@@ -231,18 +231,18 @@ The purpose of the adequacy statement is to show that our notion of weakest prec
...
@@ -231,18 +231,18 @@ The purpose of the adequacy statement is to show that our notion of weakest prec
The most general form of the adequacy statement is about proving properties of an arbitrary program execution.
The most general form of the adequacy statement is about proving properties of an arbitrary program execution.
\begin{thm}[Adequacy]
\begin{thm}[Adequacy]
Assume we are given some $\expr_0$, $\state_0$, $\vec\obs$, $\tpool_1$, $\state_1$ such that $([\expr_0], \state_0)\tpsteps[\vec\obs](\tpool_1, \state_1)$, and we are also given a \emph{meta-level} property $\metaprop$ that we want to show.
Assume we are given some $\expr_1$, $\state_1$, $\vec\obs$, $\tpool_2$, $\state_2$ such that $([\expr_1], \state_1)\tpsteps[\vec\obs](\tpool_2, \state_2)$, and we are also given a \emph{meta-level} property $\metaprop$ that we want to show.
To verify that $\metaprop$ holds, it is sufficient to show the following Iris entailment:
To verify that $\metaprop$ holds, it is sufficient to show the following Iris entailment:
The $\hat\metaprop$ here arises because we need a way to talk about $\metaprop$ inside Iris.
The $\hat\metaprop$ here arises because we need a way to talk about $\metaprop$ inside Iris.
To this end, we assume that the signature $\Sig$ contains some assertion $\hat{\metaprop}$:
To this end, we assume that the signature $\Sig$ contains some assertion $\hat{\metaprop}$:
...
@@ -259,15 +259,15 @@ In other words, to show that $\metaprop$ holds, we have to prove an entailment i
...
@@ -259,15 +259,15 @@ In other words, to show that $\metaprop$ holds, we have to prove an entailment i
\begin{itemize}
\begin{itemize}
\item the initial state interpretation,
\item the initial state interpretation,
\item a weakest-precondition,
\item a weakest-precondition,
\item and a view shift showing the desired $\hat\metaprop$ under the extra assumption $\consstate(\tpool_1, \state_1)$.
\item and a view shift showing the desired $\hat\metaprop$ under the extra assumption $\consstate(\tpool_2, \state_2)$.
\end{itemize}
\end{itemize}
Notice that the state interpretation and the postconditions are chosen \emph{after} doing a fancy update, which allows them to depend on the names of ghost variables that are picked in that initial fancy update.
Notice that the state interpretation and the postconditions are chosen \emph{after} doing a fancy update, which allows them to depend on the names of ghost variables that are picked in that initial fancy update.
This gives us a chance to allocate some ``global'' ghost state that state interpretation and postcondition can refer to.
This gives us a chance to allocate some ``global'' ghost state that state interpretation and postcondition can refer to.
\item The final thread-pool $\tpool_1$ contains the final state of the main thread $\expr_1$, and any number of additional forked threads in $\tpool_1'$.
\item The final thread-pool $\tpool_2$ contains the final state of the main thread $\expr_2$, and any number of additional forked threads in $\tpool_2'$.
\item If this is a stuck-free weakest precondition, then all threads in the final thread-pool are either values or are reducible in the final state $\state_1$.
\item If this is a stuck-free weakest precondition, then all threads in the final thread-pool are either values or are reducible in the final state $\state_2$.
\item The state interpretation $\stateinterp$ holds for the final state.
\item The state interpretation $\stateinterp$ holds for the final state.
\item If the main thread reduced to a value, the post-condition $\pred$ of the weakest precondition holds for that value.
\item If the main thread reduced to a value, the post-condition $\pred$ of the weakest precondition holds for that value.
\item If any other thread reduced to a value, the forked-thread post-condition $\pred_F$ holds for that value.
\item If any other thread reduced to a value, the forked-thread post-condition $\pred_F$ holds for that value.
As an example for how to use this adequacy theorem, let us say we wanted to prove that a program $\expr_0$ for which we derived a $\NotStuck$ weakest-precondition cannot get stuck:
As an example for how to use this adequacy theorem, let us say we wanted to prove that a program $\expr_1$ for which we derived a $\NotStuck$ weakest-precondition cannot get stuck:
\begin{cor}[Stuck-freedom]
\begin{cor}[Stuck-freedom]
Assume we are given some $\expr_0$ such that the following holds:
Assume we are given some $\expr_1$ such that the following holds:
To prove the conclusion of this corollary, we assume some $\state_0, \vec\obs, \tpool_1, \state_1$ and $([\expr_0], \state_0)\tpsteps[\vec\obs](\tpool_1, \state_1)$, and we instantiate the main theorem with this execution and $\metaprop\eqdef\All\expr\in\tpool_1. \toval(\expr)\neq\bot\lor\red(\expr, \state_1)$.
To prove the conclusion of this corollary, we assume some $\state_1, \vec\obs, \tpool_2, \state_2$ and $([\expr_1], \state_1)\tpsteps[\vec\obs](\tpool_2, \state_2)$, and we instantiate the main theorem with this execution and $\metaprop\eqdef\All\expr\in\tpool_2. \toval(\expr)\neq\bot\lor\red(\expr, \state_2)$.
We can then show the premise of adequacy using the Iris entailment that we assumed in the corollary and:
We can then show the premise of adequacy using the Iris entailment that we assumed in the corollary and:
This proof, just like the following, also exploits that we can freely swap between meta-level universal quantification ($\All x. \TRUE\proves\prop$) and quantification in Iris ($\TRUE\proves\All x. \prop$).
This proof, just like the following, also exploits that we can freely swap between meta-level universal quantification ($\All x. \TRUE\proves\prop$) and quantification in Iris ($\TRUE\proves\All x. \prop$).
~\par
~\par
Similarly we could show that the postcondition makes adequate statements about the possible final value of the main thread:
Similarly we could show that the postcondition makes adequate statements about the possible final value of the main thread:
\begin{cor}[Adequate postcondition]
\begin{cor}[Adequate postcondition]
Assume we are given some $\expr_0$ and a set $V \subseteq\Val$ such that the following holds (assuming we can talk about sets like $V$ inside the logic):
Assume we are given some $\expr_1$ and a set $V \subseteq\Val$ such that the following holds (assuming we can talk about sets like $V$ inside the logic):
\[
\[
\TRUE\proves\All\state_0, \vec\obs. \pvs[\top]\Exists\stuckness, \stateinterp, \pred_F. \stateinterp(\state_0,\vec\obs,0)*\wpre[\stateinterp;\pred_F]{\expr_0}[\stuckness;\top]{x.\; x \in V}
\TRUE\proves\All\state_1, \vec\obs. \pvs[\top]\Exists\stuckness, \stateinterp, \pred_F. \stateinterp(\state_1,\vec\obs,0)*\wpre[\stateinterp;\pred_F]{\expr_1}[\stuckness;\top]{x.\; x \in V}
\]
\]
Then it is the case that:
Then it is the case that:
\[
\[
\All\state_0, \vec\obs, \val_1, \tpool_1, \state_1. ([\expr_0], \state_0)\tpsteps[\vec\obs]([\ofval(\val_1)]\dplus\tpool_1, \state_1)\Ra\val_1\in V
\All\state_1, \vec\obs, \val_2, \tpool_2, \state_2. ([\expr_1], \state_1)\tpsteps[\vec\obs]([\ofval(\val_2)]\dplus\tpool_2, \state_2)\Ra\val_2\in V
\]
\]
\end{cor}
\end{cor}
To show this, we assume some $\state_0, \vec\obs, \val_1, \tpool_1, \state_1$ such that $([\expr_0], \state_0)\tpsteps[\vec\obs]([\ofval(\val_1)]\dplus\tpool_1, \state_1)$, and we instantiate adequacy with this execution and $\metaprop\eqdef\val_1\in\Val$.
To show this, we assume some $\state_1, \vec\obs, \val_2, \tpool_2, \state_2$ such that $([\expr_1], \state_1)\tpsteps[\vec\obs]([\ofval(\val_2)]\dplus\tpool_2, \state_2)$, and we instantiate adequacy with this execution and $\metaprop\eqdef\val_2\in\Val$.
As a final example, we could use adequacy to show that the state $\state$ of the program is always in some set $\Sigma\subseteq\State$:
As a final example, we could use adequacy to show that the state $\state$ of the program is always in some set $\Sigma\subseteq\State$:
\begin{cor}[Adequate state interpretation]
\begin{cor}[Adequate state interpretation]
Assume we are given some $\expr_0$ and a set $\Sigma\subseteq\State$ such that the following holds (assuming we can talk about sets like $\Sigma$ inside the logic):
Assume we are given some $\expr_1$ and a set $\Sigma\subseteq\State$ such that the following holds (assuming we can talk about sets like $\Sigma$ inside the logic):
\[
\[
\TRUE\proves\All\state_0, \vec\obs. \pvs[\top]\Exists\stuckness, \stateinterp, \pred, \pred_F. \stateinterp(\state_0,\vec\obs,0)*\wpre[\stateinterp;\pred_F]{\expr_0}[\stuckness;\top]{\pred}*(\All\state_1, m. \stateinterp(\state_1,(),m)\!\vs[\top][\emptyset]\state_1\in\Sigma)
\TRUE\proves\All\state_1, \vec\obs. \pvs[\top]\Exists\stuckness, \stateinterp, \pred, \pred_F. \stateinterp(\state_1,\vec\obs,0)*\wpre[\stateinterp;\pred_F]{\expr_1}[\stuckness;\top]{\pred}*(\All\state_2, m. \stateinterp(\state_2,(),m)\!\vs[\top][\emptyset]\state_2\in\Sigma)
To show this, we assume some $\state_0, \vec\obs, \tpool_1, \state_1$ such that $([\expr_0], \state_0)\tpsteps[\vec\obs](\tpool_1, \state_1)$, and we instantiate adequacy with this execution and $\metaprop\eqdef\state_1\in\Sigma$.
To show this, we assume some $\state_1, \vec\obs, \tpool_2, \state_2$ such that $([\expr_1], \state_1)\tpsteps[\vec\obs](\tpool_2, \state_2)$, and we instantiate adequacy with this execution and $\metaprop\eqdef\state_2\in\Sigma$.
Then we have to show:
Then we have to show:
\[
\[
(\All\state_1, m. \stateinterp(\state_1,(),m)\!\vs[\top][\emptyset]\state_1\in\Sigma)\proves\consstate^{\stateinterp;\pred;\pred_F}_{\stuckness}(\tpool_1, \state_1)\vs[\top][\emptyset]\state_1\in\Sigma
(\All\state_2, m. \stateinterp(\state_2,(),m)\!\vs[\top][\emptyset]\state_2\in\Sigma)\proves\consstate^{\stateinterp;\pred;\pred_F}_{\stuckness}(\tpool_2, \state_2)\vs[\top][\emptyset]\state_2\in\Sigma
