@@ -250,48 +250,77 @@ This basically just copies the second branch (the non-value case) of the definit

...

@@ -250,48 +250,77 @@ This basically just copies the second branch (the non-value case) of the definit

\paragraph{Adequacy of weakest precondition.}

\paragraph{Adequacy of weakest precondition.}

\newcommand\traceprop{\Sigma}

The purpose of the adequacy statement is to show that our notion of weakest preconditions is \emph{realistic} in the sense that it actually has anything to do with the actual behavior of the program.

The purpose of the adequacy statement is to show that our notion of weakest preconditions is \emph{realistic} in the sense that it actually has anything to do with the actual behavior of the program.

There are two properties we are looking for: First of all, the postcondition should reflect actual properties of the values the program can terminate with.

The most general form of the adequacy statement is about proving properties of arbitrary program executions.

Second, a proof of a weakest precondition with any postcondition should imply that the program is \emph{safe}, \ie that it does not get stuck.

That is, the goal is to prove a statement of the form

A program $\expr$ in some initial state $\state$ is \emph{adequate} for stuckness $\stuckness$ and a set $V \subseteq\Val\times\State$ of legal return-value-final-state combinations (written $\expr, \state\vDash_\stuckness V$) if for all $\tpool', \state'$ such that $([\expr], \state)\tpsteps[\vec\obs](\tpool', \state')$ we have

\]

\begin{enumerate}

for some \emph{meta-level} relation $\traceprop$ characterizing the ``trace property'' we are interested in.

\item Safety: If $\stuckness=\NotStuck$, then for any $\expr' \in\tpool'$ we have that either $\expr'$ is a

value, or \(\red(\expr'_i,\state')\):

To state the adequacy theorem, we need a way to talk about $\traceprop$ inside Iris.

\item Legal return value: If $\tpool'_1$ (the main thread) is a value $\val'$, then $\val' \in V$:

Furthermore, we assume that the \emph{interpretation}$\Sem{\hat{\traceprop}}$ of $\hat{\traceprop}$ reflects $\traceprop$ (also see \Sref{sec:model}):

\[\All\val',\tpool''. \tpool' =[\val']\dplus\tpool'' \Ra(\val',\state')\in V \]

\end{enumerate}

\end{defn}

To express the adequacy statement for functional correctness, we assume that the signature $\Sig$ adds a predicate $\pred$ to the logic:

\[\pred : \Val\times\State\to\Prop\in\SigFn\]

Furthermore, we assume that the \emph{interpretation}$\Sem\pred$ of $\pred$ reflects some set $V$ of legal return values and final states into the logic (also see \Sref{sec:model}):

Notice that the state invariant $S$ used by the weakest precondition is chosen \emph{after} doing a fancy update, which allows it to depend on the names of ghost variables that are picked in that initial fancy update.

In other words, to show that $\traceprop$ holds for all possible executions of the program, we have to prove an entailment in Iris that, starting from the empty context, proves that the initial state interpretation holds, proves a weakest precondition, \emph{and} proves that $\hat{\traceprop}$ holds under the following assumptions:

Also, notice that the proof of $\expr$ must be performed with a universally quantified list of observations $\vec\obs$, but the \emph{entire} list is known to the proof from the beginning.

\begin{itemize}

\item The final thread-pool $\tpool_1$ contains the final state of the main thread $\expr_1$, and any number of additional threads in $\tpool_1'$.

\item If this is a stuck-free weakest precondition, then all threads in the final thread-pool are either values or are reducible in the final state $\state_1$.

\item The state interpretation holds for the final state.

\item If the main thread reduced to a value, the post-condition $\pred$ of the weakest precondition holds for that value.

\item If any other thread reduced to a value, the forked-thread post-condition $\pred_F$ holds for that value.

\end{itemize}

Notice also that the adequacy statement quantifies over the program trace only once, so it can be easily specialized to, say, some particular initial state $\state_0$.

This lets us show properties that only hold for some executions.

Furthermore, the state invariant $S$ used by the weakest precondition is chosen \emph{after} doing a fancy update, which allows it to depend on the names of ghost variables that are picked in that initial fancy update.

As an example for how to use this adequacy theorem, let us say we wanted to prove that a program $\expr_0$ for which we derived a $\NotStuck$ weakest-precondition cannot get stuck.

The following variant of adequacy also allows exploiting the second parameter of $\stateinterp$, the number of threads, but only applies when \emph{all} threads have reduced to a value:

Similarly, if we wanted to show that the final value of the main thread is always in some set $V \subseteq\Val$, we could pick