Require Import Vbase Varith.
Require Import Relations Classical ClassicalDescription.
Require Import List Permutation Vlistbase Vlist extralib.
Require Import c11 exps rslassn rslassnlemmas rslmodel.
Require Import rslhmap rslhmapna rslhmapa rsltriple rsltriple2.

Set Implicit Arguments.

Adequacy

The consistent executions of a closed program are given as follows.

Definition prg_sem e res acts lab sb rf mo sc mt :=
  ∃ fst lst pre post acts',
    acts = pre :: acts' ∧
    << pNIN: ¬ In pre acts' >> ∧
    << qNIN: ¬ In post acts' >> ∧
    << NEQ : pre ≠ post >> ∧
    << ESEM: exp_sem e res acts' lab sb fst lst >> ∧
    << CONS: Consistent (post :: acts) lab sb rf mo sc mt >> ∧
    << pSB1: ∀ x, ¬ sb x pre >> ∧
    << pSB2: ∀ x, sb pre x → x = fst >> ∧
    << pSB : unique (sb ^~ fst) pre >> ∧ << pL : lab pre = Askip >> ∧
    << qSB : unique (sb lst) post >> ∧ << qL : lab post = Askip >>.

Adequacy states that all consistent executions of closed programs, e, satisfying the triple {Atrue} e {y. QQ y}, are memory safe and race free. Moreover, the programs never read from uninitialized locations, and their return value satisfies the post-condition.

Theorem adequacy :
  ∀ mt e QQ (T: triple mt Atrue e QQ) reso acts lab sb rf mo sc
    (SEM : prg_sem e reso acts lab sb rf mo sc mt),
    mem_safe acts lab sb rf mo ∧
    race_free acts lab sb rf mo ∧
    initialized_reads acts lab rf ∧
    (∀ res, reso = Some res → ∃ h, assn_sem (QQ res) h ).

Soundness of the proof rules

We now proceed with the proofs of the various RSL proof rules. For conciseness, all the internal lemmas used in these proofs are in rslmodel.v.

Frame

Theorem rule_frame :
∀ mt P E QQ (T: triple mt P E QQ) F,
triple mt (Astar P F) E (fun y ⇒ Astar (QQ y) F).

Consequence

Theorem rule_conseq :
  ∀ mt P E QQ (T: triple mt P E QQ)
            P' (PI: implies P' P)
            QQ' (QI: ∀ y, implies (QQ y) (QQ' y)),
    triple mt P' E QQ'.

Disjunction

Theorem rule_disj :
  ∀ mt P1 E QQ (T1: triple mt P1 E QQ)
            P2 (T2: triple mt P2 E QQ),
    triple mt (Adisj P1 P2) E QQ.

Existential quantification

Theorem rule_exists :
∀ mt PP E QQ (T: ∀ x, triple mt (PP x) E QQ),
triple mt (Aexists PP) E QQ.

Values

Theorem rule_value mt v QQ :
triple mt (QQ v) (Evalue v) QQ.

Sequential composition (let)

Theorem rule_let :
  ∀ mt P e QQ (T1: triple mt P e QQ)
         RR e' (T2: ∀ x, triple mt (QQ x) (e' x) RR),
    triple mt P (Elet e e') RR.

Parallel composition

Theorem rule_par :
  ∀ mt P1 e1 QQ1 (T1: triple mt P1 e1 QQ1)
         P2 e2 Q2 (T2: triple mt P2 e2 (fun x ⇒ Q2)),
    triple mt (Astar P1 P2) (Epar e1 e2) (fun x ⇒ Astar (QQ1 x) Q2).

Loops

Theorem rule_repeat :
∀ mt P e QQ (T: triple mt P e QQ) (IMP: implies (QQ 0) P),
triple mt P (Erepeat e) (fun x ⇒ if x == 0 then Afalse else QQ x).

Non-atomic allocations

Theorem rule_alloc_na mt :
triple mt (Aemp) (Ealloc) (fun x ⇒ Aptu x).

Non-atomic stores

Note that besides non-atomic stores, we can also use release and SC atomic stores as these are stronger than the non-atomic ones.

Theorem rule_store_na1 :
  ∀ mt typ E E' E'' (TYP: with_mt mt (typ ≠ ATrlx ∧ typ ≠ ATacq) True),
  triple mt (Apt E E') (Estore typ E E'') (fun x ⇒ Apt E E'').

Theorem rule_store_na2 :
  ∀ mt typ E E'' (TYP: with_mt mt (typ ≠ ATrlx ∧ typ ≠ ATacq) True),
  triple mt (Aptu E) (Estore typ E E'') (fun x ⇒ Apt E E'').

Non-atomic loads

Due to the causality cycle problem, in the standard model relaxed and non-atomic reads are incomparable: this is why we cannot use a relaxed reads in this rule.

Theorem rule_load_na :
  ∀ mt typ E E' (TYP: with_mt mt (typ ≠ ATrlx ∧ typ ≠ ATrel) True),
  triple mt (Apt E E') (Eload typ E)
            (fun x ⇒ if x == E' then Apt E E' else Afalse).

Atomic allocations

Theorem rule_alloc_atom_acq mt QQ :
triple mt (Aemp) (Ealloc) (fun x ⇒ Astar (Arel x QQ) (Aacq x QQ)).

Theorem rule_alloc_atom_rmwacq mt QQ :
triple mt (Aemp) (Ealloc) (fun x ⇒ Astar (Arel x QQ) (Armwacq x QQ)).

Release stores

Definition release_typ typ := typ = ATrel ∨ typ = ATsc.

Theorem rule_store_rel mt typ E E' P (TYP : release_typ typ) :
  triple mt (Astar (Arel E (mupd (fun _ ⇒ Afalse) E' P)) P)
         (Estore typ E E')
         (fun _ ⇒ Arainit E).

Relaxed stores

We do not allow any relaxed stores in the standard model because of the causality cycle problem. The following rule is applicable only to relaxed stores in Model_hb_rf_acyclic.

Theorem rule_store_rlx E E' :
  triple Model_hb_rf_acyclic
         (Arel E (mupd (fun _ ⇒ Afalse) E' Aemp))
         (Estore ATrlx E E')
         (fun _ ⇒ Arainit E).

Relaxed loads

We have two rules for relaxed loads. First, we have a very weak rule that asserts nothing about the value that was read.

Theorem rule_load_rlx mt E :
  triple mt
         (Arainit E)
         (Eload ATrlx E)
         (fun _ ⇒ Arainit E).

Second, we have a stronger rule asserting that the value read was once written. Note that this stronger rule is valid only in Model_hb_rf_acyclic.

Theorem rule_load_rlx2 E QQ :
  triple Model_hb_rf_acyclic
         (Astar (Aacq E QQ) (Arainit E))
         (Eload ATrlx E)
         (fun v ⇒ if (excluded_middle_informative (∃ h, assn_sem (QQ v) h)) then
                     Astar (Aacq E QQ) (Arainit E)
                   else Afalse).

Acquire loads

Definition acquire_typ typ := typ = ATacq ∨ typ = ATsc.

Theorem rule_load_acq mt typ E QQ (PREC: ∀ v, precise (QQ v))
   (TYP : acquire_typ typ) :
  triple mt
         (Astar (Aacq E QQ) (Arainit E))
         (Eload typ E)
         (fun v ⇒ Astar (Aacq E (hupd QQ v Aemp)) (Astar (Arainit E) (QQ v))).

Atomic RMWs: Compare and swap

Theorem rule_cas :
  ∀ mt P typ1 typ2 E E' E'' RR QQ QQ'
    (NA: typ1 ≠ ATna)
    (NOT0: typ1 = ATrlx ∨ typ1 = ATrel ∨ typ1 = ATacq →
           mt = Model_hb_rf_acyclic)
    (NOT1: typ1 = ATrlx ∨ typ1 = ATrel → QQ E' = Aemp)
    (NOT2: typ1 = ATrlx ∨ typ1 = ATacq → QQ' E'' = Aemp)
    (IMP1: implies P (Astar (Astar (Armwacq E QQ) (Arainit E)) Atrue))
    (IMP2: implies (Astar (QQ E') P)
                   (Astar (Astar (Arel E QQ') (QQ' E'')) (RR E')))
    (T2: triple mt P (Eload typ2 E) (fun x ⇒ if x == E' then Atrue else RR x)),
  triple mt P (Ecas typ1 typ2 E E' E'') RR.

This page has been generated by coqdoc Imprint | Data protection