Commit 7696a7c1 authored by Robbert Krebbers

Use \nat macro.

parent 68aead2a
...@@ -6,11 +6,11 @@ The model of Iris lives in the category of \emph{Complete Ordered Families of Eq ...@@ -6,11 +6,11 @@ The model of Iris lives in the category of \emph{Complete Ordered Families of Eq
This definition varies slightly from the original one in~\cite{catlogic}. This definition varies slightly from the original one in~\cite{catlogic}.
\begin{defn}[Chain] \begin{defn}[Chain]
Given some set $\cofe$ and an indexed family $({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \mathbb{N}}$ of equivalence relations, a \emph{chain} is a function $c : \mathbb{N} \to \cofe$ such that $\All n, m. n \leq m \Ra c (m) \nequiv{n} c (n)$. Given some set $\cofe$ and an indexed family $({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \nat}$ of equivalence relations, a \emph{chain} is a function $c : \nat \to \cofe$ such that $\All n, m. n \leq m \Ra c (m) \nequiv{n} c (n)$.
\end{defn} \end{defn}
\begin{defn} \begin{defn}
A \emph{complete ordered family of equivalences} (COFE) is a tuple $(\cofe, ({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \mathbb{N}}, \lim : \chain(\cofe) \to \cofe)$ satisfying A \emph{complete ordered family of equivalences} (COFE) is a tuple $(\cofe, ({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \nat}, \lim : \chain(\cofe) \to \cofe)$ satisfying
\begin{align*} \begin{align*}
\All n. (\nequiv{n}) ~& \text{is an equivalence relation} \tagH{cofe-equiv} \\ \All n. (\nequiv{n}) ~& \text{is an equivalence relation} \tagH{cofe-equiv} \\
\All n, m.& n \geq m \Ra (\nequiv{n}) \subseteq (\nequiv{m}) \tagH{cofe-mono} \\ \All n, m.& n \geq m \Ra (\nequiv{n}) \subseteq (\nequiv{m}) \tagH{cofe-mono} \\
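Review bot: the definition of `\nat` is not part of this diff, so this hunk (and every later one in the commit) only compiles if the macro is already provided by the shared macro file; please confirm it is defined there, for example as `\newcommand{\nat}{\mathbb{N}}`, since the index set of the equivalence family and the domain of chains on these lines now both depend on it.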
...@@ -115,7 +115,7 @@ Since Iris ensures that the global ghost state is valid, this means that we can ...@@ -115,7 +115,7 @@ Since Iris ensures that the global ghost state is valid, this means that we can
\subsection{CMRA} \subsection{CMRA}
\begin{defn} \begin{defn}
A \emph{CMRA} is a tuple $(\monoid : \COFEs, (\mval_n \subseteq \monoid)_{n \in \mathbb{N}},\\ \mcore{{-}}: \monoid \nfn \maybe\monoid, (\mtimes) : \monoid \times \monoid \nfn \monoid)$ satisfying: A \emph{CMRA} is a tuple $(\monoid : \COFEs, (\mval_n \subseteq \monoid)_{n \in \nat},\\ \mcore{{-}}: \monoid \nfn \maybe\monoid, (\mtimes) : \monoid \times \monoid \nfn \monoid)$ satisfying:
\begin{align*} \begin{align*}
\All n, \melt, \meltB.& \melt \nequiv{n} \meltB \land \melt\in\mval_n \Ra \meltB\in\mval_n \tagH{cmra-valid-ne} \\ \All n, \melt, \meltB.& \melt \nequiv{n} \meltB \land \melt\in\mval_n \Ra \meltB\in\mval_n \tagH{cmra-valid-ne} \\
\All n, m.& n \geq m \Ra \mval_n \subseteq \mval_m \tagH{cmra-valid-mono} \\ \All n, m.& n \geq m \Ra \mval_n \subseteq \mval_m \tagH{cmra-valid-mono} \\
...@@ -136,7 +136,7 @@ Since Iris ensures that the global ghost state is valid, this means that we can ...@@ -136,7 +136,7 @@ Since Iris ensures that the global ghost state is valid, this means that we can
This is a natural generalization of RAs over COFEs. This is a natural generalization of RAs over COFEs.
All operations have to be non-expansive, and the validity predicate $\mval$ can now also depend on the step-index. All operations have to be non-expansive, and the validity predicate $\mval$ can now also depend on the step-index.
We define the plain $\mval$ as the ``limit'' of the $\mval_n$: We define the plain $\mval$ as the ``limit'' of the $\mval_n$:
\[ \mval \eqdef \bigcap_{n \in \mathbb{N}} \mval_n \] \[ \mval \eqdef \bigcap_{n \in \nat} \mval_n \]
\paragraph{The extension axiom (\ruleref{cmra-extend}).} \paragraph{The extension axiom (\ruleref{cmra-extend}).}
Notice that the existential quantification in this axiom is \emph{constructive}, \ie it is a sigma type in Coq. Notice that the existential quantification in this axiom is \emph{constructive}, \ie it is a sigma type in Coq.
......
...@@ -16,7 +16,7 @@ $\latert(-)$ is a locally \emph{contractive} functor from $\COFEs$ to $\COFEs$. ...@@ -16,7 +16,7 @@ $\latert(-)$ is a locally \emph{contractive} functor from $\COFEs$ to $\COFEs$.
Given a CMRA $\monoid$, we define the COFE $\UPred(\monoid)$ of \emph{uniform predicates} over $\monoid$ as follows: Given a CMRA $\monoid$, we define the COFE $\UPred(\monoid)$ of \emph{uniform predicates} over $\monoid$ as follows:
\begin{align*} \begin{align*}
\UPred(\monoid) \eqdef{} \setComp{\pred: \mathbb{N} \times \monoid \to \mProp}{ \UPred(\monoid) \eqdef{} \setComp{\pred: \nat \times \monoid \to \mProp}{
\begin{inbox}[c] \begin{inbox}[c]
(\All n, x, y. \pred(n, x) \land x \nequiv{n} y \Ra \pred(n, y)) \land {}\\ (\All n, x, y. \pred(n, x) \land x \nequiv{n} y \Ra \pred(n, y)) \land {}\\
(\All n, m, x, y. \pred(n, x) \land x \mincl y \land m \leq n \land y \in \mval_m \Ra \pred(m, y)) (\All n, m, x, y. \pred(n, x) \land x \mincl y \land m \leq n \land y \in \mval_m \Ra \pred(m, y))
...@@ -29,8 +29,8 @@ $\UPred(-)$ is a locally non-expansive functor from $\CMRAs$ to $\COFEs$. ...@@ -29,8 +29,8 @@ $\UPred(-)$ is a locally non-expansive functor from $\CMRAs$ to $\COFEs$.
One way to understand this definition is to re-write it a little. One way to understand this definition is to re-write it a little.
We start by defining the COFE of \emph{step-indexed propositions}: For every step-index, the proposition either holds or does not hold. We start by defining the COFE of \emph{step-indexed propositions}: For every step-index, the proposition either holds or does not hold.
\begin{align*} \begin{align*}
\SProp \eqdef{}& \psetdown{\mathbb{N}} \\ \SProp \eqdef{}& \psetdown{\nat} \\
\eqdef{}& \setComp{X \in \pset{\mathbb{N}}}{ \All n, m. n \geq m \Ra n \in X \Ra m \in X } \\ \eqdef{}& \setComp{X \in \pset{\nat}}{ \All n, m. n \geq m \Ra n \in X \Ra m \in X } \\
X \nequiv{n} Y \eqdef{}& \All m \leq n. m \in X \Lra m \in Y X \nequiv{n} Y \eqdef{}& \All m \leq n. m \in X \Lra m \in Y
\end{align*} \end{align*}
Notice that this notion of $\SProp$ is already hidden in the validity predicate $\mval_n$ of a CMRA: Notice that this notion of $\SProp$ is already hidden in the validity predicate $\mval_n$ of a CMRA:
...@@ -114,7 +114,7 @@ $K \fpfn (-)$ is a locally non-expansive functor from $\CMRAs$ to $\CMRAs$. ...@@ -114,7 +114,7 @@ $K \fpfn (-)$ is a locally non-expansive functor from $\CMRAs$ to $\CMRAs$.
Given some COFE $\cofe$, we define $\agm(\cofe)$ as follows: Given some COFE $\cofe$, we define $\agm(\cofe)$ as follows:
\begin{align*} \begin{align*}
\agm(\cofe) \eqdef{}& \set{(c, V) \in (\mathbb{N} \to \cofe) \times \SProp}/\ {\sim} \\[-0.2em] \agm(\cofe) \eqdef{}& \set{(c, V) \in (\nat \to \cofe) \times \SProp}/\ {\sim} \\[-0.2em]
\textnormal{where }& \melt \sim \meltB \eqdef{} \melt.V = \meltB.V \land \textnormal{where }& \melt \sim \meltB \eqdef{} \melt.V = \meltB.V \land
\All n. n \in \melt.V \Ra \melt.c(n) \nequiv{n} \meltB.c(n) \\ \All n. n \in \melt.V \Ra \melt.c(n) \nequiv{n} \meltB.c(n) \\
% \All n \in {\melt.V}.\, \melt.x \nequiv{n} \meltB.x \\ % \All n \in {\melt.V}.\, \melt.x \nequiv{n} \meltB.x \\
...@@ -131,11 +131,11 @@ You can think of the $c$ as a \emph{chain} of elements of $\cofe$ that has to co ...@@ -131,11 +131,11 @@ You can think of the $c$ as a \emph{chain} of elements of $\cofe$ that has to co
The reason we store a chain, rather than a single element, is that $\agm(\cofe)$ needs to be a COFE itself, so we need to be able to give a limit for every chain of $\agm(\cofe)$. The reason we store a chain, rather than a single element, is that $\agm(\cofe)$ needs to be a COFE itself, so we need to be able to give a limit for every chain of $\agm(\cofe)$.
However, given such a chain, we cannot constructively define its limit: Clearly, the $V$ of the limit is the limit of the $V$ of the chain. However, given such a chain, we cannot constructively define its limit: Clearly, the $V$ of the limit is the limit of the $V$ of the chain.
But what to pick for the actual data, for the element of $\cofe$? But what to pick for the actual data, for the element of $\cofe$?
Only if $V = \mathbb{N}$ we have a chain of $\cofe$ that we can take a limit of; if the $V$ is smaller, the chain ``cancels'', \ie stops converging as we reach indices $n \notin V$. Only if $V = \nat$ we have a chain of $\cofe$ that we can take a limit of; if the $V$ is smaller, the chain ``cancels'', \ie stops converging as we reach indices $n \notin V$.
To mitigate this, we apply the usual construction to close a set; we go from elements of $\cofe$ to chains of $\cofe$. To mitigate this, we apply the usual construction to close a set; we go from elements of $\cofe$ to chains of $\cofe$.
We define an injection $\aginj$ into $\agm(\cofe)$ as follows: We define an injection $\aginj$ into $\agm(\cofe)$ as follows:
\[ \aginj(x) \eqdef \record{\mathrm c \eqdef \Lam \any. x, \mathrm V \eqdef \mathbb{N}} \] \[ \aginj(x) \eqdef \record{\mathrm c \eqdef \Lam \any. x, \mathrm V \eqdef \nat} \]
There are no interesting frame-preserving updates for $\agm(\cofe)$, but we can show the following: There are no interesting frame-preserving updates for $\agm(\cofe)$, but we can show the following:
\begin{mathpar} \begin{mathpar}
\axiomH{ag-val}{\aginj(x) \in \mval_n} \axiomH{ag-val}{\aginj(x) \in \mval_n}
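Review bot: the changed line "Only if $V = \nat$ we have a chain of $\cofe$ that we can take a limit of" has an inverted-clause grammar slip; since the line is already being touched, it is a cheap place to make it "Only if $V = \nat$ do we have a chain of $\cofe$ that we can take a limit of".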
......
...@@ -156,7 +156,7 @@ To instantiate the DC logic (base logic with dynamic composeable resources), the ...@@ -156,7 +156,7 @@ To instantiate the DC logic (base logic with dynamic composeable resources), the
From this, we construct the bifunctor defining the overall resources as follows: From this, we construct the bifunctor defining the overall resources as follows:
\begin{align*} \begin{align*}
\textdom{ResF}(\cofe^\op, \cofe) \eqdef{}& \prod_{i \in \mathcal I} \mathbb{N} \fpfn \iFunc_i(\cofe^\op, \cofe) \textdom{ResF}(\cofe^\op, \cofe) \eqdef{}& \prod_{i \in \mathcal I} \nat \fpfn \iFunc_i(\cofe^\op, \cofe)
\end{align*} \end{align*}
(We will motivate both the use of a product and the finite partial function below.) (We will motivate both the use of a product and the finite partial function below.)
$\textdom{ResF}(\cofe^\op, \cofe)$ is a CMRA by lifting the individual CMRAs pointwise, and it has a unit (using the empty finite partial functions). $\textdom{ResF}(\cofe^\op, \cofe)$ is a CMRA by lifting the individual CMRAs pointwise, and it has a unit (using the empty finite partial functions).
......
...@@ -33,7 +33,7 @@ We are thus going to define the assertions as mapping CMRA elements to sets of s ...@@ -33,7 +33,7 @@ We are thus going to define the assertions as mapping CMRA elements to sets of s
\Sem{\vctx \proves t =_\type u : \Prop}_\gamma &\eqdef \Sem{\vctx \proves t =_\type u : \Prop}_\gamma &\eqdef
\Lam \any. \setComp{n}{\Sem{\vctx \proves t : \type}_\gamma \nequiv{n} \Sem{\vctx \proves u : \type}_\gamma} \\ \Lam \any. \setComp{n}{\Sem{\vctx \proves t : \type}_\gamma \nequiv{n} \Sem{\vctx \proves u : \type}_\gamma} \\
\Sem{\vctx \proves \FALSE : \Prop}_\gamma &\eqdef \Lam \any. \emptyset \\ \Sem{\vctx \proves \FALSE : \Prop}_\gamma &\eqdef \Lam \any. \emptyset \\
\Sem{\vctx \proves \TRUE : \Prop}_\gamma &\eqdef \Lam \any. \mathbb{N} \\ \Sem{\vctx \proves \TRUE : \Prop}_\gamma &\eqdef \Lam \any. \nat \\
\Sem{\vctx \proves \prop \land \propB : \Prop}_\gamma &\eqdef \Sem{\vctx \proves \prop \land \propB : \Prop}_\gamma &\eqdef
\Lam \melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\melt) \cap \Sem{\vctx \proves \propB : \Prop}_\gamma(\melt) \\ \Lam \melt. \Sem{\vctx \proves \prop : \Prop}_\gamma(\melt) \cap \Sem{\vctx \proves \propB : \Prop}_\gamma(\melt) \\
\Sem{\vctx \proves \prop \lor \propB : \Prop}_\gamma &\eqdef \Sem{\vctx \proves \prop \lor \propB : \Prop}_\gamma &\eqdef
...@@ -101,7 +101,7 @@ We can now define \emph{semantic} logical entailment. ...@@ -101,7 +101,7 @@ We can now define \emph{semantic} logical entailment.
\Sem{\vctx \mid \prop \proves \propB} \eqdef \Sem{\vctx \mid \prop \proves \propB} \eqdef
\begin{aligned}[t] \begin{aligned}[t]
\MoveEqLeft \MoveEqLeft
\forall n \in \mathbb{N}.\; \forall n \in \nat.\;
\forall \rs \in \textdom{Res}.\; \forall \rs \in \textdom{Res}.\;
\forall \gamma \in \Sem{\vctx},\; \forall \gamma \in \Sem{\vctx},\;
\\& \\&
......
...@@ -15,9 +15,9 @@ To this end, we use tokens that manage which invariants are currently enabled. ...@@ -15,9 +15,9 @@ To this end, we use tokens that manage which invariants are currently enabled.
We assume to have the following four CMRAs available: We assume to have the following four CMRAs available:
\begin{align*} \begin{align*}
\textmon{State} \eqdef{}& \authm(\exm(\State)) \\ \textmon{State} \eqdef{}& \authm(\exm(\State)) \\
\textmon{Inv} \eqdef{}& \authm(\mathbb N \fpfn \agm(\latert \iPreProp)) \\ \textmon{Inv} \eqdef{}& \authm(\nat \fpfn \agm(\latert \iPreProp)) \\
\textmon{En} \eqdef{}& \pset{\mathbb N} \\ \textmon{En} \eqdef{}& \pset{\nat} \\
\textmon{Dis} \eqdef{}& \finpset{\mathbb N} \textmon{Dis} \eqdef{}& \finpset{\nat}
\end{align*} \end{align*}
The last two are the tokens used for managing invariants, $\textmon{Inv}$ is the monoid used to manage the invariants themselves. The last two are the tokens used for managing invariants, $\textmon{Inv}$ is the monoid used to manage the invariants themselves.
Finally, $\textmon{State}$ is used to provide the program with a view of the physical state of the machine. Finally, $\textmon{State}$ is used to provide the program with a view of the physical state of the machine.
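Review bot: style point, this file spelled the symbol as `\mathbb N` without braces while the earlier hunks wrote `\mathbb{N}`, so besides introducing the macro the change also unifies two spellings of the same symbol; the commit message "Use \nat macro." could mention that the source was inconsistent, which is the stronger argument for the macro.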
...@@ -28,7 +28,7 @@ Furthermore, we assume that instances named $\gname_{\textmon{State}}$, $\gname_ ...@@ -28,7 +28,7 @@ Furthermore, we assume that instances named $\gname_{\textmon{State}}$, $\gname_
\paragraph{World Satisfaction.} \paragraph{World Satisfaction.}
We can now define the assertion $W$ (\emph{world satisfaction}) which ensures that the enabled invariants are actually maintained: We can now define the assertion $W$ (\emph{world satisfaction}) which ensures that the enabled invariants are actually maintained:
\begin{align*} \begin{align*}
W \eqdef{}& \Exists I : \mathbb N \fpfn \Prop. W \eqdef{}& \Exists I : \nat \fpfn \Prop.
\begin{array}{@{} l} \begin{array}{@{} l}
\ownGhost{\gname_{\textmon{Inv}}}{\authfull \ownGhost{\gname_{\textmon{Inv}}}{\authfull
\mapsingletonComp {\iname} \mapsingletonComp {\iname}
...@@ -47,7 +47,7 @@ The following assertion states that an invariant with name $\iname$ exists and m ...@@ -47,7 +47,7 @@ The following assertion states that an invariant with name $\iname$ exists and m
Next, we define \emph{view updates}, which are essentially the same as the resource updates of the base logic ($\Sref{sec:base-logic}$), except that they also have access to world satisfaction and can enable and disable invariants: Next, we define \emph{view updates}, which are essentially the same as the resource updates of the base logic ($\Sref{sec:base-logic}$), except that they also have access to world satisfaction and can enable and disable invariants:
\[ \pvs[\mask_1][\mask_2] \prop \eqdef W * \ownGhost{\gname_{\textmon{En}}}{\mask_1} \wand \upd\diamond (W * \ownGhost{\gname_{\textmon{En}}}{\mask_2} * \prop) \] \[ \pvs[\mask_1][\mask_2] \prop \eqdef W * \ownGhost{\gname_{\textmon{En}}}{\mask_1} \wand \upd\diamond (W * \ownGhost{\gname_{\textmon{En}}}{\mask_2} * \prop) \]
Here, $\mask_1$ and $\mask_2$ are the \emph{masks} of the view update, defining which invariants have to be (at least!) available before and after the update. Here, $\mask_1$ and $\mask_2$ are the \emph{masks} of the view update, defining which invariants have to be (at least!) available before and after the update.
We use $\top$ as symbol for the largest possible mask, $\mathbb N$, and $\bot$ for the smallest possible mask $\emptyset$. We use $\top$ as symbol for the largest possible mask, $\nat$, and $\bot$ for the smallest possible mask $\emptyset$.
We will write $\pvs[\mask] \prop$ for $\pvs[\mask][\mask]\prop$. We will write $\pvs[\mask] \prop$ for $\pvs[\mask][\mask]\prop$.
% %
View updates satisfy the following basic proof rules: View updates satisfy the following basic proof rules:
...@@ -369,14 +369,14 @@ Furthermore, we will often know that namespaces are \emph{disjoint} just by look ...@@ -369,14 +369,14 @@ Furthermore, we will often know that namespaces are \emph{disjoint} just by look
The namespaces $\namesp.\texttt{iris}$ and $\namesp.\texttt{gps}$ are disjoint no matter the choice of $\namesp$. The namespaces $\namesp.\texttt{iris}$ and $\namesp.\texttt{gps}$ are disjoint no matter the choice of $\namesp$.
As a result, there is often no need to track disjointness of namespaces, we just have to pick the namespaces that we allocate our invariants in accordingly. As a result, there is often no need to track disjointness of namespaces, we just have to pick the namespaces that we allocate our invariants in accordingly.
Formally speaking, let $\namesp \in \textlog{InvNamesp} \eqdef \List(\mathbb N)$ be the type of \emph{invariant namespaces}. Formally speaking, let $\namesp \in \textlog{InvNamesp} \eqdef \List(\nat)$ be the type of \emph{invariant namespaces}.
We use the notation $\namesp.\iname$ for the namespace $[\iname] \dplus \namesp$. We use the notation $\namesp.\iname$ for the namespace $[\iname] \dplus \namesp$.
(In other words, the list is ``backwards''. This is because cons-ing to the list, like the dot does above, is easier to deal with in Coq than appending at the end.) (In other words, the list is ``backwards''. This is because cons-ing to the list, like the dot does above, is easier to deal with in Coq than appending at the end.)
The elements of a namespaces are \emph{structured invariant names} (think: Java fully qualified class name). The elements of a namespaces are \emph{structured invariant names} (think: Java fully qualified class name).
They, too, are lists of $\mathbb N$, the same type as namespaces. They, too, are lists of $\nat$, the same type as namespaces.
In order to connect this up to the definitions of \Sref{sec:invariants}, we need a way to map structued invariant names to $\mathbb N$, the type of ``plain'' invariant names. In order to connect this up to the definitions of \Sref{sec:invariants}, we need a way to map structued invariant names to $\nat$, the type of ``plain'' invariant names.
Any injective mapping $\textlog{namesp\_inj}$ will do; and such a mapping has to exist because $\List(\mathbb N)$ is countable. Any injective mapping $\textlog{namesp\_inj}$ will do; and such a mapping has to exist because $\List(\nat)$ is countable.
Whenever needed, we (usually implicitly) coerce $\namesp$ to its encoded suffix-closure, \ie to the set of encoded structured invariant names contained in the namespace: \[\namecl\namesp \eqdef \setComp{\iname}{\Exists \namesp'. \iname = \textlog{namesp\_inj}(\namesp' \dplus \namesp)}\] Whenever needed, we (usually implicitly) coerce $\namesp$ to its encoded suffix-closure, \ie to the set of encoded structured invariant names contained in the namespace: \[\namecl\namesp \eqdef \setComp{\iname}{\Exists \namesp'. \iname = \textlog{namesp\_inj}(\namesp' \dplus \namesp)}\]
We will overload the notation for invariant assertions for using namespaces instead of names: We will overload the notation for invariant assertions for using namespaces instead of names:
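Review bot: two pre-existing typos sit on unchanged context lines in this hunk and could be fixed while the file is being edited: "The elements of a namespaces are" should read "The elements of a namespace are", and "map structued invariant names" on the line beginning "In order to connect this up" should read "structured". The comma splice "there is often no need to track disjointness of namespaces, we just have to pick the namespaces" would also read better split into two sentences or joined with a semicolon.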
......