Simpler syncer specs
This simplifies the syncer specs. The sequential syncer only is slightly improved, by changing
Definition synced R (f' f: val) :=
(□ ∀ P Q (x: val), ({{ R ★ P x }} f x {{ v, R ★ Q x v }}) →
({{ P x }} f' x {{ v, Q x v }}))%I.such that P, Q don't factor in a dependency on x any more. Since all three are quantified at the same time, the two specs are equivalent -- and the one where P is not a predicate and Q is exactly the postcondition is arguably simpler:
Definition synced R (f f': val) :=
(□ ∀ P Q (x: val), ({{ R ★ P }} f x {{ v, R ★ Q v }}) →
({{ P }} f' x {{ Q }}))%I.For the atomic spec, the changes are deeper. The currying on some location l is entirely removed. is_atomic_syncer better mirrors is_syncer from the sequential version. And finally, we use "original" atomic triples and not some modified version thereof (so atomic_triple_base is killed).
TODO: Fix atomic_pcas.v, it relied on the location currying done by atomic_sync.v. However, I don't entirely grok that file. @zhangz could you give that a look?
Merge request reports
Merged by
(Jun 13, 2025 9:06pm UTC)
Activity
Notice that there still is a subtle difference between
is_syncerandis_atomic_syncer: The former quantifies overxonce, and lifts the spec forx"pointwise". The latter demands that the sequential spec holds for allxbefore proving the atomic spec for allx. That's strictly weaker, and I think there is no reason to make it weaker like that. We could then probably even remove the dependency of \alpha, \beta onxas they would all be quantified at the same place.I'll look into that tomorrow.
66 iIntros (f) "%". 67 iApply wp_wand_r. 68 iSplitR; first iApply "Hsyncer". 69 iIntros (f') "#Hsynced". 70 iExists γ. iFrame. 71 iIntros (x). iAlways. 72 iIntros (P Q) "#Hvss". 73 iSpecialize ("Hsynced" $! P Q x). 74 iIntros "!# HP". iApply wp_wand_r. iSplitL "HP". 58 iIntros (s) "#Hsyncer". iApply "HΦ". 59 iSplitL "Hg2"; first done. iIntros "!#". 60 iIntros (f). iApply wp_wand_r. iSplitR; first by iApply "Hsyncer". 61 iIntros (f') "#Hsynced {Hsyncer}". 62 iIntros (α β) "#Hseq". 63 iIntros (x P Q) "#Hvss !# HP". 64 (* TODO: Why can't I iApply "Hsynced"? *) Because the post-condition
Qin goalWP f' x {{ v, ∃ x0 : A, Q x0 v }}in goal doesn't look like the assumption we have from syncer spec:"Hsynced" : ∀ (P0 : uPred (iResUR Σ)) (Q0 : language.val heap_lang → uPred (iResUR Σ)) (x0 : val), {{ (∃ g : A, ϕ g ★ gHalf γ g) ★ P0 }} f x0 {{ v, (∃ g : A, ϕ g ★ gHalf γ g) ★ Q0 v }} → {{ P0 }} f' x0 {{ v, Q0 v }}?
But it looks like if we drop the
xargument ofQas @robbertkrebbers proposed in the mail, this should be more elegant-
Indeed simplifying the atomic triple did not help.
@robbertkrebbers could you have a look at the iApply-related TODO in
atomic_sync.v? Looks to me as if iApply transparently stripping boxes doesn't work here, or maybe sth. else is going on.
Added 1 commit:
- 531ed2a1 - simplify atomic triples as suggested by Robbert
Mentioned in commit 8d5768cb
