Library zoo_saturn.mpmc_bqueue
From iris.base_logic Require Import
lib.ghost_map.
From zoo Require Import
prelude.
From zoo.common Require Import
countable
list.
From zoo.iris.bi Require Import
big_op.
From zoo.iris.base_logic Require Import
lib.mono_list
lib.auth_nat_max
lib.twins
lib.saved_pred.
From zoo.language Require Import
notations.
From zoo.program_logic Require Import
prophet_typed.
From zoo.diaframe Require Import
diaframe.
From zoo_std Require Import
domain
option
xtchain.
From zoo_saturn Require Export
base
mpmc_bqueue__code.
From zoo_saturn Require Import
mpmc_bqueue__types.
From zoo Require Import
options.
Implicit Types b : bool.
Implicit Types front node back new_back : location.
Implicit Types hist past nodes : list location.
Implicit Types v : val.
Implicit Types vs : list val.
Implicit Types waiter : gname.
Implicit Types waiters : gmap gname nat.
#[local] Program Definition prophet :=
{|prophet_typed_strong_1_type :=
location
; prophet_typed_strong_1_of_val v _ :=
match v with
| ValLoc l ⇒
Some l
| _ ⇒
None
end
; prophet_typed_strong_1_to_val l :=
(#l, ()%V)
|}.
Solve Obligations of prophet with
try done.
Class MpmcBqueueG Σ `{zoo_G : !ZooG Σ} :=
{ #[local] mpmc_bqueue_G_history_G :: MonoListG Σ location
; #[local] mpmc_bqueue_G_front_G :: AuthNatMaxG Σ
; #[local] mpmc_bqueue_G_model_G :: TwinsG Σ (leibnizO (list val))
; #[local] mpmc_bqueue_G_waiters_G :: ghost_mapG Σ gname nat
; #[local] mpmc_bqueue_G_saved_pred_G :: SavedPredG Σ bool;
}.
Definition mpmc_bqueue_Σ :=
#[mono_list_Σ location
; auth_nat_max_Σ
; twins_Σ (leibnizO (list val))
; ghost_mapΣ gname nat
; saved_pred_Σ bool
].
#[global] Instance subG_mpmc_bqueue_Σ Σ `{zoo_G : !ZooG Σ} :
subG mpmc_bqueue_Σ Σ →
MpmcBqueueG Σ.
Module base.
Section mpmc_bqueue_G.
Context `{mpmc_bqueue_G : MpmcBqueueG Σ}.
Implicit Types t : location.
Record mpmc_bqueue_name :=
{ mpmc_bqueue_name_inv : namespace
; mpmc_bqueue_name_capacity : nat
; mpmc_bqueue_name_history : gname
; mpmc_bqueue_name_front : gname
; mpmc_bqueue_name_model : gname
; mpmc_bqueue_name_waiters : gname
}.
Implicit Types γ : mpmc_bqueue_name.
#[global] Instance mpmc_bqueue_name_eq_dec : EqDecision mpmc_bqueue_name :=
ltac:(solve_decision).
#[global] Instance mpmc_bqueue_name_countable :
Countable mpmc_bqueue_name.
#[local] Definition history_auth' γ_history :=
mono_list_auth γ_history (DfracOwn 1).
#[local] Definition history_auth γ :=
history_auth' γ.(mpmc_bqueue_name_history).
#[local] Definition history_at γ :=
mono_list_at γ.(mpmc_bqueue_name_history).
#[local] Definition front_auth' γ_front :=
auth_nat_max_auth γ_front (DfracOwn 1).
#[local] Definition front_auth γ :=
front_auth' γ.(mpmc_bqueue_name_front).
#[local] Definition front_lb γ :=
auth_nat_max_lb γ.(mpmc_bqueue_name_front).
#[local] Definition model₁' γ_model vs :=
twins_twin1 γ_model (DfracOwn 1) vs.
#[local] Definition model₁ γ :=
model₁' γ.(mpmc_bqueue_name_model).
#[local] Definition model₂' γ_model vs :=
twins_twin2 γ_model vs.
#[local] Definition model₂ γ :=
model₂' γ.(mpmc_bqueue_name_model).
#[local] Definition waiters_auth' γ_waiters :=
ghost_map_auth γ_waiters 1.
#[local] Definition waiters_auth γ :=
waiters_auth' γ.(mpmc_bqueue_name_waiters).
#[local] Definition waiters_at γ waiter :=
ghost_map_elem γ.(mpmc_bqueue_name_waiters) waiter (DfracOwn 1).
#[local] Definition node_model γ node (i : nat) b : iProp Σ :=
node ↦ₕ Header §Node 4 ∗
node.[index] ↦□ #i ∗
history_at γ i node ∗
if b then front_lb γ i else True%I.
#[local] Instance : CustomIpat "node_model" :=
" ( #H{}_header & #H{}_index & #Hhistory_at_{} & {{front}#Hfront_lb_{};_} ) ".
#[local] Definition waiter_au γ (Ψ : bool → iProp Σ) : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(mpmc_bqueue_name_inv), ∅ <{
model₁ γ vs
, COMM
Ψ (bool_decide (vs = []))
}>.
#[local] Definition waiter_model γ past waiter i : iProp Σ :=
∃ Ψ,
saved_pred waiter Ψ ∗
if decide (i < length past) then
Ψ false
else
waiter_au γ Ψ.
#[local] Definition inv_inner t γ : iProp Σ :=
∃ hist past front nodes back vs waiters,
⌜hist = past ++ front :: nodes⌝ ∗
⌜back ∈ hist⌝ ∗
t.[front] ↦ #front ∗
t.[back] ↦ #back ∗
xtchain (Header §Node 4) (DfracOwn 1) hist §Null ∗
( [∗ list] node; v ∈ nodes; vs,
node.[data] ↦ v
) ∗
( [∗ list] i ↦ node ∈ hist,
node.[index] ↦□ #i
) ∗
( [∗ list] i ↦ node ∈ hist,
∃ cap : nat,
node.[estimated_capacity] ↦ #cap ∗
⌜i + cap ≤ length past + γ.(mpmc_bqueue_name_capacity)⌝
) ∗
history_auth γ hist ∗
front_auth γ (length past) ∗
model₂ γ vs ∗
waiters_auth γ waiters ∗
( [∗ map] waiter ↦ i ∈ waiters,
waiter_model γ past waiter i
).
#[local] Instance : CustomIpat "inv_inner" :=
" ( %hist{} & %past{} & %front{} & %nodes{} & %back{} & %vs{} & %waiters{} & >%Hhist{} & >%Hback{} & >Ht_front & >Ht_back & >Hhist & >Hnodes & >Hindices & >Hcapacities & >Hhistory_auth & >Hfront_auth & >Hmodel₂ & >Hwaiters_auth & Hwaiters ) ".
#[local] Definition inv' t γ :=
inv γ.(mpmc_bqueue_name_inv) (inv_inner t γ).
Definition mpmc_bqueue_inv t γ ι cap : iProp Σ :=
⌜ι = γ.(mpmc_bqueue_name_inv)⌝ ∗
⌜cap = γ.(mpmc_bqueue_name_capacity)⌝ ∗
t.[capacity] ↦□ #cap ∗
inv' t γ.
#[local] Instance : CustomIpat "inv" :=
" ( -> & -> & #Ht_capacity & #Hinv ) ".
Definition mpmc_bqueue_model γ vs : iProp Σ :=
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs.
#[local] Instance : CustomIpat "model" :=
" ( % & Hmodel₁{_{}} ) ".
#[global] Instance mpmc_bqueue_model_timeless γ vs :
Timeless (mpmc_bqueue_model γ vs).
#[global] Instance mpmc_bqueue_inv_persistent t γ ι cap :
Persistent (mpmc_bqueue_inv t γ ι cap).
#[local] Lemma history_alloc front :
⊢ |==>
∃ γ_history,
history_auth' γ_history [front].
#[local] Lemma history_at_get {γ hist} i node :
hist !! i = Some node →
history_auth γ hist ⊢
history_at γ i node.
#[local] Lemma history_at_agree γ i node1 node2 :
history_at γ i node1 -∗
history_at γ i node2 -∗
⌜node1 = node2⌝.
#[local] Lemma history_at_lookup γ hist i node :
history_auth γ hist -∗
history_at γ i node -∗
⌜hist !! i = Some node⌝.
#[local] Lemma history_at_elem_of γ hist i node :
history_auth γ hist -∗
history_at γ i node -∗
⌜node ∈ hist⌝.
#[local] Lemma history_update {γ hist} node :
history_auth γ hist ⊢ |==>
history_auth γ (hist ++ [node]) ∗
history_at γ (length hist) node.
#[local] Lemma front_alloc :
⊢ |==>
∃ γ_front,
front_auth' γ_front 0.
#[local] Lemma front_lb_get γ i :
front_auth γ i ⊢
front_lb γ i.
#[local] Lemma front_lb_valid γ i1 i2 :
front_auth γ i1 -∗
front_lb γ i2 -∗
⌜i2 ≤ i1⌝.
#[local] Lemma front_update {γ i} i' :
i ≤ i' →
front_auth γ i ⊢ |==>
front_auth γ i'.
#[local] Lemma model_alloc :
⊢ |==>
∃ γ_model,
model₁' γ_model [] ∗
model₂' γ_model [].
#[local] Lemma model₁_exclusive γ vs1 vs2 :
model₁ γ vs1 -∗
model₁ γ vs2 -∗
False.
#[local] Lemma model_agree γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 = vs2⌝.
#[local] Lemma model_update {γ vs1 vs2} vs :
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
model₁ γ vs ∗
model₂ γ vs.
#[local] Lemma waiters_alloc :
⊢ |==>
∃ γ_waiters,
waiters_auth' γ_waiters ∅.
#[local] Lemma waiters_insert {γ waiters} i Ψ :
waiters_auth γ waiters ⊢ |==>
∃ waiter,
waiters_auth γ (<[waiter := i]> waiters) ∗
saved_pred waiter Ψ ∗
waiters_at γ waiter i.
#[local] Lemma waiters_delete γ waiters waiter i :
waiters_auth γ waiters -∗
waiters_at γ waiter i ==∗
⌜waiters !! waiter = Some i⌝ ∗
waiters_auth γ (delete waiter waiters).
Lemma mpmc_bqueue_model_valid t γ ι cap vs :
mpmc_bqueue_inv t γ ι cap -∗
mpmc_bqueue_model γ vs -∗
⌜length vs ≤ cap⌝.
Lemma mpmc_bqueue_model_exclusive γ vs1 vs2 :
mpmc_bqueue_model γ vs1 -∗
mpmc_bqueue_model γ vs2 -∗
False.
Lemma mpmc_bqueue٠create𑁒spec ι cap :
(0 ≤ cap)%Z →
{{{
True
}}}
mpmc_bqueue٠create #cap
{{{
t γ
, RET #t;
meta_token t ⊤ ∗
mpmc_bqueue_inv t γ ι ₊cap ∗
mpmc_bqueue_model γ []
}}}.
Lemma mpmc_bqueue٠capacity𑁒spec t γ ι cap :
{{{
mpmc_bqueue_inv t γ ι cap
}}}
mpmc_bqueue٠capacity #t
{{{
RET #cap;
True
}}}.
#[local] Lemma front𑁒spec_strong Ψ t γ :
{{{
inv' t γ ∗
if Ψ is Some Ψ then
waiter_au γ Ψ
else
True
}}}
(#t).{front}
{{{
front i
, RET #front;
node_model γ front i true ∗
if Ψ is Some Ψ then
∃ waiter,
saved_pred waiter Ψ ∗
waiters_at γ waiter i
else
True
}}}.
#[local] Lemma front𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{front}
{{{
front i
, RET #front;
node_model γ front i true
}}}.
#[local] Lemma back𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{back}
{{{
back i
, RET #back;
node_model γ back i false
}}}.
Variant operation :=
| Size (i_front : nat) (Ψ : val → iProp Σ)
| IsEmpty waiter (Ψ : bool → iProp Σ)
| Pop (Ψ : option val → iProp Σ)
| Other.
Implicit Types op : operation.
Variant operation' :=
| Size'
| IsEmpty'
| Pop'
| Other'.
#[local] Instance operation'_eq_dec : EqDecision operation' :=
ltac:(solve_decision).
#[local] Coercion operation_to_operation' op :=
match op with
| Size _ _ ⇒
Size'
| IsEmpty _ _ ⇒
IsEmpty'
| Pop _ ⇒
Pop'
| Other ⇒
Other'
end.
#[local] Definition size_au γ Ψ : iProp Σ :=
AU <{
∃∃ vs,
mpmc_bqueue_model γ vs
}> @ ⊤ ∖ ↑γ.(mpmc_bqueue_name_inv), ∅ <{
mpmc_bqueue_model γ vs
, COMM
True -∗ Ψ #(length vs)
}>.
#[local] Definition pop_au γ (Ψ : option val → iProp Σ) : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(mpmc_bqueue_name_inv), ∅ <{
model₁ γ (tail vs)
, COMM
True -∗ Ψ (head vs)
}>.
#[local] Lemma next𑁒spec_aux (next : option location) op t γ i node :
{{{
inv' t γ ∗
history_at γ i node ∗
from_option (history_at γ (S i)) True next ∗
match op with
| Size i_front Ψ ⇒
front_lb γ i_front ∗
size_au γ Ψ
| IsEmpty waiter Ψ ⇒
front_lb γ i ∗
saved_pred waiter Ψ ∗
waiters_at γ waiter i ∗
£ 1
| Pop Ψ ⇒
front_lb γ i ∗
pop_au γ Ψ
| Other ⇒
True
end
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
from_option (const False) True next ∗
match op with
| Size i_front Ψ ⇒
Ψ #(i - i_front)
∨ ∃ i_front',
front_lb γ i_front' ∗
⌜i_front < i_front'⌝ ∗
size_au γ Ψ
| IsEmpty waiter Ψ ⇒
Ψ true
| Pop Ψ ⇒
Ψ None
| _ ⇒
True
end
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
⌜from_option (node' =.) True next⌝ ∗
match op with
| Size _ Ψ ⇒
size_au γ Ψ
| IsEmpty waiter Ψ ⇒
Ψ false
| Pop Ψ ⇒
pop_au γ Ψ
| Other ⇒
True
end
}}}.
#[local] Lemma next𑁒spec {t γ i} node :
{{{
inv' t γ ∗
history_at γ i node
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false
}}}.
#[local] Lemma next𑁒spec' {t γ i} node next :
{{{
inv' t γ ∗
history_at γ i node ∗
history_at γ (S i) next
}}}
(#node).{next}
{{{
RET #next;
node_model γ next (S i) false
}}}.
#[local] Lemma next𑁒spec_size {t γ i node} i_front Ψ :
{{{
inv' t γ ∗
history_at γ i node ∗
front_lb γ i_front ∗
size_au γ Ψ
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
( Ψ #(i - i_front)
∨ ∃ i_front',
front_lb γ i_front' ∗
⌜i_front < i_front'⌝ ∗
size_au γ Ψ
)
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
size_au γ Ψ
}}}.
#[local] Lemma next𑁒spec_is_empty {t γ i node} waiter Ψ :
{{{
inv' t γ ∗
history_at γ i node ∗
front_lb γ i ∗
saved_pred waiter Ψ ∗
waiters_at γ waiter i ∗
£ 1
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
Ψ true
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
Ψ false
}}}.
#[local] Lemma next𑁒spec_pop {t γ i node} Ψ :
{{{
inv' t γ ∗
history_at γ i node ∗
front_lb γ i ∗
pop_au γ Ψ
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
Ψ None
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
pop_au γ Ψ
}}}.
Lemma mpmc_bqueue٠size𑁒spec t γ ι cap :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠size #t @ ↑ι
<<<
mpmc_bqueue_model γ vs
| RET #(length vs);
True
>>>.
Lemma mpmc_bqueue٠is_empty𑁒spec t γ ι cap :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠is_empty #t @ ↑ι
<<<
mpmc_bqueue_model γ vs
| RET #(bool_decide (vs = []%list));
True
>>>.
#[local] Lemma mpmc_bqueue٠fix_back𑁒spec {t γ} i {back} j new_back :
{{{
inv' t γ ∗
history_at γ i back ∗
node_model γ new_back j false
}}}
mpmc_bqueue٠fix_back #t #back #new_back
{{{
RET ();
True
}}}.
#[local] Lemma mpmc_bqueue٠push_1_push_2𑁒spec t γ new_back v :
⊢ (
∀ back i_back i_front (cap : Z),
<<<
t.[capacity] ↦□ #γ.(mpmc_bqueue_name_capacity) ∗
inv' t γ ∗
node_model γ back i_back false ∗
front_lb γ i_front ∗
⌜0 ≤ cap⌝%Z ∗
⌜i_back + cap ≤ i_front + γ.(mpmc_bqueue_name_capacity)⌝%Z ∗
new_back ↦ₕ Header §Node 4 ∗
new_back.[next] ↦ §Null ∗
new_back.[data] ↦ v ∗
new_back.[index] ↦- ∗
new_back.[estimated_capacity] ↦-
| ∀∀ vs,
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs
>>>
mpmc_bqueue٠push_1 #t #back #cap #new_back @ ↑γ.(mpmc_bqueue_name_inv)
<<<
∃∃ b,
⌜b = bool_decide (length vs < γ.(mpmc_bqueue_name_capacity))⌝ ∗
model₁ γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>
) ∧ (
∀ back i_back,
<<<
t.[capacity] ↦□ #γ.(mpmc_bqueue_name_capacity) ∗
inv' t γ ∗
node_model γ back i_back false ∗
new_back ↦ₕ Header §Node 4 ∗
new_back.[next] ↦ §Null ∗
new_back.[data] ↦ v ∗
new_back.[index] ↦- ∗
new_back.[estimated_capacity] ↦-
| ∀∀ vs,
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs
>>>
mpmc_bqueue٠push_2 #t #back #new_back @ ↑γ.(mpmc_bqueue_name_inv)
<<<
∃∃ b,
⌜b = bool_decide (length vs < γ.(mpmc_bqueue_name_capacity))⌝ ∗
model₁ γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>
).
#[local] Lemma mpmc_bqueue٠push_2𑁒spec t γ back i_back new_back v :
<<<
t.[capacity] ↦□ #γ.(mpmc_bqueue_name_capacity) ∗
inv' t γ ∗
node_model γ back i_back false ∗
new_back ↦ₕ Header §Node 4 ∗
new_back.[next] ↦ §Null ∗
new_back.[data] ↦ v ∗
new_back.[index] ↦- ∗
new_back.[estimated_capacity] ↦-
| ∀∀ vs,
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs
>>>
mpmc_bqueue٠push_2 #t #back #new_back @ ↑γ.(mpmc_bqueue_name_inv)
<<<
∃∃ b,
⌜b = bool_decide (length vs < γ.(mpmc_bqueue_name_capacity))⌝ ∗
model₁ γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>.
Lemma mpmc_bqueue٠push𑁒spec t γ ι cap v :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠push #t v @ ↑ι
<<<
∃∃ b,
⌜b = bool_decide (length vs < cap)⌝ ∗
mpmc_bqueue_model γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>.
#[local] Lemma mpmc_bqueue٠pop𑁒spec_aux t γ :
<<<
inv' t γ
| ∀∀ vs,
model₁ γ vs
>>>
mpmc_bqueue٠pop #t @ ↑γ.(mpmc_bqueue_name_inv)
<<<
model₁ γ (tail vs)
| RET head vs;
True
>>>.
Lemma mpmc_bqueue٠pop𑁒spec t γ ι cap :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠pop #t @ ↑ι
<<<
mpmc_bqueue_model γ (tail vs)
| RET head vs;
True
>>>.
End mpmc_bqueue_G.
#[global] Opaque mpmc_bqueue_inv.
#[global] Opaque mpmc_bqueue_model.
End base.
From zoo_saturn Require
mpmc_bqueue__opaque.
Section mpmc_bqueue_G.
Context `{mpmc_bqueue_G : MpmcBqueueG Σ}.
Implicit Types 𝑡 : location.
Implicit Types t : val.
Definition mpmc_bqueue_inv t ι cap : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.mpmc_bqueue_inv 𝑡 γ ι cap.
#[local] Instance : CustomIpat "inv" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hinv{_{}} ) ".
Definition mpmc_bqueue_model t vs : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.mpmc_bqueue_model γ vs.
#[local] Instance : CustomIpat "model" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hmodel{_{}} ) ".
#[global] Instance mpmc_bqueue_model_timeless t vs :
Timeless (mpmc_bqueue_model t vs).
#[global] Instance mpmc_bqueue_inv_persistent t ι cap :
Persistent (mpmc_bqueue_inv t ι cap).
Lemma mpmc_bqueue_model_valid t ι cap vs :
mpmc_bqueue_inv t ι cap -∗
mpmc_bqueue_model t vs -∗
⌜length vs ≤ cap⌝.
Lemma mpmc_bqueue_model_exclusive t vs1 vs2 :
mpmc_bqueue_model t vs1 -∗
mpmc_bqueue_model t vs2 -∗
False.
Lemma mpmc_bqueue٠create𑁒spec ι cap :
(0 ≤ cap)%Z →
{{{
True
}}}
mpmc_bqueue٠create #cap
{{{
t
, RET t;
mpmc_bqueue_inv t ι ₊cap ∗
mpmc_bqueue_model t []
}}}.
Lemma mpmc_bqueue٠capacity𑁒spec t ι cap :
{{{
mpmc_bqueue_inv t ι cap
}}}
mpmc_bqueue٠capacity t
{{{
RET #cap;
True
}}}.
Lemma mpmc_bqueue٠size𑁒spec t ι cap :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠size t @ ↑ι
<<<
mpmc_bqueue_model t vs
| RET #(length vs);
True
>>>.
Lemma mpmc_bqueue٠is_empty𑁒spec t ι cap :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠is_empty t @ ↑ι
<<<
mpmc_bqueue_model t vs
| RET #(bool_decide (vs = []%list));
True
>>>.
Lemma mpmc_bqueue٠push𑁒spec t ι cap v :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠push t v @ ↑ι
<<<
∃∃ b,
⌜b = bool_decide (length vs < cap)⌝ ∗
mpmc_bqueue_model t (if b then vs ++ [v] else vs)
| RET #b;
True
>>>.
Lemma mpmc_bqueue٠pop𑁒spec t ι cap :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠pop t @ ↑ι
<<<
mpmc_bqueue_model t (tail vs)
| RET head vs;
True
>>>.
End mpmc_bqueue_G.
#[global] Opaque mpmc_bqueue_inv.
#[global] Opaque mpmc_bqueue_model.
lib.ghost_map.
From zoo Require Import
prelude.
From zoo.common Require Import
countable
list.
From zoo.iris.bi Require Import
big_op.
From zoo.iris.base_logic Require Import
lib.mono_list
lib.auth_nat_max
lib.twins
lib.saved_pred.
From zoo.language Require Import
notations.
From zoo.program_logic Require Import
prophet_typed.
From zoo.diaframe Require Import
diaframe.
From zoo_std Require Import
domain
option
xtchain.
From zoo_saturn Require Export
base
mpmc_bqueue__code.
From zoo_saturn Require Import
mpmc_bqueue__types.
From zoo Require Import
options.
Implicit Types b : bool.
Implicit Types front node back new_back : location.
Implicit Types hist past nodes : list location.
Implicit Types v : val.
Implicit Types vs : list val.
Implicit Types waiter : gname.
Implicit Types waiters : gmap gname nat.
#[local] Program Definition prophet :=
{|prophet_typed_strong_1_type :=
location
; prophet_typed_strong_1_of_val v _ :=
match v with
| ValLoc l ⇒
Some l
| _ ⇒
None
end
; prophet_typed_strong_1_to_val l :=
(#l, ()%V)
|}.
Solve Obligations of prophet with
try done.
Class MpmcBqueueG Σ `{zoo_G : !ZooG Σ} :=
{ #[local] mpmc_bqueue_G_history_G :: MonoListG Σ location
; #[local] mpmc_bqueue_G_front_G :: AuthNatMaxG Σ
; #[local] mpmc_bqueue_G_model_G :: TwinsG Σ (leibnizO (list val))
; #[local] mpmc_bqueue_G_waiters_G :: ghost_mapG Σ gname nat
; #[local] mpmc_bqueue_G_saved_pred_G :: SavedPredG Σ bool;
}.
Definition mpmc_bqueue_Σ :=
#[mono_list_Σ location
; auth_nat_max_Σ
; twins_Σ (leibnizO (list val))
; ghost_mapΣ gname nat
; saved_pred_Σ bool
].
#[global] Instance subG_mpmc_bqueue_Σ Σ `{zoo_G : !ZooG Σ} :
subG mpmc_bqueue_Σ Σ →
MpmcBqueueG Σ.
Module base.
Section mpmc_bqueue_G.
Context `{mpmc_bqueue_G : MpmcBqueueG Σ}.
Implicit Types t : location.
Record mpmc_bqueue_name :=
{ mpmc_bqueue_name_inv : namespace
; mpmc_bqueue_name_capacity : nat
; mpmc_bqueue_name_history : gname
; mpmc_bqueue_name_front : gname
; mpmc_bqueue_name_model : gname
; mpmc_bqueue_name_waiters : gname
}.
Implicit Types γ : mpmc_bqueue_name.
#[global] Instance mpmc_bqueue_name_eq_dec : EqDecision mpmc_bqueue_name :=
ltac:(solve_decision).
#[global] Instance mpmc_bqueue_name_countable :
Countable mpmc_bqueue_name.
#[local] Definition history_auth' γ_history :=
mono_list_auth γ_history (DfracOwn 1).
#[local] Definition history_auth γ :=
history_auth' γ.(mpmc_bqueue_name_history).
#[local] Definition history_at γ :=
mono_list_at γ.(mpmc_bqueue_name_history).
#[local] Definition front_auth' γ_front :=
auth_nat_max_auth γ_front (DfracOwn 1).
#[local] Definition front_auth γ :=
front_auth' γ.(mpmc_bqueue_name_front).
#[local] Definition front_lb γ :=
auth_nat_max_lb γ.(mpmc_bqueue_name_front).
#[local] Definition model₁' γ_model vs :=
twins_twin1 γ_model (DfracOwn 1) vs.
#[local] Definition model₁ γ :=
model₁' γ.(mpmc_bqueue_name_model).
#[local] Definition model₂' γ_model vs :=
twins_twin2 γ_model vs.
#[local] Definition model₂ γ :=
model₂' γ.(mpmc_bqueue_name_model).
#[local] Definition waiters_auth' γ_waiters :=
ghost_map_auth γ_waiters 1.
#[local] Definition waiters_auth γ :=
waiters_auth' γ.(mpmc_bqueue_name_waiters).
#[local] Definition waiters_at γ waiter :=
ghost_map_elem γ.(mpmc_bqueue_name_waiters) waiter (DfracOwn 1).
#[local] Definition node_model γ node (i : nat) b : iProp Σ :=
node ↦ₕ Header §Node 4 ∗
node.[index] ↦□ #i ∗
history_at γ i node ∗
if b then front_lb γ i else True%I.
#[local] Instance : CustomIpat "node_model" :=
" ( #H{}_header & #H{}_index & #Hhistory_at_{} & {{front}#Hfront_lb_{};_} ) ".
#[local] Definition waiter_au γ (Ψ : bool → iProp Σ) : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(mpmc_bqueue_name_inv), ∅ <{
model₁ γ vs
, COMM
Ψ (bool_decide (vs = []))
}>.
#[local] Definition waiter_model γ past waiter i : iProp Σ :=
∃ Ψ,
saved_pred waiter Ψ ∗
if decide (i < length past) then
Ψ false
else
waiter_au γ Ψ.
#[local] Definition inv_inner t γ : iProp Σ :=
∃ hist past front nodes back vs waiters,
⌜hist = past ++ front :: nodes⌝ ∗
⌜back ∈ hist⌝ ∗
t.[front] ↦ #front ∗
t.[back] ↦ #back ∗
xtchain (Header §Node 4) (DfracOwn 1) hist §Null ∗
( [∗ list] node; v ∈ nodes; vs,
node.[data] ↦ v
) ∗
( [∗ list] i ↦ node ∈ hist,
node.[index] ↦□ #i
) ∗
( [∗ list] i ↦ node ∈ hist,
∃ cap : nat,
node.[estimated_capacity] ↦ #cap ∗
⌜i + cap ≤ length past + γ.(mpmc_bqueue_name_capacity)⌝
) ∗
history_auth γ hist ∗
front_auth γ (length past) ∗
model₂ γ vs ∗
waiters_auth γ waiters ∗
( [∗ map] waiter ↦ i ∈ waiters,
waiter_model γ past waiter i
).
#[local] Instance : CustomIpat "inv_inner" :=
" ( %hist{} & %past{} & %front{} & %nodes{} & %back{} & %vs{} & %waiters{} & >%Hhist{} & >%Hback{} & >Ht_front & >Ht_back & >Hhist & >Hnodes & >Hindices & >Hcapacities & >Hhistory_auth & >Hfront_auth & >Hmodel₂ & >Hwaiters_auth & Hwaiters ) ".
#[local] Definition inv' t γ :=
inv γ.(mpmc_bqueue_name_inv) (inv_inner t γ).
Definition mpmc_bqueue_inv t γ ι cap : iProp Σ :=
⌜ι = γ.(mpmc_bqueue_name_inv)⌝ ∗
⌜cap = γ.(mpmc_bqueue_name_capacity)⌝ ∗
t.[capacity] ↦□ #cap ∗
inv' t γ.
#[local] Instance : CustomIpat "inv" :=
" ( -> & -> & #Ht_capacity & #Hinv ) ".
Definition mpmc_bqueue_model γ vs : iProp Σ :=
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs.
#[local] Instance : CustomIpat "model" :=
" ( % & Hmodel₁{_{}} ) ".
#[global] Instance mpmc_bqueue_model_timeless γ vs :
Timeless (mpmc_bqueue_model γ vs).
#[global] Instance mpmc_bqueue_inv_persistent t γ ι cap :
Persistent (mpmc_bqueue_inv t γ ι cap).
#[local] Lemma history_alloc front :
⊢ |==>
∃ γ_history,
history_auth' γ_history [front].
#[local] Lemma history_at_get {γ hist} i node :
hist !! i = Some node →
history_auth γ hist ⊢
history_at γ i node.
#[local] Lemma history_at_agree γ i node1 node2 :
history_at γ i node1 -∗
history_at γ i node2 -∗
⌜node1 = node2⌝.
#[local] Lemma history_at_lookup γ hist i node :
history_auth γ hist -∗
history_at γ i node -∗
⌜hist !! i = Some node⌝.
#[local] Lemma history_at_elem_of γ hist i node :
history_auth γ hist -∗
history_at γ i node -∗
⌜node ∈ hist⌝.
#[local] Lemma history_update {γ hist} node :
history_auth γ hist ⊢ |==>
history_auth γ (hist ++ [node]) ∗
history_at γ (length hist) node.
#[local] Lemma front_alloc :
⊢ |==>
∃ γ_front,
front_auth' γ_front 0.
#[local] Lemma front_lb_get γ i :
front_auth γ i ⊢
front_lb γ i.
#[local] Lemma front_lb_valid γ i1 i2 :
front_auth γ i1 -∗
front_lb γ i2 -∗
⌜i2 ≤ i1⌝.
#[local] Lemma front_update {γ i} i' :
i ≤ i' →
front_auth γ i ⊢ |==>
front_auth γ i'.
#[local] Lemma model_alloc :
⊢ |==>
∃ γ_model,
model₁' γ_model [] ∗
model₂' γ_model [].
#[local] Lemma model₁_exclusive γ vs1 vs2 :
model₁ γ vs1 -∗
model₁ γ vs2 -∗
False.
#[local] Lemma model_agree γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 = vs2⌝.
#[local] Lemma model_update {γ vs1 vs2} vs :
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
model₁ γ vs ∗
model₂ γ vs.
#[local] Lemma waiters_alloc :
⊢ |==>
∃ γ_waiters,
waiters_auth' γ_waiters ∅.
#[local] Lemma waiters_insert {γ waiters} i Ψ :
waiters_auth γ waiters ⊢ |==>
∃ waiter,
waiters_auth γ (<[waiter := i]> waiters) ∗
saved_pred waiter Ψ ∗
waiters_at γ waiter i.
#[local] Lemma waiters_delete γ waiters waiter i :
waiters_auth γ waiters -∗
waiters_at γ waiter i ==∗
⌜waiters !! waiter = Some i⌝ ∗
waiters_auth γ (delete waiter waiters).
Lemma mpmc_bqueue_model_valid t γ ι cap vs :
mpmc_bqueue_inv t γ ι cap -∗
mpmc_bqueue_model γ vs -∗
⌜length vs ≤ cap⌝.
Lemma mpmc_bqueue_model_exclusive γ vs1 vs2 :
mpmc_bqueue_model γ vs1 -∗
mpmc_bqueue_model γ vs2 -∗
False.
Lemma mpmc_bqueue٠create𑁒spec ι cap :
(0 ≤ cap)%Z →
{{{
True
}}}
mpmc_bqueue٠create #cap
{{{
t γ
, RET #t;
meta_token t ⊤ ∗
mpmc_bqueue_inv t γ ι ₊cap ∗
mpmc_bqueue_model γ []
}}}.
Lemma mpmc_bqueue٠capacity𑁒spec t γ ι cap :
{{{
mpmc_bqueue_inv t γ ι cap
}}}
mpmc_bqueue٠capacity #t
{{{
RET #cap;
True
}}}.
#[local] Lemma front𑁒spec_strong Ψ t γ :
{{{
inv' t γ ∗
if Ψ is Some Ψ then
waiter_au γ Ψ
else
True
}}}
(#t).{front}
{{{
front i
, RET #front;
node_model γ front i true ∗
if Ψ is Some Ψ then
∃ waiter,
saved_pred waiter Ψ ∗
waiters_at γ waiter i
else
True
}}}.
#[local] Lemma front𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{front}
{{{
front i
, RET #front;
node_model γ front i true
}}}.
#[local] Lemma back𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{back}
{{{
back i
, RET #back;
node_model γ back i false
}}}.
Variant operation :=
| Size (i_front : nat) (Ψ : val → iProp Σ)
| IsEmpty waiter (Ψ : bool → iProp Σ)
| Pop (Ψ : option val → iProp Σ)
| Other.
Implicit Types op : operation.
Variant operation' :=
| Size'
| IsEmpty'
| Pop'
| Other'.
#[local] Instance operation'_eq_dec : EqDecision operation' :=
ltac:(solve_decision).
#[local] Coercion operation_to_operation' op :=
match op with
| Size _ _ ⇒
Size'
| IsEmpty _ _ ⇒
IsEmpty'
| Pop _ ⇒
Pop'
| Other ⇒
Other'
end.
#[local] Definition size_au γ Ψ : iProp Σ :=
AU <{
∃∃ vs,
mpmc_bqueue_model γ vs
}> @ ⊤ ∖ ↑γ.(mpmc_bqueue_name_inv), ∅ <{
mpmc_bqueue_model γ vs
, COMM
True -∗ Ψ #(length vs)
}>.
#[local] Definition pop_au γ (Ψ : option val → iProp Σ) : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(mpmc_bqueue_name_inv), ∅ <{
model₁ γ (tail vs)
, COMM
True -∗ Ψ (head vs)
}>.
#[local] Lemma next𑁒spec_aux (next : option location) op t γ i node :
{{{
inv' t γ ∗
history_at γ i node ∗
from_option (history_at γ (S i)) True next ∗
match op with
| Size i_front Ψ ⇒
front_lb γ i_front ∗
size_au γ Ψ
| IsEmpty waiter Ψ ⇒
front_lb γ i ∗
saved_pred waiter Ψ ∗
waiters_at γ waiter i ∗
£ 1
| Pop Ψ ⇒
front_lb γ i ∗
pop_au γ Ψ
| Other ⇒
True
end
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
from_option (const False) True next ∗
match op with
| Size i_front Ψ ⇒
Ψ #(i - i_front)
∨ ∃ i_front',
front_lb γ i_front' ∗
⌜i_front < i_front'⌝ ∗
size_au γ Ψ
| IsEmpty waiter Ψ ⇒
Ψ true
| Pop Ψ ⇒
Ψ None
| _ ⇒
True
end
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
⌜from_option (node' =.) True next⌝ ∗
match op with
| Size _ Ψ ⇒
size_au γ Ψ
| IsEmpty waiter Ψ ⇒
Ψ false
| Pop Ψ ⇒
pop_au γ Ψ
| Other ⇒
True
end
}}}.
#[local] Lemma next𑁒spec {t γ i} node :
{{{
inv' t γ ∗
history_at γ i node
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false
}}}.
#[local] Lemma next𑁒spec' {t γ i} node next :
{{{
inv' t γ ∗
history_at γ i node ∗
history_at γ (S i) next
}}}
(#node).{next}
{{{
RET #next;
node_model γ next (S i) false
}}}.
#[local] Lemma next𑁒spec_size {t γ i node} i_front Ψ :
{{{
inv' t γ ∗
history_at γ i node ∗
front_lb γ i_front ∗
size_au γ Ψ
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
( Ψ #(i - i_front)
∨ ∃ i_front',
front_lb γ i_front' ∗
⌜i_front < i_front'⌝ ∗
size_au γ Ψ
)
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
size_au γ Ψ
}}}.
#[local] Lemma next𑁒spec_is_empty {t γ i node} waiter Ψ :
{{{
inv' t γ ∗
history_at γ i node ∗
front_lb γ i ∗
saved_pred waiter Ψ ∗
waiters_at γ waiter i ∗
£ 1
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
Ψ true
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
Ψ false
}}}.
#[local] Lemma next𑁒spec_pop {t γ i node} Ψ :
{{{
inv' t γ ∗
history_at γ i node ∗
front_lb γ i ∗
pop_au γ Ψ
}}}
(#node).{next}
{{{
res
, RET res;
⌜res = §Null%V⌝ ∗
Ψ None
∨ ∃ node',
⌜res = #node'⌝ ∗
node_model γ node' (S i) false ∗
pop_au γ Ψ
}}}.
Lemma mpmc_bqueue٠size𑁒spec t γ ι cap :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠size #t @ ↑ι
<<<
mpmc_bqueue_model γ vs
| RET #(length vs);
True
>>>.
Lemma mpmc_bqueue٠is_empty𑁒spec t γ ι cap :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠is_empty #t @ ↑ι
<<<
mpmc_bqueue_model γ vs
| RET #(bool_decide (vs = []%list));
True
>>>.
#[local] Lemma mpmc_bqueue٠fix_back𑁒spec {t γ} i {back} j new_back :
{{{
inv' t γ ∗
history_at γ i back ∗
node_model γ new_back j false
}}}
mpmc_bqueue٠fix_back #t #back #new_back
{{{
RET ();
True
}}}.
#[local] Lemma mpmc_bqueue٠push_1_push_2𑁒spec t γ new_back v :
⊢ (
∀ back i_back i_front (cap : Z),
<<<
t.[capacity] ↦□ #γ.(mpmc_bqueue_name_capacity) ∗
inv' t γ ∗
node_model γ back i_back false ∗
front_lb γ i_front ∗
⌜0 ≤ cap⌝%Z ∗
⌜i_back + cap ≤ i_front + γ.(mpmc_bqueue_name_capacity)⌝%Z ∗
new_back ↦ₕ Header §Node 4 ∗
new_back.[next] ↦ §Null ∗
new_back.[data] ↦ v ∗
new_back.[index] ↦- ∗
new_back.[estimated_capacity] ↦-
| ∀∀ vs,
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs
>>>
mpmc_bqueue٠push_1 #t #back #cap #new_back @ ↑γ.(mpmc_bqueue_name_inv)
<<<
∃∃ b,
⌜b = bool_decide (length vs < γ.(mpmc_bqueue_name_capacity))⌝ ∗
model₁ γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>
) ∧ (
∀ back i_back,
<<<
t.[capacity] ↦□ #γ.(mpmc_bqueue_name_capacity) ∗
inv' t γ ∗
node_model γ back i_back false ∗
new_back ↦ₕ Header §Node 4 ∗
new_back.[next] ↦ §Null ∗
new_back.[data] ↦ v ∗
new_back.[index] ↦- ∗
new_back.[estimated_capacity] ↦-
| ∀∀ vs,
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs
>>>
mpmc_bqueue٠push_2 #t #back #new_back @ ↑γ.(mpmc_bqueue_name_inv)
<<<
∃∃ b,
⌜b = bool_decide (length vs < γ.(mpmc_bqueue_name_capacity))⌝ ∗
model₁ γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>
).
#[local] Lemma mpmc_bqueue٠push_2𑁒spec t γ back i_back new_back v :
<<<
t.[capacity] ↦□ #γ.(mpmc_bqueue_name_capacity) ∗
inv' t γ ∗
node_model γ back i_back false ∗
new_back ↦ₕ Header §Node 4 ∗
new_back.[next] ↦ §Null ∗
new_back.[data] ↦ v ∗
new_back.[index] ↦- ∗
new_back.[estimated_capacity] ↦-
| ∀∀ vs,
⌜length vs ≤ γ.(mpmc_bqueue_name_capacity)⌝ ∗
model₁ γ vs
>>>
mpmc_bqueue٠push_2 #t #back #new_back @ ↑γ.(mpmc_bqueue_name_inv)
<<<
∃∃ b,
⌜b = bool_decide (length vs < γ.(mpmc_bqueue_name_capacity))⌝ ∗
model₁ γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>.
Lemma mpmc_bqueue٠push𑁒spec t γ ι cap v :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠push #t v @ ↑ι
<<<
∃∃ b,
⌜b = bool_decide (length vs < cap)⌝ ∗
mpmc_bqueue_model γ (if b then vs ++ [v] else vs)
| RET #b;
True
>>>.
#[local] Lemma mpmc_bqueue٠pop𑁒spec_aux t γ :
<<<
inv' t γ
| ∀∀ vs,
model₁ γ vs
>>>
mpmc_bqueue٠pop #t @ ↑γ.(mpmc_bqueue_name_inv)
<<<
model₁ γ (tail vs)
| RET head vs;
True
>>>.
Lemma mpmc_bqueue٠pop𑁒spec t γ ι cap :
<<<
mpmc_bqueue_inv t γ ι cap
| ∀∀ vs,
mpmc_bqueue_model γ vs
>>>
mpmc_bqueue٠pop #t @ ↑ι
<<<
mpmc_bqueue_model γ (tail vs)
| RET head vs;
True
>>>.
End mpmc_bqueue_G.
#[global] Opaque mpmc_bqueue_inv.
#[global] Opaque mpmc_bqueue_model.
End base.
From zoo_saturn Require
mpmc_bqueue__opaque.
Section mpmc_bqueue_G.
Context `{mpmc_bqueue_G : MpmcBqueueG Σ}.
Implicit Types 𝑡 : location.
Implicit Types t : val.
Definition mpmc_bqueue_inv t ι cap : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.mpmc_bqueue_inv 𝑡 γ ι cap.
#[local] Instance : CustomIpat "inv" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hinv{_{}} ) ".
Definition mpmc_bqueue_model t vs : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.mpmc_bqueue_model γ vs.
#[local] Instance : CustomIpat "model" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hmodel{_{}} ) ".
#[global] Instance mpmc_bqueue_model_timeless t vs :
Timeless (mpmc_bqueue_model t vs).
#[global] Instance mpmc_bqueue_inv_persistent t ι cap :
Persistent (mpmc_bqueue_inv t ι cap).
Lemma mpmc_bqueue_model_valid t ι cap vs :
mpmc_bqueue_inv t ι cap -∗
mpmc_bqueue_model t vs -∗
⌜length vs ≤ cap⌝.
Lemma mpmc_bqueue_model_exclusive t vs1 vs2 :
mpmc_bqueue_model t vs1 -∗
mpmc_bqueue_model t vs2 -∗
False.
Lemma mpmc_bqueue٠create𑁒spec ι cap :
(0 ≤ cap)%Z →
{{{
True
}}}
mpmc_bqueue٠create #cap
{{{
t
, RET t;
mpmc_bqueue_inv t ι ₊cap ∗
mpmc_bqueue_model t []
}}}.
Lemma mpmc_bqueue٠capacity𑁒spec t ι cap :
{{{
mpmc_bqueue_inv t ι cap
}}}
mpmc_bqueue٠capacity t
{{{
RET #cap;
True
}}}.
Lemma mpmc_bqueue٠size𑁒spec t ι cap :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠size t @ ↑ι
<<<
mpmc_bqueue_model t vs
| RET #(length vs);
True
>>>.
Lemma mpmc_bqueue٠is_empty𑁒spec t ι cap :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠is_empty t @ ↑ι
<<<
mpmc_bqueue_model t vs
| RET #(bool_decide (vs = []%list));
True
>>>.
Lemma mpmc_bqueue٠push𑁒spec t ι cap v :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠push t v @ ↑ι
<<<
∃∃ b,
⌜b = bool_decide (length vs < cap)⌝ ∗
mpmc_bqueue_model t (if b then vs ++ [v] else vs)
| RET #b;
True
>>>.
Lemma mpmc_bqueue٠pop𑁒spec t ι cap :
<<<
mpmc_bqueue_inv t ι cap
| ∀∀ vs,
mpmc_bqueue_model t vs
>>>
mpmc_bqueue٠pop t @ ↑ι
<<<
mpmc_bqueue_model t (tail vs)
| RET head vs;
True
>>>.
End mpmc_bqueue_G.
#[global] Opaque mpmc_bqueue_inv.
#[global] Opaque mpmc_bqueue_model.