Commit f01fa68f authored by Glen Mével's avatar Glen Mével

cleaned ClockIntegers.v

parent cbbf1156
...@@ -5,152 +5,136 @@ Require Import stdpp.numbers. ...@@ -5,152 +5,136 @@ Require Import stdpp.numbers.
Open Scope Z_scope. Open Scope Z_scope.
Definition w : nat := 64. Definition w : nat := 64.
(*Definition max_uint : Z := Eval compute in 1 w.
Definition max_int : Z := Eval compute in 1 (w-1).
Definition min_int : Z := Eval compute in - max_int.*)
Definition max_int : Z := 1 (w-1). Definition max_int : Z := 1 (w-1).
Definition min_int : Z := - max_int. Definition min_int : Z := - max_int.
Definition max_uint : Z := 2 * max_int. Definition max_uint : Z := 2 * max_int.
(*
* Bare machine integers can overflow.
*)
Section machine_int. Section machine_int.
Context `{heapG Σ}. Context `{heapG Σ}.
Definition is_machine_int (n : Z) : iProp Σ := Definition is_machine_int (n : Z) : iProp Σ :=
min_int n < max_int%I. min_int n < max_int%I.
Definition machine_int_add : val := Definition machine_int_add : val :=
λ: "x" "y", λ: "x" "y",
("x" + "y" + #max_int) `rem` #max_uint - #max_int. ("x" + "y" + #max_int) `rem` #max_uint - #max_int.
Lemma machine_int_add_spec n1 n2 : (* Machine addition does not overflow when some inequality is met: *)
{{{ is_machine_int n1 is_machine_int n2 min_int n1+n2 < max_int }}} Lemma machine_int_add_spec n1 n2 :
machine_int_add #n1 #n2 {{{ is_machine_int n1 is_machine_int n2 min_int n1+n2 < max_int }}}
{{{ RET #(n1+n2) ; is_machine_int (n1+n2) }}}. machine_int_add #n1 #n2
Proof. {{{ RET #(n1+n2) ; is_machine_int (n1+n2) }}}.
iIntros (Φ) "(_ & _ & %) Post". repeat (wp_pure _). Proof.
(* boring arithmetic proof: *) iIntros (Φ) "(_ & _ & %) Post". repeat (wp_pure _).
assert ((n1 + n2 + max_int) `rem` max_uint - max_int = n1 + n2) as ->. { (* boring arithmetic proof: *)
assert ((n1 + n2 + max_int) `rem` max_uint = n1 + n2 + max_int). { assert ((n1 + n2 + max_int) `rem` max_uint - max_int = n1 + n2) as ->. {
(*assert (min_int = -max_int) by done. assert ((n1 + n2 + max_int) `rem` max_uint = n1 + n2 + max_int). {
assert (max_int + max_int = max_uint) by done.*) apply Z.rem_small. unfold min_int, max_uint in *. lia.
apply Z.rem_small. unfold min_int, max_uint in *. lia. }
lia.
} }
lia. by iApply "Post".
} Qed.
by iApply "Post".
Qed.
End machine_int. End machine_int.
Section clock_int. (*
* A clock integer (onetime integer in Clochards thesis) is a non-duplicable
* integer which supports addition.
*)
Context `{timeReceiptHeapG Σ}. Section clock_int.
Context (nmax : nat).
Context `(nmax max_int).
Definition is_clock_int (n : nat) : iProp Σ := Context `{timeReceiptHeapG Σ}.
TR n. Context (nmax : nat).
Context `(nmax max_int).
Lemma TR_weaken (n n : nat) : Definition is_clock_int (n : nat) : iProp Σ :=
(n n)%nat TR n.
TR n - TR n.
Require Import Auth_nat.
Proof. apply own_auth_nat_weaken. Qed.
Lemma TR_lt_nmax n (E : coPset) : (* Clock integers support addition, which consumes its arguments: *)
timeReceiptN E Lemma clock_int_add_spec n1 n2 :
TR_invariant nmax - TR n ={E}= TR n n < nmax%nat. TR_invariant nmax -
{{{ is_clock_int n1 is_clock_int n2 }}}
machine_int_add #n1 #n2
{{{ RET #(n1+n2) ; is_clock_int (n1+n2) }}}.
Proof. Proof.
iIntros (?) "#Inv Hγ1◯". iIntros "#Htrinv" (Φ) "!# (H1 & H2) Post".
destruct (le_lt_dec nmax n) as [ I | I ] ; last by iFrame. iAssert (TR (n1+n2)) with "[H1 H2]" as "H" ; first by (rewrite TR_plus ; iFrame).
iDestruct (TR_weaken n nmax with "Hγ1◯") as "Hγ1◯" ; first done. iDestruct (TR_lt_nmax with "Htrinv H") as ">(H & %)" ; first done.
iDestruct (TR_nmax_absurd with "Inv Hγ1◯") as ">?" ; first done. wp_apply (machine_int_add_spec n1 n2 with "[] [H Post]") .
done. {
iPureIntro. unfold min_int in *. lia.
}
{
iNext ; iIntros "%". iApply "Post". iFrame "H".
}
Qed. Qed.
Lemma clock_int_add_spec n1 n2 :
TR_invariant nmax -
{{{ is_clock_int n1 is_clock_int n2 }}}
machine_int_add #n1 #n2
{{{ RET #(n1+n2) ; is_clock_int (n1+n2) }}}.
Proof.
iIntros "#Htrinv" (Φ) "!# (H1 & H2) Post".
iAssert (TR (n1+n2)) with "[H1 H2]" as "H" ; first by (rewrite TR_plus ; iFrame).
iDestruct (TR_lt_nmax with "Htrinv H") as ">(H & %)" ; first done.
wp_apply (machine_int_add_spec n1 n2 with "[] [H Post]") .
{
iPureIntro. unfold min_int in *. lia.
}
{
iNext ; iIntros "%". iApply "Post". iFrame "H".
}
Qed.
End clock_int. End clock_int.
(*
* A snapclock integer (peano integer in Clochards thesis) is a duplicable
* integer which only supports incrementation.
*)
Section snapclock_int. Section snapclock_int.
Context `{timeReceiptHeapG Σ}. Context `{timeReceiptHeapG Σ}.
Context (nmax : nat). Context (nmax : nat).
Context `(nmax max_int). Context `(nmax max_int).
Definition is_snapclock_int (n : nat) : iProp Σ := Definition is_snapclock_int (n : nat) : iProp Σ :=
TRdup n. TRdup n.
Lemma TRdup_weaken (n n : nat) : (* Snapclock integers are persistent (in particular they are duplicable): *)
(n n)%nat Lemma snapclock_int_persistent (n : nat) :
TRdup n - TRdup n. Persistent (is_snapclock_int n).
Require Import Auth_mnat. Proof. exact _. Qed.
Proof. apply own_auth_mnat_weaken. Qed.
Lemma TRdup_lt_nmax n (E : coPset) : (* Snapclock integers support incrementation: *)
timeReceiptN E Lemma snapclock_int_incr_spec n1 :
TR_invariant nmax - TRdup n ={E}= TRdup n n < nmax%nat. TR_invariant nmax -
{{{ is_snapclock_int n1 }}}
tock #() ;; machine_int_add #n1 #1
{{{ RET #(n1+1) ; is_snapclock_int (n1+1) }}}.
Proof. Proof.
iIntros (?) "#Inv Hγ1◯". iIntros "#Htrinv" (Φ) "!# H1 Post".
destruct (le_lt_dec nmax n) as [ I | I ] ; last by iFrame. wp_apply (tock_spec_simple nmax #() with "Htrinv H1"). iIntros "(_ & H)".
iDestruct (TRdup_weaken n nmax with "Hγ1◯") as "Hγ1◯" ; first done. iDestruct (TRdup_lt_nmax with "Htrinv H") as ">(H & %)" ; first done.
iDestruct (TRdup_nmax_absurd with "Inv Hγ1◯") as ">?" ; first done. wp_seq.
done. wp_apply (machine_int_add_spec n1 1 with "[] [H Post]") .
{
iPureIntro. unfold min_int in *. lia.
}
{
iNext ; iIntros "%". iApply "Post". iFrame "H".
}
Qed. Qed.
Lemma snapclock_int_incr_spec n1 : (* Snapclock integers also support a limited form of addition: *)
TR_invariant nmax - Lemma snapclock_int_add_spec n1 n2 m :
{{{ is_snapclock_int n1 }}} TR_invariant nmax -
tock #() ;; machine_int_add #n1 #1 {{{ is_snapclock_int n1 is_snapclock_int n2
{{{ RET #(n1+1) ; is_snapclock_int (n1+1) }}}. is_snapclock_int m n1+n2 m }}}
Proof. machine_int_add #n1 #n2
iIntros "#Htrinv" (Φ) "!# H1 Post". {{{ RET #(n1+n2) ; is_snapclock_int (n1+n2) }}}.
wp_apply (tock_spec_simple nmax #() with "Htrinv H1"). iIntros "(_ & H)". Proof.
iDestruct (TRdup_lt_nmax with "Htrinv H") as ">(H & %)" ; first done. iIntros "#Htrinv" (Φ) "!# (_ & _ & Hm & %) Post".
wp_seq. iDestruct (TRdup_lt_nmax with "Htrinv Hm") as ">(Hm & %)" ; first done.
wp_apply (machine_int_add_spec n1 1 with "[] [H Post]") . iDestruct (TRdup_weaken m (n1 + n2) with "Hm") as "H" ; first lia.
{ wp_apply (machine_int_add_spec n1 n2 with "[] [H Post]") .
iPureIntro. unfold min_int in *. lia. {
} iPureIntro. unfold min_int in *. lia.
{ }
iNext ; iIntros "%". iApply "Post". iFrame "H". {
} iNext ; iIntros "%". iApply "Post". iFrame "H".
Qed. }
Qed.
Lemma snapclock_int_add_spec n1 n2 m :
TR_invariant nmax -
{{{ is_snapclock_int n1 is_snapclock_int n2
is_snapclock_int m n1+n2 m }}}
machine_int_add #n1 #n2
{{{ RET #(n1+n2) ; is_snapclock_int (n1+n2) }}}.
Proof.
iIntros "#Htrinv" (Φ) "!# (_ & _ & Hm & %) Post".
iDestruct (TRdup_lt_nmax with "Htrinv Hm") as ">(Hm & %)" ; first done.
iDestruct (TRdup_weaken m (n1 + n2) with "Hm") as "H" ; first lia.
wp_apply (machine_int_add_spec n1 n2 with "[] [H Post]") .
{
iPureIntro. unfold min_int in *. lia.
}
{
iNext ; iIntros "%". iApply "Post". iFrame "H".
}
Qed.
End snapclock_int. End snapclock_int.
\ No newline at end of file
...@@ -100,6 +100,11 @@ Section TockSpec. ...@@ -100,6 +100,11 @@ Section TockSpec.
Lemma TR_succ n : Lemma TR_succ n :
TR (S n) (TR 1 TR n)%I. TR (S n) (TR 1 TR n)%I.
Proof. by rewrite (eq_refl : S n = 1 + n)%nat TR_plus. Qed. Proof. by rewrite (eq_refl : S n = 1 + n)%nat TR_plus. Qed.
Lemma TR_weaken (n n : nat) :
(n n)%nat
TR n - TR n.
Require Import Auth_nat.
Proof. apply own_auth_nat_weaken. Qed.
Lemma TR_timeless n : Lemma TR_timeless n :
Timeless (TR n). Timeless (TR n).
...@@ -118,6 +123,11 @@ Section TockSpec. ...@@ -118,6 +123,11 @@ Section TockSpec.
Lemma TRdup_max m n : Lemma TRdup_max m n :
TRdup (m `max` n) (TRdup m TRdup n)%I. TRdup (m `max` n) (TRdup m TRdup n)%I.
Proof. by rewrite /TRdup auth_frag_op own_op. Qed. Proof. by rewrite /TRdup auth_frag_op own_op. Qed.
Lemma TRdup_weaken (n n : nat) :
(n n)%nat
TRdup n - TRdup n.
Require Import Auth_mnat.
Proof. apply own_auth_mnat_weaken. Qed.
Lemma TRdup_timeless n : Lemma TRdup_timeless n :
Timeless (TRdup n). Timeless (TRdup n).
...@@ -164,6 +174,16 @@ Section TockSpec. ...@@ -164,6 +174,16 @@ Section TockSpec.
iDestruct (own_auth_nat_le with "Hγ1● Hγ1◯") as %In'. iDestruct (own_auth_nat_le with "Hγ1● Hγ1◯") as %In'.
exfalso ; lia. exfalso ; lia.
Qed. Qed.
Lemma TR_lt_nmax n (E : coPset) :
timeReceiptN E
TR_invariant - TR n ={E}= TR n n < nmax%nat.
Proof.
iIntros (?) "#Inv Hγ1◯".
destruct (le_lt_dec nmax n) as [ I | I ] ; last by iFrame.
iDestruct (TR_weaken n nmax with "Hγ1◯") as "Hγ1◯" ; first done.
iDestruct (TR_nmax_absurd with "Inv Hγ1◯") as ">?" ; first done.
done.
Qed.
Lemma TRdup_nmax_absurd (E : coPset) : Lemma TRdup_nmax_absurd (E : coPset) :
timeReceiptN E timeReceiptN E
...@@ -174,6 +194,16 @@ Section TockSpec. ...@@ -174,6 +194,16 @@ Section TockSpec.
iDestruct (own_auth_mnat_le with "Hγ2● Hγ2◯") as %In'. iDestruct (own_auth_mnat_le with "Hγ2● Hγ2◯") as %In'.
exfalso ; lia. exfalso ; lia.
Qed. Qed.
Lemma TRdup_lt_nmax n (E : coPset) :
timeReceiptN E
TR_invariant - TRdup n ={E}= TRdup n n < nmax%nat.
Proof.
iIntros (?) "#Inv Hγ1◯".
destruct (le_lt_dec nmax n) as [ I | I ] ; last by iFrame.
iDestruct (TRdup_weaken n nmax with "Hγ1◯") as "Hγ1◯" ; first done.
iDestruct (TRdup_nmax_absurd with "Inv Hγ1◯") as ">?" ; first done.
done.
Qed.
Lemma TR_TRdup (E : coPset) n : Lemma TR_TRdup (E : coPset) n :
timeReceiptN E timeReceiptN E
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment