword

2003-03-25  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added lemmas over virtual memory
  
        * moved Memory_access from plain_memory to Result
          for general use
   
        * changed Pagefault_Flag to better reflect the real one

2003-03-25  Hendrik Tews  <tews@debian>

        * unchanged_memory_read_list lemma proved complete

2003-03-24  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * add a new unchanged abstraction for arbitrary memories 
          (theory Memory_Change): unchanged_memory_invariant?

        * define invariants for state transformers 
          (theory Transformer_Invariant)

        * define disjoint data types in Abstract_Data_2 
          (not used yet)

        * new type between(min,max) in vfiasco_prelude.pvs

        * bit of restructuring in challenge_phymem: Properties independent
          from the data type are in theory Phy_Mem_Properties now
        
        * Add lemmas connecting bvec0/1 and fill to vfiasco_prelude

2003-03-20  Michael Hohmuth  <hohmuth@require-re.de>

        * Continued working on plain_memory: Added more utility lemmas and
          proofs

2003-03-19  Michael Hohmuth  <hohmuth@require-re.de>

        * Introduced more lemmas that should eventually make working with
          blessings easier, and started to prove them.

2003-03-19  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * updated all files to new abstract_data interface

2003-03-17  Michael Hohmuth  <hohmuth@require-re.de>

        * plain_memory.pvs: Added and proved new lemmas
          memory_{read,write}{,_list}_ok, which hopefully will eventually
          help us proving lemma read_write.

2003-03-17  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * abstract_data design change: The memory struct is an argument to
          all operations (was theory parameter). This solves several
          instantiation problems.

        * New theory Memory_Physical_Memory defines the memory struct for
          physical memory.

        * rename Physical_Memory_Struct.phy_pm into wrapped_phy_pm

        * dot.pvs.lisp contains a patch that fixes the auto_rewrite+/-
          problem. Copy (or link) this file to ~/.pvs.lisp to load the patch
          every time you start PVS.
        * deleted bug workaround in virtual_memory

2003-04-16  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * theory Little_Endian_MWord_Vec proved

        * case consistent renaming in Result data type

2003-03-14  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * Theory Builtin_Bool_Model_Instance uses brand new theory
          interpretations to prove the consistency of Builtin_Bool.
          This looks nice, but is irrelevant as long as PVS does not
          implement interpretation chains (or proof chains) for axioms. 

        * first self defined strategy in file pvs-strategies:
          rewrite-actual to rewrite with a definition replacing also the
          theory actuals.

        * virtual_memory.pvs: 4 unproved TCC's (was 22)

2003-03-13  Michael Hohmuth  <hohmuth@require-re.de>

        * builtin_types.pvs: Added theories Builtin_Schar, Builtin_Ushort,
          Builtin_Sshort, Builtin_Signed -- similar in spirit to existing
          definitions.  
          Added theories Builtin_Ulong, Builtin_Slong, containing aliases
          for types Semantics_unsigned and Semantics_signed.
          Fixed type of Semantics_unsigned.

        * builtin_models.pvs: Added theories Builtin_Signed_Model,
          Builtin_Schar_Model, Builtin_Ushort_Model, Builtin_Sshort_Model
          
2003-04-12  Sarah Hoffmann  <sh18@os.inf.tu-dresden.de>

        * added virtual_memory.pvs, challenge-virtmem.pvs:
          virtual memory without TLB
        * added fixed type word_vec, a machine word as bitvector

2003-03-12  Michael Hohmuth  <hohmuth@require-re.de>

        * builtin_types.pvs, builtin_models.pvs: Added type definitions
          and models for unsigned char, unsigned int

2003-03-12  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * lemma Little_Endian_MWord.word_datatype proved complete

2003-03-11  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * renamed size_t to size (in abstract_data)
        * new modules builtin_types, builtin_models for the 
          semantics of builtin types
        * added semantics of bool 

2003-03-10  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * first physical memory challenge proved complete
        Grand Totals: 50 proofs, 50 attempted, 50 succeeded (49.37 s)

2003-03-07  Michael Hohmuth  <hohmuth@require-re.de>

        * plain_memory.pvs: Added more properties of plain memories.
          Proved that a simple test memory is indeed a plain memory.

2003-03-05  Michael Hohmuth  <hohmuth@inf.tu-dresden.de>

        * Added plain_memory.pvs: Properties of plain memory

2003-03-05  Michael Hohmuth  <hohmuth@inf.tu-dresden.de>

        * Renamed theory Plain_Memory to Memory, and files plain-memory.*
          to memory.*.  (The name ``plain memory'' is reserved for a memory
          with special properties.)

2003-03-05  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * increased proved score in challenge-phymem

        * added file everything to import everything in a single theory.
          The sole purpose is to facilitate rerunning all proofs.
          Please add all new theories to the importing of Import_All.
          
          I suggest the following convention: Lemmas that state false
          things (which are sometimes included for testing) get the
          distinguished suffix _unprovable. This way one can easily wipe
          them out from a PVS Status buffer (and concentrate on failing
          proofs for true lemmas). I often use the following emacs
          function on a PVS Status buffer:

          (defun pvs-unprovable ()
            (interactive)
            (goto-char (point-min))
            (flush-lines "\\<complete\\>")
            (goto-char (point-min))
            (flush-lines "unprovable"))

          After that I search for dots to find failed proofs.


2003-03-04  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * file physical_memory revived and cleaned up
          (Sorry Sarah, I needed memory instance)
        * file PhyMemChallenge revived as challenge-phymem

2003-03-03  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * new fixed_data defines fixed data types
          - first one is mword_t for 4 byte little endian words
        * defined eval_if_ok for composition of expressions 
          -- this is the simplest solution at the moment

2003-02-21  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * new file constants for basic types and constants
        * new file vfiasco-prelude for stuff missing from the standard
          prelude 
        * new file abstract_data for abstract data types
        * file plain revived as plain-memory
        * file transform revived as state-transformer
        * file typecheck.el revived

        * cleaned up state-transformer, plain-memory

2003-02-18  Hendrik Tews  <tews@ithif51.inf.tu-dresden.de>

        * start (almost) from scratch (old version has tag
          version-wei-wei) 
        * start changelog

