1. 31 Oct, 2018 2 commits
      Fine-grained post-conditions for forked-off threads. · ebf06f91
      Robbert Krebbers authored
      This commit extends the state interpretation with an additional parameter to
      talk about the number of forked-off threads, and a fixed postcondition for each
      forked-off thread:
      
          state_interp : Λstate → list Λobservation → nat → iProp Σ;
          fork_post : iProp Σ;
      
      This way, instead of having `True` as the post-condition of `Fork`, one can
      have any post-condition, which is then recorded in the state interpretation.
      The point of keeping track of the postconditions of forked-off threads is that
      we get an (additional) stronger adequacy theorem:
      
          Theorem wp_strong_all_adequacy Σ Λ `{invPreG Σ} s e σ1 v vs σ2 φ :
             (∀ `{Hinv : invG Σ} κs,
               (|={⊤}=> ∃
                   (stateI : state Λ → list (observation Λ) → nat → iProp Σ)
                   (fork_post : iProp Σ),
                 let _ : irisG Λ Σ := IrisG _ _ _ Hinv stateI fork_post in
                 stateI σ1 κs 0 ∗ WP e @ s; ⊤ {{ v,
                   let m := length vs in
                   stateI σ2 [] m -∗ [∗] replicate m fork_post ={⊤,∅}=∗ ⌜ φ v ⌝ }})%I) →
            rtc erased_step ([e], σ1) (of_val <$> v :: vs, σ2) →
            φ v.
      
      The difference with the ordinary adequacy theorem is that this one only applies
      once all threads have terminated. In this case, one gets back the post-conditions
      `[∗] replicate m fork_post` of all forked-off threads.
      
      In Iron we showed that we can use this mechanism to make sure that all
      resources are disposed of properly in the presence of fork-based concurrency.
      Consistently name `wp_value_inv`. · 6edc1fe3
      Robbert Krebbers authored
      We already used the following naming convention: `wp_value'` is stated in
      terms of `of_val` and `wp_value` is stated in terms of `IntoVal`. This
      commit applies this convention to `wp_value_inv` as well.
      Make `iDestruct ... as (cpat) "..."` work on `⌜φ⌝ ∧ P` and `⌜φ⌝ ∗ P`. · c5045145
      Robbert Krebbers authored
      The advantage is that we can directly use a Coq introduction pattern
      `cpat` to perform actions to the pure assertion. Before, this had
      to be done in several steps:
      
        iDestruct ... as "[Htmp ...]"; iDestruct "Htmp" as %cpat.
      
      That is, one had to introduce a temporary name.
      
      I expect this to be quite useful in various developments as many of
      e.g. our invariants are written as:
      
        ∃ x1 .. x2, ⌜ pure stuff ⌝ ∗ spatial stuff.
  18. 27 Sep, 2017 1 commit
      Fix issue #99. · 7ed067a9
      Robbert Krebbers authored
      This causes a bit of backwards incompatibility: it may now succeed with
      later stripping below unlocked/TC transparent definitions. This problem
      actually occurred for `wsat`.
  19. 26 Sep, 2017 1 commit
      Fix issue #98. · e17ac4ad
      Robbert Krebbers authored
      We used to normalize the goal, and then checked whether it was of
      a certain shape. Since `uPred_valid P` normalized to `True ⊢ P`,
      there was no way of making a distinction between the two, hence
      `True ⊢ P` was treated as `uPred_valid P`.
      
      In this commit, I use type classes to check whether the goal is of
      a certain shape. Since we declared `uPred_valid` as `Typeclasses
      Opaque`, we can now make a distinction between `True ⊢ P` and
      `uPred_valid P`.