### Merge branch 'master' into gen_proofmode

parents 1a1aa388 09741a03
 ... ... @@ -3,19 +3,43 @@ way the logic is used on paper. We also mention some significant changes in the Coq development, but not every API-breaking change is listed. Changes marked [#] still need to be ported to the Iris Documentation LaTeX file(s). ## Iris 3.1.0 (unfinished) ## Iris 3.1.0 (released 2017-12-19) Changes in and extensions of the theory: * Add new modality: ■ ("plainly"). * Define uPred as a quotient on monotone predicates M -> SProp. * Get rid of some primitive laws; they can be derived: True ⊢ □ True and □ (P ∧ Q) ⊢ □ (P ∗ Q) * Camera morphisms have to be homomorphisms, not just monotone functions. * Add a proof that f has a fixed point if f^k is contractive. * Constructions for least and greatest fixed points over monotone predicates (defined in the logic of Iris using impredicative quantification). * Add a proof of the inverse of wp_bind. * [Experimental feature] Add new modality: ■ ("plainly"). * [Experimental feature] Support verifying code that might get stuck by distinguishing "non-stuck" vs. "(potentially) stuck" weakest preconditions. (See [Swasey et al., OOPSLA '17] for examples.) The non-stuck WP e @ E {{ Φ }} ensures that, as e runs, it does not get stuck. The stuck WP e @ E ?{{ Φ }} ensures that, as usual, all invariants are preserved while e runs, but it permits execution to get stuck. The former implies the latter. The full judgment is WP e @ s; E {{ Φ }}, where non-stuck WP uses *stuckness bit* s = NotStuck while stuck WP uses s = MaybeStuck. Changes in Coq: * Move the prelude folder to its own project: [coq-std++](https://gitlab.mpi-sws.org/robbertkrebbers/coq-stdpp) * Some extensions/improvements of heap_lang: - Improve handling of pure (non-state-dependent) reductions. - Add fetch-and-add (FAA) operation. - Add syntax for all Coq's binary operations on Z. * Generalize saved_prop to let the user choose the location of the type-level later. Rename the general form to saved_anything. Provide saved_prop and saved_pred as special cases. * Improved big operators: + They are no longer tied to cameras, but work on any monoid + The version of big operations over lists was redefined so that it enjoys more definitional equalities. * Rename some things and change notation: - The unit of a camera: empty -> unit, ∅ -> ε - Disjointness: ⊥ -> ## ... ... @@ -26,6 +50,7 @@ Changes in Coq: - Camera elements such that core x = x: Persistent -> CoreId - Persistent propositions: PersistentP -> Persistent - The persistent modality: always -> persistently - Adequacy for non-stuck weakestpre: adequate_safe -> adequate_not_stuck - Consistently SnakeCase identifiers: + CMRAMixin -> CmraMixin + CMRAT -> CmraT ... ... @@ -53,6 +78,8 @@ Changes in Coq:  sed 's/\bPersistentP\b/Persistent/g; s/\bTimelessP\b/Timeless/g; s/\bCMRADiscrete\b/CmraDiscrete/g; s/\bCMRAT\b/CmraT/g; s/\bCMRAMixin\b/CmraMixin/g; s/\bUCMRAT\b/UcmraT/g; s/\bUCMRAMixin\b/UcmraMixin/g; s/\bSTS\b/Sts/g' -i $(find -name "*.v")  * PersistentL and TimelessL (persistence and timelessness of lists of propositions) are replaces by TCForall from std++. * Fix a bunch of consistency issues in the proof mode, and make it overall more usable. In particular: - All proof mode tactics start the proof mode if necessary; iStartProof is ... ... @@ -74,9 +101,6 @@ sed 's/\bPersistentP\b/Persistent/g; s/\bTimelessP\b/Timeless/g; s/\bCMRADiscret behind a type class opaque definition. Furthermore, this can change the name of anonymous identifiers introduced with the "%" pattern. * Make ofe_fun dependently typed, subsuming iprod. The latter got removed. * Generalize saved_prop to let the user choose the location of the type-level later. Rename the general form to saved_anything. Provide saved_prop and saved_pred as special cases. * Define the generic fill operation of the ectxi_language construct in terms of a left fold instead of a right fold. This gives rise to more definitional equalities. ... ... @@ -85,18 +109,16 @@ sed 's/\bPersistentP\b/Persistent/g; s/\bTimelessP\b/Timeless/g; s/\bCMRADiscret type classes and canonical structures. Also, it now uses explicit mixins. The file program_logic/ectxi_language contains some documentation on how to setup Iris for your language. * Improved big operators: + They are no longer tied to cameras, but work on any monoid + The version of big operations over lists was redefined so that it enjoys more definitional equalities. * Restore the original, stronger notion of atomicity alongside the weaker notion. These are Atomic a e where the stuckness bit s indicates whether expression e is weakly (a = WeaklyAtomic) or strongly (a = StronglyAtomic) atomic. * Various improvements to solve_ndisj. * Improve handling of pure (non-state-dependent) reductions in heap_lang. * Use Hint Mode to prevent Coq from making arbitrary guesses in the presence of evars, which often led to divergence. There are a few places where type annotations are now needed. * Move the prelude folder to its own project: std++ * The rules internal_eq_rewrite and internal_eq_rewrite_contractive are now stated in the logic, i.e. they are iApply friendly. stated in the logic, i.e., they are iApply-friendly. ## Iris 3.0.0 (released 2017-01-11) ... ...  # CONTRIBUTING TO THE IRIS COQ DEVELOPMENT # Contributing to the Iris Coq Development Discussion about the Iris Coq development happens on the mailing list [iris-club@lists.mpi-sws.org](https://lists.mpi-sws.org/listinfo/iris-club). This is also the right place to ask questions. If you want to report a bug, please use the [issue tracker](https://gitlab.mpi-sws.org/FP/iris-coq/issues). You will have to create an account at the [iris-club@lists.mpi-sws.org](https://lists.mpi-sws.org/listinfo/iris-club) and in the [Iris Chat](https://mattermost.mpi-sws.org/iris). This is also the right place to ask questions. The chat requires an account at the [MPI-SWS GitLab](https://gitlab.mpi-sws.org/users/sign_in) (use the "Register" tab). To contribute code, please send your MPI-SWS GitLab username to [Ralf Jung](https://gitlab.mpi-sws.org/jung) to enable personal projects for your account. Then you can fork the If you want to report a bug, please use the [issue tracker](https://gitlab.mpi-sws.org/FP/iris-coq/issues), which also requires an MPI-SWS GitLab account. To contribute code, please send your MPI-SWS GitLab username to [Ralf Jung](https://gitlab.mpi-sws.org/jung) to enable personal projects for your account. Then you can fork the [Iris git repository](https://gitlab.mpi-sws.org/FP/iris-coq/), make your changes in your fork, and create a merge request.  ... ... @@ -6,34 +6,45 @@ This is the Coq development of the [Iris Project](http://iris-project.org). This version is known to compile with: - Coq 8.6.1 / 8.7.0 - Coq 8.6.1 / 8.7.0 / 8.7.1 - Ssreflect 1.6.4 - A development version of [std++](https://gitlab.mpi-sws.org/robbertkrebbers/coq-stdpp) - [std++](https://gitlab.mpi-sws.org/robbertkrebbers/coq-stdpp) 1.1.0 If you need to work with Coq 8.5, please check out the [iris-3.0 branch](https://gitlab.mpi-sws.org/FP/iris-coq/tree/iris-3.0). The easiest way to install the correct versions of the dependencies is through opam. You will need the Coq and Iris opam repositories: ## Installing via opam To obtain the latest stable release via opam (1.2.2 or newer), you have to add the Coq opam repository: opam repo add coq-released https://coq.inria.fr/opam/released Then you can do opam install coq-iris. To obtain a development version, add the Iris opam repository: opam repo add iris-dev https://gitlab.mpi-sws.org/FP/opam-dev.git Once you got opam set up, run make build-dep to install the right versions of the dependencies. ## Building from source ## Updating When building Iris from source, we recommend to use opam (1.2.2 or newer) for installing Iris's dependencies. This requires the following two repositories: After doing git pull, the development may fail to compile because of outdated dependencies. To fix that, please run opam update followed by make build-dep. opam repo add coq-released https://coq.inria.fr/opam/released opam repo add iris-dev https://gitlab.mpi-sws.org/FP/opam-dev.git ## Building Instructions Once you got opam set up, run make build-dep to install the right versions of the dependencies. Run make -jN to build the full development, where N is the number of your CPU cores. ## Structure To update Iris, do git pull. After an update, the development may fail to compile because of outdated dependencies. To fix that, please run opam update followed by make build-dep. ## Directory Structure * The folder [algebra](theories/algebra) contains the COFE and CMRA constructions as well as the solver for recursive domain equations. ... ... @@ -66,13 +77,26 @@ CPU cores. A LaTeX version of the core logic definitions and some derived forms is available in [docs/iris.tex](docs/iris.tex). A compiled PDF version of this document is [available online](http://plv.mpi-sws.org/iris/appendix-3.0.pdf). document is [available online](http://plv.mpi-sws.org/iris/appendix-3.1.pdf). ## Case Studies The following is a (probably incomplete) list of case studies that use Iris, and that should be compatible with this version: * [Iris Examples](https://gitlab.mpi-sws.org/FP/iris-examples) is where we collect miscellaneous case studies that do not have their own repository. * [LambdaRust](https://gitlab.mpi-sws.org/FP/LambdaRust-coq/) is a Coq formalization of the core Rust type system. * [Iris Atomic](https://gitlab.mpi-sws.org/FP/iris-atomic/) is an experimental formalization of logically atomic triples in Iris. ## For Developers: How to update the std++ dependency * Do the change in std++, push it. * Wait for CI to publish a new std++ version on the opam archive. * In Iris, change opam to depend on the new version. * Wait for CI to publish a new std++ version on the opam archive, then run opam update iris-dev. * In Iris, change the opam file to depend on the new version. * Run make build-dep (in Iris) to install the new version of std++. * You may have to do make clean as Coq will likely complain about .vo file You may have to do make clean as Coq will likely complain about .vo file mismatches.  ... ... @@ -53,6 +53,16 @@ In particular: The function space$(-) \nfn (-)$is a locally non-expansive bifunctor. Note that the composition of non-expansive (bi)functors is non-expansive, and the composition of a non-expansive and a contractive (bi)functor is contractive. One very important OFE is the OFE of \emph{step-indexed propositions}: For every step-index, such a proposition either holds or does not hold. Moreover, if a propositions holds for some$n, it also has to hold for all smaller step-indices. \begin{align*} \SProp \eqdef{}& \psetdown{\nat} \\ \eqdef{}& \setComp{X \in \pset{\nat}}{ \All n, m. n \geq m \Ra n \in X \Ra m \in X } \\ X \nequiv{n} Y \eqdef{}& \All m \leq n. m \in X \Lra m \in Y \\ X \nincl{n} Y \eqdef{}& \All m \leq n. m \in X \Ra m \in Y \end{align*} \subsection{COFE} COFEs are \emph{complete OFEs}, which means that we can take limits of arbitrary chains. ... ... @@ -73,18 +83,28 @@ COFEs are \emph{complete OFEs}, which means that we can take limits of arbitrary \end{defn} The function space\ofe \nfn \cofeB$is a COFE if$\cofeB$is a COFE (\ie the domain$\ofe$can actually be just an OFE).$\SProp$as defined above is complete, \ie it is a COFE. Completeness is necessary to take fixed-points. For once, every \emph{contractive function}$f : \ofe \to \cofeB$where$\cofeB$is a COFE and inhabited has a \emph{unique} fixed-point$\fix(f)$such that$\fix(f) = f(\fix(f))$. This also holds if$f^k$is contractive for an arbitrary$k$. Furthermore, by America and Rutten's theorem~\cite{America-Rutten:JCSS89,birkedal:metric-space}, every contractive (bi)functor from$\COFEs$to$\COFEs$has a unique\footnote{Uniqueness is not proven in Coq.} fixed-point. \begin{thm}[Banach's fixed-point] \label{thm:banach} Given an inhabited COFE$\ofe$and a contractive function$f : \ofe \to \ofe$, there exists a unique fixed-point$\fixp_T f$such that$f(\fixp_T f) = \fixp_T f$. Moreover, this theorem also holds if$f$is just non-expansive, and$f^k$is contractive for an arbitrary$k$. \end{thm} \begin{thm}[America and Rutten~\cite{America-Rutten:JCSS89,birkedal:metric-space}] \label{thm:america_rutten} Let$1$be the discrete COFE on the unit type:$1 \eqdef \Delta \{ () \}$. Given a locally contractive bifunctor$G : \COFEs^{\textrm{op}} \times \COFEs \to \COFEs$, and provided that $$G(1, 1)$$ is inhabited, then there exists a unique\footnote{Uniqueness is not proven in Coq.} COFE$\ofe$such that$G(\ofe^{\textrm{op}}, \ofe) \cong \ofe$(\ie the two are isomorphic in$\COFEs$). \end{thm} \subsection{RA} \begin{defn} A \emph{resource algebra} (RA) is a tuple \\$(\monoid, \mval \subseteq \monoid, \mcore{{-}}: $(\monoid, \mvalFull : \monoid \to \mProp, \mcore{{-}}: \monoid \to \maybe\monoid, (\mtimes) : \monoid \times \monoid \to \monoid)$ satisfying: \begin{align*} \All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{ra-assoc} \\ ... ... @@ -92,18 +112,21 @@ Furthermore, by America and Rutten's theorem~\cite{America-Rutten:JCSS89,birkeda \All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{ra-core-id} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{ra-core-idem} \\ \All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{ra-core-mono} \\ \All \melt, \meltB.& (\melt \mtimes \meltB) \in \mval \Ra \melt \in \mval \tagH{ra-valid-op} \\ \All \melt, \meltB.& \mvalFull(\melt \mtimes \meltB) \Ra \mvalFull(\melt) \tagH{ra-valid-op} \\ \text{where}\qquad %\qquad\\ \maybe\monoid \eqdef{}& \monoid \uplus \set{\mnocore} \qquad\qquad\qquad \melt^? \mtimes \mnocore \eqdef \mnocore \mtimes \melt^? \eqdef \melt^? \\ \melt \mincl \meltB \eqdef{}& \Exists \meltC \in \monoid. \meltB = \melt \mtimes \meltC \tagH{ra-incl} \end{align*} \end{defn} \noindent Here, $\mProp$ is the set of (meta-level) propositions. Think of \texttt{Prop} in Coq or $\mathbb{B}$ in classical mathematics. RAs are closely related to \emph{Partial Commutative Monoids} (PCMs), with two key differences: \begin{enumerate} \item The composition operation on RAs is total (as opposed to the partial composition operation of a PCM), but there is a specific subset $\mval$ of \emph{valid} elements that is compatible with the composition operation (\ruleref{ra-valid-op}). \item The composition operation on RAs is total (as opposed to the partial composition operation of a PCM), but there is a specific subset of \emph{valid} elements that is compatible with the composition operation (\ruleref{ra-valid-op}). These valid elements are identified by the \emph{validity predicate} $\mvalFull$. This take on partiality is necessary when defining the structure of \emph{higher-order} ghost state, CMRAs, in the next subsection. This take on partiality is necessary when defining the structure of \emph{higher-order} ghost state, \emph{cameras}, in the next subsection. \item Instead of a single unit that is an identity to every element, we allow for an arbitrary number of units, via a function $\mcore{{-}}$ assigning to an element $\melt$ its \emph{(duplicable) core} $\mcore\melt$, as demanded by \ruleref{ra-core-id}. ... ... @@ -122,42 +145,44 @@ Notice also that the core of an RA is a strict generalization of the unit that a \begin{defn} It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if $\All \maybe{\melt_\f} \in \maybe\monoid. \melt \mtimes \maybe{\melt_\f} \in \mval \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \maybe{\melt_\f} \in \mval$ $\All \maybe{\melt_\f} \in \maybe\monoid. \melt \mtimes \mvalFull(\maybe{\melt_\f}) \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \mvalFull(\maybe{\melt_\f})$ We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. \end{defn} The assertion $\melt \mupd \meltsB$ says that every element $\maybe{\melt_\f}$ compatible with $\melt$ (we also call such elements \emph{frames}), must also be compatible with some $\meltB \in \meltsB$. The proposition $\melt \mupd \meltsB$ says that every element $\maybe{\melt_\f}$ compatible with $\melt$ (we also call such elements \emph{frames}), must also be compatible with some $\meltB \in \meltsB$. Notice that $\maybe{\melt_\f}$ could be $\mnocore$, so the frame-preserving update can also be applied to elements that have \emph{no} frame. Intuitively, this means that whatever assumptions the rest of the program is making about the state of $\gname$, if these assumptions are compatible with $\melt$, then updating to $\meltB$ will not invalidate any of these assumptions. Since Iris ensures that the global ghost state is valid, this means that we can soundly update the ghost state from $\melt$ to a non-deterministically picked $\meltB \in \meltsB$. \subsection{CMRA} \subsection{Cameras} \begin{defn} A \emph{CMRA} is a tuple $(\monoid : \OFEs, (\mval_n \subseteq \monoid)_{n \in \nat},\\ \mcore{{-}}: \monoid \nfn \maybe\monoid, (\mtimes) : \monoid \times \monoid \nfn \monoid)$ satisfying: A \emph{camera} is a tuple $(\monoid : \OFEs, \mval : \monoid \nfn \SProp, \mcore{{-}}: \monoid \nfn \maybe\monoid,\\ (\mtimes) : \monoid \times \monoid \nfn \monoid)$ satisfying: \begin{align*} \All n, \melt, \meltB.& \melt \nequiv{n} \meltB \land \melt\in\mval_n \Ra \meltB\in\mval_n \tagH{cmra-valid-ne} \\ \All n, m.& n \geq m \Ra \mval_n \subseteq \mval_m \tagH{cmra-valid-mono} \\ \All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{cmra-assoc} \\ \All \melt, \meltB.& \melt \mtimes \meltB = \meltB \mtimes \melt \tagH{cmra-comm} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{cmra-core-id} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{cmra-core-idem} \\ \All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{cmra-core-mono} \\ \All n, \melt, \meltB.& (\melt \mtimes \meltB) \in \mval_n \Ra \melt \in \mval_n \tagH{cmra-valid-op} \\ \All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$\melt \in \mval_n \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\ &\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{cmra-extend} \\ \All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{camera-assoc} \\ \All \melt, \meltB.& \melt \mtimes \meltB = \meltB \mtimes \melt \tagH{camera-comm} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore\melt \mtimes \melt = \melt \tagH{camera-core-id} \\ \All \melt.& \mcore\melt \in \monoid \Ra \mcore{\mcore\melt} = \mcore\melt \tagH{camera-core-idem} \\ \All \melt, \meltB.& \mcore\melt \in \monoid \land \melt \mincl \meltB \Ra \mcore\meltB \in \monoid \land \mcore\melt \mincl \mcore\meltB \tagH{camera-core-mono} \\ \All \melt, \meltB.& \mval(\melt \mtimes \meltB) \subseteq \mval(\melt) \tagH{camera-valid-op} \\ \All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$n \in \mval(\melt) \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\ &\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{camera-extend} \\ \text{where}\qquad\qquad\\ \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl} \\ \melt \mincl[n] \meltB \eqdef{}& \Exists \meltC. \meltB \nequiv{n} \melt \mtimes \meltC \tagH{cmra-inclN} \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{camera-incl} \\ \melt \mincl[n] \meltB \eqdef{}& \Exists \meltC. \meltB \nequiv{n} \melt \mtimes \meltC \tagH{camera-inclN} \end{align*} \end{defn} This is a natural generalization of RAs over OFEs. This is a natural generalization of RAs over OFEs\footnote{The reader may wonder why on earth we call them cameras''. The reason, which may not be entirely convincing, is that camera'' was originally just used as a comfortable pronunciation of CMRA'', the name used in earlier Iris papers. CMRA was originally supposed to be an acronym for complete metric resource algebras'' (or something like that), but we were never very satisfied with it and thus ended up never spelling it out. To make matters worse, the complete'' part of CMRA is now downright misleading, for whereas previously the carrier of a CMRA was required to be a COFE (complete OFE), we have relaxed that restriction and permit it to be an (incomplete) OFE. For these reasons, we have decided to stick with the name camera'', for purposes of continuity, but to drop any pretense that it stands for something.}. All operations have to be non-expansive, and the validity predicate $\mval$ can now also depend on the step-index. We define the plain $\mval$ as the limit'' of the $\mval_n$: $\mval \eqdef \bigcap_{n \in \nat} \mval_n$ We define the plain $\mvalFull$ as the limit'' of the step-indexed approximation: $\mvalFull(\melt) \eqdef \All n. n \in \mval(\melt)$ \paragraph{The extension axiom (\ruleref{cmra-extend}).} \paragraph{The extension axiom (\ruleref{camera-extend}).} Notice that the existential quantification in this axiom is \emph{constructive}, \ie it is a sigma type in Coq. The purpose of this axiom is to compute $\melt_1$, $\melt_2$ completing the following square: ... ... @@ -182,40 +207,40 @@ This operation is needed to prove that $\later$ commutes with separating conjunc \end{mathpar} \begin{defn} An element $\munit$ of a CMRA $\monoid$ is called the \emph{unit} of $\monoid$ if it satisfies the following conditions: An element $\munit$ of a camera $\monoid$ is called the \emph{unit} of $\monoid$ if it satisfies the following conditions: \begin{enumerate}[itemsep=0pt] \item $\munit$ is valid: \\ $\All n. \munit \in \mval_n$ \item $\munit$ is valid: \\ $\All n. n \in \mval(\munit)$ \item $\munit$ is a left-identity of the operation: \\ $\All \melt \in M. \munit \mtimes \melt = \melt$ \item $\munit$ is its own core: \\ $\mcore\munit = \munit$ \end{enumerate} \end{defn} \begin{lem}\label{lem:cmra-unit-total-core} \begin{lem}\label{lem:camera-unit-total-core} If $\monoid$ has a unit $\munit$, then the core $\mcore{{-}}$ is total, \ie $\All\melt. \mcore\melt \in \monoid$. \end{lem} \begin{defn} It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if $\All n, \maybe{\melt_\f}. \melt \mtimes \maybe{\melt_\f} \in \mval_n \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \maybe{\melt_\f} \in \mval_n$ $\All n, \maybe{\melt_\f}. n \in \mval(\melt \mtimes \maybe{\melt_\f}) \Ra \Exists \meltB \in \meltsB. n \in\mval(\meltB \mtimes \maybe{\melt_\f})$ We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. \end{defn} Note that for RAs, this and the RA-based definition of a frame-preserving update coincide. \begin{defn} A CMRA $\monoid$ is \emph{discrete} if it satisfies the following conditions: A camera $\monoid$ is \emph{discrete} if it satisfies the following conditions: \begin{enumerate}[itemsep=0pt] \item $\monoid$ is a discrete COFE \item $\mval$ ignores the step-index: \\ $\All \melt \in \monoid. \melt \in \mval_0 \Ra \All n, \melt \in \mval_n$ $\All \melt \in \monoid. 0 \in \mval(\melt) \Ra \All n. n \in \mval(\melt)$ \end{enumerate} \end{defn} Note that every RA is a discrete CMRA, by picking the discrete COFE for the equivalence relation. Furthermore, discrete CMRAs can be turned into RAs by ignoring their COFE structure, as well as the step-index of $\mval$. Note that every RA is a discrete camera, by picking the discrete COFE for the equivalence relation. Furthermore, discrete cameras can be turned into RAs by ignoring their COFE structure, as well as the step-index of $\mval$. \begin{defn}[CMRA homomorphism] A function $f : \monoid_1 \to \monoid_2$ between two CMRAs is \emph{a CMRA homomorphism} if it satisfies the following conditions: \begin{defn}[Camera homomorphism] A function $f : \monoid_1 \to \monoid_2$ between two cameras is \emph{a camera homomorphism} if it satisfies the following conditions: \begin{enumerate}[itemsep=0pt] \item $f$ is non-expansive \item $f$ commutes with composition:\\ ... ... @@ -223,12 +248,12 @@ Furthermore, discrete CMRAs can be turned into RAs by ignoring their COFE struct \item $f$ commutes with the core:\\ $\All \melt \in \monoid_1. \mcore{f(\melt)} = f(\mcore{\melt})$ \item $f$ preserves validity: \\ $\All n, \melt \in \monoid_1. \melt \in \mval_n \Ra f(\melt) \in \mval_n$ $\All n, \melt \in \monoid_1. n \in \mval(\melt) \Ra n \in \mval(f(\melt))$ \end{enumerate} \end{defn} \begin{defn} The category $\CMRAs$ consists of CMRAs as objects, and monotone functions as arrows. The category $\CMRAs$ consists of cameras as objects, and monotone functions as arrows. \end{defn} Note that every object/arrow in $\CMRAs$ is also an object/arrow of $\OFEs$. The notion of a locally non-expansive (or contractive) bifunctor naturally generalizes to bifunctors between these categories. ... ...
 \section{Base Logic} \label{sec:base-logic} The base logic is parameterized by an arbitrary CMRA $\monoid$ having a unit $\munit$. By \lemref{lem:cmra-unit-total-core}, this means that the core of $\monoid$ is a total function, so we will treat it as such in the following. The base logic is parameterized by an arbitrary camera $\monoid$ having a unit $\munit$. By \lemref{lem:camera-unit-total-core}, this means that the core of $\monoid$ is a total function, so we will treat it as such in the following. This defines the structure of resources that can be owned. As usual for higher-order logics, you can furthermore pick a \emph{signature} $\Sig = (\SigType, \SigFn, \SigAx)$ to add more types, symbols and axioms to the language. ... ... @@ -193,7 +193,7 @@ In writing $\vctx, x:\type$, we presuppose that $x$ is not already declared in $\infer{\vctx \proves \wtt{\melt}{\textlog{M}}} {\vctx \proves \wtt{\ownM{\melt}}{\Prop}} \and \infer{\vctx \proves \wtt{\melt}{\type} \and \text{$\type$is a CMRA}} \infer{\vctx \proves \wtt{\melt}{\type} \and \text{$\type$is a camera}} {\vctx \proves \wtt{\mval(\melt)}{\Prop}} \and \infer{\vctx \proves \wtt{\prop}{\Prop}} ... ... @@ -212,13 +212,13 @@ In writing$\vctx, x:\type$, we presuppose that$x$is not already declared in$ } \end{mathparpagebreakable} \subsection{Proof rules} \subsection{Proof Rules} \label{sec:proof-rules} The judgment $\vctx \mid \prop \proves \propB$ says that with free variables $\vctx$, proposition $\propB$ holds whenever assumption $\prop$ holds. Most of the rules will entirely omit the variable contexts $\vctx$. In this case, we assume the same arbitrary context is used for every constituent of the rules. %Furthermore, an arbitrary \emph{boxed} assertion context $\always\pfctx$ may be added to every constituent. %Furthermore, an arbitrary \emph{boxed} proposition context $\always\pfctx$ may be added to every constituent. Axioms $\vctx \mid \prop \provesIff \propB$ indicate that both $\vctx \mid \prop \proves \propB$ and $\vctx \mid \propB \proves \prop$ are proof rules of the logic. \judgment{\vctx \mid \prop \proves \propB} ... ... @@ -448,7 +448,7 @@ Furthermore, we have the usual $\eta$ and $\beta$ laws for projections, $\textlo {\upd\plainly\prop \proves \prop} \end{mathpar} The premise in \ruleref{upd-update} is a \emph{meta-level} side-condition that has to be proven about$a$and$B$. %\ralf{Trouble is, we don't actually have$\in$inside the logic...} %\ralf{Trouble is, we do not actually have$\in$inside the logic...} \subsection{Consistency} ... ...  ... ... @@ -3829,3 +3829,10 @@ year = {2013} pages = {256--269}, year = {2016}, } @Article{iris-ground-up, author={Ralf Jung and Robbert Krebbers and Jacques-Henri Jourdan and Ale\v{s} Bizjak and Lars Birkedal and Derek Dreyer}, title={Iris from the Ground Up}, journal={Submitted to JFP}, year = {2017}, }  \section{OFE and COFE constructions} \section{OFE and COFE Constructions} \subsection{Trivial pointwise lifting} \subsection{Trivial Pointwise Lifting} The (C)OFE structure on many types can be easily obtained by pointwise lifting of the structure of the components. This is what we do for option$\maybe\cofe$, product$(M_i)_{i \in I}$(with$I$some finite index set), sum$\cofe + \cofe'$and finite partial functions$K \fpfn \monoid$(with$K$infinite countable). \subsection{Next (type-level later)} \subsection{Next (Type-Level Later)} Given a OFE$\cofe$, we define$\latert\cofeas follows (using a datatype-like notation to define the type): \begin{align*} ... ... @@ -19,42 +19,44 @@\latert(-)$is a locally \emph{contractive} functor from$\OFEs$to$\OFEs$. \subsection{Uniform Predicates} Given a CMRA$\monoid$, we define the COFE$\UPred(\monoid)$of \emph{uniform predicates} over$\monoid$as follows: Given a camera$\monoid$, we define the COFE$\UPred(\monoid)$of \emph{uniform predicates} over$\monoidas follows: \begin{align*} \UPred(\monoid) \eqdef{} \setComp{\pred: \nat \times \monoid \to \mProp}{ \begin{inbox}[c] (\All n, x, y. \pred(n, x) \land x \nequiv{n} y \Ra \pred(n, y)) \land {}\\ (\All n, m, x, y. \pred(n, x) \land x \mincl y \land m \leq n \land y \in \mval_m \Ra \pred(m, y)) \end{inbox} } \monoid \monnra \SProp \eqdef{}& \setComp{\pred: \monoid \nfn \SProp} {\All n, \melt, \meltB. \melt \mincl[n] \meltB \Ra \pred(\melt) \nincl{n} \pred(\meltB)} \\ \UPred(\monoid) \eqdef{}& \faktor{\monoid \monnra \SProp}{\equiv} \\ \pred \equiv \predB \eqdef{}& \All m, \melt. m \in \mval(\melt) \Ra (m \in \pred(\melt) \iff m \in \predB(\melt)) \\ \pred \nequiv{n} \predB \eqdef{}& \All m \le n, \melt. m \in \mval(\melt) \Ra (m \in \pred(\melt) \iff m \in \predB(\melt)) \end{align*} where\mProp$is the set of meta-level propositions, \eg Coq's \texttt{Prop}. You can think of uniform predicates as monotone, step-indexed predicates over a camera that ignore'' invalid elements (as defined by the quotient).$\UPred(-)$is a locally non-expansive functor from$\CMRAs$to$\COFEs$. One way to understand this definition is to re-write it a little. We start by defining the COFE of \emph{step-indexed propositions}: For every step-index, the proposition either holds or does not hold. It is worth noting that the above quotient admits canonical representatives. More precisely, one can show that every equivalence class contains exactly one element$P_0such that: \begin{align*} \SProp \eqdef{}& \psetdown{\nat} \\ \eqdef{}& \setComp{X \in \pset{\nat}}{ \All n, m. n \geq m \Ra n \in X \Ra m \in X } \\ X \nequiv{n} Y \eqdef{}& \All m \leq n. m \in X \Lra m \in Y \All n, \melt. (\mval(\melt) \nincl{n} P_0(\melt)) \Ra n \in P_0(\melt) \tagH{UPred-canonical} \end{align*} Notice that this notion of\SProp$is already hidden in the validity predicate$\mval_n$of a CMRA: We could equivalently require every CMRA to define$\mval_{-}(-) : \monoid \nfn \SProp$, replacing \ruleref{cmra-valid-ne} and \ruleref{cmra-valid-mono}. Intuitively, this says that$P_0$trivially holds whenever the resource is invalid. Starting from any element$P$, one can find this canonical representative by choosing$P_0(\melt) := \setComp{n}{n \in \mval(\melt) \Ra n \in P(\melt)}$. Hence, as an alternative definition of$\UPred$, we could use the set of canonical representatives. This alternative definition would save us from using a quotient. However, the definitions of the various connectives would get more complicated, because we have to make sure they all verify \ruleref{UPred-canonical}, which sometimes requires some adjustments. We would moreover need to prove one more property for every logical connective. Now we can rewrite$\UPred(\monoid)$as monotone step-indexed predicates over$\monoid, where the definition of a monotone'' function here is a little funny. \begin{align*} \UPred(\monoid) \cong{}& \monoid \monra \SProp \\ \eqdef{}& \setComp{\pred: \monoid \nfn \SProp}{\All n, m, x, y. n \in \pred(x) \land x \mincl y \land m \leq n \land y \in \mval_m \Ra m \in \pred(y)} \end{align*} The reason we chose the first definition is that it is easier to work with in Coq. \clearpage \section{RA and CMRA constructions} \section{RA and Camera Constructions} \subsection{Product} \label{sec:prodm} Given a family(M_i)_{i \in I}$of CMRAs ($I$finite), we construct a CMRA for the product$\prod_{i \in I} M_i$by lifting everything pointwise. Given a family$(M_i)_{i \in I}$of cameras ($I$finite), we construct a camera for the product$\prod_{i \in I} M_i$by lifting everything pointwise. Frame-preserving updates on the$M_i$lift to the product: \begin{mathpar} ... ... @@ -66,21 +68,21 @@ Frame-preserving updates on the$M_i$lift to the product: \subsection{Sum} \label{sec:summ} The \emph{sum CMRA}$\monoid_1 \csumm \monoid_2$for any CMRAs$\monoid_1$and$\monoid_2$is defined as (again, we use a datatype-like notation): The \emph{sum camera}$\monoid_1 \csumm \monoid_2$for any cameras$\monoid_1$and$\monoid_2is defined as (again, we use a datatype-like notation): \begin{align*} \monoid_1 \csumm \monoid_2 \eqdef{}& \cinl(\melt_1:\monoid_1) \mid \cinr(\melt_2:\monoid_2) \mid \mundef \\ \mval_n \eqdef{}& \setComp{\cinl(\melt_1)}{\melt_1 \in \mval'_n} \cup \setComp{\cinr(\melt_2)}{\melt_2 \in \mval''_n} \\ \mval(\mundef) \eqdef{}& \emptyset \\ \mval(\cinl(\melt)) \eqdef{}& \mval_1(\melt) \\ \cinl(\melt_1) \mtimes \cinl(\meltB_1) \eqdef{}& \cinl(\melt_1 \mtimes \meltB_1) \\ % \munit \mtimes \ospending \eqdef{}& \ospending \mtimes \munit \eqdef \ospending \\ % \munit \mtimes \osshot(\melt) \eqdef{}& \osshot(\melt) \mtimes \munit \eqdef \osshot(\melt) \\ \mcore{\cinl(\melt_1)} \eqdef{}& \begin{cases}\mnocore & \text{if\mcore{\melt_1} = \mnocore} \\ \cinl({\mcore{\melt_1}}) & \text{otherwise} \end{cases} \end{align*} The composition and core for\cinr$are defined symmetrically. Above,$\mval_1$refers to the validity of$\monoid_1$. The validity, composition and core for$\cinr$are defined symmetrically. The remaining cases of the composition and core are all$\mundef$. Above,$\mval'$refers to the validity of$\monoid_1$, and$\mval''$to the validity of$\monoid_2$. Notice that we added the artificial invalid'' (or undefined'') element$\mundef$to this CMRA just in order to make certain compositions of elements (in this case,$\cinl$and$\cinr$) invalid. Notice that we added the artificial invalid'' (or undefined'') element$\mundef$to this camera just in order to make certain compositions of elements (in this case,$\cinl$and$\cinr$) invalid. The step-indexed equivalence is inductively defined as follows: \begin{mathpar} ... ... @@ -99,54 +101,54 @@ We obtain the following frame-preserving updates, as well as their symmetric cou {\cinl(\melt) \mupd \setComp{ \cinl(\meltB)}{\meltB \in \meltsB}} \inferH{sum-swap} {\All \melt_\f, n. \melt \mtimes \melt_\f \notin \mval'_n \and \meltB \in \mval''} {\All \melt_\f \in M, n. n \notin \mval(\melt \mtimes \melt_\f) \and \mvalFull(\meltB)} {\cinl(\melt) \mupd \cinr(\meltB)} \end{mathpar} Crucially, the second rule allows us to \emph{swap} the side'' of the sum that the CMRA is on if$\mval$has \emph{no possible frame}. Crucially, the second rule allows us to \emph{swap} the side'' of the sum that the camera is on if$\mval\$ has \emph{no possible frame}.