Library zoo_saturn.inf_ws_deque_1
From zoo Require Import
prelude.
From zoo.common Require Import
countable
function
relations.
From zoo.iris.base_logic Require Import
lib.excl
lib.twins
lib.auth_twins
lib.auth_nat_max
lib.mono_list.
From zoo.language Require Import
notations.
From zoo.program_logic Require Import
identifier
prophet_identifier
prophet_multi.
From zoo.diaframe Require Import
diaframe.
From zoo_std Require Import
domain
inf_array
option.
From zoo_saturn Require Export
base
inf_ws_deque_1__code.
From zoo_saturn Require Import
inf_ws_deque_1__types.
From zoo Require Import
options.
Implicit Types front back : nat.
Implicit Types id : prophet_id.
Implicit Types v : val.
Implicit Types vs ws hist lhist : list val.
Implicit Types priv : nat → val.
Implicit Types past prophs : list prophet_identifier.(prophet_typed_type).
Implicit Types pasts prophss : nat → list prophet_identifier.(prophet_typed_type).
Variant state :=
| Empty
| Nonempty
| Emptyish
| Superempty.
Implicit Types state : state.
#[local] Instance state_inhabited : Inhabited state :=
populate Empty.
Variant stability :=
| Stable
| Unstable.
Implicit Types stable : stability.
#[local] Instance stability_inhabited : Inhabited stability :=
populate Stable.
Class InfWsDeque1G Σ `{zoo_G : !ZooG Σ} :=
{ #[local] inf_ws_deque_1_G_inf_array_G :: InfArrayG Σ
; #[local] inf_ws_deque_1_G_prophet_G :: ProphetMultiG Σ prophet_identifier
; #[local] inf_ws_deque_1_G_model_G :: AuthTwinsG Σ (leibnizO (list val)) suffix
; #[local] inf_ws_deque_1_G_owner_G :: TwinsG Σ (leibnizO (stability × nat × (nat → val)))
; #[local] inf_ws_deque_1_G_front_G :: AuthNatMaxG Σ
; #[local] inf_ws_deque_1_G_history_G :: MonoListG Σ val
; #[local] inf_ws_deque_1_G_winner_G :: TwinsG Σ (natO × ▶ ∙)
}.
Definition inf_ws_deque_1_Σ :=
#[inf_array_Σ
; prophet_multi_Σ prophet_identifier
; auth_twins_Σ (leibnizO (list val)) suffix
; twins_Σ (leibnizO (stability × nat × (nat → val)))
; auth_nat_max_Σ
; mono_list_Σ val
; twins_Σ (natO × ▶ ∙)
].
#[global] Instance subG_inf_ws_deque_1_Σ Σ `{zoo_G : !ZooG Σ} :
subG inf_ws_deque_1_Σ Σ →
InfWsDeque1G Σ .
Module base.
Section inf_ws_deque_1_G.
Context `{inf_ws_deque_1_G : InfWsDeque1G Σ}.
Implicit Types t : location.
Implicit Types P : iProp Σ.
Record inf_ws_deque_1_name :=
{ inf_ws_deque_1_name_data : val
; inf_ws_deque_1_name_inv : namespace
; inf_ws_deque_1_name_prophet : prophet_id
; inf_ws_deque_1_name_prophet_name : prophet_multi_name
; inf_ws_deque_1_name_model : auth_twins_name
; inf_ws_deque_1_name_owner : gname
; inf_ws_deque_1_name_front : gname
; inf_ws_deque_1_name_history : gname
; inf_ws_deque_1_name_winner : gname
}.
Implicit Types γ : inf_ws_deque_1_name.
#[global] Instance inf_ws_deque_1_name_eq_dec : EqDecision inf_ws_deque_1_name :=
ltac:(solve_decision).
#[global] Instance inf_ws_deque_1_name_countable :
Countable inf_ws_deque_1_name.
#[local] Definition model₁' γ_model vs :=
auth_twins_twin1 _ γ_model vs.
#[local] Definition model₁ γ :=
model₁' γ.(inf_ws_deque_1_name_model).
#[local] Definition model₂' γ_model vs :=
auth_twins_twin2 _ γ_model vs.
#[local] Definition model₂ γ :=
model₂' γ.(inf_ws_deque_1_name_model).
#[local] Definition owner₁' γ_owner γ_model stable back priv ws : iProp Σ :=
twins_twin1 (twins_G := inf_ws_deque_1_G_owner_G) γ_owner (DfracOwn 1) (stable, back, priv) ∗
auth_twins_auth _ γ_model ws.
#[local] Definition owner₁ γ :=
owner₁' γ.(inf_ws_deque_1_name_owner) γ.(inf_ws_deque_1_name_model).
#[local] Instance : CustomIpat "owner₁" :=
" ( Howner₁{_{}} & Hmodel_auth{_{}} ) ".
#[local] Definition owner₂' γ_owner stable back priv :=
twins_twin2 (twins_G := inf_ws_deque_1_G_owner_G) γ_owner (stable, back, priv).
#[local] Definition owner₂ γ :=
owner₂' γ.(inf_ws_deque_1_name_owner).
#[local] Definition front_auth' γ_front :=
auth_nat_max_auth γ_front (DfracOwn 1).
#[local] Definition front_auth γ :=
front_auth' γ.(inf_ws_deque_1_name_front).
#[local] Definition front_lb γ :=
auth_nat_max_lb γ.(inf_ws_deque_1_name_front).
#[local] Definition history_auth' γ_history :=
mono_list_auth γ_history (DfracOwn 1).
#[local] Definition history_auth γ :=
history_auth' γ.(inf_ws_deque_1_name_history).
#[local] Definition history_at γ :=
mono_list_at γ.(inf_ws_deque_1_name_history).
#[local] Definition winner_pop' γ_winner front P : iProp Σ :=
twins_twin1 γ_winner (DfracOwn 1) (front, Next P).
#[local] Definition winner_pop γ :=
winner_pop' γ.(inf_ws_deque_1_name_winner).
#[local] Definition winner_steal' γ_winner front P :=
twins_twin2 γ_winner (front, Next P).
#[local] Definition winner_steal γ :=
winner_steal' γ.(inf_ws_deque_1_name_winner).
#[local] Definition winner γ : iProp Σ :=
∃ front P1 P2,
winner_pop γ front P1 ∗
winner_steal γ front P2.
#[local] Instance : CustomIpat "winner" :=
" ( %front_winner & %P_winner_1 & %P_winner_2 & Hwinner_pop{_{}} & Hwinner_steal{_{}} ) ".
#[local] Definition winner_au γ front P : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(inf_ws_deque_1_name_inv), ∅ <{
∀∀ v vs',
⌜vs = v :: vs'⌝ ∗
model₁ γ vs' ∗
history_at γ front v
, COMM
P
}>.
#[local] Definition winner_pending_1 γ front P id : iProp Σ :=
winner_steal γ front P ∗
identifier_model' id ∗
winner_au γ front P.
#[local] Instance : CustomIpat "winner_pending_1" :=
" ( Hwinner_steal{_{!}} & Hid{_{!}} & HP ) ".
#[local] Definition winner_pending_2 γ front id : iProp Σ :=
∃ P,
winner_pending_1 γ front P id.
#[local] Instance : CustomIpat "winner_pending_2" :=
" ( %P{} & (:winner_pending_1) ) ".
#[local] Definition winner_linearized γ front P : iProp Σ :=
winner_steal γ front P ∗
P.
#[local] Instance : CustomIpat "winner_linearized" :=
" ( Hwinner_steal{_{!}} & HP ) ".
#[local] Definition inv_state_empty γ stable front back hist lhist : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_empty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_nonempty γ stable front back hist lhist vs prophs : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜lhist = hist ++ take 1 vs⌝ ∗
⌜length hist = front⌝ ∗
( winner γ
∨ match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_2 γ front id
end
).
#[local] Instance : CustomIpat "inv_state_nonempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_nonempty_steal γ state stable front back hist lhist vs prophs P : iProp Σ :=
⌜state = Nonempty⌝ ∗
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜lhist = hist ++ take 1 vs⌝ ∗
⌜length hist = front⌝ ∗
match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_1 γ front P id
end.
#[local] Instance : CustomIpat "inv_state_nonempty_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}-> & {>;}%Hhist{} & (:winner_pending_1) ) ".
#[local] Definition inv_state_emptyish γ stable front back hist lhist : iProp Σ :=
∃ P,
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = S front⌝ ∗
( winner_pop γ front P
∨ winner_linearized γ front P
).
#[local] Instance : CustomIpat "inv_state_emptyish" :=
" ( %P_ & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_emptyish_pop γ state stable front back hist lhist P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = S front⌝ ∗
winner_pop γ front P.
#[local] Instance : CustomIpat "inv_state_emptyish_pop" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner_pop ) ".
#[local] Definition inv_state_emptyish_steal γ state stable front back hist lhist P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = S front⌝ ∗
winner_linearized γ front P.
#[local] Instance : CustomIpat "inv_state_emptyish_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & (:winner_linearized) ) ".
#[local] Definition inv_state_superempty γ stable front back hist lhist : iProp Σ :=
⌜stable = Unstable⌝ ∗
⌜front = S back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_superempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state γ state stable front back hist lhist vs prophs : iProp Σ :=
match state with
| Empty ⇒
inv_state_empty γ stable front back hist lhist
| Nonempty ⇒
inv_state_nonempty γ stable front back hist lhist vs prophs
| Emptyish ⇒
inv_state_emptyish γ stable front back hist lhist
| Superempty ⇒
inv_state_superempty γ stable front back hist lhist
end.
#[local] Definition inv_inner t γ : iProp Σ :=
∃ state stable front back hist lhist vs priv pasts prophss,
t.[front] ↦ #front ∗
t.[back] ↦ #back ∗
owner₂ γ stable back priv ∗
front_auth γ front ∗
⌜0 < front⌝ ∗
model₂ γ vs ∗
⌜length vs = back - front⌝ ∗
inf_array_model' γ.(inf_ws_deque_1_name_data) (hist ++ vs) priv ∗
history_auth γ lhist ∗
prophet_multi_model prophet_identifier γ.(inf_ws_deque_1_name_prophet) γ.(inf_ws_deque_1_name_prophet_name) pasts prophss ∗
⌜∀ i, front ≤ i → pasts i = []⌝ ∗
inv_state γ state stable front back hist lhist vs (prophss front).
#[local] Instance : CustomIpat "inv_inner" :=
" ( %state{} & %stable{} & %front{} & %back{} & %hist{} & %lhist{} & %vs{} & %priv{} & %pasts{} & %prophss{} & >Ht_front & >Ht_back & >Howner₂ & >Hfront_auth & >%Hfront{} & >Hmodel₂ & >%Hvs{} & >Hdata_model & >Hhistory_auth & >Hprophet_model & >%Hpasts{} & Hstate ) ".
#[local] Definition inv' t γ : iProp Σ :=
t.[data] ↦□ γ.(inf_ws_deque_1_name_data) ∗
t.[proph] ↦□ #γ.(inf_ws_deque_1_name_prophet) ∗
inf_array_inv γ.(inf_ws_deque_1_name_data) ∗
inv γ.(inf_ws_deque_1_name_inv) (inv_inner t γ).
#[local] Instance : CustomIpat "inv'" :=
" ( #Ht_data & #Ht_proph & #Hdata_inv & #Hinv ) ".
Definition inf_ws_deque_1_inv t γ ι : iProp Σ :=
⌜ι = γ.(inf_ws_deque_1_name_inv)⌝ ∗
inv' t γ.
#[local] Instance : CustomIpat "inv" :=
" ( -> & (:inv') ) ".
Definition inf_ws_deque_1_model :=
model₁.
#[local] Instance : CustomIpat "model" :=
" Hmodel₁{_{}} ".
Definition inf_ws_deque_1_owner γ ws : iProp Σ :=
∃ back priv,
owner₁ γ Stable back priv ws.
#[local] Instance : CustomIpat "owner" :=
" ( %back{} & %priv{} & Howner₁{_{}} ) ".
#[global] Instance inf_ws_deque_1_model_timeless γ vs :
Timeless (inf_ws_deque_1_model γ vs).
#[global] Instance inf_ws_deque_1_owner_timeless γ ws :
Timeless (inf_ws_deque_1_owner γ ws).
#[global] Instance inf_ws_deque_1_inv_persistent t γ ι :
Persistent (inf_ws_deque_1_inv t γ ι).
#[local] Lemma model_owner_alloc :
⊢ |==>
∃ γ_model γ_owner,
model₁' γ_model [] ∗
model₂' γ_model [] ∗
owner₁' γ_owner γ_model Stable 1 (λ _, ()%V) [] ∗
owner₂' γ_owner Stable 1 (λ _, ()%V).
#[local] Lemma model₁_valid γ stable back priv ws vs :
owner₁ γ stable back priv ws -∗
model₁ γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma model₁_exclusive γ vs1 vs2 :
model₁ γ vs1 -∗
model₁ γ vs2 -∗
False.
#[local] Lemma model_agree γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 = vs2⌝.
#[local] Lemma model_owner₁_agree γ stable back priv ws vs1 vs2 :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 `suffix_of` ws⌝ ∗
⌜vs1 = vs2⌝.
#[local] Lemma model_empty {γ stable back priv ws vs1 vs2} :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv [] ∗
model₁ γ [] ∗
model₂ γ [].
#[local] Lemma model_push {γ stable back priv ws vs1 vs2} v :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv (vs1 ++ [v]) ∗
model₁ γ (vs1 ++ [v]) ∗
model₂ γ (vs1 ++ [v]).
#[local] Lemma model_steal γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
model₁ γ (tail vs1) ∗
model₂ γ (tail vs1).
#[local] Lemma model_pop γ stable back priv ws vs1 vs2 :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv (removelast vs1) ∗
model₁ γ (removelast vs1) ∗
model₂ γ (removelast vs1).
#[local] Lemma model_pop' γ stable back priv ws vs1 v vs2 :
owner₁ γ stable back priv ws -∗
model₁ γ (vs1 ++ [v]) -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv vs1 ∗
model₁ γ vs1 ∗
model₂ γ vs1.
#[local] Lemma owner₁_exclusive γ stable1 back1 priv1 ws1 stable2 back2 priv2 ws2 :
owner₁ γ stable1 back1 priv1 ws1 -∗
owner₁ γ stable2 back2 priv2 ws2 -∗
False.
#[local] Lemma owner_agree γ stable1 back1 priv1 ws stable2 back2 priv2 :
owner₁ γ stable1 back1 priv1 ws -∗
owner₂ γ stable2 back2 priv2 -∗
⌜stable1 = stable2⌝ ∗
⌜back1 = back2⌝ ∗
⌜priv1 = priv2⌝.
#[local] Lemma owner₁_update γ stable back priv ws vs :
owner₁ γ stable back priv ws -∗
model₁ γ vs -∗
model₂ γ vs ==∗
owner₁ γ stable back priv vs ∗
model₁ γ vs ∗
model₂ γ vs.
#[local] Lemma owner_update {γ stable1 back1 priv1 ws stable2 back2 priv2} stable back priv :
owner₁ γ stable1 back1 priv1 ws -∗
owner₂ γ stable2 back2 priv2 ==∗
owner₁ γ stable back priv ws ∗
owner₂ γ stable back priv.
#[local] Lemma front_alloc :
⊢ |==>
∃ γ_front,
front_auth' γ_front 1.
#[local] Lemma front_lb_get γ front :
front_auth γ front ⊢
front_lb γ front.
#[local] Lemma front_lb_le {γ front} front' :
front' ≤ front →
front_lb γ front ⊢
front_lb γ front'.
#[local] Lemma front_lb_valid γ front1 front2 :
front_auth γ front1 -∗
front_lb γ front2 -∗
⌜front2 ≤ front1⌝.
#[local] Lemma front_update γ front :
front_auth γ front ⊢ |==>
front_auth γ (S front).
#[local] Lemma history_alloc :
⊢ |==>
∃ γ_hist,
history_auth' γ_hist [()%V].
#[local] Lemma history_at_get {γ hist v} i :
i = length hist →
history_auth γ (hist ++ [v]) ⊢
history_at γ i v.
#[local] Lemma history_at_lookup γ hist i v :
history_auth γ hist -∗
history_at γ i v -∗
⌜hist !! i = Some v⌝.
#[local] Lemma history_at_agree γ i v1 v2 :
history_at γ i v1 -∗
history_at γ i v2 -∗
⌜v1 = v2⌝.
#[local] Lemma history_update {γ hist} i v :
i = length hist →
history_auth γ hist ⊢ |==>
history_auth γ (hist ++ [v]) ∗
history_at γ i v.
#[local] Lemma winner_alloc :
⊢ |==>
∃ γ_winner,
winner_pop' γ_winner 1 True ∗
winner_steal' γ_winner 1 True.
#[local] Lemma winner_pop_exclusive γ front1 P1 front2 P2 :
winner_pop γ front1 P1 -∗
winner_pop γ front2 P2 -∗
False.
#[local] Lemma winner_pop_exclusive' γ front P :
winner_pop γ front P -∗
winner γ -∗
False.
#[local] Lemma winner_steal_exclusive γ front1 P1 front2 P2 :
winner_steal γ front1 P1 -∗
winner_steal γ front2 P2 -∗
False.
#[local] Lemma winner_steal_exclusive' γ front P :
winner_steal γ front P -∗
winner γ -∗
False.
#[local] Lemma winner_agree γ front1 P1 front2 P2 :
winner_pop γ front1 P1 -∗
winner_steal γ front2 P2 -∗
⌜front1 = front2⌝ ∗
▷ (P1 ≡ P2).
#[local] Lemma winner_update {γ front1 P1 front2 P2} front P :
winner_pop γ front1 P1 -∗
winner_steal γ front2 P2 ==∗
winner_pop γ front P ∗
winner_steal γ front P.
Opaque owner₁'.
Lemma inf_ws_deque_1_model_exclusive γ vs1 vs2 :
inf_ws_deque_1_model γ vs1 -∗
inf_ws_deque_1_model γ vs2 -∗
False.
Lemma inf_ws_deque_1_owner_exclusive γ ws1 ws2 :
inf_ws_deque_1_owner γ ws1 -∗
inf_ws_deque_1_owner γ ws2 -∗
False.
Lemma inf_ws_deque_1_owner_model γ ws vs :
inf_ws_deque_1_owner γ ws -∗
inf_ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma inv_state_Stable γ state front back hist lhist vs prophs :
length vs = back - front →
inv_state γ state Stable front back hist lhist vs prophs ⊢
⌜state = Empty ∨ state = Nonempty⌝ ∗
⌜front ≤ back⌝ ∗
⌜length (hist ++ vs) = back⌝.
#[local] Lemma inv_state_Unstable γ state front back hist lhist vs prophs :
inv_state γ state Unstable front back hist lhist vs prophs ⊢
⌜state = Emptyish ∨ state = Superempty⌝ ∗
⌜front = back ∨ front = S back⌝.
#[local] Lemma inv_state_Nonempty γ state stable front back hist lhist vs prophs :
front < back →
inv_state γ state stable front back hist lhist vs prophs ⊢
⌜state = Nonempty⌝.
#[local] Lemma inv_state_Superempty γ state front back hist lhist vs prophs :
back < front →
inv_state γ state Unstable front back hist lhist vs prophs -∗
⌜state = Superempty⌝.
#[local] Lemma inv_state_winner_pop γ state stable front1 back hist lhist vs prophs front2 P :
inv_state γ state stable front1 back hist lhist vs prophs -∗
winner_pop γ front2 P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P ≡ P_) ∗
( inv_state_nonempty_steal γ state stable front2 back hist lhist vs prophs P_
∨ inv_state_emptyish_steal γ state stable front2 back hist lhist P_
) ∗
winner_pop γ front2 P.
#[local] Lemma inv_state_winner_steal γ state stable front1 back hist lhist vs prophs front2 P :
inv_state γ state stable front1 back hist lhist vs prophs -∗
winner_steal γ front2 P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P_ ≡ P) ∗
inv_state_emptyish_pop γ state stable front2 back hist lhist P_ ∗
winner_steal γ front2 P.
Lemma inf_ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
inf_ws_deque_1٠create ()
{{{
t γ
, RET #t;
meta_token t ⊤ ∗
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_model γ [] ∗
inf_ws_deque_1_owner γ []
}}}.
#[local] Lemma front𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{front}
{{{
front
, RET #front;
front_lb γ front
}}}.
#[local] Lemma front𑁒spec_owner_Stable t γ back priv ws :
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Stable back priv ws ∗
front_lb γ front ∗
⌜front ≤ back⌝
}}}.
#[local] Lemma front𑁒spec_owner_Unstable t γ back priv ws :
{{{
inv' t γ ∗
owner₁ γ Unstable back priv ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Unstable back priv ws ∗
front_lb γ front ∗
⌜front = back ∨ front = S back⌝
}}}.
#[local] Lemma front𑁒spec_Superempty t γ back priv ws front :
back < front →
{{{
inv' t γ ∗
owner₁ γ Unstable back priv ws ∗
front_lb γ front
}}}
(#t).{front}
{{{
RET #front;
owner₁ γ Unstable back priv ws
}}}.
#[local] Lemma front𑁒spec_winner_steal t γ front P :
{{{
inv' t γ ∗
winner_steal γ front P
}}}
(#t).{front}
{{{
RET #front;
winner_steal γ front P
}}}.
#[local] Lemma back𑁒spec t γ stable back priv ws :
{{{
inv' t γ ∗
owner₁ γ stable back priv ws
}}}
(#t).{back}
{{{
RET #back;
owner₁ γ stable back priv ws
}}}.
#[local] Lemma set_back𑁒spec_Superempty t γ back priv ws front (back' : Z) :
back < front →
back' = S back →
{{{
inv' t γ ∗
owner₁ γ Unstable back priv ws ∗
front_lb γ front
}}}
#t <-{back} #back'
{{{
RET ();
owner₁ γ Stable (S back) priv ws
}}}.
#[local] Lemma inf_array٠get𑁒spec_history t γ (i : nat) (i_ : Z) v :
i_ = i →
{{{
inv' t γ ∗
history_at γ i v
}}}
inf_array٠get γ.(inf_ws_deque_1_name_data) #i_
{{{
RET v;
True
}}}.
#[local] Lemma inf_array٠get𑁒spec_owner t γ back (back_ : Z) priv ws v :
back_ = back →
priv 0 = v →
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws
}}}
inf_array٠get γ.(inf_ws_deque_1_name_data) #back_
{{{
RET v;
owner₁ γ Stable back priv ws
}}}.
#[local] Lemma inf_array٠set𑁒spec_owner t γ back priv ws v :
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws
}}}
inf_array٠set γ.(inf_ws_deque_1_name_data) #back v
{{{
RET ();
owner₁ γ Stable back (<[0 := v]> priv) ws
}}}.
#[local] Lemma resolve𑁒spec_loser_1 t γ front1 front2 id :
front1 < front2 →
{{{
inv' t γ ∗
front_lb γ front2
}}}
Resolve (CAS (#t).[front]%V #front1 #(front1 + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front1, #id)%V
{{{
RET false;
True
}}}.
#[local] Lemma resolve𑁒spec_loser_2 t γ front id prophs0 :
head prophs0 ≠ Some id →
{{{
inv' t γ ∗
front_lb γ front ∗
prophet_multi_full prophet_identifier γ.(inf_ws_deque_1_name_prophet_name) front prophs0
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET false;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_winner_pop t γ front P id :
{{{
inv' t γ ∗
winner_pop γ front P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
▷ P
}}}.
#[local] Lemma resolve𑁒spec_winner_steal t γ front P id :
{{{
inv' t γ ∗
winner_steal γ front P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_Empty t γ back priv ws id :
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws ∗
front_lb γ back
}}}
Resolve (CAS (#t).[front]%V #back #(back + 1)) #γ.(inf_ws_deque_1_name_prophet) (#back, #id)%V
{{{
RET true;
owner₁ γ Unstable back (priv ∘ S) ws ∗
front_lb γ (S back) ∗
history_at γ back (priv 0)
}}}.
Lemma inf_ws_deque_1٠size𑁒spec t γ ι ws :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠size #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model γ vs
| RET #(length vs);
inf_ws_deque_1_owner γ vs
>>>.
Lemma inf_ws_deque_1٠is_empty𑁒spec t γ ι ws :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠is_empty #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model γ vs
| RET #(bool_decide (vs = []%list));
inf_ws_deque_1_owner γ vs
>>>.
Lemma inf_ws_deque_1٠push𑁒spec t γ ι ws v :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠push #t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model γ (vs ++ [v])
| RET ();
inf_ws_deque_1_owner γ (vs ++ [v])
>>>.
Lemma inf_ws_deque_1٠steal𑁒spec t γ ι :
<<<
inf_ws_deque_1_inv t γ ι
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠steal #t @ ↑ι
<<<
inf_ws_deque_1_model γ (tail vs)
| RET head vs;
True
>>>.
Variant pop_state :=
| PopNonempty v
| PopEmptyishWinner v
| PopEmptyishLoser
| PopSuperempty.
#[local] Lemma inf_ws_deque_1٠pop₀𑁒spec {t γ} (state : pop_state) stable back (back_ : Z) priv ws id :
back_ = back →
{{{
inv' t γ ∗
owner₁ γ stable back priv ws ∗
match state with
| PopNonempty v ⇒
⌜stable = Stable⌝ ∗
⌜priv 0 = v⌝
| PopEmptyishWinner v ⇒
⌜stable = Unstable⌝ ∗
history_at γ back v ∗
winner_steal γ back inhabitant
| PopEmptyishLoser ⇒
∃ id_winner prophs,
⌜stable = Unstable⌝ ∗
prophet_multi_full prophet_identifier γ.(inf_ws_deque_1_name_prophet_name) back (id_winner :: prophs) ∗
⌜head (id_winner :: prophs) ≠ Some id⌝
| PopSuperempty ⇒
∃ front,
⌜stable = Unstable⌝ ∗
front_lb γ front ∗
⌜front = S back⌝
end
}}}
inf_ws_deque_1٠pop₀ #t #id #back_
{{{
o back priv
, RET o;
owner₁ γ Stable back priv ws ∗
match state with
| PopNonempty v ⇒
⌜o = Some v⌝
| PopEmptyishWinner v ⇒
⌜o = Some v⌝
| PopEmptyishLoser ⇒
⌜o = None⌝
| PopSuperempty ⇒
⌜o = None⌝
end
}}}.
Lemma inf_ws_deque_1٠pop𑁒spec t γ ι ws :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠pop #t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
inf_ws_deque_1_model γ []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
inf_ws_deque_1_model γ vs'
end
| RET o;
inf_ws_deque_1_owner γ ws'
>>>.
End inf_ws_deque_1_G.
#[global] Opaque inf_ws_deque_1_inv.
#[global] Opaque inf_ws_deque_1_model.
#[global] Opaque inf_ws_deque_1_owner.
End base.
From zoo_saturn Require
inf_ws_deque_1__opaque.
Section inf_ws_deque_1_G.
Context `{inf_ws_deque_1_G : InfWsDeque1G Σ}.
Implicit Types 𝑡 : location.
Implicit Types t : val.
Definition inf_ws_deque_1_inv t ι : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.inf_ws_deque_1_inv 𝑡 γ ι.
#[local] Instance : CustomIpat "inv" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hinv{_{}} ) ".
Definition inf_ws_deque_1_model t vs : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.inf_ws_deque_1_model γ vs.
#[local] Instance : CustomIpat "model" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hmodel{_{}} ) ".
Definition inf_ws_deque_1_owner t ws : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.inf_ws_deque_1_owner γ ws.
#[local] Instance : CustomIpat "owner" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Howner{_{}} ) ".
#[global] Instance inf_ws_deque_1_model_timeless γ vs :
Timeless (inf_ws_deque_1_model γ vs).
#[global] Instance inf_ws_deque_1_owner_timeless γ ws :
Timeless (inf_ws_deque_1_owner γ ws).
#[global] Instance inf_ws_deque_1_inv_persistent t ι :
Persistent (inf_ws_deque_1_inv t ι).
Lemma inf_ws_deque_1_model_exclusive t vs1 vs2 :
inf_ws_deque_1_model t vs1 -∗
inf_ws_deque_1_model t vs2 -∗
False.
Lemma inf_ws_deque_1_owner_exclusive t ws1 ws2 :
inf_ws_deque_1_owner t ws1 -∗
inf_ws_deque_1_owner t ws2 -∗
False.
Lemma inf_ws_deque_1_owner_model γ ws vs :
inf_ws_deque_1_owner γ ws -∗
inf_ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
Lemma inf_ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
inf_ws_deque_1٠create ()
{{{
t
, RET t;
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_model t [] ∗
inf_ws_deque_1_owner t []
}}}.
Lemma inf_ws_deque_1٠size𑁒spec t ι ws :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠size t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model t vs
| RET #(length vs);
inf_ws_deque_1_owner t vs
>>>.
Lemma inf_ws_deque_1٠is_empty𑁒spec t ι ws :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠is_empty t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model t vs
| RET #(bool_decide (vs = []%list));
inf_ws_deque_1_owner t vs
>>>.
Lemma inf_ws_deque_1٠push𑁒spec t ι ws v :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠push t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model t (vs ++ [v])
| RET ();
inf_ws_deque_1_owner t (vs ++ [v])
>>>.
Lemma inf_ws_deque_1٠steal𑁒spec t ι :
<<<
inf_ws_deque_1_inv t ι
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠steal t @ ↑ι
<<<
inf_ws_deque_1_model t (tail vs)
| RET head vs;
True
>>>.
Lemma inf_ws_deque_1٠pop𑁒spec t ι ws :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠pop t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
inf_ws_deque_1_model t []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
inf_ws_deque_1_model t vs'
end
| RET o;
inf_ws_deque_1_owner t ws'
>>>.
End inf_ws_deque_1_G.
#[global] Opaque inf_ws_deque_1_inv.
#[global] Opaque inf_ws_deque_1_model.
#[global] Opaque inf_ws_deque_1_owner.
prelude.
From zoo.common Require Import
countable
function
relations.
From zoo.iris.base_logic Require Import
lib.excl
lib.twins
lib.auth_twins
lib.auth_nat_max
lib.mono_list.
From zoo.language Require Import
notations.
From zoo.program_logic Require Import
identifier
prophet_identifier
prophet_multi.
From zoo.diaframe Require Import
diaframe.
From zoo_std Require Import
domain
inf_array
option.
From zoo_saturn Require Export
base
inf_ws_deque_1__code.
From zoo_saturn Require Import
inf_ws_deque_1__types.
From zoo Require Import
options.
Implicit Types front back : nat.
Implicit Types id : prophet_id.
Implicit Types v : val.
Implicit Types vs ws hist lhist : list val.
Implicit Types priv : nat → val.
Implicit Types past prophs : list prophet_identifier.(prophet_typed_type).
Implicit Types pasts prophss : nat → list prophet_identifier.(prophet_typed_type).
Variant state :=
| Empty
| Nonempty
| Emptyish
| Superempty.
Implicit Types state : state.
#[local] Instance state_inhabited : Inhabited state :=
populate Empty.
Variant stability :=
| Stable
| Unstable.
Implicit Types stable : stability.
#[local] Instance stability_inhabited : Inhabited stability :=
populate Stable.
Class InfWsDeque1G Σ `{zoo_G : !ZooG Σ} :=
{ #[local] inf_ws_deque_1_G_inf_array_G :: InfArrayG Σ
; #[local] inf_ws_deque_1_G_prophet_G :: ProphetMultiG Σ prophet_identifier
; #[local] inf_ws_deque_1_G_model_G :: AuthTwinsG Σ (leibnizO (list val)) suffix
; #[local] inf_ws_deque_1_G_owner_G :: TwinsG Σ (leibnizO (stability × nat × (nat → val)))
; #[local] inf_ws_deque_1_G_front_G :: AuthNatMaxG Σ
; #[local] inf_ws_deque_1_G_history_G :: MonoListG Σ val
; #[local] inf_ws_deque_1_G_winner_G :: TwinsG Σ (natO × ▶ ∙)
}.
Definition inf_ws_deque_1_Σ :=
#[inf_array_Σ
; prophet_multi_Σ prophet_identifier
; auth_twins_Σ (leibnizO (list val)) suffix
; twins_Σ (leibnizO (stability × nat × (nat → val)))
; auth_nat_max_Σ
; mono_list_Σ val
; twins_Σ (natO × ▶ ∙)
].
#[global] Instance subG_inf_ws_deque_1_Σ Σ `{zoo_G : !ZooG Σ} :
subG inf_ws_deque_1_Σ Σ →
InfWsDeque1G Σ .
Module base.
Section inf_ws_deque_1_G.
Context `{inf_ws_deque_1_G : InfWsDeque1G Σ}.
Implicit Types t : location.
Implicit Types P : iProp Σ.
Record inf_ws_deque_1_name :=
{ inf_ws_deque_1_name_data : val
; inf_ws_deque_1_name_inv : namespace
; inf_ws_deque_1_name_prophet : prophet_id
; inf_ws_deque_1_name_prophet_name : prophet_multi_name
; inf_ws_deque_1_name_model : auth_twins_name
; inf_ws_deque_1_name_owner : gname
; inf_ws_deque_1_name_front : gname
; inf_ws_deque_1_name_history : gname
; inf_ws_deque_1_name_winner : gname
}.
Implicit Types γ : inf_ws_deque_1_name.
#[global] Instance inf_ws_deque_1_name_eq_dec : EqDecision inf_ws_deque_1_name :=
ltac:(solve_decision).
#[global] Instance inf_ws_deque_1_name_countable :
Countable inf_ws_deque_1_name.
#[local] Definition model₁' γ_model vs :=
auth_twins_twin1 _ γ_model vs.
#[local] Definition model₁ γ :=
model₁' γ.(inf_ws_deque_1_name_model).
#[local] Definition model₂' γ_model vs :=
auth_twins_twin2 _ γ_model vs.
#[local] Definition model₂ γ :=
model₂' γ.(inf_ws_deque_1_name_model).
#[local] Definition owner₁' γ_owner γ_model stable back priv ws : iProp Σ :=
twins_twin1 (twins_G := inf_ws_deque_1_G_owner_G) γ_owner (DfracOwn 1) (stable, back, priv) ∗
auth_twins_auth _ γ_model ws.
#[local] Definition owner₁ γ :=
owner₁' γ.(inf_ws_deque_1_name_owner) γ.(inf_ws_deque_1_name_model).
#[local] Instance : CustomIpat "owner₁" :=
" ( Howner₁{_{}} & Hmodel_auth{_{}} ) ".
#[local] Definition owner₂' γ_owner stable back priv :=
twins_twin2 (twins_G := inf_ws_deque_1_G_owner_G) γ_owner (stable, back, priv).
#[local] Definition owner₂ γ :=
owner₂' γ.(inf_ws_deque_1_name_owner).
#[local] Definition front_auth' γ_front :=
auth_nat_max_auth γ_front (DfracOwn 1).
#[local] Definition front_auth γ :=
front_auth' γ.(inf_ws_deque_1_name_front).
#[local] Definition front_lb γ :=
auth_nat_max_lb γ.(inf_ws_deque_1_name_front).
#[local] Definition history_auth' γ_history :=
mono_list_auth γ_history (DfracOwn 1).
#[local] Definition history_auth γ :=
history_auth' γ.(inf_ws_deque_1_name_history).
#[local] Definition history_at γ :=
mono_list_at γ.(inf_ws_deque_1_name_history).
#[local] Definition winner_pop' γ_winner front P : iProp Σ :=
twins_twin1 γ_winner (DfracOwn 1) (front, Next P).
#[local] Definition winner_pop γ :=
winner_pop' γ.(inf_ws_deque_1_name_winner).
#[local] Definition winner_steal' γ_winner front P :=
twins_twin2 γ_winner (front, Next P).
#[local] Definition winner_steal γ :=
winner_steal' γ.(inf_ws_deque_1_name_winner).
#[local] Definition winner γ : iProp Σ :=
∃ front P1 P2,
winner_pop γ front P1 ∗
winner_steal γ front P2.
#[local] Instance : CustomIpat "winner" :=
" ( %front_winner & %P_winner_1 & %P_winner_2 & Hwinner_pop{_{}} & Hwinner_steal{_{}} ) ".
#[local] Definition winner_au γ front P : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(inf_ws_deque_1_name_inv), ∅ <{
∀∀ v vs',
⌜vs = v :: vs'⌝ ∗
model₁ γ vs' ∗
history_at γ front v
, COMM
P
}>.
#[local] Definition winner_pending_1 γ front P id : iProp Σ :=
winner_steal γ front P ∗
identifier_model' id ∗
winner_au γ front P.
#[local] Instance : CustomIpat "winner_pending_1" :=
" ( Hwinner_steal{_{!}} & Hid{_{!}} & HP ) ".
#[local] Definition winner_pending_2 γ front id : iProp Σ :=
∃ P,
winner_pending_1 γ front P id.
#[local] Instance : CustomIpat "winner_pending_2" :=
" ( %P{} & (:winner_pending_1) ) ".
#[local] Definition winner_linearized γ front P : iProp Σ :=
winner_steal γ front P ∗
P.
#[local] Instance : CustomIpat "winner_linearized" :=
" ( Hwinner_steal{_{!}} & HP ) ".
#[local] Definition inv_state_empty γ stable front back hist lhist : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_empty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_nonempty γ stable front back hist lhist vs prophs : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜lhist = hist ++ take 1 vs⌝ ∗
⌜length hist = front⌝ ∗
( winner γ
∨ match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_2 γ front id
end
).
#[local] Instance : CustomIpat "inv_state_nonempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_nonempty_steal γ state stable front back hist lhist vs prophs P : iProp Σ :=
⌜state = Nonempty⌝ ∗
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜lhist = hist ++ take 1 vs⌝ ∗
⌜length hist = front⌝ ∗
match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_1 γ front P id
end.
#[local] Instance : CustomIpat "inv_state_nonempty_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}-> & {>;}%Hhist{} & (:winner_pending_1) ) ".
#[local] Definition inv_state_emptyish γ stable front back hist lhist : iProp Σ :=
∃ P,
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = S front⌝ ∗
( winner_pop γ front P
∨ winner_linearized γ front P
).
#[local] Instance : CustomIpat "inv_state_emptyish" :=
" ( %P_ & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_emptyish_pop γ state stable front back hist lhist P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = S front⌝ ∗
winner_pop γ front P.
#[local] Instance : CustomIpat "inv_state_emptyish_pop" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner_pop ) ".
#[local] Definition inv_state_emptyish_steal γ state stable front back hist lhist P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = S front⌝ ∗
winner_linearized γ front P.
#[local] Instance : CustomIpat "inv_state_emptyish_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & (:winner_linearized) ) ".
#[local] Definition inv_state_superempty γ stable front back hist lhist : iProp Σ :=
⌜stable = Unstable⌝ ∗
⌜front = S back⌝ ∗
⌜lhist = hist⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_superempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state γ state stable front back hist lhist vs prophs : iProp Σ :=
match state with
| Empty ⇒
inv_state_empty γ stable front back hist lhist
| Nonempty ⇒
inv_state_nonempty γ stable front back hist lhist vs prophs
| Emptyish ⇒
inv_state_emptyish γ stable front back hist lhist
| Superempty ⇒
inv_state_superempty γ stable front back hist lhist
end.
#[local] Definition inv_inner t γ : iProp Σ :=
∃ state stable front back hist lhist vs priv pasts prophss,
t.[front] ↦ #front ∗
t.[back] ↦ #back ∗
owner₂ γ stable back priv ∗
front_auth γ front ∗
⌜0 < front⌝ ∗
model₂ γ vs ∗
⌜length vs = back - front⌝ ∗
inf_array_model' γ.(inf_ws_deque_1_name_data) (hist ++ vs) priv ∗
history_auth γ lhist ∗
prophet_multi_model prophet_identifier γ.(inf_ws_deque_1_name_prophet) γ.(inf_ws_deque_1_name_prophet_name) pasts prophss ∗
⌜∀ i, front ≤ i → pasts i = []⌝ ∗
inv_state γ state stable front back hist lhist vs (prophss front).
#[local] Instance : CustomIpat "inv_inner" :=
" ( %state{} & %stable{} & %front{} & %back{} & %hist{} & %lhist{} & %vs{} & %priv{} & %pasts{} & %prophss{} & >Ht_front & >Ht_back & >Howner₂ & >Hfront_auth & >%Hfront{} & >Hmodel₂ & >%Hvs{} & >Hdata_model & >Hhistory_auth & >Hprophet_model & >%Hpasts{} & Hstate ) ".
#[local] Definition inv' t γ : iProp Σ :=
t.[data] ↦□ γ.(inf_ws_deque_1_name_data) ∗
t.[proph] ↦□ #γ.(inf_ws_deque_1_name_prophet) ∗
inf_array_inv γ.(inf_ws_deque_1_name_data) ∗
inv γ.(inf_ws_deque_1_name_inv) (inv_inner t γ).
#[local] Instance : CustomIpat "inv'" :=
" ( #Ht_data & #Ht_proph & #Hdata_inv & #Hinv ) ".
Definition inf_ws_deque_1_inv t γ ι : iProp Σ :=
⌜ι = γ.(inf_ws_deque_1_name_inv)⌝ ∗
inv' t γ.
#[local] Instance : CustomIpat "inv" :=
" ( -> & (:inv') ) ".
Definition inf_ws_deque_1_model :=
model₁.
#[local] Instance : CustomIpat "model" :=
" Hmodel₁{_{}} ".
Definition inf_ws_deque_1_owner γ ws : iProp Σ :=
∃ back priv,
owner₁ γ Stable back priv ws.
#[local] Instance : CustomIpat "owner" :=
" ( %back{} & %priv{} & Howner₁{_{}} ) ".
#[global] Instance inf_ws_deque_1_model_timeless γ vs :
Timeless (inf_ws_deque_1_model γ vs).
#[global] Instance inf_ws_deque_1_owner_timeless γ ws :
Timeless (inf_ws_deque_1_owner γ ws).
#[global] Instance inf_ws_deque_1_inv_persistent t γ ι :
Persistent (inf_ws_deque_1_inv t γ ι).
#[local] Lemma model_owner_alloc :
⊢ |==>
∃ γ_model γ_owner,
model₁' γ_model [] ∗
model₂' γ_model [] ∗
owner₁' γ_owner γ_model Stable 1 (λ _, ()%V) [] ∗
owner₂' γ_owner Stable 1 (λ _, ()%V).
#[local] Lemma model₁_valid γ stable back priv ws vs :
owner₁ γ stable back priv ws -∗
model₁ γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma model₁_exclusive γ vs1 vs2 :
model₁ γ vs1 -∗
model₁ γ vs2 -∗
False.
#[local] Lemma model_agree γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 = vs2⌝.
#[local] Lemma model_owner₁_agree γ stable back priv ws vs1 vs2 :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 `suffix_of` ws⌝ ∗
⌜vs1 = vs2⌝.
#[local] Lemma model_empty {γ stable back priv ws vs1 vs2} :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv [] ∗
model₁ γ [] ∗
model₂ γ [].
#[local] Lemma model_push {γ stable back priv ws vs1 vs2} v :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv (vs1 ++ [v]) ∗
model₁ γ (vs1 ++ [v]) ∗
model₂ γ (vs1 ++ [v]).
#[local] Lemma model_steal γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
model₁ γ (tail vs1) ∗
model₂ γ (tail vs1).
#[local] Lemma model_pop γ stable back priv ws vs1 vs2 :
owner₁ γ stable back priv ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv (removelast vs1) ∗
model₁ γ (removelast vs1) ∗
model₂ γ (removelast vs1).
#[local] Lemma model_pop' γ stable back priv ws vs1 v vs2 :
owner₁ γ stable back priv ws -∗
model₁ γ (vs1 ++ [v]) -∗
model₂ γ vs2 ==∗
owner₁ γ stable back priv vs1 ∗
model₁ γ vs1 ∗
model₂ γ vs1.
#[local] Lemma owner₁_exclusive γ stable1 back1 priv1 ws1 stable2 back2 priv2 ws2 :
owner₁ γ stable1 back1 priv1 ws1 -∗
owner₁ γ stable2 back2 priv2 ws2 -∗
False.
#[local] Lemma owner_agree γ stable1 back1 priv1 ws stable2 back2 priv2 :
owner₁ γ stable1 back1 priv1 ws -∗
owner₂ γ stable2 back2 priv2 -∗
⌜stable1 = stable2⌝ ∗
⌜back1 = back2⌝ ∗
⌜priv1 = priv2⌝.
#[local] Lemma owner₁_update γ stable back priv ws vs :
owner₁ γ stable back priv ws -∗
model₁ γ vs -∗
model₂ γ vs ==∗
owner₁ γ stable back priv vs ∗
model₁ γ vs ∗
model₂ γ vs.
#[local] Lemma owner_update {γ stable1 back1 priv1 ws stable2 back2 priv2} stable back priv :
owner₁ γ stable1 back1 priv1 ws -∗
owner₂ γ stable2 back2 priv2 ==∗
owner₁ γ stable back priv ws ∗
owner₂ γ stable back priv.
#[local] Lemma front_alloc :
⊢ |==>
∃ γ_front,
front_auth' γ_front 1.
#[local] Lemma front_lb_get γ front :
front_auth γ front ⊢
front_lb γ front.
#[local] Lemma front_lb_le {γ front} front' :
front' ≤ front →
front_lb γ front ⊢
front_lb γ front'.
#[local] Lemma front_lb_valid γ front1 front2 :
front_auth γ front1 -∗
front_lb γ front2 -∗
⌜front2 ≤ front1⌝.
#[local] Lemma front_update γ front :
front_auth γ front ⊢ |==>
front_auth γ (S front).
#[local] Lemma history_alloc :
⊢ |==>
∃ γ_hist,
history_auth' γ_hist [()%V].
#[local] Lemma history_at_get {γ hist v} i :
i = length hist →
history_auth γ (hist ++ [v]) ⊢
history_at γ i v.
#[local] Lemma history_at_lookup γ hist i v :
history_auth γ hist -∗
history_at γ i v -∗
⌜hist !! i = Some v⌝.
#[local] Lemma history_at_agree γ i v1 v2 :
history_at γ i v1 -∗
history_at γ i v2 -∗
⌜v1 = v2⌝.
#[local] Lemma history_update {γ hist} i v :
i = length hist →
history_auth γ hist ⊢ |==>
history_auth γ (hist ++ [v]) ∗
history_at γ i v.
#[local] Lemma winner_alloc :
⊢ |==>
∃ γ_winner,
winner_pop' γ_winner 1 True ∗
winner_steal' γ_winner 1 True.
#[local] Lemma winner_pop_exclusive γ front1 P1 front2 P2 :
winner_pop γ front1 P1 -∗
winner_pop γ front2 P2 -∗
False.
#[local] Lemma winner_pop_exclusive' γ front P :
winner_pop γ front P -∗
winner γ -∗
False.
#[local] Lemma winner_steal_exclusive γ front1 P1 front2 P2 :
winner_steal γ front1 P1 -∗
winner_steal γ front2 P2 -∗
False.
#[local] Lemma winner_steal_exclusive' γ front P :
winner_steal γ front P -∗
winner γ -∗
False.
#[local] Lemma winner_agree γ front1 P1 front2 P2 :
winner_pop γ front1 P1 -∗
winner_steal γ front2 P2 -∗
⌜front1 = front2⌝ ∗
▷ (P1 ≡ P2).
#[local] Lemma winner_update {γ front1 P1 front2 P2} front P :
winner_pop γ front1 P1 -∗
winner_steal γ front2 P2 ==∗
winner_pop γ front P ∗
winner_steal γ front P.
Opaque owner₁'.
Lemma inf_ws_deque_1_model_exclusive γ vs1 vs2 :
inf_ws_deque_1_model γ vs1 -∗
inf_ws_deque_1_model γ vs2 -∗
False.
Lemma inf_ws_deque_1_owner_exclusive γ ws1 ws2 :
inf_ws_deque_1_owner γ ws1 -∗
inf_ws_deque_1_owner γ ws2 -∗
False.
Lemma inf_ws_deque_1_owner_model γ ws vs :
inf_ws_deque_1_owner γ ws -∗
inf_ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma inv_state_Stable γ state front back hist lhist vs prophs :
length vs = back - front →
inv_state γ state Stable front back hist lhist vs prophs ⊢
⌜state = Empty ∨ state = Nonempty⌝ ∗
⌜front ≤ back⌝ ∗
⌜length (hist ++ vs) = back⌝.
#[local] Lemma inv_state_Unstable γ state front back hist lhist vs prophs :
inv_state γ state Unstable front back hist lhist vs prophs ⊢
⌜state = Emptyish ∨ state = Superempty⌝ ∗
⌜front = back ∨ front = S back⌝.
#[local] Lemma inv_state_Nonempty γ state stable front back hist lhist vs prophs :
front < back →
inv_state γ state stable front back hist lhist vs prophs ⊢
⌜state = Nonempty⌝.
#[local] Lemma inv_state_Superempty γ state front back hist lhist vs prophs :
back < front →
inv_state γ state Unstable front back hist lhist vs prophs -∗
⌜state = Superempty⌝.
#[local] Lemma inv_state_winner_pop γ state stable front1 back hist lhist vs prophs front2 P :
inv_state γ state stable front1 back hist lhist vs prophs -∗
winner_pop γ front2 P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P ≡ P_) ∗
( inv_state_nonempty_steal γ state stable front2 back hist lhist vs prophs P_
∨ inv_state_emptyish_steal γ state stable front2 back hist lhist P_
) ∗
winner_pop γ front2 P.
#[local] Lemma inv_state_winner_steal γ state stable front1 back hist lhist vs prophs front2 P :
inv_state γ state stable front1 back hist lhist vs prophs -∗
winner_steal γ front2 P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P_ ≡ P) ∗
inv_state_emptyish_pop γ state stable front2 back hist lhist P_ ∗
winner_steal γ front2 P.
Lemma inf_ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
inf_ws_deque_1٠create ()
{{{
t γ
, RET #t;
meta_token t ⊤ ∗
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_model γ [] ∗
inf_ws_deque_1_owner γ []
}}}.
#[local] Lemma front𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{front}
{{{
front
, RET #front;
front_lb γ front
}}}.
#[local] Lemma front𑁒spec_owner_Stable t γ back priv ws :
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Stable back priv ws ∗
front_lb γ front ∗
⌜front ≤ back⌝
}}}.
#[local] Lemma front𑁒spec_owner_Unstable t γ back priv ws :
{{{
inv' t γ ∗
owner₁ γ Unstable back priv ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Unstable back priv ws ∗
front_lb γ front ∗
⌜front = back ∨ front = S back⌝
}}}.
#[local] Lemma front𑁒spec_Superempty t γ back priv ws front :
back < front →
{{{
inv' t γ ∗
owner₁ γ Unstable back priv ws ∗
front_lb γ front
}}}
(#t).{front}
{{{
RET #front;
owner₁ γ Unstable back priv ws
}}}.
#[local] Lemma front𑁒spec_winner_steal t γ front P :
{{{
inv' t γ ∗
winner_steal γ front P
}}}
(#t).{front}
{{{
RET #front;
winner_steal γ front P
}}}.
#[local] Lemma back𑁒spec t γ stable back priv ws :
{{{
inv' t γ ∗
owner₁ γ stable back priv ws
}}}
(#t).{back}
{{{
RET #back;
owner₁ γ stable back priv ws
}}}.
#[local] Lemma set_back𑁒spec_Superempty t γ back priv ws front (back' : Z) :
back < front →
back' = S back →
{{{
inv' t γ ∗
owner₁ γ Unstable back priv ws ∗
front_lb γ front
}}}
#t <-{back} #back'
{{{
RET ();
owner₁ γ Stable (S back) priv ws
}}}.
#[local] Lemma inf_array٠get𑁒spec_history t γ (i : nat) (i_ : Z) v :
i_ = i →
{{{
inv' t γ ∗
history_at γ i v
}}}
inf_array٠get γ.(inf_ws_deque_1_name_data) #i_
{{{
RET v;
True
}}}.
#[local] Lemma inf_array٠get𑁒spec_owner t γ back (back_ : Z) priv ws v :
back_ = back →
priv 0 = v →
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws
}}}
inf_array٠get γ.(inf_ws_deque_1_name_data) #back_
{{{
RET v;
owner₁ γ Stable back priv ws
}}}.
#[local] Lemma inf_array٠set𑁒spec_owner t γ back priv ws v :
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws
}}}
inf_array٠set γ.(inf_ws_deque_1_name_data) #back v
{{{
RET ();
owner₁ γ Stable back (<[0 := v]> priv) ws
}}}.
#[local] Lemma resolve𑁒spec_loser_1 t γ front1 front2 id :
front1 < front2 →
{{{
inv' t γ ∗
front_lb γ front2
}}}
Resolve (CAS (#t).[front]%V #front1 #(front1 + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front1, #id)%V
{{{
RET false;
True
}}}.
#[local] Lemma resolve𑁒spec_loser_2 t γ front id prophs0 :
head prophs0 ≠ Some id →
{{{
inv' t γ ∗
front_lb γ front ∗
prophet_multi_full prophet_identifier γ.(inf_ws_deque_1_name_prophet_name) front prophs0
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET false;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_winner_pop t γ front P id :
{{{
inv' t γ ∗
winner_pop γ front P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
▷ P
}}}.
#[local] Lemma resolve𑁒spec_winner_steal t γ front P id :
{{{
inv' t γ ∗
winner_steal γ front P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(inf_ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_Empty t γ back priv ws id :
{{{
inv' t γ ∗
owner₁ γ Stable back priv ws ∗
front_lb γ back
}}}
Resolve (CAS (#t).[front]%V #back #(back + 1)) #γ.(inf_ws_deque_1_name_prophet) (#back, #id)%V
{{{
RET true;
owner₁ γ Unstable back (priv ∘ S) ws ∗
front_lb γ (S back) ∗
history_at γ back (priv 0)
}}}.
Lemma inf_ws_deque_1٠size𑁒spec t γ ι ws :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠size #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model γ vs
| RET #(length vs);
inf_ws_deque_1_owner γ vs
>>>.
Lemma inf_ws_deque_1٠is_empty𑁒spec t γ ι ws :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠is_empty #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model γ vs
| RET #(bool_decide (vs = []%list));
inf_ws_deque_1_owner γ vs
>>>.
Lemma inf_ws_deque_1٠push𑁒spec t γ ι ws v :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠push #t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model γ (vs ++ [v])
| RET ();
inf_ws_deque_1_owner γ (vs ++ [v])
>>>.
Lemma inf_ws_deque_1٠steal𑁒spec t γ ι :
<<<
inf_ws_deque_1_inv t γ ι
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠steal #t @ ↑ι
<<<
inf_ws_deque_1_model γ (tail vs)
| RET head vs;
True
>>>.
Variant pop_state :=
| PopNonempty v
| PopEmptyishWinner v
| PopEmptyishLoser
| PopSuperempty.
#[local] Lemma inf_ws_deque_1٠pop₀𑁒spec {t γ} (state : pop_state) stable back (back_ : Z) priv ws id :
back_ = back →
{{{
inv' t γ ∗
owner₁ γ stable back priv ws ∗
match state with
| PopNonempty v ⇒
⌜stable = Stable⌝ ∗
⌜priv 0 = v⌝
| PopEmptyishWinner v ⇒
⌜stable = Unstable⌝ ∗
history_at γ back v ∗
winner_steal γ back inhabitant
| PopEmptyishLoser ⇒
∃ id_winner prophs,
⌜stable = Unstable⌝ ∗
prophet_multi_full prophet_identifier γ.(inf_ws_deque_1_name_prophet_name) back (id_winner :: prophs) ∗
⌜head (id_winner :: prophs) ≠ Some id⌝
| PopSuperempty ⇒
∃ front,
⌜stable = Unstable⌝ ∗
front_lb γ front ∗
⌜front = S back⌝
end
}}}
inf_ws_deque_1٠pop₀ #t #id #back_
{{{
o back priv
, RET o;
owner₁ γ Stable back priv ws ∗
match state with
| PopNonempty v ⇒
⌜o = Some v⌝
| PopEmptyishWinner v ⇒
⌜o = Some v⌝
| PopEmptyishLoser ⇒
⌜o = None⌝
| PopSuperempty ⇒
⌜o = None⌝
end
}}}.
Lemma inf_ws_deque_1٠pop𑁒spec t γ ι ws :
<<<
inf_ws_deque_1_inv t γ ι ∗
inf_ws_deque_1_owner γ ws
| ∀∀ vs,
inf_ws_deque_1_model γ vs
>>>
inf_ws_deque_1٠pop #t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
inf_ws_deque_1_model γ []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
inf_ws_deque_1_model γ vs'
end
| RET o;
inf_ws_deque_1_owner γ ws'
>>>.
End inf_ws_deque_1_G.
#[global] Opaque inf_ws_deque_1_inv.
#[global] Opaque inf_ws_deque_1_model.
#[global] Opaque inf_ws_deque_1_owner.
End base.
From zoo_saturn Require
inf_ws_deque_1__opaque.
Section inf_ws_deque_1_G.
Context `{inf_ws_deque_1_G : InfWsDeque1G Σ}.
Implicit Types 𝑡 : location.
Implicit Types t : val.
Definition inf_ws_deque_1_inv t ι : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.inf_ws_deque_1_inv 𝑡 γ ι.
#[local] Instance : CustomIpat "inv" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hinv{_{}} ) ".
Definition inf_ws_deque_1_model t vs : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.inf_ws_deque_1_model γ vs.
#[local] Instance : CustomIpat "model" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hmodel{_{}} ) ".
Definition inf_ws_deque_1_owner t ws : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.inf_ws_deque_1_owner γ ws.
#[local] Instance : CustomIpat "owner" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Howner{_{}} ) ".
#[global] Instance inf_ws_deque_1_model_timeless γ vs :
Timeless (inf_ws_deque_1_model γ vs).
#[global] Instance inf_ws_deque_1_owner_timeless γ ws :
Timeless (inf_ws_deque_1_owner γ ws).
#[global] Instance inf_ws_deque_1_inv_persistent t ι :
Persistent (inf_ws_deque_1_inv t ι).
Lemma inf_ws_deque_1_model_exclusive t vs1 vs2 :
inf_ws_deque_1_model t vs1 -∗
inf_ws_deque_1_model t vs2 -∗
False.
Lemma inf_ws_deque_1_owner_exclusive t ws1 ws2 :
inf_ws_deque_1_owner t ws1 -∗
inf_ws_deque_1_owner t ws2 -∗
False.
Lemma inf_ws_deque_1_owner_model γ ws vs :
inf_ws_deque_1_owner γ ws -∗
inf_ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
Lemma inf_ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
inf_ws_deque_1٠create ()
{{{
t
, RET t;
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_model t [] ∗
inf_ws_deque_1_owner t []
}}}.
Lemma inf_ws_deque_1٠size𑁒spec t ι ws :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠size t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model t vs
| RET #(length vs);
inf_ws_deque_1_owner t vs
>>>.
Lemma inf_ws_deque_1٠is_empty𑁒spec t ι ws :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠is_empty t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model t vs
| RET #(bool_decide (vs = []%list));
inf_ws_deque_1_owner t vs
>>>.
Lemma inf_ws_deque_1٠push𑁒spec t ι ws v :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠push t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
inf_ws_deque_1_model t (vs ++ [v])
| RET ();
inf_ws_deque_1_owner t (vs ++ [v])
>>>.
Lemma inf_ws_deque_1٠steal𑁒spec t ι :
<<<
inf_ws_deque_1_inv t ι
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠steal t @ ↑ι
<<<
inf_ws_deque_1_model t (tail vs)
| RET head vs;
True
>>>.
Lemma inf_ws_deque_1٠pop𑁒spec t ι ws :
<<<
inf_ws_deque_1_inv t ι ∗
inf_ws_deque_1_owner t ws
| ∀∀ vs,
inf_ws_deque_1_model t vs
>>>
inf_ws_deque_1٠pop t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
inf_ws_deque_1_model t []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
inf_ws_deque_1_model t vs'
end
| RET o;
inf_ws_deque_1_owner t ws'
>>>.
End inf_ws_deque_1_G.
#[global] Opaque inf_ws_deque_1_inv.
#[global] Opaque inf_ws_deque_1_model.
#[global] Opaque inf_ws_deque_1_owner.