1. 31 Oct, 2018 2 commits
    • Fine-grained post-conditions for forked-off threads. · ebf06f91
      Robbert Krebbers authored
      This commit extends the state interpretation with an additional parameter to
      talk about the number of forked-off threads, and a fixed postcondition for each
      forked-off thread:
          state_interp : Λstate → list Λobservation → nat → iProp Σ;
          fork_post : iProp Σ;
      This way, instead of having `True` as the post-condition of `Fork`, one can
      have any post-condition, which is then recorded in the state interpretation.
      The point of keeping track of the postconditions of forked-off threads is that
      we get an (additional) stronger adequacy theorem:
          Theorem wp_strong_all_adequacy Σ Λ `{invPreG Σ} s e σ1 v vs σ2 φ :
             (∀ `{Hinv : invG Σ} κs,
               (|={⊤}=> ∃
                   (stateI : state Λ → list (observation Λ) → nat → iProp Σ)
                   (fork_post : iProp Σ),
                 let _ : irisG Λ Σ := IrisG _ _ _ Hinv stateI fork_post in
                 stateI σ1 κs 0 ∗ WP e @ s; ⊤ {{ v,
                   let m := length vs in
                   stateI σ2 [] m -∗ [∗] replicate m fork_post ={⊤,∅}=∗ ⌜ φ v ⌝ }})%I) →
            rtc erased_step ([e], σ1) (of_val <$> v :: vs, σ2) →
            φ v.
      The difference with the ordinary adequacy theorem is that this one only applies
      once all threads have terminated. In this case, one gets back the post-conditions
      `[∗] replicate m fork_post` of all forked-off threads.
      In Iron we showed that we can use this mechanism to make sure that all
      resources are disposed of properly in the presence of fork-based concurrency.
  2. 18 Oct, 2018 1 commit
  3. 05 Oct, 2018 3 commits
  4. 14 Jun, 2018 2 commits
  5. 24 May, 2018 1 commit
  6. 07 Dec, 2017 1 commit
  7. 26 Nov, 2017 1 commit
  8. 23 Nov, 2017 1 commit
  9. 09 Nov, 2017 3 commits
  10. 08 Nov, 2017 4 commits
  11. 25 Sep, 2017 1 commit
  12. 24 Mar, 2017 1 commit
    • Generic big operators that are no longer tied to CMRAs. · 6fbff46e
      Robbert Krebbers authored
      Instead, I have introduced a type class `Monoid` that is used by the big operators:
          Class Monoid {M : ofeT} (o : M → M → M) := {
            monoid_unit : M;
            monoid_ne : NonExpansive2 o;
            monoid_assoc : Assoc (≡) o;
            monoid_comm : Comm (≡) o;
            monoid_left_id : LeftId (≡) monoid_unit o;
            monoid_right_id : RightId (≡) monoid_unit o;
          }.
      Note that the operation is an argument because we want to have multiple monoids over
      the same type (for example, on `uPred`s we have monoids for `∗`, `∧`, and `∨`). However,
      we do bundle the unit because:
      - If we did not, the unit would appear explicitly in an implicit argument of the
        big operators, which confuses rewrite. By bundling the unit in the `Monoid` class
        it is hidden, and hence rewrite won't even see it.
      - The unit is unique.
      We could in principle have big ops over setoids instead of OFEs. However, since we do
      not have a canonical structure for bundled setoids, I did not go that way.
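      The design point above (operation as a class parameter, unit as a bundled field, several monoids on one carrier) can be shown in plain Coq without Iris. The following is an added, cut-down example written for this page, not Iris's own `Monoid` class or `big_opL`: it makes the carrier `M` an explicit parameter, uses Leibniz equality instead of the OFE equivalence `≡`, drops `monoid_ne`, and folds the operation over a list the way Iris's big operators do. The instances `nat_add_monoid` and `nat_mul_monoid` and the lemma `big_opL_app` are this example's own names.

```coq
(* Added example, not Iris code: a minimal bundled-unit Monoid class over a
   plain Type with Leibniz equality, to show why the operation is a parameter
   while the unit is a field. *)
From Coq Require Import Arith List.
Import ListNotations.

(* The operation [o] is a parameter of the class, so one carrier can have
   several monoid structures; the unit is a field, so it never shows up as an
   argument of the big operator. *)
Class Monoid (M : Type) (o : M -> M -> M) := {
  monoid_unit : M;
  monoid_assoc : forall x y z, o x (o y z) = o (o x y) z;
  monoid_comm : forall x y, o x y = o y x;
  monoid_left_id : forall x, o monoid_unit x = x;
  monoid_right_id : forall x, o x monoid_unit = x
}.

(* A big operator that is generic in the monoid. Only [o] is visible in its
   signature; the unit is obtained through the instance. *)
Fixpoint big_opL {M A : Type} (o : M -> M -> M) `{Monoid M o}
    (f : A -> M) (l : list A) {struct l} : M :=
  match l with
  | [] => @monoid_unit M o _
  | x :: l' => o (f x) (big_opL o f l')
  end.

(* The usual splitting law, proved once for every monoid. *)
Lemma big_opL_app {M A : Type} (o : M -> M -> M) `{Monoid M o}
    (f : A -> M) (l1 l2 : list A) :
  big_opL o f (l1 ++ l2) = o (big_opL o f l1) (big_opL o f l2).
Proof.
  induction l1 as [|x l1 IH]; simpl.
  - symmetry. apply monoid_left_id.
  - rewrite IH. apply monoid_assoc.
Qed.

(* Two different monoids on the same carrier [nat]; the unit differs (0 vs 1)
   but callers of [big_opL] never mention it. *)
Instance nat_add_monoid : Monoid nat Nat.add := {
  monoid_unit := 0;
  monoid_assoc := Nat.add_assoc;
  monoid_comm := Nat.add_comm;
  monoid_left_id := Nat.add_0_l;
  monoid_right_id := Nat.add_0_r
}.

Instance nat_mul_monoid : Monoid nat Nat.mul := {
  monoid_unit := 1;
  monoid_assoc := Nat.mul_assoc;
  monoid_comm := Nat.mul_comm;
  monoid_left_id := Nat.mul_1_l;
  monoid_right_id := Nat.mul_1_r
}.

(* Instance resolution picks the monoid from the operation alone. *)
Example sum_example : big_opL Nat.add (fun n => n) [2; 3; 4] = 9.
Proof. reflexivity. Qed.

Example prod_example : big_opL Nat.mul (fun n => n) [2; 3; 4] = 24.
Proof. reflexivity. Qed.
```

      Because the unit is hidden inside the instance, `rewrite big_opL_app` matches a goal mentioning only `o`, `f` and the lists, which is the `rewrite`-friendliness the commit message is after; with an unbundled unit the pattern would contain the unit as an extra implicit argument.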
  13. 15 Mar, 2017 3 commits
  14. 09 Mar, 2017 1 commit
  15. 05 Jan, 2017 1 commit
  16. 04 Jan, 2017 1 commit
  17. 03 Jan, 2017 1 commit
  18. 09 Dec, 2016 2 commits
    • move everything to subfolder theories/ · 6b8069fa
      Ralf Jung authored
    • Invariants over states in WP and get rid of heap_ctx. · fd89aa52
      Robbert Krebbers authored
      The WP construction now takes an invariant on states as a parameter
      (part of the irisG class) and no longer builds in the authoritative
      ownership of the entire state. When instantiating WP with a concrete
      language one can choose its state invariant. For example, for heap_lang
      we directly use `auth (gmap loc (frac * dec_agree val))`, and avoid
      the indirection through invariants entirely.
      As a result, we no longer have to carry `heap_ctx` around.
  19. 08 Dec, 2016 1 commit
  20. 06 Dec, 2016 1 commit
  21. 22 Nov, 2016 1 commit
  22. 03 Nov, 2016 1 commit
    • Use symbol ∗ for separating conjunction. · cc31476d
      Robbert Krebbers authored
      The old choice for ★ was arbitrary: the precedence of the ASCII asterisk *
      was fixed at a wrong level in Coq, so we had to pick another symbol. The ★ was
      a random choice from a unicode chart.
      The new symbol ∗ (as proposed by David Swasey) corresponds better to
      conventional practice and matches the symbol we use on paper.
  23. 01 Nov, 2016 3 commits
  24. 28 Oct, 2016 1 commit
  25. 25 Oct, 2016 2 commits
    • Generalize update tactics into iMod and iModIntro for modalities. · fc30ca08
      Robbert Krebbers authored
      There are now two proof mode tactics for dealing with modalities:
      - `iModIntro` : introduction of a modality
      - `iMod pm_trm as (x1 ... xn) "ipat"` : eliminate a modality
      The behavior of these tactics can be controlled by instances of the `IntroModal`
      and `ElimModal` type classes. We have declared instances for later, except-0,
      basic updates, and fancy updates. The tactic `iMod` is flexible enough that it
      can also eliminate an update around a weakest pre, and so forth.
      The corresponding introduction patterns of these tactics are `!>` and `>`.
      These tactics replace the tactics `iUpdIntro`, `iUpd` and `iTimeless`.
      Source of backwards incompatibility: the introduction pattern `!>` is used for
      introduction of arbitrary modalities. It used to introduce laters by stripping
      off a later from each hypothesis.
    • Rename rvs -> bupd (basic update), pvs -> fupd (fancy update). · 1b85d654
      Robbert Krebbers authored
      And also rename the corresponding proof mode tactics.