prove spsc example with queue graph spec
1 unresolved thread
1 unresolved thread
Merge request reports
Activity
requested review from @haidang
93 | EmpDeqs_intro 94 (EMPS : 95 ∀ i x (XI : xs !! i = Some x), 96 ∃ xV, G.(Es) !! x = Some xV ∧ xV.(ge_event) = EmpDeq) 97 . 98 99 Local Hint Constructors Produced Consumed EmpDeqs : core. 100 101 (* [vl]: values that will be produced *) 102 Definition PCInv q γg γe γd γx vl : vProp := ∃ G es ds xs, 103 Q.(QueueInv) γg q G ∗ 104 Events γe (1/2) es ∗ (* enqueues ordered by po *) 105 Events γd (1/2) ds ∗ (* dequeues ordered by po *) 106 Events γx (1/2) xs ∗ (* empty deqeueus ordered by po *) 107 108 ⌜ seq 0 (length G.(Es)) ≡ₚ es ++ ds ++ xs ∧ changed this line in version 2 of the diff
I think the graph part is useful in the sense that it already tracks the history for you. Using only an abstract state spec you'd need more ghost state to track that history. This particular example needs both the abstract state and the history and their relation, that's why I thought the hybrid spec would be the most useful. Of course if the hybrid spec is not strong enough yet, we don't have to do it right now.
mentioned in commit e41906eb
Please register or sign in to reply