Library zoo_saturn.ws_deque_1
From zoo Require Import
prelude.
From zoo.common Require Import
countable
function
list
relations.
From zoo.iris.bi Require Import
big_op.
From zoo.iris.base_logic Require Import
lib.auth_nat_max
lib.auth_twins
lib.excl
lib.mono_gmultiset
lib.mono_list
lib.twins.
From zoo.language Require Import
notations.
From zoo.program_logic Require Import
identifier
prophet_identifier
prophet_multi.
From zoo.diaframe Require Import
diaframe.
From zoo_std Require Import
array
domain
option.
From zoo_saturn Require Export
base
ws_deque_1__code.
From zoo_saturn Require Import
ws_deque_1__types.
From zoo Require Import
options.
Implicit Types b : bool.
Implicit Types front back : nat.
Implicit Types id : prophet_id.
Implicit Types v : val.
Implicit Types us vs ws hist priv : list val.
Implicit Types datas : gmultiset val.
Implicit Types past prophs : list prophet_identifier.(prophet_typed_type).
Implicit Types pasts prophss : nat → list prophet_identifier.(prophet_typed_type).
Variant state :=
| Empty
| Nonempty
| Emptyish
| Superempty.
Implicit Types state : state.
#[local] Instance state_inhabited : Inhabited state :=
populate Empty.
Variant stability :=
| Stable
| Unstable.
Implicit Types stable : stability.
#[local] Instance stability_inhabited : Inhabited stability :=
populate Stable.
Class WsDeque1G Σ `{zoo_G : !ZooG Σ} :=
{ #[local] ws_deque_1_G_prophet_G :: ProphetMultiG Σ prophet_identifier
; #[local] ws_deque_1_G_model_G :: AuthTwinsG Σ (leibnizO (list val)) suffix
; #[local] ws_deque_1_G_owner_G :: TwinsG Σ (leibnizO (stability × nat × val × nat))
; #[local] ws_deque_1_G_front_G :: AuthNatMaxG Σ
; #[local] ws_deque_1_G_history_G :: MonoListG Σ val
; #[local] ws_deque_1_G_winner_G :: TwinsG Σ (natO × leibnizO (option val) × ▶ ∙)
; #[local] ws_deque_1_G_datas_G :: MonoGmultisetG Σ val
}.
Definition ws_deque_1_Σ :=
#[prophet_multi_Σ prophet_identifier
; auth_twins_Σ (leibnizO (list val)) suffix
; twins_Σ (leibnizO (stability × nat × val × nat))
; auth_nat_max_Σ
; mono_list_Σ val
; twins_Σ (natO × leibnizO (option val) × ▶ ∙)
; mono_gmultiset_Σ val
].
#[global] Instance subG_ws_deque_1_Σ Σ `{zoo_G : !ZooG Σ} :
subG ws_deque_1_Σ Σ →
WsDeque1G Σ .
#[local] Definition min_capacity :=
val_to_nat' ws_deque_1٠min_capacity.
#[local] Lemma min_capacity_nonzero :
0 < min_capacity.
#[local] Hint Resolve
min_capacity_nonzero
: core.
#[local] Lemma ws_deque_1_min_capacity :
ws_deque_1٠min_capacity = #min_capacity.
Opaque ws_deque_1__code.ws_deque_1٠min_capacity.
Opaque min_capacity.
Module base.
Section ws_deque_1_G.
Context `{ws_deque_1_G : WsDeque1G Σ}.
Implicit Types t : location.
Implicit Types P : iProp Σ.
Record ws_deque_1_name :=
{ ws_deque_1_name_inv : namespace
; ws_deque_1_name_prophet : prophet_id
; ws_deque_1_name_prophet_name : prophet_multi_name
; ws_deque_1_name_model : auth_twins_name
; ws_deque_1_name_owner : gname
; ws_deque_1_name_front : gname
; ws_deque_1_name_history : gname
; ws_deque_1_name_winner : gname
; ws_deque_1_name_datas : gname
}.
Implicit Types γ : ws_deque_1_name.
#[global] Instance ws_deque_1_name_eq_dec : EqDecision ws_deque_1_name :=
ltac:(solve_decision).
#[global] Instance ws_deque_1_name_countable :
Countable ws_deque_1_name.
#[local] Definition model₁' γ_model vs :=
auth_twins_twin1 _ γ_model vs.
#[local] Definition model₁ γ :=
model₁' γ.(ws_deque_1_name_model).
#[local] Definition model₂' γ_model vs :=
auth_twins_twin2 _ γ_model vs.
#[local] Definition model₂ γ :=
model₂' γ.(ws_deque_1_name_model).
#[local] Definition owner₁' γ_owner γ_model stable back data cap ws : iProp Σ :=
twins_twin1 (twins_G := ws_deque_1_G_owner_G) γ_owner (DfracOwn 1) (stable, back, data, cap) ∗
auth_twins_auth _ γ_model ws.
#[local] Definition owner₁ γ :=
owner₁' γ.(ws_deque_1_name_owner) γ.(ws_deque_1_name_model).
#[local] Instance : CustomIpat "owner₁" :=
" ( Howner₁{_{}} & Hmodel_auth{_{}} ) ".
#[local] Definition owner₂' γ_owner stable back data cap :=
twins_twin2 (twins_G := ws_deque_1_G_owner_G) γ_owner (stable, back, data, cap).
#[local] Definition owner₂ γ :=
owner₂' γ.(ws_deque_1_name_owner).
#[local] Definition front_auth' γ_front :=
auth_nat_max_auth γ_front (DfracOwn 1).
#[local] Definition front_auth γ :=
front_auth' γ.(ws_deque_1_name_front).
#[local] Definition front_lb γ :=
auth_nat_max_lb γ.(ws_deque_1_name_front).
#[local] Definition history_auth' γ_history :=
mono_list_auth γ_history (DfracOwn 1).
#[local] Definition history_auth γ :=
history_auth' γ.(ws_deque_1_name_history).
#[local] Definition history_at γ :=
mono_list_at γ.(ws_deque_1_name_history).
#[local] Definition winner_pop' γ_winner front (data : option val) P : iProp Σ :=
twins_twin1 γ_winner (DfracOwn 1) (front, data, Next P).
#[local] Definition winner_pop γ :=
winner_pop' γ.(ws_deque_1_name_winner).
#[local] Definition winner_steal' γ_winner front (data : option val) P :=
twins_twin2 γ_winner (front, data, Next P).
#[local] Definition winner_steal γ :=
winner_steal' γ.(ws_deque_1_name_winner).
#[local] Definition winner γ : iProp Σ :=
∃ front data P1 P2,
winner_pop γ front data P1 ∗
winner_steal γ front data P2.
#[local] Instance : CustomIpat "winner" :=
" ( %front_winner & %data_winner & %P1 & %P2 & Hwinner_pop{_{}} & Hwinner_steal{_{}} ) ".
#[local] Definition datas_auth' γ_datas :=
mono_gmultiset_auth γ_datas (DfracOwn 1).
#[local] Definition datas_auth γ :=
datas_auth' γ.(ws_deque_1_name_datas).
#[local] Definition datas_elem' γ_datas :=
mono_gmultiset_elem γ_datas.
#[local] Definition datas_elem γ :=
datas_elem' γ.(ws_deque_1_name_datas).
#[local] Definition data_model data : iProp Σ :=
∃ cap i vs,
array_cslice data cap i DfracDiscarded vs ∗
⌜0 < cap⌝ ∗
⌜length vs = cap⌝.
#[local] Instance : CustomIpat "data_model" :=
" ( %cap_data{} & %i_data{} & %vs_data{} & Hdata{}_cslice & %Hcap_data{} & %Hvs_data{} ) ".
#[local] Definition winner_au γ front P : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(ws_deque_1_name_inv), ∅ <{
∀∀ v vs',
⌜vs = v :: vs'⌝ ∗
model₁ γ vs' ∗
history_at γ front v
, COMM
P
}>.
#[local] Definition winner_model_1 γ front data data_winner : iProp Σ :=
⌜data = data_winner⌝
∨ ∃ cap_winner v,
array_cslice data_winner cap_winner front DfracDiscarded [v] ∗
history_at γ front v.
#[local] Instance : CustomIpat "winner_model_1" :=
" [ -> | ( %cap & %v_ & Hdata_cslice & Hhistory_at_ ) ] ".
#[local] Definition winner_model_2 γ front data data_winner P : iProp Σ :=
winner_steal γ front (Some data_winner) P ∗
winner_model_1 γ front data data_winner.
#[local] Instance : CustomIpat "winner_model_2" :=
" ( Hwinner_steal{_{!}} & Hwinner ) ".
#[local] Definition winner_pending_1 γ front data data_winner P id : iProp Σ :=
winner_model_2 γ front data data_winner P ∗
identifier_model' id ∗
winner_au γ front P.
#[local] Instance : CustomIpat "winner_pending_1" :=
" ( (:winner_model_2) & Hid{_{!}} & HP ) ".
#[local] Definition winner_pending_2 γ front data id : iProp Σ :=
∃ data_winner P,
winner_pending_1 γ front data data_winner P id.
#[local] Instance : CustomIpat "winner_pending_2" :=
" ( %data_winner & %P{} & (:winner_pending_1) ) ".
#[local] Definition winner_linearized_1 γ front data data_winner P : iProp Σ :=
winner_model_2 γ front data data_winner P ∗
P.
#[local] Instance : CustomIpat "winner_linearized_1" :=
" ( (:winner_model_2) & HP ) ".
#[local] Definition winner_linearized_2 γ front data P : iProp Σ :=
∃ data_winner,
winner_linearized_1 γ front data data_winner P.
#[local] Instance : CustomIpat "winner_linearized_2" :=
" ( %data_winner & (:winner_linearized_1) ) ".
#[local] Definition inv_state_empty γ stable front back hist : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_empty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_nonempty γ stable front back data hist vs prophs : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant vs) ∗
( winner γ
∨ match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_2 γ front data id
end
).
#[local] Instance : CustomIpat "inv_state_nonempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner ) ".
#[local] Definition inv_state_nonempty_steal γ state stable front back data hist vs prophs data_winner P : iProp Σ :=
⌜state = Nonempty⌝ ∗
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant vs) ∗
match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_1 γ front data data_winner P id
end.
#[local] Instance : CustomIpat "inv_state_nonempty_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner ) ".
#[local] Definition inv_state_emptyish γ stable front back data hist priv : iProp Σ :=
∃ P,
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant priv) ∗
( winner_pop γ front None P
∨ winner_linearized_2 γ front data P
).
#[local] Instance : CustomIpat "inv_state_emptyish" :=
" ( %P_ & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner ) ".
#[local] Definition inv_state_emptyish_pop γ state stable front back hist priv P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant priv) ∗
winner_pop γ front None P.
#[local] Instance : CustomIpat "inv_state_emptyish_pop" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner_pop ) ".
#[local] Definition inv_state_emptyish_steal γ state stable front back data hist priv data_winner P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant priv) ∗
winner_linearized_1 γ front data data_winner P.
#[local] Instance : CustomIpat "inv_state_emptyish_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & #Hhistory_at_front{} & (:winner_linearized_1) ) ".
#[local] Definition inv_state_superempty γ stable front back hist : iProp Σ :=
⌜stable = Unstable⌝ ∗
⌜front = S back⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_superempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state γ state stable front back data hist vs priv prophs : iProp Σ :=
match state with
| Empty ⇒
inv_state_empty γ stable front back hist
| Nonempty ⇒
inv_state_nonempty γ stable front back data hist vs prophs
| Emptyish ⇒
inv_state_emptyish γ stable front back data hist priv
| Superempty ⇒
inv_state_superempty γ stable front back hist
end.
#[local] Definition inv_inner t γ : iProp Σ :=
∃ state stable front back data cap hist vs priv datas pasts prophss,
t.[front] ↦ #front ∗
t.[back] ↦ #back ∗
t.[data] ↦ data ∗
owner₂ γ stable back data cap ∗
front_auth γ front ∗
⌜0 < front⌝ ∗
model₂ γ vs ∗
⌜length vs = back - front⌝ ∗
array_cslice data cap front (DfracOwn (1/2)) (vs ++ priv) ∗
⌜0 < cap⌝ ∗
⌜(length vs + length priv)%nat = cap⌝ ∗
history_auth γ hist ∗
datas_auth γ ({[+data+]} ⊎ datas) ∗
([∗ mset] data ∈ datas, data_model data) ∗
prophet_multi_model prophet_identifier γ.(ws_deque_1_name_prophet) γ.(ws_deque_1_name_prophet_name) pasts prophss ∗
⌜∀ i, front ≤ i → pasts i = []⌝ ∗
inv_state γ state stable front back data hist vs priv (prophss front).
#[local] Instance : CustomIpat "inv_inner" :=
" ( %state{} & %stable{} & %front{} & %back{} & %data{} & %cap{} & %hist{} & %vs{} & %priv{} & %datas{} & %pasts{} & %prophss{} & >Ht_front & >Ht_back & >Ht_data & >Howner₂ & >Hfront_auth & >%Hfront{} & >Hmodel₂ & >%Hvs{} & >Hdata{}_cslice₁ & >%Hcap{} & >%Hdata{} & >Hhistory_auth & >Hdatas_auth & >Hdatas & >Hprophet_model & >%Hpasts{} & Hstate ) ".
#[local] Definition inv' t γ : iProp Σ :=
t.[proph] ↦□ #γ.(ws_deque_1_name_prophet) ∗
inv γ.(ws_deque_1_name_inv) (inv_inner t γ).
#[local] Instance : CustomIpat "inv'" :=
" ( #Ht_proph & #Hinv ) ".
Definition ws_deque_1_inv t γ ι : iProp Σ :=
⌜ι = γ.(ws_deque_1_name_inv)⌝ ∗
inv' t γ.
#[local] Instance : CustomIpat "inv" :=
" ( -> & (:inv') ) ".
Definition ws_deque_1_model :=
model₁.
#[local] Instance : CustomIpat "model" :=
" Hmodel₁{_{}} ".
#[local] Definition owner' γ stable back data cap ws i us : iProp Σ :=
owner₁ γ stable back data cap ws ∗
array_cslice data cap i (DfracOwn (1/2)) us ∗
⌜0 < cap⌝ ∗
⌜length us = cap⌝.
#[local] Instance : CustomIpat "owner'" :=
" ( Howner₁{_{}} & Hdata_cslice₂{_{}} & { {!} _ ; %Hcap{} ; %Hcap } & { {!} _ ; %Hus{} ; %Hus } ) ".
Definition ws_deque_1_owner γ ws : iProp Σ :=
∃ back data cap i us,
owner' γ Stable back data cap ws i us.
#[local] Instance : CustomIpat "owner" :=
" ( %back{} & %data{} & %cap{} & %i{} & %us{} & Howner{_{}} ) ".
#[global] Instance ws_deque_1_model_timeless γ vs :
Timeless (ws_deque_1_model γ vs).
#[global] Instance ws_deque_1_owner_timeless γ ws :
Timeless (ws_deque_1_owner γ ws).
#[global] Instance ws_deque_1_inv_persistent t γ ι :
Persistent (ws_deque_1_inv t γ ι).
#[local] Lemma model_owner_alloc data cap :
⊢ |==>
∃ γ_model γ_owner,
model₁' γ_model [] ∗
model₂' γ_model [] ∗
owner₁' γ_owner γ_model Stable 1 data cap [] ∗
owner₂' γ_owner Stable 1 data cap.
#[local] Lemma model₁_valid γ stable back data cap ws vs :
owner₁ γ stable back data cap ws -∗
model₁ γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma model₁_exclusive γ vs1 vs2 :
model₁ γ vs1 -∗
model₁ γ vs2 -∗
False.
#[local] Lemma model_agree γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 = vs2⌝.
#[local] Lemma model_owner₁_agree γ stable back data cap ws vs1 vs2 :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 `suffix_of` ws⌝ ∗
⌜vs1 = vs2⌝.
#[local] Lemma model_empty {γ stable back data cap ws vs1 vs2} :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap [] ∗
model₁ γ [] ∗
model₂ γ [].
#[local] Lemma model_push {γ stable back data cap ws vs1 vs2} v :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap (vs1 ++ [v]) ∗
model₁ γ (vs1 ++ [v]) ∗
model₂ γ (vs1 ++ [v]).
#[local] Lemma model_steal γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
model₁ γ (tail vs1) ∗
model₂ γ (tail vs1).
#[local] Lemma model_pop γ stable back data cap ws vs1 vs2 :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap (removelast vs1) ∗
model₁ γ (removelast vs1) ∗
model₂ γ (removelast vs1).
#[local] Lemma model_pop' γ stable back data cap ws vs1 v vs2 :
owner₁ γ stable back data cap ws -∗
model₁ γ (vs1 ++ [v]) -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap vs1 ∗
model₁ γ vs1 ∗
model₂ γ vs1.
#[local] Lemma owner₁_exclusive γ stable1 back1 data1 cap1 ws1 stable2 back2 data2 cap2 ws2 :
owner₁ γ stable1 back1 data1 cap1 ws1 -∗
owner₁ γ stable2 back2 data2 cap2 ws2 -∗
False.
#[local] Lemma owner_agree γ stable1 back1 data1 cap1 ws stable2 back2 data2 cap2 :
owner₁ γ stable1 back1 data1 cap1 ws -∗
owner₂ γ stable2 back2 data2 cap2 -∗
⌜stable1 = stable2⌝ ∗
⌜back1 = back2⌝ ∗
⌜data1 = data2⌝ ∗
⌜cap1 = cap2⌝.
#[local] Lemma owner₁_update γ stable back data cap ws vs :
owner₁ γ stable back data cap ws -∗
model₁ γ vs -∗
model₂ γ vs ==∗
owner₁ γ stable back data cap vs ∗
model₁ γ vs ∗
model₂ γ vs.
#[local] Lemma owner_update {γ stable1 back1 data1 cap1 ws stable2 back2 data2 cap2} stable back data cap :
owner₁ γ stable1 back1 data1 cap1 ws -∗
owner₂ γ stable2 back2 data2 cap2 ==∗
owner₁ γ stable back data cap ws ∗
owner₂ γ stable back data cap.
#[local] Lemma front_alloc :
⊢ |==>
∃ γ_front,
front_auth' γ_front 1.
#[local] Lemma front_lb_get γ front :
front_auth γ front ⊢
front_lb γ front.
#[local] Lemma front_lb_le {γ front} front' :
front' ≤ front →
front_lb γ front ⊢
front_lb γ front'.
#[local] Lemma front_lb_valid γ front1 front2 :
front_auth γ front1 -∗
front_lb γ front2 -∗
⌜front2 ≤ front1⌝.
#[local] Lemma front_update γ front :
front_auth γ front ⊢ |==>
front_auth γ (S front).
#[local] Lemma history_alloc :
⊢ |==>
∃ γ_hist,
history_auth' γ_hist [()%V].
#[local] Lemma history_at_get {γ hist v} i :
i = length hist →
history_auth γ (hist ++ [v]) ⊢
history_at γ i v.
#[local] Lemma history_at_lookup γ hist i v :
history_auth γ hist -∗
history_at γ i v -∗
⌜hist !! i = Some v⌝.
#[local] Lemma history_at_agree γ i v1 v2 :
history_at γ i v1 -∗
history_at γ i v2 -∗
⌜v1 = v2⌝.
#[local] Lemma history_update {γ hist} i v :
i = length hist →
history_auth γ hist ⊢ |==>
history_auth γ (hist ++ [v]) ∗
history_at γ i v.
#[local] Lemma winner_alloc :
⊢ |==>
∃ γ_winner,
winner_pop' γ_winner 1 None True ∗
winner_steal' γ_winner 1 None True.
#[local] Lemma winner_pop_exclusive γ front1 data1 P1 front2 data2 P2 :
winner_pop γ front1 data1 P1 -∗
winner_pop γ front2 data2 P2 -∗
False.
#[local] Lemma winner_pop_exclusive' γ front data P :
winner_pop γ front data P -∗
winner γ -∗
False.
#[local] Lemma winner_steal_exclusive γ front1 data1 P1 front2 data2 P2 :
winner_steal γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 -∗
False.
#[local] Lemma winner_steal_exclusive' γ front data P :
winner_steal γ front data P -∗
winner γ -∗
False.
#[local] Lemma winner_agree γ front1 data1 P1 front2 data2 P2 :
winner_pop γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 -∗
⌜front1 = front2⌝ ∗
⌜data1 = data2⌝ ∗
▷ (P1 ≡ P2).
#[local] Lemma winner_update' {γ front1 data1 P1 front2 data2 P2} front data :
winner_pop γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 ==∗
winner_pop γ front data P1 ∗
winner_steal γ front data P2.
#[local] Lemma winner_update {γ front1 data1 P1 front2 data2 P2} front data P :
winner_pop γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 ==∗
winner_pop γ front data P ∗
winner_steal γ front data P.
#[local] Lemma datas_alloc data :
⊢ |==>
∃ γ_datas,
datas_auth' γ_datas ({[+data+]} ⊎ ∅).
#[local] Lemma datas_elem_get γ data datas :
datas_auth γ ({[+data+]} ⊎ datas) ⊢
datas_elem γ data.
#[local] Lemma datas_elem_valid γ data1 datas data2 :
datas_auth γ ({[+data1+]} ⊎ datas) -∗
datas_elem γ data2 -∗
⌜data1 = data2 ∨ data2 ∈ datas⌝.
#[local] Lemma datas_insert {γ datas} data :
datas_auth γ datas ⊢ |==>
datas_auth γ ({[+data+]} ⊎ datas).
Opaque owner₁'.
Lemma ws_deque_1_model_exclusive γ vs1 vs2 :
ws_deque_1_model γ vs1 -∗
ws_deque_1_model γ vs2 -∗
False.
#[local] Lemma owner'_rebase {γ stable back data cap ws i1 us} i2 :
owner' γ stable back data cap ws i1 us ⊢
∃ us,
owner' γ stable back data cap ws i2 us.
#[local] Lemma array_cslice_reshape {data cap back dq us} front :
0 < cap →
length us = cap →
front ≤ back →
back ≤ front + cap →
array_cslice data cap back dq us ⊢
∃ vs priv,
⌜(front + length vs)%nat = back⌝ ∗
⌜(length vs + length priv)%nat = cap⌝ ∗
array_cslice data cap front dq (vs ++ priv) ∗
( array_cslice data cap front dq (vs ++ priv) -∗
array_cslice data cap back dq us
).
Lemma ws_deque_1_owner_exclusive γ ws1 ws2 :
ws_deque_1_owner γ ws1 -∗
ws_deque_1_owner γ ws2 -∗
False.
Lemma ws_deque_1_owner_model γ ws vs :
ws_deque_1_owner γ ws -∗
ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma inv_state_Stable γ state front data back hist vs priv prophs :
length vs = back - front →
inv_state γ state Stable front back data hist vs priv prophs ⊢
⌜state = Empty ∨ state = Nonempty⌝ ∗
⌜front ≤ back⌝.
#[local] Lemma inv_state_Unstable γ state front back data hist vs priv prophs :
inv_state γ state Unstable front back data hist vs priv prophs ⊢
⌜state = Emptyish ∨ state = Superempty⌝ ∗
⌜front = back ∨ front = S back⌝.
#[local] Lemma inv_state_Nonempty γ state stable front back data hist vs priv prophs :
front < back →
inv_state γ state stable front back data hist vs priv prophs ⊢
⌜state = Nonempty⌝.
#[local] Lemma inv_state_Superempty γ state front back data hist vs priv prophs :
back < front →
inv_state γ state Unstable front back data hist vs priv prophs -∗
⌜state = Superempty⌝.
#[local] Lemma inv_state_winner_pop γ state stable front1 back data1 hist vs priv prophs front2 data2 P :
inv_state γ state stable front1 back data1 hist vs priv prophs -∗
winner_pop γ front2 (Some data2) P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P ≡ P_) ∗
( inv_state_nonempty_steal γ state stable front2 back data1 hist vs prophs data2 P_
∨ inv_state_emptyish_steal γ state stable front2 back data1 hist priv data2 P_
) ∗
winner_model_1 γ front2 data1 data2 ∗
winner_pop γ front2 (Some data2) P.
#[local] Lemma inv_state_winner_steal γ state stable front2 back data1 hist vs priv prophs front1 data2 P :
inv_state γ state stable front1 back data1 hist vs priv prophs -∗
winner_steal γ front2 data2 P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P_ ≡ P) ∗
inv_state_emptyish_pop γ state stable front2 back hist priv P_ ∗
winner_steal γ front2 data2 P.
Lemma ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
ws_deque_1٠create ()
{{{
t γ
, RET #t;
meta_token t ⊤ ∗
ws_deque_1_inv t γ ι ∗
ws_deque_1_model γ [] ∗
ws_deque_1_owner γ []
}}}.
#[local] Lemma front𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{front}
{{{
front
, RET #front;
front_lb γ front
}}}.
#[local] Lemma front𑁒spec_owner_Stable t γ back data cap ws :
{{{
inv' t γ ∗
owner₁ γ Stable back data cap ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Stable back data cap ws ∗
front_lb γ front ∗
⌜front ≤ back⌝
}}}.
#[local] Lemma front𑁒spec_owner_Unstable t γ back data cap ws :
{{{
inv' t γ ∗
owner₁ γ Unstable back data cap ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Unstable back data cap ws ∗
front_lb γ front ∗
⌜front = back ∨ front = S back⌝
}}}.
#[local] Lemma front𑁒spec_Superempty t γ back data cap ws front :
back < front →
{{{
inv' t γ ∗
owner₁ γ Unstable back data cap ws ∗
front_lb γ front
}}}
(#t).{front}
{{{
RET #front;
owner₁ γ Unstable back data cap ws
}}}.
#[local] Lemma front𑁒spec_winner_steal t γ front data P :
{{{
inv' t γ ∗
winner_steal γ front data P
}}}
(#t).{front}
{{{
RET #front;
winner_steal γ front data P
}}}.
#[local] Lemma back𑁒spec t γ stable back data cap ws :
{{{
inv' t γ ∗
owner₁ γ stable back data cap ws
}}}
(#t).{back}
{{{
RET #back;
owner₁ γ stable back data cap ws
}}}.
#[local] Lemma set_back𑁒spec_Superempty t γ back data cap ws front (back' : Z) :
back < front →
back' = S back →
{{{
inv' t γ ∗
owner₁ γ Unstable back data cap ws ∗
front_lb γ front
}}}
#t <-{back} #back'
{{{
RET ();
owner₁ γ Stable (S back) data cap ws
}}}.
#[local] Lemma data𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{data}
{{{
data
, RET data;
datas_elem γ data
}}}.
#[local] Lemma data𑁒spec_owner t γ stable back data cap ws :
{{{
inv' t γ ∗
owner₁ γ stable back data cap ws
}}}
(#t).{data}
{{{
RET data;
owner₁ γ stable back data cap ws
}}}.
#[local] Lemma data𑁒spec_winner_pop t γ front data P :
{{{
inv' t γ ∗
winner_pop γ front (Some data) P
}}}
(#t).{data}
{{{
data
, RET data;
winner_pop γ front (Some data) P
}}}.
#[local] Lemma set_data𑁒spec t γ front vs back data1 cap1 priv1 ws data2 cap2 priv2 :
0 < cap2 →
front + length vs = back →
length vs + length priv1 = cap1 →
length vs + length priv2 = cap2 →
{{{
inv' t γ ∗
owner₁ γ Stable back data1 cap1 ws ∗
front_lb γ front ∗
array_cslice data1 cap1 front (DfracOwn (1/2)) (vs ++ priv1) ∗
array_cslice data2 cap2 front (DfracOwn (1/2)) (vs ++ priv2)
}}}
#t <-{data} data2
{{{
RET ();
owner₁ γ Stable back data2 cap2 ws ∗
array_cslice data1 cap1 front (DfracOwn (1/2)) (vs ++ priv1)
}}}.
#[local] Lemma array٠unsafe_cget𑁒spec_loser t γ (data : val) i :
(0 ≤ i)%Z →
{{{
inv' t γ ∗
datas_elem γ data
}}}
array٠unsafe_cget data #i
{{{
v
, RET v;
True
}}}.
#[local] Lemma array٠unsafe_cget𑁒spec_winner_pop t γ front data P v :
{{{
inv' t γ ∗
winner_pop γ front (Some data) P ∗
history_at γ front v
}}}
array٠unsafe_cget data #front
{{{
RET v;
winner_pop γ front (Some data) P
}}}.
#[local] Lemma array٠unsafe_cset𑁒spec_owner t γ back data cap ws us front v :
back < front + cap →
{{{
inv' t γ ∗
owner' γ Stable back data cap ws back us ∗
front_lb γ front
}}}
array٠unsafe_cset data #back v
{{{
RET ();
owner' γ Stable back data cap ws back (<[0 := v]> us)
}}}.
#[local] Lemma resolve𑁒spec_loser_1 t γ front1 front2 id :
front1 < front2 →
{{{
inv' t γ ∗
front_lb γ front2
}}}
Resolve (CAS (#t).[front]%V #front1 #(front1 + 1)) #γ.(ws_deque_1_name_prophet) (#front1, #id)%V
{{{
RET false;
True
}}}.
#[local] Lemma resolve𑁒spec_loser_2 t γ front id prophs0 :
head prophs0 ≠ Some id →
{{{
inv' t γ ∗
front_lb γ front ∗
prophet_multi_full prophet_identifier γ.(ws_deque_1_name_prophet_name) front prophs0
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET false;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_winner_pop t γ front data P id :
{{{
inv' t γ ∗
winner_pop γ front (Some data) P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
▷ P
}}}.
#[local] Lemma resolve𑁒spec_winner_steal t γ front P id :
{{{
inv' t γ ∗
winner_steal γ front None P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_Empty t γ back data cap ws id :
{{{
inv' t γ ∗
owner₁ γ Stable back data cap ws ∗
front_lb γ back
}}}
Resolve (CAS (#t).[front]%V #back #(back + 1)) #γ.(ws_deque_1_name_prophet) (#back, #id)%V
{{{
RET true;
owner₁ γ Unstable back data cap ws ∗
front_lb γ (S back)
}}}.
Lemma ws_deque_1٠size𑁒spec t γ ι ws :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠size #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model γ vs
| RET #(length vs);
ws_deque_1_owner γ vs
>>>.
Lemma ws_deque_1٠is_empty𑁒spec t γ ι ws :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠is_empty #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model γ vs
| RET #(bool_decide (vs = []%list));
ws_deque_1_owner γ vs
>>>.
Lemma ws_deque_1٠push𑁒spec t γ ι ws v :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠push #t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model γ (vs ++ [v])
| RET ();
ws_deque_1_owner γ (vs ++ [v])
>>>.
Lemma ws_deque_1٠steal𑁒spec t γ ι :
<<<
ws_deque_1_inv t γ ι
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠steal #t @ ↑ι
<<<
ws_deque_1_model γ (tail vs)
| RET head vs;
True
>>>.
Variant pop_state :=
| PopNonempty v
| PopEmptyishWinner v
| PopEmptyishLoser
| PopSuperempty.
#[local] Lemma ws_deque_1٠pop₀𑁒spec {t γ} (state : pop_state) stable back (back_ : Z) data cap ws us id :
back_ = back →
{{{
inv' t γ ∗
owner' γ stable back data cap ws back us ∗
match state with
| PopNonempty v ⇒
⌜stable = Stable⌝ ∗
⌜us !! 0 = Some v⌝
| PopEmptyishWinner v ⇒
⌜stable = Unstable⌝ ∗
⌜us !! 0 = Some v⌝ ∗
winner_steal γ back None inhabitant
| PopEmptyishLoser ⇒
∃ id_winner prophs,
⌜stable = Unstable⌝ ∗
prophet_multi_full prophet_identifier γ.(ws_deque_1_name_prophet_name) back (id_winner :: prophs) ∗
⌜head (id_winner :: prophs) ≠ Some id⌝
| PopSuperempty ⇒
∃ front,
⌜stable = Unstable⌝ ∗
front_lb γ front ∗
⌜front = S back⌝
end
}}}
ws_deque_1٠pop₀ #t #id #back_
{{{
o back data cap i us
, RET o;
owner' γ Stable back data cap ws i us ∗
match state with
| PopNonempty v ⇒
⌜o = Some v⌝
| PopEmptyishWinner v ⇒
⌜o = Some v⌝
| PopEmptyishLoser ⇒
⌜o = None⌝
| PopSuperempty ⇒
⌜o = None⌝
end
}}}.
Lemma ws_deque_1٠pop𑁒spec t γ ι ws :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠pop #t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
ws_deque_1_model γ []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
ws_deque_1_model γ vs'
end
| RET o;
ws_deque_1_owner γ ws'
>>>.
End ws_deque_1_G.
#[global] Opaque ws_deque_1_inv.
#[global] Opaque ws_deque_1_model.
#[global] Opaque ws_deque_1_owner.
End base.
From zoo_saturn Require
ws_deque_1__opaque.
Section ws_deque_1_G.
Context `{ws_deque_1_G : WsDeque1G Σ}.
Implicit Types 𝑡 : location.
Implicit Types t : val.
Definition ws_deque_1_inv t ι : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.ws_deque_1_inv 𝑡 γ ι.
#[local] Instance : CustomIpat "inv" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hinv{_{}} ) ".
Definition ws_deque_1_model t vs : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.ws_deque_1_model γ vs.
#[local] Instance : CustomIpat "model" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hmodel{_{}} ) ".
Definition ws_deque_1_owner t ws : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.ws_deque_1_owner γ ws.
#[local] Instance : CustomIpat "owner" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Howner{_{}} ) ".
#[global] Instance ws_deque_1_model_timeless γ vs :
Timeless (ws_deque_1_model γ vs).
#[global] Instance ws_deque_1_owner_timeless γ ws :
Timeless (ws_deque_1_owner γ ws).
#[global] Instance ws_deque_1_inv_persistent t ι :
Persistent (ws_deque_1_inv t ι).
Lemma ws_deque_1_model_exclusive t vs1 vs2 :
ws_deque_1_model t vs1 -∗
ws_deque_1_model t vs2 -∗
False.
Lemma ws_deque_1_owner_exclusive t ws1 ws2 :
ws_deque_1_owner t ws1 -∗
ws_deque_1_owner t ws2 -∗
False.
Lemma ws_deque_1_owner_model γ ws vs :
ws_deque_1_owner γ ws -∗
ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
Lemma ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
ws_deque_1٠create ()
{{{
t
, RET t;
ws_deque_1_inv t ι ∗
ws_deque_1_model t [] ∗
ws_deque_1_owner t []
}}}.
Lemma ws_deque_1٠size𑁒spec t ι ws :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠size t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model t vs
| RET #(length vs);
ws_deque_1_owner t vs
>>>.
Lemma ws_deque_1٠is_empty𑁒spec t ι ws :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠is_empty t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model t vs
| RET #(bool_decide (vs = []%list));
ws_deque_1_owner t vs
>>>.
Lemma ws_deque_1٠push𑁒spec t ι ws v :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠push t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model t (vs ++ [v])
| RET ();
ws_deque_1_owner t (vs ++ [v])
>>>.
Lemma ws_deque_1٠steal𑁒spec t ι :
<<<
ws_deque_1_inv t ι
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠steal t @ ↑ι
<<<
ws_deque_1_model t (tail vs)
| RET head vs;
True
>>>.
Lemma ws_deque_1٠pop𑁒spec t ι ws :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠pop t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
ws_deque_1_model t []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
ws_deque_1_model t vs'
end
| RET o;
ws_deque_1_owner t ws'
>>>.
End ws_deque_1_G.
#[global] Opaque ws_deque_1_inv.
#[global] Opaque ws_deque_1_model.
#[global] Opaque ws_deque_1_owner.
prelude.
From zoo.common Require Import
countable
function
list
relations.
From zoo.iris.bi Require Import
big_op.
From zoo.iris.base_logic Require Import
lib.auth_nat_max
lib.auth_twins
lib.excl
lib.mono_gmultiset
lib.mono_list
lib.twins.
From zoo.language Require Import
notations.
From zoo.program_logic Require Import
identifier
prophet_identifier
prophet_multi.
From zoo.diaframe Require Import
diaframe.
From zoo_std Require Import
array
domain
option.
From zoo_saturn Require Export
base
ws_deque_1__code.
From zoo_saturn Require Import
ws_deque_1__types.
From zoo Require Import
options.
Implicit Types b : bool.
Implicit Types front back : nat.
Implicit Types id : prophet_id.
Implicit Types v : val.
Implicit Types us vs ws hist priv : list val.
Implicit Types datas : gmultiset val.
Implicit Types past prophs : list prophet_identifier.(prophet_typed_type).
Implicit Types pasts prophss : nat → list prophet_identifier.(prophet_typed_type).
Variant state :=
| Empty
| Nonempty
| Emptyish
| Superempty.
Implicit Types state : state.
#[local] Instance state_inhabited : Inhabited state :=
populate Empty.
Variant stability :=
| Stable
| Unstable.
Implicit Types stable : stability.
#[local] Instance stability_inhabited : Inhabited stability :=
populate Stable.
Class WsDeque1G Σ `{zoo_G : !ZooG Σ} :=
{ #[local] ws_deque_1_G_prophet_G :: ProphetMultiG Σ prophet_identifier
; #[local] ws_deque_1_G_model_G :: AuthTwinsG Σ (leibnizO (list val)) suffix
; #[local] ws_deque_1_G_owner_G :: TwinsG Σ (leibnizO (stability × nat × val × nat))
; #[local] ws_deque_1_G_front_G :: AuthNatMaxG Σ
; #[local] ws_deque_1_G_history_G :: MonoListG Σ val
; #[local] ws_deque_1_G_winner_G :: TwinsG Σ (natO × leibnizO (option val) × ▶ ∙)
; #[local] ws_deque_1_G_datas_G :: MonoGmultisetG Σ val
}.
Definition ws_deque_1_Σ :=
#[prophet_multi_Σ prophet_identifier
; auth_twins_Σ (leibnizO (list val)) suffix
; twins_Σ (leibnizO (stability × nat × val × nat))
; auth_nat_max_Σ
; mono_list_Σ val
; twins_Σ (natO × leibnizO (option val) × ▶ ∙)
; mono_gmultiset_Σ val
].
#[global] Instance subG_ws_deque_1_Σ Σ `{zoo_G : !ZooG Σ} :
subG ws_deque_1_Σ Σ →
WsDeque1G Σ .
#[local] Definition min_capacity :=
val_to_nat' ws_deque_1٠min_capacity.
#[local] Lemma min_capacity_nonzero :
0 < min_capacity.
#[local] Hint Resolve
min_capacity_nonzero
: core.
#[local] Lemma ws_deque_1_min_capacity :
ws_deque_1٠min_capacity = #min_capacity.
Opaque ws_deque_1__code.ws_deque_1٠min_capacity.
Opaque min_capacity.
Module base.
Section ws_deque_1_G.
Context `{ws_deque_1_G : WsDeque1G Σ}.
Implicit Types t : location.
Implicit Types P : iProp Σ.
Record ws_deque_1_name :=
{ ws_deque_1_name_inv : namespace
; ws_deque_1_name_prophet : prophet_id
; ws_deque_1_name_prophet_name : prophet_multi_name
; ws_deque_1_name_model : auth_twins_name
; ws_deque_1_name_owner : gname
; ws_deque_1_name_front : gname
; ws_deque_1_name_history : gname
; ws_deque_1_name_winner : gname
; ws_deque_1_name_datas : gname
}.
Implicit Types γ : ws_deque_1_name.
#[global] Instance ws_deque_1_name_eq_dec : EqDecision ws_deque_1_name :=
ltac:(solve_decision).
#[global] Instance ws_deque_1_name_countable :
Countable ws_deque_1_name.
#[local] Definition model₁' γ_model vs :=
auth_twins_twin1 _ γ_model vs.
#[local] Definition model₁ γ :=
model₁' γ.(ws_deque_1_name_model).
#[local] Definition model₂' γ_model vs :=
auth_twins_twin2 _ γ_model vs.
#[local] Definition model₂ γ :=
model₂' γ.(ws_deque_1_name_model).
#[local] Definition owner₁' γ_owner γ_model stable back data cap ws : iProp Σ :=
twins_twin1 (twins_G := ws_deque_1_G_owner_G) γ_owner (DfracOwn 1) (stable, back, data, cap) ∗
auth_twins_auth _ γ_model ws.
#[local] Definition owner₁ γ :=
owner₁' γ.(ws_deque_1_name_owner) γ.(ws_deque_1_name_model).
#[local] Instance : CustomIpat "owner₁" :=
" ( Howner₁{_{}} & Hmodel_auth{_{}} ) ".
#[local] Definition owner₂' γ_owner stable back data cap :=
twins_twin2 (twins_G := ws_deque_1_G_owner_G) γ_owner (stable, back, data, cap).
#[local] Definition owner₂ γ :=
owner₂' γ.(ws_deque_1_name_owner).
#[local] Definition front_auth' γ_front :=
auth_nat_max_auth γ_front (DfracOwn 1).
#[local] Definition front_auth γ :=
front_auth' γ.(ws_deque_1_name_front).
#[local] Definition front_lb γ :=
auth_nat_max_lb γ.(ws_deque_1_name_front).
#[local] Definition history_auth' γ_history :=
mono_list_auth γ_history (DfracOwn 1).
#[local] Definition history_auth γ :=
history_auth' γ.(ws_deque_1_name_history).
#[local] Definition history_at γ :=
mono_list_at γ.(ws_deque_1_name_history).
#[local] Definition winner_pop' γ_winner front (data : option val) P : iProp Σ :=
twins_twin1 γ_winner (DfracOwn 1) (front, data, Next P).
#[local] Definition winner_pop γ :=
winner_pop' γ.(ws_deque_1_name_winner).
#[local] Definition winner_steal' γ_winner front (data : option val) P :=
twins_twin2 γ_winner (front, data, Next P).
#[local] Definition winner_steal γ :=
winner_steal' γ.(ws_deque_1_name_winner).
#[local] Definition winner γ : iProp Σ :=
∃ front data P1 P2,
winner_pop γ front data P1 ∗
winner_steal γ front data P2.
#[local] Instance : CustomIpat "winner" :=
" ( %front_winner & %data_winner & %P1 & %P2 & Hwinner_pop{_{}} & Hwinner_steal{_{}} ) ".
#[local] Definition datas_auth' γ_datas :=
mono_gmultiset_auth γ_datas (DfracOwn 1).
#[local] Definition datas_auth γ :=
datas_auth' γ.(ws_deque_1_name_datas).
#[local] Definition datas_elem' γ_datas :=
mono_gmultiset_elem γ_datas.
#[local] Definition datas_elem γ :=
datas_elem' γ.(ws_deque_1_name_datas).
#[local] Definition data_model data : iProp Σ :=
∃ cap i vs,
array_cslice data cap i DfracDiscarded vs ∗
⌜0 < cap⌝ ∗
⌜length vs = cap⌝.
#[local] Instance : CustomIpat "data_model" :=
" ( %cap_data{} & %i_data{} & %vs_data{} & Hdata{}_cslice & %Hcap_data{} & %Hvs_data{} ) ".
#[local] Definition winner_au γ front P : iProp Σ :=
AU <{
∃∃ vs,
model₁ γ vs
}> @ ⊤ ∖ ↑γ.(ws_deque_1_name_inv), ∅ <{
∀∀ v vs',
⌜vs = v :: vs'⌝ ∗
model₁ γ vs' ∗
history_at γ front v
, COMM
P
}>.
#[local] Definition winner_model_1 γ front data data_winner : iProp Σ :=
⌜data = data_winner⌝
∨ ∃ cap_winner v,
array_cslice data_winner cap_winner front DfracDiscarded [v] ∗
history_at γ front v.
#[local] Instance : CustomIpat "winner_model_1" :=
" [ -> | ( %cap & %v_ & Hdata_cslice & Hhistory_at_ ) ] ".
#[local] Definition winner_model_2 γ front data data_winner P : iProp Σ :=
winner_steal γ front (Some data_winner) P ∗
winner_model_1 γ front data data_winner.
#[local] Instance : CustomIpat "winner_model_2" :=
" ( Hwinner_steal{_{!}} & Hwinner ) ".
#[local] Definition winner_pending_1 γ front data data_winner P id : iProp Σ :=
winner_model_2 γ front data data_winner P ∗
identifier_model' id ∗
winner_au γ front P.
#[local] Instance : CustomIpat "winner_pending_1" :=
" ( (:winner_model_2) & Hid{_{!}} & HP ) ".
#[local] Definition winner_pending_2 γ front data id : iProp Σ :=
∃ data_winner P,
winner_pending_1 γ front data data_winner P id.
#[local] Instance : CustomIpat "winner_pending_2" :=
" ( %data_winner & %P{} & (:winner_pending_1) ) ".
#[local] Definition winner_linearized_1 γ front data data_winner P : iProp Σ :=
winner_model_2 γ front data data_winner P ∗
P.
#[local] Instance : CustomIpat "winner_linearized_1" :=
" ( (:winner_model_2) & HP ) ".
#[local] Definition winner_linearized_2 γ front data P : iProp Σ :=
∃ data_winner,
winner_linearized_1 γ front data data_winner P.
#[local] Instance : CustomIpat "winner_linearized_2" :=
" ( %data_winner & (:winner_linearized_1) ) ".
#[local] Definition inv_state_empty γ stable front back hist : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_empty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state_nonempty γ stable front back data hist vs prophs : iProp Σ :=
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant vs) ∗
( winner γ
∨ match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_2 γ front data id
end
).
#[local] Instance : CustomIpat "inv_state_nonempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner ) ".
#[local] Definition inv_state_nonempty_steal γ state stable front back data hist vs prophs data_winner P : iProp Σ :=
⌜state = Nonempty⌝ ∗
⌜stable = Stable⌝ ∗
⌜front < back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant vs) ∗
match prophs with
| [] ⇒
False
| id :: _ ⇒
winner_pending_1 γ front data data_winner P id
end.
#[local] Instance : CustomIpat "inv_state_nonempty_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}% & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner ) ".
#[local] Definition inv_state_emptyish γ stable front back data hist priv : iProp Σ :=
∃ P,
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant priv) ∗
( winner_pop γ front None P
∨ winner_linearized_2 γ front data P
).
#[local] Instance : CustomIpat "inv_state_emptyish" :=
" ( %P_ & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner ) ".
#[local] Definition inv_state_emptyish_pop γ state stable front back hist priv P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant priv) ∗
winner_pop γ front None P.
#[local] Instance : CustomIpat "inv_state_emptyish_pop" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & #Hhistory_at_front{} & Hwinner_pop ) ".
#[local] Definition inv_state_emptyish_steal γ state stable front back data hist priv data_winner P : iProp Σ :=
⌜state = Emptyish⌝ ∗
⌜stable = Unstable⌝ ∗
⌜front = back⌝ ∗
⌜length hist = S front⌝ ∗
history_at γ front (hd inhabitant priv) ∗
winner_linearized_1 γ front data data_winner P.
#[local] Instance : CustomIpat "inv_state_emptyish_steal" :=
" ( {>;}-> & { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & #Hhistory_at_front{} & (:winner_linearized_1) ) ".
#[local] Definition inv_state_superempty γ stable front back hist : iProp Σ :=
⌜stable = Unstable⌝ ∗
⌜front = S back⌝ ∗
⌜length hist = front⌝ ∗
winner γ.
#[local] Instance : CustomIpat "inv_state_superempty" :=
" ( { {lazy}{>}% ; {lazy}% ; {>}-> ; -> } & {>;}-> & {>;}%Hhist{} & Hwinner ) ".
#[local] Definition inv_state γ state stable front back data hist vs priv prophs : iProp Σ :=
match state with
| Empty ⇒
inv_state_empty γ stable front back hist
| Nonempty ⇒
inv_state_nonempty γ stable front back data hist vs prophs
| Emptyish ⇒
inv_state_emptyish γ stable front back data hist priv
| Superempty ⇒
inv_state_superempty γ stable front back hist
end.
#[local] Definition inv_inner t γ : iProp Σ :=
∃ state stable front back data cap hist vs priv datas pasts prophss,
t.[front] ↦ #front ∗
t.[back] ↦ #back ∗
t.[data] ↦ data ∗
owner₂ γ stable back data cap ∗
front_auth γ front ∗
⌜0 < front⌝ ∗
model₂ γ vs ∗
⌜length vs = back - front⌝ ∗
array_cslice data cap front (DfracOwn (1/2)) (vs ++ priv) ∗
⌜0 < cap⌝ ∗
⌜(length vs + length priv)%nat = cap⌝ ∗
history_auth γ hist ∗
datas_auth γ ({[+data+]} ⊎ datas) ∗
([∗ mset] data ∈ datas, data_model data) ∗
prophet_multi_model prophet_identifier γ.(ws_deque_1_name_prophet) γ.(ws_deque_1_name_prophet_name) pasts prophss ∗
⌜∀ i, front ≤ i → pasts i = []⌝ ∗
inv_state γ state stable front back data hist vs priv (prophss front).
#[local] Instance : CustomIpat "inv_inner" :=
" ( %state{} & %stable{} & %front{} & %back{} & %data{} & %cap{} & %hist{} & %vs{} & %priv{} & %datas{} & %pasts{} & %prophss{} & >Ht_front & >Ht_back & >Ht_data & >Howner₂ & >Hfront_auth & >%Hfront{} & >Hmodel₂ & >%Hvs{} & >Hdata{}_cslice₁ & >%Hcap{} & >%Hdata{} & >Hhistory_auth & >Hdatas_auth & >Hdatas & >Hprophet_model & >%Hpasts{} & Hstate ) ".
#[local] Definition inv' t γ : iProp Σ :=
t.[proph] ↦□ #γ.(ws_deque_1_name_prophet) ∗
inv γ.(ws_deque_1_name_inv) (inv_inner t γ).
#[local] Instance : CustomIpat "inv'" :=
" ( #Ht_proph & #Hinv ) ".
Definition ws_deque_1_inv t γ ι : iProp Σ :=
⌜ι = γ.(ws_deque_1_name_inv)⌝ ∗
inv' t γ.
#[local] Instance : CustomIpat "inv" :=
" ( -> & (:inv') ) ".
Definition ws_deque_1_model :=
model₁.
#[local] Instance : CustomIpat "model" :=
" Hmodel₁{_{}} ".
#[local] Definition owner' γ stable back data cap ws i us : iProp Σ :=
owner₁ γ stable back data cap ws ∗
array_cslice data cap i (DfracOwn (1/2)) us ∗
⌜0 < cap⌝ ∗
⌜length us = cap⌝.
#[local] Instance : CustomIpat "owner'" :=
" ( Howner₁{_{}} & Hdata_cslice₂{_{}} & { {!} _ ; %Hcap{} ; %Hcap } & { {!} _ ; %Hus{} ; %Hus } ) ".
Definition ws_deque_1_owner γ ws : iProp Σ :=
∃ back data cap i us,
owner' γ Stable back data cap ws i us.
#[local] Instance : CustomIpat "owner" :=
" ( %back{} & %data{} & %cap{} & %i{} & %us{} & Howner{_{}} ) ".
#[global] Instance ws_deque_1_model_timeless γ vs :
Timeless (ws_deque_1_model γ vs).
#[global] Instance ws_deque_1_owner_timeless γ ws :
Timeless (ws_deque_1_owner γ ws).
#[global] Instance ws_deque_1_inv_persistent t γ ι :
Persistent (ws_deque_1_inv t γ ι).
#[local] Lemma model_owner_alloc data cap :
⊢ |==>
∃ γ_model γ_owner,
model₁' γ_model [] ∗
model₂' γ_model [] ∗
owner₁' γ_owner γ_model Stable 1 data cap [] ∗
owner₂' γ_owner Stable 1 data cap.
#[local] Lemma model₁_valid γ stable back data cap ws vs :
owner₁ γ stable back data cap ws -∗
model₁ γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma model₁_exclusive γ vs1 vs2 :
model₁ γ vs1 -∗
model₁ γ vs2 -∗
False.
#[local] Lemma model_agree γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 = vs2⌝.
#[local] Lemma model_owner₁_agree γ stable back data cap ws vs1 vs2 :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 -∗
⌜vs1 `suffix_of` ws⌝ ∗
⌜vs1 = vs2⌝.
#[local] Lemma model_empty {γ stable back data cap ws vs1 vs2} :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap [] ∗
model₁ γ [] ∗
model₂ γ [].
#[local] Lemma model_push {γ stable back data cap ws vs1 vs2} v :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap (vs1 ++ [v]) ∗
model₁ γ (vs1 ++ [v]) ∗
model₂ γ (vs1 ++ [v]).
#[local] Lemma model_steal γ vs1 vs2 :
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
model₁ γ (tail vs1) ∗
model₂ γ (tail vs1).
#[local] Lemma model_pop γ stable back data cap ws vs1 vs2 :
owner₁ γ stable back data cap ws -∗
model₁ γ vs1 -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap (removelast vs1) ∗
model₁ γ (removelast vs1) ∗
model₂ γ (removelast vs1).
#[local] Lemma model_pop' γ stable back data cap ws vs1 v vs2 :
owner₁ γ stable back data cap ws -∗
model₁ γ (vs1 ++ [v]) -∗
model₂ γ vs2 ==∗
owner₁ γ stable back data cap vs1 ∗
model₁ γ vs1 ∗
model₂ γ vs1.
#[local] Lemma owner₁_exclusive γ stable1 back1 data1 cap1 ws1 stable2 back2 data2 cap2 ws2 :
owner₁ γ stable1 back1 data1 cap1 ws1 -∗
owner₁ γ stable2 back2 data2 cap2 ws2 -∗
False.
#[local] Lemma owner_agree γ stable1 back1 data1 cap1 ws stable2 back2 data2 cap2 :
owner₁ γ stable1 back1 data1 cap1 ws -∗
owner₂ γ stable2 back2 data2 cap2 -∗
⌜stable1 = stable2⌝ ∗
⌜back1 = back2⌝ ∗
⌜data1 = data2⌝ ∗
⌜cap1 = cap2⌝.
#[local] Lemma owner₁_update γ stable back data cap ws vs :
owner₁ γ stable back data cap ws -∗
model₁ γ vs -∗
model₂ γ vs ==∗
owner₁ γ stable back data cap vs ∗
model₁ γ vs ∗
model₂ γ vs.
#[local] Lemma owner_update {γ stable1 back1 data1 cap1 ws stable2 back2 data2 cap2} stable back data cap :
owner₁ γ stable1 back1 data1 cap1 ws -∗
owner₂ γ stable2 back2 data2 cap2 ==∗
owner₁ γ stable back data cap ws ∗
owner₂ γ stable back data cap.
#[local] Lemma front_alloc :
⊢ |==>
∃ γ_front,
front_auth' γ_front 1.
#[local] Lemma front_lb_get γ front :
front_auth γ front ⊢
front_lb γ front.
#[local] Lemma front_lb_le {γ front} front' :
front' ≤ front →
front_lb γ front ⊢
front_lb γ front'.
#[local] Lemma front_lb_valid γ front1 front2 :
front_auth γ front1 -∗
front_lb γ front2 -∗
⌜front2 ≤ front1⌝.
#[local] Lemma front_update γ front :
front_auth γ front ⊢ |==>
front_auth γ (S front).
#[local] Lemma history_alloc :
⊢ |==>
∃ γ_hist,
history_auth' γ_hist [()%V].
#[local] Lemma history_at_get {γ hist v} i :
i = length hist →
history_auth γ (hist ++ [v]) ⊢
history_at γ i v.
#[local] Lemma history_at_lookup γ hist i v :
history_auth γ hist -∗
history_at γ i v -∗
⌜hist !! i = Some v⌝.
#[local] Lemma history_at_agree γ i v1 v2 :
history_at γ i v1 -∗
history_at γ i v2 -∗
⌜v1 = v2⌝.
#[local] Lemma history_update {γ hist} i v :
i = length hist →
history_auth γ hist ⊢ |==>
history_auth γ (hist ++ [v]) ∗
history_at γ i v.
#[local] Lemma winner_alloc :
⊢ |==>
∃ γ_winner,
winner_pop' γ_winner 1 None True ∗
winner_steal' γ_winner 1 None True.
#[local] Lemma winner_pop_exclusive γ front1 data1 P1 front2 data2 P2 :
winner_pop γ front1 data1 P1 -∗
winner_pop γ front2 data2 P2 -∗
False.
#[local] Lemma winner_pop_exclusive' γ front data P :
winner_pop γ front data P -∗
winner γ -∗
False.
#[local] Lemma winner_steal_exclusive γ front1 data1 P1 front2 data2 P2 :
winner_steal γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 -∗
False.
#[local] Lemma winner_steal_exclusive' γ front data P :
winner_steal γ front data P -∗
winner γ -∗
False.
#[local] Lemma winner_agree γ front1 data1 P1 front2 data2 P2 :
winner_pop γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 -∗
⌜front1 = front2⌝ ∗
⌜data1 = data2⌝ ∗
▷ (P1 ≡ P2).
#[local] Lemma winner_update' {γ front1 data1 P1 front2 data2 P2} front data :
winner_pop γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 ==∗
winner_pop γ front data P1 ∗
winner_steal γ front data P2.
#[local] Lemma winner_update {γ front1 data1 P1 front2 data2 P2} front data P :
winner_pop γ front1 data1 P1 -∗
winner_steal γ front2 data2 P2 ==∗
winner_pop γ front data P ∗
winner_steal γ front data P.
#[local] Lemma datas_alloc data :
⊢ |==>
∃ γ_datas,
datas_auth' γ_datas ({[+data+]} ⊎ ∅).
#[local] Lemma datas_elem_get γ data datas :
datas_auth γ ({[+data+]} ⊎ datas) ⊢
datas_elem γ data.
#[local] Lemma datas_elem_valid γ data1 datas data2 :
datas_auth γ ({[+data1+]} ⊎ datas) -∗
datas_elem γ data2 -∗
⌜data1 = data2 ∨ data2 ∈ datas⌝.
#[local] Lemma datas_insert {γ datas} data :
datas_auth γ datas ⊢ |==>
datas_auth γ ({[+data+]} ⊎ datas).
Opaque owner₁'.
Lemma ws_deque_1_model_exclusive γ vs1 vs2 :
ws_deque_1_model γ vs1 -∗
ws_deque_1_model γ vs2 -∗
False.
#[local] Lemma owner'_rebase {γ stable back data cap ws i1 us} i2 :
owner' γ stable back data cap ws i1 us ⊢
∃ us,
owner' γ stable back data cap ws i2 us.
#[local] Lemma array_cslice_reshape {data cap back dq us} front :
0 < cap →
length us = cap →
front ≤ back →
back ≤ front + cap →
array_cslice data cap back dq us ⊢
∃ vs priv,
⌜(front + length vs)%nat = back⌝ ∗
⌜(length vs + length priv)%nat = cap⌝ ∗
array_cslice data cap front dq (vs ++ priv) ∗
( array_cslice data cap front dq (vs ++ priv) -∗
array_cslice data cap back dq us
).
Lemma ws_deque_1_owner_exclusive γ ws1 ws2 :
ws_deque_1_owner γ ws1 -∗
ws_deque_1_owner γ ws2 -∗
False.
Lemma ws_deque_1_owner_model γ ws vs :
ws_deque_1_owner γ ws -∗
ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
#[local] Lemma inv_state_Stable γ state front data back hist vs priv prophs :
length vs = back - front →
inv_state γ state Stable front back data hist vs priv prophs ⊢
⌜state = Empty ∨ state = Nonempty⌝ ∗
⌜front ≤ back⌝.
#[local] Lemma inv_state_Unstable γ state front back data hist vs priv prophs :
inv_state γ state Unstable front back data hist vs priv prophs ⊢
⌜state = Emptyish ∨ state = Superempty⌝ ∗
⌜front = back ∨ front = S back⌝.
#[local] Lemma inv_state_Nonempty γ state stable front back data hist vs priv prophs :
front < back →
inv_state γ state stable front back data hist vs priv prophs ⊢
⌜state = Nonempty⌝.
#[local] Lemma inv_state_Superempty γ state front back data hist vs priv prophs :
back < front →
inv_state γ state Unstable front back data hist vs priv prophs -∗
⌜state = Superempty⌝.
#[local] Lemma inv_state_winner_pop γ state stable front1 back data1 hist vs priv prophs front2 data2 P :
inv_state γ state stable front1 back data1 hist vs priv prophs -∗
winner_pop γ front2 (Some data2) P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P ≡ P_) ∗
( inv_state_nonempty_steal γ state stable front2 back data1 hist vs prophs data2 P_
∨ inv_state_emptyish_steal γ state stable front2 back data1 hist priv data2 P_
) ∗
winner_model_1 γ front2 data1 data2 ∗
winner_pop γ front2 (Some data2) P.
#[local] Lemma inv_state_winner_steal γ state stable front2 back data1 hist vs priv prophs front1 data2 P :
inv_state γ state stable front1 back data1 hist vs priv prophs -∗
winner_steal γ front2 data2 P -∗
∃ P_,
⌜front1 = front2⌝ ∗
▷ (P_ ≡ P) ∗
inv_state_emptyish_pop γ state stable front2 back hist priv P_ ∗
winner_steal γ front2 data2 P.
Lemma ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
ws_deque_1٠create ()
{{{
t γ
, RET #t;
meta_token t ⊤ ∗
ws_deque_1_inv t γ ι ∗
ws_deque_1_model γ [] ∗
ws_deque_1_owner γ []
}}}.
#[local] Lemma front𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{front}
{{{
front
, RET #front;
front_lb γ front
}}}.
#[local] Lemma front𑁒spec_owner_Stable t γ back data cap ws :
{{{
inv' t γ ∗
owner₁ γ Stable back data cap ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Stable back data cap ws ∗
front_lb γ front ∗
⌜front ≤ back⌝
}}}.
#[local] Lemma front𑁒spec_owner_Unstable t γ back data cap ws :
{{{
inv' t γ ∗
owner₁ γ Unstable back data cap ws
}}}
(#t).{front}
{{{
front
, RET #front;
owner₁ γ Unstable back data cap ws ∗
front_lb γ front ∗
⌜front = back ∨ front = S back⌝
}}}.
#[local] Lemma front𑁒spec_Superempty t γ back data cap ws front :
back < front →
{{{
inv' t γ ∗
owner₁ γ Unstable back data cap ws ∗
front_lb γ front
}}}
(#t).{front}
{{{
RET #front;
owner₁ γ Unstable back data cap ws
}}}.
#[local] Lemma front𑁒spec_winner_steal t γ front data P :
{{{
inv' t γ ∗
winner_steal γ front data P
}}}
(#t).{front}
{{{
RET #front;
winner_steal γ front data P
}}}.
#[local] Lemma back𑁒spec t γ stable back data cap ws :
{{{
inv' t γ ∗
owner₁ γ stable back data cap ws
}}}
(#t).{back}
{{{
RET #back;
owner₁ γ stable back data cap ws
}}}.
#[local] Lemma set_back𑁒spec_Superempty t γ back data cap ws front (back' : Z) :
back < front →
back' = S back →
{{{
inv' t γ ∗
owner₁ γ Unstable back data cap ws ∗
front_lb γ front
}}}
#t <-{back} #back'
{{{
RET ();
owner₁ γ Stable (S back) data cap ws
}}}.
#[local] Lemma data𑁒spec t γ :
{{{
inv' t γ
}}}
(#t).{data}
{{{
data
, RET data;
datas_elem γ data
}}}.
#[local] Lemma data𑁒spec_owner t γ stable back data cap ws :
{{{
inv' t γ ∗
owner₁ γ stable back data cap ws
}}}
(#t).{data}
{{{
RET data;
owner₁ γ stable back data cap ws
}}}.
#[local] Lemma data𑁒spec_winner_pop t γ front data P :
{{{
inv' t γ ∗
winner_pop γ front (Some data) P
}}}
(#t).{data}
{{{
data
, RET data;
winner_pop γ front (Some data) P
}}}.
#[local] Lemma set_data𑁒spec t γ front vs back data1 cap1 priv1 ws data2 cap2 priv2 :
0 < cap2 →
front + length vs = back →
length vs + length priv1 = cap1 →
length vs + length priv2 = cap2 →
{{{
inv' t γ ∗
owner₁ γ Stable back data1 cap1 ws ∗
front_lb γ front ∗
array_cslice data1 cap1 front (DfracOwn (1/2)) (vs ++ priv1) ∗
array_cslice data2 cap2 front (DfracOwn (1/2)) (vs ++ priv2)
}}}
#t <-{data} data2
{{{
RET ();
owner₁ γ Stable back data2 cap2 ws ∗
array_cslice data1 cap1 front (DfracOwn (1/2)) (vs ++ priv1)
}}}.
#[local] Lemma array٠unsafe_cget𑁒spec_loser t γ (data : val) i :
(0 ≤ i)%Z →
{{{
inv' t γ ∗
datas_elem γ data
}}}
array٠unsafe_cget data #i
{{{
v
, RET v;
True
}}}.
#[local] Lemma array٠unsafe_cget𑁒spec_winner_pop t γ front data P v :
{{{
inv' t γ ∗
winner_pop γ front (Some data) P ∗
history_at γ front v
}}}
array٠unsafe_cget data #front
{{{
RET v;
winner_pop γ front (Some data) P
}}}.
#[local] Lemma array٠unsafe_cset𑁒spec_owner t γ back data cap ws us front v :
back < front + cap →
{{{
inv' t γ ∗
owner' γ Stable back data cap ws back us ∗
front_lb γ front
}}}
array٠unsafe_cset data #back v
{{{
RET ();
owner' γ Stable back data cap ws back (<[0 := v]> us)
}}}.
#[local] Lemma resolve𑁒spec_loser_1 t γ front1 front2 id :
front1 < front2 →
{{{
inv' t γ ∗
front_lb γ front2
}}}
Resolve (CAS (#t).[front]%V #front1 #(front1 + 1)) #γ.(ws_deque_1_name_prophet) (#front1, #id)%V
{{{
RET false;
True
}}}.
#[local] Lemma resolve𑁒spec_loser_2 t γ front id prophs0 :
head prophs0 ≠ Some id →
{{{
inv' t γ ∗
front_lb γ front ∗
prophet_multi_full prophet_identifier γ.(ws_deque_1_name_prophet_name) front prophs0
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET false;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_winner_pop t γ front data P id :
{{{
inv' t γ ∗
winner_pop γ front (Some data) P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
▷ P
}}}.
#[local] Lemma resolve𑁒spec_winner_steal t γ front P id :
{{{
inv' t γ ∗
winner_steal γ front None P
}}}
Resolve (CAS (#t).[front]%V #front #(front + 1)) #γ.(ws_deque_1_name_prophet) (#front, #id)%V
{{{
RET true;
front_lb γ (S front)
}}}.
#[local] Lemma resolve𑁒spec_Empty t γ back data cap ws id :
{{{
inv' t γ ∗
owner₁ γ Stable back data cap ws ∗
front_lb γ back
}}}
Resolve (CAS (#t).[front]%V #back #(back + 1)) #γ.(ws_deque_1_name_prophet) (#back, #id)%V
{{{
RET true;
owner₁ γ Unstable back data cap ws ∗
front_lb γ (S back)
}}}.
Lemma ws_deque_1٠size𑁒spec t γ ι ws :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠size #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model γ vs
| RET #(length vs);
ws_deque_1_owner γ vs
>>>.
Lemma ws_deque_1٠is_empty𑁒spec t γ ι ws :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠is_empty #t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model γ vs
| RET #(bool_decide (vs = []%list));
ws_deque_1_owner γ vs
>>>.
Lemma ws_deque_1٠push𑁒spec t γ ι ws v :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠push #t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model γ (vs ++ [v])
| RET ();
ws_deque_1_owner γ (vs ++ [v])
>>>.
Lemma ws_deque_1٠steal𑁒spec t γ ι :
<<<
ws_deque_1_inv t γ ι
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠steal #t @ ↑ι
<<<
ws_deque_1_model γ (tail vs)
| RET head vs;
True
>>>.
Variant pop_state :=
| PopNonempty v
| PopEmptyishWinner v
| PopEmptyishLoser
| PopSuperempty.
#[local] Lemma ws_deque_1٠pop₀𑁒spec {t γ} (state : pop_state) stable back (back_ : Z) data cap ws us id :
back_ = back →
{{{
inv' t γ ∗
owner' γ stable back data cap ws back us ∗
match state with
| PopNonempty v ⇒
⌜stable = Stable⌝ ∗
⌜us !! 0 = Some v⌝
| PopEmptyishWinner v ⇒
⌜stable = Unstable⌝ ∗
⌜us !! 0 = Some v⌝ ∗
winner_steal γ back None inhabitant
| PopEmptyishLoser ⇒
∃ id_winner prophs,
⌜stable = Unstable⌝ ∗
prophet_multi_full prophet_identifier γ.(ws_deque_1_name_prophet_name) back (id_winner :: prophs) ∗
⌜head (id_winner :: prophs) ≠ Some id⌝
| PopSuperempty ⇒
∃ front,
⌜stable = Unstable⌝ ∗
front_lb γ front ∗
⌜front = S back⌝
end
}}}
ws_deque_1٠pop₀ #t #id #back_
{{{
o back data cap i us
, RET o;
owner' γ Stable back data cap ws i us ∗
match state with
| PopNonempty v ⇒
⌜o = Some v⌝
| PopEmptyishWinner v ⇒
⌜o = Some v⌝
| PopEmptyishLoser ⇒
⌜o = None⌝
| PopSuperempty ⇒
⌜o = None⌝
end
}}}.
Lemma ws_deque_1٠pop𑁒spec t γ ι ws :
<<<
ws_deque_1_inv t γ ι ∗
ws_deque_1_owner γ ws
| ∀∀ vs,
ws_deque_1_model γ vs
>>>
ws_deque_1٠pop #t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
ws_deque_1_model γ []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
ws_deque_1_model γ vs'
end
| RET o;
ws_deque_1_owner γ ws'
>>>.
End ws_deque_1_G.
#[global] Opaque ws_deque_1_inv.
#[global] Opaque ws_deque_1_model.
#[global] Opaque ws_deque_1_owner.
End base.
From zoo_saturn Require
ws_deque_1__opaque.
Section ws_deque_1_G.
Context `{ws_deque_1_G : WsDeque1G Σ}.
Implicit Types 𝑡 : location.
Implicit Types t : val.
Definition ws_deque_1_inv t ι : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.ws_deque_1_inv 𝑡 γ ι.
#[local] Instance : CustomIpat "inv" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hinv{_{}} ) ".
Definition ws_deque_1_model t vs : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.ws_deque_1_model γ vs.
#[local] Instance : CustomIpat "model" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Hmodel{_{}} ) ".
Definition ws_deque_1_owner t ws : iProp Σ :=
∃ 𝑡 γ,
⌜t = #𝑡⌝ ∗
meta 𝑡 nroot γ ∗
base.ws_deque_1_owner γ ws.
#[local] Instance : CustomIpat "owner" :=
" ( %𝑡{} & %γ{} & {%Heq{};->} & #Hmeta{_{}} & Howner{_{}} ) ".
#[global] Instance ws_deque_1_model_timeless γ vs :
Timeless (ws_deque_1_model γ vs).
#[global] Instance ws_deque_1_owner_timeless γ ws :
Timeless (ws_deque_1_owner γ ws).
#[global] Instance ws_deque_1_inv_persistent t ι :
Persistent (ws_deque_1_inv t ι).
Lemma ws_deque_1_model_exclusive t vs1 vs2 :
ws_deque_1_model t vs1 -∗
ws_deque_1_model t vs2 -∗
False.
Lemma ws_deque_1_owner_exclusive t ws1 ws2 :
ws_deque_1_owner t ws1 -∗
ws_deque_1_owner t ws2 -∗
False.
Lemma ws_deque_1_owner_model γ ws vs :
ws_deque_1_owner γ ws -∗
ws_deque_1_model γ vs -∗
⌜vs `suffix_of` ws⌝.
Lemma ws_deque_1٠create𑁒spec ι :
{{{
True
}}}
ws_deque_1٠create ()
{{{
t
, RET t;
ws_deque_1_inv t ι ∗
ws_deque_1_model t [] ∗
ws_deque_1_owner t []
}}}.
Lemma ws_deque_1٠size𑁒spec t ι ws :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠size t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model t vs
| RET #(length vs);
ws_deque_1_owner t vs
>>>.
Lemma ws_deque_1٠is_empty𑁒spec t ι ws :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠is_empty t @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model t vs
| RET #(bool_decide (vs = []%list));
ws_deque_1_owner t vs
>>>.
Lemma ws_deque_1٠push𑁒spec t ι ws v :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠push t v @ ↑ι
<<<
⌜vs `suffix_of` ws⌝ ∗
ws_deque_1_model t (vs ++ [v])
| RET ();
ws_deque_1_owner t (vs ++ [v])
>>>.
Lemma ws_deque_1٠steal𑁒spec t ι :
<<<
ws_deque_1_inv t ι
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠steal t @ ↑ι
<<<
ws_deque_1_model t (tail vs)
| RET head vs;
True
>>>.
Lemma ws_deque_1٠pop𑁒spec t ι ws :
<<<
ws_deque_1_inv t ι ∗
ws_deque_1_owner t ws
| ∀∀ vs,
ws_deque_1_model t vs
>>>
ws_deque_1٠pop t @ ↑ι
<<<
∃∃ o ws',
⌜vs `suffix_of` ws⌝ ∗
match o with
| None ⇒
⌜vs = []⌝ ∗
⌜ws' = []⌝ ∗
ws_deque_1_model t []
| Some v ⇒
∃ vs',
⌜vs = vs' ++ [v]⌝ ∗
⌜ws' = vs'⌝ ∗
ws_deque_1_model t vs'
end
| RET o;
ws_deque_1_owner t ws'
>>>.
End ws_deque_1_G.
#[global] Opaque ws_deque_1_inv.
#[global] Opaque ws_deque_1_model.
#[global] Opaque ws_deque_1_owner.