Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
Iris
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package registry
Model registry
Operate
Terraform modules
Monitor
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
William Mansky
Iris
Commits
1560da9e
Commit
1560da9e
authored
4 years ago
by
Ralf Jung
Browse files
Options
Downloads
Patches
Plain Diff
update RA docs
parent
632f92c5
Branches
Branches containing commit
Tags
Tags containing commit
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
docs/resource_algebras.md
+26
-21
26 additions, 21 deletions
docs/resource_algebras.md
with
26 additions
and
21 deletions
docs/resource_algebras.md
+
26
−
21
View file @
1560da9e
...
...
@@ -7,7 +7,8 @@ that when dealing with higher-order ghost state -- see "Camera functors" below.)
In our proofs, we always keep the
`Σ`
universally quantified to enable composition of proofs.
Each proof just assumes that some particular resource algebras are contained in that global list.
This is expressed via the
`inG Σ R`
typeclass, which roughly says that
`R ∈ Σ`
.
This is expressed via the
`inG Σ R`
typeclass, which roughly says that
`R ∈ Σ`
("
`R`
is in the
`G`
lobal list of RAs
`Σ`
-- hence the
`G`
).
Libraries typically bundle the
`inG`
they need in a
`libG`
typeclass, so they do
not have to expose to clients what exactly their resource algebras are. For
...
...
@@ -112,46 +113,50 @@ Proof. apply (heap_adequacy clientΣ)=> ?. apply client_safe. Qed.
Some Iris modules involve a form of "global state". For example, defining the
`↦`
for HeapLang involves a piece of ghost state that matches the current
physical heap. The
`gname`
of that ghost state must be picked once when the
proof starts, and then globally known everywhere. Hence
`gen_heapG`
, the type
proof starts, and then globally known everywhere. Hence
`gen_heapG
S
`
, the type
class for the generalized heap module, bundles the usual
`inG`
assumptions
together with the
`gname`
:
```
coq
Class
gen_heap
P
re
G
(
L
V
:
Type
)
(
Σ
:
gFunctors
)
`{
Countable
L
}
:=
{
gen_heap
_
pre
G_inG
:>
inG
Σ
(
authR
(
gen_heapUR
L
V
))
Class
gen_heap
Gp
re
S
(
L
V
:
Type
)
(
Σ
:
gFunctors
)
`{
Countable
L
}
:=
{
gen_heap
G
pre
S_heap
:>
ghost_mapG
Σ
L
V
;
}
.
Class
gen_heapG
(
L
V
:
Type
)
(
Σ
:
gFunctors
)
`{
Countable
L
}
:=
{
gen_heap_inG
:>
gen_heap
P
re
G
L
V
Σ
;
gen_heap_name
:
gname
Class
gen_heapG
S
(
L
V
:
Type
)
(
Σ
:
gFunctors
)
`{
Countable
L
}
:=
GenHeapGS
{
gen_heap_inG
:>
gen_heap
Gp
re
S
L
V
Σ
;
gen_heap_name
:
gname
;
}.
```
The trailing
`S`
here is for "singleton", because the idea is that only one
instance of
`gen_heapGS`
ever exists. This is important, since two instances
might have different
`gname`
s, so
`↦`
based on these two distinct instances
would be incompatible with each other.
The
`gen_heap
P
re
G
`
typeclass (without the singleton data) is relevant for
initialization, i.e., to create an instance of
`gen_heapG`
. This is happening as
The
`gen_heap
Gp
re
S
`
typeclass (without the singleton data) is relevant for
initialization, i.e., to create an instance of
`gen_heapG
S
`
. This is happening as
part of
[
`heap_adequacy`
](
iris_heap_lang/adequacy.v
)
using the
initialization lemma for
`gen_heapG`
from
initialization lemma for
`gen_heapG
S
`
from
[
`gen_heap_init`
](
iris/base_logic/lib/gen_heap.v
)
:
```
coq
Lemma
gen_heap_init
`{
gen_heap
P
re
G
L
V
Σ
}
σ
:
(|
==>
∃
_
:
gen_heapG
L
V
Σ
,
gen_heap_ctx
σ
)
%
I
.
Lemma
gen_heap_init
`{
gen_heap
Gp
re
S
L
V
Σ
}
σ
:
(|
==>
∃
_
:
gen_heapG
S
L
V
Σ
,
gen_heap_ctx
σ
)
%
I
.
```
These lemmas themselves only make assumptions the way normal modules (those
without global state) do. Just like in the normal case,
`something
P
re
G
`
type
without global state) do. Just like in the normal case,
`something
Gp
re
S
`
type
classes have an
`Instance`
showing that a
`subG`
is enough to instantiate them:
```
coq
Instance
subG_gen_heap
P
re
G
{
Σ
L
V
}
`{
Countable
L
}
:
subG
(
gen_heapΣ
L
V
)
Σ
→
gen_heap
P
re
G
L
V
Σ
.
Global
Instance
subG_gen_heap
Gp
re
S
{
Σ
L
V
}
`{
Countable
L
}
:
subG
(
gen_heapΣ
L
V
)
Σ
→
gen_heap
Gp
re
S
L
V
Σ
.
Proof
.
solve_inG
.
Qed
.
```
The initialization lemma then shows that the
`something
P
re
G
`
type class is
enough to create an instance of the main
`somethingG`
class
*
below a view
The initialization lemma then shows that the
`something
Gp
re
S
`
type class is
enough to create an instance of the main
`somethingG
S
`
class
*
below a view
shift
*
. This is written with an existential quantifier in the lemma because the
statement after the view shift (
`gen_heap_ctx σ`
in this case) depends on having
an instance of
`gen_heapG`
in the context.
an instance of
`gen_heapG
S
`
in the context.
Given that these global ghost state instances are singletons, they must be
assumed explicitly everywhere. Bundling
`heapG`
in a
module type class lik
e
`one_shotG`
would lose track of the fact that there exists just
one
`heapG`
instance that is shared by everyone.
assumed explicitly everywhere. Bundling
`heapG
S
`
in a
(non-singleton) modul
e
type class like
`one_shotG`
would lose track of the fact that there exists just
one
`heapGS`
instance that is shared by everyone.
## Advanced topic: Camera functors and higher-order ghost state
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
