From 0c801b0975429fd4a5524dc52a8f6846f456f5a1 Mon Sep 17 00:00:00 2001
From: Ralf Jung <jung@mpi-sws.org>
Date: Tue, 9 Feb 2016 20:32:44 +0100
Subject: [PATCH] some comments

---
 program_logic/invariants.v  | 13 +++++++------
 program_logic/pviewshifts.v |  5 +++++
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/program_logic/invariants.v b/program_logic/invariants.v
index f7d0f9801..6a6b20872 100644
--- a/program_logic/invariants.v
+++ b/program_logic/invariants.v
@@ -64,12 +64,13 @@ Global Instance inv_always_stable N P : AlwaysStable (inv N P) := _.
 Lemma always_inv N P : (â–¡ inv N P)%I â‰¡ inv N P.
 Proof. by rewrite always_always. Qed.
 
-(* We actually pretty much lose the abolity to deal with mask-changing view
-   shifts when using `inv`. This is because we cannot exactly name the invariants
-   any more. But that's okay; all this means is that sugar like the atomic
-   triples will have to prove its own version of the open_close rule
-   by unfolding `inv`. *)
-(* TODO Can we prove something that helps for both open_close lemmas? *)
+(* There is not really a way to provide versions of pvs_openI and pvs_closeI
+   that work with inv. The issue is that these rules track the exact current
+   mask too precisely. However, we *can* provide abstract rules by
+   performing both the opening and the closing of the invariant in the rule,
+   and then implicitly framing all the unused invariants around the
+   "inner" view shift provided by the client. *)
+
 Lemma pvs_open_close E N P Q :
   nclose N âŠ† E â†’
   (inv N P âˆ§ (â–·P -â˜… pvs (E âˆ– nclose N) (E âˆ– nclose N) (â–·P â˜… Q))) âŠ‘ pvs E E Q.
diff --git a/program_logic/pviewshifts.v b/program_logic/pviewshifts.v
index 7e05716b7..8574c679c 100644
--- a/program_logic/pviewshifts.v
+++ b/program_logic/pviewshifts.v
@@ -158,6 +158,11 @@ Lemma pvs_mask_frame_mono E1 E1' E2 E2' P Q :
   P âŠ‘ Q â†’ pvs E1' E2' P âŠ‘ pvs E1 E2 Q.
 Proof. intros HE1 HE2 HEE ->. by apply pvs_mask_frame'. Qed.
 
+(* It should be possible to give a stronger version of this rule
+   that does not force the conclusion view shift to have twice the
+   same mask. However, even expressing the side-conditions on the
+   mask becomes really ugly then, and we have now found an instance
+   where that would be useful. *)
 Lemma pvs_trans3 E1 E2 Q :
   E2 âŠ† E1 â†’ pvs E1 E2 (pvs E2 E2 (pvs E2 E1 Q)) âŠ‘ pvs E1 E1 Q.
 Proof.
-- 
GitLab