diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0f4d979450f8b2e1c8e21994903d77596fe69853..518d58d5d46c76f3f6e8517934b74c3fb3f0c648 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,14 @@ lemma.
* Make the `inG` instances for `libG` fields local, so they are only used inside
the library that defines the `libG`.
+**Changes in `iris_heap_lang`:**
+
+* Changed the `num_laters_per_step` of `heap_lang` to `λ n, n`, signifying that
+ each step of the weakest precondition strips `n` laters, where `n` is the
+ number of steps taken so far. This number is tied to ghost state in the state
+ interpretation, which is exposed, updated, and used with new lemmas
+ `wp_lb_init`, `wp_lb_update`, and `wp_step_fupdN_lb`. (by Jonas Kastberg Hinrichsen)
+
## Iris 3.6.0 (2022-01-22)
The highlights and most notable changes of this release are:
diff --git a/iris/program_logic/total_adequacy.v b/iris/program_logic/total_adequacy.v
index a8d0f5f09f6ae1a2c011c54bf6072c58b40dbee6..0e6dd10e749d30247a128ab429b7bb9c442ff6a8 100644
--- a/iris/program_logic/total_adequacy.v
+++ b/iris/program_logic/total_adequacy.v
@@ -116,22 +116,27 @@ Proof.
Qed.
End adequacy.
-Theorem twp_total Σ Λ `{!invGpreS Σ} s e σ Φ :
+Theorem twp_total Σ Λ `{!invGpreS Σ} s e σ Φ n :
(∀ `{Hinv : !invGS Σ},
⊢ |={⊤}=> ∃
- (stateI : state Λ → list (observation Λ) → nat → iProp Σ)
- (fork_post : val Λ → iProp Σ),
+ (stateI : state Λ → nat → list (observation Λ) → nat → iProp Σ)
+ (** We abstract over any instance of [irisG], and thus any value of
+ the field [num_laters_per_step]. This is needed because instances
+ of [irisG] (e.g., the one of HeapLang) are shared between WP and
+ TWP, where TWP simply ignores [num_laters_per_step]. *)
+ (num_laters_per_step : nat → nat)
+ (fork_post : val Λ → iProp Σ)
+ state_interp_mono,
let _ : irisGS Λ Σ :=
- IrisG _ _ Hinv (λ σ _, stateI σ) fork_post (λ _, 0)
- (λ _ _ _ _, fupd_intro _ _)
+ IrisG _ _ Hinv stateI fork_post num_laters_per_step state_interp_mono
in
- stateI σ [] 0 ∗ WP e @ s; ⊤ [{ Φ }]) →
+ stateI σ n [] 0 ∗ WP e @ s; ⊤ [{ Φ }]) →
sn erased_step ([e], σ). (* i.e. ([e], σ) is strongly normalizing *)
Proof.
intros Hwp. apply (soundness (M:=iResUR Σ) _ 1); simpl.
apply (fupd_plain_soundness ⊤ ⊤ _)=> Hinv.
- iMod (Hwp) as (stateI fork_post) "[Hσ H]".
- iApply (@twptp_total _ _ (IrisG _ _ Hinv (λ σ _, stateI σ) fork_post _ _)
- _ 0 with "Hσ").
+ iMod (Hwp) as (stateI num_laters_per_step fork_post stateI_mono) "[Hσ H]".
+ set (iG := IrisG _ _ Hinv stateI fork_post num_laters_per_step stateI_mono).
+ iApply (@twptp_total _ _ iG _ n with "Hσ").
by iApply (@twp_twptp _ _ (IrisG _ _ Hinv _ fork_post _ _)).
Qed.
diff --git a/iris_heap_lang/adequacy.v b/iris_heap_lang/adequacy.v
index 42814e06e6ed009146c21a9cd4faf7187639c751..9d4ad1e7ff8b381d819fcff35361d453167d142e 100644
--- a/iris_heap_lang/adequacy.v
+++ b/iris_heap_lang/adequacy.v
@@ -1,4 +1,5 @@
From iris.algebra Require Import auth.
+From iris.base_logic.lib Require Import mono_nat.
From iris.proofmode Require Import proofmode.
From iris.program_logic Require Export weakestpre adequacy.
From iris.heap_lang Require Import proofmode notation.
@@ -9,23 +10,42 @@ Class heapGpreS Σ := HeapGpreS {
heapGpreS_heap :> gen_heapGpreS loc (option val) Σ;
heapGpreS_inv_heap :> inv_heapGpreS loc (option val) Σ;
heapGpreS_proph :> proph_mapGpreS proph_id (val * val) Σ;
+ heapGS_step_cnt :> mono_natG Σ;
}.
Definition heapΣ : gFunctors :=
- #[invΣ; gen_heapΣ loc (option val); inv_heapΣ loc (option val); proph_mapΣ proph_id (val * val)].
+ #[invΣ; gen_heapΣ loc (option val); inv_heapΣ loc (option val);
+ proph_mapΣ proph_id (val * val); mono_natΣ].
Global Instance subG_heapGpreS {Σ} : subG heapΣ Σ → heapGpreS Σ.
Proof. solve_inG. Qed.
+(* TODO: The [wp_adequacy] lemma is insufficient for a state interpretation
+with a non-constant step index function. We thus use the more general
+[wp_strong_adequacy] lemma. The proof below replicates part of the proof of
+[wp_adequacy], and it hence would make sense to see if we can prove a version
+of [wp_adequacy] for a non-constant step version. *)
Definition heap_adequacy Σ `{!heapGpreS Σ} s e σ φ :
(∀ `{!heapGS Σ}, ⊢ inv_heap_inv -∗ WP e @ s; ⊤ {{ v, ⌜φ v⌠}}) →
adequate s e σ (λ v _, φ v).
Proof.
- intros Hwp; eapply (wp_adequacy _ _); iIntros (? κs) "".
+ intros Hwp.
+ apply adequate_alt; intros t2 σ2 [n [κs ?]]%erased_steps_nsteps.
+ eapply (wp_strong_adequacy Σ _); [|done].
+ iIntros (Hinv).
iMod (gen_heap_init σ.(heap)) as (?) "[Hh _]".
iMod (inv_heap_init loc (option val)) as (?) ">Hi".
iMod (proph_map_init κs σ.(used_proph_id)) as (?) "Hp".
- iModIntro. iExists
- (λ σ κs, (gen_heap_interp σ.(heap) ∗ proph_map_interp κs σ.(used_proph_id))%I),
- (λ _, True%I).
- iFrame. iApply (Hwp (HeapGS _ _ _ _ _)). done.
+ iMod (mono_nat_own_alloc) as (γ) "[Hsteps _]".
+ iDestruct (Hwp (HeapGS _ _ _ _ _ _ _) with "Hi") as "Hwp".
+ iModIntro. iExists s.
+ iExists (λ σ ns κs nt, (gen_heap_interp σ.(heap) ∗
+ proph_map_interp κs σ.(used_proph_id) ∗
+ mono_nat_auth_own γ 1 ns))%I.
+ iExists [(λ v, ⌜φ vâŒ%I)], (λ _, True)%I, _ => /=.
+ iFrame.
+ iIntros (es' t2' -> ? ?) " _ H _".
+ iApply fupd_mask_intro_discard; [done|]. iSplit; [|done].
+ iDestruct (big_sepL2_cons_inv_r with "H") as (e' ? ->) "[Hwp H]".
+ iDestruct (big_sepL2_nil_inv_r with "H") as %->.
+ iIntros (v2 t2'' [= -> <-]). by rewrite to_of_val.
Qed.
diff --git a/iris_heap_lang/primitive_laws.v b/iris_heap_lang/primitive_laws.v
index 0af58af239b8cc83a7b465365026f62d84e440fb..e51974e0260253e43b896516f27d21a55571d937 100644
--- a/iris_heap_lang/primitive_laws.v
+++ b/iris_heap_lang/primitive_laws.v
@@ -3,6 +3,7 @@ the Iris lifting lemmas. *)
From iris.proofmode Require Import proofmode.
From iris.bi.lib Require Import fractional.
+From iris.base_logic.lib Require Import mono_nat.
From iris.base_logic.lib Require Export gen_heap proph_map gen_inv_heap.
From iris.program_logic Require Export weakestpre total_weakestpre.
From iris.program_logic Require Import ectx_lifting total_ectx_lifting.
@@ -15,16 +16,60 @@ Class heapGS Σ := HeapGS {
heapGS_gen_heapGS :> gen_heapGS loc (option val) Σ;
heapGS_inv_heapGS :> inv_heapGS loc (option val) Σ;
heapGS_proph_mapGS :> proph_mapGS proph_id (val * val) Σ;
+ heapGS_step_name : gname;
+ heapGS_step_cnt : mono_natG Σ;
}.
+Local Existing Instance heapGS_step_cnt.
-Global Instance heapGS_irisGS `{!heapGS Σ} : irisGS heap_lang Σ := {
+Section steps.
+ Context `{!heapGS Σ}.
+
+ Local Definition steps_auth (n : nat) : iProp Σ :=
+ mono_nat_auth_own heapGS_step_name 1 n.
+
+ Definition steps_lb (n : nat) : iProp Σ :=
+ mono_nat_lb_own heapGS_step_name n.
+
+ Local Lemma steps_lb_valid n m :
+ steps_auth n -∗ steps_lb m -∗ ⌜m ≤ nâŒ.
+ Proof.
+ iIntros "Hauth Hlb".
+ by iDestruct (mono_nat_lb_own_valid with "Hauth Hlb") as %[_ Hle].
+ Qed.
+
+ Local Lemma steps_lb_get n :
+ steps_auth n -∗ steps_lb n.
+ Proof. apply mono_nat_lb_own_get. Qed.
+
+ Local Lemma steps_auth_update n n' :
+ n ≤ n' → steps_auth n ==∗ steps_auth n' ∗ steps_lb n'.
+ Proof. intros Hle. by apply mono_nat_own_update. Qed.
+
+ Local Lemma steps_auth_update_S n :
+ steps_auth n ==∗ steps_auth (S n).
+ Proof.
+ iIntros "Hauth".
+ iMod (mono_nat_own_update with "Hauth") as "[$ _]"; [lia|done].
+ Qed.
+
+ Lemma steps_lb_le n n' :
+ n' ≤ n → steps_lb n -∗ steps_lb n'.
+ Proof. intros Hle. by apply mono_nat_lb_own_le. Qed.
+
+End steps.
+
+Global Program Instance heapGS_irisGS `{heapGS Σ} : irisGS heap_lang Σ := {
iris_invGS := heapGS_invGS;
- state_interp σ _ κs _ :=
- (gen_heap_interp σ.(heap) ∗ proph_map_interp κs σ.(used_proph_id))%I;
+ state_interp σ step_cnt κs _ :=
+ (gen_heap_interp σ.(heap) ∗ proph_map_interp κs σ.(used_proph_id) ∗
+ steps_auth step_cnt)%I;
fork_post _ := True%I;
- num_laters_per_step _ := 0;
- state_interp_mono _ _ _ _ := fupd_intro _ _
+ num_laters_per_step n := n;
}.
+Next Obligation.
+ iIntros (?? σ ns κs nt) "/= ($ & $ & H)".
+ by iMod (steps_auth_update_S with "H") as "$".
+Qed.
(** Since we use an [option val] instance of [gen_heap], we need to overwrite
the notations. That also helps for scopes and coercions. *)
@@ -68,6 +113,61 @@ Implicit Types σ : state.
Implicit Types v : val.
Implicit Types l : loc.
+Lemma wp_lb_init s E e Φ :
+ TCEq (to_val e) None →
+ (steps_lb 0 -∗ WP e @ s; E {{ v, Φ v }}) -∗
+ WP e @ s; E {{ Φ }}.
+Proof.
+ (** TODO: We should try to use a generic lifting lemma (and avoid [wp_unfold])
+ here, since this breaks the WP abstraction. *)
+ rewrite !wp_unfold /wp_pre /=. iIntros (->) "Hwp".
+ iIntros (σ1 ns κ κs m) "(Hσ & Hκ & Hsteps)".
+ iDestruct (steps_lb_get with "Hsteps") as "#Hlb".
+ iDestruct (steps_lb_le _ 0 with "Hlb") as "Hlb0"; [lia|].
+ iSpecialize ("Hwp" with "Hlb0"). iApply ("Hwp" $! σ1 ns κ κs m). iFrame.
+Qed.
+
+Lemma wp_lb_update s n E e Φ :
+ TCEq (to_val e) None →
+ steps_lb n -∗
+ WP e @ s; E {{ v, steps_lb (S n) -∗ Φ v }} -∗
+ WP e @ s; E {{ Φ }}.
+Proof.
+ (** TODO: We should try to use a generic lifting lemma (and avoid [wp_unfold])
+ here, since this breaks the WP abstraction. *)
+ rewrite !wp_unfold /wp_pre /=. iIntros (->) "Hlb Hwp".
+ iIntros (σ1 ns κ κs m) "(Hσ & Hκ & Hsteps)".
+ iDestruct (steps_lb_valid with "Hsteps Hlb") as %?.
+ iMod ("Hwp" $! σ1 ns κ κs m with "[$Hσ $Hκ $Hsteps]") as "[%Hs Hwp]".
+ iModIntro. iSplit; [done|].
+ iIntros (e2 σ2 efs Hstep).
+ iMod ("Hwp" with "[//]") as "Hwp".
+ iIntros "!> !>". iMod "Hwp" as "Hwp". iIntros "!>".
+ iApply (step_fupdN_wand with "Hwp").
+ iIntros "Hwp". iMod "Hwp" as "(($ & $ & Hsteps)& Hwp & $)".
+ iDestruct (steps_lb_get with "Hsteps") as "#HlbS".
+ iDestruct (steps_lb_le _ (S n) with "HlbS") as "#HlbS'"; [lia|].
+ iModIntro. iFrame "Hsteps".
+ iApply (wp_wand with "Hwp"). iIntros (v) "HΦ". by iApply "HΦ".
+Qed.
+
+Lemma wp_step_fupdN_lb s n E1 E2 e P Φ :
+ TCEq (to_val e) None →
+ E2 ⊆ E1 →
+ steps_lb n -∗
+ (|={E1∖E2,∅}=> |={∅}▷=>^(S n) |={∅,E1∖E2}=> P) -∗
+ WP e @ s; E2 {{ v, P ={E1}=∗ Φ v }} -∗
+ WP e @ s; E1 {{ Φ }}.
+Proof.
+ iIntros (He HE) "Hlb HP Hwp".
+ iApply wp_step_fupdN; [done|].
+ iSplit; [|by iFrame].
+ iIntros (σ ns κs nt) "(? & ? & Hsteps)".
+ iDestruct (steps_lb_valid with "Hsteps Hlb") as %Hle.
+ iApply fupd_mask_intro; [set_solver|].
+ iIntros "_". iPureIntro. rewrite /num_laters_per_step /=. lia.
+Qed.
+
(** Recursive functions: we do not use this lemmas as it is easier to use Löb
induction directly, but this demonstrates that we can state the expected
reasoning principle for recursive functions, without any visible â–·. *)
@@ -87,16 +187,20 @@ Lemma wp_fork s E e Φ :
▷ WP e @ s; ⊤ {{ _, True }} -∗ ▷ Φ (LitV LitUnit) -∗ WP Fork e @ s; E {{ Φ }}.
Proof.
iIntros "He HΦ". iApply wp_lift_atomic_head_step; [done|].
- iIntros (σ1 ns κ κs nt) "Hσ !>"; iSplit; first by eauto with head_step.
- iIntros "!>" (v2 σ2 efs Hstep); inv_head_step. by iFrame.
+ iIntros (σ1 ns κ κs nt) "(?&?&Hsteps) !>"; iSplit; first by eauto with head_step.
+ iIntros "!>" (v2 σ2 efs Hstep); inv_head_step.
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
+ by iFrame.
Qed.
Lemma twp_fork s E e Φ :
WP e @ s; ⊤ [{ _, True }] -∗ Φ (LitV LitUnit) -∗ WP Fork e @ s; E [{ Φ }].
Proof.
iIntros "He HΦ". iApply twp_lift_atomic_head_step; [done|].
- iIntros (σ1 ns κs nt) "Hσ !>"; iSplit; first by eauto with head_step.
- iIntros (κ v2 σ2 efs Hstep); inv_head_step. by iFrame.
+ iIntros (σ1 ns κs nt) "(?&?&Hsteps) !>"; iSplit; first by eauto with head_step.
+ iIntros (κ v2 σ2 efs Hstep); inv_head_step.
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
+ by iFrame.
Qed.
(** Heap *)
@@ -224,13 +328,14 @@ Lemma twp_allocN_seq s E v n :
(l +ₗ (i : nat)) ↦ v ∗ meta_token (l +ₗ (i : nat)) ⊤ }]].
Proof.
iIntros (Hn Φ) "_ HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>"; iSplit; first by destruct n; auto with lia head_step.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>"; iSplit; first by destruct n; auto with lia head_step.
iIntros (κ v2 σ2 efs Hstep); inv_head_step.
iMod (gen_heap_alloc_big _ (heap_array _ (replicate (Z.to_nat n) v)) with "Hσ")
as "(Hσ & Hl & Hm)".
{ apply heap_array_map_disjoint.
rewrite replicate_length Z2Nat.id; auto with lia. }
- iModIntro; do 2 (iSplit; first done). iFrame "Hσ Hκs". iApply "HΦ".
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
+ iModIntro; do 2 (iSplit; first done). iFrame "Hσ Hκs Hsteps". iApply "HΦ".
iApply big_sepL_sep. iSplitL "Hl".
- by iApply heap_array_to_seq_mapsto.
- iApply (heap_array_to_seq_meta with "Hm"). by rewrite replicate_length.
@@ -263,10 +368,11 @@ Lemma twp_free s E l v :
[[{ RET LitV LitUnit; True }]].
Proof.
iIntros (Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ v2 σ2 efs Hstep); inv_head_step.
iMod (gen_heap_update with "Hσ Hl") as "[$ Hl]".
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iModIntro. iSplit; first done. iSplit; first done. iFrame. by iApply "HΦ".
Qed.
Lemma wp_free s E l v :
@@ -281,10 +387,12 @@ Lemma twp_load s E l dq v :
[[{ l ↦{dq} v }]] Load (Val $ LitV $ LitLoc l) @ s; E [[{ RET v; l ↦{dq} v }]].
Proof.
iIntros (Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ v2 σ2 efs Hstep); inv_head_step.
- iModIntro; iSplit=> //. iSplit; first done. iFrame. by iApply "HΦ".
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
+ iModIntro. iSplit; [done|]. iSplit; [done|]. iFrame.
+ by iApply "HΦ".
Qed.
Lemma wp_load s E l dq v :
{{{ ▷ l ↦{dq} v }}} Load (Val $ LitV $ LitLoc l) @ s; E {{{ RET v; l ↦{dq} v }}}.
@@ -298,9 +406,10 @@ Lemma twp_store s E l v' v :
[[{ RET LitV LitUnit; l ↦ v }]].
Proof.
iIntros (Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ v2 σ2 efs Hstep); inv_head_step.
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iMod (gen_heap_update with "Hσ Hl") as "[$ Hl]".
iModIntro. iSplit; first done. iSplit; first done. iFrame. by iApply "HΦ".
Qed.
@@ -317,9 +426,10 @@ Lemma twp_xchg s E l v' v :
[[{ RET v'; l ↦ v }]].
Proof.
iIntros (Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ v2 σ2 efs Hstep); inv_head_step.
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iMod (gen_heap_update with "Hσ Hl") as "[$ Hl]".
iModIntro. iSplit; first done. iSplit; first done. iFrame. by iApply "HΦ".
Qed.
@@ -337,10 +447,11 @@ Lemma twp_cmpxchg_fail s E l dq v' v1 v2 :
[[{ RET PairV v' (LitV $ LitBool false); l ↦{dq} v' }]].
Proof.
iIntros (?? Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ v2' σ2 efs Hstep); inv_head_step.
rewrite bool_decide_false //.
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iModIntro; iSplit; first done. iSplit; first done. iFrame. by iApply "HΦ".
Qed.
Lemma wp_cmpxchg_fail s E l dq v' v1 v2 :
@@ -358,11 +469,12 @@ Lemma twp_cmpxchg_suc s E l v1 v2 v' :
[[{ RET PairV v' (LitV $ LitBool true); l ↦ v2 }]].
Proof.
iIntros (?? Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ v2' σ2 efs Hstep); inv_head_step.
rewrite bool_decide_true //.
iMod (gen_heap_update with "Hσ Hl") as "[$ Hl]".
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iModIntro. iSplit; first done. iSplit; first done. iFrame. by iApply "HΦ".
Qed.
Lemma wp_cmpxchg_suc s E l v1 v2 v' :
@@ -379,10 +491,11 @@ Lemma twp_faa s E l i1 i2 :
[[{ RET LitV (LitInt i1); l ↦ LitV (LitInt (i1 + i2)) }]].
Proof.
iIntros (Φ) "Hl HΦ". iApply twp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κs nt) "[Hσ Hκs] !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
+ iIntros (σ1 ns κs nt) "(Hσ & Hκs & Hsteps) !>". iDestruct (gen_heap_valid with "Hσ Hl") as %?.
iSplit; first by eauto with head_step.
iIntros (κ e2 σ2 efs Hstep); inv_head_step.
iMod (gen_heap_update with "Hσ Hl") as "[$ Hl]".
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iModIntro. do 2 (iSplit; first done). iFrame. by iApply "HΦ".
Qed.
Lemma wp_faa s E l i1 i2 :
@@ -399,9 +512,10 @@ Lemma wp_new_proph s E :
{{{ pvs p, RET (LitV (LitProphecy p)); proph p pvs }}}.
Proof.
iIntros (Φ) "_ HΦ". iApply wp_lift_atomic_head_step_no_fork; first done.
- iIntros (σ1 ns κ κs nt) "[Hσ HR] !>". iSplit; first by eauto with head_step.
+ iIntros (σ1 ns κ κs nt) "(Hσ & HR & Hsteps) !>". iSplit; first by eauto with head_step.
iIntros "!>" (v2 σ2 efs Hstep). inv_head_step.
rename select proph_id into p.
+ iMod (steps_auth_update_S with "Hsteps") as "Hsteps".
iMod (proph_map_new_proph p with "HR") as "[HR Hp]"; first done.
iModIntro; iSplit; first done. iFrame. by iApply "HΦ".
Qed.
@@ -458,20 +572,22 @@ Proof.
(* TODO we should try to use a generic lifting lemma (and avoid [wp_unfold])
here, since this breaks the WP abstraction. *)
iIntros (A He) "Hp WPe". rewrite !wp_unfold /wp_pre /= He. simpl in *.
- iIntros (σ1 ns κ κs nt) "[Hσ Hκ]".
+ iIntros (σ1 ns κ κs nt) "(Hσ & Hκ & Hsteps)".
destruct κ as [|[p' [w' v']] κ' _] using rev_ind.
- - iMod ("WPe" $! σ1 ns [] κs nt with "[$Hσ $Hκ]") as "[Hs WPe]". iModIntro. iSplit.
+ - iMod ("WPe" $! σ1 ns [] κs nt with "[$Hσ $Hκ $Hsteps]") as "[Hs WPe]".
+ iModIntro. iSplit.
{ iDestruct "Hs" as "%". iPureIntro. destruct s; [ by apply resolve_reducible | done]. }
iIntros (e2 σ2 efs step). exfalso. apply step_resolve in step; last done.
inv_head_step. match goal with H: ?κs ++ [_] = [] |- _ => by destruct κs end.
- rewrite -assoc.
- iMod ("WPe" $! σ1 0 _ _ nt with "[$Hσ $Hκ]") as "[Hs WPe]". iModIntro. iSplit.
+ iMod ("WPe" $! σ1 ns _ _ nt with "[$Hσ $Hκ $Hsteps]") as "[Hs WPe]". iModIntro. iSplit.
{ iDestruct "Hs" as %?. iPureIntro. destruct s; [ by apply resolve_reducible | done]. }
iIntros (e2 σ2 efs step). apply step_resolve in step; last done.
inv_head_step; simplify_list_eq.
iMod ("WPe" $! (Val w') σ2 efs with "[%]") as "WPe".
{ by eexists [] _ _. }
- iModIntro. iNext. iModIntro. iMod "WPe" as ">[[$ Hκ] WPe]".
+ iModIntro. iNext. iMod "WPe" as "WPe". iModIntro.
+ iApply (step_fupdN_wand with "WPe"); iIntros "> [($ & Hκ & $) WPe]".
iMod (proph_map_resolve_proph p' (w',v') κs with "[$Hκ $Hp]") as (vs' ->) "[$ HPost]".
iModIntro. rewrite !wp_unfold /wp_pre /=. iDestruct "WPe" as "[HΦ $]".
iMod "HΦ". iModIntro. by iApply "HΦ".
diff --git a/iris_heap_lang/total_adequacy.v b/iris_heap_lang/total_adequacy.v
index a0389c87f65d1b4b0dc8a9a6605f81f89f981617..f947da923faec7dc30a5c7e9bc61e88cada29131 100644
--- a/iris_heap_lang/total_adequacy.v
+++ b/iris_heap_lang/total_adequacy.v
@@ -1,4 +1,5 @@
From iris.proofmode Require Import proofmode.
+From iris.base_logic.lib Require Import mono_nat.
From iris.program_logic Require Export total_adequacy.
From iris.heap_lang Require Export adequacy.
From iris.heap_lang Require Import proofmode notation.
@@ -12,9 +13,12 @@ Proof.
iMod (gen_heap_init σ.(heap)) as (?) "[Hh _]".
iMod (inv_heap_init loc (option val)) as (?) ">Hi".
iMod (proph_map_init [] σ.(used_proph_id)) as (?) "Hp".
+ iMod (mono_nat_own_alloc 0) as (γ) "[Hsteps _]".
iModIntro.
iExists
- (λ σ κs _, (gen_heap_interp σ.(heap) ∗ proph_map_interp κs σ.(used_proph_id))%I),
- (λ _, True%I); iFrame.
- iApply (Hwp (HeapGS _ _ _ _ _)). done.
+ (λ σ ns κs _, (gen_heap_interp σ.(heap) ∗
+ proph_map_interp κs σ.(used_proph_id) ∗
+ mono_nat_auth_own γ 1 ns)%I),
+ id, (λ _, True%I), _; iFrame.
+ by iApply (Hwp (HeapGS _ _ _ _ _ _ _)).
Qed.