Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
Matthieu Sozeau
Iris
Commits
d8e8dfea
Commit
d8e8dfea
authored
Aug 09, 2019
by
Paolo G. Giarrusso
Committed by
Ralf Jung
Nov 06, 2020
Browse files
Documentation on Iris equalities
parent
7f8b01a9
Changes
2
Hide whitespace changes
Inline
Sidebyside
README.md
View file @
d8e8dfea
...
...
@@ 137,6 +137,8 @@ Getting along with Iris in Coq:
*
Iris proof patterns and conventions are documented in the
[
proof guide
](
docs/proof_guide.md
)
.
*
Various notions of equality in Iris and their Coq interface are described in the
[
equality
docs
](
docs/equalities.md
)
.
*
The Iris tactics are described in the
[
the Iris Proof Mode (IPM) / MoSeL documentation
](
docs/proof_mode.md
)
as well as the
[
HeapLang documentation
](
docs/heap_lang.md
)
.
...
...
docs/equalities.md
0 → 100644
View file @
d8e8dfea
# Equalities in Iris
Using Iris involves dealing with a few subtly different equivalence and equality
relations, especially among propositions.
This document summarizes these relations and the subtle distinctions among them.
This is not a general introduction to Iris: instead, we discuss the different
Iris equalities and the interface to their Coq implementation. In particular, we
discuss:

Equality from Iris metatheory vs Coq equality and setoid equivalence;

Nequivalence on OFEs;

Iris internal equality;

Iris entailment and bientailment.
## Leibniz equality and setoids
First off, in the metalogic (Coq) we have both the usual propositional (or
Leibniz) equality
`=`
, and setoid equality
`equiv`
/
`≡`
(defined in
`stdpp`
).
Notations for metalogic connectives like
`≡`
are declared in Coq scope
`stdpp_scope`
, which is "open" by default.
Setoid equality for a type
`A`
is defined by the instance of
`Equiv A`
; this
allows defining quotient setoids. To deal with setoids, we use Coq's
[
generalized
rewriting
](
https://coq.inria.fr/refman/addendum/generalizedrewriting.html
)
facilities.
Setoid equality can coincide with Leibniz equality:

`equivL`
defines a setoid equality coinciding with Leibniz equality.

Some types enjoy
`LeibnizEquiv`
, which makes
`equiv`
be equivalent to
`eq`
.
Given setoids
`A`
and
`B`
and a function
`f : A → B`
, an instance
`Proper ((≡)
==> (≡)) f`
declares that
`f`
respects setoid equality, as usual in Coq. Such
instances enable rewriting with setoid equalities.
Here, stdpp adds the following facilities:

`solve_proper`
for automating proofs of
`Proper`
instances.

`f_equiv`
generalizes
`f_equal`
to other relations; it will for instance turn
goal
`R (f a) (f b)`
into
`R a b`
given an appropriate
`Proper`
instance
(here,
`Proper (R ==> R) f`
).
## Equivalences on OFEs
On paper, OFEs involve two relations, equality "=" and distance "=_n". In Coq,
equality "=" is formalized as setoid equality, written
`≡`
or
`equiv`
, as before;
distance "=_n" is formalized as relation
`dist n`
, also written
`≡{n}≡`
.
Tactics
`solve_proper`
and
`f_equiv`
also support distance.
Some OFE constructors choose interesting equalities.

`discreteO`
constructs discrete OFEs (where distance coincides with setoid equality).

`leibnizO`
constructs discrete OFEs (like
`discreteO`
) but using
`equivL`
, so
that both distance and setoid equality coincide with Leibniz equality.
Given OFEs
`A`
and
`B`
, nonexpansive functions from
`A`
to
`B`
are functions
`f : A → B`
with a proof of
`NonExpansive f`
(that is,
`(∀ n, Proper (dist n
==> dist n) f)`
). The two can be packaged together via
`A n> B`
.
Nonexpansive functions from Leibniz OFEs can be given type
`A d> B`
instead of
`leibnizO A n> B`
; this spares the need for bundled
`NonExpansive`
instances.
Moreover,
`discreteO A n> B`
is isomorphic to
`f : A d> B`
plus an instance
for
`∀ n, Proper ((≡) ==> (≡{ n }≡)) f`
. However, in the second case the
`Proper`
instance can be omitted for proof convenience unless actively used.
In both OFE function spaces (
`A n> B`
and
`A d> B`
), setoid equality is
defined to be pointwise equality, so that functional extensionality holds for
`≡`
.
## Inside the Iris logic
Next, we introduce notions internal to the Iris logic. Such notions often
overload symbols used for external notions; however, those overloaded notations
are declared in scope
`bi_scope`
; when writing
`(P)%I`
, notations in
`P`
are
resolved in
`bi_scope`
in preference over
`stdpp_scope`
.
We also use
`bi_scope`
for the arguments of all variants of Iris entailments.
The Iris logic has an internal concept of equality. If
`a`
and
`b`
are Iris
terms of type
`A`
, then their internal equality is written (on paper) "a =_A b";
in Coq, that's written
`a ≡ b`
(notation for
`sbi_internal_eq`
in scope
`bi_scope`
).
As shown in the Iris appendix, an internal equality
`a ≡ b`
is interpreted using
OFE distance. Many types have
`_equivI`
lemmas characterizing internal
equality on them. For instance, if
`f, g : A d> B`
, lemma
`discrete_fun_equivI`
shows that
`f ≡ g`
is equivalent to
`∀ x, f x ≡ g x`
.
Typically, each
`_equivI`
lemma for type
`T`
lifts to internal equality on
`T`
properties of the distance on
`T`
.
## Relations among Iris propositions
In this section, we discuss relations among internal propositions.
Even though some of these notes generalize to all internal logics (other
`sbi`
s), we focus on Iris propositions (
`iProp Σ`
), to discuss both their proof
theory and their model.
As Iris propositions form a separation logic, we assume some familiarity with
separation logics, connectives such as
`∗`
,
`∗`
,
`emp`
and
`→`
, and the idea
that propositions in separation logics are interpreted with predicates over
resources (see for instance Sec. 2.1 of the MoSEL paper).
In the metalogic, Iris defines the entailment relation between uniform
predicates: intuitively,
`P`
entails
`Q`
(written
`P ⊢ Q`
) means that
`P`
implies
`Q`
on _every_ resource (for details see Iris appendix [Sec. 6]).
Entailment
`P ⊢ Q`
is distinct from the magic wand,
`(P ∗ Q)%I`
, but
equivalent, as
`P ⊢ Q`
is equivalent to
`emp ⊢ P ∗ Q`
(per Iris lemmas
`entails_wand`
and
`wand_entails`
).
Notation
`P ⊢ Q`
is declared in
`stdpp_scope`
, but takes arguments in
`bi_scope`
, so that we can write conveniently
`P ⊢ Q ∗ R`
in
`stdpp_scope`
.
For additional convenience,
`P ⊢ Q`
can also be written
`P ∗ Q`
in
`stdpp_scope`
, so that we can write
`P ∗ Q ∗ R`
instead of
`P ⊢ Q ∗ R`
or of
the equivalent
`emp ⊢ P ∗ Q ∗ R`
.
Using entailment, Iris defines an implicit coercion
`bi_emp_valid`
, mapping any
Iris propositions
`P`
into the Coq propositions
`emp ⊢ P`
.
On paper, uniform predicates are defined by quotienting by an equivalence
relation ([Iris appendix, Sec. 3.3]); that relation is used in Coq as setoid
equivalence. That relation is also equivalent to bientailment (or entailment in
both directions), per lemma
`equiv_spec`
:
```
coq
Lemma
equiv_spec
P
Q
:
P
≡
Q
↔
(
P
⊢
Q
)
∧
(
Q
⊢
P
).
```
Hence, setoid equality
`≡`
on propositions is also written
`⊣⊢`
. For instance,
our earlier lemma
`discrete_fun_equivI`
is stated using
`⊣⊢`
:
```
coq
Lemma
discrete_fun_equivI
{
A
}
{
B
:
A
→
ofeT
}
(
f
g
:
discrete_fun
B
)
:
f
≡
g
⊣
⊢
∀
x
,
f
x
≡
g
x
.
```
Inside the logic, we can use internal equality
`≡`
(in
`bi_scope`
), which
translates to distance as usual. Here is a pitfall: internal equality
`≡`
is in
general strictly stronger than
`∗∗`
, because
`Q1 ≡ Q2`
means that
`Q1`
and
`Q2`
are equivalent _independently of the available resources_.

When proving
`P ∗ Q1 ∗∗ Q2`
, we can use
`P`
to show that
`Q1`
and
`Q2`
are
equivalent.

Instead, to prove
`P ∗ Q1 ≡ Q2`
, we cannot use
`P`
unless it's a plain
proposition (so, one that holds on the empty resource). Crucially, pure
propositions
`⌜ φ ⌝`
are plain.
We can explain internal equality using the Iris plainly modality:
```
coq
Lemma
prop_ext
P
Q
:
P
≡
Q
⊣
⊢
■
(
P
∗

∗
Q
).
```
Looking at the Iris semantics for the plainly modality, to prove internal equality
`P ≡ Q`
, we must prove that
`P`
and
`Q`
are equivalent _without any resources
available_.
Last, metalevel propositions
`φ : Prop`
can be embedded as pure Iris
propositions
`⌜ φ ⌝`
, and this allows embedding equalities from the metalogic.
For instance,
`⌜ a1 = a2 ⌝`
can be useful for making some proofs more
convenient, as Leibniz equality is the strongest equivalence available, is
respected by all Coq functions, and can be used for rewriting in the absence of
`Proper`
instances. On the other hand, onpaper Iris does not allow writing
`⌜ a1 = a2 ⌝`
, only
`⌜ a1 ≡ a2 ⌝`
, unless setoid equality and Leibniz equality
coincide.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment