Before we define weakest preconditions and prove the rules for invariants, there is one other piece of the Iris program logic we need to cover: view shifts (). These serve three roles:
1. They permit frame-preserving updates, as realized by the ruleGHOST-UPDATE: aB
a γ E∃b∈B. b γ
2. They allow stripping away a later modality off a timeless proposition, as realized by the ruleVS-TIMELESS:
timeless(P) PEP
3. They allow accessing invariants, as realized by the following rule, which we have not shown before:
P∗Q1E\NP∗Q2 N⊆E P N ∗Q1E P N∗Q2
We have already seen two connectives that can be used for the first or second role of view shifts, respectively: the basic update modality|˙, which can be used to perform frame-preserving updates (UPD-UPDATE), and the except-0 modality", which can be used to strip laters of timeless propositions ("-TIMELESS).
We will now define a new modality that subsumes the basic update modality|˙ and the except-0 modality"and can also take care of the last role: accessing invariants. This modality, called thefancy update modalityE1|E2, is defined as follows:
|
E1 E2PW∗ E1
γEN−∗ ˙|"(W∗ E2
γEN∗P)
|
EPE|EP
Before going into details about the definition or the proof rules (seeFigure 15) of this modality, let us mention that in the same way that Hoare triples are defined in terms of weakest preconditions, view shifts are defined in terms of fancy updates:
P E1E2Q (P−∗ |E1E2Q) PEQP EEQ
Using the rules of the fancy update modality inFigure 15, it is easy to establish the rules for view shifts that we have seen in this paper.
FUP-MONO Fig. 15. Rules for the fancy update modality and invariants.
The intuition behindE1|E2Pis to express ownership of resources such that, if we further assume that the invariants inE1are enabled, we can perform aframe-preserving update such that we end up owning P and the invariants in E2 are enabled. By looking at the definition ofE1|E2P, we can see how it supports all the fancy roles of view shifts:
1. At the heart of the fancy update modality is a basic update modality, which permits doing frame-preserving updates (see the ruleFUP-UPDinFigure 15).
2. The modality is able to remove laters from timeless propositions by incorporating the “except 0” modality"(see§5.7andFUP-TIMELESS).
3. Finally, the modality “threads through” world satisfaction, in the sense that a proof of E1|E2Pcan useW but also has to reestablish it. Furthermore, controlled by the two masksE1 andE2, the modality provides and consumes “enabled” tokens. The first mask controls which invariants are available to the modality, while the second mask controls which invariants remain available afterwards (seeINV-ACCESS). It is also possible to allocate new invariants (INV-ALLOC). Notice that this is mostly a matter of convenience; treating the tokens as masks instead of the underlying ghost resources keeps them out of the way for the majority of the proof that does not care about them.
The rulesFUP-MONO,FUP-TRANS, andFUP-FRAMEcorrespond to the related rules of the basic update modality inFigure 11. We can also derive a rule corresponding toUPD-INTRO:
FUP-INTRO
P |EP
This follows from FUP-INTRO-MASK, FUP-TRANS and FUP-FRAME (or, alternatively, from
FUP-UPD).
It is important to notice that there isnorule likeP |E1E2Pthat lets us introduce an arbitrary mask-changingfancy update. With a goal of the form E1|E2, the fact that the masks are different actually presents anobligation that we have to discharge—typically by eliminating fancy update modalities until the masksdomatch. The reason this works is that elimination of a mask-changing fancy update changes only thefirstof the two masks in our goal:
FUP-CHANGE-MASK
R∗P |E2E3Q R∗ |E1E2P |E1E3Q
| Fig. 16. Derivation ofINV-ACCESS.
As you can see, eliminating an update with masksE1andE2has the effect of changing the first mask in the conclusion fromE1 toE2, while the second mask (E3) stays unaffected.
FUP-CHANGE-MASKfollows fromFUP-FRAME,FUP-MONOandFUP-TRANS.
As a more concrete example for how to work with mask-changing updates, we will prove the ruleINV-ACCESSinFigure 15. The rule may look fairly cryptic; we will see in the next section how it can be used to deriveWP-INV. The proof of this rule relies on the following two mask-changing updates, both centering aroundWSAT-OPENCLOSE:
INV-OPEN
We discuss the proof ofINV-OPENin some more detail; the proof ofINV-CLOSEproceeds in a very similar way.
• To proveINV-OPEN, we start by unfolding the definition of the fancy update modal-ity. We can thus assume P ι, W, and the enabled token E γEN. From these assumptions we now have to show|˙ W∗ E\ι γEN∗ P∗ {ι} γDIS.
• We split the enabled token E γEN into {ι} γEN and E\ {ι} γEN.
• We do not actually need to do any frame-preserving updates, so we just apply
UPD-INTRO. Furthermore, we have the assumptions to useWSAT-OPENCLOSE, which gives usW, the disabled token {ι} γDIS, andP. We can thus easily discharge our goal.
Now we can prove INV-ACCESS using just the rules INV-OPEN, INV-CLOSE, and some rules shown inFigure 15. Below we give detailed notes to accompany the derivation in Figure 16.
1. We begin by assuming P N, from which we have to show E|E\N P∗(P−∗
|
E\N ETrue). By definition of P N this means there existsι∈N s.t. P ι. So using
INV-OPEN and P ι, we can addE|E\{ι}P∗ {ι} γDIS to our assumptions. We can keep P ιaround because it is persistent.
2. Now we apply FUP-CHANGE-MASK, which means the update modality is removed from our new assumption and the goal changes toE\{ι}|E\N . . .. Observe how, by applying view shiftINV-OPEN, which has twodifferentmasks, the first mask in our goal changes fromEtoE\ {ι}.
WP-VUP
|EwpEe
v.|EΦ(v)
wpEe{Φ}
WP-ATOMIC
atomic(e)
|
E1 E2wpE
2e
v.E2|E1Φ(v) wpE
1e{Φ}
Fig. 17. New rules for weakest precondition with invariants.
3. We do not have any more invariants to open, but our goal is still a mask-changing update. This is where we useFUP-INTRO-MASK. We proceed in much the same way as when we appliedINV-OPENin the previous step: First, we obtain a new assumption
|
E\{ι}E\NE\N|E\{ι}True.
4. Next, we apply FUP-CHANGE-MASK, which eliminates the outer of the two update modalities from our new assumption, and turns our goal into E\N|E\N . . .. Now we can use FUP-INTRO to get rid of the fancy update in the goal, because the two masks are the same.
5. Since we havePas an assumption, we can now discharge the left-hand side of our goal. For the right-hand side, we immediately assumePagain, and our goal becomesE\N|ETrue.
6. UsingFUP-CHANGE-MASKwith our assumption E\N|E\{ι}True(which we obtained from the update we got viaFUP-INTRO-MASK), the goal changes to E\{ι}|ETrue.
7. The goal now immediately follows fromINV-CLOSEand our remaining assumptions.