Commit 7d74f654 authored by Robbert's avatar Robbert

Merge branch 'new_star' into 'master'

Use symbol ∗ for separating conjunction.

The old choice for ★ was arbitrary: the precedence of the ASCII asterisk * was fixed at a wrong level in Coq, so we had to pick another symbol. The ★ was a random choice from a unicode chart.

The new symbol ∗ (as proposed by David Swasey) corresponds better to conventional practise and matches the symbol we use on paper.

See merge request !21
parents 6cb76aaa cc31476d
...@@ -13,14 +13,14 @@ Notation "▷^ n P" := (uPred_laterN n P) ...@@ -13,14 +13,14 @@ Notation "▷^ n P" := (uPred_laterN n P)
format "▷^ n P") : uPred_scope. format "▷^ n P") : uPred_scope.
Definition uPred_nnupd {M} (P: uPred M) : uPred M := Definition uPred_nnupd {M} (P: uPred M) : uPred M :=
n, (P - ^n False) - ^n False. n, (P - ^n False) - ^n False.
Notation "|=n=> Q" := (uPred_nnupd Q) Notation "|=n=> Q" := (uPred_nnupd Q)
(at level 99, Q at level 200, format "|=n=> Q") : uPred_scope. (at level 99, Q at level 200, format "|=n=> Q") : uPred_scope.
Notation "P =n=> Q" := (P |=n=> Q) Notation "P =n=> Q" := (P |=n=> Q)
(at level 99, Q at level 200, only parsing) : C_scope. (at level 99, Q at level 200, only parsing) : C_scope.
Notation "P =n=★ Q" := (P - |=n=> Q)%I Notation "P =n=∗ Q" := (P - |=n=> Q)%I
(at level 99, Q at level 200, format "P =n= Q") : uPred_scope. (at level 99, Q at level 200, format "P =n= Q") : uPred_scope.
(* Our goal is to prove that: (* Our goal is to prove that:
(1) |=n=> has (nearly) all the properties of the |==> modality that are used in Iris (1) |=n=> has (nearly) all the properties of the |==> modality that are used in Iris
...@@ -62,9 +62,9 @@ Qed. ...@@ -62,9 +62,9 @@ Qed.
are used throughout Iris hold for nnupd. are used throughout Iris hold for nnupd.
In fact, the first three properties that follow hold for any In fact, the first three properties that follow hold for any
modality of the form (- -★ Q) -★ Q for arbitrary Q. The situation modality of the form (- -∗ Q) -∗ Q for arbitrary Q. The situation
here is slightly different, because nnupd is of the form here is slightly different, because nnupd is of the form
∀ n, (- -★ (Q n)) -★ (Q n), but the proofs carry over straightforwardly. ∀ n, (- -∗ (Q n)) -∗ (Q n), but the proofs carry over straightforwardly.
*) *)
...@@ -77,7 +77,7 @@ Proof. ...@@ -77,7 +77,7 @@ Proof.
rewrite /uPred_nnupd (forall_elim n). rewrite /uPred_nnupd (forall_elim n).
apply wand_elim_r. apply wand_elim_r.
Qed. Qed.
Lemma nnupd_frame_r P R : (|=n=> P) R =n=> P R. Lemma nnupd_frame_r P R : (|=n=> P) R =n=> P R.
Proof. Proof.
apply forall_intro=>n. apply wand_intro_r. apply forall_intro=>n. apply wand_intro_r.
rewrite (comm _ P) -wand_curry. rewrite (comm _ P) -wand_curry.
...@@ -106,7 +106,7 @@ Qed. ...@@ -106,7 +106,7 @@ Qed.
(* However, the transitivity property seems to be much harder to (* However, the transitivity property seems to be much harder to
prove. This is surprising, because transitivity does hold for prove. This is surprising, because transitivity does hold for
modalities of the form (- -★ Q) -★ Q. What goes wrong when we quantify modalities of the form (- -∗ Q) -∗ Q. What goes wrong when we quantify
now over n? now over n?
*) *)
...@@ -115,7 +115,7 @@ Proof. ...@@ -115,7 +115,7 @@ Proof.
rewrite /uPred_nnupd. rewrite /uPred_nnupd.
apply forall_intro=>a. apply wand_intro_l. apply forall_intro=>a. apply wand_intro_l.
rewrite (forall_elim a). rewrite (forall_elim a).
rewrite (nnupd_intro (P - _)). rewrite (nnupd_intro (P - _)).
rewrite /uPred_nnupd. rewrite /uPred_nnupd.
(* Oops -- the exponents of the later modality don't match up! *) (* Oops -- the exponents of the later modality don't match up! *)
Abort. Abort.
...@@ -123,9 +123,9 @@ Abort. ...@@ -123,9 +123,9 @@ Abort.
(* Instead, we will need to prove this in the model. We start by showing that (* Instead, we will need to prove this in the model. We start by showing that
nnupd is the limit of a the following sequence: nnupd is the limit of a the following sequence:
(- -★ False) - ★ False, (- -∗ False) - ∗ False,
(- -★ ▷ False) - ★ ▷ False ∧ (- -★ False) - ★ False, (- -∗ ▷ False) - ∗ ▷ False ∧ (- -∗ False) - ∗ False,
(- -★ ▷^2 False) - ★ ▷^2 False ∧ (- -★ ▷ False) - ★ ▷ False ∧ (- -★ False) - ★ False, (- -∗ ▷^2 False) - ∗ ▷^2 False ∧ (- -∗ ▷ False) - ∗ ▷ False ∧ (- -∗ False) - ∗ False,
... ...
Then, it is easy enough to show that each of the uPreds in this sequence Then, it is easy enough to show that each of the uPreds in this sequence
...@@ -134,7 +134,7 @@ Abort. ...@@ -134,7 +134,7 @@ Abort.
(* The definition of the sequence above: *) (* The definition of the sequence above: *)
Fixpoint uPred_nnupd_k {M} k (P: uPred M) : uPred M := Fixpoint uPred_nnupd_k {M} k (P: uPred M) : uPred M :=
((P - ^k False) - ^k False) ((P - ^k False) - ^k False)
match k with match k with
O => True O => True
| S k' => uPred_nnupd_k k' P | S k' => uPred_nnupd_k k' P
...@@ -155,7 +155,7 @@ Proof. ...@@ -155,7 +155,7 @@ Proof.
rewrite (forall_elim (S k)) //=. rewrite (forall_elim (S k)) //=.
Qed. Qed.
Lemma nnupd_k_elim n k P: n k ((|=n=>_k P) (P - (^n False)) (^n False))%I. Lemma nnupd_k_elim n k P: n k ((|=n=>_k P) (P - (^n False)) (^n False))%I.
Proof. Proof.
induction k. induction k.
- inversion 1; subst; rewrite //= ?right_id. apply wand_elim_l. - inversion 1; subst; rewrite //= ?right_id. apply wand_elim_l.
...@@ -165,10 +165,10 @@ Proof. ...@@ -165,10 +165,10 @@ Proof.
Qed. Qed.
Lemma nnupd_k_unfold k P: Lemma nnupd_k_unfold k P:
(|=n=>_(S k) P) ((P - (^(S k) False)) - (^(S k) False)) (|=n=>_k P). (|=n=>_(S k) P) ((P - (^(S k) False)) - (^(S k) False)) (|=n=>_k P).
Proof. done. Qed. Proof. done. Qed.
Lemma nnupd_k_unfold' k P n x: Lemma nnupd_k_unfold' k P n x:
(|=n=>_(S k) P)%I n x (((P - (^(S k) False)) - (^(S k) False)) (|=n=>_k P))%I n x. (|=n=>_(S k) P)%I n x (((P - (^(S k) False)) - (^(S k) False)) (|=n=>_k P))%I n x.
Proof. done. Qed. Proof. done. Qed.
Lemma nnupd_k_weaken k P: (|=n=>_(S k) P) |=n=>_k P. Lemma nnupd_k_weaken k P: (|=n=>_(S k) P) |=n=>_k P.
...@@ -238,13 +238,13 @@ Proof. ...@@ -238,13 +238,13 @@ Proof.
revert P. revert P.
induction k; intros P. induction k; intros P.
- rewrite //= ?right_id. apply wand_intro_l. - rewrite //= ?right_id. apply wand_intro_l.
rewrite {1}(nnupd_k_intro 0 (P - False)%I) //= ?right_id. apply wand_elim_r. rewrite {1}(nnupd_k_intro 0 (P - False)%I) //= ?right_id. apply wand_elim_r.
- rewrite {2}(nnupd_k_unfold k P). - rewrite {2}(nnupd_k_unfold k P).
apply and_intro. apply and_intro.
* rewrite (nnupd_k_unfold k P). rewrite and_elim_l. * rewrite (nnupd_k_unfold k P). rewrite and_elim_l.
rewrite nnupd_k_unfold. rewrite and_elim_l. rewrite nnupd_k_unfold. rewrite and_elim_l.
apply wand_intro_l. apply wand_intro_l.
rewrite {1}(nnupd_k_intro (S k) (P - ^(S k) (False)%I)). rewrite {1}(nnupd_k_intro (S k) (P - ^(S k) (False)%I)).
rewrite nnupd_k_unfold and_elim_l. apply wand_elim_r. rewrite nnupd_k_unfold and_elim_l. apply wand_elim_r.
* do 2 rewrite nnupd_k_weaken //. * do 2 rewrite nnupd_k_weaken //.
Qed. Qed.
...@@ -21,7 +21,7 @@ Section definitions. ...@@ -21,7 +21,7 @@ Section definitions.
Definition auth_own (a : A) : iProp Σ := Definition auth_own (a : A) : iProp Σ :=
own γ ( a). own γ ( a).
Definition auth_inv (f : T A) (φ : T iProp Σ) : iProp Σ := Definition auth_inv (f : T A) (φ : T iProp Σ) : iProp Σ :=
( t, own γ ( f t) φ t)%I. ( t, own γ ( f t) φ t)%I.
Definition auth_ctx (N : namespace) (f : T A) (φ : T iProp Σ) : iProp Σ := Definition auth_ctx (N : namespace) (f : T A) (φ : T iProp Σ) : iProp Σ :=
inv N (auth_inv f φ). inv N (auth_inv f φ).
...@@ -69,7 +69,7 @@ Section auth. ...@@ -69,7 +69,7 @@ Section auth.
Implicit Types t u : T. Implicit Types t u : T.
Implicit Types γ : gname. Implicit Types γ : gname.
Lemma auth_own_op γ a b : auth_own γ (a b) auth_own γ a auth_own γ b. Lemma auth_own_op γ a b : auth_own γ (a b) auth_own γ a auth_own γ b.
Proof. by rewrite /auth_own -own_op auth_frag_op. Qed. Proof. by rewrite /auth_own -own_op auth_frag_op. Qed.
Global Instance from_sep_auth_own γ a b1 b2 : Global Instance from_sep_auth_own γ a b1 b2 :
...@@ -92,7 +92,7 @@ Section auth. ...@@ -92,7 +92,7 @@ Section auth.
Proof. intros a1 a2. apply auth_own_mono. Qed. Proof. intros a1 a2. apply auth_own_mono. Qed.
Lemma auth_alloc_strong N E t (G : gset gname) : Lemma auth_alloc_strong N E t (G : gset gname) :
(f t) φ t ={E}= γ, (γ G) auth_ctx γ N f φ auth_own γ (f t). (f t) φ t ={E}= γ, (γ G) auth_ctx γ N f φ auth_own γ (f t).
Proof. Proof.
iIntros (?) "Hφ". rewrite /auth_own /auth_ctx. iIntros (?) "Hφ". rewrite /auth_own /auth_ctx.
iMod (own_alloc_strong (Auth (Excl' (f t)) (f t)) G) as (γ) "[% Hγ]"; first done. iMod (own_alloc_strong (Auth (Excl' (f t)) (f t)) G) as (γ) "[% Hγ]"; first done.
...@@ -103,19 +103,19 @@ Section auth. ...@@ -103,19 +103,19 @@ Section auth.
Qed. Qed.
Lemma auth_alloc N E t : Lemma auth_alloc N E t :
(f t) φ t ={E}= γ, auth_ctx γ N f φ auth_own γ (f t). (f t) φ t ={E}= γ, auth_ctx γ N f φ auth_own γ (f t).
Proof. Proof.
iIntros (?) "Hφ". iIntros (?) "Hφ".
iMod (auth_alloc_strong N E t with "Hφ") as (γ) "[_ ?]"; eauto. iMod (auth_alloc_strong N E t with "Hφ") as (γ) "[_ ?]"; eauto.
Qed. Qed.
Lemma auth_empty γ : True == auth_own γ . Lemma auth_empty γ : True == auth_own γ .
Proof. by rewrite /auth_own -own_empty. Qed. Proof. by rewrite /auth_own -own_empty. Qed.
Lemma auth_acc E γ a : Lemma auth_acc E γ a :
auth_inv γ f φ auth_own γ a ={E}= t, auth_inv γ f φ auth_own γ a ={E}= t,
(a f t) φ t u b, (a f t) φ t u b,
((f t, a) ~l~> (f u, b)) φ u ={E}= auth_inv γ f φ auth_own γ b. ((f t, a) ~l~> (f u, b)) φ u ={E}= auth_inv γ f φ auth_own γ b.
Proof. Proof.
iIntros "(Hinv & Hγf)". rewrite /auth_inv /auth_own. iIntros "(Hinv & Hγf)". rewrite /auth_inv /auth_own.
iDestruct "Hinv" as (t) "[>Hγa Hφ]". iDestruct "Hinv" as (t) "[>Hγa Hφ]".
...@@ -129,9 +129,9 @@ Section auth. ...@@ -129,9 +129,9 @@ Section auth.
Lemma auth_open E N γ a : Lemma auth_open E N γ a :
nclose N E nclose N E
auth_ctx γ N f φ auth_own γ a ={E,EN}= t, auth_ctx γ N f φ auth_own γ a ={E,EN}= t,
(a f t) φ t u b, (a f t) φ t u b,
((f t, a) ~l~> (f u, b)) φ u ={EN,E}= auth_own γ b. ((f t, a) ~l~> (f u, b)) φ u ={EN,E}= auth_own γ b.
Proof. Proof.
iIntros (?) "[#? Hγf]". rewrite /auth_ctx. iInv N as "Hinv" "Hclose". iIntros (?) "[#? Hγf]". rewrite /auth_ctx. iInv N as "Hinv" "Hclose".
(* The following is essentially a very trivial composition of the accessors (* The following is essentially a very trivial composition of the accessors
...@@ -22,15 +22,15 @@ Section box_defs. ...@@ -22,15 +22,15 @@ Section box_defs.
own γ (:auth (option (excl bool)), Some (to_agree (Next (iProp_unfold P)))). own γ (:auth (option (excl bool)), Some (to_agree (Next (iProp_unfold P)))).
Definition slice_inv (γ : slice_name) (P : iProp Σ) : iProp Σ := Definition slice_inv (γ : slice_name) (P : iProp Σ) : iProp Σ :=
( b, box_own_auth γ ( Excl' b) box_own_prop γ P if b then P else True)%I. ( b, box_own_auth γ ( Excl' b) box_own_prop γ P if b then P else True)%I.
Definition slice (γ : slice_name) (P : iProp Σ) : iProp Σ := Definition slice (γ : slice_name) (P : iProp Σ) : iProp Σ :=
inv N (slice_inv γ P). inv N (slice_inv γ P).
Definition box (f : gmap slice_name bool) (P : iProp Σ) : iProp Σ := Definition box (f : gmap slice_name bool) (P : iProp Σ) : iProp Σ :=
( Φ : slice_name iProp Σ, ( Φ : slice_name iProp Σ,
(P [ map] γ b f, Φ γ) (P [ map] γ b f, Φ γ)
[ map] γ b f, box_own_auth γ ( Excl' b) box_own_prop γ (Φ γ) [ map] γ b f, box_own_auth γ ( Excl' b) box_own_prop γ (Φ γ)
inv N (slice_inv γ (Φ γ)))%I. inv N (slice_inv γ (Φ γ)))%I.
End box_defs. End box_defs.
...@@ -55,22 +55,22 @@ Global Instance slice_persistent γ P : PersistentP (slice N γ P). ...@@ -55,22 +55,22 @@ Global Instance slice_persistent γ P : PersistentP (slice N γ P).
Proof. apply _. Qed. Proof. apply _. Qed.
Lemma box_own_auth_agree γ b1 b2 : Lemma box_own_auth_agree γ b1 b2 :
box_own_auth γ ( Excl' b1) box_own_auth γ ( Excl' b2) b1 = b2. box_own_auth γ ( Excl' b1) box_own_auth γ ( Excl' b2) b1 = b2.
Proof. Proof.
rewrite /box_own_prop own_valid_2 prod_validI /= and_elim_l. rewrite /box_own_prop own_valid_2 prod_validI /= and_elim_l.
by iDestruct 1 as % [[[] [=]%leibniz_equiv] ?]%auth_valid_discrete. by iDestruct 1 as % [[[] [=]%leibniz_equiv] ?]%auth_valid_discrete.
Qed. Qed.
Lemma box_own_auth_update γ b1 b2 b3 : Lemma box_own_auth_update γ b1 b2 b3 :
box_own_auth γ ( Excl' b1) box_own_auth γ ( Excl' b2) box_own_auth γ ( Excl' b1) box_own_auth γ ( Excl' b2)
== box_own_auth γ ( Excl' b3) box_own_auth γ ( Excl' b3). == box_own_auth γ ( Excl' b3) box_own_auth γ ( Excl' b3).
Proof. Proof.
rewrite /box_own_auth -!own_op. apply own_update, prod_update; last done. rewrite /box_own_auth -!own_op. apply own_update, prod_update; last done.
by apply auth_update, option_local_update, exclusive_local_update. by apply auth_update, option_local_update, exclusive_local_update.
Qed. Qed.
Lemma box_own_agree γ Q1 Q2 : Lemma box_own_agree γ Q1 Q2 :
(box_own_prop γ Q1 box_own_prop γ Q2) (Q1 Q2). (box_own_prop γ Q1 box_own_prop γ Q2) (Q1 Q2).
Proof. Proof.
rewrite /box_own_prop own_valid_2 prod_validI /= and_elim_r. rewrite /box_own_prop own_valid_2 prod_validI /= and_elim_r.
rewrite option_validI /= agree_validI agree_equivI later_equivI /=. rewrite option_validI /= agree_validI agree_equivI later_equivI /=.
...@@ -86,8 +86,8 @@ Proof. ...@@ -86,8 +86,8 @@ Proof.
Qed. Qed.
Lemma box_insert f P Q : Lemma box_insert f P Q :
box N f P ={N}= γ, f !! γ = None box N f P ={N}= γ, f !! γ = None
slice N γ Q box N (<[γ:=false]> f) (Q P). slice N γ Q box N (<[γ:=false]> f) (Q P).
Proof. Proof.
iDestruct 1 as (Φ) "[#HeqP Hf]". iDestruct 1 as (Φ) "[#HeqP Hf]".
iMod (own_alloc_strong ( Excl' false Excl' false, iMod (own_alloc_strong ( Excl' false Excl' false,
...@@ -100,17 +100,17 @@ Proof. ...@@ -100,17 +100,17 @@ Proof.
iModIntro; iExists γ; repeat iSplit; auto. iModIntro; iExists γ; repeat iSplit; auto.
iNext. iExists (<[γ:=Q]> Φ); iSplit. iNext. iExists (<[γ:=Q]> Φ); iSplit.
- iNext. iRewrite "HeqP". by rewrite big_sepM_fn_insert'. - iNext. iRewrite "HeqP". by rewrite big_sepM_fn_insert'.
- rewrite (big_sepM_fn_insert (λ _ _ P', _ _ _ P' _ _ (_ _ P')))%I //. - rewrite (big_sepM_fn_insert (λ _ _ P', _ _ _ P' _ _ (_ _ P')))%I //.
iFrame; eauto. iFrame; eauto.
Qed. Qed.
Lemma box_delete f P Q γ : Lemma box_delete f P Q γ :
f !! γ = Some false f !! γ = Some false
slice N γ Q box N f P ={N}= P', slice N γ Q box N f P ={N}= P',
(P (Q P')) box N (delete γ f) P'. (P (Q P')) box N (delete γ f) P'.
Proof. Proof.
iIntros (?) "[#Hinv H]"; iDestruct "H" as (Φ) "[#HeqP Hf]". iIntros (?) "[#Hinv H]"; iDestruct "H" as (Φ) "[#HeqP Hf]".
iExists ([ map] γ'_ delete γ f, Φ γ')%I. iExists ([ map] γ'_ delete γ f, Φ γ')%I.
iInv N as (b) "(Hγ & #HγQ &_)" "Hclose". iInv N as (b) "(Hγ & #HγQ &_)" "Hclose".
iApply fupd_trans_frame; iFrame "Hclose"; iModIntro; iNext. iApply fupd_trans_frame; iFrame "Hclose"; iModIntro; iNext.
iDestruct (big_sepM_delete _ f _ false with "Hf") iDestruct (big_sepM_delete _ f _ false with "Hf")
...@@ -125,7 +125,7 @@ Qed. ...@@ -125,7 +125,7 @@ Qed.
Lemma box_fill f γ P Q : Lemma box_fill f γ P Q :
f !! γ = Some false f !! γ = Some false
slice N γ Q Q box N f P ={N}= box N (<[γ:=true]> f) P. slice N γ Q Q box N f P ={N}= box N (<[γ:=true]> f) P.
Proof. Proof.
iIntros (?) "(#Hinv & HQ & H)"; iDestruct "H" as (Φ) "[#HeqP Hf]". iIntros (?) "(#Hinv & HQ & H)"; iDestruct "H" as (Φ) "[#HeqP Hf]".
iInv N as (b') "(>Hγ & #HγQ & _)" "Hclose". iInv N as (b') "(>Hγ & #HγQ & _)" "Hclose".
...@@ -143,7 +143,7 @@ Qed. ...@@ -143,7 +143,7 @@ Qed.
Lemma box_empty f P Q γ : Lemma box_empty f P Q γ :
f !! γ = Some true f !! γ = Some true
slice N γ Q box N f P ={N}= Q box N (<[γ:=false]> f) P. slice N γ Q box N f P ={N}= Q box N (<[γ:=false]> f) P.
Proof. Proof.
iIntros (?) "[#Hinv H]"; iDestruct "H" as (Φ) "[#HeqP Hf]". iIntros (?) "[#Hinv H]"; iDestruct "H" as (Φ) "[#HeqP Hf]".
iInv N as (b) "(>Hγ & #HγQ & HQ)" "Hclose". iInv N as (b) "(>Hγ & #HγQ & HQ)" "Hclose".
...@@ -160,7 +160,7 @@ Proof. ...@@ -160,7 +160,7 @@ Proof.
iFrame; eauto. iFrame; eauto.
Qed. Qed.
Lemma box_fill_all f P Q : box N f P P ={N}= box N (const true <$> f) P. Lemma box_fill_all f P Q : box N f P P ={N}= box N (const true <$> f) P.
Proof. Proof.
iIntros "[H HP]"; iDestruct "H" as (Φ) "[#HeqP Hf]". iIntros "[H HP]"; iDestruct "H" as (Φ) "[#HeqP Hf]".
iExists Φ; iSplitR; first by rewrite big_sepM_fmap. iExists Φ; iSplitR; first by rewrite big_sepM_fmap.
...@@ -177,11 +177,11 @@ Qed. ...@@ -177,11 +177,11 @@ Qed.
Lemma box_empty_all f P Q : Lemma box_empty_all f P Q :
map_Forall (λ _, (true =)) f map_Forall (λ _, (true =)) f
box N f P ={N}= P box N (const false <$> f) P. box N f P ={N}= P box N (const false <$> f) P.
Proof. Proof.
iDestruct 1 as (Φ) "[#HeqP Hf]". iDestruct 1 as (Φ) "[#HeqP Hf]".
iAssert ([ map] γ↦b f, Φ γ box_own_auth γ ( Excl' false) iAssert ([ map] γ↦b f, Φ γ box_own_auth γ ( Excl' false)
box_own_prop γ (Φ γ) inv N (slice_inv γ (Φ γ)))%I with ">[Hf]" as "[HΦ ?]". box_own_prop γ (Φ γ) inv N (slice_inv γ (Φ γ)))%I with ">[Hf]" as "[HΦ ?]".
{ iApply (fupd_big_sepM _ _ f); iApply (big_sepM_impl _ _ f); iFrame "Hf". { iApply (fupd_big_sepM _ _ f); iApply (big_sepM_impl _ _ f); iFrame "Hf".
iAlways; iIntros (γ b ?) "(Hγ' & #$ & #$)". iAlways; iIntros (γ b ?) "(Hγ' & #$ & #$)".
assert (true = b) as <- by eauto. assert (true = b) as <- by eauto.
...@@ -32,19 +32,19 @@ Section proofs. ...@@ -32,19 +32,19 @@ Section proofs.
Proof. rewrite /cinv; apply _. Qed. Proof. rewrite /cinv; apply _. Qed.
Lemma cinv_own_op γ q1 q2 : Lemma cinv_own_op γ q1 q2 :
cinv_own γ q1 cinv_own γ q2 cinv_own γ (q1 + q2). cinv_own γ q1 cinv_own γ q2 cinv_own γ (q1 + q2).
Proof. by rewrite /cinv_own own_op. Qed. Proof. by rewrite /cinv_own own_op. Qed.
Lemma cinv_own_half γ q : cinv_own γ (q/2) cinv_own γ (q/2) cinv_own γ q. Lemma cinv_own_half γ q : cinv_own γ (q/2) cinv_own γ (q/2) cinv_own γ q.
Proof. by rewrite cinv_own_op Qp_div_2. Qed. Proof. by rewrite cinv_own_op Qp_div_2. Qed.
Lemma cinv_own_valid γ q1 q2 : cinv_own γ q1 cinv_own γ q2 (q1 + q2)%Qp. Lemma cinv_own_valid γ q1 q2 : cinv_own γ q1 cinv_own γ q2 (q1 + q2)%Qp.
Proof. rewrite /cinv_own own_valid_2. by iIntros "% !%". Qed. Proof. rewrite /cinv_own own_valid_2. by iIntros "% !%". Qed.
Lemma cinv_own_1_l γ q : cinv_own γ 1 cinv_own γ q False. Lemma cinv_own_1_l γ q : cinv_own γ 1 cinv_own γ q False.
Proof. rewrite cinv_own_valid. by iIntros (?%(exclusive_l 1%Qp)). Qed. Proof. rewrite cinv_own_valid. by iIntros (?%(exclusive_l 1%Qp)). Qed.
Lemma cinv_alloc E N P : P ={E}= γ, cinv N γ P cinv_own γ 1. Lemma cinv_alloc E N P : P ={E}= γ, cinv N γ P cinv_own γ 1.
Proof. Proof.
rewrite /cinv /cinv_own. iIntros "HP". rewrite /cinv /cinv_own. iIntros "HP".
iMod (own_alloc 1%Qp) as (γ) "H1"; first done. iMod (own_alloc 1%Qp) as (γ) "H1"; first done.
...@@ -52,7 +52,7 @@ Section proofs. ...@@ -52,7 +52,7 @@ Section proofs.
Qed. Qed.
Lemma cinv_cancel E N γ P : Lemma cinv_cancel E N γ P :
nclose N E cinv N γ P cinv_own γ 1 ={E}= P. nclose N E cinv N γ P cinv_own γ 1 ={E}= P.
Proof. Proof.
rewrite /cinv. iIntros (?) "#Hinv Hγ". rewrite /cinv. iIntros (?) "#Hinv Hγ".
iInv N as "[$|>Hγ']" "Hclose"; first iApply "Hclose"; eauto. iInv N as "[$|>Hγ']" "Hclose"; first iApply "Hclose"; eauto.
...@@ -61,7 +61,7 @@ Section proofs. ...@@ -61,7 +61,7 @@ Section proofs.
Lemma cinv_open E N γ p P : Lemma cinv_open E N γ p P :
nclose N E nclose N E
cinv N γ P cinv_own γ p ={E,EN}= P cinv_own γ p ( P ={EN,E}= True). cinv N γ P cinv_own γ p ={E,EN}= P cinv_own γ p ( P ={EN,E}= True).
Proof. Proof.
rewrite /cinv. iIntros (?) "#Hinv Hγ". rewrite /cinv. iIntros (?) "#Hinv Hγ".
iInv N as "[$|>Hγ']" "Hclose". iInv N as "[$|>Hγ']" "Hclose".
...@@ -13,13 +13,13 @@ Module savedprop. Section savedprop. ...@@ -13,13 +13,13 @@ Module savedprop. Section savedprop.
Context (sprop : Type) (saved : sprop iProp iProp). Context (sprop : Type) (saved : sprop iProp iProp).
Hypothesis sprop_persistent : i P, PersistentP (saved i P). Hypothesis sprop_persistent : i P, PersistentP (saved i P).
Hypothesis sprop_alloc_dep : Hypothesis sprop_alloc_dep :
(P : sprop iProp), True == ( i, saved i (P i)). (P : sprop iProp), True == ( i, saved i (P i)).
Hypothesis sprop_agree : i P Q, saved i P saved i Q (P Q). Hypothesis sprop_agree : i P Q, saved i P saved i Q (P Q).
(** A bad recursive reference: "Assertion with name [i] does not hold" *) (** A bad recursive reference: "Assertion with name [i] does not hold" *)
Definition A (i : sprop) : iProp := P, ¬ P saved i P. Definition A (i : sprop) : iProp := P, ¬ P saved i P.
Lemma A_alloc : True == i, saved i (A i). Lemma A_alloc : True == i, saved i (A i).
Proof. by apply sprop_alloc_dep. Qed. Proof. by apply sprop_alloc_dep. Qed.
Lemma saved_NA i : saved i (A i) ¬ A i. Lemma saved_NA i : saved i (A i) ¬ A i.
...@@ -63,7 +63,7 @@ Module inv. Section inv. ...@@ -63,7 +63,7 @@ Module inv. Section inv.
Hypothesis fupd_intro : E P, P fupd E P. Hypothesis fupd_intro : E P, P fupd E P.
Hypothesis fupd_mono : E P Q, (P Q) fupd E P fupd E Q. Hypothesis fupd_mono : E P Q, (P Q) fupd E P fupd E Q.
Hypothesis fupd_fupd : E P, fupd E (fupd E P) fupd E P. Hypothesis fupd_fupd : E P, fupd E (fupd E P) fupd E P.
Hypothesis fupd_frame_l : E P Q, P fupd E Q fupd E (P Q). Hypothesis fupd_frame_l : E P Q, P fupd E Q fupd E (P Q).
Hypothesis fupd_mask_mono : P, fupd M0 P fupd M1 P. Hypothesis fupd_mask_mono : P, fupd M0 P fupd M1 P.
(** We have invariants *) (** We have invariants *)
...@@ -71,7 +71,7 @@ Module inv. Section inv. ...@@ -71,7 +71,7 @@ Module inv. Section inv.
Hypothesis inv_persistent : i P, PersistentP (inv i P). Hypothesis inv_persistent : i P, PersistentP (inv i P).
Hypothesis inv_alloc : P, P fupd M1 ( i, inv i P). Hypothesis inv_alloc : P, P fupd M1 ( i, inv i P).
Hypothesis inv_open : Hypothesis inv_open :
i P Q R, (P Q fupd M0 (P R)) (inv i P Q fupd M1 R). i P Q R, (P Q fupd M0 (P R)) (inv i P Q fupd M1 R).
(* We have tokens for a little "two-state STS": [start] -> [finish]. (* We have tokens for a little "two-state STS": [start] -> [finish].
state. [start] also asserts the exact state; it is only ever owned by the state. [start] also asserts the exact state; it is only ever owned by the
...@@ -88,15 +88,15 @@ Module inv. Section inv. ...@@ -88,15 +88,15 @@ Module inv. Section inv.
Hypothesis sts_alloc : True fupd M0 ( γ, start γ). Hypothesis sts_alloc : True fupd M0 ( γ, start γ).
Hypotheses start_finish : γ, start γ fupd M0 (finished γ). Hypotheses start_finish : γ, start γ fupd M0 (finished γ).
Hypothesis finished_not_start : γ, start γ finished γ False. Hypothesis finished_not_start : γ, start γ finished γ False.
Hypothesis finished_dup : γ, finished γ finished γ finished γ. Hypothesis finished_dup : γ, finished γ finished γ finished γ.
(** We assume that we cannot update to false. *) (** We assume that we cannot update to false. *)
Hypothesis consistency : ¬ (True fupd M1 False). Hypothesis consistency : ¬ (True fupd M1 False).
(** Some general lemmas and proof mode compatibility. *) (** Some general lemmas and proof mode compatibility. *)
Lemma inv_open' i P R : inv i P (P - fupd M0 (P fupd M1 R)) fupd M1 R. Lemma inv_open' i P R : inv i P (P - fupd M0 (P fupd M1 R)) fupd M1 R.