proof.v 8.96 KB
Newer Older
1 2 3
From iris.program_logic Require Export weakestpre.
From iris.heap_lang Require Export lang.
From iris.heap_lang.lib.barrier Require Export barrier.
4 5
From iris.prelude Require Import functions.
From iris.algebra Require Import upred_big_op.
6
From iris.program_logic Require Import saved_prop sts.
Robbert Krebbers's avatar
Robbert Krebbers committed
7
From iris.heap_lang Require Import proofmode.
Ralf Jung's avatar
Ralf Jung committed
8
From iris.heap_lang.lib.barrier Require Import protocol.
9

10
(** The CMRAs we need. *)
11 12
(* Not bundling heapG, as it may be shared with other users. *)
Class barrierG Σ := BarrierG {
13 14
  barrier_stsG :> stsG Σ sts;
  barrier_savedPropG :> savedPropG Σ idCF;
15
}.
16
(** The Functors we need. *)
17
Definition barrierΣ : gFunctors := #[stsΣ sts; savedPropΣ idCF].
18
(* Show and register that they match. *)
19 20
Instance subG_barrierΣ {Σ} : subG barrierΣ Σ  barrierG Σ.
Proof. intros [? [? _]%subG_inv]%subG_inv. split; apply _. Qed.
21 22 23

(** Now we come to the Iris part of the proof. *)
Section proof.
24
Context `{!heapG Σ, !barrierG Σ} (N : namespace).
Robbert Krebbers's avatar
Robbert Krebbers committed
25
Implicit Types I : gset gname.
26

27 28
Definition ress (P : iProp Σ) (I : gset gname) : iProp Σ :=
  ( Ψ : gname  iProp Σ,
29
     (P - [ set] i  I, Ψ i)  [ set] i  I, saved_prop_own i (Ψ i))%I.
30 31

Coercion state_to_val (s : state) : val :=
32
  match s with State Low _ => #0 | State High _ => #1 end.
Robbert Krebbers's avatar
Robbert Krebbers committed
33
Arguments state_to_val !_ / : simpl nomatch.
34

35
Definition state_to_prop (s : state) (P : iProp Σ) : iProp Σ :=
36
  match s with State Low _ => P | State High _ => True%I end.
Robbert Krebbers's avatar
Robbert Krebbers committed
37
Arguments state_to_prop !_ _ / : simpl nomatch.
38

39
Definition barrier_inv (l : loc) (P : iProp Σ) (s : state) : iProp Σ :=
40
  (l  s  ress (state_to_prop s P) (state_I s))%I.
41

42
Definition barrier_ctx (γ : gname) (l : loc) (P : iProp Σ) : iProp Σ :=
43
  ( (heapN  N)  heap_ctx  sts_ctx γ N (barrier_inv l P))%I.
44

45
Definition send (l : loc) (P : iProp Σ) : iProp Σ :=
46 47
  ( γ, barrier_ctx γ l P  sts_ownS γ low_states {[ Send ]})%I.

48
Definition recv (l : loc) (R : iProp Σ) : iProp Σ :=
49 50
  ( γ P Q i,
    barrier_ctx γ l P  sts_ownS γ (i_states i) {[ Change i ]} 
51
    saved_prop_own i Q   (Q - R))%I.
52

53
Global Instance barrier_ctx_persistent (γ : gname) (l : loc) (P : iProp Σ) :
54
  PersistentP (barrier_ctx γ l P).
55 56 57 58
Proof. apply _. Qed.

Typeclasses Opaque barrier_ctx send recv.

59
(** Setoids *)
60 61 62 63
Global Instance ress_ne n : Proper (dist n ==> (=) ==> dist n) ress.
Proof. solve_proper. Qed.
Global Instance state_to_prop_ne n s :
  Proper (dist n ==> dist n) (state_to_prop s).
64
Proof. solve_proper. Qed.
65
Global Instance barrier_inv_ne n l :
66 67
  Proper (dist n ==> eq ==> dist n) (barrier_inv l).
Proof. solve_proper. Qed.
68
Global Instance barrier_ctx_ne n γ l : Proper (dist n ==> dist n) (barrier_ctx γ l).
69
Proof. solve_proper. Qed. 
70
Global Instance send_ne n l : Proper (dist n ==> dist n) (send l).
71
Proof. solve_proper. Qed.
72
Global Instance recv_ne n l : Proper (dist n ==> dist n) (recv l).
73
Proof. solve_proper. Qed.
74 75

(** Helper lemmas *)
76
Lemma ress_split i i1 i2 Q R1 R2 P I :
77
  i  I  i1  I  i2  I  i1  i2 
78 79
  saved_prop_own i Q  saved_prop_own i1 R1  saved_prop_own i2 R2 
    (Q - R1  R2)  ress P I
80
   ress P ({[i1;i2]}  I  {[i]}).
81
Proof.
82
  iIntros (????) "(#HQ&#H1&#H2&HQR&H)"; iDestruct "H" as (Ψ) "[HPΨ HΨ]".
83
  iDestruct (big_sepS_delete _ _ i with "HΨ") as "[#HΨi HΨ]"; first done.
Robbert Krebbers's avatar
Robbert Krebbers committed
84
  iExists (<[i1:=R1]> (<[i2:=R2]> Ψ)). iSplitL "HQR HPΨ".
85
  - iPoseProof (saved_prop_agree i Q (Ψ i) with "[#]") as "Heq"; first by iSplit.
86 87 88
    iNext. iRewrite "Heq" in "HQR". iIntros "HP". iSpecialize ("HPΨ" with "HP").
    iDestruct (big_sepS_delete _ _ i with "HPΨ") as "[HΨ HPΨ]"; first done.
    iDestruct ("HQR" with "HΨ") as "[HR1 HR2]".
89
    rewrite -assoc_L !big_sepS_fn_insert'; [|abstract set_solver ..].
90
    by iFrame.
91
  - rewrite -assoc_L !big_sepS_fn_insert; [|abstract set_solver ..]. eauto.
92
Qed.
93 94

(** Actual proofs *)
95
Lemma newbarrier_spec (P : iProp Σ) (Φ : val  iProp Σ) :
96
  heapN  N 
97
  heap_ctx  ( l, recv l P  send l P - Φ #l)  WP newbarrier #() {{ Φ }}.
98
Proof.
99
  iIntros (HN) "[#? HΦ]".
100
  rewrite /newbarrier. wp_seq. wp_alloc l as "Hl".
Robbert Krebbers's avatar
Robbert Krebbers committed
101
  iApply ("HΦ" with "==>[-]").
102 103
  iVs (saved_prop_alloc (F:=idCF) P) as (γ) "#?".
  iVs (sts_alloc (barrier_inv l P) _ N (State Low {[ γ ]}) with "[-]")
104
    as (γ') "[#? Hγ']"; eauto.
105
  { iNext. rewrite /barrier_inv /=. iFrame.
106
    iExists (const P). rewrite !big_sepS_singleton /=. eauto. }
Robbert Krebbers's avatar
Robbert Krebbers committed
107 108
  iAssert (barrier_ctx γ' l P)%I as "#?".
  { rewrite /barrier_ctx. by repeat iSplit. }
109
  iAssert (sts_ownS γ' (i_states γ) {[Change γ]}
Robbert Krebbers's avatar
Robbert Krebbers committed
110
     sts_ownS γ' low_states {[Send]})%I with "==>[-]" as "[Hr Hs]".
Robbert Krebbers's avatar
Robbert Krebbers committed
111
  { iApply sts_ownS_op; eauto using i_states_closed, low_states_closed.
112 113
    - set_solver.
    - iApply (sts_own_weaken with "Hγ'");
Robbert Krebbers's avatar
Robbert Krebbers committed
114
        auto using sts.closed_op, i_states_closed, low_states_closed;
115
        abstract set_solver. }
116
  iVsIntro. rewrite /recv /send. iSplitL "Hr".
117
  - iExists γ', P, P, γ. iFrame. auto.
118
  - auto.
119 120
Qed.

121
Lemma signal_spec l P (Φ : val  iProp Σ) :
122
  send l P  P  Φ #()  WP signal #l {{ Φ }}.
123
Proof.
Robbert Krebbers's avatar
Robbert Krebbers committed
124
  rewrite /signal /send /barrier_ctx.
125
  iIntros "(Hs&HP&HΦ)"; iDestruct "Hs" as (γ) "[#(%&Hh&Hsts) Hγ]". wp_let.
126 127 128 129
  iVs (sts_openS (barrier_inv l P) _ _ γ with "[Hγ]")
    as ([p I]) "(% & [Hl Hr] & Hclose)"; eauto.
  destruct p; [|done]. wp_store. iFrame "HΦ".
  iVs ("Hclose" $! (State High I) ( : set token) with "[-]"); last done.
Robbert Krebbers's avatar
Robbert Krebbers committed
130
  iSplit; [iPureIntro; by eauto using signal_step|].
131
  iNext. rewrite {2}/barrier_inv /ress /=; iFrame "Hl".
132
  iDestruct "Hr" as (Ψ) "[Hr Hsp]"; iExists Ψ; iFrame "Hsp".
Robbert Krebbers's avatar
Robbert Krebbers committed
133
  iIntros "!> _"; by iApply "Hr".
134 135
Qed.

136
Lemma wait_spec l P (Φ : val  iProp Σ) :
137
  recv l P  (P - Φ #())  WP wait #l {{ Φ }}.
138
Proof.
Robbert Krebbers's avatar
Robbert Krebbers committed
139
  rename P into R; rewrite /recv /barrier_ctx.
140
  iIntros "[Hr HΦ]"; iDestruct "Hr" as (γ P Q i) "(#(%&Hh&Hsts)&Hγ&#HQ&HQR)".
141
  iLöb as "IH". wp_rec. wp_bind (! _)%E.
142 143 144 145 146
  iVs (sts_openS (barrier_inv l P) _ _ γ with "[Hγ]")
    as ([p I]) "(% & [Hl Hr] & Hclose)"; eauto.
  wp_load. destruct p.
  - iVs ("Hclose" $! (State Low I) {[ Change i ]} with "[Hl Hr]") as "Hγ".
    { iSplit; first done. iNext. rewrite {2}/barrier_inv /=. by iFrame. }
Robbert Krebbers's avatar
Robbert Krebbers committed
147
    iAssert (sts_ownS γ (i_states i) {[Change i]})%I with "==>[Hγ]" as "Hγ".
148
    { iApply (sts_own_weaken with "Hγ"); eauto using i_states_closed. }
149 150
    iVsIntro. wp_op=> ?; simplify_eq; wp_if.
    iApply ("IH" with "Hγ [HQR] HΦ"). auto.
Robbert Krebbers's avatar
Robbert Krebbers committed
151 152
  - (* a High state: the comparison succeeds, and we perform a transition and
    return to the client *)
153
    iDestruct "Hr" as (Ψ) "[HΨ Hsp]".
154
    iDestruct (big_sepS_delete _ _ i with "Hsp") as "[#HΨi Hsp]"; first done.
155
    iAssert ( Ψ i   [ set] j  I  {[i]}, Ψ j)%I with "[HΨ]" as "[HΨ HΨ']".
Robbert Krebbers's avatar
Robbert Krebbers committed
156
    { iNext. iApply (big_sepS_delete _ _ i); first done. by iApply "HΨ". }
157 158 159 160 161 162
    iVs ("Hclose" $! (State High (I  {[ i ]})) ( : set token) with "[HΨ' Hl Hsp]").
    { iSplit; [iPureIntro; by eauto using wait_step|].
      iNext. rewrite {2}/barrier_inv /=; iFrame "Hl". iExists Ψ; iFrame. auto. }
    iPoseProof (saved_prop_agree i Q (Ψ i) with "[#]") as "Heq"; first by auto.
    iVsIntro. wp_op=> ?; simplify_eq/=; wp_if.
    iVsIntro. iApply "HΦ". iApply "HQR". by iRewrite "Heq".
163 164
Qed.

165
Lemma recv_split E l P1 P2 :
166
  nclose N  E  recv l (P1  P2) ={E}=> recv l P1  recv l P2.
167
Proof.
Robbert Krebbers's avatar
Robbert Krebbers committed
168
  rename P1 into R1; rename P2 into R2. rewrite {1}/recv /barrier_ctx.
169
  iIntros (?). iDestruct 1 as (γ P Q i) "(#(%&Hh&Hsts)&Hγ&#HQ&HQR)".
170 171 172 173 174
  iVs (sts_openS (barrier_inv l P) _ _ γ with "[Hγ]")
    as ([p I]) "(% & [Hl Hr] & Hclose)"; eauto.
  iVs (saved_prop_alloc_strong (R1: %CF (iProp Σ)) I) as (i1) "[% #Hi1]".
  iVs (saved_prop_alloc_strong (R2: %CF (iProp Σ)) (I  {[i1]}))
    as (i2) "[Hi2' #Hi2]"; iDestruct "Hi2'" as %Hi2.
Robbert Krebbers's avatar
Robbert Krebbers committed
175
  rewrite ->not_elem_of_union, elem_of_singleton in Hi2; destruct Hi2.
176 177 178 179 180 181
  iVs ("Hclose" $! (State p ({[i1; i2]}  I  {[i]}))
                   {[Change i1; Change i2 ]} with "[-]") as "Hγ".
  { iSplit; first by eauto using split_step.
    iNext. rewrite {2}/barrier_inv /=. iFrame "Hl".
    iApply (ress_split _ _ _ Q R1 R2); eauto. iFrame; auto. }
  iAssert (sts_ownS γ (i_states i1) {[Change i1]}
Robbert Krebbers's avatar
Robbert Krebbers committed
182
     sts_ownS γ (i_states i2) {[Change i2]})%I with "==>[-]" as "[Hγ1 Hγ2]".
183 184 185 186 187 188 189 190
  { iApply sts_ownS_op; eauto using i_states_closed, low_states_closed.
    - abstract set_solver.
    - iApply (sts_own_weaken with "Hγ");
        eauto using sts.closed_op, i_states_closed.
      abstract set_solver. }
  iVsIntro; iSplitL "Hγ1"; rewrite /recv /barrier_ctx.
  - iExists γ, P, R1, i1. iFrame; auto.
  - iExists γ, P, R2, i2. iFrame; auto.
191 192
Qed.

193
Lemma recv_weaken l P1 P2 : (P1 - P2)  recv l P1 - recv l P2.
194
Proof.
Robbert Krebbers's avatar
Robbert Krebbers committed
195
  rewrite /recv.
196
  iIntros "HP HP1"; iDestruct "HP1" as (γ P Q i) "(#Hctx&Hγ&Hi&HP1)".
197
  iExists γ, P, Q, i. iFrame "Hctx Hγ Hi".
Robbert Krebbers's avatar
Robbert Krebbers committed
198
  iIntros "!> HQ". by iApply "HP"; iApply "HP1".
199
Qed.
200

201
Lemma recv_mono l P1 P2 : (P1  P2)  recv l P1  recv l P2.
202
Proof. iIntros (HP) "H". iApply (recv_weaken with "[] H"). iApply HP. Qed.
203
End proof.
Robbert Krebbers's avatar
Robbert Krebbers committed
204 205

Typeclasses Opaque barrier_ctx send recv.