GitLab

We used to normalize the goal, and then checked whether it was of
a certain shape. Since `uPred_valid P` normalized to `True ⊢ P`,
there was no way of making a distinction between the two, hence
`True ⊢ P` was treated as `uPred_valid P`.

In this commit, I use type classes to check whether the goal is of
a certain shape. Since we declared `uPred_valid` as `Typeclasses
Opaque`, we can now make a distinction between `True ⊢ P` and
`uPred_valid P`.

Instead of writing a separate tactic lemma for each pure reduction,
there is a single tactic lemma for performing all of them.

The instances of PureExec can be shared between WP tactics and, e.g.
symbolic execution in the ghost  threadpool

This patch was created using

  find -name *.v | xargs -L 1 awk -i inplace '{from = 0} /^From/{ from = 1; ever_from = 1} { if (from == 0 && seen == 0 && ever_from == 1) { print "Set Default Proof Using \"Type*\"."; seen = 1 } }1 '

and some minor manual editing

Really, *all* of our files contain proof rules

The WP construction now takes an invariant on states as a parameter
(part of the irisG class) and no longer builds in the authoritative
ownership of the entire state. When instantiating WP with a concrete
language on can choose its state invariant. For example, for heap_lang
we directly use `auth (gmap loc (frac * dec_agree val))`, and avoid
the indirection through invariants entirely.

As a result, we no longer have to carry `heap_ctx` around.

The old choice for ★ was a arbitrary: the precedence of the ASCII asterisk *
was fixed at a wrong level in Coq, so we had to pick another symbol. The ★ was
a random choice from a unicode chart.

The new symbol ∗ (as proposed by David Swasey) corresponds better to
conventional practise and matches the symbol we use on paper.

This should make theme asier to parse, "{{{ v, v; l |-> v }}}" looks rather funny.

Now we try to avoid adding them unnecessarily, so we don't have to remove them automatically any more.

And also rename the corresponding proof mode tactics.

This fact is deduced from reducibility. Unfortunately, this sometimes depends on the type of states being inhabited, so that this additional hypothesis sometimes appear.

rename program_logic.{ownership -> wsat}. It really is about world satisfaction and invariants more than about ownership.

This also removes the double use of the name 'wp_fork' in both
program_logic/weakestpre and heap_lang/lifting.

Also, since do_head_step no longer has a purpose, I have removed it
and just use a bunch of eauto hints.

This is more consistent with CAS, which also can be used on any value.
Note that being able to (atomically) test for equality of any value and
being able to CAS on any value is not realistic. See the discussion at
https://gitlab.mpi-sws.org/FP/iris-coq/issues/26, and in particular JH
Jourdan's observation:

  I think indeed for heap_lang this is just too complicated.

  Anyway, the role of heap_lang is not to model any actual
  programming language, but rather to show that we can do proofs
  about certain programs. The fact that you can write unrealistic
  programs is not a problem, IMHO. The only thing which is important
  is that the program that we write are realistic (i.e., faithfully
  represents the algorithm we want to p

This commit is based on a commit by Zhen Zhang who generalized equality
to work on any literal (and not just integers).