Commit 05110f9f authored by Glen Mével's avatar Glen Mével

alternative proofs for time credits

parent 50f77ef7
......@@ -477,7 +477,7 @@ Section Simulation.
Qed.
(* assuming the safety of the translated expression,
* a proof that the original expression is safe. *)
* a proof that the original expression is m-safe. *)
Lemma safe_translation__safe_here m e σ :
is_closed [] e
......@@ -510,7 +510,7 @@ Section Simulation.
(* remind that « ki[v] » = «ki»[tick «v»]: *)
rewrite -> translation_fill_item_active in Hsafe ; last done.
(* we have that «ki»[tick «v»] reduces to «ki»[«v»]
* (thanks to the safety hypothesis, m 1 and tick can be run): *)
* (m 1 so tick can be run): *)
assert (
prim_exec (fill_item Ki«ki» (tick V«v»)) S«σ, m»
(fill_item Ki«ki» V«v») S«σ, m-1» []
......@@ -558,7 +558,7 @@ Section Simulation.
Qed.
(* assuming the adequacy of the translated expression,
* a proof that the original expression has adequate results. *)
* a proof that the original expression has m-adequate results. *)
From iris.program_logic Require Import adequacy.
......
......@@ -5,9 +5,9 @@ Examples.v
Misc.v
Reduction.v
Tactics.v
test.v
Simulation.v
Thunks.v
TimeCredits.v
TimeCreditsAltProofs.v
TimeReceipts.v
Translation.v
From iris.heap_lang Require Import proofmode notation adequacy.
From iris.algebra Require Import auth.
From iris.base_logic Require Import invariants.
From iris.proofmode Require Import classes.
From stdpp Require Import namespaces.
Require Import Auth_nat TimeCredits.
Local Notation γ := timeCreditHeapG_name.
Local Notation := timeCreditLoc_loc.
Lemma gen_heap_ctx_mapsto {Σ : gFunctors} {Hgen : gen_heapG loc val Σ} (σ : state) (l : loc) (v v' : val) :
σ !! l = Some v
gen_heap_ctx σ -
l v' -
v = v'⌝.
Proof.
iIntros (Hσ) "Hheap Hl".
rewrite /gen_heap_ctx /=.
unfold mapsto ; destruct mapsto_aux as [_->] ; rewrite /mapsto_def /=.
iDestruct (own_valid_2 with "Hheap Hl") as %H.
iPureIntro.
assert (CmraDiscrete (gen_heapUR loc val)) as Hdiscrete by apply _.
apply ((auth_valid_discrete_2 (H:=Hdiscrete))) in H as [H _].
apply gen_heap_singleton_included in H.
pose proof (eq_stepl Hσ H) as E. by injection E.
Qed.
Lemma spec_tctranslation__bounded {Σ} m (ψ : val Prop) e :
( `{timeCreditHeapG Σ},
TICKCTXT -
{{{ TC m }}} «e» {{{ v, RET v ; ⌜ψ v }}}
)
`{!timeCreditLoc} `{!timeCreditHeapPreG Σ} σ1 t2 σ2 (z : Z),
rtc step ([«e»], S«σ1, m») (T«t2», S«σ2, z»)
0 z.
Proof.
intros Hspec Hloc HtcPreG σ1 t2 σ2 z Hsteps.
(* apply the invariance result. *)
apply (wp_invariance Σ _ NotStuck «e» S«σ1,m» T«t2» S«σ2,z») ; simpl ; last assumption.
intros HinvG.
(* now we have to prove a WP for some state interpretation, for which
* we settle the needed invariant TICKCTXT. *)
set σ' := S«σ1».
(* allocate the heap, including cell (on which we need to keep an eye): *)
iMod (own_alloc ( to_gen_heap (<[ := #m]> σ') to_gen_heap {[ := #m]}))
as (h) "[Hh● Hℓ◯]".
{
apply auth_valid_discrete_2 ; split.
- rewrite - insert_delete ; set σ'' := delete σ'.
unfold to_gen_heap ; rewrite 2! fmap_insert fmap_empty insert_empty.
exists (to_gen_heap σ'').
rewrite (@gmap.insert_singleton_op _ _ _ _ (to_gen_heap σ'')) //.
rewrite lookup_fmap ; apply fmap_None, lookup_delete.
- apply to_gen_heap_valid.
}
(* allocate the ghost state associated with : *)
iMod (auth_nat_alloc m) as (γ) "[Hγ● Hγ◯]".
(* packing all those bits, build the heap instance necessary to use time credits: *)
destruct HtcPreG as [[HinvPreG [HgenHeapPreInG]] HinG] ; simpl ; clear HinvPreG.
pose (Build_timeCreditHeapG Σ (HeapG Σ HinvG (GenHeapG _ _ Σ _ _ HgenHeapPreInG h)) HinG _ γ)
as HtcHeapG.
(* create the invariant: *)
iAssert (|={}=> TICKCTXT)%I with "[Hℓ◯ Hγ●]" as "> #Hinv".
{
iApply inv_alloc.
iExists m.
unfold mapsto ; destruct mapsto_aux as [_ ->] ; simpl.
unfold to_gen_heap ; rewrite fmap_insert fmap_empty insert_empty.
by iFrame.
}
(* finally, use the user-given specification: *)
iModIntro. iExists gen_heap_ctx. iFrame "Hh●".
iSplitL ; first (iApply (Hspec with "Hinv Hγ◯") ; auto).
(* it remains to prove that the interpretation of the final state, along
* with the invariant, implies the inequality *)
iIntros "Hheap2".
(* open the invariant: *)
iInv timeCreditN as (m') ">[Hc Hγ●]" "InvClose".
(* derive that z = m' (that is, the relative integer is in fact a natural integer): *)
iDestruct (gen_heap_ctx_mapsto with "Hheap2 Hc") as %Eq ; first (by apply lookup_insert) ;
injection Eq as ->.
(* close the invariant (in fact, this is not required): *)
iMod ("InvClose" with "[-]") as "_" ; first by auto with iFrame.
(* conclude: *)
iMod (fupd_intro_mask' ) as "_" ; first done. iPureIntro.
lia.
Qed.
\ No newline at end of file
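Review bot: `gen_heap_ctx_mapsto`, and the invariant construction below it (`unfold mapsto ; destruct mapsto_aux as [_ ->]`), break the `mapsto` seal to reprove a fact about `gen_heap_ctx`, which couples this file to Iris internals that tend to change between releases; if the Iris version in use exports `gen_heap_valid`, the lemma body can be `iIntros (Hσ) "Hheap Hl". iDestruct (gen_heap_valid with "Hheap Hl") as %Hσ'.` followed by `iPureIntro. rewrite Hσ in Hσ'. by injection Hσ'.` with no unfolding at all. The comment before `iMod ("InvClose" with "[-]")` states that closing the invariant is not required, yet the step is kept; either delete the step or reword the comment to say why it stays (for instance, to return the mask to its original value before `fupd_intro_mask'`). `spec_tctranslation__bounded` carries no header comment stating what the result means; I would add `(* From a TC m specification of «e», any execution of the translated program starting in S«σ1, m» only reaches states S«σ2, z» with 0 ≤ z: the credit counter never becomes negative. *)` above the `Lemma`. This appears to be a whole new file, so no definition is cut at the section's edges.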