Simon Friis Vindum
examples
Commits
ab73c379
Commit
ab73c379
authored
Mar 25, 2020
by
Simon Friis Vindum
Advance dequeue proof when queue is nonempty
parent
62a67970
Changes
theories/logrel/F_mu_ref_conc/examples/queue/refinement.v
theories/logrel/F_mu_ref_conc/examples/queue/refinement.v
+49
7
theories/logrel/F_mu_ref_conc/examples/queue/refinement.v
View file @
ab73c379
...
...
@@ 172,7 +172,7 @@ Section Queue_refinement.
rewrite
with_lock_of_val
.
iApply
wp_pure_step_later
;
auto
.
iNext
.
asimpl
.
iApply
(
wp_bind
(
fill
[
LetInCtx
_
])).
iInv
queueN
as
(
ℓ
q
ℓ
'
xs
xs
'
)
"(>> & isMSQ & >> & Hsq & lofal & Hlink & >%)"
"Hclose"
.
iInv
queueN
as
(
ℓ
q
ℓ
'
xs
xs
ₛ
)
"(>> & isMSQ & >> & Hsq & lofal & Hlink & >%)"
"Hclose"
.
iDestruct
"isMSQ"
as
(
ℓ
sentinel
v
ℓ
hdPt
ℓ
hd
q
p
)
"(qPts & [sentinelPts sentinelPts'] & [hdPts hdPts'] & isNodeList)"
.
iApply
(
wp_load
with
"qPts"
).
iNext
.
iIntros
"qPts"
.
...
...
@@ 210,10 +210,10 @@ Section Queue_refinement.
iApply
wp_value
.
simpl
.
iApply
(
wp_load
with
"[$hdPts]"
).
iNext
.
iIntros
"hdPts"
.
simpl
.
destruct
xs
as
[
x
xs'
'
]
;
simpl
.
destruct
xs
as
[
x
xs'
]
;
simpl
.
(* xs is the empty list *)
+
assert
(
xs
'
=
[])
as
>.
{
destruct
xs
'
.
done
.
inversion
H3
.
}
+
assert
(
xs
ₛ
=
[])
as
>.
{
destruct
xs
ₛ
.
done
.
inversion
H3
.
}
simpl
.
(* FIXME: Hnodes should tell us something useful in this case. *)
(* iApply (wp_load with "[$]"). *)
...
...
@@ 228,7 +228,9 @@ Section Queue_refinement.
(* iApply wp_value. *)
admit
.
(* xs is not the empty list *)
+
iDestruct
"Hnodes"
as
(
ℓ
hd'
ℓ
tail'
)
"(hdPts' & tailPts' & Hnodes')"
.
+
destruct
xs
ₛ
as
[
x
ₛ
xs
ₛ
'
].
{
inversion
H3
.
}
iDestruct
"Hnodes"
as
(
ℓ
hd'
ℓ
tail'
)
"(hdPts' & tailPts' & Hnodes')"
.
iApply
(
wp_load
with
"[$hdPts']"
).
iNext
.
iIntros
"hdPts'"
.
simpl
.
iApply
wp_pure_step_later
;
auto
.
iNext
.
...
...
@@ 242,8 +244,48 @@ Section Queue_refinement.
iApply
wp_value
.
simpl
.
iApply
(
wp_load
with
"hdPts"
).
iNext
.
iIntros
"hdPts"
.
simpl
.
(* FIXME: Here we must open the queue invariant again. *)
admit
.
rename
ℓ
q
into
ℓ
q'
.
iInv
queueN
as
(
ℓ
q
ℓ
'
2
xs2
xs'2
)
"(>> & isMSQ & >> & Hsq & lofal & Hlink & >%)"
"Hclose"
.
(* clear. *)
iDestruct
"isMSQ"
as
(
ℓ
sentinel2
v2
ℓ
hdPt2
ℓ
hd2
q2
p2
)
"(qPts & sentinelPts' & hdPts2 & isNodeList)"
.
destruct
(
decide
(
ℓ
sentinel2
=
ℓ
sentinel
))
as
[
Hneq
]
;
subst
.
*
(* The queue still points to the same sentinel that we read earlierthe CAS succeeds *)
iApply
(
wp_cas_suc
with
"qPts"
)
;
auto
.
iNext
.
iIntros
"qPts"
.
(* We have opened the queue invariant twice. Since the queue pointer
still points to the same sentinel a lot of the existential variables
we receieved the first time around are equal to the ones we have now.
Establishing this is critical. *)
iAssert
(
⌜
v
=
v2
⌝
)%
I
as
%<.
{
iDestruct
(
mapsto_agree
with
"sentinelPts sentinelPts'"
)
as
%[=>].
done
.
}
iAssert
(
⌜ℓ
hdPt
=
ℓ
hdPt2
⌝
)%
I
as
%<.
{
iDestruct
(
mapsto_agree
with
"sentinelPts sentinelPts'"
)
as
%[=>].
done
.
}
iAssert
(
⌜ℓ
hd
=
ℓ
hd2
⌝
)%
I
as
%<.
{
iDestruct
(
mapsto_agree
with
"hdPts hdPts2"
)
as
%[=>].
done
.
}
(* xs2 is not necessarily equal to xs, but it still has xs as a
prefix. And since we know that xs is a cons xs2 must also be a cons
with the same element. *)
destruct
xs2
as
[
x2'
xs2'
]
;
simpl
.
{
iDestruct
(
mapsto_agree
with
"isNodeList hdPts'"
)
as
%[=>].
}
iDestruct
"isNodeList"
as
(
ℓ
tail
ℓ
next
)
"[hdPts'' isNodeList']"
.
iAssert
(
⌜
x
=
x2'
⌝
)%
I
as
%<.
{
iDestruct
(
mapsto_agree
with
"hdPts' hdPts''"
)
as
%[=<].
done
.
}
(* We must now reestablish the invariant. *)
iMod
(
"Hclose"
with
"[qPts lofal Hlink Hsq isNodeList']"
)
as
"_"
.
{
iNext
.
rewrite
/
invariant
.
iExists
_
,
_
,
xs'
,
xs
ₛ
'
.
iFrame
.
iSplit
;
auto
.
iSplit
;
auto
.
rewrite
/
isMSQueue
.
iExists
_
,
_
,
_
,
_
,
_
,
_
.
iFrame
.
}
*
iApply
(
wp_load
with
"qPts"
).
iNext
.
iIntros
"qPts"
.
admit
.

(* enqueue *)
iIntros
([
v1
v2
])
"!> #Hrel"
.
clear
j
K
.
...
...
