@@ -340,33 +340,31 @@ The purpose of the adequacy statement is to show that our notion of weakest prec

There are two properties we are looking for: First of all, the postcondition should reflect actual properties of the values the program can terminate with.

Second, a proof of a weakest precondition with any postcondition should imply that the program is \emph{safe}, \ie that it does not get stuck.

To express the adequacy statement for functional correctness, we assume we are given some set $V \subseteq\Val$ of legal return values.

Furthermore, we assume that the signature $\Sig$ adds a predicate $\pred$ to the logic which reflects $V$ into the logic:

\begin{defn}[Adequacy]

A program $\expr$ in some initial state $\state$ is \emph{adequate} for a set $V \subseteq\Val$ of legal return values ($\expr, \state\vDash V$) if for all $\tpool', \state'$ such that $([\expr], \state)\tpstep^\ast(\tpool', \state')$ we have

\begin{enumerate}

\item Safety: For any $\expr' \in\tpool'$ we have that either $\expr'$ is a

Notice that this is stronger than saying that the thread pool can reduce; we actually assert that \emph{every} non-finished thread can take a step.

\item Legal return value: If $\tpool'_1$ (the main thread) is a value $\val'$, then $\val' \in V$:

\[\All\val',\tpool''. \tpool' =[\val']\dplus\tpool' \Ra\val' \in V \]

\end{enumerate}

\end{defn}

To express the adequacy statement for functional correctness, we assume that the signature $\Sig$ adds a predicate $\pred$ to the logic which reflects the set $V$ of legal return values into the logic:

The adequacy statement for safety says that our weakest preconditions imply that every expression in the thread pool either is a value, or can reduce further.

\\&( \TRUE\proves{\upd}_\mask\Exists S. S(\state) * \wpre{\expr}[\mask]{x.\;\pred(x)}) \Ra

\\&\expr, \state\vDash V

\end{align*}

Notice that this is stronger than saying that the thread pool can reduce; we actually assert that \emph{every} non-finished thread can take a step.

Notice that the state invariant $S$ used by the weakest precondition is chosen \emph{after} doing a fancy update, which allows it to depend on the names of ghost variables that are picked in that initial fancy update.

\paragraph{Hoare triples.}

It turns out that weakest precondition is actually quite convenient to work with, in particular when perfoming these proofs in Coq.