weakestpre.v 12.6 KB
Newer Older
1 2
From iris.base_logic.lib Require Export fancy_updates.
From iris.program_logic Require Export language.
3
From iris.bi Require Export weakestpre.
4
From iris.proofmode Require Import base tactics classes.
5
Set Default Proof Using "Type".
6 7
Import uPred.

8
Class irisG' (Λstate Λobservation : Type) (Σ : gFunctors) := IrisG {
9
  iris_invG :> invG Σ;
10
  state_interp : Λstate  list Λobservation  iProp Σ;
11
}.
12
Notation irisG Λ Σ := (irisG' (state Λ) (observation Λ) Σ).
13
Global Opaque iris_invG.
14

15
Definition wp_pre `{irisG Λ Σ} (s : stuckness)
16
    (wp : coPset -c> expr Λ -c> (val Λ -c> iProp Σ) -c> iProp Σ) :
Robbert Krebbers's avatar
Robbert Krebbers committed
17 18 19
    coPset -c> expr Λ -c> (val Λ -c> iProp Σ) -c> iProp Σ := λ E e1 Φ,
  match to_val e1 with
  | Some v => |={E}=> Φ v
20 21 22 23 24
  | None =>  σ1 κ κs,
      state_interp σ1 (cons_obs κ κs) ={E,}=
        if s is NotStuck then reducible e1 σ1 else True 
         e2 σ2 efs, prim_step e1 σ1 κ e2 σ2 efs ={,,E}=
          state_interp σ2 κs  wp E e2 Φ  [ list] ef  efs, wp  ef (λ _, True)
Robbert Krebbers's avatar
Robbert Krebbers committed
25
  end%I.
Robbert Krebbers's avatar
Robbert Krebbers committed
26

27
Local Instance wp_pre_contractive `{irisG Λ Σ} s : Contractive (wp_pre s).
28 29
Proof.
  rewrite /wp_pre=> n wp wp' Hwp E e1 Φ.
30
  repeat (f_contractive || f_equiv); apply Hwp.
Robbert Krebbers's avatar
Robbert Krebbers committed
31
Qed.
32

33
Definition wp_def `{irisG Λ Σ} (s : stuckness) :
34
  coPset  expr Λ  (val Λ  iProp Σ)  iProp Σ := fixpoint (wp_pre s).
35 36 37
Definition wp_aux `{irisG Λ Σ} : seal (@wp_def Λ Σ _). by eexists. Qed.
Instance wp' `{irisG Λ Σ} : Wp Λ (iProp Σ) stuckness := wp_aux.(unseal).
Definition wp_eq `{irisG Λ Σ} : wp = @wp_def Λ Σ _ := wp_aux.(seal_eq).
38

Robbert Krebbers's avatar
Robbert Krebbers committed
39
Section wp.
40
Context `{irisG Λ Σ}.
41
Implicit Types s : stuckness.
42 43
Implicit Types P : iProp Σ.
Implicit Types Φ : val Λ  iProp Σ.
44 45
Implicit Types v : val Λ.
Implicit Types e : expr Λ.
Robbert Krebbers's avatar
Robbert Krebbers committed
46

47
(* Weakest pre *)
48 49
Lemma wp_unfold s E e Φ :
  WP e @ s; E {{ Φ }}  wp_pre s (wp (PROP:=iProp Σ)  s) E e Φ.
50
Proof. rewrite wp_eq. apply (fixpoint_unfold (wp_pre s)). Qed.
51

52
Global Instance wp_ne s E e n :
53
  Proper (pointwise_relation _ (dist n) ==> dist n) (wp (PROP:=iProp Σ) s E e).
Robbert Krebbers's avatar
Robbert Krebbers committed
54
Proof.
55
  revert e. induction (lt_wf n) as [n _ IH]=> e Φ Ψ HΦ.
56 57 58 59
  rewrite !wp_unfold /wp_pre.
  (* FIXME: figure out a way to properly automate this proof *)
  (* FIXME: reflexivity, as being called many times by f_equiv and f_contractive
  is very slow here *)
60
  do 22 (f_contractive || f_equiv). apply IH; first lia.
Ralf Jung's avatar
Ralf Jung committed
61
  intros v. eapply dist_le; eauto with lia.
Robbert Krebbers's avatar
Robbert Krebbers committed
62
Qed.
63
Global Instance wp_proper s E e :
64
  Proper (pointwise_relation _ () ==> ()) (wp (PROP:=iProp Σ) s E e).
Robbert Krebbers's avatar
Robbert Krebbers committed
65
Proof.
66
  by intros Φ Φ' ?; apply equiv_dist=>n; apply wp_ne=>v; apply equiv_dist.
Robbert Krebbers's avatar
Robbert Krebbers committed
67
Qed.
68

69
Lemma wp_value' s E Φ v : Φ v  WP of_val v @ s; E {{ Φ }}.
Robbert Krebbers's avatar
Robbert Krebbers committed
70
Proof. iIntros "HΦ". rewrite wp_unfold /wp_pre to_of_val. auto. Qed.
71
Lemma wp_value_inv' s E Φ v : WP of_val v @ s; E {{ Φ }} ={E}= Φ v.
Robbert Krebbers's avatar
Robbert Krebbers committed
72
Proof. by rewrite wp_unfold /wp_pre to_of_val. Qed.
Robbert Krebbers's avatar
Robbert Krebbers committed
73

74 75
Lemma wp_strong_mono s1 s2 E1 E2 e Φ Ψ :
  s1  s2  E1  E2 
76
  WP e @ s1; E1 {{ Φ }} - ( v, Φ v ={E2}= Ψ v) - WP e @ s2; E2 {{ Ψ }}.
77
Proof.
78
  iIntros (? HE) "H HΦ". iLöb as "IH" forall (e E1 E2 HE Φ Ψ).
79
  rewrite !wp_unfold /wp_pre.
Robbert Krebbers's avatar
Robbert Krebbers committed
80
  destruct (to_val e) as [v|] eqn:?.
81
  { iApply ("HΦ" with "[> -]"). by iApply (fupd_mask_mono E1 _). }
82
  iIntros (σ1 κ κs) "Hσ". iMod (fupd_intro_mask' E2 E1) as "Hclose"; first done.
83
  iMod ("H" with "[$]") as "[% H]".
84
  iModIntro. iSplit; [by destruct s1, s2|]. iIntros (e2 σ2 efs Hstep).
85
  iMod ("H" with "[//]") as "H". iIntros "!> !>". iMod "H" as "($ & H & Hefs)".
86
  iMod "Hclose" as "_". iModIntro. iSplitR "Hefs".
87
  - iApply ("IH" with "[//] H HΦ").
88
  - iApply (big_sepL_impl with "[$Hefs]"); iIntros "!#" (k ef _) "H".
89
    by iApply ("IH" with "[] H").
90 91 92
Qed.

Lemma fupd_wp s E e Φ : (|={E}=> WP e @ s; E {{ Φ }})  WP e @ s; E {{ Φ }}.
Robbert Krebbers's avatar
Robbert Krebbers committed
93
Proof.
94
  rewrite wp_unfold /wp_pre. iIntros "H". destruct (to_val e) as [v|] eqn:?.
Robbert Krebbers's avatar
Robbert Krebbers committed
95
  { by iMod "H". }
96
  iIntros (σ1 κ κs) "Hσ1". iMod "H". by iApply "H".
97
Qed.
98
Lemma wp_fupd s E e Φ : WP e @ s; E {{ v, |={E}=> Φ v }}  WP e @ s; E {{ Φ }}.
99
Proof. iIntros "H". iApply (wp_strong_mono s s E with "H"); auto. Qed.
100

Ralf Jung's avatar
Ralf Jung committed
101
Lemma wp_atomic s E1 E2 e Φ `{!Atomic (stuckness_to_atomicity s) e} :
102
  (|={E1,E2}=> WP e @ s; E2 {{ v, |={E2,E1}=> Φ v }})  WP e @ s; E1 {{ Φ }}.
Robbert Krebbers's avatar
Robbert Krebbers committed
103
Proof.
David Swasey's avatar
David Swasey committed
104
  iIntros "H". rewrite !wp_unfold /wp_pre.
Robbert Krebbers's avatar
Robbert Krebbers committed
105 106
  destruct (to_val e) as [v|] eqn:He.
  { by iDestruct "H" as ">>> $". }
107 108
  iIntros (σ1 κ κs) "Hσ". iMod "H". iMod ("H" $! σ1 with "Hσ") as "[$ H]".
  iModIntro. iIntros (e2 σ2 efs Hstep).
109
  iMod ("H" with "[//]") as "H". iIntros "!>!>". iMod "H" as "(Hphy & H & $)". destruct s.
110
  - rewrite !wp_unfold /wp_pre. destruct (to_val e2) as [v2|] eqn:He2.
David Swasey's avatar
David Swasey committed
111
    + iDestruct "H" as ">> $". by iFrame.
112
    + iMod ("H" $! _ None with "[$]") as "[H _]". iDestruct "H" as %(? & ? & ? & ? & ?).
113 114
      by edestruct (atomic _ _ _ _ _ Hstep).
  - destruct (atomic _ _ _ _ _ Hstep) as [v <-%of_to_val].
115
    iMod (wp_value_inv' with "H") as ">H". iFrame "Hphy". by iApply wp_value'.
Robbert Krebbers's avatar
Robbert Krebbers committed
116
Qed.
117

118
Lemma wp_step_fupd s E1 E2 e P Φ :
119
  to_val e = None  E2  E1 
120
  (|={E1,E2}=> P) - WP e @ s; E2 {{ v, P ={E1}= Φ v }} - WP e @ s; E1 {{ Φ }}.
121
Proof.
Robbert Krebbers's avatar
Robbert Krebbers committed
122
  rewrite !wp_unfold /wp_pre. iIntros (-> ?) "HR H".
123 124
  iIntros (σ1 κ κs) "Hσ". iMod "HR". iMod ("H" with "[$]") as "[$ H]".
  iIntros "!>" (e2 σ2 efs Hstep). iMod ("H" $! e2 σ2 efs with "[% //]") as "H".
125
  iIntros "!>!>". iMod "H" as "($ & H & $)".
126 127
  iMod "HR". iModIntro. iApply (wp_strong_mono s s E2 with "H"); [done..|].
  iIntros (v) "H". by iApply "H".
Robbert Krebbers's avatar
Robbert Krebbers committed
128
Qed.
129

130
Lemma wp_bind K `{!LanguageCtx K} s E e Φ :
131
  WP e @ s; E {{ v, WP K (of_val v) @ s; E {{ Φ }} }}  WP K e @ s; E {{ Φ }}.
Robbert Krebbers's avatar
Robbert Krebbers committed
132
Proof.
133
  iIntros "H". iLöb as "IH" forall (E e Φ). rewrite wp_unfold /wp_pre.
Robbert Krebbers's avatar
Robbert Krebbers committed
134 135 136
  destruct (to_val e) as [v|] eqn:He.
  { apply of_to_val in He as <-. by iApply fupd_wp. }
  rewrite wp_unfold /wp_pre fill_not_val //.
137
  iIntros (σ1 κ κs) "Hσ". iMod ("H" with "[$]") as "[% H]". iModIntro; iSplit.
138 139
  { iPureIntro. destruct s; last done.
    unfold reducible in *. naive_solver eauto using fill_step. }
140
  iIntros (e2 σ2 efs Hstep).
141
  destruct (fill_step_inv e σ1 κ e2 σ2 efs) as (e2'&->&?); auto.
142
  iMod ("H" $! e2' σ2 efs with "[//]") as "H". iIntros "!>!>".
143
  iMod "H" as "($ & H & $)". by iApply "IH".
Robbert Krebbers's avatar
Robbert Krebbers committed
144 145
Qed.

146
Lemma wp_bind_inv K `{!LanguageCtx K} s E e Φ :
147
  WP K e @ s; E {{ Φ }}  WP e @ s; E {{ v, WP K (of_val v) @ s; E {{ Φ }} }}.
148 149 150 151 152
Proof.
  iIntros "H". iLöb as "IH" forall (E e Φ). rewrite !wp_unfold /wp_pre.
  destruct (to_val e) as [v|] eqn:He.
  { apply of_to_val in He as <-. by rewrite !wp_unfold /wp_pre. }
  rewrite fill_not_val //.
153
  iIntros (σ1 κ κs) "Hσ". iMod ("H" with "[$]") as "[% H]". iModIntro; iSplit.
154
  { destruct s; eauto using reducible_fill. }
155 156
  iIntros (e2 σ2 efs Hstep).
  iMod ("H" $! (K e2) σ2 efs with "[]") as "H"; [by eauto using fill_step|].
157
  iIntros "!>!>". iMod "H" as "($ & H & $)". by iApply "IH".
158 159
Qed.

160
(** * Derived rules *)
161
Lemma wp_mono s E e Φ Ψ : ( v, Φ v  Ψ v)  WP e @ s; E {{ Φ }}  WP e @ s; E {{ Ψ }}.
162
Proof.
163 164
  iIntros (HΦ) "H"; iApply (wp_strong_mono with "H"); auto.
  iIntros (v) "?". by iApply HΦ.
165
Qed.
David Swasey's avatar
David Swasey committed
166
Lemma wp_stuck_mono s1 s2 E e Φ :
167
  s1  s2  WP e @ s1; E {{ Φ }}  WP e @ s2; E {{ Φ }}.
168
Proof. iIntros (?) "H". iApply (wp_strong_mono with "H"); auto. Qed.
169 170 171
Lemma wp_stuck_weaken s E e Φ :
  WP e @ s; E {{ Φ }}  WP e @ E ?{{ Φ }}.
Proof. apply wp_stuck_mono. by destruct s. Qed.
172
Lemma wp_mask_mono s E1 E2 e Φ : E1  E2  WP e @ s; E1 {{ Φ }}  WP e @ s; E2 {{ Φ }}.
173
Proof. iIntros (?) "H"; iApply (wp_strong_mono with "H"); auto. Qed.
174
Global Instance wp_mono' s E e :
175
  Proper (pointwise_relation _ () ==> ()) (wp (PROP:=iProp Σ) s E e).
176
Proof. by intros Φ Φ' ?; apply wp_mono. Qed.
177

178 179
Lemma wp_value s E Φ e v : IntoVal e v  Φ v  WP e @ s; E {{ Φ }}.
Proof. intros <-. by apply wp_value'. Qed.
180
Lemma wp_value_fupd' s E Φ v : (|={E}=> Φ v)  WP of_val v @ s; E {{ Φ }}.
181
Proof. intros. by rewrite -wp_fupd -wp_value'. Qed.
182 183
Lemma wp_value_fupd s E Φ e v `{!IntoVal e v} :
  (|={E}=> Φ v)  WP e @ s; E {{ Φ }}.
184
Proof. intros. rewrite -wp_fupd -wp_value //. Qed.
185 186
Lemma wp_value_inv s E Φ e v : IntoVal e v  WP e @ s; E {{ Φ }} ={E}= Φ v.
Proof. intros <-. by apply wp_value_inv'. Qed.
187

188
Lemma wp_frame_l s E e Φ R : R  WP e @ s; E {{ Φ }}  WP e @ s; E {{ v, R  Φ v }}.
189
Proof. iIntros "[? H]". iApply (wp_strong_mono with "H"); auto with iFrame. Qed.
190
Lemma wp_frame_r s E e Φ R : WP e @ s; E {{ Φ }}  R  WP e @ s; E {{ v, Φ v  R }}.
191
Proof. iIntros "[H ?]". iApply (wp_strong_mono with "H"); auto with iFrame. Qed.
192

193
Lemma wp_frame_step_l s E1 E2 e Φ R :
194
  to_val e = None  E2  E1 
195
  (|={E1,E2}=> R)  WP e @ s; E2 {{ Φ }}  WP e @ s; E1 {{ v, R  Φ v }}.
196
Proof.
197
  iIntros (??) "[Hu Hwp]". iApply (wp_step_fupd with "Hu"); try done.
198 199
  iApply (wp_mono with "Hwp"). by iIntros (?) "$$".
Qed.
200
Lemma wp_frame_step_r s E1 E2 e Φ R :
201
  to_val e = None  E2  E1 
202
  WP e @ s; E2 {{ Φ }}  (|={E1,E2}=> R)  WP e @ s; E1 {{ v, Φ v  R }}.
Ralf Jung's avatar
Ralf Jung committed
203
Proof.
204
  rewrite [(WP _ @ _; _ {{ _ }}  _)%I]comm; setoid_rewrite (comm _ _ R).
205
  apply wp_frame_step_l.
Ralf Jung's avatar
Ralf Jung committed
206
Qed.
207 208 209 210 211 212 213 214 215
Lemma wp_frame_step_l' s E e Φ R :
  to_val e = None   R  WP e @ s; E {{ Φ }}  WP e @ s; E {{ v, R  Φ v }}.
Proof. iIntros (?) "[??]". iApply (wp_frame_step_l s E E); try iFrame; eauto. Qed.
Lemma wp_frame_step_r' s E e Φ R :
  to_val e = None  WP e @ s; E {{ Φ }}   R  WP e @ s; E {{ v, Φ v  R }}.
Proof. iIntros (?) "[??]". iApply (wp_frame_step_r s E E); try iFrame; eauto. Qed.

Lemma wp_wand s E e Φ Ψ :
  WP e @ s; E {{ Φ }} - ( v, Φ v - Ψ v) - WP e @ s; E {{ Ψ }}.
216
Proof.
217 218
  iIntros "Hwp H". iApply (wp_strong_mono with "Hwp"); auto.
  iIntros (?) "?". by iApply "H".
219
Qed.
220 221
Lemma wp_wand_l s E e Φ Ψ :
  ( v, Φ v - Ψ v)  WP e @ s; E {{ Φ }}  WP e @ s; E {{ Ψ }}.
Robbert Krebbers's avatar
Robbert Krebbers committed
222
Proof. iIntros "[H Hwp]". iApply (wp_wand with "Hwp H"). Qed.
223 224
Lemma wp_wand_r s E e Φ Ψ :
  WP e @ s; E {{ Φ }}  ( v, Φ v - Ψ v)  WP e @ s; E {{ Ψ }}.
Robbert Krebbers's avatar
Robbert Krebbers committed
225
Proof. iIntros "[Hwp H]". iApply (wp_wand with "Hwp H"). Qed.
Robbert Krebbers's avatar
Robbert Krebbers committed
226
End wp.
227 228 229 230 231 232 233

(** Proofmode class instances *)
Section proofmode_classes.
  Context `{irisG Λ Σ}.
  Implicit Types P Q : iProp Σ.
  Implicit Types Φ : val Λ  iProp Σ.

234
  Global Instance frame_wp p s E e R Φ Ψ :
235
    ( v, Frame p R (Φ v) (Ψ v)) 
236 237
    Frame p R (WP e @ s; E {{ Φ }}) (WP e @ s; E {{ Ψ }}).
  Proof. rewrite /Frame=> HR. rewrite wp_frame_l. apply wp_mono, HR. Qed.
238

239
  Global Instance is_except_0_wp s E e Φ : IsExcept0 (WP e @ s; E {{ Φ }}).
240
  Proof. by rewrite /IsExcept0 -{2}fupd_wp -except_0_fupd -fupd_intro. Qed.
241

242 243 244 245 246 247 248 249 250 251 252 253 254 255 256
  Global Instance elim_modal_bupd_wp p s E e P Φ :
    ElimModal True p false (|==> P) P (WP e @ s; E {{ Φ }}) (WP e @ s; E {{ Φ }}).
  Proof.
    by rewrite /ElimModal intuitionistically_if_elim
      (bupd_fupd E) fupd_frame_r wand_elim_r fupd_wp.
  Qed.

  Global Instance elim_modal_fupd_wp p s E e P Φ :
    ElimModal True p false (|={E}=> P) P (WP e @ s; E {{ Φ }}) (WP e @ s; E {{ Φ }}).
  Proof.
    by rewrite /ElimModal intuitionistically_if_elim
      fupd_frame_r wand_elim_r fupd_wp.
  Qed.

  Global Instance elim_modal_fupd_wp_atomic p s E1 E2 e P Φ :
Ralf Jung's avatar
Ralf Jung committed
257
    Atomic (stuckness_to_atomicity s) e 
258
    ElimModal True p false (|={E1,E2}=> P) P
259
            (WP e @ s; E1 {{ Φ }}) (WP e @ s; E2 {{ v, |={E2,E1}=> Φ v }})%I.
260 261 262 263
  Proof.
    intros. by rewrite /ElimModal intuitionistically_if_elim
      fupd_frame_r wand_elim_r wp_atomic.
  Qed.
264 265 266 267

  Global Instance add_modal_fupd_wp s E e P Φ :
    AddModal (|={E}=> P) P (WP e @ s; E {{ Φ }}).
  Proof. by rewrite /AddModal fupd_frame_r wand_elim_r fupd_wp. Qed.
Ralf Jung's avatar
Ralf Jung committed
268

Ralf Jung's avatar
Ralf Jung committed
269
  Global Instance elim_acc_wp {X} E1 E2 α β γ e s Φ :
Ralf Jung's avatar
Ralf Jung committed
270
    Atomic (stuckness_to_atomicity s) e 
271 272
    ElimAcc (X:=X) (fupd E1 E2) (fupd E2 E1)
            α β γ (WP e @ s; E1 {{ Φ }})
273
            (λ x, WP e @ s; E2 {{ v, |={E2}=> β x  (γ x -? Φ v) }})%I.
Ralf Jung's avatar
Ralf Jung committed
274
  Proof.
275
    intros ?. rewrite /ElimAcc.
276 277
    iIntros "Hinner >Hacc". iDestruct "Hacc" as (x) "[Hα Hclose]".
    iApply (wp_wand with "[Hinner Hα]"); first by iApply "Hinner".
278
    iIntros (v) ">[Hβ HΦ]". iApply "HΦ". by iApply "Hclose".
Ralf Jung's avatar
Ralf Jung committed
279 280
  Qed.

Ralf Jung's avatar
Ralf Jung committed
281
  Global Instance elim_acc_wp_nonatomic {X} E α β γ e s Φ :
282 283
    ElimAcc (X:=X) (fupd E E) (fupd E E)
            α β γ (WP e @ s; E {{ Φ }})
284
            (λ x, WP e @ s; E {{ v, |={E}=> β x  (γ x -? Φ v) }})%I.
Ralf Jung's avatar
Ralf Jung committed
285
  Proof.
286
    rewrite /ElimAcc.
287 288 289
    iIntros "Hinner >Hacc". iDestruct "Hacc" as (x) "[Hα Hclose]".
    iApply wp_fupd.
    iApply (wp_wand with "[Hinner Hα]"); first by iApply "Hinner".
290
    iIntros (v) ">[Hβ HΦ]". iApply "HΦ". by iApply "Hclose".
Ralf Jung's avatar
Ralf Jung committed
291
  Qed.
292
End proofmode_classes.