Commit 3d448c5d by Ralf Jung

 ... @@ -9,19 +9,18 @@ ... @@ -9,19 +9,18 @@ \ralf{Sync this with Coq.} \ralf{Sync this with Coq.} Hoare triples and view shifts are syntactic sugar for weakest (liberal) preconditions and primitive view shifts, respectively: Hoare triples and view shifts are syntactic sugar for weakest (liberal) preconditions and primitive view shifts, respectively: % \[ \hoare{\prop}{\expr}{\Ret\val.\propB}[\mask] \eqdef \always{(\prop \Ra \dynA{\expr}{\lambda\Ret\val.\propB}{\mask})} % \hoare{\prop}{\expr}{\Ret\val.\propB}[\mask] \eqdef \always{(\prop \Ra \dynA{\expr}{\lambda\Ret\val.\propB}{\mask})} \qquad\qquad % \qquad\qquad \begin{aligned} % \begin{aligned} \prop \vs[\mask_1][\mask_2] \propB &\eqdef \always{(\prop \Ra \pvsA{\propB}{\mask_1}{\mask_2})} \\ % \prop \vs[\mask_1][\mask_2] \propB &\eqdef \always{(\prop \Ra \pvsA{\propB}{\mask_1}{\mask_2})} \\ \prop \vsE[\mask_1][\mask_2] \propB &\eqdef \prop \vs[\mask_1][\mask_2] \propB \land \propB \vs[\mask2][\mask_1] \prop % \prop \vsE[\mask_1][\mask_2] \propB &\eqdef \prop \vs[\mask_1][\mask_2] \propB \land \propB \vs[\mask2][\mask_1] \prop \end{aligned} % \end{aligned} % \] We write just one mask for a view shift when $\mask_1 = \mask_2$. We write just one mask for a view shift when $\mask_1 = \mask_2$. The convention for omitted masks is generous: The convention for omitted masks is generous: An omitted $\mask$ is $\top$ for Hoare triples and $\emptyset$ for view shifts. An omitted $\mask$ is $\top$ for Hoare triples and $\emptyset$ for view shifts. We write $\provesalways$ to denote judgments that can only be extended with a boxed proof context, in contrast to our usual convention of allowing the context to be extended with any assertions. \paragraph{Hoare triples.} \paragraph{Hoare triples.} \begin{mathpar} \begin{mathpar} ... @@ -120,12 +119,12 @@ The following are easily derived by unfolding the sugar for Hoare triples and vi ... 
@@ -120,12 +119,12 @@ The following are easily derived by unfolding the sugar for Hoare triples and vi {\All \var. (\prop \vs[\mask_1][\mask_2] \propB)} {\All \var. (\prop \vs[\mask_1][\mask_2] \propB)} {(\Exists \var. \prop) \vs[\mask_1][\mask_2] \propB} {(\Exists \var. \prop) \vs[\mask_1][\mask_2] \propB} \and \and \inferHB{BoxOut} \inferHB{HtBox} {\always\propB \provesalways \hoare{\prop}{\expr}{\Ret\val.\propC}[\mask]} {\always\propB \proves \hoare{\prop}{\expr}{\Ret\val.\propC}[\mask]} {\hoare{\prop \land \always{\propB}}{\expr}{\Ret\val.\propC}[\mask]} {\hoare{\prop \land \always{\propB}}{\expr}{\Ret\val.\propC}[\mask]} \and \and \inferHB{VSBoxOut} \inferHB{VsBox} {\always\propB \provesalways \prop \vs[\mask_1][\mask_2] \propC} {\always\propB \proves \prop \vs[\mask_1][\mask_2] \propC} {\prop \land \always{\propB} \vs[\mask_1][\mask_2] \propC} {\prop \land \always{\propB} \vs[\mask_1][\mask_2] \propC} \and \and \inferH{False} \inferH{False} ... ...
 ... @@ -115,8 +115,8 @@ Iris syntax is built up from a signature $\Sig$ and a countably infinite set $\t ... @@ -115,8 +115,8 @@ Iris syntax is built up from a signature$\Sig$and a countably infinite set$\t \ownPhys{\term} \mid \ownPhys{\term} \mid \always\prop \mid \always\prop \mid {\later\prop} \mid {\later\prop} \mid \pvsA{\prop}{\term}{\term} \mid \pvs[\term][\term] \prop\mid \dynA{\term}{\pred}{\term} \wpre{\term}{\pred}[\term] \end{align*} \end{align*} Recursive predicates must be \emph{guarded}: in $\MU \var. \pred$, the variable $\var$ can only appear under the later $\later$ modality. Recursive predicates must be \emph{guarded}: in $\MU \var. \pred$, the variable $\var$ can only appear under the later $\later$ modality. ... @@ -263,7 +263,7 @@ In writing $\vctx, x:\type$, we presuppose that $x$ is not already declared in $... @@ -263,7 +263,7 @@ In writing$\vctx, x:\type$, we presuppose that$x$is not already declared in$ \vctx \proves \wtt{\mask}{\textsort{InvMask}} \and \vctx \proves \wtt{\mask}{\textsort{InvMask}} \and \vctx \proves \wtt{\mask'}{\textsort{InvMask}} \vctx \proves \wtt{\mask'}{\textsort{InvMask}} }{ }{ \vctx \proves \wtt{\pvsA{\prop}{\mask}{\mask'}}{\Prop} \vctx \proves \wtt{\pvs[\mask][\mask'] \prop}{\Prop} } } \and \and \infer{ \infer{ ... @@ -271,7 +271,7 @@ In writing $\vctx, x:\type$, we presuppose that $x$ is not already declared in $... @@ -271,7 +271,7 @@ In writing$\vctx, x:\type$, we presuppose that$x$is not already declared in$ \vctx \proves \wtt{\pred}{\textsort{Val} \to \Prop} \and \vctx \proves \wtt{\pred}{\textsort{Val} \to \Prop} \and \vctx \proves \wtt{\mask}{\textsort{InvMask}} \vctx \proves \wtt{\mask}{\textsort{InvMask}} }{ }{ \vctx \proves \wtt{\dynA{\expr}{\pred}{\mask}}{\Prop} \vctx \proves \wtt{\wpre{\expr}{\pred}[\mask]}{\Prop} } } \end{mathparpagebreakable} \end{mathparpagebreakable} ... @@ -288,6 +288,7 @@ This is a \emph{meta-level} assertions about propositions, defined by the follow ... 
@@ -288,6 +288,7 @@ This is a \emph{meta-level} assertions about propositions, defined by the follow The judgment $\vctx \mid \pfctx \proves \prop$ says that with free variables $\vctx$, proposition $\prop$ holds whenever all assumptions $\pfctx$ hold. The judgment $\vctx \mid \pfctx \proves \prop$ says that with free variables $\vctx$, proposition $\prop$ holds whenever all assumptions $\pfctx$ hold. We implicitly assume that an arbitrary variable context, $\vctx$, is added to every constituent of the rules. We implicitly assume that an arbitrary variable context, $\vctx$, is added to every constituent of the rules. Furthermore, an arbitrary \emph{boxed} assertion context $\always\pfctx$ may be added to every constituent. Axioms $\prop \Ra \propB$ stand for judgments $\vctx \mid \cdot \proves \prop \Ra \propB$ with no assumptions. Axioms $\prop \Ra \propB$ stand for judgments $\vctx \mid \cdot \proves \prop \Ra \propB$ with no assumptions. (Bi-implications are analogous.) (Bi-implications are analogous.) ... @@ -500,17 +501,17 @@ This is entirely standard. ... 
@@ -500,17 +501,17 @@ This is entirely standard. \subsection{Adequacy} \subsection{Adequacy} ~\\\ralf{Check if this is still accurate. Port to weakest-pre.} The adequacy statement reads as follows: The adequacy statement reads as follows: \begin{align*} \begin{align*} &\All \mask, \expr, \val, \pred, i, \state, \state', \tpool'. &\All \mask, \expr, \val, \pred, i, \state, \melt, \state', \tpool'. \\&( \proves \hoare{\ownPhys\state}{\expr}{x.\; \pred(x)}[\mask]) \implies \\&(\All n. \melt \in \mval_n) \Ra \\&\cfg{\state}{[i \mapsto \expr]} \step^\ast \\&( \ownPhys\state * \ownGGhost\melt \proves \wpre{\expr}{x.\; \pred(x)}[\mask]) \Ra \cfg{\state'}{[i \mapsto \val] \uplus \tpool'} \implies \\&\cfg{\state}{[\expr]} \step^\ast \cfg{\state'}{[\val] \dplus \tpool'} \Ra \\&\pred(\val) \\&\pred(\val) \end{align*} \end{align*} where $\pred$ can mention neither resources nor invariants. where $\pred$ is a \emph{meta-level} predicate over values, \ie it can mention neither resources nor invariants. % RJ: If we want this section back, we should port it to primitive view shifts and prove it in Coq. % RJ: If we want this section back, we should port it to primitive view shifts and prove it in Coq. ... ...
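Review bot: In the @@ -9,19 +9,18 @@ hunk the sugar definitions keep the old macros `\dynA{\expr}{\lambda\Ret\val.\propB}{\mask}` and `\pvsA{\propB}{\mask_1}{\mask_2}` while the @@ -115, @@ -263 and @@ -271 hunks switch the syntax and typing rules to `\wpre{\expr}{\pred}[\mask]` and `\pvs[\mask][\mask'] \prop`; the two definitions should be moved to the new macros in the same commit so the document does not depend on both spellings. The unchanged line `\propB \vs[\mask2][\mask_1] \prop` is also missing an underscore (`\mask_2`), so it typesets the mask followed by a literal 2 instead of a subscript. The `\ralf{Sync this with Coq.}` marker in that hunk is still open.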
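Review bot: The rename of `BoxOut` to `HtBox` and `VSBoxOut` to `VsBox` in the @@ -120,12 +119,12 @@ hunk needs a check for cross-references or prose elsewhere that still mention the old rule names, since those would now dangle. In the same hunk the premises change from `\provesalways` to plain `\proves`; with the sentence explaining `\provesalways` deleted from the @@ -9 hunk, the soundness of `\always\propB \proves \hoare{\prop}{\expr}{\Ret\val.\propC}[\mask]` and `\always\propB \proves \prop \vs[\mask_1][\mask_2] \propC` as premises rests entirely on the convention added in the @@ -288 hunk that only a boxed context is added to every constituent, so that convention has to replace, not merely supplement, the previous one of extending judgments with arbitrary assertions.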
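Review bot: The sentence added in the @@ -288,6 +288,7 @@ hunk, `Furthermore, an arbitrary \emph{boxed} assertion context $\always\pfctx$ may be added to every constituent.`, states what may be added but not that this is the only permitted extension; because the @@ -120 hunk now states HtBox and VsBox with plain `\proves`, the text should say explicitly that non-boxed assumptions may not be added, otherwise a reader applying the older convention of extending with any assertions (the sentence deleted in the @@ -9 hunk) would derive unsound instances of those rules. Minor: the hunk's context line `This is a \emph{meta-level} assertions about propositions` should read `assertion`.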
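Review bot: In the @@ -500,17 +501,17 @@ hunk the thread index `i` is still bound in `\All \mask, \expr, \val, \pred, i, \state, \melt, \state', \tpool'.` but no longer occurs in the statement, which now writes the configurations as `\cfg{\state}{[\expr]}` and `\cfg{\state'}{[\val] \dplus \tpool'}`; drop it from the quantifier. The `\ralf{Check if this is still accurate. Port to weakest-pre.}` marker added at the top of the subsection is already half addressed by this same hunk (the premise is stated with `\wpre{\expr}{x.\; \pred(x)}[\mask]`), so it should be reduced to the remaining accuracy check, and the trailing `% RJ:` comment about porting the section to primitive view shifts may be stale for the same reason. The new validity premise `\All n. \melt \in \mval_n` and the sharper gloss that $\pred$ is a meta-level predicate over values read well.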