Fancy update modality - Lecture Notes on Iris: Higher-Order Concurrent Separation Logic

The fancy update modality allows us to get resources out of knowledge that an invariant exists, i.e.,to getP fromP ^ι, and to put resources back into an invariant,i.e.,to close the invariant. As

16Logically atomic triples allow some reasoning principles, such as opening of invariants, also around programs which are “logically atomic”,e.g.,they use locks, but are not atomic in the sense that they evaluate to a value in a single execution step.

Structural rules.

wp-mono

(∀v. Φ(v)−∗Ψ(v))∗wpEe{Φ} `wpEe{Ψ}

wp-frame

P∗wpEe{Φ} `wpEe{P ∗Φ}

wp-frame-step e<Val

. P ∗wpEe{Φ} `wpEe{P∗Φ}

wp-val

Φ(v)`wpEv{Φ}

wp-bind

wpEe{v.wpEE[v]{Φ}} `wpEE[e]{Φ} Rules for basic language constructs.

wp-fork

. Φ()∗.wpEe{v.True} `wpEfork{e} {Φ}

wp-alloc

.(∀`. ` ,→v−∗Φ(`))`wpEref(v){Φ} wp-load

.(` ,→v)∗.(` ,→v−∗Φ(v))`wpE!`{Φ}

wp-store

.(` ,→v)∗.(` ,→w−∗Φ())`wpE(`←w){Φ} wp-CAS-suc

.(` ,→v)∗.(` ,→w−∗Φ(true))`wpEcas(`, v, w){Φ}

wp-CAS-fail

v,v⁰∧.(` ,→v)∗.(` ,→v−∗Φ(false))`wpEcas(`, v⁰, w){Φ} wp-rec

.wpEe[v/x][(recf(x) =e)/f]{Φ} `wpE(recf(x) =e)v{Φ}

wp-proj

.wpEv_i{Φ} `wpEπ_i(v₁, v₂){Φ} wp-if-true

.wpEe₁{Φ} `wpEif true thene₁elsee₂{Φ}

wp-if-false

.wpEe₂{Φ} `wpEif false thene₁elsee₂{Φ} wp-match

.wpEe_i[u/x_i]{Φ} `wpEmatch inj_iuwith inj₁x₁⇒e₁|inj₂x₂⇒e₂end{Φ} Figure 10: Rules for the weakest precondition assertion.

we explained in Section8.2invariants are persistent, in particular duplicable. Thus we cannot simply get resources out of invariants in the sense of the ruleP^ι`P orP^ι`. P; this would lead to inconsistency. We need to keep track of the fact that we were allowed to open this particular invariant, and that we are not allowed to open this particular invariant again until we have closed it. Thus, the rule for opening invariants will be

ι∈ E P^ι`^E|V^{E \{}^ι^}. P

where^E¹|V^E² is thefancy update modality, andE₁andE₂are masks,i.e.,sets of invariant names (cf. Section8.2).

The intuition behind the modalityÊ¹|VÊ²P is that it contains resourcesrwhich, together with resources in invariants namedE₁, can be updated (via frame preserving update) to resources which can be split into resources satisfyingP and resources in invariants namedE₂. Thus in particular the fancy update modality subsumes the update modality|Vintroduced in Section8, in the sense that|VP `Ê|VÊP,i.e.,if the set of invariant names available does not change. The rules for the fancy update modality are listed in Figure11. We describe the rules now, apart from the ruleFup-timeless, which we describe in the next section, when we introduce the notion of timelessness.

Figure 11: Basic rules for the fancy update modality.

Introduction and structural rules of the fancy update modality The following rules are analogous to the rules for the update modality introduced in Section8.2.

Fup-mono

The ruleFup-intro-maskis perhaps a bit surprising since it introduces two instances of the fancy update modality, with swapped masks. This generality is useful since, in general, we do not haveP ` ^E¹|V^E²P. Indeed, if, for example, P ` ^∅|V^{^ι^}P was provable it would mean that any resource inP could be split into a resource satisfying the invariant named ι, and a resource

satisfyingP. This cannot hold in general, of course. However, using^Fup-trans together with Fup-intro-mask, we can derive the following introduction rule where the masks are the same:

Fup-intro

P `^E|V^EP

We will write|VÊP forÊ|VÊP.

Next we have a rule relating the modality with separating conjunction, analogous to upd-frame, but in addition to framing of resources, we can also frame on additional invariant names E_f.

Fup-frame

E_f disjoint fromE₁∪ E₂ Q∗Ê¹|VÊ²P `Ê¹^]E^f|VÊ²^]E^f(Q∗P)

The rule perhaps looks daunting. The following derived rules are perhaps more natural, since they only manipulate a single concept (either the frame, or the masks) at a time.

Q∗Ê¹|VÊ²P `Ê¹|VÊ²(Q∗P)

E₁⊆ E₂

|V^E₁P ` |V^E₂P

Exercise 14.4. Derive the above two rules from^Fup-frame. ♦ Next we have the rule relating fancy update modality with the ordinary update modality.

The rule states that the fancy update modality is logically weaker than the update modality.

Fup-upd

|VP ` |V^EP

Note that in combination with the previous rules for Ê¹|VÊ², the rulesGhost-allocand Ghost-updateremain valid if we replace|Vwith|VÊ, for any maskE.

Fancy update modality and invariants Finally, we have rules for allocation and opening of invariants:

Inv-alloc E₁infinite . P `^E²|V^E²∃ι∈ E₁. P^ι

Inv-open

ι∈ E P ^ι`^E|V^{E \{}^ι^}

. P ∗

. P −∗^{E \{}^ι^}|V^ETrue

The allocation rule should not be surprising, perhaps apart from the two different sets of in-variant names. An intuitive reason for why the two setsE₁ andE₂of invariant names are not required to be related is that we only allocate a new invariant – the maskE₂ has to do with opening and closing of invariants, as can be seen in^Inv-open.

An equivalent rule to^Inv-allocis the following Inv-alloc-empty

E₁infinite . P ` |^∅V^∅∃ι∈ E₁. P ^ι

Exercise 14.5. Derive^Inv-allocfromInv-alloc-empty. ♦ The rule^Inv-openis used not just to open invariants, but also to close them. It implies the following two rules

The first one of which is the pure invariant opening rule. It states that we can get resources out of an invariant, but onlylater. Removing the later from the rule would be unsound. The second rule is the invariant closing rule. It shows how resources can be transferred back into invariants. The crucial parts in this rule are the invariant masks. In particular, the assertion

E \{ι} E

Trueisnotequivalent toTrue. It contains only those resources which can be combined with resources in invariants namedE \ {ι}to get resources in invariants namedE,i.e.,it contains the resources in the invariant namedι.

Exercise 14.6. Show the following property of the fancy update modality.

E₁ E₂

(P −∗Q)`P −∗^E¹|V^E²Q

♦

Dans le document Lecture Notes on Iris: Higher-Order Concurrent Separation Logic (Page 126-130)