pl/frap
1
0
Fork 0
mirror of https://github.com/achlipala/frap.git synced 2024-09-19 19:57:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Revising for this week's lectures

Browse source
This commit is contained in:
Adam Chlipala 2021-05-02 12:56:47 -04:00
parent 7e4068d5db
commit 45fa64d69e
3 changed files with 20 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
ProofByReflection.v
View file

@ -26,7 +26,7 @@ Set Asymmetric Patterns.
(* Proving that particular natural-number constants are even is certainly (* Proving that particular natural-number constants are even is certainly
* something we would rather have happen automatically. The Ltac-programming * something we would rather have happen automatically. The Ltac-programming
* techniques that we learned last week make it easy to implement such a * techniques that we learned previously make it easy to implement such a
* procedure. *) * procedure. *)
Inductive isEven : nat -> Prop := Inductive isEven : nat -> Prop :=
@ -136,7 +136,7 @@ Unset Printing All.
Theorem even_255 : isEven 255. Theorem even_255 : isEven 255.
Proof. Proof.
(*prove_even_reflective.*) Fail prove_even_reflective.
Abort. Abort.
(* Coq reports that [reflexivity] can't prove [false = true], which makes (* Coq reports that [reflexivity] can't prove [false = true], which makes
* perfect sense! *) * perfect sense! *)
@ -166,7 +166,6 @@ Print true_galore.
* to case-analyze a [Prop] in any way in Gallina. We must _reify_ [Prop] into * to case-analyze a [Prop] in any way in Gallina. We must _reify_ [Prop] into
* some type that we _can_ analyze. This inductive type is a good candidate: *) * some type that we _can_ analyze. This inductive type is a good candidate: *)
(* begin thide *)
Inductive taut : Set := Inductive taut : Set :=
| TautTrue : taut | TautTrue : taut
| TautAnd : taut -> taut -> taut | TautAnd : taut -> taut -> taut
@ -368,7 +367,7 @@ Section monoid.
(* We can make short work of theorems like this one: *) (* We can make short work of theorems like this one: *)
Theorem t1 : forall a b c d, a + b + c + d = a + (b + c) + d. Theorem t1 : forall a b c d, a + b + c + e + d = a + (b + c) + d.
Proof. Proof.
simplify; monoid. simplify; monoid.
@ -596,8 +595,8 @@ Section my_tauto.
* module of the standard library, which (unsurprisingly) presents a view of * module of the standard library, which (unsurprisingly) presents a view of
* lists as sets. *) * lists as sets. *)
(* The [eq_nat_dec] below is a richly typed equality test on [nat]s. We'll (* The [eq_nat_dec] below is a richly typed equality test on [nat]s.
* get to the ideas behind it in a later class. *) * See SubsetTypes.v for a review. *)
Definition add (s : set propvar) (v : propvar) := set_add eq_nat_dec v s. Definition add (s : set propvar) (v : propvar) := set_add eq_nat_dec v s.
(* We define what it means for all members of a variable set to represent (* We define what it means for all members of a variable set to represent

28
SharedMemory.v
View file

@ -13,8 +13,8 @@ Set Asymmetric Patterns.
Notation "m $! k" := (match m $? k with Some n => n | None => O end) (at level 30). Notation "m $! k" := (match m $? k with Some n => n | None => O end) (at level 30).
Definition heap := fmap nat nat. Definition heap := fmap nat nat.
Hint Extern 1 (_ <= _) => linear_arithmetic : core. Local Hint Extern 1 (_ <= _) => linear_arithmetic : core.
Hint Extern 1 (@eq nat _ _) => linear_arithmetic : core. Local Hint Extern 1 (@eq nat _ _) => linear_arithmetic : core.
(** * An object language with shared-memory concurrency *) (** * An object language with shared-memory concurrency *)
@ -25,7 +25,7 @@ Hint Extern 1 (@eq nat _ _) => linear_arithmetic : core.
* theoretical benefits; we'll start with the most venerable style, shared * theoretical benefits; we'll start with the most venerable style, shared
* memory. *) * memory. *)
(* We'll build on the mixed-embedding languages from the last two chapter. (* We'll build on the mixed-embedding languages from the last two chapters.
* Let's simplify the encoding by only working with commands that generate * Let's simplify the encoding by only working with commands that generate
* [nat]. *) * [nat]. *)
Inductive cmd := Inductive cmd :=
@ -95,9 +95,9 @@ Definition trsys_of (h : heap) (l : locks) (c : cmd) := {|
* technique. Recall that model checking is all about reducing a problem to a * technique. Recall that model checking is all about reducing a problem to a
* reachability question in a finite-state system. Our programs here have the * reachability question in a finite-state system. Our programs here have the
* (perhaps surprising!) property that termination is guaranteed, for any * (perhaps surprising!) property that termination is guaranteed, for any
* initial state, regardless of how the scheduler behaves. Therefore, all * initial state, regardless of how the scheduler behaves. However,
* programs of this language are finite-state and thus, in principle, amenable * counterintuitively, program execution does *not* need to be finite-state,
* to model checking! (We were careful to leave out looping constructs.) * and thus amenable to model checking, though we will stick to examples that are.
* Let's define a simple two-thread program and model-check it. *) * Let's define a simple two-thread program and model-check it. *)
(* Throughout this file, we'll only be verifying that no thread could ever reach (* Throughout this file, we'll only be verifying that no thread could ever reach
@ -204,7 +204,7 @@ Definition trsys_ofL (h : heap) (l : locks) (c : cmd) := {|
(* Now we prove some basic facts; commentary resumes before [step_runLocal]. *) (* Now we prove some basic facts; commentary resumes before [step_runLocal]. *)
Hint Constructors step stepL : core. Local Hint Constructors step stepL : core.
Lemma run_Return : forall h l r h' l' c, Lemma run_Return : forall h l r h' l' c,
step^* (h, l, Return r) (h', l', c) step^* (h, l, Return r) (h', l', c)
@ -266,7 +266,7 @@ Proof.
eauto. eauto.
Qed. Qed.
Hint Resolve StepBindRecur_star StepParRecur1_star StepParRecur2_star : core. Local Hint Resolve StepBindRecur_star StepParRecur1_star StepParRecur2_star : core.
Lemma runLocal_idem : forall c, runLocal (runLocal c) = runLocal c. Lemma runLocal_idem : forall c, runLocal (runLocal c) = runLocal c.
Proof. Proof.
@ -725,7 +725,7 @@ Proof.
first_order; eauto. first_order; eauto.
Qed. Qed.
Hint Constructors summarize : core. Local Hint Constructors summarize : core.
(* The next two lemmas show that, once a summary is accurate for a command, it (* The next two lemmas show that, once a summary is accurate for a command, it
* remains accurate throughout the whole execution lifetime of the command. *) * remains accurate throughout the whole execution lifetime of the command. *)
@ -805,7 +805,7 @@ Proof.
linear_arithmetic. linear_arithmetic.
Qed. Qed.
Hint Constructors boundRunningTime : core. Local Hint Constructors boundRunningTime : core.
(* Key property: taking a step of execution lowers the running-time bound. *) (* Key property: taking a step of execution lowers the running-time bound. *)
Lemma boundRunningTime_step : forall c n h l h' l', Lemma boundRunningTime_step : forall c n h l h' l',
@ -843,7 +843,7 @@ Qed.
(* Here we get a bit naughty and begin to depend on *classical logic*, as with (* Here we get a bit naughty and begin to depend on *classical logic*, as with
* the *law of the excluded middle*: [forall P, P \/ ~P]. You may not have * the *law of the excluded middle*: [forall P, P \/ ~P]. You may not have
* noticed that we've never applied that principle explicitly so far! *) * noticed that we've rarely applied that principle explicitly so far! *)
(* A very useful property: when a command has bounded running time, any (* A very useful property: when a command has bounded running time, any
* execution starting from that command can be *completed* to one ending in a * execution starting from that command can be *completed* to one ending in a
@ -1032,7 +1032,7 @@ Inductive stepsi : nat -> heap * locks * cmd -> heap * locks * cmd -> Prop :=
-> stepsi i st2 st3 -> stepsi i st2 st3
-> stepsi (S i) st1 st3. -> stepsi (S i) st1 st3.
Hint Constructors stepsi : core. Local Hint Constructors stepsi : core.
Theorem steps_stepsi : forall st1 st2, Theorem steps_stepsi : forall st1 st2,
step^* st1 st2 step^* st1 st2
@ -1041,7 +1041,7 @@ Proof.
induct 1; first_order; eauto. induct 1; first_order; eauto.
Qed. Qed.
Hint Constructors stepC : core. Local Hint Constructors stepC : core.
(* The next few lemmas are quite technical. Commentary resumes for (* The next few lemmas are quite technical. Commentary resumes for
* [translate_trace]. *) * [translate_trace]. *)
@ -1412,7 +1412,7 @@ Proof.
(* We computed an inexact running time. By filling in zeroes for some (* We computed an inexact running time. By filling in zeroes for some
* existential variables, we commit to a concrete bound. *) * existential variables, we commit to a concrete bound. *)
Grab Existential Variables. Unshelve.
exact 0. exact 0.
exact 0. exact 0.
exact 0. exact 0.

3
frap_book.tex
View file

@ -5013,7 +5013,7 @@ New component $l$ is a \emph{lockset}\index{lockset}, recording which locks are
$$\infer{\smallstep{(h, l, x \leftarrow c_1; c_2(x))}{(h', l', x \leftarrow c'_1; c_2(x))}}{ $$\infer{\smallstep{(h, l, x \leftarrow c_1; c_2(x))}{(h', l', x \leftarrow c'_1; c_2(x))}}{
\smallstep{(h, l, c_1)}{(h', l', c'_1)} \smallstep{(h, l, c_1)}{(h', l', c'_1)}
} }
\quad \infer{\smallstep{(h, l, x \leftarrow \mt{Return} \; v; c_2(x))}{(h, k, c_2(v))}}{}$$ \quad \infer{\smallstep{(h, l, x \leftarrow \mt{Return} \; v; c_2(x))}{(h, l, c_2(v))}}{}$$
$$\infer{\smallstep{(h, l, \mt{Read} \; a)}{(h, l, \mt{Return} \; \msel{h}{a})}}{} $$\infer{\smallstep{(h, l, \mt{Read} \; a)}{(h, l, \mt{Return} \; \msel{h}{a})}}{}
\quad \infer{\smallstep{(h, l, \mt{Write} \; a \; v)}{(\mupd{h}{a}{v}, l, \mt{Return} \; 0)}}{}$$ \quad \infer{\smallstep{(h, l, \mt{Write} \; a \; v)}{(\mupd{h}{a}{v}, l, \mt{Return} \; 0)}}{}$$
@ -5222,7 +5222,6 @@ The whole thing is wrapped up into transition systems as $\mathbb T_C(h, l, c_1,
Our proof of soundness for this reduction will depend on having some constant upper bound on program execution time. Our proof of soundness for this reduction will depend on having some constant upper bound on program execution time.
This relation computes a conservative overapproximation. This relation computes a conservative overapproximation.
$$\infer{\tof{\mt{Return} \; r}{n}}{} $$\infer{\tof{\mt{Return} \; r}{n}}{}
\quad \infer{\tof{\mt{Fail}}{n}}{} \quad \infer{\tof{\mt{Fail}}{n}}{}
\quad \infer{\tof{\mt{Read} \; a}{n+1}}{} \quad \infer{\tof{\mt{Read} \; a}{n+1}}{}