Tej Chajed authored 4 years ago and Robbert Krebbers committed 4 years ago

Implemented as an algebra for rules about `auth max_natUR` and a
logic-level wrapper for the auth element (a nat) and fragment (a
persistent lower-bound).

Fixes #327.

Notably, `big_andL_andL` and `big_andL_and` where a ⊣⊢ and ⊢ version
of the same lemma. I favored the `big_opL_op` naming scheme.

The absence of this axiom has two consequences:

- We no longer have `■ (P ∗ Q) ⊢ ■ P ∗ ■ Q` and `□ (P ∗ Q) ⊢ □ P ∗ □ Q`,
  and as a result, separating conjunctions in the unrestricted/persistent
  context cannot be eliminated.
- When having `(P -∗ ⬕ Q) ∗ P`, we do not get `⬕ Q ∗ P`. In the proof
  mode this means when having:

    H1 : P -∗ ⬕ Q
    H2 : P

  We cannot say `iDestruct ("H1" with "H2") as "#H1"` and keep `H2`.

However, there is now a type class `PositiveBI PROP`, and when there is an
instance of this type class, one gets the above reasoning principle back.

TODO: Can we describe positivity of individual propositions instead of the
whole BI? That way, we would get the above reasoning principles even when
the BI is not positive, but the propositions involved are.

Otherwise, ownership of cores in our ordered RA model will not be persistent.

Replace/remove some occurences of `persistently` into `persistent` where the property instead of the modality is used.

This way, iSplit will work when one side is persistent.

This are useful as proofmode cannot always guess in which direction
it should use ⊣⊢.

- Allow framing of persistent hypotheses below the always modality.
- Allow framing of persistent hypotheses in just one branch of a
  disjunction.

This patch was created using

  find -name *.v | xargs -L 1 awk -i inplace '{from = 0} /^From/{ from = 1; ever_from = 1} { if (from == 0 && seen == 0 && ever_from == 1) { print "Set Default Proof Using \"Type*\"."; seen = 1 } }1 '

and some minor manual editing

This fixes the following issue by JH Jourdan:

  The fact of including uPred_[...] in the module uPred (in base_logic.v),
  implies that typeclasses instances are declared twice. Once in module
  uPred and once in module uPred_[...]. This has the unfortunate
  consequence that it has to backtrack to both instances each time the
  first one fails, making failure of type class search for e.g.
  PersistentP potentially exponential.

  Goal ((□ ∀ (x1 x2 x3 x4 x5: nat), True -∗ True) -∗ True : iProp Σ).
    Time iIntros "#H".
    Undo.
    Remove Hints uPred_derived.forall_persistent : typeclass_instances.
    Time iIntros "#H".

Thanks to Jason Gross @ Coq club for suggesting this fix.

Using this new definition we can express being contractive using a
Proper. This has the following advantages:

- It makes it easier to state that a function with multiple arguments
  is contractive (in all or some arguments).
- A solve_contractive tactic can be implemented by extending the
  solve_proper tactic.