@@ -1251,14 +1251,21 @@ section ConcreteMapImpl
12511251 -/
12521252
12531253 /-======================================================
1254+
12541255 HEY THIS IS IMPORTANT:
12551256
12561257 SPECULATION ON USAGE OF `(𝕏 : SolutionT).props` OUTPUT VALUE
12571258 IN LARGER PROOFS
12581259
12591260 ======================================================
12601261
1261- of course, the point of this dataflow solver as a modular
1262+ In particular...
1263+
1264+ Reasoning about execution traces by bisimulation to the dataflow type!
1265+
1266+ ======================================================
1267+
1268+ Of course, the point of this dataflow solver as a modular
12621269 component is to return not just the solution `ν` but propositional
12631270 satisfaction of the dataflow inequalities by the `ν`.
12641271
@@ -1281,11 +1288,15 @@ section ConcreteMapImpl
12811288 (corresponding to value at program entry)
12821289 that relates to the `⊥{β}` for `β`
12831290 satisfying `⊥{α} ∼ ⊥{β}`.
1291+ (but note that `α` need not have any lattice
1292+ structure for the bisimulation to be established)
12841293
12851294 For our above example, we can choose `α := ⟦ℕ, Option ℕ⟧`
12861295 (concrete program states)
1287- and `α₀ ∼ β₀` lifting from a corresponding canonical
1288- `(_:Option ℕ) ∼ (_:ℂ)` relation (e.g. `some n ∼ 𝕊 n`)
1296+ and `α₀ ∼ β₀`
1297+ `α₀` is the concrete/runtime time "refining" `β₀`
1298+ (lifted from a corresponding canonical refinement
1299+ `(_:Option ℕ) ∼ (_:ℂ)` relation (e.g. `some n ∼ 𝕊 n`))
12891300 Once the associated properties are proven...
12901301
12911302 We can now define "program states" `π := (α₀ : α) × (n : ℕ)` (interpreted
@@ -1294,35 +1305,36 @@ section ConcreteMapImpl
12941305 We can now define "program stepping":
12951306 `π₀ ⊑ π₁ := (edge π₀.n π₁.n) ∧ (n:=π₀.n; τₙ) π₀.α₀ = π₁.α₀`
12961307
1297- We can now define a type for "paths" `ℓ` as a list of
1298- `N` `α × ℕ` entries (corresponding to program states at unit times)
1299- where `ℓ[0] = (⊥{α}, 0)`
1300- (assuming 0 is the "entry block"),
1301- and `∀ n < N - 1, l[n] ⊑ l[n+1]` (successive entries constitute valid steps)
1308+ We can now define a type for "traces" `𝕥` as a list of
1309+ `N` `α × ℕ` entries
1310+ (corresponding to program states at successive times)
1311+ where `𝕥[0] = (⊥{α}, 0)`
1312+ (sound entry to trace (assuming 0 is the "entry block")),
1313+ and `∀ n < N - 1, 𝕥[n] ⊑ 𝕥[n+1]`
1314+ (successive entries in trace constitute valid steps)
13021315
13031316 Now if `ν := 𝕏.vals` is a dataflow solution,
1304- and `ℓₙ := (n, _) := ℓ ; n`
1305- and `ℓₐ := (_, α₀) := ℓ ; α₀`
1317+ and `𝕥ₙ := (n, _) := 𝕥 ; n`
1318+ and `𝕥ₐ := (_, α₀) := 𝕥 ; α₀`
13061319 it is provable inductively from `𝕏.props` that:
1307- `∀ ℓ, ℓₐ ∼ ν[ℓₙ ]`.
1320+ `∀ 𝕥, 𝕥ₐ ∼ ν[𝕥ₙ ]`.
13081321
13091322 In the case of our concrete example, this means that we can prove
1310- that any program state `αₙ` at node `n` reached through stepping
1311- from the entry state is constrained by
1312- `αₙ ∼ βₙ` for the abstract state `βₙ := ν[n]`.
1313- For various values of `αₙ` and `βₙ`,
1323+ that any program state `αₙ` at node `n` reached in a trace satifies
1324+ `αₙ ∼ ν[n]` (the concrete state refines the abstract state)
1325+ For various values of `αₙ` and `ν[n]`,
13141326 this could mean (for all keys `k`),
13151327
13161328 `αₙ ∼ 𝕄` : no information
13171329 `αₙ ∼ 𝔸` : `k` is defined
13181330 `αₙ ∼ 𝕊 m` : `k` is defined and equal to `m`
1319- `αₙ ∼ 𝕌` : impossible (which implies that `∄ ℓ, ℓₐ ∼ 𝕌)`,
1331+ `αₙ ∼ 𝕌` : impossible (which implies that `∄ 𝕥, 𝕥ₐ ∼ 𝕌)`,
13201332 i.e., no node `n` satisfying `ν[n] = 𝕌` will
13211333 ever be reached by a path
13221334
1323- These are powerful results, for which much
1324- thought has gone into generating and
1325- presenting conveniently .
1335+ These are powerful results, hopefully
1336+ presented in sufficiently accessible
1337+ datatypes to yield modular use .
13261338 -/
13271339 end ConcreteSolution
13281340end ConcreteMapImpl
0 commit comments