Semantic.CC.Semantics.Props

source

theorem CC.Heap.lookup_deterministic {l : ℕ} {v1 v2 : Cell} {H : Heap} (hlookup1 : H l = some v1) (hlookup2 : H l = some v2) :

v1 = v2

The result of looking up a variable in the heap is deterministic.

source

theorem CC.Memory.lookup_deterministic {l : ℕ} {v1 v2 : Cell} {m : Memory} (hlookup1 : m.lookup l = some v1) (hlookup2 : m.lookup l = some v2) :

v1 = v2

The result of looking up a variable in the memory is deterministic.

source

theorem CC.step_capability_set_precise {C : CapabilitySet} {m : Memory} {e : Exp ∅} {m' : Memory} {e' : Exp ∅} (hstep : Step C m e m' e') :

(∃ (x : ℕ), C = CapabilitySet.cap x) ∨ C = ∅

Extract the precise capability set used by a step.

source

theorem CC.reduce_ctx_letin {C : CapabilitySet} {m : Memory} {e1 : Exp ∅} {m' : Memory} {e1' : Exp ∅} {e2 : Exp (∅,x)} (hred : Reduce C m e1 m' e1') :

Reduce C m (e1.letin e2) m' (e1'.letin e2)

Helper: Congruence for Reduce in letin context.

source

theorem CC.reduce_ctx_unpack {C : CapabilitySet} {m : Memory} {e1 : Exp ∅} {m' : Memory} {e1' : Exp ∅} {e2 : Exp (∅,C ,x)} (hred : Reduce C m e1 m' e1') :

Reduce C m (e1.unpack e2) m' (e1'.unpack e2)

Helper: Congruence for Reduce in unpack context.

source

theorem CC.reduce_var_inv {C : CapabilitySet} {m : Memory} {x : Var Kind.var ∅} {m' : Memory} {v' : Exp ∅} (hred : Reduce C m (Exp.var x) m' v') :

m' = m ∧ v' = Exp.var x ∧ C = ∅

Helper: Variables cannot step, so reduction is reflexive. With precise capabilities, C must be {} for var reduction.

source

theorem CC.step_memory_monotonic {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} (hstep : Step C m1 e1 m2 e2) :

m2.subsumes m1

Helper: Single step preserves memory subsumption.

source

theorem CC.reduce_memory_monotonic {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} (hred : Reduce C m1 e1 m2 e2) :

m2.subsumes m1

Helper: Reduction preserves memory subsumption.

source

theorem CC.step_var_absurd {C : CapabilitySet} {m : Memory} {x : Var Kind.var ∅} {m' : Memory} {e' : Exp ∅} (hstep : Step C m (Exp.var x) m' e') :

False

source

theorem CC.step_val_absurd {v : Exp ∅} {C : CapabilitySet} {m m' : Memory} {e' : Exp ∅} (hv : v.IsSimpleVal) (hstep : Step C m v m' e') :

False

source

theorem CC.step_ans_absurd {C : CapabilitySet} {m : Memory} {e : Exp ∅} {m' : Memory} {e' : Exp ∅} (hans : e.IsAns) (hstep : Step C m e m' e') :

False

source

theorem CC.reduce_ans_eq {C : CapabilitySet} {m : Memory} {e : Exp ∅} {m' : Memory} {e' : Exp ∅} (hans : e.IsAns) (hred : Reduce C m e m' e') :

m = m' ∧ e = e'

source

theorem CC.reduce_letin_inv {C : CapabilitySet} {m : Memory} {e1 : Exp ∅} {e2 : Exp (∅,x)} {m' : Memory} {a : Exp ∅} (hred : Reduce C m (e1.letin e2) m' a) (hans : a.IsAns) :

(∃ (C1 : CapabilitySet) (C2 : CapabilitySet) (m0 : Memory) (y0 : ℕ), C1 ∪ C2 ≈ C ∧ Reduce C1 m e1 m0 (Exp.var (Var.free y0)) ∧ Reduce C2 m0 (e2.subst (Subst.openVar (Var.free y0))) m' a) ∨ ∃ (C1 : CapabilitySet) (C2 : CapabilitySet) (m0 : Memory) (v0 : Exp ∅) (hv : v0.IsSimpleVal) (hwf : v0.WfInHeap m0.heap) (l0 : ℕ) (hfresh : m0.heap l0 = none), C1 ∪ C2 ≈ C ∧ Reduce C1 m e1 m0 v0 ∧ Reduce C2 (m0.extend l0 { unwrap := v0, isVal := hv, reachability := compute_reachability m0.heap v0 hv } hwf ⋯ hfresh) (e2.subst (Subst.openVar (Var.free l0))) m' a

Inversion lemma for letin reduction with precise capability tracking. The capability set C is precisely the union of capabilities used in each sub-reduction.

source

@[irreducible]

theorem CC.step_preserves_wf {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} (hstep : Step C m1 e1 m2 e2) (hwf : e1.WfInHeap m1.heap) :

e2.WfInHeap m2.heap

source

theorem CC.reduce_preserves_wf {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} (hred : Reduce C m1 e1 m2 e2) (hwf : e1.WfInHeap m1.heap) :

e2.WfInHeap m2.heap

source

theorem CC.reduce_unpack_inv {C : CapabilitySet} {m : Memory} {e1 : Exp ∅} {e2 : Exp (∅,C ,x)} {m' : Memory} {a : Exp ∅} (hred : Reduce C m (e1.unpack e2) m' a) (hans : a.IsAns) :

∃ (C1 : CapabilitySet) (C2 : CapabilitySet) (m0 : Memory) (cs : CaptureSet ∅) (x : ℕ), C1 ∪ C2 ≈ C ∧ Reduce C1 m e1 m0 (Exp.pack cs (Var.free x)) ∧ Reduce C2 m0 (e2.subst (Subst.unpack cs (Var.free x))) m' a

Inversion lemma for reduction of unpack expressions with precise capability tracking.

source

inductive CC.IsProgressive :

CapabilitySet → Memory → Exp ∅ → Prop

done {R : CapabilitySet} {m : Memory} {e : Exp ∅} : e.IsAns → IsProgressive R m e
step {C' : CapabilitySet} {m : Memory} {e : Exp ∅} {m' : Memory} {e' : Exp ∅} {C : CapabilitySet} : Step C' m e m' e' → C' ⊆ C → IsProgressive C m e

Instances For

source

theorem CC.eval_ans_holds_post {C : CapabilitySet} {m : Memory} {e : Exp ∅} {Q : Mpost} (heval : Eval C m e Q) (hans : e.IsAns) :

Q e m

If an answer has an evaluation, then the postcondition holds for it.

source

theorem CC.eval_implies_progressive {C : CapabilitySet} {m : Memory} {e : Exp ∅} {Q : Mpost} (heval : Eval C m e Q) :

IsProgressive C m e

source

theorem CC.step_preserves_eval {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {Q : Mpost} {C' : CapabilitySet} {m2 : Memory} {e2 : Exp ∅} (he : Eval C m1 e1 Q) (hstep : Step C' m1 e1 m2 e2) (hsub : C' ⊆ C) :

Eval C m2 e2 Q

source

theorem CC.reduce_preserves_eval {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {Q : Mpost} {C' : CapabilitySet} {m2 : Memory} {e2 : Exp ∅} (he : Eval C m1 e1 Q) (hred : Reduce C' m1 e1 m2 e2) (hsub : C' ⊆ C) :

Eval C m2 e2 Q

Reduction preserves evaluation when the reduction uses a subset of available capabilities.

source

theorem CC.eval_to_reduce {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {Q : Mpost} {C' : CapabilitySet} (heval : Eval C m1 e1 Q) (hsub : C' ⊆ C) (m2 : Memory) (e2 : Exp ∅) :

e2.IsAns → Reduce C' m1 e1 m2 e2 → Q e2 m2

source

theorem CC.Heap.restricted_has_capdom {D0 D : Finset ℕ} {H : Heap} (hd : H.HasCapDom D0) :

(H.mask_caps D).HasCapDom (D0 ∩ D)

source

theorem CC.Heap.masked_has_findom {D D1 : Finset ℕ} {H : Heap} (hdom : H.HasFinDom D) :

(H.mask_caps D1).HasFinDom D

Masking caps in a heap does not change the finite domain of the heap.

source

theorem CC.Var.wf_masked {a✝ : Kind} {a✝¹ : Sig} {x : Var a✝ a✝¹} {H : Heap} {D : Finset ℕ} (hwf : x.WfInHeap H) :

x.WfInHeap (H.mask_caps D)

source

theorem CC.CaptureSet.wf_masked {a✝ : Sig} {cs : CaptureSet a✝} {H : Heap} {D : Finset ℕ} (hwf : cs.WfInHeap H) :

cs.WfInHeap (H.mask_caps D)

source

theorem CC.CaptureBound.wf_masked {a✝ : Sig} {cb : CaptureBound a✝} {H : Heap} {D : Finset ℕ} (hwf : cb.WfInHeap H) :

cb.WfInHeap (H.mask_caps D)

source

theorem CC.Ty.wf_masked {a✝ : TySort} {a✝¹ : Sig} {T : Ty a✝ a✝¹} {H : Heap} {D : Finset ℕ} (hwf : T.WfInHeap H) :

T.WfInHeap (H.mask_caps D)

source

theorem CC.Exp.wf_masked {a✝ : Sig} {e : Exp a✝} {H : Heap} {D : Finset ℕ} (hwf : e.WfInHeap H) :

e.WfInHeap (H.mask_caps D)

source

theorem CC.reachability_of_loc_masked {D : Finset ℕ} {H : Heap} (l : ℕ) :

reachability_of_loc H l = reachability_of_loc (H.mask_caps D) l

source

theorem CC.expand_captures_masked {D : Finset ℕ} {H : Heap} (cs : CaptureSet ∅) :

expand_captures H cs = expand_captures (H.mask_caps D) cs

source

theorem CC.masked_compute_reachability {v : Exp ∅} {hv : v.IsSimpleVal} {D : Finset ℕ} {H : Heap} :

compute_reachability H v hv = compute_reachability (H.mask_caps D) v hv

source

def CC.Memory.masked_caps (m : Memory) (mask : Finset ℕ) :

Memory

Equations

m.masked_caps mask = { heap := m.heap.mask_caps mask, wf := ⋯, findom := ⋯ }

Instances For

source

theorem CC.masked_lookup_val {m : Memory} {M : Finset ℕ} {l : ℕ} {hv : HeapVal} :

m.lookup l = some (Cell.val hv) → (m.masked_caps M).lookup l = some (Cell.val hv)

source

theorem CC.masked_lookup_cap {m : Memory} {M : Finset ℕ} {l : ℕ} {info : CapabilityInfo} :

m.lookup l = some (Cell.capability info) → l ∈ M → (m.masked_caps M).lookup l = some (Cell.capability info)

source

theorem CC.mem_to_finset {x : ℕ} {C : CapabilitySet} :

x ∈ C → x ∈ C.to_finset

source

theorem CC.CapabilitySet.mem_cap_to_finset {x : ℕ} :

x ∈ (cap x).to_finset

source

theorem CC.masked_preserves_fresh {m : Memory} {M : Finset ℕ} {l : ℕ} :

m.heap l = none → (m.masked_caps M).heap l = none

source

theorem CC.Heap.masked_extend_comm {D : Finset ℕ} {H : Heap} {l : ℕ} {v : HeapVal} :

(H.extend l v).mask_caps D = (H.mask_caps D).extend l v

Capability masking and extension commutes for heaps.

source

theorem CC.Memory.masked_extend_comm {D : Finset ℕ} {m : Memory} {l : ℕ} {v : HeapVal} (hwf_v : v.unwrap.WfInHeap m.heap) (hreach : v.reachability = compute_reachability m.heap v.unwrap ⋯) (hfresh : m.heap l = none) :

(m.extend l v hwf_v hreach hfresh).masked_caps D = (m.masked_caps D).extend l v ⋯ ⋯ ⋯

source

theorem CC.Heap.masked_update_mcell_comm {H : Heap} {l : ℕ} {b : Bool} {M : Finset ℕ} (hmem : l ∈ M) :

(H.update_cell l (Cell.capability (CapabilityInfo.mcell b))).mask_caps M = (H.mask_caps M).update_cell l (Cell.capability (CapabilityInfo.mcell b))

Helper lemma: Heap masking and update_cell commute when the location is in the mask.

source

theorem CC.Memory.masked_update_mcell_comm {m : Memory} {l : ℕ} {b : Bool} {M : Finset ℕ} (hexists : ∃ (b0 : Bool), m.heap l = some (Cell.capability (CapabilityInfo.mcell b0))) (hmem : l ∈ M) :

(m.update_mcell l b hexists).masked_caps M = (m.masked_caps M).update_mcell l b ⋯

Helper lemma: Memory masking and update_mcell commute when the location is in the mask.

source

theorem CC.finset_mem_imp_cap_mem {C1 : CapabilitySet} {x : ℕ} (hx : x ∈ C1.to_finset) :

x ∈ C1

source

theorem CC.CapabilitySet.subset_to_finset {C1 C : CapabilitySet} (hsub : C1 ⊆ C) :

C1.to_finset ⊆ C.to_finset

source

theorem CC.step_masked {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} (hstep : Step C m1 e1 m2 e2) :

have M := C.to_finset; Step C (m1.masked_caps M) e1 (m2.masked_caps M) e2

source

theorem CC.step_masked_superset {C1 : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} {C : CapabilitySet} (hstep : Step C1 m1 e1 m2 e2) (hsub : C1 ⊆ C) :

Step C1 (m1.masked_caps C.to_finset) e1 (m2.masked_caps C.to_finset) e2

source

theorem CC.reduce_masked_superset {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} {C' : CapabilitySet} (hred : Reduce C m1 e1 m2 e2) (hsub : C ⊆ C') :

Reduce C (m1.masked_caps C'.to_finset) e1 (m2.masked_caps C'.to_finset) e2

source

theorem CC.reduce_masked {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {m2 : Memory} {e2 : Exp ∅} (hred : Reduce C m1 e1 m2 e2) :

have M := C.to_finset; Reduce C (m1.masked_caps M) e1 (m2.masked_caps M) e2

source

theorem CC.eval_exists_answer {C : CapabilitySet} {m : Memory} {e : Exp ∅} {Q : Mpost} (heval : Eval C m e Q) :

∃ (m' : Memory) (e' : Exp ∅), e'.IsAns ∧ m'.subsumes m ∧ Q e' m'

If Eval C m e Q holds, then there exist m' and e' such that e' is an answer, the memory m' subsumes m, and Q e' m' holds.

source

theorem CC.eval_reduce_exists_answer {C : CapabilitySet} {m1 : Memory} {e1 : Exp ∅} {Q : Mpost} (heval : Eval C m1 e1 Q) :

∃ (C' : CapabilitySet) (m2 : Memory) (e2 : Exp ∅), C' ⊆ C ∧ Reduce C' m1 e1 m2 e2 ∧ e2.IsAns ∧ Q e2 m2

If Eval C m1 e1 Q holds, then there exist C' ⊆ C, m2 and e2 such that e1 reduces to e2 (an answer) using capabilities C', and Q e2 m2 holds.

source

theorem CC.eval_bounds_step_capability {C : CapabilitySet} {m : Memory} {e : Exp ∅} {Q : Mpost} {C' : CapabilitySet} {m' : Memory} {e' : Exp ∅} (heval : Eval C m e Q) (hred : Step C' m e m' e') :

C' ⊆ C

source

theorem CC.eval_bounds_reduce_capability {C : CapabilitySet} {m : Memory} {e : Exp ∅} {Q : Mpost} {C' : CapabilitySet} {m' : Memory} {e' : Exp ∅} (heval : Eval C m e Q) (hred : Reduce C' m e m' e') :

C' ⊆ C