@@ -21,22 +21,12 @@ let inv (i: iname) (p: slprop) =
2121let aux # p ( inst : placeless p ) l1 l2 =
2222 fun () -> inst l1 l2
2323
24- ghost fn placeless_inv i p {| inst : placeless p |} : placeless ( inv i p ) = l1 l2 {
25- ghost_impersonate l1 ( on l1 ( inv i p )) ( on l2 ( inv i p )) fn _ {
26- on_elim ( inv i p );
27- unfold inv i p ; with l_ l' . _ ;
28- loc_gather l1 # l_ ;
29- drop_ ( move_tag l_ l' p _ _ );
30- ghost_impersonate l2 ( C. inv i ( on l' p )) ( on l2 ( inv i p )) fn _ {
31- fold move_tag l2 l' p ( aux # p inst l2 l' ) ( aux # p inst l' l2 );
32- loc_dup l2 ;
33- fold inv i p ;
34- on_intro ( inv i p );
35- }
36- }
37- }
38-
39- ghost fn is_send_inv i p {| is_send p |} : is_send ( inv i p ) = l1 l2 {
24+ ghost fn move i p l1 l2
25+ ( fwd : unit -> stt_ghost unit emp_inames ( on l1 p ) ( fun _ -> on l2 p ))
26+ ( bwd : unit -> stt_ghost unit emp_inames ( on l2 p ) ( fun _ -> on l1 p ))
27+ requires on l1 ( inv i p )
28+ ensures on l2 ( inv i p )
29+ {
4030 ghost_impersonate l1 ( on l1 ( inv i p )) ( on l2 ( inv i p )) fn _ {
4131 on_elim ( inv i p );
4232 unfold inv i p ; with l_ l' f g . _ ;
@@ -47,15 +37,15 @@ ghost fn is_send_inv i p {| is_send p |} : is_send (inv i p) = l1 l2 {
4737 requires on l2 p
4838 ensures on l' p
4939 {
50- is_send_elim p l1 ;
40+ bwd () ;
5141 let f = f ; f ()
5242 };
5343 ghost fn g' ()
5444 requires on l' p
5545 ensures on l2 p
5646 {
5747 let g = g ; g ();
58- is_send_elim p l2 ;
48+ fwd () ;
5949 };
6050 fold move_tag l2 l' p f' g' ;
6151 loc_dup l2 ;
@@ -65,6 +55,18 @@ ghost fn is_send_inv i p {| is_send p |} : is_send (inv i p) = l1 l2 {
6555 }
6656}
6757
58+ ghost fn placeless_inv i p {| inst : placeless p |} : placeless ( inv i p ) = l1 l2 {
59+ move i p l1 l2
60+ fn _ { inst l1 l2 }
61+ fn _ { inst l2 l1 }
62+ }
63+
64+ ghost fn is_send_inv i p {| is_send p |} : is_send ( inv i p ) = l1 l2 {
65+ move i p l1 l2
66+ fn _ { is_send_elim p l2 }
67+ fn _ { is_send_elim p l1 }
68+ }
69+
6870ghost fn dup_inv i p () : duplicable_f ( inv i p ) = {
6971 unfold inv i p ; with l l' f g . _ ;
7072 dup ( C. inv i ( on l' p )) ();
@@ -77,26 +79,85 @@ ghost fn dup_inv i p () : duplicable_f (inv i p) = {
7779instance duplicable_inv i p : duplicable ( inv i p ) =
7880 { dup_f = dup_inv i p }
7981
80- open PulseCore.Observability
82+ ghost fn new_invariant ( p : slprop )
83+ requires p
84+ returns i : iname
85+ ensures inv i p
86+ {
87+ loc_get (); with l . assert loc l ;
88+ on_intro p ;
89+ let i = C. new_invariant ( on l p ) # _ ;
90+ ghost fn f () requires on l p ensures on l p {};
91+ fold move_tag l l p f f ;
92+ fold inv i p ;
93+ i
94+ }
95+
96+ inline_for_extraction noextract
97+ ghost fn with_inv_g u# a ( a : Type u# a )
98+ is ( i : iname { not ( mem_inv is i ) }) ( p : slprop ) pre ( post : a -> slprop )
99+ ( k : unit -> stt_ghost a is ( pre ** p ) ( fun x -> post x ** p ))
100+ opens add_inv is i
101+ preserves inv i p
102+ requires later_credit 1
103+ requires pre
104+ returns x : a
105+ ensures post x
106+ {
107+ unfold inv i p ; with l l' f g . _ ;
108+ let x = with_invariant_g # a
109+ #( pre ** later_credit 1 ** loc l )
110+ #( fun x -> post x ** loc l ) # is #( on l' p ) i fn _ {
111+ later_elim ( on l' p );
112+ { let g = g ; g () };
113+ on_elim p ;
114+ let x = k ();
115+ on_intro p ;
116+ { let f = f ; f () };
117+ later_intro ( on l' p );
118+ x
119+ };
120+ fold inv i p ;
121+ x
122+ }
81123
82- unobservable fn with_inv_unobs u# a (# a : Type u# a ) # is ( i : iname { not ( mem_inv is i ) }) ( p : slprop ) pre ( post : a -> slprop )
83- ( k : unit -> stt_atomic a # Neutral is ( pre ** later p ) ( fun x -> post x ** later p ))
84- opens is
124+ inline_for_extraction noextract
125+ atomic fn with_inv_atomic u# a ( a : Type u# a )
126+ is ( i : iname { not ( mem_inv is i ) }) ( p : slprop ) pre ( post : a -> slprop )
127+ ( k : unit -> stt_atomic a # Observable is ( pre ** p ) ( fun x -> post x ** p ))
128+ opens add_inv is i
85129 preserves inv i p
130+ requires later_credit 1
86131 requires pre
87132 returns x : a
88133 ensures post x
89134{
90- unfold inv i p ; with l_ l' f g . _ ;
91- assume pure ( inames_subset ( add_inv is i ) is );
92- let x = with_invariant # a # Neutral # pre # post # is #( on l' p ) i fn _ {
93- later_on l' p ;
94- // { let g=g; g() };
95- admit ();
135+ unfold inv i p ; with l l' f g . _ ;
136+ let x = with_invariant # a # Observable
137+ #( pre ** later_credit 1 ** loc l )
138+ #( fun x -> post x ** loc l ) # is #( on l' p ) i fn _ {
139+ later_elim ( on l' p );
140+ { let g = g ; g () };
141+ on_elim p ;
96142 let x = k ();
97- on_later l' p ;
143+ on_intro p ;
144+ { let f = f ; f () };
145+ later_intro ( on l' p );
98146 x
99147 };
100- admit ();
101148 fold inv i p ;
149+ x
150+ }
151+
152+ inline_for_extraction noextract
153+ fn with_inv_stt u# a ( a : Type u# a )
154+ is ( i : iname { not ( mem_inv is i ) }) ( p : slprop ) pre ( post : a -> slprop )
155+ ( k : unit -> stt_atomic a # Observable is ( pre ** p ) ( fun x -> post x ** p ))
156+ preserves inv i p
157+ requires pre
158+ returns x : a
159+ ensures post x
160+ {
161+ later_credit_buy 1 ;
162+ with_inv_atomic a is i p pre post k
102163}
0 commit comments