 01 Nov, 2017 1 commit


Robbert Krebbers authored
This class, in combination with `TCForall`, turns out to be useful in LambdaRust to express that lists of expressions are values.

 29 Oct, 2017 2 commits
 26 Oct, 2017 1 commit


Robbert Krebbers authored
Now that we have the plain modality, we can get rid of the basic updates in the soundness statement.

 25 Oct, 2017 3 commits


Robbert Krebbers authored

Robbert Krebbers authored

Robbert Krebbers authored
The advantage is that we can directly use a Coq introduction pattern `cpat` to perform actions to the pure assertion. Before, this had to be done in several steps: `iDestruct ... as "[Htmp ...]"; iDestruct "Htmp" as %cpat`. That is, one had to introduce a temporary name. I expect this to be quite useful in various developments as many of e.g. our invariants are written as: `∃ x1 .. x2, ⌜ pure stuff ⌝ ∗ spatial stuff`.

 04 Oct, 2017 2 commits


Robbert Krebbers authored

Robbert Krebbers authored

 27 Sep, 2017 1 commit


Robbert Krebbers authored
This causes a bit of backwards incompatibility: it may now succeed with later stripping below unlocked/TC transparent definitions. This problem actually occurred for `wsat`.

 26 Sep, 2017 1 commit


Robbert Krebbers authored
We used to normalize the goal, and then checked whether it was of a certain shape. Since `uPred_valid P` normalized to `True ⊢ P`, there was no way of making a distinction between the two, hence `True ⊢ P` was treated as `uPred_valid P`. In this commit, I use type classes to check whether the goal is of a certain shape. Since we declared `uPred_valid` as `Typeclasses Opaque`, we can now make a distinction between `True ⊢ P` and `uPred_valid P`.

 25 Sep, 2017 6 commits


Robbert Krebbers authored

Dan Frumin authored

Dan Frumin authored

Dan Frumin authored

Dan Frumin authored
Instead of writing a separate tactic lemma for each pure reduction, there is a single tactic lemma for performing all of them. The instances of `PureExec` can be shared between WP tactics and, e.g., symbolic execution in the ghost threadpool.

Robbert Krebbers authored
Typeclass search gets less confused when this version is used; also, we had the same for `wp_bind` already.

 24 Sep, 2017 1 commit


Robbert Krebbers authored

 20 Sep, 2017 1 commit


Robbert Krebbers authored

 09 Sep, 2017 2 commits


Robbert Krebbers authored

Robbert Krebbers authored

 20 Aug, 2017 1 commit


Robbert Krebbers authored
This makes it easier to frame or introduce some modalities before introducing universal quantifiers.

 13 Apr, 2017 1 commit


Robbert Krebbers authored

 24 Mar, 2017 2 commits


Robbert Krebbers authored

Robbert Krebbers authored
Instead, I have introduced a type class `Monoid` that is used by the big operators:

    Class Monoid {M : ofeT} (o : M → M → M) := {
      monoid_unit : M;
      monoid_ne : NonExpansive2 o;
      monoid_assoc : Assoc (≡) o;
      monoid_comm : Comm (≡) o;
      monoid_left_id : LeftId (≡) monoid_unit o;
      monoid_right_id : RightId (≡) monoid_unit o;
    }.

Note that the operation is an argument because we want to have multiple monoids over the same type (for example, on `uPred`s we have monoids for `∗`, `∧`, and `∨`). However, we do bundle the unit because:

- If we would not, the unit would appear explicitly in an implicit argument of the big operators, which confuses rewrite. By bundling the unit in the `Monoid` class it is hidden, and hence rewrite won't even see it.
- The unit is unique.

We could in principle have big ops over setoids instead of OFEs. However, since we do not have a canonical structure for bundled setoids, I did not go that way.

 15 Mar, 2017 5 commits


Robbert Krebbers authored
- Allow framing of persistent hypotheses below the always modality.
- Allow framing of persistent hypotheses in just one branch of a disjunction.

Robbert Krebbers authored

Robbert Krebbers authored

Robbert Krebbers authored

Ralf Jung authored

 14 Mar, 2017 4 commits


Robbert Krebbers authored

Robbert Krebbers authored
This has some advantages:

- Evaluation contexts behave like a proper "Huet's zipper", and thus:
  + We no longer need to reverse the list of evaluation context items in the `reshape_expr` tactic.
  + The `fill` function becomes tail-recursive.
- It gives rise to more definitional equalities in simulation proofs using binary logical relations proofs. In the case of binary logical relations, we simulate an expression in some ambient context, i.e. `fill K e`. Now, whenever we reshape `e` by turning it into `fill K' e'`, we end up with `fill K (fill K' e')`. In order to use the rules for the expression that is being simulated, we need to turn `fill K (fill K' e')` into `fill K'' e'` for some `K''`. In case of the old `foldr`-based approach, we had to rewrite using the lemma `fill_app` to achieve that. However, in case of the old `foldl`-based `fill`, we have that `fill K (fill K' e')` is definitionally equal to `fill (K' ++ K) e'` provided that `K'` consists of a bunch of `cons`es (which is always the case, since we obtained `K'` by reshaping `e`).

Note that this change hardly affected `heap_lang`. Only the proof of `atomic_correct` broke. I fixed this by proving a more general lemma `ectxi_language_atomic` about `ectxi`-languages, which should have been there in the first place.

Robbert Krebbers authored

Robbert Krebbers authored
- Support for a `//` modifier to close the goal using `done`.
- Support for framing in the `[#]` specialization pattern for persistent premises, i.e. `[# $H1 $H2]`.
- Add new "auto framing patterns" `[$]`, `[# $]` and `>[$]` that will try to solve the premise by framing. Hypotheses that are not framed are carried over to the next goal.

 10 Mar, 2017 1 commit


Ralf Jung authored

 09 Mar, 2017 2 commits
 11 Feb, 2017 1 commit


David Swasey authored

 27 Jan, 2017 1 commit


Ralf Jung authored

 24 Jan, 2017 1 commit


Robbert Krebbers authored
