Commit 3ca48414 authored by Robbert Krebbers's avatar Robbert Krebbers

Merge branch 'master' of gitlab.mpi-sws.org:FP/iris-coq

parents d71cbe0f 04d3ee68
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
\subsection{COFE} \subsection{COFE}
This definition varies slightly from the original one in~\cite{catlogic}.
\begin{defn}[Chain] \begin{defn}[Chain]
Given some set $\cofe$ and an indexed family $({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \mathbb{N}}$ of equivalence relations, a \emph{chain} is a function $c : \mathbb{N} \to \cofe$ such that $\All n, m. n \leq m \Ra c (m) \nequiv{n} c (n)$. Given some set $\cofe$ and an indexed family $({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \mathbb{N}}$ of equivalence relations, a \emph{chain} is a function $c : \mathbb{N} \to \cofe$ such that $\All n, m. n \leq m \Ra c (m) \nequiv{n} c (n)$.
\end{defn} \end{defn}
...@@ -22,6 +23,8 @@ ...@@ -22,6 +23,8 @@
An element $x \in \cofe$ of a COFE is called \emph{discrete} if An element $x \in \cofe$ of a COFE is called \emph{discrete} if
\[ \All y \in \cofe. x \nequiv{0} y \Ra x = y\] \[ \All y \in \cofe. x \nequiv{0} y \Ra x = y\]
A COFE $A$ is called \emph{discrete} if all its elements are discrete. A COFE $A$ is called \emph{discrete} if all its elements are discrete.
For a set $X$, we write $\Delta X$ for the discrete COFE with $x \nequiv{n} x' \eqdef x = x'$
\end{defn} \end{defn}
\begin{defn} \begin{defn}
...@@ -30,6 +33,7 @@ ...@@ -30,6 +33,7 @@
It is \emph{contractive} if It is \emph{contractive} if
\[ \All n, x \in \cofe, y \in \cofe. (\All m < n. x \nequiv{m} y) \Ra f(x) \nequiv{n} f(x) \] \[ \All n, x \in \cofe, y \in \cofe. (\All m < n. x \nequiv{m} y) \Ra f(x) \nequiv{n} f(x) \]
\end{defn} \end{defn}
The reason that contractive functions are interesting is that for every contractive $f : \cofe \to \cofe$ with $\cofe$ inhabited, there exists a fixed-point $\fix(f)$ such that $\fix(f) = f(\fix(f))$.
\begin{defn} \begin{defn}
The category $\COFEs$ consists of COFEs as objects, and non-expansive functions as arrows. The category $\COFEs$ consists of COFEs as objects, and non-expansive functions as arrows.
...@@ -52,7 +56,31 @@ Note that the composition of non-expansive (bi)functors is non-expansive, and th ...@@ -52,7 +56,31 @@ Note that the composition of non-expansive (bi)functors is non-expansive, and th
\subsection{RA} \subsection{RA}
\ralf{Copy this from the paper, when that one is more polished.} \begin{defn}
A \emph{resource algebra} (RA) is a tuple \\
$(\monoid, \mval \subseteq \monoid, \mcore{-}:
\monoid \to \monoid, (\mtimes) : \monoid \times \monoid \to \monoid)$ satisfying
\begin{align*}
\All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{ra-assoc} \\
\All \melt, \meltB.& \melt \mtimes \meltB = \meltB \mtimes \melt \tagH{ra-comm} \\
\All \melt.& \mcore\melt \mtimes \melt = \melt \tagH{ra-core-id} \\
\All \melt.& \mcore{\mcore\melt} = \mcore\melt \tagH{ra-core-idem} \\
\All \melt, \meltB.& \melt \mincl \meltB \Ra \mcore\melt \mincl \mcore\meltB \tagH{ra-core-mono} \\
\All \melt, \meltB.& (\melt \mtimes \meltB) \in \mval \Ra \melt \in \mval \tagH{ra-valid-op} \\
\text{where}\qquad %\qquad\\
\melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{ra-incl}
\end{align*}
\end{defn}
\begin{defn}
It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if
\[ \All \melt_\f. \melt \mtimes \melt_\f \in \mval \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \melt_\f \in \mval \]
We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$.
\end{defn}
\ralf{Copy the explanation from the paper, when that one is more polished.}
\subsection{CMRA} \subsection{CMRA}
...@@ -70,7 +98,8 @@ Note that the composition of non-expansive (bi)functors is non-expansive, and th ...@@ -70,7 +98,8 @@ Note that the composition of non-expansive (bi)functors is non-expansive, and th
\All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$\melt \in \mval_n \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\ \All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$\melt \in \mval_n \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\
&\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{cmra-extend} \\ &\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{cmra-extend} \\
\text{where}\qquad\qquad\\ \text{where}\qquad\qquad\\
\melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl} \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl}\\
\melt \mincl[n] \meltB \eqdef{}& \Exists \meltC. \meltB \nequiv{n} \melt \mtimes \meltC \tagH{cmra-inclN}
\end{align*} \end{align*}
\end{defn} \end{defn}
...@@ -117,7 +146,7 @@ This operation is needed to prove that $\later$ commutes with existential quanti ...@@ -117,7 +146,7 @@ This operation is needed to prove that $\later$ commutes with existential quanti
\begin{defn} \begin{defn}
It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if
\[ \All n, \melt_f. \melt \mtimes \melt_f \in \mval_n \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \melt_f \in \mval_n \] \[ \All n, \melt_\f. \melt \mtimes \melt_\f \in \mval_n \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \melt_\f \in \mval_n \]
We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$.
\end{defn} \end{defn}
......
This diff is collapsed.
...@@ -205,9 +205,64 @@ The following rules can be derived for Hoare triples. ...@@ -205,9 +205,64 @@ The following rules can be derived for Hoare triples.
\end{mathparpagebreakable} \end{mathparpagebreakable}
\paragraph{Lifting of operational semantics.} \paragraph{Lifting of operational semantics.}
We can derive some specialized forms of the lifting axioms for the operational semantics, as well as some forms that involve view shifts and Hoare triples. We can derive some specialized forms of the lifting axioms for the operational semantics.
\begin{mathparpagebreakable}
\infer[wp-lift-atomic-step]
{\atomic(\expr_1) \and
\red(\expr_1, \state_1) \and
\All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f)}
{\later\ownPhys{\state_1} * \later\All \val_2, \state_2, \expr_\f. \pred(\ofval(\val), \state_2, \expr_\f) \land \ownPhys{\state_2} \wand \prop[\val_2/\var] * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE} \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}}
\infer[wp-lift-atomic-det-step]
{\atomic(\expr_1) \and
\red(\expr_1, \state_1) \and
\All \expr'_2, \state'_2, \expr_\f'. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_2 = \state_2' \land \toval(\expr_2') = \val_2 \land \expr_\f = \expr_\f'}
{\later\ownPhys{\state_1} * \later(\ownPhys{\state_2} \wand \prop[\val_2/\var] * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE}) \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}}
\infer[wp-lift-pure-det-step]
{\toval(\expr_1) = \bot \and
\All \state_1. \red(\expr_1, \state_1) \and
\All \state_1, \expr_2', \state_2, \expr_\f'. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \expr_2 = \expr_2' \land \expr_\f = \expr_\f'}
{\later ( \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE}) \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}}
\end{mathparpagebreakable}
\ralf{Add these.} Furthermore, we derive some forms that directly involve view shifts and Hoare triples.
\begin{mathparpagebreakable}
\infer[ht-lift-step]
{\mask_2 \subseteq \mask_1 \and
\toval(\expr_1) = \bot \and
\red(\expr_1, \state_1) \and
\All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f) \\\\
\prop \vs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\prop' \and
\All \expr_2, \state_2, \expr_\f. \pred(\expr_2, \state_2, \expr_\f) * \ownPhys{\state_2} * \prop' \vs[\mask_2][\mask_1] \propB_1 * \propB_2 \\\\
\All \expr_2, \state_2, \expr_\f. \hoare{\propB_1}{\expr_2}{\Ret\val.\propC}[\mask_1] \and
\All \expr_2, \state_2, \expr_\f. \hoare{\propB_2}{\expr_\f}{\Ret\any. \TRUE}[\top]}
{ \hoare\prop{\expr_1}{\Ret\val.\propC}[\mask_1] }
\infer[ht-lift-atomic-step]
{\atomic(\expr_1) \and
\red(\expr_1, \state_1) \and
\All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f) \\\\
\prop \vs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\prop' \and
\All \expr_2, \state_2, \expr_\f. \hoare{\pred(\expr_2,\state_2,\expr_\f) * \prop}{\expr_\f}{\Ret\any. \TRUE}[\top]}
{ \hoare{\later\ownPhys{\state_1} * \later\prop}{\expr_1}{\Ret\val.\Exists \state_2, \expr_\f. \ownPhys{\state_2} * \pred(\ofval(\expr_2),\state_2,\expr_\f)}[\mask_1] }
\infer[ht-lift-pure-step]
{\toval(\expr_1) = \bot \and
\All\state_1. \red(\expr_1, \state_1) \and
\All \state_1, \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \pred(\expr_2,\expr_\f) \\\\
\All \expr_2, \expr_\f. \hoare{\pred(\expr_2,\expr_\f) * \prop}{\expr_2}{\Ret\val.\propB}[\mask_1] \and
\All \expr_2, \expr_\f. \hoare{\pred(\expr_2,\expr_\f) * \prop'}{\expr_\f}{\Ret\any. \TRUE}[\top]}
{ \hoare{\later(\prop*\prop')}{\expr_1}{\Ret\val.\propB}[\mask_1] }
\infer[ht-lift-pure-det-step]
{\toval(\expr_1) = \bot \and
\All\state_1. \red(\expr_1, \state_1) \and
\All \state_1, \expr_2', \state_2, \expr_\f'. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \expr_2 = \expr_2' \land \expr_\f = \expr_\f' \\\\
\hoare{\prop}{\expr_2}{\Ret\val.\propB}[\mask_1] \and
\hoare{\prop'}{\expr_\f}{\Ret\any. \TRUE}[\top]}
{ \hoare{\later(\prop*\prop')}{\expr_1}{\Ret\val.\propB}[\mask_1] }
\end{mathparpagebreakable}
\subsection{Global functor and ghost ownership} \subsection{Global functor and ghost ownership}
...@@ -282,6 +337,7 @@ We can now derive the following rules for this derived form of the invariant ass ...@@ -282,6 +337,7 @@ We can now derive the following rules for this derived form of the invariant ass
{\knowInv\namesp\prop \proves \propB \vs[\mask] \propC} {\knowInv\namesp\prop \proves \propB \vs[\mask] \propC}
\end{mathpar} \end{mathpar}
% TODO: These need syncing with Coq
% \subsection{STSs with interpretation}\label{sec:stsinterp} % \subsection{STSs with interpretation}\label{sec:stsinterp}
% Building on \Sref{sec:stsmon}, after constructing the monoid $\STSMon{\STSS}$ for a particular STS, we can use an invariant to tie an interpretation, $\pred : \STSS \to \Prop$, to the STS's current state, recovering CaReSL-style reasoning~\cite{caresl}. % Building on \Sref{sec:stsmon}, after constructing the monoid $\STSMon{\STSS}$ for a particular STS, we can use an invariant to tie an interpretation, $\pred : \STSS \to \Prop$, to the STS's current state, recovering CaReSL-style reasoning~\cite{caresl}.
...@@ -382,21 +438,21 @@ We can now derive the following rules for this derived form of the invariant ass ...@@ -382,21 +438,21 @@ We can now derive the following rules for this derived form of the invariant ass
% {\later\pred_\bot(a) \vs[\mask] \exists \iname \in \mask, \gname.\; \Auth(M, \pred, \gname, \iname) * \ownGhost{\gname}{\authfrag a : \auth{M}}} % {\later\pred_\bot(a) \vs[\mask] \exists \iname \in \mask, \gname.\; \Auth(M, \pred, \gname, \iname) * \ownGhost{\gname}{\authfrag a : \auth{M}}}
% \and % \and
% \axiomH{AuthOpen} % \axiomH{AuthOpen}
% {\Auth(M, \pred, \gname, \iname) \vdash \ownGhost{\gname}{\authfrag \melt : \auth{M}} \vsE[\{\iname\}][\emptyset] \exists \melt_f.\; \later\pred_\bot(\melt \mtimes \melt_f) * \ownGhost{\gname}{\authfull \melt \mtimes \melt_f, \authfrag a:\auth{M}}} % {\Auth(M, \pred, \gname, \iname) \vdash \ownGhost{\gname}{\authfrag \melt : \auth{M}} \vsE[\{\iname\}][\emptyset] \exists \melt_\f.\; \later\pred_\bot(\melt \mtimes \melt_\f) * \ownGhost{\gname}{\authfull \melt \mtimes \melt_\f, \authfrag a:\auth{M}}}
% \and % \and
% \axiomH{AuthClose} % \axiomH{AuthClose}
% {\Auth(M, \pred, \gname, \iname) \vdash \later\pred_\bot(\meltB \mtimes \melt_f) * \ownGhost{\gname}{\authfull a \mtimes \melt_f, \authfrag a:\auth{M}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{\authfrag \meltB : \auth{M}} } % {\Auth(M, \pred, \gname, \iname) \vdash \later\pred_\bot(\meltB \mtimes \melt_\f) * \ownGhost{\gname}{\authfull a \mtimes \melt_\f, \authfrag a:\auth{M}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{\authfrag \meltB : \auth{M}} }
% \end{mathpar} % \end{mathpar}
% These view shifts in turn can be used to prove variants of the invariant rules: % These view shifts in turn can be used to prove variants of the invariant rules:
% \begin{mathpar} % \begin{mathpar}
% \inferH{Auth} % \inferH{Auth}
% {\forall \melt_f.\; \hoare{\later\pred_\bot(a \mtimes \melt_f) * P}{\expr}{\Ret\val. \exists \meltB.\; \later\pred_\bot(\meltB\mtimes \melt_f) * Q}[\mask] % {\forall \melt_\f.\; \hoare{\later\pred_\bot(a \mtimes \melt_\f) * P}{\expr}{\Ret\val. \exists \meltB.\; \later\pred_\bot(\meltB\mtimes \melt_\f) * Q}[\mask]
% \and \physatomic{\expr}} % \and \physatomic{\expr}}
% {\Auth(M, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{\authfrag a:\auth{M}} * P}{\expr}{\Ret\val. \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q}[\mask \uplus \{\iname\}]} % {\Auth(M, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{\authfrag a:\auth{M}} * P}{\expr}{\Ret\val. \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q}[\mask \uplus \{\iname\}]}
% \and % \and
% \inferH{VSAuth} % \inferH{VSAuth}
% {\forall \melt_f.\; \later\pred_\bot(a \mtimes \melt_f) * P \vs[\mask_1][\mask_2] \exists \meltB.\; \later\pred_\bot(\meltB \mtimes \melt_f) * Q(\meltB)} % {\forall \melt_\f.\; \later\pred_\bot(a \mtimes \melt_\f) * P \vs[\mask_1][\mask_2] \exists \meltB.\; \later\pred_\bot(\meltB \mtimes \melt_\f) * Q(\meltB)}
% {\Auth(M, \pred, \gname, \iname) \vdash % {\Auth(M, \pred, \gname, \iname) \vdash
% \ownGhost{\gname}{\authfrag a:\auth{M}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}] % \ownGhost{\gname}{\authfrag a:\auth{M}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}]
% \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q(\meltB)} % \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q(\meltB)}
......
...@@ -86,13 +86,15 @@ ...@@ -86,13 +86,15 @@
\newcommand{\rs}{r} \newcommand{\rs}{r}
\newcommand{\rsB}{s} \newcommand{\rsB}{s}
\newcommand{\rss}{R}
\newcommand{\pres}{\pi} \newcommand{\pres}{\pi}
\newcommand{\wld}{w} \newcommand{\wld}{w}
\newcommand{\ghostRes}{g} \newcommand{\ghostRes}{g}
%% Various pieces of syntax %% Various pieces of syntax
\newcommand{\wsat}[4]{#1 \models_{#2} #3; #4} \newcommand{\wsat}[3]{#1 \models_{#2} #3}
\newcommand{\wsatpre}{\textdom{pre-wsat}}
\newcommand{\wtt}[2]{#1 : #2} % well-typed term \newcommand{\wtt}[2]{#1 : #2} % well-typed term
...@@ -114,6 +116,7 @@ ...@@ -114,6 +116,7 @@
\newcommand{\UPred}{\textdom{UPred}} \newcommand{\UPred}{\textdom{UPred}}
\newcommand{\mProp}{\textdom{Prop}} % meta-level prop \newcommand{\mProp}{\textdom{Prop}} % meta-level prop
\newcommand{\iProp}{\textdom{iProp}} \newcommand{\iProp}{\textdom{iProp}}
\newcommand{\iPreProp}{\textdom{iPreProp}}
\newcommand{\Wld}{\textdom{Wld}} \newcommand{\Wld}{\textdom{Wld}}
\newcommand{\Res}{\textdom{Res}} \newcommand{\Res}{\textdom{Res}}
...@@ -121,6 +124,7 @@ ...@@ -121,6 +124,7 @@
\newcommand{\cofeB}{U} \newcommand{\cofeB}{U}
\newcommand{\COFEs}{\mathcal{U}} % category of COFEs \newcommand{\COFEs}{\mathcal{U}} % category of COFEs
\newcommand{\iFunc}{\Sigma} \newcommand{\iFunc}{\Sigma}
\newcommand{\fix}{\textdom{fix}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% CMRA (RESOURCE ALGEBRA) SYMBOLS & NOTATION & IDENTIFIERS % CMRA (RESOURCE ALGEBRA) SYMBOLS & NOTATION & IDENTIFIERS
...@@ -136,6 +140,8 @@ ...@@ -136,6 +140,8 @@
\newcommand{\melts}{A} \newcommand{\melts}{A}
\newcommand{\meltsB}{B} \newcommand{\meltsB}{B}
\newcommand{\f}{\mathrm{f}} % for "frame"
\newcommand{\mcar}[1]{|#1|} \newcommand{\mcar}[1]{|#1|}
\newcommand{\mcarp}[1]{\mcar{#1}^{+}} \newcommand{\mcarp}[1]{\mcar{#1}^{+}}
\newcommand{\munit}{\varepsilon} \newcommand{\munit}{\varepsilon}
...@@ -221,7 +227,7 @@ ...@@ -221,7 +227,7 @@
\newcommand*{\knowInv}[2]{\boxedassert{#2}[#1]} \newcommand*{\knowInv}[2]{\boxedassert{#2}[#1]}
\newcommand*{\ownGhost}[2]{\boxedassert[densely dashed]{#2}[#1]} \newcommand*{\ownGhost}[2]{\boxedassert[densely dashed]{#2}[#1]}
\newcommand*{\ownGGhost}[1]{\boxedassert[densely dashed]{#1}} \newcommand*{\ownGGhost}[1]{\boxedassert[densely dashed]{#1}}
\newcommand{\ownM}[1]{\textlog{Own}(#1)}
\newcommand{\ownPhys}[1]{\textlog{Phy}(#1)} \newcommand{\ownPhys}[1]{\textlog{Phy}(#1)}
%% View Shifts %% View Shifts
...@@ -286,7 +292,7 @@ ...@@ -286,7 +292,7 @@
%% Some commonly used identifiers %% Some commonly used identifiers
\newcommand{\timeless}[1]{\textlog{timeless}(#1)} \newcommand{\timeless}[1]{\textlog{timeless}(#1)}
\newcommand{\physatomic}[1]{\textlog{$#1$ phys.\ atomic}} \newcommand{\physatomic}[1]{\textlog{atomic}($#1$)}
\newcommand{\infinite}{\textlog{infinite}} \newcommand{\infinite}{\textlog{infinite}}
\newcommand{\Prop}{\textlog{Prop}} \newcommand{\Prop}{\textlog{Prop}}
...@@ -321,13 +327,14 @@ ...@@ -321,13 +327,14 @@
% Agreement % Agreement
\newcommand{\agm}{\ensuremath{\textmon{Ag}}} \newcommand{\agm}{\ensuremath{\textmon{Ag}}}
\newcommand{\ag}{\textlog{ag}} \newcommand{\aginj}{\textlog{ag}}
% Fraction % Fraction
\newcommand{\fracm}{\ensuremath{\textmon{Frac}}} \newcommand{\fracm}{\ensuremath{\textmon{Frac}}}
% Exclusive % Exclusive
\newcommand{\exm}{\ensuremath{\textmon{Ex}}} \newcommand{\exm}{\ensuremath{\textmon{Ex}}}
\newcommand{\exinj}{\textlog{ex}}
% Auth % Auth
\newcommand{\authm}{\textmon{Auth}} \newcommand{\authm}{\textmon{Auth}}
......
...@@ -33,8 +33,8 @@ ...@@ -33,8 +33,8 @@
\endgroup\clearpage\begingroup \endgroup\clearpage\begingroup
\input{logic} \input{logic}
\endgroup\clearpage\begingroup \endgroup\clearpage\begingroup
%\input{model} \input{model}
%\endgroup\clearpage\begingroup \endgroup\clearpage\begingroup
\input{derived} \input{derived}
\endgroup\clearpage\begingroup \endgroup\clearpage\begingroup
\printbibliography \printbibliography
......
...@@ -7,7 +7,7 @@ A \emph{language} $\Lang$ consists of a set \textdom{Expr} of \emph{expressions} ...@@ -7,7 +7,7 @@ A \emph{language} $\Lang$ consists of a set \textdom{Expr} of \emph{expressions}
\end{mathpar} \end{mathpar}
\item There exists a \emph{primitive reduction relation} \[(-,- \step -,-,-) \subseteq \textdom{Expr} \times \textdom{State} \times \textdom{Expr} \times \textdom{State} \times (\textdom{Expr} \uplus \set{\bot})\] \item There exists a \emph{primitive reduction relation} \[(-,- \step -,-,-) \subseteq \textdom{Expr} \times \textdom{State} \times \textdom{Expr} \times \textdom{State} \times (\textdom{Expr} \uplus \set{\bot})\]
We will write $\expr_1, \state_1 \step \expr_2, \state_2$ for $\expr_1, \state_1 \step \expr_2, \state_2, \bot$. \\ We will write $\expr_1, \state_1 \step \expr_2, \state_2$ for $\expr_1, \state_1 \step \expr_2, \state_2, \bot$. \\
A reduction $\expr_1, \state_1 \step \expr_2, \state_2, \expr'$ indicates that, when $\expr_1$ reduces to $\expr$, a \emph{new thread} $\expr'$ is forked off. A reduction $\expr_1, \state_1 \step \expr_2, \state_2, \expr_\f$ indicates that, when $\expr_1$ reduces to $\expr$, a \emph{new thread} $\expr_\f$ is forked off.
\item All values are stuck: \item All values are stuck:
\[ \expr, \_ \step \_, \_, \_ \Ra \toval(\expr) = \bot \] \[ \expr, \_ \step \_, \_, \_ \Ra \toval(\expr) = \bot \]
\item There is a predicate defining \emph{atomic} expressions satisfying \item There is a predicate defining \emph{atomic} expressions satisfying
...@@ -16,7 +16,7 @@ A \emph{language} $\Lang$ consists of a set \textdom{Expr} of \emph{expressions} ...@@ -16,7 +16,7 @@ A \emph{language} $\Lang$ consists of a set \textdom{Expr} of \emph{expressions}
{\All\expr. \atomic(\expr) \Ra \toval(\expr) = \bot} \and {\All\expr. \atomic(\expr) \Ra \toval(\expr) = \bot} \and
{{ {{
\begin{inbox} \begin{inbox}
\All\expr_1, \state_1, \expr_2, \state_2, \expr'. \atomic(\expr_1) \land \expr_1, \state_1 \step \expr_2, \state_2, \expr' \Ra {}\\\qquad\qquad\qquad\quad~~ \Exists \val_2. \toval(\expr_2) = \val_2 \All\expr_1, \state_1, \expr_2, \state_2, \expr_\f. \atomic(\expr_1) \land \expr_1, \state_1 \step \expr_2, \state_2, \expr_\f \Ra {}\\\qquad\qquad\qquad\quad~~ \Exists \val_2. \toval(\expr_2) = \val_2
\end{inbox} \end{inbox}
}} }}
\end{mathpar} \end{mathpar}
...@@ -26,7 +26,7 @@ It does not matter whether they fork off an arbitrary expression. ...@@ -26,7 +26,7 @@ It does not matter whether they fork off an arbitrary expression.
\begin{defn} \begin{defn}
An expression $\expr$ and state $\state$ are \emph{reducible} (written $\red(\expr, \state)$) if An expression $\expr$ and state $\state$ are \emph{reducible} (written $\red(\expr, \state)$) if
\[ \Exists \expr_2, \state_2, \expr'. \expr,\state \step \expr_2,\state_2,\expr' \] \[ \Exists \expr_2, \state_2, \expr_\f. \expr,\state \step \expr_2,\state_2,\expr_\f \]
\end{defn} \end{defn}
\begin{defn}[Context] \begin{defn}[Context]
...@@ -35,9 +35,9 @@ It does not matter whether they fork off an arbitrary expression. ...@@ -35,9 +35,9 @@ It does not matter whether they fork off an arbitrary expression.
\item $\lctx$ does not turn non-values into values:\\ \item $\lctx$ does not turn non-values into values:\\
$\All\expr. \toval(\expr) = \bot \Ra \toval(\lctx(\expr)) = \bot $ $\All\expr. \toval(\expr) = \bot \Ra \toval(\lctx(\expr)) = \bot $
\item One can perform reductions below $\lctx$:\\ \item One can perform reductions below $\lctx$:\\
$\All \expr_1, \state_1, \expr_2, \state_2, \expr'. \expr_1, \state_1 \step \expr_2,\state_2,\expr' \Ra \lctx(\expr_1), \state_1 \step \lctx(\expr_2),\state_2,\expr' $ $\All \expr_1, \state_1, \expr_2, \state_2, \expr_\f. \expr_1, \state_1 \step \expr_2,\state_2,\expr_\f \Ra \lctx(\expr_1), \state_1 \step \lctx(\expr_2),\state_2,\expr_\f $
\item Reductions stay below $\lctx$ until there is a value in the hole:\\ \item Reductions stay below $\lctx$ until there is a value in the hole:\\
$\All \expr_1', \state_1, \expr_2, \state_2, \expr'. \toval(\expr_1') = \bot \land \lctx(\expr_1'), \state_1 \step \expr_2,\state_2,\expr' \Ra \Exists\expr_2'. \expr_2 = \lctx(\expr_2') \land \expr_1', \state_1 \step \expr_2',\state_2,\expr' $ $\All \expr_1', \state_1, \expr_2, \state_2, \expr_\f. \toval(\expr_1') = \bot \land \lctx(\expr_1'), \state_1 \step \expr_2,\state_2,\expr_\f \Ra \Exists\expr_2'. \expr_2 = \lctx(\expr_2') \land \expr_1', \state_1 \step \expr_2',\state_2,\expr_\f $
\end{enumerate} \end{enumerate}
\end{defn} \end{defn}
...@@ -54,9 +54,9 @@ For any language $\Lang$, we define the corresponding thread-pool semantics. ...@@ -54,9 +54,9 @@ For any language $\Lang$, we define the corresponding thread-pool semantics.
\cfg{\tpool'}{\state'}} \cfg{\tpool'}{\state'}}
\begin{mathpar} \begin{mathpar}
\infer \infer
{\expr_1, \state_1 \step \expr_2, \state_2, \expr' \and \expr' \neq ()} {\expr_1, \state_1 \step \expr_2, \state_2, \expr_\f \and \expr_\f \neq \bot}
{\cfg{\tpool \dplus [\expr_1] \dplus \tpool'}{\state} \step {\cfg{\tpool \dplus [\expr_1] \dplus \tpool'}{\state} \step
\cfg{\tpool \dplus [\expr_2] \dplus \tpool' \dplus [\expr']}{\state'}} \cfg{\tpool \dplus [\expr_2] \dplus \tpool' \dplus [\expr_\f]}{\state'}}
\and\infer \and\infer
{\expr_1, \state_1 \step \expr_2, \state_2} {\expr_1, \state_1 \step \expr_2, \state_2}
{\cfg{\tpool \dplus [\expr_1] \dplus \tpool'}{\state} \step {\cfg{\tpool \dplus [\expr_1] \dplus \tpool'}{\state} \step
...@@ -124,7 +124,7 @@ Iris syntax is built up from a signature $\Sig$ and a countably infinite set $\t ...@@ -124,7 +124,7 @@ Iris syntax is built up from a signature $\Sig$ and a countably infinite set $\t
\prop * \prop \mid \prop * \prop \mid
\prop \wand \prop \mid \prop \wand \prop \mid
\\& \\&
\MU \var:\type. \pred \mid \MU \var:\type. \term \mid
\Exists \var:\type. \prop \mid \Exists \var:\type. \prop \mid
\All \var:\type. \prop \mid \All \var:\type. \prop \mid
\\& \\&
...@@ -136,7 +136,7 @@ Iris syntax is built up from a signature $\Sig$ and a countably infinite set $\t ...@@ -136,7 +136,7 @@ Iris syntax is built up from a signature $\Sig$ and a countably infinite set $\t
\pvs[\term][\term] \prop\mid \pvs[\term][\term] \prop\mid
\wpre{\term}[\term]{\Ret\var.\term} \wpre{\term}[\term]{\Ret\var.\term}
\end{align*} \end{align*}
Recursive predicates must be \emph{guarded}: in $\MU \var. \pred$, the variable $\var$ can only appear under the later $\later$ modality. Recursive predicates must be \emph{guarded}: in $\MU \var. \term$, the variable $\var$ can only appear under the later $\later$ modality.
Note that $\always$ and $\later$ bind more tightly than $*$, $\wand$, $\land$, $\lor$, and $\Ra$. Note that $\always$ and $\later$ bind more tightly than $*$, $\wand$, $\land$, $\lor$, and $\Ra$.
We will write $\pvs[\term] \prop$ for $\pvs[\term][\term] \prop$. We will write $\pvs[\term] \prop$ for $\pvs[\term][\term] \prop$.
...@@ -170,8 +170,6 @@ We introduce additional metavariables ranging over terms and generally let the c ...@@ -170,8 +170,6 @@ We introduce additional metavariables ranging over terms and generally let the c
\] \]
\paragraph{Variable conventions.} \paragraph{Variable conventions.}
We often abuse notation, using the preceding \emph{term} meta-variables to range over (bound) \emph{variables}.
We omit type annotations in binders, when the type is clear from context.
We assume that, if a term occurs multiple times in a rule, its free variables are exactly those binders which are available at every occurrence. We assume that, if a term occurs multiple times in a rule, its free variables are exactly those binders which are available at every occurrence.
...@@ -538,7 +536,7 @@ This is entirely standard. ...@@ -538,7 +536,7 @@ This is entirely standard.
{\pvs[\mask_1][\mask_2] \pvs[\mask_2][\mask_3] \prop \proves \pvs[\mask_1][\mask_3] \prop} {\pvs[\mask_1][\mask_2] \pvs[\mask_2][\mask_3] \prop \proves \pvs[\mask_1][\mask_3] \prop}
\infer[pvs-mask-frame] \infer[pvs-mask-frame]
{}{\pvs[\mask_1][\mask_2] \prop \proves \pvs[\mask_1 \uplus \mask_f][\mask_2 \uplus \mask_f] \prop} {}{\pvs[\mask_1][\mask_2] \prop \proves \pvs[\mask_1 \uplus \mask_\f][\mask_2 \uplus \mask_\f] \prop}
\infer[pvs-frame] \infer[pvs-frame]
{}{\propB * \pvs[\mask_1][\mask_2]\prop \proves \pvs[\mask_1][\mask_2] \propB * \prop} {}{\propB * \pvs[\mask_1][\mask_2]\prop \proves \pvs[\mask_1][\mask_2] \propB * \prop}
...@@ -596,17 +594,19 @@ This is entirely standard. ...@@ -596,17 +594,19 @@ This is entirely standard.
{\mask_2 \subseteq \mask_1 \and {\mask_2 \subseteq \mask_1 \and
\toval(\expr_1) = \bot \and \toval(\expr_1) = \bot \and
\red(\expr_1, \state_1) \and \red(\expr_1, \state_1) \and
\All \expr_2, \state_2, \expr'. \expr_1,\state_1 \step \expr_2,\state_2,\expr' \Ra \pred(\expr_2,\state_2,\expr')} \All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f)}
{\pvs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\All \expr_2, \state_2, \expr'. \pred(\expr_2, \state_2, \expr') \land \ownPhys{\state_2} \wand \pvs[\mask_2][\mask_1] \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr'}[\top]{\Ret\var.\TRUE} {}\\\proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} { {\begin{inbox} % for some crazy reason, LaTeX is actually sensitive to the space between the "{ {" here and the "} }" below...
~~\pvs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\All \expr_2, \state_2, \expr_\f. \pred(\expr_2, \state_2, \expr_\f) \land {}\\\qquad\qquad\qquad\qquad\qquad \ownPhys{\state_2} \wand \pvs[\mask_2][\mask_1] \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE} {}\\\proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}
\end{inbox}} }
\infer[wp-lift-pure-step] \infer[wp-lift-pure-step]
{\toval(\expr_1) = \bot \and {\toval(\expr_1) = \bot \and
\All \state_1. \red(\expr_1, \state_1) \and \All \state_1. \red(\expr_1, \state_1) \and
\All \state_1, \expr_2, \state_2, \expr'. \expr_1,\state_1 \step \expr_2,\state_2,\expr' \Ra \state_1 = \state_2 \land \pred(\expr_2,\expr')} \All \state_1, \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \pred(\expr_2,\expr_\f)}
{\later\All \expr_2, \expr'. \pred(\expr_2, \expr') \wand \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr'}[\top]{\Ret\var.\TRUE} \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} {\later\All \expr_2, \expr_\f. \pred(\expr_2, \expr_\f) \Ra \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE} \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}}
\end{mathpar} \end{mathpar}
Here we define $\wpre{\expr'}[\mask]{\Ret\var.\prop} \eqdef \TRUE$ if $\expr' = \bot$ (remember that our stepping relation can, but does not have to, define a forked-off expression). Here we define $\wpre{\expr_\f}[\mask]{\Ret\var.\prop} \eqdef \TRUE$ if $\expr_\f = \bot$ (remember that our stepping relation can, but does not have to, define a forked-off expression).
\subsection{Adequacy} \subsection{Adequacy}
......
This diff is collapsed.
...@@ -447,7 +447,7 @@ Proof. ...@@ -447,7 +447,7 @@ Proof.
end; auto with f_equal. end; auto with f_equal.
Qed. Qed.
Instance: Inj (=) (=) of_val. Instance of_val_inj : Inj (=) (=) of_val.
Proof. by intros ?? Hv; apply (inj Some); rewrite -!to_of_val Hv. Qed. Proof. by intros ?? Hv; apply (inj Some); rewrite -!to_of_val Hv. Qed.
Instance fill_item_inj Ki : Inj (=) (=) (fill_item Ki). Instance fill_item_inj Ki : Inj (=) (=) (fill_item Ki).
......
...@@ -25,16 +25,18 @@ Lemma wp_alloc_pst E σ e v Φ : ...@@ -25,16 +25,18 @@ Lemma wp_alloc_pst E σ e v Φ :
WP Alloc e @ E {{ Φ }}. WP Alloc e @ E {{ Φ }}.
Proof. Proof.
(* TODO RJ: This works around ssreflect bug #22. *) (* TODO RJ: This works around ssreflect bug #22. *)
intros. set (φ v' σ' ef := l, intros. set (φ (e' : expr []) σ' ef := l,
ef = None v' = LocV l σ' = <[l:=v]>σ σ !! l = None). ef = None e' = Loc l σ' = <[l:=v]>σ σ !! l = None).
rewrite -(wp_lift_atomic_step (Alloc e) φ σ) // /φ; rewrite -(wp_lift_atomic_step (Alloc e) φ σ) // /φ;
last by intros; inv_step; eauto 8. last (by intros; inv_step; eauto 8); last (by simpl; eauto).
apply sep_mono, later_mono; first done. apply sep_mono, later_mono; first done.
apply forall_intro=>e2; apply forall_intro=>σ2; apply forall_intro=>ef. apply forall_intro=>v2; apply forall_intro=>σ2; apply forall_intro=>ef.
apply wand_intro_l. apply wand_intro_l.
rewrite always_and_sep_l -assoc -always_and_sep_l. rewrite always_and_sep_l -assoc -always_and_sep_l.
apply const_elim_l=>-[l [-> [-> [-> ?]]]]. apply const_elim_l=>-[l [-> [Hl [-> ?]]]].
by rewrite (forall_elim l) right_id const_equiv // left_id wand_elim_r. rewrite (forall_elim l) right_id const_equiv // left_id wand_elim_r.
rewrite -(of_to_val (Loc l) (LocV l)) // in Hl. apply of_val_inj in Hl.
by subst.
Qed. Qed.
Lemma wp_load_pst E σ l v Φ : Lemma wp_load_pst E σ l v Φ :
...@@ -42,7 +44,7 @@ Lemma wp_load_pst E σ l v Φ : ...@@ -42,7 +44,7 @@ Lemma wp_load_pst E σ l v Φ :
( ownP σ (ownP σ - Φ v)) WP Load (Loc l) @ E {{ Φ }}. ( ownP σ (ownP σ - Φ v)) WP Load (Loc l) @ E {{ Φ }}.
Proof. Proof.
intros. rewrite -(wp_lift_atomic_det_step σ v σ None) ?right_id //; intros. rewrite -(wp_lift_atomic_det_step σ v σ None) ?right_id //;
last by intros; inv_step; eauto using to_of_val. last (by intros; inv_step; eauto using to_of_val); simpl; by eauto.
Qed. Qed.
Lemma wp_store_pst E σ l e v v' Φ : Lemma wp_store_pst E σ l e v v' Φ :
...@@ -51,7 +53,7 @@ Lemma wp_store_pst E σ l e v v' Φ : ...@@ -51,7 +53,7 @@ Lemma wp_store_pst E σ l e v v' Φ :
WP Store (Loc l) e @ E {{ Φ }}. WP Store (Loc l) e @ E {{ Φ }}.
Proof. Proof.
intros. rewrite -(wp_lift_atomic_det_step σ (LitV LitUnit) (<[l:=v]>σ) None) intros. rewrite -(wp_lift_atomic_det_step σ (LitV LitUnit) (<[l:=v]>σ) None)
?right_id //; last by intros; inv_step; eauto. ?right_id //; last (by intros; inv_step; eauto); simpl; by eauto.
Qed. Qed.
Lemma wp_cas_fail_pst E σ l e1 v1 e2 v2 v' Φ : Lemma wp_cas_fail_pst E σ l e1 v1 e2 v2 v' Φ :
...@@ -60,7 +62,8 @@ Lemma wp_cas_fail_pst E σ l e1 v1 e2 v2 v' Φ : ...@@ -60,7 +62,8 @@ Lemma wp_cas_fail_pst E σ l e1 v1 e2 v2 v' Φ :
WP CAS (Loc l) e1 e2 @ E {{ Φ }}. WP CAS (Loc l) e1 e2 @ E {{ Φ }}.
Proof. Proof.
intros. rewrite -(wp_lift_atomic_det_step σ (LitV $ LitBool false) σ None) intros. rewrite -(wp_lift_atomic_det_step σ (LitV $ LitBool false) σ None)
?right_id //; last by intros; inv_step; eauto. ?right_id //; last (by intros; inv_step; eauto);
simpl; split_and?; by eauto.
Qed. Qed.
Lemma wp_cas_suc_pst E σ l e1 v1 e2 v2 Φ : Lemma wp_cas_suc_pst E σ l e1 v1 e2 v2 Φ :
...@@ -69,7 +72,8 @@ Lemma wp_cas_suc_pst E σ l e1 v1 e2 v2 Φ : ...@@ -69,7 +72,8 @@ Lemma wp_cas_suc_pst E σ l e1 v1 e2 v2 Φ :
WP CAS (Loc l) e1 e2 @ E {{ Φ }}. WP CAS (Loc l) e1 e2 @ E {{ Φ }}.
Proof. Proof.
intros. rewrite -(wp_lift_atomic_det_step σ (LitV $ LitBool true) intros. rewrite -(wp_lift_atomic_det_step σ (LitV $ LitBool true)
(<[l:=v2]>σ) None) ?right_id //; last by intros; inv_step; eauto. (<[l:=v2]>σ) None) ?right_id //; last (by intros; inv_step; eauto);
simpl; split_and?; by eauto.
Qed. Qed.
(** Base axioms for core primitives of the language: Stateless reductions *) (** Base axioms for core primitives of the language: Stateless reductions *)
......
...@@ -23,19 +23,19 @@ Lemma ht_lift_step E1 E2 ...@@ -23,19 +23,19 @@ Lemma ht_lift_step E1 E2
E2 E1 to_val e1 = None E2 E1 to_val e1 = None
reducible e1 σ1