auth.v 4.97 KB
Newer Older
Robbert Krebbers's avatar
Robbert Krebbers committed
1
From algebra Require Export auth.
2
From program_logic Require Export invariants ghost_ownership.
3
Import uPred.
4

5
6
7
8
9
10
Class AuthInG Λ Σ (i : gid) (A : cmraT) `{Empty A} := {
  auth_inG :> InG Λ Σ i (authRA A);
  auth_identity :> CMRAIdentity A;
  auth_timeless (a : A) :> Timeless a;
}.

11
12
(* TODO: Once we switched to RAs, it is no longer necessary to remember that a is
   constantly valid. *)
13
Definition auth_inv {Λ Σ A} (i : gid) `{AuthInG Λ Σ i A}
14
  (γ : gname) (φ : A  iPropG Λ Σ) : iPropG Λ Σ := ( a, (■✓a  own i γ ( a))  φ a)%I.
15
16
17
18
19
20
21
22
Definition auth_own {Λ Σ A} (i : gid) `{AuthInG Λ Σ i A}
  (γ : gname) (a : A) : iPropG Λ Σ := own i γ ( a).
Definition auth_ctx {Λ Σ A} (i : gid) `{AuthInG Λ Σ i A}
    (γ : gname) (N : namespace) (φ : A  iPropG Λ Σ) : iPropG Λ Σ :=
  inv N (auth_inv i γ φ).
Instance: Params (@auth_inv) 7.
Instance: Params (@auth_own) 7.
Instance: Params (@auth_ctx) 8.
23

24
Section auth.
25
  Context `{AuthInG Λ Σ AuthI A}.
26
  Context (φ : A  iPropG Λ Σ) {φ_proper : Proper (() ==> ()) φ}.
27
  Implicit Types N : namespace.
28
  Implicit Types P Q R : iPropG Λ Σ.
29
30
31
  Implicit Types a b : A.
  Implicit Types γ : gname.

32
33
  Lemma auth_alloc N a :
     a  φ a  pvs N N ( γ, auth_ctx AuthI γ N φ  auth_own AuthI γ a).
34
  Proof.
35
36
37
38
    intros Ha. rewrite -(right_id True%I ()%I (φ _)).
    rewrite (own_alloc AuthI (Auth (Excl a) a) N) //; [].
    rewrite pvs_frame_l. apply pvs_strip_pvs.
    rewrite sep_exist_l. apply exist_elim=>γ. rewrite -(exist_intro γ).
39
    transitivity ( auth_inv AuthI γ φ  auth_own AuthI γ a)%I.
40
    { rewrite /auth_inv -later_intro -(exist_intro a).
41
      rewrite const_equiv // left_id.
42
      rewrite [(_  φ _)%I]comm -assoc. apply sep_mono; first done.
43
44
      rewrite /auth_own -own_op auth_both_op. done. }
    rewrite (inv_alloc N) /auth_ctx pvs_frame_r. apply pvs_mono.
45
    by rewrite always_and_sep_l.
46
47
  Qed.

48
  Lemma auth_empty γ E : True  pvs E E (auth_own AuthI γ ).
49
50
  Proof. by rewrite own_update_empty /auth_own. Qed.

51
  Lemma auth_opened E a γ :
52
    ( auth_inv AuthI γ φ  auth_own AuthI γ a)
53
     pvs E E ( a', ■✓(a  a')   φ (a  a')  own AuthI γ ( (a  a')   a)).
Ralf Jung's avatar
Ralf Jung committed
54
  Proof.
55
    rewrite /auth_inv. rewrite later_exist sep_exist_r. apply exist_elim=>b.
56
57
58
    rewrite later_sep [((_  _))%I]pvs_timeless !pvs_frame_r. apply pvs_mono.
    rewrite always_and_sep_l -!assoc. apply const_elim_sep_l=>Hv.
    rewrite /auth_own [(▷φ _  _)%I]comm assoc -own_op.
59
60
    rewrite own_valid_r auth_validI /= and_elim_l sep_exist_l sep_exist_r /=.
    apply exist_elim=>a'.
61
    rewrite left_id -(exist_intro a').
Ralf Jung's avatar
Ralf Jung committed
62
    apply (eq_rewrite b (a  a')
63
64
              (λ x, ■✓x  ▷φ x  own AuthI γ ( x   a))%I).
    { by move=>n ? ? /timeless_iff ->. }
65
    { by eauto with I. }
66
    rewrite const_equiv // left_id comm.
Ralf Jung's avatar
Ralf Jung committed
67
68
69
    apply sep_mono; first done.
    by rewrite sep_elim_l.
  Qed.
Ralf Jung's avatar
Ralf Jung committed
70

71
72
  Lemma auth_closing E `{!LocalUpdate Lv L} a a' γ :
    Lv a   (L a  a') 
73
    ( φ (L a  a')  own AuthI γ ( (a  a')   a))
74
     pvs E E ( auth_inv AuthI γ φ  auth_own AuthI γ (L a)).
Ralf Jung's avatar
Ralf Jung committed
75
  Proof.
76
    intros HL Hv. rewrite /auth_inv /auth_own -(exist_intro (L a  a')).
77
    rewrite later_sep [(_  ▷φ _)%I]comm -assoc.
Ralf Jung's avatar
Ralf Jung committed
78
    rewrite -pvs_frame_l. apply sep_mono; first done.
79
    rewrite const_equiv // left_id -later_intro -own_op.
80
    by apply own_update, (auth_local_update_l L).
Ralf Jung's avatar
Ralf Jung committed
81
82
  Qed.

83
  (* Notice how the user has to prove that `b⋅a'` is valid at all
84
85
     step-indices. However, since A is timeless, that should not be
     a restriction.  *)
86
  Lemma auth_fsa {B C} (fsa : FSA Λ (globalF Σ) B) `{!FrameShiftAssertion fsaV fsa}
Ralf Jung's avatar
Ralf Jung committed
87
       L {Lv} {LU :  c:C, LocalUpdate (Lv c) (L c)} N E P (Q : B  iPropG Λ Σ) γ a :
88
    fsaV 
Ralf Jung's avatar
Ralf Jung committed
89
    nclose N  E 
90
    P  auth_ctx AuthI γ N φ 
91
92
93
    P  (auth_own AuthI γ a  ( a',
            (a  a')   φ (a  a') -
          fsa (E  nclose N) (λ x,
94
95
             c,  (Lv c a  (L c aa'))   φ (L c a  a') 
            (auth_own AuthI γ (L c a) - Q x)))) 
96
    P  fsa E Q.
Ralf Jung's avatar
Ralf Jung committed
97
  Proof.
98
99
    rewrite /auth_ctx=>? HN Hinv Hinner.
    eapply (inv_fsa fsa); eauto. rewrite Hinner=>{Hinner Hinv P}.
100
    apply wand_intro_l.
101
    rewrite assoc auth_opened !pvs_frame_r !sep_exist_r.
102
    apply (fsa_strip_pvs fsa). apply exist_elim=>a'.
103
    rewrite (forall_elim a'). rewrite [(_  _)%I]comm.
104
105
106
    (* Getting this wand eliminated is really annoying. *)
    rewrite [(_  _)%I]comm -!assoc [(▷φ _  _  _)%I]assoc [(▷φ _  _)%I]comm.
    rewrite wand_elim_r fsa_frame_l.
107
108
    apply (fsa_mono_pvs fsa)=> x. rewrite sep_exist_l. apply exist_elim=>c.
    rewrite comm -!assoc. apply const_elim_sep_l=>-[HL Hv].
109
    rewrite assoc [(_  (_ - _))%I]comm -assoc.
110
    rewrite auth_closing //; []. erewrite pvs_frame_l. apply pvs_mono.
111
    by rewrite assoc [(_  _)%I]comm -assoc wand_elim_l.
Ralf Jung's avatar
Ralf Jung committed
112
  Qed.
113
End auth.