Commit 39b9a3c5 by Ralf Jung

### Merge branch 'janno/hoare-notation' into 'master'

Add triple notation for generalized post-condition

This changeset defines notation for the Iris style of writing Hoare triples:

`{{{ P }}} e {{{ v1 .. vn; T, Q }}} := P ★ (∀ v1 .. vn, Q → Φ T) ⊢ WP e {{ Φ }}`

For no good reason the notation is parsing only, although I do not declare it as such. We might want to do that though, since it might be too hard to understand a Hoare triple goal without unfolding it.

I have changed the barrier specifications to use the new notation in an attempt to demonstrate their usefulness (or, at a minimum, their applicability). The changes are rather minimal, as you can see.

## Changes

First and foremost, the specifications change. (Duh!)
Then, there are three kinds of changes to the proofs:

1. The first `iIntros` needs to take care of introducing `Φ`. No big deal, in my opinion.
2. Introducing the spatial assumptions needs one additional level of structure, since we go from `P1 ★ P2 ★ (∀ v, Q v -★ Φ v)` to `(P1 ★ P2) ★ (∀ v, Q v -★ Φ v)`.
3. A post-condition of `True` leads to the rather annoying hypothesis `True -★ Φ v`, which (as far as I can tell) cannot be made to behave the same as just `Φ v` in the context of `iFrame`.

## Applicability

I have also looked at most other examples of specifications in `heap_lang/lib`. The notation seems to be applicable to almost all of them. The only place where I spotted an obvious mismatch is `par.v`, where the current lemmas have a later before the generalized post-condition, as in `... ★ (∀ .., ... -★ ▷ Φ ..) ⊢ WP ..`. We could always add another pair of notations for this special case, I suppose.

## Nomenclature

I think "Texan triple" would be a good name, seeing how everything is bigger in Texas, including the number of curly braces.

See merge request !9
parents c476d109 90ba4346
 ... ... @@ -171,9 +171,11 @@ Notation "(★)" := uPred_sep (only parsing) : uPred_scope. Notation "P -★ Q" := (uPred_wand P Q) (at level 99, Q at level 200, right associativity) : uPred_scope. Notation "∀ x .. y , P" := (uPred_forall (λ x, .. (uPred_forall (λ y, P)) ..)%I) : uPred_scope. (uPred_forall (λ x, .. (uPred_forall (λ y, P)) ..)%I) (at level 200, x binder, y binder, right associativity) : uPred_scope. Notation "∃ x .. y , P" := (uPred_exist (λ x, .. (uPred_exist (λ y, P)) ..)%I) : uPred_scope. (uPred_exist (λ x, .. (uPred_exist (λ y, P)) ..)%I) (at level 200, x binder, y binder, right associativity) : uPred_scope. Notation "□ P" := (uPred_always P) (at level 20, right associativity) : uPred_scope. Notation "▷ P" := (uPred_later P) ... ...
 ... ... @@ -104,11 +104,11 @@ Section heap. Proof. by rewrite heap_mapsto_op_half. Qed. (** Weakest precondition *) Lemma wp_alloc E e v Φ : Lemma wp_alloc E e v : to_val e = Some v → nclose heapN ⊆ E → heap_ctx ★ ▷ (∀ l, l ↦ v ={E}=★ Φ (LitV (LitLoc l))) ⊢ WP Alloc e @ E {{ Φ }}. {{{ heap_ctx }}} Alloc e @ E {{{ l; LitV (LitLoc l), l ↦ v }}}. Proof. iIntros (<-%of_to_val ?) "[#Hinv HΦ]". rewrite /heap_ctx. iIntros (<-%of_to_val ? Φ) "[#Hinv HΦ]". rewrite /heap_ctx. iMod (auth_empty heap_name) as "Ha". iMod (auth_open with "[\$Hinv \$Ha]") as (σ) "(%&Hσ&Hcl)"; first done. iApply wp_alloc_pst. iFrame "Hσ". iNext. iIntros (l) "[% Hσ] !>". ... ... @@ -118,12 +118,12 @@ Section heap. iApply "HΦ". by rewrite heap_mapsto_eq /heap_mapsto_def. Qed. Lemma wp_load E l q v Φ : Lemma wp_load E l q v : nclose heapN ⊆ E → heap_ctx ★ ▷ l ↦{q} v ★ ▷ (l ↦{q} v ={E}=★ Φ v) ⊢ WP Load (Lit (LitLoc l)) @ E {{ Φ }}. {{{ heap_ctx ★ ▷ l ↦{q} v }}} Load (Lit (LitLoc l)) @ E {{{; v, l ↦{q} v }}}. Proof. iIntros (?) "[#Hinv [>Hl HΦ]]". iIntros (? Φ) "[[#Hinv >Hl] HΦ]". rewrite /heap_ctx heap_mapsto_eq /heap_mapsto_def. iMod (auth_open with "[\$Hinv \$Hl]") as (σ) "(%&Hσ&Hcl)"; first done. iApply (wp_load_pst _ σ); first eauto using heap_singleton_included. ... ... @@ -131,12 +131,12 @@ Section heap. iMod ("Hcl" with "* [Hσ]") as "Ha"; first eauto. by iApply "HΦ". Qed. Lemma wp_store E l v' e v Φ : Lemma wp_store E l v' e v : to_val e = Some v → nclose heapN ⊆ E → heap_ctx ★ ▷ l ↦ v' ★ ▷ (l ↦ v ={E}=★ Φ (LitV LitUnit)) ⊢ WP Store (Lit (LitLoc l)) e @ E {{ Φ }}. {{{ heap_ctx ★ ▷ l ↦ v' }}} Store (Lit (LitLoc l)) e @ E {{{; LitV LitUnit, l ↦ v }}}. Proof. iIntros (<-%of_to_val ?) "[#Hinv [>Hl HΦ]]". iIntros (<-%of_to_val ? Φ) "[[#Hinv >Hl] HΦ]". rewrite /heap_ctx heap_mapsto_eq /heap_mapsto_def. iMod (auth_open with "[\$Hinv \$Hl]") as (σ) "(%&Hσ&Hcl)"; first done. iApply (wp_store_pst _ σ); first eauto using heap_singleton_included. ... ... 
@@ -147,12 +147,12 @@ Section heap. by iApply "HΦ". Qed. Lemma wp_cas_fail E l q v' e1 v1 e2 v2 Φ : Lemma wp_cas_fail E l q v' e1 v1 e2 v2 : to_val e1 = Some v1 → to_val e2 = Some v2 → v' ≠ v1 → nclose heapN ⊆ E → heap_ctx ★ ▷ l ↦{q} v' ★ ▷ (l ↦{q} v' ={E}=★ Φ (LitV (LitBool false))) ⊢ WP CAS (Lit (LitLoc l)) e1 e2 @ E {{ Φ }}. {{{ heap_ctx ★ ▷ l ↦{q} v' }}} CAS (Lit (LitLoc l)) e1 e2 @ E {{{; LitV (LitBool false), l ↦{q} v' }}}. Proof. iIntros (<-%of_to_val <-%of_to_val ??) "[#Hinv [>Hl HΦ]]". iIntros (<-%of_to_val <-%of_to_val ?? Φ) "[[#Hinv >Hl] HΦ]". rewrite /heap_ctx heap_mapsto_eq /heap_mapsto_def. iMod (auth_open with "[\$Hinv \$Hl]") as (σ) "(%&Hσ&Hcl)"; first done. iApply (wp_cas_fail_pst _ σ); [eauto using heap_singleton_included|done|]. ... ... @@ -160,12 +160,12 @@ Section heap. iMod ("Hcl" with "* [Hσ]") as "Ha"; first eauto. by iApply "HΦ". Qed. Lemma wp_cas_suc E l e1 v1 e2 v2 Φ : Lemma wp_cas_suc E l e1 v1 e2 v2 : to_val e1 = Some v1 → to_val e2 = Some v2 → nclose heapN ⊆ E → heap_ctx ★ ▷ l ↦ v1 ★ ▷ (l ↦ v2 ={E}=★ Φ (LitV (LitBool true))) ⊢ WP CAS (Lit (LitLoc l)) e1 e2 @ E {{ Φ }}. {{{ heap_ctx ★ ▷ l ↦ v1 }}} CAS (Lit (LitLoc l)) e1 e2 @ E {{{; LitV (LitBool true), l ↦ v2 }}}. Proof. iIntros (<-%of_to_val <-%of_to_val ?) "[#Hinv [>Hl HΦ]]". iIntros (<-%of_to_val <-%of_to_val ? Φ) "[[#Hinv >Hl] HΦ]". rewrite /heap_ctx heap_mapsto_eq /heap_mapsto_def. iMod (auth_open with "[\$Hinv \$Hl]") as (σ) "(%&Hσ&Hcl)"; first done. iApply (wp_cas_suc_pst _ σ); first eauto using heap_singleton_included. ... ...
 ... ... @@ -91,11 +91,11 @@ Proof. Qed. (** Actual proofs *) Lemma newbarrier_spec (P : iProp Σ) (Φ : val → iProp Σ) : Lemma newbarrier_spec (P : iProp Σ) : heapN ⊥ N → heap_ctx ★ (∀ l, recv l P ★ send l P -★ Φ #l) ⊢ WP newbarrier #() {{ Φ }}. {{{ heap_ctx }}} newbarrier #() {{{ l; #l, recv l P ★ send l P }}}. Proof. iIntros (HN) "[#? HΦ]". iIntros (HN Φ) "[#? HΦ]". rewrite /newbarrier /=. wp_seq. wp_alloc l as "Hl". iApply ("HΦ" with ">[-]"). iMod (saved_prop_alloc (F:=idCF) P) as (γ) "#?". ... ... @@ -117,14 +117,15 @@ Proof. - auto. Qed. Lemma signal_spec l P (Φ : val → iProp Σ) : send l P ★ P ★ Φ #() ⊢ WP signal #l {{ Φ }}. Lemma signal_spec l P : {{{ send l P ★ P }}} signal #l {{{; #(), True }}}. Proof. rewrite /signal /send /barrier_ctx /=. iIntros "(Hs&HP&HΦ)"; iDestruct "Hs" as (γ) "[#(%&Hh&Hsts) Hγ]". wp_let. iIntros (Φ) "((Hs&HP)&HΦ)"; iDestruct "Hs" as (γ) "[#(%&Hh&Hsts) Hγ]". wp_let. iMod (sts_openS (barrier_inv l P) _ _ γ with "[Hγ]") as ([p I]) "(% & [Hl Hr] & Hclose)"; eauto. destruct p; [|done]. wp_store. iFrame "HΦ". destruct p; [|done]. wp_store. iSpecialize ("HΦ" with "[#]") => //. iFrame "HΦ". iMod ("Hclose" \$! (State High I) (∅ : set token) with "[-]"); last done. iSplit; [iPureIntro; by eauto using signal_step|]. iNext. rewrite {2}/barrier_inv /ress /=; iFrame "Hl". ... ... @@ -132,11 +133,11 @@ Proof. iNext. iIntros "_"; by iApply "Hr". Qed. Lemma wait_spec l P (Φ : val → iProp Σ) : recv l P ★ (P -★ Φ #()) ⊢ WP wait #l {{ Φ }}. Lemma wait_spec l P: {{{ recv l P }}} wait #l {{{ ; #(), P }}}. Proof. rename P into R; rewrite /recv /barrier_ctx. iIntros "[Hr HΦ]"; iDestruct "Hr" as (γ P Q i) "(#(%&Hh&Hsts)&Hγ&#HQ&HQR)". iIntros (Φ) "[Hr HΦ]"; iDestruct "Hr" as (γ P Q i) "(#(%&Hh&Hsts)&Hγ&#HQ&HQR)". iLöb as "IH". wp_rec. wp_bind (! _)%E. iMod (sts_openS (barrier_inv l P) _ _ γ with "[Hγ]") as ([p I]) "(% & [Hl Hr] & Hclose)"; eauto. ... ... 
@@ -146,7 +147,7 @@ Proof. iAssert (sts_ownS γ (i_states i) {[Change i]})%I with ">[Hγ]" as "Hγ". { iApply (sts_own_weaken with "Hγ"); eauto using i_states_closed. } iModIntro. wp_if. iApply ("IH" with "Hγ [HQR] HΦ"). auto. iApply ("IH" with "Hγ [HQR] [HΦ]"); auto. - (* a High state: the comparison succeeds, and we perform a transition and return to the client *) iDestruct "Hr" as (Ψ) "[HΨ Hsp]". ... ...
 ... ... @@ -20,8 +20,9 @@ Proof. intros HN. exists (λ l, CofeMor (recv N l)), (λ l, CofeMor (send N l)). split_and?; simpl. - iIntros (P) "#? !# _". iApply (newbarrier_spec _ P); eauto. - iIntros (l P) "!# [Hl HP]". by iApply signal_spec; iFrame "Hl HP". - iIntros (P) "#? !# _". iApply (newbarrier_spec _ P); first done. iSplit; first done. iNext. eauto. - iIntros (l P) "!# [Hl HP]". iApply signal_spec; iFrame "Hl HP"; by eauto. - iIntros (l P) "!# Hl". iApply wait_spec; iFrame "Hl"; eauto. - iIntros (l P Q) "!#". by iApply recv_split. - apply recv_weaken. ... ...
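Review bot: in the notation hunk (`@@ -171,9 +171,11 @@`), the `∀ x .. y , P` and `∃ x .. y , P` notations gain explicit `(at level 200, x binder, y binder, right associativity)` modifiers, but the new triple notation itself is outside the visible context and carries no documentation. Since the description admits the notation is effectively parsing-only, either declare it `(only parsing)` or give it a `format` clause so a goal prints readably, and put the unfolding from the description (`P ★ (∀ v1 .. vn, Q -★ Φ T) ⊢ WP e {{ Φ }}`) in a comment next to the `Notation`, because a reader who meets `{{{ ... }}} e {{{ ...; ..., ... }}}` in a goal otherwise has to unfold it by hand.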
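Review bot: the rewritten `wp_alloc`, `wp_load`, `wp_store`, `wp_cas_fail` and `wp_cas_suc` statements in the heap.v hunks are strictly less general than the ones they replace, because the triple notation drops both the `▷` in front of the continuation and the `={E}=★` view shift. The old `wp_load` demanded `▷ (l ↦{q} v ={E}=★ Φ v)`; the new `{{{ heap_ctx ★ ▷ l ↦{q} v }}} Load (Lit (LitLoc l)) @ E {{{; v, l ↦{q} v }}}` unfolds, per the description, to a plain `l ↦{q} v -★ Φ v` with no later and no view shift, so a client that established `Φ` under a later or after a view shift can no longer apply the lemma directly. If that loss is intended, state it in the description; otherwise build the `▷` and the view shift into the notation (the par.v mismatch mentioned in the description points the same way).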
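Review bot: the barrier.v hunks spell the empty-binder form inconsistently (`{{{; #(), True }}}` in `signal_spec` versus `{{{ ; #(), P }}}` in `wait_spec`, and `{{{; v, l ↦{q} v }}}` in heap.v), and `Lemma wait_spec l P:` is missing the space before the colon that every other statement has; pick one spelling and apply it everywhere. The `True` post-condition in `signal_spec` also forces the extra `iSpecialize ("HΦ" with "[#]") => //.` before `iFrame "HΦ"`, which the description calls out as annoying; a short comment at that line, or a second notation form for resource-free post-conditions, would stop this step from being copied unexplained into every spec with a trivial post-condition.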
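Review bot: in the client.v hunk, the `newbarrier_spec` call grows from `iApply (newbarrier_spec _ P); eauto.` to `iApply (newbarrier_spec _ P); first done. iSplit; first done. iNext. eauto.`, so the client now has to split the precondition and strip a later by hand where `eauto` used to suffice. That is a call-site cost the description does not mention; either document why the extra `iSplit`/`iNext` is needed here, or adjust the notation so the client side does not get longer with every use.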