Commit 3f321758 authored by Jacques-Henri Jourdan

Merge branch 'jh/upred_alt' into 'master'

Prove that uPred is complete even if we remove the validity restriction in uPred_closed.

See merge request FP/iris-coq!99
parents bba89517 a603fe3a
Pipeline #5800 passed with stages in 10 minutes and 9 seconds
...@@ -53,6 +53,16 @@ In particular: ...@@ -53,6 +53,16 @@ In particular:
The function space $(-) \nfn (-)$ is a locally non-expansive bifunctor. The function space $(-) \nfn (-)$ is a locally non-expansive bifunctor.
Note that the composition of non-expansive (bi)functors is non-expansive, and the composition of a non-expansive and a contractive (bi)functor is contractive. Note that the composition of non-expansive (bi)functors is non-expansive, and the composition of a non-expansive and a contractive (bi)functor is contractive.
One very important OFE is the OFE of \emph{step-indexed propositions}:
For every step-index, such a proposition either holds or does not hold.
Moreover, if a propositions holds for some $n$, it also has to hold for all smaller step-indices.
\begin{align*}
\SProp \eqdef{}& \psetdown{\nat} \\
\eqdef{}& \setComp{X \in \pset{\nat}}{ \All n, m. n \geq m \Ra n \in X \Ra m \in X } \\
X \nequiv{n} Y \eqdef{}& \All m \leq n. m \in X \Lra m \in Y \\
X \nincl{n} Y \eqdef{}& \All m \leq n. m \in X \Ra m \in Y
\end{align*}
\subsection{COFE} \subsection{COFE}
COFEs are \emph{complete OFEs}, which means that we can take limits of arbitrary chains. COFEs are \emph{complete OFEs}, which means that we can take limits of arbitrary chains.
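Review bot: typo in the new prose of this hunk: "if a propositions holds for some $n$" should read "if a proposition holds for some $n$". The rest of the added \SProp definition is consistent with the \nincl macro introduced in iris.sty.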
...@@ -79,12 +89,14 @@ For once, every \emph{contractive function} $f : \ofe \to \cofeB$ where $\cofeB$ ...@@ -79,12 +89,14 @@ For once, every \emph{contractive function} $f : \ofe \to \cofeB$ where $\cofeB$
This also holds if $f^k$ is contractive for an arbitrary $k$. This also holds if $f^k$ is contractive for an arbitrary $k$.
Furthermore, by America and Rutten's theorem~\cite{America-Rutten:JCSS89,birkedal:metric-space}, every contractive (bi)functor from $\COFEs$ to $\COFEs$ has a unique\footnote{Uniqueness is not proven in Coq.} fixed-point. Furthermore, by America and Rutten's theorem~\cite{America-Rutten:JCSS89,birkedal:metric-space}, every contractive (bi)functor from $\COFEs$ to $\COFEs$ has a unique\footnote{Uniqueness is not proven in Coq.} fixed-point.
$\SProp$ as defined above is complete, \ie it is a COFE.
\subsection{RA} \subsection{RA}
\begin{defn} \begin{defn}
A \emph{resource algebra} (RA) is a tuple \\ A \emph{resource algebra} (RA) is a tuple \\
$(\monoid, \mval \subseteq \monoid, \mcore{{-}}: $(\monoid, \mvalFull : \monoid \to \mProp, \mcore{{-}}:
\monoid \to \maybe\monoid, (\mtimes) : \monoid \times \monoid \to \monoid)$ satisfying: \monoid \to \maybe\monoid, (\mtimes) : \monoid \times \monoid \to \monoid)$ satisfying:
\begin{align*} \begin{align*}
\All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{ra-assoc} \\ \All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{ra-assoc} \\
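Review bot: the added sentence "$\SProp$ as defined above is complete, \ie it is a COFE." asserts completeness without saying how the limit of a chain is formed, and this completeness is precisely the result the merge request is about; a half-sentence giving the limit construction, or a pointer to the Coq lemma that proves it, would let readers check the claim instead of taking it on faith.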
...@@ -92,16 +104,19 @@ Furthermore, by America and Rutten's theorem~\cite{America-Rutten:JCSS89,birkeda ...@@ -92,16 +104,19 @@ Furthermore, by America and Rutten's theorem~\cite{America-Rutten:JCSS89,birkeda
\All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{ra-core-id} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{ra-core-id} \\
\All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{ra-core-idem} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{ra-core-idem} \\
\All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{ra-core-mono} \\ \All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{ra-core-mono} \\
\All \melt, \meltB.& (\melt \mtimes \meltB) \in \mval \Ra \melt \in \mval \tagH{ra-valid-op} \\ \All \melt, \meltB.& \mvalFull(\melt \mtimes \meltB) \Ra \mvalFull(\melt) \tagH{ra-valid-op} \\
\text{where}\qquad %\qquad\\ \text{where}\qquad %\qquad\\
\maybe\monoid \eqdef{}& \monoid \uplus \set{\mnocore} \qquad\qquad\qquad \melt^? \mtimes \mnocore \eqdef \mnocore \mtimes \melt^? \eqdef \melt^? \\ \maybe\monoid \eqdef{}& \monoid \uplus \set{\mnocore} \qquad\qquad\qquad \melt^? \mtimes \mnocore \eqdef \mnocore \mtimes \melt^? \eqdef \melt^? \\
\melt \mincl \meltB \eqdef{}& \Exists \meltC \in \monoid. \meltB = \melt \mtimes \meltC \tagH{ra-incl} \melt \mincl \meltB \eqdef{}& \Exists \meltC \in \monoid. \meltB = \melt \mtimes \meltC \tagH{ra-incl}
\end{align*} \end{align*}
\end{defn} \end{defn}
\noindent Here, $\mProp$ is the set of (meta-level) propositions.
Think of \texttt{Prop} in Coq or $\mathbb{B}$ in classical mathematics.
RAs are closely related to \emph{Partial Commutative Monoids} (PCMs), with two key differences: RAs are closely related to \emph{Partial Commutative Monoids} (PCMs), with two key differences:
\begin{enumerate} \begin{enumerate}
\item The composition operation on RAs is total (as opposed to the partial composition operation of a PCM), but there is a specific subset $\mval$ of \emph{valid} elements that is compatible with the composition operation (\ruleref{ra-valid-op}). \item The composition operation on RAs is total (as opposed to the partial composition operation of a PCM), but there is a specific subset of \emph{valid} elements that is compatible with the composition operation (\ruleref{ra-valid-op}).
These valid elements are identified by the \emph{validity predicate} $\mvalFull$.
This take on partiality is necessary when defining the structure of \emph{higher-order} ghost state, CMRAs, in the next subsection. This take on partiality is necessary when defining the structure of \emph{higher-order} ghost state, CMRAs, in the next subsection.
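Review bot: the explanation "Here, $\mProp$ is the set of (meta-level) propositions." is placed after \end{defn}, but $\mProp$ is already used inside the definition in the signature "$\mvalFull : \monoid \to \mProp$"; introducing the symbol just before the definition (or inside it) would avoid a forward reference on first reading.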
...@@ -122,7 +137,7 @@ Notice also that the core of an RA is a strict generalization of the unit that a ...@@ -122,7 +137,7 @@ Notice also that the core of an RA is a strict generalization of the unit that a
\begin{defn} \begin{defn}
It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if
\[ \All \maybe{\melt_\f} \in \maybe\monoid. \melt \mtimes \maybe{\melt_\f} \in \mval \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \maybe{\melt_\f} \in \mval \] \[ \All \maybe{\melt_\f} \in \maybe\monoid. \melt \mtimes \mvalFull(\maybe{\melt_\f}) \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \mvalFull(\maybe{\melt_\f}) \]
We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$.
\end{defn} \end{defn}
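Review bot: the new definition of the frame-preserving update is mis-parenthesized: "\melt \mtimes \mvalFull(\maybe{\melt_\f})" applies $\mvalFull$ to the frame alone and then composes an RA element with a proposition, which is ill-typed. It should read "\mvalFull(\melt \mtimes \maybe{\melt_\f}) \Ra \Exists \meltB \in \meltsB. \mvalFull(\meltB \mtimes \maybe{\melt_\f})", mirroring the step-indexed CMRA version later in this file, which correctly uses "n \in \mval(\melt \mtimes \maybe{\melt_\f})".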
...@@ -134,17 +149,15 @@ Since Iris ensures that the global ghost state is valid, this means that we can ...@@ -134,17 +149,15 @@ Since Iris ensures that the global ghost state is valid, this means that we can
\subsection{CMRA} \subsection{CMRA}
\begin{defn} \begin{defn}
A \emph{CMRA} is a tuple $(\monoid : \OFEs, (\mval_n \subseteq \monoid)_{n \in \nat},\\ \mcore{{-}}: \monoid \nfn \maybe\monoid, (\mtimes) : \monoid \times \monoid \nfn \monoid)$ satisfying: A \emph{CMRA} is a tuple $(\monoid : \OFEs, \mval : \monoid \nfn \SProp, \mcore{{-}}: \monoid \nfn \maybe\monoid,\\ (\mtimes) : \monoid \times \monoid \nfn \monoid)$ satisfying:
\begin{align*} \begin{align*}
\All n, \melt, \meltB.& \melt \nequiv{n} \meltB \land \melt\in\mval_n \Ra \meltB\in\mval_n \tagH{cmra-valid-ne} \\
\All n, m.& n \geq m \Ra \mval_n \subseteq \mval_m \tagH{cmra-valid-mono} \\
\All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{cmra-assoc} \\ \All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{cmra-assoc} \\
\All \melt, \meltB.& \melt \mtimes \meltB = \meltB \mtimes \melt \tagH{cmra-comm} \\ \All \melt, \meltB.& \melt \mtimes \meltB = \meltB \mtimes \melt \tagH{cmra-comm} \\
\All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{cmra-core-id} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{cmra-core-id} \\
\All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{cmra-core-idem} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{cmra-core-idem} \\
\All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{cmra-core-mono} \\ \All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{cmra-core-mono} \\
\All n, \melt, \meltB.& (\melt \mtimes \meltB) \in \mval_n \Ra \melt \in \mval_n \tagH{cmra-valid-op} \\ \All \melt, \meltB.& \mval(\melt \mtimes \meltB) \subseteq \mval(\melt) \tagH{cmra-valid-op} \\
\All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$\melt \in \mval_n \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\ \All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$n \in \mval(\melt) \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\
&\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{cmra-extend} \\ &\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{cmra-extend} \\
\text{where}\qquad\qquad\\ \text{where}\qquad\qquad\\
\melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl} \\ \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl} \\
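Review bot: removing \ruleref{cmra-valid-ne} and \ruleref{cmra-valid-mono} is sound only because the new signature "$\mval : \monoid \nfn \SProp$" makes $\mval$ non-expansive (which yields the old valid-ne) and lands in $\SProp$, whose elements are closed under smaller step-indices (which yields the old valid-mono). Neither consequence is stated near the definition; a sentence saying that the two former axioms now follow from the type of $\mval$ would save readers of the previous version from looking for them.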
...@@ -154,8 +167,8 @@ Since Iris ensures that the global ghost state is valid, this means that we can ...@@ -154,8 +167,8 @@ Since Iris ensures that the global ghost state is valid, this means that we can
This is a natural generalization of RAs over OFEs. This is a natural generalization of RAs over OFEs.
All operations have to be non-expansive, and the validity predicate $\mval$ can now also depend on the step-index. All operations have to be non-expansive, and the validity predicate $\mval$ can now also depend on the step-index.
We define the plain $\mval$ as the ``limit'' of the $\mval_n$: We define the plain $\mvalFull$ as the ``limit'' of the step-indexed approximation:
\[ \mval \eqdef \bigcap_{n \in \nat} \mval_n \] \[ \mvalFull(\melt) \eqdef \All n. n \in \mval(\melt) \]
\paragraph{The extension axiom (\ruleref{cmra-extend}).} \paragraph{The extension axiom (\ruleref{cmra-extend}).}
Notice that the existential quantification in this axiom is \emph{constructive}, \ie it is a sigma type in Coq. Notice that the existential quantification in this axiom is \emph{constructive}, \ie it is a sigma type in Coq.
...@@ -184,7 +197,7 @@ This operation is needed to prove that $\later$ commutes with separating conjunc ...@@ -184,7 +197,7 @@ This operation is needed to prove that $\later$ commutes with separating conjunc
\begin{defn} \begin{defn}
An element $\munit$ of a CMRA $\monoid$ is called the \emph{unit} of $\monoid$ if it satisfies the following conditions: An element $\munit$ of a CMRA $\monoid$ is called the \emph{unit} of $\monoid$ if it satisfies the following conditions:
\begin{enumerate}[itemsep=0pt] \begin{enumerate}[itemsep=0pt]
\item $\munit$ is valid: \\ $\All n. \munit \in \mval_n$ \item $\munit$ is valid: \\ $\All n. n \in \mval(\munit)$
\item $\munit$ is a left-identity of the operation: \\ \item $\munit$ is a left-identity of the operation: \\
$\All \melt \in M. \munit \mtimes \melt = \melt$ $\All \melt \in M. \munit \mtimes \melt = \melt$
\item $\munit$ is its own core: \\ $\mcore\munit = \munit$ \item $\munit$ is its own core: \\ $\mcore\munit = \munit$
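Review bot: the unit's validity condition "$\All n. n \in \mval(\munit)$" is by definition $\mvalFull(\munit)$, which was introduced a few lines earlier as the limit of the step-indexed predicate; using the abbreviation here, and likewise writing the discrete-CMRA condition as "$0 \in \mval(\melt) \Ra \mvalFull(\melt)$", would keep the notation uniform across the section.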
...@@ -197,7 +210,7 @@ This operation is needed to prove that $\later$ commutes with separating conjunc ...@@ -197,7 +210,7 @@ This operation is needed to prove that $\later$ commutes with separating conjunc
\begin{defn} \begin{defn}
It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if
\[ \All n, \maybe{\melt_\f}. \melt \mtimes \maybe{\melt_\f} \in \mval_n \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \maybe{\melt_\f} \in \mval_n \] \[ \All n, \maybe{\melt_\f}. n \in \mval(\melt \mtimes \maybe{\melt_\f}) \Ra \Exists \meltB \in \meltsB. n \in\mval(\meltB \mtimes \maybe{\melt_\f}) \]
We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$.
\end{defn} \end{defn}
...@@ -208,7 +221,7 @@ Note that for RAs, this and the RA-based definition of a frame-preserving update ...@@ -208,7 +221,7 @@ Note that for RAs, this and the RA-based definition of a frame-preserving update
\begin{enumerate}[itemsep=0pt] \begin{enumerate}[itemsep=0pt]
\item $\monoid$ is a discrete COFE \item $\monoid$ is a discrete COFE
\item $\mval$ ignores the step-index: \\ \item $\mval$ ignores the step-index: \\
$\All \melt \in \monoid. \melt \in \mval_0 \Ra \All n, \melt \in \mval_n$ $\All \melt \in \monoid. 0 \in \mval(\melt) \Ra \All n. n \in \mval(\melt)$
\end{enumerate} \end{enumerate}
\end{defn} \end{defn}
Note that every RA is a discrete CMRA, by picking the discrete COFE for the equivalence relation. Note that every RA is a discrete CMRA, by picking the discrete COFE for the equivalence relation.
...@@ -223,7 +236,7 @@ Furthermore, discrete CMRAs can be turned into RAs by ignoring their COFE struct ...@@ -223,7 +236,7 @@ Furthermore, discrete CMRAs can be turned into RAs by ignoring their COFE struct
\item $f$ commutes with the core:\\ \item $f$ commutes with the core:\\
$\All \melt \in \monoid_1. \mcore{f(\melt)} = f(\mcore{\melt})$ $\All \melt \in \monoid_1. \mcore{f(\melt)} = f(\mcore{\melt})$
\item $f$ preserves validity: \\ \item $f$ preserves validity: \\
$\All n, \melt \in \monoid_1. \melt \in \mval_n \Ra f(\melt) \in \mval_n$ $\All n, \melt \in \monoid_1. n \in \mval(\melt) \Ra n \in \mval(f(\melt))$
\end{enumerate} \end{enumerate}
\end{defn} \end{defn}
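Review bot: validity preservation for CMRA homomorphisms, "$\All n, \melt \in \monoid_1. n \in \mval(\melt) \Ra n \in \mval(f(\melt))$", can be stated in the same set-inclusion style used for the new \ruleref{cmra-valid-op}, namely "$\mval(\melt) \subseteq \mval(f(\melt))$"; mixing the pointwise and the set style within one section is a small inconsistency worth fixing while the file is being touched.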
...@@ -36,7 +36,7 @@ ...@@ -36,7 +36,7 @@
\newcommand{\upclose}{\mathord{\uparrow}} \newcommand{\upclose}{\mathord{\uparrow}}
\newcommand{\ALT}{\ |\ } \newcommand{\ALT}{\ |\ }
\newcommand{\spac}{\,} % a space \newcommand{\spac}{\hskip 0.2em plus 0.1em} % a space
\def\All #1.{\forall #1.\spac}% \def\All #1.{\forall #1.\spac}%
\def\Exists #1.{\exists #1.\spac}% \def\Exists #1.{\exists #1.\spac}%
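Review bot: changing \spac from "\," to "\hskip 0.2em plus 0.1em" is a global typesetting change that affects every \All and \Exists in the document and is unrelated to the completeness result named in the commit message; it should at least be mentioned there (or go in its own commit) so that the visual diff of the rendered documentation is not surprising.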
...@@ -117,6 +117,7 @@ ...@@ -117,6 +117,7 @@
\newcommand{\wtt}[2]{#1 : #2} % well-typed term \newcommand{\wtt}[2]{#1 : #2} % well-typed term
\newcommand{\nequiv}[1]{\ensuremath{\mathrel{\stackrel{#1}{=}}}} \newcommand{\nequiv}[1]{\ensuremath{\mathrel{\stackrel{#1}{=}}}}
\newcommand{\nincl}[1]{\ensuremath{\mathrel{\stackrel{#1}{\subseteq}}}}
\newcommand{\notnequiv}[1]{\ensuremath{\mathrel{\stackrel{#1}{\neq}}}} \newcommand{\notnequiv}[1]{\ensuremath{\mathrel{\stackrel{#1}{\neq}}}}
\newcommand{\nequivset}[2]{\ensuremath{\mathrel{\stackrel{#1}{=}_{#2}}}} \newcommand{\nequivset}[2]{\ensuremath{\mathrel{\stackrel{#1}{=}_{#2}}}}
\newcommand{\nequivB}[1]{\ensuremath{\mathrel{\stackrel{#1}{\equiv}}}} \newcommand{\nequivB}[1]{\ensuremath{\mathrel{\stackrel{#1}{\equiv}}}}
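Review bot: \psetdown, \mvalFull and \mProp are all used by the algebra.tex changes, but only \nincl is defined in the visible iris.sty hunks; confirm that the other three macros are defined in the collapsed part of this file or elsewhere, otherwise the documentation will not build.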
...@@ -42,7 +42,7 @@ We are thus going to define the assertions as mapping CMRA elements to sets of s ...@@ -42,7 +42,7 @@ We are thus going to define the assertions as mapping CMRA elements to sets of s
\Lam \melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\melt) \cup \Sem{\vctx \proves \propB : \Prop}_\gamma(\melt) \\ \Lam \melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\melt) \cup \Sem{\vctx \proves \propB : \Prop}_\gamma(\melt) \\
\Sem{\vctx \proves \prop \Ra \propB : \Prop}_\gamma &\eqdef \Sem{\vctx \proves \prop \Ra \propB : \Prop}_\gamma &\eqdef
\Lam \melt. \setComp{n}{\begin{aligned} \Lam \melt. \setComp{n}{\begin{aligned}
\All m, \meltB.& m \leq n \land \melt \mincl \meltB \land \meltB \in \mval_m \Ra {} \\ \All m, \meltB.& m \leq n \land \melt \mincl \meltB \land m \in \mval(\meltB) \Ra {} \\
& m \in \Sem{\vctx \proves \prop : \Prop}_\gamma(\meltB) \Ra {}\\& m \in \Sem{\vctx \proves \propB : \Prop}_\gamma(\meltB)\end{aligned}}\\ & m \in \Sem{\vctx \proves \prop : \Prop}_\gamma(\meltB) \Ra {}\\& m \in \Sem{\vctx \proves \propB : \Prop}_\gamma(\meltB)\end{aligned}}\\
\Sem{\vctx \proves \All \var : \type. \prop : \Prop}_\gamma &\eqdef \Sem{\vctx \proves \All \var : \type. \prop : \Prop}_\gamma &\eqdef
\Lam \melt. \setComp{n}{ \All v \in \Sem{\type}. n \in \Sem{\vctx, \var : \type \proves \prop : \Prop}_{\mapinsert \var v \gamma}(\melt) } \\ \Lam \melt. \setComp{n}{ \All v \in \Sem{\type}. n \in \Sem{\vctx, \var : \type \proves \prop : \Prop}_{\mapinsert \var v \gamma}(\melt) } \\
...@@ -54,15 +54,15 @@ We are thus going to define the assertions as mapping CMRA elements to sets of s ...@@ -54,15 +54,15 @@ We are thus going to define the assertions as mapping CMRA elements to sets of s
\\ \\
\Sem{\vctx \proves \prop \wand \propB : \Prop}_\gamma &\eqdef \Sem{\vctx \proves \prop \wand \propB : \Prop}_\gamma &\eqdef
\Lam \melt. \setComp{n}{\begin{aligned} \Lam \melt. \setComp{n}{\begin{aligned}
\All m, \meltB.& m \leq n \land \melt\mtimes\meltB \in \mval_m \Ra {} \\ \All m, \meltB.& m \leq n \land m \in \mval(\melt\mtimes\meltB) \Ra {} \\
& m \in \Sem{\vctx \proves \prop : \Prop}_\gamma(\meltB) \Ra {}\\& m \in \Sem{\vctx \proves \propB : \Prop}_\gamma(\melt\mtimes\meltB)\end{aligned}} \\ & m \in \Sem{\vctx \proves \prop : \Prop}_\gamma(\meltB) \Ra {}\\& m \in \Sem{\vctx \proves \propB : \Prop}_\gamma(\melt\mtimes\meltB)\end{aligned}} \\
\Sem{\vctx \proves \ownM{\term} : \Prop}_\gamma &\eqdef \Lam\meltB. \setComp{n}{\Sem{\vctx \proves \term : \textlog{M}}_\gamma \mincl[n] \meltB} \\ \Sem{\vctx \proves \ownM{\term} : \Prop}_\gamma &\eqdef \Lam\meltB. \setComp{n}{\Sem{\vctx \proves \term : \textlog{M}}_\gamma \mincl[n] \meltB} \\
\Sem{\vctx \proves \mval(\term) : \Prop}_\gamma &\eqdef \Lam\any. \setComp{n}{\Sem{\vctx \proves \term : \textlog{M}}_\gamma \in \mval_n} \\ \Sem{\vctx \proves \mval(\term) : \Prop}_\gamma &\eqdef \Lam\any. \mval(\Sem{\vctx \proves \term : \textlog{M}}_\gamma) \\
\Sem{\vctx \proves \always{\prop} : \Prop}_\gamma &\eqdef \Lam\melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\mcore\melt) \\ \Sem{\vctx \proves \always{\prop} : \Prop}_\gamma &\eqdef \Lam\melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\mcore\melt) \\
\Sem{\vctx \proves \plainly{\prop} : \Prop}_\gamma &\eqdef \Lam\melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\munit) \\ \Sem{\vctx \proves \plainly{\prop} : \Prop}_\gamma &\eqdef \Lam\melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\munit) \\
\Sem{\vctx \proves \later{\prop} : \Prop}_\gamma &\eqdef \Lam\melt. \setComp{n}{n = 0 \lor n-1 \in \Sem{\vctx \proves \prop : \Prop}_\gamma(\melt)}\\ \Sem{\vctx \proves \later{\prop} : \Prop}_\gamma &\eqdef \Lam\melt. \setComp{n}{n = 0 \lor n-1 \in \Sem{\vctx \proves \prop : \Prop}_\gamma(\melt)}\\
\Sem{\vctx \proves \upd\prop : \Prop}_\gamma &\eqdef \Lam\melt. \setComp{n}{\begin{aligned} \Sem{\vctx \proves \upd\prop : \Prop}_\gamma &\eqdef \Lam\melt. \setComp{n}{\begin{aligned}
\All m, \melt'. & m \leq n \land (\melt \mtimes \melt') \in \mval_m \Ra {}\\& \Exists \meltB. (\meltB \mtimes \melt') \in \mval_m \land m \in \Sem{\vctx \proves \prop :\Prop}_\gamma(\meltB) \All m, \melt'. & m \leq n \land m \in \mval(\melt \mtimes \melt') \Ra {}\\& \Exists \meltB. m \in \mval(\meltB \mtimes \melt') \land m \in \Sem{\vctx \proves \prop :\Prop}_\gamma(\meltB)
\end{aligned} \end{aligned}
} }
\end{align*} \end{align*}
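Review bot: the semantics of $\mval(\term)$ now returns "\mval(\Sem{\vctx \proves \term : \textlog{M}}_\gamma)" directly as the set of step-indices; this is a well-formed uPred only because $\mval$ lands in $\SProp$ (closed under smaller step-indices), which the new CMRA signature guarantees, so a short remark would help since the previous version made the set comprehension explicit. In the same equation $\mval$ now denotes both the logic-level connective and the model-level predicate; a subscript or font change for one of them would remove the ambiguity.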
...@@ -30,11 +30,11 @@ Import uPred. ...@@ -30,11 +30,11 @@ Import uPred.
Lemma laterN_big n a x φ: {n} x a n (^a ⌜φ⌝)%I n x φ. Lemma laterN_big n a x φ: {n} x a n (^a ⌜φ⌝)%I n x φ.
Proof. Proof.
induction 2 as [| ?? IHle]. induction 2 as [| ?? IHle].
- induction a; repeat (rewrite //= || uPred.unseal). - induction a; repeat (rewrite //= || uPred.unseal).
intros Hlater. apply IHa; auto using cmra_validN_S. intros Hlater. apply IHa; auto using cmra_validN_S.
move:Hlater; repeat (rewrite //= || uPred.unseal). move:Hlater; repeat (rewrite //= || uPred.unseal).
- intros. apply IHle; auto using cmra_validN_S. - intros. apply IHle; auto using cmra_validN_S.
eapply uPred_closed; eauto using cmra_validN_S. eapply uPred_mono; eauto using cmra_validN_S.
Qed. Qed.
Lemma laterN_small n a x φ: {n} x n < a (^a ⌜φ⌝)%I n x. Lemma laterN_small n a x φ: {n} x n < a (^a ⌜φ⌝)%I n x.
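Review bot: with uPred_closed replaced by uPred_mono, the "auto using cmra_validN_S" and "eauto using cmra_validN_S" hints in "apply IHa; auto using cmra_validN_S." and "eapply uPred_mono; eauto using cmra_validN_S." may be discharging validity side goals that no longer exist; worth checking whether they can be dropped so the proof does not carry dead hints.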
...@@ -46,15 +46,15 @@ Proof. ...@@ -46,15 +46,15 @@ Proof.
- induction n as [| n IHn]; [| move: IHle]; - induction n as [| n IHn]; [| move: IHle];
repeat (rewrite //= || uPred.unseal). repeat (rewrite //= || uPred.unseal).
red; rewrite //=. intros. red; rewrite //=. intros.
eapply (uPred_closed _ _ (S n)); eauto using cmra_validN_S. eapply (uPred_mono _ _ (S n)); eauto using cmra_validN_S.
Qed. Qed.
(* It is easy to show that most of the basic properties of bupd that (* It is easy to show that most of the basic properties of bupd that
are used throughout Iris hold for nnupd. are used throughout Iris hold for nnupd.
In fact, the first three properties that follow hold for any In fact, the first three properties that follow hold for any
modality of the form (- -∗ Q) -∗ Q for arbitrary Q. The situation modality of the form (- -∗ Q) -∗ Q for arbitrary Q. The situation
here is slightly different, because nnupd is of the form here is slightly different, because nnupd is of the form
∀ n, (- -∗ (Q n)) -∗ (Q n), but the proofs carry over straightforwardly. ∀ n, (- -∗ (Q n)) -∗ (Q n), but the proofs carry over straightforwardly.
*) *)
...@@ -77,8 +77,8 @@ Proof. ...@@ -77,8 +77,8 @@ Proof.
Qed. Qed.
Lemma nnupd_ownM_updateP x (Φ : M Prop) : Lemma nnupd_ownM_updateP x (Φ : M Prop) :
x ~~>: Φ uPred_ownM x =n=> y, ⌜Φ y uPred_ownM y. x ~~>: Φ uPred_ownM x =n=> y, ⌜Φ y uPred_ownM y.
Proof. Proof.
intros Hbupd. split. rewrite /uPred_nnupd. repeat uPred.unseal. intros Hbupd. split. rewrite /uPred_nnupd. repeat uPred.unseal.
intros n y ? Hown a. intros n y ? Hown a.
red; rewrite //= => n' yf ??. red; rewrite //= => n' yf ??.
inversion Hown as (x'&Hequiv). inversion Hown as (x'&Hequiv).
...@@ -87,18 +87,18 @@ Proof. ...@@ -87,18 +87,18 @@ Proof.
case (decide (a n')). case (decide (a n')).
- intros Hle Hwand. - intros Hle Hwand.
exfalso. eapply laterN_big; last (uPred.unseal; eapply (Hwand n' (y' x'))); eauto. exfalso. eapply laterN_big; last (uPred.unseal; eapply (Hwand n' (y' x'))); eauto.
* rewrite comm -assoc. done. * rewrite comm -assoc. done.
* rewrite comm -assoc. done. * rewrite comm -assoc. done.
* eexists. split; eapply uPred_mono; red; rewrite //=; eauto. * exists y'. split=>//. by exists x'.
- intros; assert (n' < a). omega. - intros; assert (n' < a). omega.
move: laterN_small. uPred.unseal. move: laterN_small. uPred.unseal.
naive_solver. naive_solver.
Qed. Qed.
(* However, the transitivity property seems to be much harder to (* However, the transitivity property seems to be much harder to
prove. This is surprising, because transitivity does hold for prove. This is surprising, because transitivity does hold for
modalities of the form (- -∗ Q) -∗ Q. What goes wrong when we quantify modalities of the form (- -∗ Q) -∗ Q. What goes wrong when we quantify
now over n? now over n?
*) *)
Remark nnupd_trans P: (|=n=> |=n=> P) (|=n=> P). Remark nnupd_trans P: (|=n=> |=n=> P) (|=n=> P).
...@@ -111,7 +111,7 @@ Proof. ...@@ -111,7 +111,7 @@ Proof.
(* Oops -- the exponents of the later modality don't match up! *) (* Oops -- the exponents of the later modality don't match up! *)
Abort. Abort.
(* Instead, we will need to prove this in the model. We start by showing that (* Instead, we will need to prove this in the model. We start by showing that
nnupd is the limit of a the following sequence: nnupd is the limit of a the following sequence:
(- -∗ False) - ∗ False, (- -∗ False) - ∗ False,
...@@ -121,12 +121,12 @@ Abort. ...@@ -121,12 +121,12 @@ Abort.
Then, it is easy enough to show that each of the uPreds in this sequence Then, it is easy enough to show that each of the uPreds in this sequence
is transitive. It turns out that this implies that nnupd is transitive. *) is transitive. It turns out that this implies that nnupd is transitive. *)
(* The definition of the sequence above: *) (* The definition of the sequence above: *)
Fixpoint uPred_nnupd_k {M} k (P: uPred M) : uPred M := Fixpoint uPred_nnupd_k {M} k (P: uPred M) : uPred M :=
((P - ^k False) - ^k False) ((P - ^k False) - ^k False)
match k with match k with
O => True O => True
| S k' => uPred_nnupd_k k' P | S k' => uPred_nnupd_k k' P
end. end.
...@@ -138,11 +138,11 @@ Notation "|=n=>_ k Q" := (uPred_nnupd_k k Q) ...@@ -138,11 +138,11 @@ Notation "|=n=>_ k Q" := (uPred_nnupd_k k Q)
(* One direction of the limiting process is easy -- nnupd implies nnupd_k for each k *) (* One direction of the limiting process is easy -- nnupd implies nnupd_k for each k *)
Lemma nnupd_trunc1 k P: (|=n=> P) |=n=>_k P. Lemma nnupd_trunc1 k P: (|=n=> P) |=n=>_k P.
Proof. Proof.
induction k. induction k.
- rewrite /uPred_nnupd_k /uPred_nnupd. - rewrite /uPred_nnupd_k /uPred_nnupd.
rewrite (forall_elim 0) //= right_id //. rewrite (forall_elim 0) //= right_id //.
- simpl. apply and_intro; auto. - simpl. apply and_intro; auto.
rewrite /uPred_nnupd. rewrite /uPred_nnupd.
rewrite (forall_elim (S k)) //=. rewrite (forall_elim (S k)) //=.
Qed. Qed.
...@@ -190,11 +190,10 @@ Lemma nnupd_nnupd_k_dist k P: (|=n=> P)%I ≡{k}≡ (|=n=>_k P)%I. ...@@ -190,11 +190,10 @@ Lemma nnupd_nnupd_k_dist k P: (|=n=> P)%I ≡{k}≡ (|=n=>_k P)%I.
*** intros. exfalso. assert (n k'). omega. *** intros. exfalso. assert (n k'). omega.
assert (n = S k n < S k) as [->|] by omega. assert (n = S k n < S k) as [->|] by omega.
**** eapply laterN_big; eauto; unseal. eapply HnnP; eauto. **** eapply laterN_big; eauto; unseal. eapply HnnP; eauto.
**** move:nnupd_k_elim. unseal. intros Hnnupdk. **** move:nnupd_k_elim. unseal. intros Hnnupdk.
eapply laterN_big; eauto. unseal. eapply laterN_big; eauto. unseal.
eapply (Hnnupdk n k); first omega; eauto. eapply (Hnnupdk n k); first omega; eauto.
exists x, x'. split_and!; eauto. eapply uPred_closed; eauto. exists x, x'. split_and!; eauto. eapply uPred_mono; eauto.
eapply cmra_validN_op_l; eauto.
** intros HP. eapply IHk; auto. ** intros HP. eapply IHk; auto.
move:HP. unseal. intros (?&?); naive_solver. move:HP. unseal. intros (?&?); naive_solver.
Qed. Qed.
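Review bot: dropping "eapply cmra_validN_op_l; eauto." is the expected consequence of uPred_mono no longer having a validity premise, so the change is correct; the remaining "eapply uPred_mono; eauto." now has to find the step-index inequality by search, and if this proof turns out fragile an explicit argument to uPred_mono would be more robust.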
...@@ -204,13 +203,13 @@ Lemma nnupd_k_intro k P: P ⊢ (|=n=>_k P). ...@@ -204,13 +203,13 @@ Lemma nnupd_k_intro k P: P ⊢ (|=n=>_k P).
Proof. Proof.
induction k; rewrite //= ?right_id. induction k; rewrite //= ?right_id.
- apply wand_intro_l. apply wand_elim_l. - apply wand_intro_l. apply wand_elim_l.
- apply and_intro; auto. - apply and_intro; auto.
apply wand_intro_l. apply wand_elim_l. apply wand_intro_l. apply wand_elim_l.
Qed. Qed.
Lemma nnupd_k_mono k P Q: (P Q) (|=n=>_k P) (|=n=>_k Q). Lemma nnupd_k_mono k P Q: (P Q) (|=n=>_k P) (|=n=>_k Q).
Proof. Proof.
induction k; rewrite //= ?right_id=>HPQ. induction k; rewrite //= ?right_id=>HPQ.
- do 2 (apply wand_mono; auto). - do 2 (apply wand_mono; auto).
- apply and_mono; auto; do 2 (apply wand_mono; auto). - apply and_mono; auto; do 2 (apply wand_mono; auto).
Qed. Qed.
...@@ -228,13 +227,13 @@ Lemma nnupd_k_trans k P: (|=n=>_k |=n=>_k P) ⊢ (|=n=>_k P). ...@@ -228,13 +227,13 @@ Lemma nnupd_k_trans k P: (|=n=>_k |=n=>_k P) ⊢ (|=n=>_k P).
Proof. Proof.
revert P. revert P.
induction k; intros P. induction k; intros P.
- rewrite //= ?right_id. apply wand_intro_l. - rewrite //= ?right_id. apply wand_intro_l.
rewrite {1}(nnupd_k_intro 0 (P - False)%I) //= ?right_id. apply wand_elim_r. rewrite {1}(nnupd_k_intro 0 (P - False)%I) //= ?right_id. apply wand_elim_r.
- rewrite {2}(nnupd_k_unfold k P). - rewrite {2}(nnupd_k_unfold k P).
apply and_intro. apply and_intro.
* rewrite (nnupd_k_unfold k P). rewrite and_elim_l. * rewrite (nnupd_k_unfold k P). rewrite and_elim_l.
rewrite nnupd_k_unfold. rewrite and_elim_l. rewrite nnupd_k_unfold. rewrite and_elim_l.
apply wand_intro_l. apply wand_intro_l.
rewrite {1}(nnupd_k_intro (S k) (P - ^(S k) (False)%I)). rewrite {1}(nnupd_k_intro (S k) (P - ^(S k) (False)%I)).
rewrite nnupd_k_unfold and_elim_l. apply wand_elim_r. rewrite nnupd_k_unfold and_elim_l. apply wand_elim_r.
* do 2 rewrite nnupd_k_weaken //. * do 2 rewrite nnupd_k_weaken //.
...@@ -263,8 +262,8 @@ Proof. ...@@ -263,8 +262,8 @@ Proof.
case (decide (a n')). case (decide (a n')).
- intros Hle Hwand. - intros Hle Hwand.
exfalso. eapply laterN_big; last (uPred.unseal; eapply (Hwand n' x')); eauto. exfalso. eapply laterN_big; last (uPred.unseal; eapply (Hwand n' x')); eauto.
* rewrite comm. done. * rewrite comm. done.
* rewrite comm. done. * rewrite comm. done.
- intros; assert (n' < a). omega. - intros; assert (n' < a). omega.
move: laterN_small. uPred.unseal. move: laterN_small. uPred.unseal.
naive_solver. naive_solver.
...@@ -300,23 +299,23 @@ End classical. ...@@ -300,23 +299,23 @@ End classical.
Lemma nnupd_dne φ: (|=n=> ¬¬ φ φ⌝: uPred M)%I. Lemma nnupd_dne φ: (|=n=> ¬¬ φ φ⌝: uPred M)%I.
Proof. Proof.
rewrite /uPred_nnupd. apply forall_intro=>n. rewrite /uPred_nnupd. apply forall_intro=>n.
apply wand_intro_l. rewrite ?right_id. apply wand_intro_l. rewrite ?right_id.
assert ( φ, ¬¬¬¬φ ¬¬φ) by naive_solver. assert ( φ, ¬¬¬¬φ ¬¬φ) by naive_solver.
assert (Hdne: ¬¬ (¬¬φ φ)) by naive_solver. assert (Hdne: ¬¬ (¬¬φ φ)) by naive_solver.
split. unseal. intros n' ?? Hupd. split. unseal. intros n' ?? Hupd.
case (decide (n' < n)). case (decide (n' < n)).
- intros. move: laterN_small. unseal. naive_solver. - intros. move: laterN_small. unseal. naive_solver.
- intros. assert (n n'). omega. - intros. assert (n n'). omega.
exfalso. specialize (Hupd n' ε). exfalso. specialize (Hupd n' ε).
eapply Hdne. intros Hfal. eapply Hdne. intros Hfal.
eapply laterN_big; eauto. eapply laterN_big; eauto.
unseal. rewrite right_id in Hupd *; naive_solver. unseal. rewrite right_id in Hupd *; naive_solver.
Qed. Qed.
(* Nevertheless, we can prove a weaker form of adequacy (which is equvialent to adequacy (* Nevertheless, we can prove a weaker form of adequacy (which is equvialent to adequacy
under classical axioms) directly without passing through the proofs for bupd: *) under classical axioms) directly without passing through the proofs for bupd: *)
Lemma adequacy_helper1 P n k x: Lemma adequacy_helper1 P n k x:
{S n + k} x ¬¬ (Nat.iter (S n) (λ P, |=n=> P)%I P (S n + k) x) {S n + k} x ¬¬ (Nat.iter (S n) (λ P, |=n=> P)%I P (S n + k) x)
¬¬ ( x', {n + k} (x') Nat.iter n (λ P, |=n=> P)%I P (n + k) (x')). ¬¬ ( x', {n + k} (x') Nat.iter n (λ P, |=n=> P)%I P (n + k) (x')).
Proof. Proof.
revert k P x. induction n. revert k P x. induction n.
...@@ -326,12 +325,12 @@ Proof. ...@@ -326,12 +325,12 @@ Proof.
specialize (Hf3 (S k) (S k) ε). rewrite right_id in Hf3 *. unseal. specialize (Hf3 (S k) (S k) ε). rewrite right_id in Hf3 *. unseal.
intros Hf3. eapply Hf3; eauto. intros Hf3. eapply Hf3; eauto.
intros ??? Hx'. rewrite left_id in Hx' *=> Hx'. intros ??? Hx'. rewrite left_id in Hx' *=> Hx'.
unseal. unseal.
assert (n' < S k n' = S k) as [|] by omega. assert (n' < S k n' = S k) as [|] by omega.
* intros. move:(laterN_small n' (S k) x' False). rewrite //=. unseal. intros Hsmall. * intros. move:(laterN_small n' (S k) x' False). rewrite //=. unseal. intros Hsmall.
eapply Hsmall; eauto. eapply Hsmall; eauto.
* subst. intros. exfalso. eapply Hf2. exists x'. split; eauto using cmra_validN_S. * subst. intros. exfalso. eapply Hf2. exists x'. split; eauto using cmra_validN_S.
- intros k P x Hx. rewrite ?Nat_iter_S_r. - intros k P x Hx. rewrite ?Nat_iter_S_r.
replace (S (S n) + k) with (S n + (S k)) by omega. replace (S (S n) + k) with (S n + (S k)) by omega.
replace (S n + k) with (n + (S k)) by omega. replace (S n + k) with (n + (S k)) by omega.
intros. eapply IHn. replace (S n + S k) with (S (S n) + k) by omega. eauto. intros. eapply IHn. replace (S n + S k) with (S (S n) + k) by omega. eauto.
...@@ -339,7 +338,7 @@ Proof. ...@@ -339,7 +338,7 @@ Proof.
Qed. Qed.
Lemma adequacy_helper2 P n k x: Lemma adequacy_helper2 P n k x:
{S n + k} x ¬¬ (Nat.iter (S n) (λ P, |=n=> P)%I P (S n + k) x) {S n + k} x ¬¬ (Nat.iter (S n) (λ P, |=n=> P)%I P (S n + k) x)
¬¬ ( x', {k} (x') Nat.iter 0 (λ P, |=n=> P)%I P k (x')). ¬¬ ( x', {k} (x') Nat.iter 0 (λ P, |=n=> P)%I P k (x')).
Proof. Proof.
revert x. induction n. revert x. induction n.
...@@ -35,11 +35,10 @@ Program Definition uPred_impl_def {M} (P Q : uPred M) : uPred M := ...@@ -35,11 +35,10 @@ Program Definition uPred_impl_def {M} (P Q : uPred M) : uPred M :=
{| uPred_holds n x := n' x', {| uPred_holds n x := n' x',
x x' n' n {n'} x' P n' x' Q n' x' |}. x x' n' n {n'} x' P n' x' Q n' x' |}.
Next Obligation. Next Obligation.
intros M P Q n1 x1 x1' HPQ [x2 Hx1'] n2 x3 [x4 Hx3] ?; simpl in *. intros M P Q n1 n1' x1 x1' HPQ [x2 Hx1'] Hn1 n2 x3 [x4 Hx3] ?; simpl in *.
rewrite Hx3 (dist_le _ _ _ _ Hx1'); auto. intros ??. rewrite Hx3 (dist_le _ _ _ _ Hx1'); auto. intros ??.
eapply HPQ; auto. exists (x2 x4); by rewrite assoc. eapply HPQ; auto. exists (x2 x4); by rewrite assoc.
Qed. Qed.
Next Obligation. intros M P Q [|n1] [|n2] x; auto with lia. Qed.
Definition uPred_impl_aux : seal (@uPred_impl_def). by eexists. Qed. Definition uPred_impl_aux : seal (@uPred_impl_def). by eexists. Qed.
Definition uPred_impl {M} := unseal uPred_impl_aux M. Definition uPred_impl {M} := unseal uPred_impl_aux M.
Definition uPred_impl_eq : Definition uPred_impl_eq :
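Review bot: merging the closedness obligation into the single monotonicity obligation changes the hypotheses every Next Obligation in this file must introduce (the new pattern is "intros M P Q n1 n1' x1 x1' HPQ [x2 Hx1'] Hn1 n2 x3 [x4 Hx3] ?"), and the removed "Next Obligation. intros M P Q [|n1] [|n2] x; auto with lia. Qed." shows that every remaining per-connective closedness proof is now dead code; make sure all connectives in the collapsed part of this file got the same treatment, since a leftover second obligation would fail to typecheck.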
...@@ -71,14 +70,9 @@ Definition uPred_internal_eq_eq: ...@@ -71,14 +70,9 @@ Definition uPred_internal_eq_eq:
Program Definition uPred_sep_def {M} (P Q : uPred M) : uPred M := Program Definition uPred_sep_def {M} (P Q : uPred M) : uPred M :=
{| uPred_holds n x := x1 x2, x {n} x1 x2 P n x1 Q n x2 |}. {| uPred_holds n x := x1 x2, x {n} x1 x2 P n x1 Q n x2 |}.
Next Obligation. Next Obligation.
intros M P Q n x y (x1&x2&Hx&?&?) [z Hy]. intros M P Q n1 n2 x y (x1&x2&Hx&?&?) [z Hy] Hn.
exists x1, (x2 z); split_and?; eauto using uPred_mono, cmra_includedN_l. exists x1, (x2 z); split_and?; eauto using uPred_mono, cmra_includedN_l.
by rewrite Hy Hx assoc. eapply dist_le, Hn. by rewrite Hy Hx assoc.
Qed.
Next Obligation.
intros M P Q n1 n2 x (x1&x2&Hx&?&?) ?; rewrite {1}(dist_le _ _ _ _ Hx) // =>?.
exists x1, x2; ofe_subst; split_and!;
eauto using dist_le, uPred_closed, cmra_validN_op_l, cmra_validN_op_r.
Qed. Qed.
Definition uPred_sep_aux : seal (@uPred_sep_def). by eexists. Qed. Definition uPred_sep_aux : seal (@uPred_sep_def). by eexists. Qed.
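Review bot: the second obligation for uPred_sep_def, which relied on cmra_validN_op_l and cmra_validN_op_r to push validity down to the components of a separating conjunction, disappears entirely; this is the concrete payoff of removing the validity restriction. Since uPred_closed no longer exists as a lemma, any downstream development using it needs the same switch to uPred_mono with its extra step-index argument (Hn in the new proof), which deserves a changelog entry alongside this merge.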