@@ -1248,7 +1248,81 @@ section ConcreteMapImpl
12481248 Node 18: 𝕌 𝕌
12491249 Node 19: 𝕌 𝕌
12501250 ))
1251+ -/
12511252
1253+ /-======================================================
1254+ HEY THIS IS IMPORTANT:
1255+
1256+ SPECULATION ON USAGE OF `(𝕏 : SolutionT).props` OUTPUT VALUE
1257+ IN LARGER PROOFS
1258+
1259+ ======================================================
1260+
1261+ of course, the point of this dataflow solver as a modular
1262+ component is to return not just the solution `ν` but propositional
1263+ satisfaction of the dataflow inequalities by the `ν`.
1264+
1265+ The propositional components of `𝕏 : SolutionT` establish
1266+ that for any edge from nodes `n` to `m` `τ ν[n] ≤ ν[m]`.
1267+
1268+ How is this useful?
1269+
1270+ Call `β := ⟦ℕ, ℂ⟧` our abstract domain.
1271+ The instance definition provides transitions `τ : ℕ → β → β`.
1272+
1273+ Choose a "concrete domain" `α`
1274+ with a "stepping relation" for each node `σ : ℕ → α → α`,
1275+ and a "simulation relation" `α₀ ∼ β₀ : Prop`
1276+ satisfying `∀ n, α₀ ∼ β₀ → (σₙ α₀) ∼ (τₙ β₀)`
1277+ and `β₀ ≤ β₁ → α₀ ∼ β₀ → α₀ ∼ β₁`
1278+ and `β₀ == β₁ → α₀ ∼ β₀ → α₀ ∼ β₁`.
1279+
1280+ We must also choose a `⊥{α}` for `α`,
1281+ (corresponding to value at program entry)
1282+ that relates to the `⊥{β}` for `β`
1283+ satisfying `⊥{α} ∼ ⊥{β}`.
1284+
1285+ For our above example, we can choose `α := ⟦ℕ, Option ℕ⟧`
1286+ (concrete program states)
1287+ and `α₀ ∼ β₀` lifting from a corresponding canonical
1288+ `(_:Option ℕ) ∼ (_:ℂ)` relation (e.g. `some n ∼ 𝕊 n`)
1289+ Once the associated properties are proven...
1290+
1291+ We can now define "program states" `π := (α₀ : α) × (n : ℕ)` (interpreted
1292+ as the statement "execution has state `α` at entry to block `n`.
1293+
1294+ We can now define "program stepping":
1295+ `π₀ ⊑ π₁ := (edge π₀.n π₁.n) ∧ (n:=π₀.n; τₙ) π₀.α₀ = π₁.α₀`
1296+
1297+ We can now define a type for "paths" `ℓ` as a list of
1298+ `N` `α × ℕ` entries (corresponding to program states at unit times)
1299+ where `ℓ[0] = (⊥{α}, 0)`
1300+ (assuming 0 is the "entry block"),
1301+ and `∀ n < N - 1, l[n] ⊑ l[n+1]` (successive entries constitute valid steps)
1302+
1303+ Now if `ν := 𝕏.vals` is a dataflow solution,
1304+ and `ℓₙ := (n, _) := ℓ; n`
1305+ and `ℓₐ := (_, α₀) := ℓ; α₀`
1306+ it is provable inductively from `𝕏.props` that:
1307+ `∀ ℓ, ℓₐ ∼ ν[ℓₙ]`.
1308+
1309+ In the case of our concrete example, this means that we can prove
1310+ that any program state `αₙ` at node `n` reached through stepping
1311+ from the entry state is constrained by
1312+ `αₙ ∼ βₙ` for the abstract state `βₙ := ν[n]`.
1313+ For various values of `αₙ` and `βₙ`,
1314+ this could mean (for all keys `k`),
1315+
1316+ `αₙ ∼ 𝕄` : no information
1317+ `αₙ ∼ 𝔸` : `k` is defined
1318+ `αₙ ∼ 𝕊 m` : `k` is defined and equal to `m`
1319+ `αₙ ∼ 𝕌` : impossible (which implies that `∄ ℓ, ℓₐ ∼ 𝕌)`,
1320+ i.e., no node `n` satisfying `ν[n] = 𝕌` will
1321+ ever be reached by a path
1322+
1323+ These are powerful results, for which much
1324+ thought has gone into generating and
1325+ presenting conveniently.
12521326 -/
12531327 end ConcreteSolution
12541328end ConcreteMapImpl
0 commit comments