Commit 2c0f9c99 by Ralf Jung

### change STS construction: non-emptiness of the state set is now part of validity, not of closedness.

`This strengthens some lemmas that are written using the notion of closednes, shortening some proofs all the way up to barrier.v`
parent e7d1d5d0
 ... ... @@ -142,12 +142,12 @@ Lemma to_validity_valid (x : A) : ✓ to_validity x → ✓ x. Proof. intros. done. Qed. Lemma to_validity_op (x y : A) : ✓ x → ✓ y → (✓ (x ⋅ y) → x ⊥ y) → (✓ (x ⋅ y) → ✓ x ∧ ✓ y ∧ x ⊥ y) → to_validity (x ⋅ y) ≡ to_validity x ⋅ to_validity y. Proof. intros Hvalx Hvaly Hdisj. split; [split | done]. intros Hvd. split; [split | done]. - simpl. auto. - simpl. intros (_ & _ & ?). - clear Hvd. simpl. intros (? & ? & ?). auto using dra_op_valid, to_validity_valid. Qed. ... ...
This diff is collapsed.
 ... ... @@ -41,22 +41,18 @@ Module barrier_proto. sts.closed (i_states i) {[ Change i ]}. Proof. split. - apply (non_empty_inhabited(State Low {[ i ]})). rewrite !mkSet_elem_of /=. apply lookup_singleton. - move=>[p I]. rewrite /= /tok !mkSet_elem_of /= =>HI. move=>s' /elem_of_intersection. rewrite !mkSet_elem_of /=. move=>[[Htok|Htok] ? ]; subst s'; first done. destruct p; done. destruct p; set_solver. - (* If we do the destruct of the states early, and then inversion on the proof of a transition, it doesn't work - we do not obtain the equalities we need. So we destruct the states late, because this means we can use "destruct" instead of "inversion". *) move=>s1 s2. rewrite !mkSet_elem_of /==> Hs1 Hstep. (* We probably want some helper lemmas for this... *) inversion_clear Hstep as [T1 T2 Hdisj Hstep']. inversion_clear Hstep' as [? ? ? ? Htrans _ _ Htok]. destruct Htrans; last done; move:Hs1 Hdisj Htok. rewrite /= /tok /=. rewrite /= /tok /=. (* TODO: Can this be done better? *) intros. apply dec_stable. assert (Change i ∉ change_tokens I1) as HI1 by (rewrite mkSet_not_elem_of; set_solver +Hs1). ... ... @@ -74,9 +70,8 @@ Module barrier_proto. Lemma low_states_closed : sts.closed low_states {[ Send ]}. Proof. split. - apply (non_empty_inhabited(State Low ∅)). by rewrite !mkSet_elem_of /=. - move=>[p I]. rewrite /= /tok !mkSet_elem_of /= =>HI. destruct p; last done. set_solver. destruct p; set_solver. - move=>s1 s2. rewrite !mkSet_elem_of /==> Hs1 Hstep. inversion_clear Hstep as [T1 T2 Hdisj Hstep']. inversion_clear Hstep' as [? ? ? ? Htrans _ _ Htok]. ... ... @@ -101,9 +96,9 @@ Module barrier_proto. (* TODO this proof is rather annoying. *) apply elem_of_equiv=>t. rewrite !elem_of_union. rewrite !mkSet_elem_of /change_tokens /=. destruct t as [j|]; last naive_solver. destruct t as [j|]; last set_solver. rewrite elem_of_difference elem_of_singleton. destruct (decide (i = j)); naive_solver. destruct (decide (i = j)); set_solver. Qed. Lemma split_step p i i1 i2 I : ... ... @@ -115,15 +110,12 @@ Module barrier_proto. constructor; first constructor; rewrite /= /tok /=; first (destruct p; set_solver). (* This gets annoying... and I think I can see a pattern with all these proofs. Automatable? *) - apply elem_of_equiv=>t. destruct t; last set_solver. rewrite !mkSet_elem_of /change_tokens /=. rewrite !elem_of_union !elem_of_difference !elem_of_singleton. destruct p; naive_solver. rewrite !mkSet_elem_of. destruct p; set_solver. - apply elem_of_equiv=>t. destruct t as [j|]; last set_solver. rewrite !mkSet_elem_of /change_tokens /=. rewrite !elem_of_union !elem_of_difference !elem_of_singleton. destruct (decide (i1 = j)); first naive_solver. destruct (decide (i2 = j)); first naive_solver. destruct (decide (i = j)); naive_solver. rewrite !mkSet_elem_of. destruct (decide (i1 = j)); first set_solver. destruct (decide (i2 = j)); first set_solver. destruct (decide (i = j)); set_solver. Qed. End barrier_proto. ... ... @@ -145,9 +137,9 @@ Section proof. Local Hint Resolve signal_step wait_step split_step : sts. Local Hint Resolve sts.closed_op : sts. Hint Extern 50 (_ ∈ _) => set_solver : sts. Hint Extern 50 (_ ⊆ _) => set_solver : sts. Hint Extern 50 (_ ≡ _) => set_solver : sts. Hint Extern 50 (_ ∈ _) => try rewrite !mkSet_elem_of; set_solver : sts. Hint Extern 50 (_ ⊆ _) => try rewrite !mkSet_elem_of; set_solver : sts. Hint Extern 50 (_ ≡ _) => try rewrite !mkSet_elem_of; set_solver : sts. Local Notation iProp := (iPropG heap_lang Σ). ... ... @@ -293,20 +285,10 @@ Section proof. rewrite (sts_own_weaken ⊤ _ _ (i_states i ∩ low_states) _ ({[ Change i ]} ∪ {[ Send ]})). + apply pvs_mono. rewrite sts_ownS_op; eauto with sts. (* TODO the rest of this proof is rather annoying. *) + rewrite /= /tok /=. apply elem_of_equiv=>t. rewrite elem_of_difference elem_of_union. rewrite !mkSet_elem_of /change_tokens. (* TODO: destruct t; set_solver does not work. What is the best way to do on? *) destruct t as [i'|]; last by naive_solver. split. * move=>[_ Hn]. left. destruct (decide (i = i')); first by subst i. exfalso. apply Hn. left. set_solver. * move=>[[EQ]|?]; last discriminate. set_solver. + apply elem_of_intersection. rewrite !mkSet_elem_of /=. set_solver. + apply sts.closed_op; eauto with sts; []. apply (non_empty_inhabited (State Low {[ i ]})). apply elem_of_intersection. rewrite !mkSet_elem_of /=. set_solver. + rewrite /= /tok /= =>t. rewrite !mkSet_elem_of. move=>[[?]|?]; set_solver. + eauto with sts. + eauto with sts. Qed. Lemma signal_spec l P (Φ : val → iProp) : ... ... @@ -441,12 +423,7 @@ Section proof. do 2 rewrite !(assoc (★)%I) [(_ ★ sts_ownS _ _ _)%I]comm. rewrite -!assoc. rewrite [(sts_ownS _ _ _ ★ _ ★ _)%I]assoc -pvs_frame_r. apply sep_mono. * rewrite -sts_ownS_op; [|by eauto with sts..]. apply sts_own_weaken; first done. { rewrite !mkSet_elem_of /=. set_solver+. } apply sts.closed_op; [by eauto with sts..|]. apply (non_empty_inhabited (State Low ({[i1]} ∪ ({[i2]} ∪ (I ∖ {[i]}))))). rewrite !mkSet_elem_of /=. set_solver+. * rewrite -sts_ownS_op; by eauto using sts_own_weaken with sts. * rewrite {1}[heap_ctx _]always_sep_dup !assoc [(_ ★ heap_ctx _)%I]comm -!assoc. apply sep_mono_r. rewrite !assoc ![(_ ★ heap_ctx _)%I]comm -!assoc. apply sep_mono_r. rewrite {1}[sts_ctx _ _ _]always_sep_dup !assoc [(_ ★ sts_ctx _ _ _)%I]comm -!assoc. apply sep_mono_r. ... ... @@ -485,12 +462,7 @@ Section proof. do 2 rewrite !(assoc (★)%I) [(_ ★ sts_ownS _ _ _)%I]comm. rewrite -!assoc. rewrite [(sts_ownS _ _ _ ★ _ ★ _)%I]assoc -pvs_frame_r. apply sep_mono. * rewrite -sts_ownS_op; [|by eauto with sts..]. apply sts_own_weaken; first done. { rewrite !mkSet_elem_of /=. set_solver+. } apply sts.closed_op; [by eauto with sts..|]. apply (non_empty_inhabited (State High ({[i1]} ∪ ({[i2]} ∪ (I ∖ {[i]}))))). rewrite !mkSet_elem_of /=. set_solver+. * rewrite -sts_ownS_op; by eauto using sts_own_weaken with sts. * rewrite {1}[heap_ctx _]always_sep_dup !assoc [(_ ★ heap_ctx _)%I]comm -!assoc. apply sep_mono_r. rewrite !assoc ![(_ ★ heap_ctx _)%I]comm -!assoc. apply sep_mono_r. rewrite {1}[sts_ctx _ _ _]always_sep_dup !assoc [(_ ★ sts_ctx _ _ _)%I]comm -!assoc. apply sep_mono_r. ... ...
 ... ... @@ -53,23 +53,15 @@ Section sts. (* The same rule as implication does *not* hold, as could be shown using sts_frag_included. *) (* TODO: sts.closed forces the user to prove that S2 is inhabited. This is silly, we know that S1 is inhabited since we own it, and hence S2 is inhabited, too. Probably, sts.closed should really just be about closedness. I think keeping disjointnes of the token stuff in there is fine, since it does not incur any unnecessary side-conditions. Then we additionally demand for validity that S is nonempty, rather than making that part of "closed". *) Lemma sts_ownS_weaken E γ S1 S2 T1 T2 : T1 ≡ T2 → S1 ⊆ S2 → sts.closed S2 T2 → T2 ⊆ T1 → S1 ⊆ S2 → sts.closed S2 T2 → sts_ownS γ S1 T1 ⊑ (|={E}=> sts_ownS γ S2 T2). Proof. intros -> ? ?. by apply own_update, sts_update_frag. Qed. Proof. intros ? ? ?. by apply own_update, sts_update_frag. Qed. Lemma sts_own_weaken E γ s S T1 T2 : T1 ≡ T2 → s ∈ S → sts.closed S T2 → T2 ⊆ T1 → s ∈ S → sts.closed S T2 → sts_own γ s T1 ⊑ (|={E}=> sts_ownS γ S T2). Proof. intros -> ??. by apply own_update, sts_update_frag_up. Qed. Proof. intros ???. by apply own_update, sts_update_frag_up. Qed. Lemma sts_ownS_op γ S1 S2 T1 T2 : T1 ∩ T2 ⊆ ∅ → sts.closed S1 T1 → sts.closed S2 T2 → ... ... @@ -106,8 +98,9 @@ Section sts. rewrite -!assoc. apply const_elim_sep_l=> Hvalid. assert (s ∈ S) by (by eapply sts_auth_frag_valid_inv, discrete_valid). rewrite const_equiv // left_id comm sts_op_auth_frag //. (* this is horrible, but will be fixed whenever we have RAs back *) by rewrite -sts_frag_valid; eapply cmra_valid_op_r, discrete_valid. assert (✓ sts_frag S T) as Hv by by eapply cmra_valid_op_r, discrete_valid. apply (Hv 0). Qed. Lemma sts_closing E γ s T s' T' : ... ...
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!